Background

The Decision was adopted under the pre-GDPR regime pursuant to Legislative Decree No. 196/2003 ('the Privacy Code'), and includes a number of undertakings which data controllers must implement with regards to the so-called 'system administrators', namely the professionals in charge of managing and servicing a processing system and/or components thereof.

Following the entry into force of the GDPR back in 2018, companies (especially non-Italian ones) have been struggling in approaching the obligations arising from the Decision, as it is not clear to what extent they shall be considered as fully binding under the law (as opposed to an accountability measure), as well as the liability regime arising from non-compliance with the Decision.

Brief overview of the Decision

Definition of system administrator

Typically, a system administrator is a professional in charge of managing and servicing a processing system and/or components thereof. However, the Decision addresses as such also other professionals whose functions entail similar data protection risks, such as database administrators, network and security equipment administrators, and the administrators of complex software systems. More specifically, the Decision considers as system administrator any professional figure entrusted with the management and maintenance of processing systems and databases, including complex software systems, such as Enterprise Resource Planning ('ERP'), local networks, and security tools, when they allow access to personal data (i.e. data related to identified or identifiable individuals, also by means of identification codes).

The Decision expressly applies even in cases of 'technical activities such as data backup/recovery, management of network flows, handling of storage media and/or hardware maintenance entail[ing], in many cases, the capability to impact on information; such capability should be equated, for all intents and purposes, to the processing of personal data - even if the administrator does not access "plaintext" information'.

Due to the clarifications provided by the Garante within the additional frequently asked questions ('FAQs') attached to the Italian version of the Decision², the meaning of access to plaintext information must be understood as 'the critical tasks which involve the potential violation of personal data even in conditions in which the ability to know the violation of the plaintext information is excluded, as it may happen, for example, in the case of encryption of data'.

Addressees of the Decision

The original version of the Decision was addressed to data controllers. However, the Garante subsequently amended the Decision by means of the decision titled 'Amendments to the Decision of 27 November 2008 prescribing measures and arrangements applying to the controllers of processing operations performed with the help of electronic tools in view of committing the task of system administrator and extension of the terms to comply with it' dated 29 June 2009³, by expressly extending the responsibility for its adoption also to processors operating on behalf of the controller. This amendment was justified in order to facilitate the monitoring capabilities of data controllers on the activities carried out by processors.

Main obligations under the Decision

Under the Decision, system administrators (defined as indicated above) shall be individually appointed by the controller (or processor) relying on their services.

More specifically, the appointment shall be made on the basis of the individual's skills, on an individual basis, and detail the scope of the entrusted activities.

In addition, the controller (or the processor) shall maintain an internal document with the contact details of the natural persons working as system administrators, as well as the entrusted functions. This document should be updated regularly and made available for inspection by the Garante.

If the activities performed by system administrators concern, also indirectly, services or systems that process, and/or allow the processing of, employee personal data, the identity of system administrators shall be disclosed within the organisation (either by means of the information notice or the intranet).

The activity of system administrators shall be subject to periodical audits.

Finally, access to the systems by system administrators shall be logged by means of access logs, including timestamps and event descriptions. Such access logs shall be retained for at least six months.

Main issues arising from the Decision

In itself, the Decision does not pose major problems as to actual compliance with its requirements, which are pretty basic. In fact, similar requirements can be also found in other security models (e.g. Standard ISO/IEC 27001). However, it is unclear to what extent the Decision has binding nature after the entry into force of the GDPR.

During negotiations, Italian controllers often require an express undertaking for their suppliers to abide by the Decision, which in many instances creates churn, as tech providers (especially foreign ones) are not willing to stick to such specific requirements, absent similar indications in their standard internal policies and procedures. In addition, the adoption of such granular measures seems to be in contrast with the flexibility naturally embedded within the accountability principle informing the GDPR, which under Article 32 expressly indicates that security measures shall be adopted by organisations taking into account the 'state of the art', as well as context and purposes of processing.

In this regard, some of the measures under the Decision appear outdated - for instance, maintaining an internal document with the names and surnames of the system administrators may nowadays seem at least naïve or, in the worst-case scenario, somehow dangerous to actually grant maximum protection to a company's systems and cyber assets.

In my personal experience, I have seen multiple times negotiations (including for multi-million value agreements) struggle because of the difficulty for parties to agree on a common position on system administrators, and it is not uncommon that clients come ask for an opinion on the applicability of the Decision, or the liabilities related thereto. So, what is the solution here?

A holistic interpretation of the Decision

Under Article 24 of Legislative Decree No. 101/2018, which implemented the GDPR into the Italian legal system by amending the Privacy Code, the pre-GDPR decisions of the Garante continue to apply, as far as, and to the extent that, they are compatible with the GDPR and the Privacy Code.

As a consequence, the Decision continues to be fully applicable. But rather than representing a 'mandatory measure' (as it was at the time it was issued), it shall be considered as a good accountability measure only. This means that, anytime the context and circumstances of the processing - in particular the risks arising therefrom - suggest that the measures under the Decision do not ensure a level of security appropriate to the risk, organisations shall adopt stricter measures, granting the needed protection level.

More in general (i.e. also where the measures under the Decision appear adequate on consideration of the actual risk arising from the processing), controllers shall feel free to implement different measures, albeit ensuring an equivalent protection level to that afforded by the Decision.

In this regard, although the Decision undeniably represents a well-established practice standard in Italy, the obligations under Articles 5 and 32 of the GDPR would not allow an organisation to hold itself accountable for merely complying with the Decision. In fact, such obligations are dynamic and require controllers and processors to continuously update their systems to ensure the highest degree of security at all times. Hence, a controller shall always internally assess whether, in light of the specific circumstances of the processing at stake, the Decision is adequate, or in turn different and/or additional measures shall be adopted.

In the event system administrators are effectively appointed, companies shall make sure to consider the following:

• system administrators shall be appointed individually, on the basis of their skills, and by means of an appointment deed listing the scope of the activities that system administrators are allowed to carry out based on the authorisation profile assigned to each of them;
• the controller (or processor) appointing system administrators shall make sure to implement audits and control levels to effectively monitor their activity;
• any additional or different organisational and technical measure shall be thoroughly documented by controllers;
• system administrators may incur in civil and criminal liability in the event of non-compliance with their obligations arising from the appointment, or the commission of the cyber crimes provided for under the Italian Criminal Code; and
• employers of system administrators (i.e. the controller or the processor) may also incur in some form of liability in the event that a system administrator commits any intentional or negligent fact inflicting unjust damage on a third party.

By interpreting the Decision in accordance with the GDPR principles, and ensuring that the measures contained therein are applied in the context of a wider accountability exercise (as opposed to superficial implementation thereof), it will be easier for controllers to meet the threshold set forth under data protection legislation, and avoid the Garante's challenges in case of regulatory contacts.

Giulia Mariuz Counsel
[email protected]
Hogan Lovells, Milan

1. Available at: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1628774
2. Available at: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1577499#FAQ (only available in Italian)
3. Available at: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1626595 (only available in Italian)