20110048 - Protection of personal data and fundamental rights - Privacy law clinic

The course "Protection of personal data and fundamental rights – Privacy law clinic" (7 ECTS), within the scientific-disciplinary sector IUS/09 "Public law", aims to involve students (in limited numbers, so that the course remains workable) in practical activities based on the theoretical notions provided in the first part of the course, according to the "learning by doing" method.
What prompts the activation of a course on this topic - which is linked to the Postgraduate Master’s in "Data protection officer and Privacy expert", organised under the patronage of the Garante per la protezione dei dati personali - is the awareness that the fundamental rights of the person are now a consolidated heritage of the European legal tradition, both at the level of individual national systems and of the European Union as a whole. This is a multilevel protection of fundamental rights, made possible by the numerous constitutional clauses that open individual national legal systems to international and EU law.
In this context, the right to the protection of personal data, codified at legislative level in the Personal Data Protection Code (Legislative Decree no. 196/2003), represents a fundamental right of the individual, as a direct expression of individual dignity, thanks also to the contribution coming from the European Union system and the system of the European Convention on Human Rights.
Therefore, the right to privacy, understood both as protection of confidentiality and as protection of personal data, has now reached a solid legal foundation. This is primarily thanks to the provisions of Articles 7 and 8 of the Charter of Nice (respectively dedicated to the respect of private and family life, and to the protection of personal data), as well as to the valuable case law of both the Court of Justice of the EU (most recently, the well-known ruling on Privacy Shield, the so-called Schrems II judgment) and the Court of Strasbourg. Secondly, it is by virtue of the interventions of EU legislation, starting from Directive 95/46/EC - implemented in Italy by Law no. 675/1996 and then by Legislative Decree no. 196/2003, the so-called Privacy Code - up to Regulation EU 2016/679, which repealed the aforementioned Directive and carried out a significant work of standardisation of the regulatory landscape of the Member States on the subject.
The first part of the course will focus on the EU and national framework of the discipline, within which the individual issues will be addressed both from a theoretical point of view and through practical cases. Students will be asked to answer real cases and questions - appropriately disguised - that are put daily to the Office for Relations with the Public of the Garante per la protezione dei dati personali, and to face each other, also divided into teams, in mock trials concerning privacy issues, or in the drafting and revision of the most recurrent documents, such as privacy policies, notifications of personal data breaches, and processes for the acquisition of consent.
This will provide students with the necessary tools to acquire specific skills in the field of personal data protection, useful for a possible future job in both the public and private sectors.

Programme

The Course will be scheduled according to the following scheme:
1. The rules on personal data protection: lectures on fundamental rights, in the national and European constitutional framework, with particular attention to the evolution of the right to privacy and personal data protection. The lecturer will guide students in reading and examining the main provisions of EU Regulation 2016/679 and the main case law, with reference to the Constitutional Court, the Court of Justice of the European Union and the European Court of Human Rights.
In particular, there will be specific focuses on the following topics: purpose and scope; dynamic notion of personal data and the right to informational self-determination; definitions of Art. 4 GDPR; general principles of processing; principle of accountability; principle of privacy by design and privacy by default; subjects of processing; procedures for cooperation between supervisory authorities and consistency mechanism; one-stop shop; transfer of personal data to third countries; obligations of the data controller and data processor; register of processing activities; privacy impact assessment (DPIA) and prior consultation; risk analysis and security policy; data breach management.
2. Specific themes: analysis of specific topics, having regard to the main European and national case law and to the decisional and consultative practice of the Garante per la protezione dei dati personali, in the following fields:
- Privacy and social networks: relationship between ToS and privacy notice. The legal bases of processing and the choice between consent, contract and legitimate interest. Profiling, automated processing. Online advertising and personal data monetization. Convergence between privacy/antitrust and consumer protection: towards the protection of the digital citizen. Child protection on online platforms.
Cases and issues: TikTok, Facebook, WhatsApp, Telegram, Clubhouse, etc. Cyberbullying, sexting and revenge porn.
- Information and right to be forgotten: The processing of personal data in journalism: balancing the right to privacy and freedom of thought. Treviso Charter and ethical rules. Online information and the activity of the Garante. Right to be forgotten: protection of personal identity in relation with the right to memory, updating of information. The Google Spain ruling of the Court of Justice. Freedom of expression and social networks.
- Privacy, marketing and electronic communications: Online data collection through websites and data protection. Legal obligations for providers of electronic communication services: security and data retention. Privacy and unsolicited communications: spam, telemarketing and silent calls. Information requirements and legal basis for promotional activities carried out through automated and non-automated systems. Profiling and marketing. Big data and artificial intelligence. Cookies and other tracking tools. The construction of digital identity.
- Privacy and transparency: The path of anti-corruption and transparency in Italy: from Law no. 241/1990 to Legislative Decree no. 97/2016. The problematic relationship between transparency of administrative action and personal data protection: the processing of personal data by public entities. Documentary access, "simple" civic access and "generalised" civic access in the current regulatory framework. Limits deriving from personal data protection requirements. The rules on publication obligations. The necessary balance between privacy and transparency. Article 22 GDPR (automated decision-making process concerning natural persons). Administrative case law on algorithmic decisions and references to personal data protection.
- Privacy and labor: the regulation of personal data protection in the workplace in the light of the supranational and national regulatory framework. The legal bases of the processing of workers' data. The processing of workers' data for the purpose of managing the employment relationship. Use of technological systems within the employment relationship and remote control of workers' activities (video surveillance, geolocation, e-mail, internet and social networks). New technologies and methods of attendance recording (biometrics).
- Privacy and security: the risk-based approach and security policy. Identification of appropriate security measures. Privacy by design and by default. Anonymisation and pseudonymisation of personal data. The management of personal data breaches. Notification of data breaches to the Garante and communication to data subjects.
3. Practical cases: resolution of practical cases concerning data protection issues.


Core Documentation

C. COLAPIETRO, Il diritto alla protezione dei dati personali in un sistema delle fonti multilivello. Il Regolamento UE 2016/679 parametro di legittimità della complessiva normativa italiana sulla privacy, Napoli, Editoriale Scientifica, 2018.

G. SCORZA, Processi al futuro. Quando la tecnologia ha incrociato il diritto, Milano, Egea, 2020.


Type of delivery of the course

Lectures and activities carried out within the legal advisory office.

Type of evaluation

The exam consists of a final oral test. Students are also required to prepare a paper on the topics covered during the course, subject to evaluation as a mid-term exam.