The GDPR today: data protection in the financial sector between compliance, Public Administration, technology and new regulatory challenges.

The training programme “The GDPR Today: Data Protection in the Financial Sector between Compliance, Public Administration, Technology and New Regulatory Challenges” was entirely delivered and scientifically coordinated by Avv. Alessandro del Ninno, Partner at FIVERS Studio Legale e Tributario. Acting both as sole lecturer and as Scientific Programme Director, Avv. Del Ninno provided a comprehensive and highly structured analysis of the current regulatory framework governing personal data processing in the financial sector, with a focus on Finlombarda S.p.A. and on the broader ecosystem of public financial entities.

 

The programme opened with an in-depth examination of practical data protection compliance and data governance under the GDPR, contextualised within the evolving EU regulatory landscape—including the Data Governance Act, the Data Act, and the digital-finance framework (FIDA). Avv. Del Ninno outlined the strategic role of data protection for risk management within public financial institutions.

 

A substantial part of the training addressed the operational governance of data protection, including: the correct allocation of privacy roles among Finlombarda, Regione Lombardia and external stakeholders; the duties and accountability of the DPO (with reference to the 2024 inquiry of the Italian Garante); coordination with the RPCT; internal authorisation procedures; and the structuring and monitoring of data processing agreements with external processors.

 

The session then focused on key compliance tasks in the data lifecycle, such as mapping processing activities, managing DPIAs in the financial sector, drafting effective privacy notices for internal and external data subjects, and applying GDPR and national rules—including Article 3-ter of the Italian Privacy Code.

 

Further modules covered:

– the application of sectoral Codes of Conduct (credit reporting, commercial information),
– IT security obligations, including Article 32 GDPR, EDPB Guidelines 4/2019, data breach procedures, and the interaction with DORA and NIS2,
– the processing of special categories of data and judicial data in subsidised finance,
– the legal constraints on automated decision-making and profiling (Article 22 GDPR), with reference to the CJEU ruling of 7 December 2023 and the EDPB Statement 2/2024.

A dedicated segment analysed the intersection between the GDPR and the EU Artificial Intelligence Act, highlighting data governance obligations for providers and deployers of AI systems, contractual safeguards for AI-based technological solutions, and compliance requirements for high-risk AI systems used in creditworthiness assessment.

The training concluded with an overview of managerial liability and the GDPR enforcement framework, including administrative, civil and criminal sanctions, as well as practical rules on compensation for damages arising from unlawful data processing.