Privacy Law in San Marino

Privacy Law in San Marino is governed by a combination of national legislation and adherence to European Union standards, as San Marino is a member of the European Economic Area (EEA). While San Marino is not an EU member state, it has agreements with the EU, including provisions that align its data protection laws with EU standards, particularly the General Data Protection Regulation (GDPR).

Privacy in San Marino is primarily governed by the Personal Data Protection Law, which was introduced to align the country with international data protection norms.

1. Personal Data Protection Law

The main privacy law in San Marino is Law No. 171 of 2018 on the Protection of Personal Data (also referred to as the Personal Data Protection Law). Enacted in 2018, it protects personal data and regulates the collection, processing, storage, and transfer of personal information. It is designed to bring San Marino in line with European Union standards and provides a comprehensive framework for personal data protection.

Key Features of the Law:

Alignment with GDPR: The law is designed to be in harmony with the General Data Protection Regulation (GDPR), which came into effect in May 2018. This means that individuals in San Marino have rights similar to those granted under the GDPR, such as the rights of access, rectification, erasure, and data portability.

Scope: The law applies to both public and private entities that process personal data, whether within the country or in cross-border contexts.

Processing Requirements: Personal data can only be processed for specific purposes, and organizations must ensure that data processing is lawful, transparent, and conducted for legitimate purposes.

2. Rights of Data Subjects

Under the Personal Data Protection Law in San Marino, data subjects (individuals whose personal data is being processed) enjoy several rights similar to those in the GDPR. These include:

Key Rights of Data Subjects:

Right to Access: Data subjects can request access to their personal data and obtain information on how it is being processed.

Right to Rectification: Individuals can request the correction or completion of inaccurate or incomplete data.

Right to Erasure (Right to be Forgotten): Data subjects have the right to request the deletion of their personal data when it is no longer needed for the purposes for which it was collected.

Right to Restrict Processing: Individuals may request restrictions on the processing of their personal data in certain situations (e.g., when they contest the accuracy of the data).

Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transfer that data to another data controller.

Right to Object: Individuals can object to the processing of their personal data, especially in cases where processing is based on legitimate interests or for direct marketing purposes.

3. Data Processing Principles

The Personal Data Protection Law in San Marino outlines several key principles for the processing of personal data. These principles mirror those found in the GDPR and ensure that personal data is handled responsibly and with respect for individual privacy:

Lawfulness, Fairness, and Transparency: Data processing must be lawful, fair, and transparent, and individuals must be informed about the processing of their data.

Purpose Limitation: Personal data should only be collected for specific, legitimate purposes and not processed further in a manner incompatible with those purposes.

Data Minimization: Organizations should collect only the personal data that is necessary for the intended purposes.

Accuracy: Personal data must be accurate and kept up to date. Inaccurate data must be rectified or erased.

Storage Limitation: Personal data should not be kept longer than necessary for the purposes for which it was collected.

Integrity and Confidentiality: Personal data must be processed securely, using appropriate technical and organizational measures to protect it from unauthorized access, loss, or destruction.

4. Data Protection Authority: Authority for the Protection of Personal Data (APDP)

San Marino has established an independent supervisory authority called the Authority for the Protection of Personal Data (Autorità per la Protezione dei Dati Personali - APDP). The APDP is responsible for overseeing compliance with data protection laws in San Marino and ensuring that organizations adhere to the provisions of the Personal Data Protection Law.

Responsibilities of APDP:

Supervision and Enforcement: The APDP monitors compliance with privacy laws and can impose penalties for non-compliance.

Guidance and Advice: The APDP provides guidance and recommendations to both individuals and organizations about data protection rights and responsibilities.

Handling Complaints: The authority investigates complaints from individuals concerning the unlawful processing of their personal data.

Issuing Fines and Penalties: The APDP has the authority to issue fines or other penalties in cases of non-compliance with privacy laws.

5. Consent for Data Processing

Similar to the GDPR, the Personal Data Protection Law in San Marino requires that data subjects give explicit consent for the processing of their personal data, unless another lawful basis for processing exists (e.g., contract performance, legal obligations). Consent must be informed, freely given, and specific to the purposes for which the data will be processed.

Key Requirements for Consent:

Clear and Unambiguous: Consent must be given through a clear affirmative action, such as ticking a box or submitting a form.

Withdrawal of Consent: Data subjects have the right to withdraw their consent at any time, and this should be as easy as giving consent.

Informed Consent: Data subjects must be informed about the purposes of data processing, the identity of the data controller, and their rights before giving consent.

6. Data Security and Data Breaches

The Personal Data Protection Law mandates that organizations implement appropriate technical and organizational measures to protect personal data from unauthorized access, alteration, or destruction. This includes:

Encryption: Personal data should be encrypted to protect it during storage and transmission.

Access Controls: Only authorized personnel should have access to personal data, and access should be granted on a need-to-know basis.

Regular Audits: Organizations should conduct regular security audits to assess the effectiveness of their data protection measures.

In the event of a data breach, organizations are required to notify the APDP and affected individuals if the breach is likely to result in harm to individuals' privacy rights. The notification should be made within 72 hours of discovering the breach.

7. Cross-Border Data Transfers

San Marino’s Personal Data Protection Law includes provisions for the transfer of personal data outside the country. Since San Marino is aligned with EU standards, cross-border data transfers to countries outside the European Economic Area (EEA) are allowed if the destination country ensures an adequate level of data protection.

Adequacy Decision: Personal data can be transferred to countries that the European Union has determined to have adequate data protection standards.

Appropriate Safeguards: In the absence of an adequacy decision, organizations may use Standard Contractual Clauses (SCCs) or other safeguards to ensure data protection during international transfers.

8. Penalties for Non-Compliance

Organizations that fail to comply with the Personal Data Protection Law in San Marino may face various penalties, including:

Fines: Organizations may be fined for failing to comply with data protection requirements, such as failing to obtain consent or failing to notify authorities of a data breach.

Corrective Actions: The APDP may require organizations to take corrective actions, such as implementing data protection measures or revising their privacy policies.

Compensation: Individuals may seek compensation for damages resulting from unlawful data processing.

9. Exemptions and Special Provisions

Similar to the GDPR, the Personal Data Protection Law in San Marino provides for certain exemptions and special provisions. These may include situations where data processing is necessary for national security, public safety, or the defense of legal claims. Additionally, personal data processing for journalistic, artistic, or literary purposes may be subject to specific exemptions.

Summary of Privacy Law in San Marino

Aspect: Details

Primary Law: Personal Data Protection Law (Law No. 171/2018)

Supervisory Authority: Authority for the Protection of Personal Data (APDP)

Individual Rights: Access, rectification, erasure, objection, data portability, withdrawal of consent

Consent: Required for most data processing activities

Data Security: Encryption, access controls, regular audits

Data Breach Notification: Notify the APDP and affected individuals within 72 hours of a breach

Cross-Border Data Transfers: Transfers to countries with adequate protection or appropriate safeguards

Penalties: Fines, corrective actions, compensation for damages

Conclusion

San Marino's privacy laws are aligned with EU standards through the Personal Data Protection Law (Law No. 171/2018), which emphasizes strong protection for personal data and the rights of individuals. Organizations in San Marino must adhere to the requirements of the law, including obtaining consent, ensuring data security, and complying with cross-border data transfer rules. The APDP oversees compliance and has the authority to issue penalties for non-compliance.
