The protection of individuals with regard to the processing of personal data is a fundamental right.

On 25 May 2018 the General Data Protection Regulation became applicable throughout the European Union

(GDPR, Regulation (EU) 2016/679).

This regulation strengthens and harmonizes data protection for citizens and residents of the European Union.

The main objectives of the European Commission in the GDPR are:

  • to give citizens back control of their personal data;
  • to simplify the regulatory environment for international business by unifying and standardizing privacy legislation within the EU;
  • to regulate how companies process, store, manage and destroy users' personal data.

From 25 May 2018 the GDPR replaces the Data Protection Directive (officially Directive 95/46/EC)

and, in Italy, supersedes in part Legislative Decree (D.Lgs.) 196/2003, the Italian Data Protection Code, together with related provisions issued by the Italian Data Protection Authority (the Garante).


The new Regulation applies to all types of organizations (public bodies, companies, foundations, associations) that offer services or products to people who are in the territory of the European Union.



The Regulation applies to the data of residents of the European Union handled by companies, institutions and organizations in general, including those whose registered office is outside the EU, whenever they process the personal data of EU residents. It applies regardless of where the data are located and whether they are held in analog or digital form, including the storage and processing systems involved. The Regulation governs only the processing of personal data.



According to the European Commission, "personal data" is "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address".

Alongside ordinary personal data there are further classifications (genetic, biometric and health data), and in general any information that allows the unique identification or authentication of a natural person.

Personal data: information concerning an identified or identifiable natural person. The novelty lies in the identification criterion: an "identifier" may be a name, a physical or physiological characteristic, or an online identifier.

Special categories of personal data:

  • Genetic data: inherited or acquired characteristics obtained from DNA or RNA analysis of a biological sample of the individual concerned.
  • Biometric data: such as a fingerprint or facial image, from which one specific natural person can be uniquely identified.
  • Health data: relating to physical or mental health, past, present or future, including information on health-care services provided, regardless of its source (for example, a physician).
  • Data on sex life: data concerning the sex life or sexual orientation of the individual.



The principle of responsibility is linked to the concept of accountability. Accountability is also an aspect of access control: of roles, of the actions each role is permitted to perform, and of the principle that individuals are answerable for their actions within an organized system, whether an IT system or an organizational one.

There must therefore be a series of organized, periodic activities and controls, such as audits of the traces and events recorded within the organization or in a technological system (in IT, for example: applications, systems and networks). Audit trails can be used both for intrusion detection and for reconstructing past events.
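As an added illustration of the audit-trail review described above (this is example code, not material from the original page or from Anthilla), the following script reads access records for personal-data files and applies three accountability checks: a role reading a data category it is not entitled to, access outside business hours, and one user reading many distinct data subjects in a short window. The log format, the role/category matrix, the business hours and the thresholds are all assumptions made for the example, and the log lines are constructed, not real.

```python
"""Audit-trail review for access to personal data (added example).

Assumptions (not from the page): each application emits one JSON line per
access to a data subject's record, with the fields shown in SAMPLE_LOG.
The role/category matrix, business hours and thresholds are illustrative.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data): who read whose record, and what kind.
SAMPLE_LOG = """\
{"ts": "2018-06-04T09:12:03Z", "user": "alice", "role": "clinician", "action": "read", "subject": "S-1001", "category": "health"}
{"ts": "2018-06-04T09:13:10Z", "user": "bob", "role": "marketing", "action": "read", "subject": "S-1001", "category": "health"}
{"ts": "2018-06-04T23:41:00Z", "user": "carol", "role": "support", "action": "read", "subject": "S-2002", "category": "contact"}
{"ts": "2018-06-04T10:00:00Z", "user": "dave", "role": "support", "action": "read", "subject": "S-3001", "category": "contact"}
{"ts": "2018-06-04T10:00:05Z", "user": "dave", "role": "support", "action": "read", "subject": "S-3002", "category": "contact"}
{"ts": "2018-06-04T10:00:09Z", "user": "dave", "role": "support", "action": "read", "subject": "S-3003", "category": "contact"}
{"ts": "2018-06-04T10:00:14Z", "user": "dave", "role": "support", "action": "read", "subject": "S-3004", "category": "contact"}
{"ts": "2018-06-04T10:00:20Z", "user": "dave", "role": "support", "action": "read", "subject": "S-3005", "category": "contact"}
{"ts": "2018-06-04T10:00:27Z", "user": "dave", "role": "support", "action": "read", "subject": "S-3006", "category": "contact"}
"""

# Illustrative policy: which roles may read which data categories.
ALLOWED = {
    "contact": {"support", "marketing", "clinician"},
    "health": {"clinician"},           # special-category data: clinicians only
}
BUSINESS_HOURS = (7, 20)               # UTC hours treated as normal working time
BULK_THRESHOLD = 5                     # this many distinct subjects ...
BULK_WINDOW = timedelta(minutes=1)     # ... within this window is suspicious


def parse_log(text):
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def review(events):
    """Return (rule, user, detail) tuples for every access that needs follow-up."""
    findings = []
    for ev in events:
        # Rule 1: the role is not entitled to this category of data.
        if ev["role"] not in ALLOWED.get(ev["category"], set()):
            findings.append(("unauthorised_category", ev["user"], ev["subject"]))
        # Rule 2: access outside business hours.
        if not (BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]):
            findings.append(("out_of_hours", ev["user"], ev["subject"]))
    # Rule 3: sliding window of distinct subjects read by one user.
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev["user"]].append(ev)
    for user, evs in per_user.items():
        window = []
        for ev in evs:
            window.append(ev)
            while ev["ts"] - window[0]["ts"] > BULK_WINDOW:
                window.pop(0)
            if len({e["subject"] for e in window}) >= BULK_THRESHOLD:
                findings.append(("bulk_access", user, f"{len(window)} subjects"))
                break  # one finding per user is enough for the report
    return findings


def access_report(events):
    """Accountability view: which data subjects each user touched."""
    report = defaultdict(set)
    for ev in events:
        report[ev["user"]].add(ev["subject"])
    return {user: sorted(subjects) for user, subjects in report.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for finding in review(evs):
        print(finding)
    print(access_report(evs))
```

On the constructed log the review flags bob (a marketing role reading health data), carol (access at 23:41 UTC) and dave (six subjects read within 27 seconds), while the access report lists, per user, every data subject whose record was opened, which is the evidence an accountability audit asks for.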



Privacy by design and by default concern the principle of building privacy in from the design stage of a business process and of the IT applications that support it. This implies implementing mechanisms which guarantee that only the personal data necessary for that specific purpose are processed. It represents the future of privacy, as it adds a new key element to the legislation on the protection of personal data.
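One way to make "only the data necessary for the purpose" enforceable in code, as an added example that is not part of the original page or of any Anthilla product: an intake filter that keeps only the fields registered for the declared purpose, refuses special-category fields the purpose does not cover (rather than silently storing them), replaces the raw identifier with a keyed pseudonym for cross-system linkage, and stamps a retention deadline. The purpose register, field names, retention periods and the pseudonymisation key are illustrative assumptions; the form record is constructed.

```python
"""Privacy-by-default intake filter (added example, not from the page).

Assumptions (mine): the purpose register, field names and retention periods
are illustrative; in a real deployment PSEUDONYM_KEY comes from a secrets
store and the register is maintained alongside the record of processing.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Purpose register: the fields each purpose needs, which special-category
# fields (if any) it may hold, and how long the data may be kept.
PURPOSES = {
    "newsletter": {"fields": {"email"}, "special": set(), "retention_days": 365},
    "appointment": {"fields": {"name", "email", "phone"},
                    "special": {"health_note"}, "retention_days": 30},
}
SPECIAL_FIELDS = {"health_note", "genetic_profile", "biometric_template"}
PSEUDONYM_KEY = b"example-key-rotate-me"   # illustrative; load from a secrets store

# Constructed form submission, as a browser might send it.
FORM = {
    "name": "Mario Rossi",
    "email": "Mario.Rossi@example.org",
    "phone": "+39 02 0000 0000",
    "date_of_birth": "1980-01-01",
    "health_note": "allergic to penicillin",
}


class PolicyViolation(Exception):
    """Raised when a record carries data the declared purpose does not justify."""


def pseudonymise(identifier, key=PSEUDONYM_KEY):
    """Keyed hash: stable for the same person, not reversible without the key."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def store_everything(record):
    """The non-compliant default many intake forms implement: persist it all."""
    return dict(record)


def minimise(record, purpose, now=None):
    """Return (record_to_store, dropped_fields) for the declared purpose."""
    spec = PURPOSES[purpose]
    now = now or datetime.now(timezone.utc)
    if "email" not in record:
        raise PolicyViolation("record has no subject identifier")
    # Privacy by default: refuse special-category data the purpose does not cover.
    offending = (set(record) & SPECIAL_FIELDS) - spec["special"]
    if offending:
        raise PolicyViolation(f"purpose '{purpose}' does not justify {sorted(offending)}")
    wanted = spec["fields"] | spec["special"]
    kept = {k: v for k, v in record.items() if k in wanted}
    dropped = sorted(set(record) - wanted)
    kept["subject_ref"] = pseudonymise(record["email"])   # linkage for erasure requests
    kept["purpose"] = purpose                               # purpose limitation on record
    kept["expires_at"] = (now + timedelta(days=spec["retention_days"])).isoformat()
    return kept, dropped


def is_expired(stored, now=None):
    """Storage limitation: the record must be deleted once this is True."""
    now = now or datetime.now(timezone.utc)
    return datetime.fromisoformat(stored["expires_at"]) <= now


if __name__ == "__main__":
    print("stored by default:", sorted(store_everything(FORM)))
    kept, dropped = minimise(FORM, "appointment")
    print("appointment keeps:", sorted(kept), "drops:", dropped)
    try:
        minimise(FORM, "newsletter")
    except PolicyViolation as exc:
        print("newsletter refused:", exc)
```

The contrast is the point: `store_everything` persists the health note and the date of birth for a newsletter sign-up that needs neither, while `minimise` raises on the health note and drops the rest, so the only way to store special-category data is to register a purpose that justifies it.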



The Data Protection Officer (DPO) is a data protection expert.

The DPO's task is to assess and organize the management and protection of personal-data processing within a company, institution or association, so that data are processed lawfully and only for relevant purposes.

The organization bears full responsibility for choosing a suitably qualified professional as DPO.

The DPO can be internal or external to the organization but, since the legislation stresses the DPO's independence and freedom from constraints and conflicts of interest, we recommend an external figure.

The DPO has an auditor's profile, with extensive experience of ISO27001 and ISO27002; the role can be filled by a natural or legal person, but choosing a natural person is strongly recommended.



The data controller has a legal obligation to notify personal data breaches to the national supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to individuals). When the breach is likely to result in a high risk to the people whose data were compromised, they must also be informed directly.



The following penalties may be imposed:

  • a written warning, in cases of a first, non-intentional non-compliance;
  • regular and periodic data protection audits;
  • a fine of up to 10 million euros or up to 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, in the cases listed in Article 83, Paragraph 4; or up to 20 million euros or up to 4% of turnover, whichever is higher, in the cases listed in Paragraphs 5 and 6.


  • Do you need advice to better understand how to deal with the changes the GDPR brings?

    Anthilla is here for you!

  • Do you need an expert DPO with extensive experience of ISO27001 and ISO27002, who can guide you through the changes introduced by the new Regulation?
    Anthilla collaborates with professionals in the sector:
    AxisNet is here for you!


