Italy’s consolidated data protection code came into force on 1 January 2004. The Code brings together the various laws, codes and regulations relating to data protection adopted since 1996.
In particular, it supersedes the Data Protection Act 1996 (no. 675/1996), which had come into effect in May 1997.
There are three key guiding principles behind the code, which are outlined in section 2:
1. Simplification
2. Harmonisation
3. Effectiveness
The code is divided into three parts.
The first part sets out the general data protection principles that apply to all organisations.
Part two of the code provides additional measures that will need to be undertaken by organisations in certain areas, for example, healthcare, telecommunications, banking and finance, or human resources.
Part three relates to sanctions and remedies. It is expected that the second part of the code will be developed further through the introduction of sectoral codes of practice.
Scope of the Italian data protection code
The code applies to all processing within the State and its territories. It will also affect outside organisations that make use of equipment located within Italy, which could include e.g. PCs and other computer-based systems (see Section 5 of the Code). If an organisation outside the EU is processing data on Italian territory, it must appoint a representative in Italy for the application of Italian rules (this will be necessary for notifying with the Garante, if notification is due, and providing data subjects with information notices).
Main Features of the Data Protection Code
Notification – One of the key targets for simplification was the notification process, which was made more straightforward compared to the 1996 Act in line with the EU Data Protection Directive – which allows the notification process to be simplified in cases where data processing does not adversely affect the rights and freedoms of data subjects (see Article 18(2) of the directive). Under the Italian code, organisations are only required to notify the Garante when processing higher-risk categories of data. These include, in particular, genetic and biometric data, data processed for the purpose of analysing or profiling individuals, and credit-related information (see Section 37 of the code for additional details). This approach is also aimed at making the process more transparent and understandable for individuals.
Data minimisation – Section 3 of the code introduces the element of data minimisation into Italian data protection. The code encourages organisations to make use of non-personal data whenever possible.
Data subjects’ rights/Decision taking – The code aims to strengthen individuals’ data protection rights, allowing them to exercise their rights and instigate proceedings more easily. In an effort to simplify the complaints process, the Garante has published a complaints form on its website. The Garante can also order businesses to abide by compliance requirements set out in its decisions. When responding to investigations, businesses now have 15 days to comply, compared to the previous 5-day timeframe. The turnaround for dealing with complaints has been raised to 60 days (previously it was 30 days); this period was found to be suitable in order for the Garante to work effectively and the parties to prepare their pleadings appropriately.
International Data Transfers – The data protection Code has incorporated and, to some extent, updated the previous rules on data transfers (data transfers are addressed in Sections 42-45 of the Code). Whereas previously businesses had to notify the Garante of their intention to transfer data outside the EU, under the new system companies only have to provide notification in cases in which the transfer of data could prejudice data subjects’ rights (see the Notification section). Additionally, the new system does not require organisations to resubmit notifications each year. The rules for legitimising transfers to non-EU countries can be found in Section 43 of the Code and include consent, meeting contractual obligations, public interest requirements, safeguarding life/health, investigations by defence counsel, use of publicly available data, and processing for statistical/historical purposes. Additional provisions for legitimising transfers are laid out in Section 44 of the Code and include transfers to countries deemed adequate by the European Commission, the adoption of contractual safeguards, and the use of binding corporate rules. Data subjects are entitled to lodge claims in Italy for non-compliance with the said contractual/corporate safeguards.
Main Features in Respect of Specific Processing Operations
Human Resources Data – The code has fully implemented Article 8(2)(b) of the EU directive, which applies to the processing of sensitive data that is necessary to comply with employment law obligations. Organisations processing sensitive data that wish to find an alternative to the somewhat unreliable basis of employee consent can look at the exemptions laid out in Section 26 of the code. For example, Section 26(4d) allows the processing of sensitive data without consent if necessary to meet obligations under employment law.
Health data – Processing is allowed with the data subject’s consent (which must be provided in writing) and the Garante’s authorisation if the data controller is a private body. As for public bodies, processing is allowed if it is provided for in laws/regulations; however, the latter must set out the specific processing operations and purposes in detail, otherwise the relevant public bodies must specify them via ad-hoc regulatory instruments. The data subject’s consent is not required, in principle, whilst the Garante’s authorisation is necessary except for the processing by health care professionals that is indispensable with a view to the data subject’s health and/or bodily integrity. The Garante’s authorisation has been granted in the form of an instrument applying to several entities and/or processing operations, i.e. as a “General Authorisation for the Processing of Sensitive Data” by various categories of data controller (see Legislation section). It should be recalled that specific provisions are laid down in the DP Code to regulate the processing of medical data in the health care sector (Sections 75-94). In particular, health care professionals and public health care bodies may process medical data (the Code refers to “data suitable for disclosing health”) with the data subject’s consent and without the Garante’s authorisation if the processing concerns data and operations that are indispensable with a view to the data subject’s health and/or bodily integrity; conversely, they may process medical data without the data subject’s consent but with the Garante’s authorisation if the processing is indispensable to safeguard public health.
Electronic Communications Data – The Code has implemented the provisions contained in the E-Communications privacy directive 2002/58/EC as well as in the data retention directive (2006/24/EC) (see Title 10, Part 2 of the Code). One of the main principles concerns electronic marketing: organisations must obtain prior consent before sending electronic marketing to consumers (see Section 130). This applies to all forms of e-marketing, including e-mail, fax, SMS/MMS etc. Specific provisions were added to regulate telemarketing. There is also a ban on sending e-marketing from anonymous addresses – this is a breach of the data protection code because the data controller has withheld its identity. As for data retention, communications service providers (CSPs) are permitted to retain traffic data for only a six-month period in order to deal with disputes over billing and subscriber services (section 123(2)). CSPs are also required to retain traffic data for longer in connection with law enforcement purposes; the retention periods are currently set at twenty-four months (telephone traffic data) and twelve months (electronic communications traffic data), irrespective of the given offence at issue (in pursuance of directive 2006/24/EC) (see section 132). Following ratification of the Council of Europe’s Cybercrime Convention (via Act no. 48/2008, which amended Section 132 of the DP Code), police authorities were enabled, under specific circumstances, to order IT and/or Internet service providers and operators to retain and protect Internet traffic data – except for content data – for no longer than ninety days, in order to carry out pre-trial investigations or with a view to the detection and suppression of specific offences. The order issued by police authorities must be notified to and validated by the competent public prosecutor.
Main Features as to Compliance and Enforcement
Complaints – Data subjects can settle disputes either through the courts or by lodging a complaint with the Garante in case they have been prevented from exercising access/erasure/rectification/updating rights (as per Section 7 of the code). Organisations have 15 days to respond and can appeal to the Garante for more time. The Garante will then have 60 days to consider the request (see above “Data Subjects’ Rights/Decision Taking”).
Inspections – The Garante’s inspection powers are laid out in Section 158 of the code. When investigating organisations, the Garante can request information and documents, although these requests are not legally binding. However, if there is no cooperation and an organisation refuses access to its systems, the Garante can apply for a judicial order to carry out an investigation.
When carrying out formal inspections, the Garante can demand copies of manual records and databases, which may be passed onto the judicial authorities. A report of the outcome is then published.