The unified system of definitions set forth by the GDPR is its main strength because it prevents – at national level – the unauthorized modification of the EU provisions.
The Italian Data Protection Directive enforcement (Legislative Decree 196/03) is a clear example of what I mean.
The Data Protection Directive (DPD) clearly says, in its Whereas number 15, that the Directive is going to be enforced to data processing performed by way of a filing system.
The Italian Legislative Decree 196/03, oddly enough, defines “trattamento” (processing” as:
qualunque operazione o complesso di operazioni, effettuati anche senza l’ausilio di strumenti elettronici, concernenti la raccolta, la registrazione, l’organizzazione, la conservazione, la consultazione, l’elaborazione, la modificazione, la selezione, l’estrazione, il raffronto, l’utilizzo, l’interconnessione, il blocco, la comunicazione, la diffusione, la cancellazione e la distruzione di dati, anche se non registrati in una banca di dati; (emphasis added)
So, as the emphasis shows, the notion of “processing” the Italian Way has been arbitrarily extended from one performed by filing system up to include those processing that are not recorded into a data-base.
Yes, just in case, you may challenge a fine from the Data Protection Authority issued by enforcing a wrong provision. But you have to do it through a Court, thus spending time and money.
Luckily, the GDPR contains a limitation similar to the one included into the DPD):
The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system.(emphasis added)
Since member-States have no power to change what a Regulation states (because there is no need to pass local bills to have it up and running), falling next May 25, 2018 this Italian oddity (and, hopefully, many more) will disappear.