Duties and Responsibilities
Everyone may freely collect, for exclusively personal purposes, personal data relating to other individuals, provided they do not disseminate or communicate this data systematically to third parties (e.g., personal data entered for personal purposes into your paper or electronic address book).
However, if personal data is collected and used for other purposes (e.g., by a company intending to sell its products, by a freelance professional intending to advertise his services, by an association planning to recruit new members, by a party engaging in political propaganda, etc.), certain rules must be complied with.
Apart from a few exceptions, whoever plans to process personal data must first provide the data subject with certain items of information (see Section 13 of the DP Code) to enable him or her to exercise their rights (under Section 7 of the DP Code).
In particular, the information notice must specify:
a. How and for what purpose(s) the personal data will be processed;
b. Whether a person is obliged or free to provide their personal data;
c. What happens if a person is unwilling to provide their personal data;
d. Who the person's data will be communicated to, or whether the data will be disseminated;
e. The rights mentioned in Section 7 of the DP Code;
f. The data controller's and (if appointed) the data processor's identities.
If personal data was collected from other sources (e.g., public registers, the data subject's family members, etc.), that is, if personal data was not collected directly from the data subject, the information notice must be given
- Either when the data is recorded,
- Or no later than when the data is first communicated to third parties.
Private Entities and Profit-Seeking Public Entities
Apart from a few exceptions, private entities and profit-seeking public entities may only process personal data with the data subject's consent, of which proof must be available in writing (see Section 23 of the DP Code). This consent is only valid if
- The information notice (as per Section 13 of the DP Code) was provided to the data subject;
- Consent was given by the data subject freely and with specific regard to a processing operation (or to individual processing operations) that must be highlighted unambiguously.
Public administrative bodies are not required to obtain a data subject's consent, provided they process personal data as part of the fulfillment of their respective institutional tasks (see Section 18 of the DP Code).
If personal data is processed in breach of Section 23 of the DP Code, a pecuniary penalty may be imposed ranging from Euro 10,000 to Euro 120,000 (see Section 162(2-bis) of the DP Code).
Processing Arrangements
Any processing must be performed by minimizing the use of personal data (data minimization principle – see Section 3 of the DP Code) and by complying with the following principles (see Section 11 of the DP Code):
Security Measures
The Data Controller is required to take security measures that are suitable for minimizing the risks that personal data may be destroyed, lost, accessed without authorization, or processed unlawfully or in a manner departing from the purposes for which the data was collected (see Section 31 of the DP Code).
In particular, the Data Controller must take the minimum security measures (as per Section 33 of the DP Code and Annex B to the DP Code), which are aimed at ensuring a baseline level of personal data protection.
If the minimum security measures are not taken, a pecuniary penalty may be imposed ranging from Euro 10,000 to Euro 120,000 (see Section 162(2-bis) of the DP Code) along with a criminal punishment consisting of a custodial penalty (detention for up to 2 years – see Section 169 of the DP Code).
In the cases that are mentioned specifically as related to particular risks in terms of safeguarding data subjects' rights and freedoms, a Data Controller must notify the DPA of his intention to carry out a processing operation before starting such processing (see Section 37 of the DP Code).
If a notification obligation applies and the notification is not given, is delayed or is incomplete, a pecuniary penalty may be imposed ranging from Euro 20,000 to Euro 120,000 (see Section 163 of the DP Code).
If there are specific risks for individuals' fundamental rights and freedoms and/or their dignity on account of the processing of their personal data – even though no sensitive or judicial data is involved – by having regard to
- The particular features of the processed data (e.g., biometric data); or
- The processing arrangements (e.g., if images are collected alongside biometric data); or
- The effects possibly produced by the processing,
the DPA carries out a check prior to the start of the processing, either upon the Data Controller's request or of its own motion. As a result of this prior checking, the DPA may order specific measures and arrangements to be implemented in order to protect data subjects (see Section 17 of the DP Code).
If personal data is processed in breach of Section 17 of the DP Code, a pecuniary penalty may be imposed ranging from Euro 10,000 to Euro 120,000 (see Section 162(2-bis) of the DP Code).
PROCESSING SENSITIVE AND JUDICIAL DATA
Private Entities and Profit-Seeking Public Entities
Private entities and profit-seeking public entities may process
- Sensitive data, if they obtain the data subject's written consent and are authorized by the DPA (see Section 26 of the DP Code), apart from a few specific exceptions;
- Judicial data, if they are authorized to do so by explicit legal provisions or else by a decision issued by the DPA (see Section 27 of the DP Code).
Public administrative bodies may process sensitive or judicial data in accordance with the provisions specifically contained in Sections 20, 21 and 22 of the DP Code.
CROSS-BORDER DATA FLOWS
To EU Member States
The laws enacted in EU Member States (transposing the European data protection directive 95/46/EC) are considered to afford an adequate protection of personal data. Thus, there are no specific limitations on data flows to or through these countries (see Section 42 of the DP Code).
To Non-EU Countries
Personal data may be transferred to non-EU countries if
- Any of the conditions mentioned in Section 43 of the DP Code is fulfilled; or
- The transfer is authorized by the DPA on the basis of adequate safeguards for the data subject's rights (see Section 44 of the DP Code).
Apart from the above cases, no personal data may be transferred if the legal system of the country the data is bound for or in transit through does not afford an adequate protection level to individuals (see Section 45 of the DP Code).
If personal data is transferred in breach of Section 45 of the DP Code, a pecuniary penalty may be imposed ranging from Euro 10,000 to Euro 120,000 (see Section 162(2-bis) of the DP Code).
TERMINATION OF PROCESSING
If processing is terminated, any personal data must be:
b. Transferred to another Data Controller, provided the data is intended for a processing operation under terms that are compatible with the purposes for which the data was collected;
c. Kept for exclusively personal purposes without being intended for systematic communication and/or dissemination;
d. Kept or transferred to another Data Controller for historical, statistical or scientific purposes.
PLEASE APPLY TO THE DPA's "UFFICIO RELAZIONI CON IL PUBBLICO" (FRONT DESK) FOR ADDITIONAL INFORMATION