Italy: Garante introduces ‘progressive’ mandatory breach notification
The Italian Data Protection Authority (Garante) issued, on 26 November 2014, its general resolution on biometrics (‘the Resolution’), which includes a new 24-hour data breach notification obligation. The requirement was introduced as a means of balancing the new simplified rules on authorisation for use of biometrics, which will no longer require the Garante’s prior authorisation. Mandatory notification was previously only applicable to the telecoms and banking industries.
The Resolution indicates that data breaches or cyber incidents that could have a significant impact on biometric systems or on stored personal data must be notified to the Garante within 24 hours. This would allow for appropriate protective actions to be taken in order to prevent theft of biometric identity.
Read more on DataGuidance.