Annual Report for 2003 - Summary
Annual Report for 2003
SUBMITTED TO PARLIAMENT ON APRIL 28, 2004
GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
Table of Contents
I THE REGULATORY FRAMEWORK 4
1 THE DATA PROTECTION CODE 4
II - DATA SUBJECTS' RIGHTS AND DATA CONTROLLERS' DUTIES 9
7 RIGHT OF ACCESS 9
8 ERASURE OF DATA 13
9 OBJECTING TO THE PROCESSING OF DATA 14
10 EMPLOYMENT CONTEXT 15
11 SECURITY OF DATA AND SYSTEMS 15
12 NOTIFICATION 17
III – PRIVACY AND OTHER RIGHTS 18
13 PROCESSING OF DATA SUITABLE FOR DISCLOSING HEALTH 18
14 ASSOCIATIONS, POLITICAL MOVEMENTS, AND PARTIES 19
15 JOURNALISM AND THE MEDIA 20
16 CREDITING AND INSURANCE 21
17 MARKETING 22
IV – PRIVACY AND THE PUBLIC ADMINISTRATION 23
18 OVERVIEW : SENSITIVE AND JUDICIAL DATA 23
19 OPENNESS OF ADMINISTRATIVE PROCEEDINGS 23
20 ELECTORAL CARD 24
21 CENSUS REGISTER DATA AND ELECTORAL MATTERS 24
22 EDUCATION AND TEACHING 25
23 LOCAL AUTHORITIES 25
24 SERVICE OF NOTICES AND RECORDS 25
25 PUBLIC REGISTERS, LISTS, AND PUBLICLY AVAILABLE INSTRUMENTS AND RECORDS 26
26 TAXATION AND FISCAL MATTERS 26
27 JUDICIAL ACTIVITIES, LEGAL INFORMATICS 26
28 POLICE 27
29 EMPLOYMENT CONTEXT 27
30 STATISTICAL RESEARCH 27
31 PROFESSIONAL ROLLS 28
V PRIVACY AND FUTURE CHALLENGES 29
32 TELEPHONY AND COMMUNICATION NETWORKS 29
33 PROCESSING OF PERSONAL DATA ON THE INTERNET 31
34 TRANSBORDER DATA FLOWS 32
35 STANDARD CONTRACTUAL CLAUSES 33
36 TRANSFER OF PNR (PASSENGER NAME RECORD) DATA 33
37 VIDEO SURVEILLANCE 34
38 BIOMETRICS 35
39 POLICE ACTIVITIES 35
40 SCHENGEN INFORMATION SYSTEM – NEW DEVELOPMENTS 36
42 GENETIC DATA – THE GARANTE'S TASKS AND INTERVENTIONS 36
VI ACTIVITIES PERFORMED BY THE GARANTE 38
50 HANDLING OF COMPLAINTS 38
51 INSPECTIONS AND IMPOSITION OF ADMINISTRATIVE SANCTIONS 38
52 INFORMATION AND COMMUNICATION ACTIVITIES 39
I THE REGULATORY FRAMEWORK
1 THE DATA PROTECTION CODE
1.1. Drawing up of the Code
The law-making process aimed at supplementing and streamlining legislation on personal data protection could be completed in 2003. For the first time, the data protection legislation was gathered in a consolidated text implemented by legislative decree no. 196 of 30 June 2003 (Personal Data Protection Code). In the past few years, many legislative instruments had been enacted to amend and/or supplement Act no. 675 of 31 December 1996, i.e. the original Data Protection Act.
The provisions to be included in the consolidated text were carefully identified and examined during the preparatory work that ended at the beginning of 2003. The final choice was to adopt a consolidated text of primary legislation.
1.2. Structure of the Code
The Code, which also implemented Directive no. 2002/58/EC on the protection of privacy in the electronic communications sector, is divided into three parts. The first part lays down general provisions applying to all data processing operations as well as specific provisions applying to processing carried out by public or private entities. The second part of the Code includes specific provisions applying exclusively to some types of processing, which supplement or, in some cases, derogate from the general provisions set out in the first part. Administrative and judicial remedies, sanctions and the powers and activity of the Supervisory Authority are regulated in Part 3 of the Code.
1.3. Principles: The Right to the Protection of Personal Data and the Enhanced Safeguards
As regards safeguards in general, the Code sets out the autonomous right to the protection of personal data (Section 1 of legislative decree no. 196/2003) in compliance with the provisions laid down in the Charter of Fundamental Rights of the European Union as well as in the draft European Constitution.
Though based on the principles of simplification, harmonisation and efficiency, the Code provides that processing of personal data has to be performed in a such a manner as to ensure a high protection level (Section 2(2) ) of data subjects' rights as well as in compliance with the “data minimisation principle” applicable to all processing operations (Section 3). This principle was also extended to information systems and software, so that using personal and/or identification data is only allowed if such data are indispensable for lawful purposes in connection with specific cases.
1.4. Legislative Innovations: Access to Data
As regards access to personal data, the Code brought about some important innovations.
In particular, it is specifically provided for that the request to access personal data as well as exercise of related rights may also apply to evaluation data, without prejudice to the possibility of amending and/or supplementing them (Section 8(5) ). As regards limitations on the exercise of data subjects' rights, it should be pointed out that access may be “delayed” and, on the other hand, the data concerning incoming phone calls may be accessed – which would not be permitted otherwise – exclusively to prevent “actual, concrete” harm in respect of the performance of investigations by defence counsel and/or exercise of a right.
Another important innovation is laid down in Section 7, para. 2, subheading e) of the Code: an individual has the right to also obtain, from the controller, information on the other entities that, in their capacity as either data processors or persons in charge of the processing, may come to know his/her personal data.
1.5. Protection of Rights
With a view to affording enhanced safeguards for data subjects and simplifying, at the same time, the activities to be performed by data controllers, the Code lays down provisions aimed at simplifying the exercise of rights and encouraging the prior settlement of conflicts that may arise between data subject and data controller/processor. A longer term is laid down for the controller/processor to complete the procedure allowing an individual to exercise his/her rights (15 days as of receipt of the relevant request).
As regards judicial proceedings, the Code currently provides for a single type of proceeding to be instituted only before a standard court by way of a petition (Section 152).
1.6. Simplified Provisions Applying to Notification, Information and Consent
The Code also includes other innovations aimed at simplifying both the mechanisms for the exercise of data subjects' rights and the obligations to be fulfilled by controllers. The cases in which the processing is to be notified to the Garante - currently only via electronic means – are expressly set out, i.e. whenever the processing may entail dangers for the data subject (Sections 37 and 38 of legislative decree no. 196/2003). However, additional processing operations may be exempted from notification on the basis of a specific measure taken by the Garante. Similarly, the Authority may specify other processing operations that must be notified, although they are not included in the list referred to in Section 37 of the Code.
Other simplifying mechanisms are also provided for as regards the information given to data subjects. The Garante may actually set out simplified mechanisms to supply information, in particular if there is no direct contact with the data subject (this is the case, for example, of call centers, see Section 13, para. 3, of legislative decree no. 196/2003). The Code additionally provides for simplified mechanisms as regards informing data subjects and obtaining their consent in respect of processing operations in the health care context.
Finally, special importance should be attached to the simplification brought about – albeit by retaining a high-level protection – by increasing the number of cases in which private entities and profit-seeking public bodies may process personal data without the data subjects' consent.
This is the case of the processing of “standard” data carried out by not-for- profit organizations, provided that the processing concerns members' data and does not entail either communications to other entities or data dissemination, in compliance with the provisions applying to sensitive data (Section 24, para. 1, subheading h) of legislative decree no. 196/2003). It is also permitted to derogate from the consent requirement if processing of sensitive data is necessary in order to fulfil specific obligations provided for by legislation applying to employee/employer relations, provided that the limitations set out in the Garante's authorization are complied with (Section 26, para.4, subheading d) of legislative decree no. 196/2003).
1.7 Applicable National Law and Transborder Data Flows.
The Code completed transposition of the Community principle concerning the data controller's “establishment” as per Section 4 of Directive 95/46/CE, being the main criterion to determine the applicable national law. In line with the simplification applying to data transfer operations, the obligation to specifically notify the Garante of the transfer of personal data to third countries was excluded - if the categories of data to be processed do not fall under the scope of those subjected to mandatory notification.
1.8. Security Measures
As regards security measures, the Code re-affirms the “two-tiered” approach in respect of the obligations applying to data controllers, i.e. the obligation to adopt all measures “suitable” for minimizing the risks of causing damage to data subjects as regards lawfulness of processing and civil liability (Sections 15 and 31 of legislative decree no. 196/2003), and the obligation to take at least the so-called “minimum security measures” as regards criminal liability (Sections 33-36 and 169 of legislative decree no. 196/2003).
“Minimum” security measures were updated also on the basis of technological developments in the past few years. They are set out in ad-hoc technical specifications annexed to the Code (ann. B), which may be amended via a ministerial decree so as to facilitate their continuous updating.
1.9. Processing of Data in the Public Sector
No major changes were made to the regulatory framework applying to the processing of data by public bodies. Public bodies may continue processing sensitive data if either the law or, on a transitional basis, the Garante have specified the substantial public interest purposes that are pursued by means of a specific processing operation, and if the public bodies concerned have identified and disclosed the categories of data and processing operation at stake (Section 20 of legislative decree no. 196/2003, formerly Section 22-3bis of Act no. 675/1996). The Code allows public administrative agencies to fulfil their obligations within 30 September 2004, where they have not yet done so. Because of the sensitive nature of the processed data, which requires a high level of safeguards, the instrument by which public entities should specify the categories of data and processing operation to be carried out must be an item of secondary legislation and may be drawn up also on the basis of standard models (Section 20, para. 2, of legislative decree no. 196/2003).
1.10. Codes of Conduct and Professional Practice
Legislative decree 196/2003 has enhanced the importance of codes of conduct in respect of the protection of personal data. In particular, it provides for their adoption in several, highly significant sectors such as processing of data via the Internet and/or in the employment context, for purposes of direct marketing, by private credit reference agencies, or in connection with video surveillance activities.
The principle whereby compliance with the provisions set out in the relevant code of conduct is a prerequisite for the processing operations to be lawful has been extended to all codes of conduct in the data protection sector.
1.11 Traffic Data Retention
Though enacted quite recently, the Code was amended in respect of an important subject matter, i.e. processing of personal data for judicial reasons. By means of decree-law no. 354 of 24 December 2003, converted with amendments into Act no. 45 of 26 February 2004, an amendment was introduced into Section 132 of the Code – which regulates retention of traffic data for purposes connected with detection and suppression of offences.
In its original wording, Section 132 required providers of electronic communications services to retain “telephone traffic data” for 30 months for purposes related to detection and suppression of offences.
On the basis of some successful investigating activities regarding terrorism, contacts between the Garante and some judicial offices – in particular, the National Antimafia Direction – were established that led to considering new possible approaches which were then submitted as required to governmental authorities.
However, with a view to ensuring effective investigations into especially serious crimes, which may require long, quite complex inquiries, said decree-law had drastically suppressed any reference to telephone traffic and replaced it by the broader reference to “traffic data”. It had also provided for an additional 30-month data retention period in order to prosecute the offences set out in Section 407 para.2, subheading a) of the Code of Criminal Procedure, as well as the offences consisting in damaging electronic systems or software.
The solutions envisaged in the decree-law were widely debated. In order to ensure full respect for fundamental human rights, immediately after the passing of the decree-law and in connection with drafting of the converting law, as well as during the hearing of the President of the Authority before the Justice Committee at the Chamber of Deputies on 20 January 2004, the Garante pointed out that the extension envisaged in respect of the data retention period – which had been increased to 5 years compared with the 30 months set out initially in the Code as a maximum – and, above all, the application of the new provisions to Internet traffic would have resulted into a marked limitation on individual safeguards, by having also regard to the constitutional principles of freedom of communications and secrecy in correspondence.
Also in the light of the discussions held on 14 January 2004 in the Chamber – where two converging motions proposed by both the majority and the opposition were carried unanimously, requiring Government “to withdraw all provisions that potentially are in breach of confidentiality rights”, as well as to “more effectively regulate the processing of traffic data in respect of mobile telephony, in order to protect the rights of individuals” – , the Committee approved some amendments to the decree-law. Such amendments reduced the retention period to four years, envisaged applicability to both telephone traffic and “correspondence performed via electronic networks”, and entrusted the Garante with the task of setting out specific safeguards for data subjects.
In the course of Parliamentary discussions, it was decided to remove any reference to traffic data other than telephone traffic, also considering the sensitivity of systematic data retention in respect of Internet traffic.
A more thorough analysis was found to be necessary, also based on a public discussion, concerning the implications the above provisions might have on network development. Account was also taken of the impact produced by processing of these data on data subjects' privacy and other rights and fundamental freedoms, as well as of the objective complexity and difficulties related to retention and management of the data in question.
On the other hand, the Chamber confirmed the choice made by the Committee as for reducing the total retention period to four years. The Senate finally approved the bill as adopted by the Chamber of Deputies.
II - DATA SUBJECTS' RIGHTS AND DATA CONTROLLERS' DUTIES RIGHTS
7 RIGHT OF ACCESS
7.1. Employment Context
In two decisions dated 28 March 2003, the Garante examined the case of two employees that complained of the incomplete answers given by their former employer to the requests for access to their personal data regarding, inter alia, the reasons of their transfer to another office. The controller answered in both cases that he had communicated all the personal data contained in his archives and that he did not consider that he was obliged to create other data on purpose, i.e. in order to fulfil additional, different requests from the applicants.
The Garante considered that the answer provided by the company complied with the legislation in force concerning protection of personal data, whereby an employee has the right to access his/her personal data as held by the employer and to obtain their communication in a complete and intelligible way, but not to obtain the creation of inexistent data or their re-processing on the basis of indications given by the employee.
The Garante also stressed that the request to obtain information of contractual or professional nature, which in no way may be referred to identified or identifiable persons, did not fall within the scope of data protection legislation. This is the case, for example, of national collective agreements and/or intra-group agreements.
In fact, the right of access allows the employee to know his/her personal data as held by the respective employer, but it may not be exercised in order to gather information of a general nature that is not related to an identified or identifiable data subject.
7.2. Access to Data for Purposes of Justice
In connection with a decision on a complaint lodged against a Public Prosecutor's Office, the Garante pointed out that, as to data processing operations carried out for “purposes of justice” (see now Section 47 of legislative decree no. 196/2003), neither direct exercise of the right of access and other data subjects' rights nor lodging of a complaint with the Authority were allowed. In fact, it is possible to apply to the Garante for the latter to check compliance of data processing with the requirements set forth by the relevant legislation.
Therefore, the different mechanisms provided for in order to exercise data subjects' rights do not affect the actual protection afforded to data subjects, as the Garante is empowered to verify lawfulness and fairness of processing operations according to arrangements that are adequate to the specific contexts where said operations are performed and can ensure full respect both for the specific powers of the entities at stake and for the peculiar institutional role played by the judicial body in charge of a given proceeding (see Sections 8, 47 and 160 of legislative decree no. 196/2003).
In 2003, a number of cases were addressed concerning access by members or subscribers to the personal data related to other members of bodies or associations.
The Garante has pointed out, once again, that processing members' non-sensitive personal data without their consent is only allowed for lawful purposes that must be provided for in the relevant memorandum or articles of association; alternatively, any of the other prerequisites considered to have the same legal force as consent should be fulfilled, pursuant to the legislation in force.
This approach was confirmed by the Code with reference to data processing carried out by not-for-profit associations or entities, recognised or not, in respect of members and persons with whom they have regular contacts.
7.4. Traffic Data: Itemised Billing
The Garante has re-affirmed that the right of access fully applies to information included in invoicing, as far as personal data are concerned; on the contrary, it is not possible to ask suppliers of telephone services to have access to identification data and addresses of entities to whom phone numbers refer that appear in the printout of outgoing phone calls. The data subject may in fact know his personal data, but he is not allowed to know data and information regarding other individuals, as expressly provided for by the Code (Section 10, para. 5, of legislative decree no. 196/2003).
As for outgoing phone calls, this Authority also stressed that the controller has to answer only the access requests made by the person to whom the personal data referred to in the request relate. As an example, a case can be quoted in which the Garante pointed out unlawfulness of the answer given by a controller who had not denied access to a person who was not the actual user of the relevant phone number.
7.5. Traffic Data: Incoming and Malicious Phone Calls
The Code provides a solution to the issue regarding limitations on the exercise of the right of access to identification data in respect of the so-called incoming phone calls. The access to identification data of these calls is not allowed for purposes relating to the exercise of a right in a civil proceeding. It is only permitted where failing to do so would result into “actual, concrete” harm to the investigations performed by defence counsel during a criminal proceeding (Section 8, para. 2, subheading f) of legislative decree no. 196/2003; Act no. 397 of 07.12.2000).
As the Authority stressed in its decision of 18.02.2004, the above provision strikes a balance between the data subject's right to access his/her personal data and the right to privacy for third parties (the users-natural persons who made the calls and the persons who received the calls). The right of access is limited to the sole incoming phone calls that are really necessary to be known.
As regards access to malicious calls, in particular when calling line identification is not possible, the Code confirms the subscriber's right to request the service provider to temporarily override elimination of the presentation of calling line identification. It also expressly recognises the right to be informed (Section 127 of legislative decree no. 196/2003).
7.6. Unsolicited E-Mail
The addressees of unsolicited e-mail messages have the right to know from what source their data have been extracted, request at any time that their use for marketing or advertising purposes be discontinued, and that the data processed in breach of law be erased.
Without prejudice to the protection afforded under criminal law by the definition of spamming as a criminal offence (Section 167 of the Code), the data subject may, free of charge and without any special formalities, lodge a specific request with the sender of the unsolicited message(s); if he does not receive any answer within 15 days (or 30 days, if particularly complex operations are necessary), he may file a complaint with the standard judicial authority or else with the Garante.
As regards the complaints concerning spamming examined by the Garante, it was stressed that exercise of the right of access and the possible submission of a complaint to the Garante are not allowed in connection with personal data concerning third parties.
As regards the right of access to data held by credit institutions, it is important to underline that the controller must provide a free of charge answer to the access requests submitted by data subjects.
In some cases, credit institutions have made their answers conditional upon payment by their customers of fees allegedly necessary to retrieve and make the relevant documents available. This was considered unlawful by the Garante in a number of decisions. It was pointed out that the right of access had to be ensured free of charge and without any specific requirement. The Garante ordered the banks at stake to extract, from the records and documents in their possession, all the personal data requested concerning transactions, and to communicate them without delay to the data subjects in an intelligible way.
7.8. Private Credit Reference Agencies
The right of access to one's personal data is exercised frequently in respect of the so-called Credit Reference Agencies. The Garante has stressed that data subjects may apply directly to the controller / processor, as it is not indispensable to first submit the request to the Garante.
In some cases, the answers provided to the access requests lodged with banks and financial institutions were incomplete. The Garante repeatedly invited the entities in question to complete the information made available, and also asked that all personal data regarding their business relationships with customers should be disclosed. In other cases, CRAs failed to communicate personal data held in the form of a number defining the customer's level of reliability and/or creditworthiness. The agencies were then urged by the Garante to supplement information and communicate all the personal data on file concerning the given data subject, even though they were kept in the form of numbers.
7.9. Insurance Companies
As regards insurance companies, the Garante re-affirmed the principle that the personal information contained in evaluations and similar records within forensic medical reports drawn up for/by insurance companies have to be considered personal data and must be communicated to the data subject whenever he so requests.
The Garante had already pointed out in the past that if medical data collected during a visit carried out by a company's physician are communicated to the data subject, this communication should be made by a physician designated for this purpose either by the data subject or by the insurance company that is the controller of the processing. This issue is now regulated by Section 84 of the Code.
7.10. Access to Data of Deceased Persons
One of the most sensitive issues regarding access to personal data relates to accessing the data of deceased persons.
This issue was first addressed with regard to the banking sector. The right of lawful heirs to access the personal data of deceased relatives was recognised, including data relating to other individuals – e.g. joint holders of a bank account or persons authorized to perform transactions on said account – whenever the data subject's information and the data relating to others were so inextricably linked as to make the former, if extracted separately, unintelligible or distorted. Conversely, an access request concerning the personal data of a deceased processed by a bank was not accepted as it aimed at knowing specifically and directly the identity of the individual authorised by the said deceased to carry out specific bank transactions (Provision of 13.11.2003).
The data protection Code (see Section 9, para. 3) now refers to the entities that may have access to the personal data of a deceased, being any person that has an interest therein or else acts either in order to safeguard the data subject or for family-related reasons deserving protection.
In 2003, the Garante's opinion was sought on access to the personal data of the deceased in connection with insurance matters. On that occasion it was pointed out that the right of access to personal data of a deceased did not apply to information related to third parties such as the beneficiaries of insurance policies. This issue should now be taken into consideration in the light of the right of access to the records of insurance companies as regulated by the recently enacted Ministerial decree no. 74 of 20.02.2004.
The Garante also recognised the right by a relative to access the personal data relating to a deceased as contained in the latter's tax report, stressing that this right may be exercised by any person having an interest therein.
The Garante re-affirmed the principle that the right of access and the other rights now provided for by Section 7 of the Code – which may also be exercised in respect of publishers and directors of newspapers – applies to photos and other data disseminated through publications that are accessible via the Internet.
In its decision of 19.11.2003, the Garante ruled that a data subject's request aimed at knowing the identity of the person charged by RAI – Italy's Public Broadcasting Corporation – with the task of contacting him at his house within the framework of activities related to management and payment of the yearly subscription fee was inadmissible. In this respect, the Code now provides (Section 7, para. 2, subheading e)) that the data subject is also entitled to obtain from the data controller the names of the persons that, being either processors or persons in charge of the processing, may come to know his personal data.
8 ERASURE OF DATA
8.1. Erasure of Data Processed by Public Administrative Agencies
It is particularly important to recall the approach followed by the Garante regarding the request for erasing personal data included in a decision taken by a town council and posted on the town's bulletin board, which referred to a litigation involving the applicant.
The Garante rejected the complaint and highlighted that dissemination of the data subject's personal data was necessary in order for the administrative agency to fulfil its institutional obligations. Moreover, dissemination of the data was in line with the provisions in force regarding administrative procedure and publishing of administrative records (Section 124 of legislative decree 267/2000).
The decision appealed against did not include judicial data; the information disclosed was accurate and not excessive by having regard to the principle of transparency applying to the decisions of local authorities. However the Garante, striking a balance between confidentiality of personal data and transparency of administrative activities, re-affirmed the need to comply with the principles of relevance and proportionality.
8.2. Erasure of Data Regarding Payment of Debts
The issues concerning erasure of data related to payment of debts have been dealt with on several occasions. As regards exercise of the rights provided for by data protection legislation in respect of public registers of land, the Garante pointed out that privacy safeguards could not be claimed in order to obtain erasure of a recordation of attachment in breach of the regulations specifically applying to these matters. The Garante also considered a request for erasure of personal data contained in databases that had been set up and were managed by private companies extracting information from publicly available sources. This case is related to the broader requirement that financial information should be relevant and complete by having regard to the data subject's right to have his/her data retained for a limited period – i.e. for as long as is necessary to achieve the purposes for which the data were collected and subsequently processed (Section 11 of legislative decree no. 196/2003). In its decision, the Garante re-affirmed that processing of data extracted from public registers may be carried out also without the data subject's consent and referred to the provisions introduced by the Code in this sector; in particular, a specific code of conduct provided for therein will set out the new data retention periods regarding payment of debts (Section 119 of legislative decree no. 196/2003).
9 OBJECTING TO THE PROCESSING OF DATA
9.1. Taxation Matters
In an important decision of 12 January 2004, the Garante granted the complaint lodged by a taxpayer against communication of his data by a provincial licensee for tax collection. The data at stake concerned the complainant's credit records and had been disclosed to third parties with whom the latter was professionally related. As this communication was not provided for by any specific law and was in breach of relevance and proportionality principles by having regard to the purposes sought, the Garante ordered blocking of the processed data as a preventive measure.
In its decision of 02.07.2003, the Garante pointed out that the provisions set out in Presidential decree no. 600/1973 (Section 69) – whereby the list of taxpayers that have submitted their tax reports is publicly accessible at some financial offices as well as at the relevant municipalities – had not been either repealed or amended by the regulations concerning mechanisms to submit or transmit tax reports via electronic means (Presidential decree no. 322 of 22.07.1998). Therefore, a complaint lodged against dissemination of personal data contained in tax reports as resulting from publication of the aforementioned lists could not be granted, since the relevant publicity rules were adopted as part of a broader legislative policy aimed at enhancing transparency in respect of the data collected by public administrative agencies.
In its decision of 08.01.2004, the Garante dealt with the lawfulness of processing personal data contained in the items collected during investigations and then exhibited/produced within the framework of a judicial proceeding.
The Garante pointed out the principle whereby processing of data for the exercise of a specific right in the judicial context is allowed also without the data subject's consent if it is absolutely necessary for safeguarding the right at stake. Once the investigating activity is over, the processing must be discontinued in all respects, without prejudice to the immediate communication of the data to the defence counsel and/or the person that has conferred the task to investigate.
Data protection legislation has not amended the provisions of the Civil Code applying to condominiums (Section 1117 and following ones). However, condominiums may only process relevant, proportionate data in connection with management purposes. In particular tenants, who are considered joint controllers of the processing that is managed in concrete by the administrator, are entitled to know useful information regarding management and functioning of the relevant condominium including the tenants' payables/receivables as regards the condominium.
Therefore, the Garante ruled that providing information during the tenants' assembly on a tenant's payment defaults and subsequently reporting said information in the minutes sent to the tenants was compliant with data relevance and proportionality principles.
10 EMPLOYMENT CONTEXT
The Code on the protection of personal data introduced considerable innovations that are to be assessed jointly with the amendments recently provided for by legislative decree 276/2003, which was enacted further to the enabling powers granted to Government by Act no. 30/2003 in respect of occupational matters and job market regulation.
Special importance should be attached to the enhanced prohibition against investigating personal opinions and applying discriminatory treatments, as well as to the provisions relating to dissemination of data concerning exchange of information between job-seekers and job-offerers and to the communications provided by the press, the Internet, TV and other media. In particular, the provision regulating these communications took into account the Garante's view on the mechanisms to supply information to job applicants, i.e. the need to provide a complete information notice ever since the relevant job ad is published.
As regards the prohibition against remote surveillance of employees, the Garante has repeatedly dealt with different aspects of this subject matter and is expected to adopt a general provision applying to the surveillance by employers of the use made by employees of electronic means and e-mail facilities, with particular regard to the Internet.
Several petitions were addressed to the Garante by trade unions as regards video surveillance systems. In many cases it was recommended to the employers to comply with the provisions in force and/or with measures taken by the Garante. These cases concerned, in particular, surveillance devices deployed to protect corporate property, which at the same time could also film the employees at work.
11 SECURITY OF DATA AND SYSTEMS
In 2003, the Garante dealt with an important case regarding the security of personal data that were processed by a credit institution within the framework of e-banking services. Considerable attention was paid to this case, in particular in view of future developments and increased reliability of e-banking.
A customer using these services via the Internet, having accessed his data, decided to re-enter his site and check once more his accounts after a short period of time. In doing so, he happened to also access the files of other customers containing bank transactions, numbers of bank accounts, credit card data, tax payments and also salary information.
The bank maintained that the case reported by the complainant was exceptional and that the malfunctioning had occurred over a short time span.
After an accurate checking, the Garante established that the inappropriate organisation of systems and programs providing access to e-banking services failed to comply with the obligation to ensure secrecy of personal data in respect of a high number of customers as well as to prevent access by unauthorised entities. The security system was found to fall considerably short of the minimum level of protection required by law, which carried serious consequences in terms of civil and criminal liability.
The Garante stressed the need for the bank to update its risk assessment policy as related to the offer of e-banking services, so as to take preventative security measures that could ensure a high protection level for the data that may be accessed via these services. The Garante also ordered the bank to check and confirm that User-ID codes and passwords were used by both the employees in charge of the service and the users of e-banking services. A copy of the case file was forwarded to the competent judicial authority.
At the end of 2003, some proceedings were instituted regarding the measures taken by employers in connection with the retention of communications containing employees' personal data, in order to prevent access to said data by entities that are not involved in the events that are mentioned in said communications and/or are being disputed.
The Authority pointed out that the Code did not repeal the legislation applying to security of personal data that was enacted in 1996 – when the Data Protection Act was first passed. It re-affirmed the principle that the “minimum security measures” are only a part of the tools to be implemented with a view to security, even though failure to adopt such measures is a criminal offence. There is actually a more general obligation – which is also important in terms of civil liability – to retain personal data in such a way as to minimise the risk that the data may be destroyed, lost or processed unlawfully, or that they may be accessed inappropriately. There is additionally an obligation to deploy such protection devices as may be made available in the course of technical developments.
The list of “minimum security measures” was updated by the Code, which also specified some implementing arrangements via ad-hoc technical specifications. There are various measures to be adopted, depending inter alia on whether the processing is performed or not by electronic means and concerns sensitive or judicial data.
In a recent communication, the Garante pointed out that the minimum security measures also include the need for any entity processing sensitive and/or judicial data via electronic means to draw up the so-called Documento programmatico per la sicurezza (Security Policy Notice). The latter, though not a novelty, has some innovative features as regards its contents and the entities required to make it available. The Garante has provided a simplified basic model to carry out, especially in SMEs, the risk assessment relating to personal data, identify the measures to be taken in order to prevent data destruction and/or unlawful access to the data, and ensure training of staff.
The Garante has also set out the mechanisms to implement another important “minimum security measure” introduced by the Code, that is the obligation to communicate, in the report annexed to the annual balance-sheet, that the Security Policy Notice has been drawn up and/or updated. This requirement, which is aimed at making corporate top management aware of and responsible for the yearly planning of security policies, has already entered into force.
In its decision of 31 March 2004, the Garante specified additional data processing operations that are not to be notified to the Authority, in compliance with Section 37, para. 2, of the Code. The latter considerably simplified the notification mechanism, by requiring only some specific categories of processing to be notified to the Garante in advance, i.e. prior to commencement of the processing.
However, ever since the initial implementing phase of the new Code, the Garante considered it necessary to lay down additional exemptions applying, under specific conditions, to corporations, local entities, health care professionals, self-employed professionals, employers and persons responsible for video surveillance systems. In the relevant decision, the Garante took account of the suggestions made by some operators and trade associations.
No other processing operations could be detected so far in addition to those referred to in Section 37, para. 1, of the Code that may adversely affect data subjects' rights and freedoms and accordingly have to be notified. Conversely, it may not be ruled out that, at the end of this first implementing phase, other categories of processing are exempted from the notification obligation by having also regard to the submissions made by the relevant sectoral representatives.
III – PRIVACY AND OTHER RIGHTS
13 PROCESSING OF DATA SUITABLE FOR DISCLOSING HEALTH
Main issues addressed:
A) Communication of data disclosing health and sex life to entities other than the data subject. Under Section 26(4), letter c), Sections 60, 71, and 92(2) of the Code, this is only allowed if the right of the entity requesting the data is either a personal right or another fundamental right.
Main cases dealt with in 2003:
- Health care units are required to take special precautions in outsourcing factoring of medical bills and fees. In particular, the outsourcees have to be appointed as either data processors or persons in charge of the processing; data subjects must be informed in advance of the possibility that their personal data may be used for factoring purposes. The outsourcee will only have to be provided with the relevant data – i.e. no data on the medical tests carried out and/or the findings of such tests will have to be disclosed.
- Centres supporting and assisting drug addicts may lawfully notify judicial authorities of the existence of abandoned children since this activity falls within the scope of their duties as managers of public facilities; only the data that are relevant and necessary to give proof of the children's condition will have to be made available.
B) Scientific research. Under Sections 39 and 40 of the Code, no consent is required from data subjects if the research activity is provided for expressly by legislation and/or is part of a biomedical or health care research programme and the Garante has been notified thereof, or else if it is impossible to inform data subjects on account of specific reasons and the research programme has been evaluated favourably by the competent ethics committee AND authorised by the Garante.
Main cases dealt with in 2003:
- Work is in progress within an ad-hoc committee to evaluate the issues related to setting up of a system for epidemiologic surveillance of HIV-related infections.
C) Monitoring of health care expenditure. A decree enacted in 2003 requires a system to be set up to monitor public health care expenditure via standard prescriptions with OCR features and the creation of several databases.
The Garante pointed out the problems related to implementation of these provisions, in particular the risks to trace each patient's medical history via the personal identification data contained in the databases to be set up. To prevent any risks, no systematic processing of identification data is to be envisaged also to avoid discrimination between haves – citizens paying for their own health care and therefore not included in the public databases – and have-nots – citizens unable to afford the costs of medical treatment.
Work is in progress in cooperation with the Ministry for Economics and Finances to better outline the mechanisms for concretely implementing the decree in the various sectors.
Freedom of Association
14 ASSOCIATIONS, POLITICAL MOVEMENTS, AND PARTIES
Topical Issue: Consent. Under the DP Code, the data subject's consent and the Garante's authorisation are not required for associations (trade unions, trade associations, other types of association, etc.) to process the personal data concerning their own members. This also applies to political parties and religious confessions in respect of entities having regular contacts with them, on condition that the data are not disclosed to third parties and adequately secured.
Main cases dealt with in 2003:
- Use of the data concerning members of a sports federation for electoral propaganda purposes. The Garante clarified that, sports federations being private bodies, the rules on processing of personal data by private bodies applied; therefore either the members' informed, specific consent is obtained as related to the federation's memorandum and/or articles of association, or it is necessary to verify applicability of the other lawfulness prerequisites (fulfilment of contractual obligations, obligations set out by specific legislation, etc.).
B) Political Parties and Electoral Propaganda
Topical issue: Provision of an information notice for electoral propaganda purposes.
Main cases dealt with in 2003:
- The Garante clarified that, as a rule, clear-cut information must be provided to data subjects if census data contained in public and/or publicly available databases are used for electoral propaganda. For the purposes of the European and administrative elections scheduled in June 2004, the Garante dispensed candidates and parties making propaganda with the information requirement, which was found to be a disproportionate obligation, however exclusively if the data were taken from public lists and the data subjects were not contacted further.
No consent is required if the data are taken from lists, registers, documents, and instruments that are held by public bodies and freely accessible pursuant to laws or regulations (e.g. electoral lists held by municipalities, lists of members of professional rolls, etc.), or if telephone subscribers directories are used to send standard mail messages and/or make direct phone calls. In all other cases the data subject's prior, specific consent is necessary on the basis of an information notice specifying the purposes for which the data will be used.
C) Religious Confessions
Topical issue: Under the new DP Code, religious confessions do not need the data subjects' consent to process their sensitive data providing these data are not communicated/disseminated to third parties and the principles laid down in the Garante's authorisation are complied with.
Main cases dealt with in 2003:
- As to the claims lodged by citizens requesting that their personal data contained in the baptism registers kept in parish archives should be modified on account of their having changed their religious orientations, the Garante stressed that it was impossible to delete the claimants' names from the relevant baptism registers since the entries referred to an event that had taken place in reality. However, it was suggested that the baptism registers could be updated and supplemented by simply adding a rider to the information to be rectified.
Freedom of the Press
15 JOURNALISM AND THE MEDIA
The principles laid down in the Code with regard to journalistic activities and data protection, which have been re-affirmed and specified in the ad-hoc code of conduct in force ever since 1998, provided important guidance in the many decisions issued by the Garante in 2003 in connection with this topic.
Main cases addressed in 2003:
- Protection of children: no dissemination of the information concerning children that is excessive, irrelevant and such as to allow immediate identification of the children within the respective family groups. Several international instruments (UN Convention on the Child's Rights) and domestic law – including the Criminal Code – as well as the so-called “Charter of Treviso” adopted by the board of journalists in Italy already prohibit this approach.
- Forensic journalism: No publication of pictures of handcuffed defendants and/or convicts as this is in breach of human dignity.
- VIPs and privacy: Journalists are entitled to publish details of the private life of public figures insofar as this is relevant to the activities related to their public position. Thus, in a case concerning a well-known professional directing major public works, it was found that a newspaper could lawfully refer to the professional's fees and appointments, whilst the publication of data concerning the professional's and another person's health was irrelevant in this context and therefore punishable under the Code.
In this regard, mention should also be made of the judgment issued by the European Human Rights Court in July 2003 concerning the complaints lodged by Mr. Bettino Craxi, former Italian Prime Minister. The Court ruled that the Italian authorities (public prosecutor's office) did not protect confidentiality of Mr. Craxi's telephone communications because they allowed the contents of telephone interceptions, including the names and personal details of some of the called/calling parties, to be disclosed during a trial involving Mr. Craxi before Milan court.
- Disclosure of sensitive data: In a much publicized case concerning a lady's refusal to have her leg amputated despite her surgeon's pressing advice, the Garante recalled that journalists were required to safeguard dignity of the ill and therefore should refrain from disclosing irrelevant information such as the lady's address, particulars, and background.
Freedom of Enterprise
16 CREDITING AND INSURANCE
A huge number of complaints and claims were lodged in 2003 by citizens alleging the violation of basic data protection principles in connection with crediting and insurance activities. Special importance should be attached to those related to credit referencing agencies (CRAs) and banking and/or financial companies, which were focused mostly on non-compliance with the principles and obligations set out in a large-scope provision issued by the Garante in 2002. Such principles will be re-affirmed and strengthened in a forthcoming code of conduct, on which work is in progress.
Topical issues addressed in 2003:
- Deletion of data concerning defaults: Further to the principles laid down in the Garante's provision of 2002, all reports concerning defaults on payments that were subsequently performed without negative consequences for the banking institutions must be erased after one year. This deletion obligation means that it is unlawful for a CRA to add a rider (such as “remedied”) to the relevant file to show that the debt was repaid.
- Right to oblivion: the same principle (deletion of data after appropriate retention time) applies to “white” lists, i.e. to records concerning regular payments. The “right to oblivion” mandates deletion of these data after repayment of the loan in the absence of the data subjects' explicit consent to a longer retention period.
- Information to be provided to holders of insurance policies: The complex organisational structure of the insurance sector has required careful consideration of the wording to be used in the information notices for policyholders, in particular because – as pointed out by the Garante – a flawed privacy information notice makes the holder's consent inapplicable and accordingly prevents personal data from being processed lawfully under the DP Code. A standard information notice is being developed by the Garante in co-operation with insurance companies
- Processing of data suitable for disclosing health by insurance companies: Insurance companies are entitled to access medical data contained in policyholders' clinical records insofar as these data are absolutely necessary to provide the services requested from them; however, the policyholders' consent is mandatory, and only relevant and non-excessive data must be processed. Therefore, the Garante stressed that several complaints against acquisition of clinical records in full were grounded exactly because those records could include information of sensitive character that was irrelevant for the purposes at stake, i.e. checking on the actual existence of physical damage after accidents.
- Access to evaluation data: The Garante re-affirmed the concept that the personal information included in judgments and findings within the forensic medicine reports submitted to insurance companies was to be regarded as personal data and communicated to the relevant data subjects if they so requested.
Several complaints and questions lodged with the Garante in 2003 dealt with the interference in one's private life caused by the marketing of products and/or services.
Topical issues addressed in 2003:
- Use of electoral lists for marketing purposes: This is currently prohibited under the new DP Code, which only allows them to be made available for electoral purposes, for scientific/historical research activities, or else for the sake of an interest shared by the civil society at large.
- Customer profiling: Based on a survey carried out by the Garante in respect of the loyalty programs run by several retail chains, it appears that clarifications and guidance are required to ensure compliance with privacy legislation in particular as regards the provision of a suitable information notice if the data collected from customers are also used for profiling them and non-anonymous information is processed. Work is in progress on a code of conduct applying to data protection and direct marketing/interactive commercial communications; the guidance provided in the recently adopted FEDMA Code of Conduct will be taken duly into account.
IV – PRIVACY AND THE PUBLIC ADMINISTRATION
18 OVERVIEW : SENSITIVE AND JUDICIAL DATA
Topical Issue: The new data protection Code re-affirmed the principle whereby public administrative agencies are allowed to process personal data (whether sensitive or non-sensitive) if this is required for fulfilling their institutional duties, on condition that other relevant legislation is complied with. No consent from data subjects is required in the latter case.
As regards, in particular, sensitive and judicial data, their processing by public administrative bodies is permitted insofar as they are “indispensable” to discharge tasks that otherwise could not be fulfilled - again, unless laws and/or regulations expressly require such data to be processed. In the latter case, it is necessary for the laws/regulations in question to specify the substantial public interest pursued, the personal data to be processed, and the processing operations that may be performed.
The main problem that is yet to be coped with has to do with the need for public administrative bodies to set out – in ad-hoc regulations – the categories of personal data and the envisaged processing operations whenever these specifications are not contained in the laws requiring sensitive/judicial data to be processed for substantial public interests. This requirement has been abided by to a very limited extent by public administrative bodies so far, and the new deadline referred to in the Code (30 September 2004) will be a benchmark for their willingness to comply.
19 OPENNESS OF ADMINISTRATIVE PROCEEDINGS
Topical issue: Balancing openness of administrative proceedings as required by the law (Act no. 241/1990) with the right to privacy set out in the data protection Code.
Main cases addressed in 2003:
- Disclosure of the decisions adopted by local municipalities: The Garante confirmed, in several cases, the requirement that in publicising decisions adopted by a local municipality care should be taken not to breach the relevance and non-excessiveness principles, even though publicity of the relevant information is provided for by law. For instance, if said decisions refer to medical data (e.g. with a view to granting disability-related allowances), no personal identification data will have to be included in the documents that are posted on the public bills board.
- Access to administrative records: In addition to the considerations made above on balancing right of access to administrative records and right to privacy (see Paragraph 7), reference should be made to several cases concerning requests lodged by defence counsel in order to access medical records held by public health care bodies. Under the new data protection Code, access should be granted to such data further to the so-called “equal importance” principle – that is, processing personal data in order to enable access is only allowed if the right to be defended via the request for accessing administrative records is at least as important as the data subject's rights, or else consists in a personal right or another fundamental, inviolable right or freedom.
Additionally, the Garante specified that the assessment of the claims at stake was to be carried out on a concrete basis by ensuring the data subject's appropriate information and participation. If the access request is granted only in part, it will be necessary to abide by data relevance and non-excessiveness principles.
20 ELECTORAL CARD
Topical issue: Processing of personal data contained in the paper-based electoral card issued by Italy's Minister for Home Affairs in 2000.
Main cases addressed in 2003:
- We repeatedly pointed out the issues and risks related to using a paper-based electoral card rather than the forthcoming electronic ID-card, which is also scheduled to be used for voting purposes. In particular, the paper-based electoral card can disclose sensitive information on voting preferences as it is required to be stamped by each polling station also in connection with referendums – to certify that the holder has taken part in the voting.
21 CENSUS REGISTER DATA AND ELECTORAL MATTERS
Topical issue: Reconciling data protection legislation and processing of data contained in census registers, registers of births, deaths and marriages, and electoral lists – which are considered by law to be “public records”.
Main cases addressed in 2003:
- Disclosure to private entities of the information contained in census registers: The Garante re-affirmed that the provisions in force regulating census registers were left unprejudiced by the data protection legislation, therefore under the laws in force any person may request (and receive) information on someone's else domicile and registered family, plus any other information that is not in breach of serious and/or specific requirements serving the public interest.
- Use of census register data for institutional communications: This was found to be lawful by the Garante, in that a local municipality may use the data contained in its own census register to contact citizens in order to provide information on institutional (i.e. the local municipality's) initiatives.
- Disclosure of data contained in electoral lists: The Garante pointed out the new principles laid down in the data protection Code, whereby copies of the electoral lists held by local municipalities may only be made available to entities seeking to achieve purposes related to implementing election laws and/or the performance of scientific/historical/social research, or else in connection with the public interest at large. This amendment was introduced to comply with the purpose specification principle.
22 EDUCATION AND TEACHING
Topical issue: Protection of personal data and publicity of certain educational/teaching records, such as those concerning exams.
Main cases addressed in 2003:
- Use of students' personal data for commercial purposes: The Garante fined a teaching institution that had gathered students' personal data from the respective examination scores – which had been published as required by the law – in order to send them advertising material. This processing operation was found to be in conflict with the purposes for which the data had been publicised.
23 LOCAL AUTHORITIES
Topical issue: Ensuring implementation of the provisions set out in the Code concerning processing of sensitive and/or judicial data by public bodies, in particular via the ad-hoc regulations to be issued by each public body specifying the categories of data to be processed and the processing operations that are envisaged (see Paragraph 18).
Main cases addressed in 2003:
- National Directory of Census Registers (for the access to and exchange of census data): The Garante issued an opinion to the Ministry for Home Affairs concerning the draft regulations on management of said national directory; in particular, reference was made to the need for stipulating ad-hoc agreements with the entities authorised to access the registers in order to specify the purposes for which the data made available via this system might be used. It was pointed out that entities other than public bodies may only access the data further to laws and/or regulations, i.e. administrative decisions are not enough.
24 SERVICE OF NOTICES AND RECORDS
Topical issue: Safeguarding data subject's privacy in connection with the service of notices and records, pending the amendments to the applicable procedural rules.
Main cases addressed in 2003:
- Disclosure of personal data through inappropriate postage mechanisms: The Garante called upon a social security agency to modify the mechanisms for sending communications to citizens, in particular by refraining from using see-through envelopes that could allow disclosure of the addressees' personal data.
Reference should also be made to the changes brought about by the new data protection Code, which set out the principle whereby any official notices that cannot be delivered to the addressee in person are to be delivered in a sealed envelope bearing no reference to the specific contents.
25 PUBLIC REGISTERS, LISTS, AND PUBLICLY AVAILABLE INSTRUMENTS AND RECORDS
Topical issue: Lack of compliance with privacy protection principles in the processing of data coming from public registers and/or publicly available records.
Main cases addressed in 2003:
- Erasure of data concerning protested bills of exchange: The Garante dealt repeatedly with this issue, partly because the relevant legislation does not provide for harmonised rules in respect of retention period and prerequisites for striking off the information from the relevant lists. The need for complying with the purpose specification and proportionality principles was re-affirmed.
26 TAXATION AND FISCAL MATTERS
Main cases addressed in 2003:
- Requesting third parties for information concerning defaulting taxpayers: The Garante drew the attention of some licensed tax collection agencies to the violation of the data protection legislation resulting from the practice of asking third parties for information on defaulting taxpayers without the latter's knowledge. No laws and/or regulations allow such agencies to collect this type of data without the individual taxpayer's consent, in particular since information on the taxpayer's defaults is to be communicated to third parties; furthermore, the Garante pointed out that the data gathered in this manner were excessive in respect of the purposes to be achieved, since other tools are available for the agencies to collect the tax debts.
27 JUDICIAL ACTIVITIES, LEGAL INFORMATICS
Topical issue: Reconciling data protection provisions with the processing of personal data in connection with judicial proceedings.
Main cases addressed in 2003:
- Online publishing of judicial decisions: Further to the many cases submitted in the past few years to the Garante's attention, the new data protection Code set out provisions applying specifically to the online disclosure of personal data as contained in judicial decisions. In particular, the Code allows for the parties concerned to request the competent judicial authority – until the decision is final – to order that personally identifiable information be deleted from any judicial decisions and/or judgments to be published online.
Main cases addressed in 2003:
- Collection of personal data by the finance police: The Garante pointed out some inappropriate data collection mechanisms in connection with the controls carried out by the finance police on individuals that had been granted social benefits.
29 EMPLOYMENT CONTEXT
Topical issue: Ensuring data protection in the employment and social security context.
Main cases addressed in 2003:
- Processing of data concerning military and police personnel: A working party set up by the Garante in co-operation with the relevant military and police agencies has been considering the various issues related to processing of personal data, in particular those contained in employee personal files. Several instances could be identified in which adjustments to the current practices were required, in particular as regards inclusion of diagnosis information in the personal files (which is irrelevant and excessive based on labour legislation), processing of medical data to establish physical and mental qualifications, and processing of sensitive data in general (to ensure that no irrelevant data are processed).
- Processing of data concerning the disabled: Publication of a list of the disabled entitled to preferential employment on the web site of the employment policy department of a Province was found to be in breach of data protection legislation, and was subsequently blocked by the Garante.
30 STATISTICAL RESEARCH
Topical issue: Adoption of codes of conduct and professional practice applying to public and private bodies processing personal data for statistical and/or scientific purposes, where they are not included in the National Statistical System (Sistan). This is required by the new data protection Code and is expected to be carried out shortly.
Main cases addressed in 2003:
- So-called language census in Bozen/Bolzano “autonomous” province: This issue has been repeatedly addressed by the Garante. In particular, the need for bringing the relevant provincial legislation into line with data protection provisions has been pointed out; the language census mechanism – whereby all the citizens domiciled in the province are required, inter alia, to publicly declare the language group they opt for (i.e. German, Italian, Ladin) at the time the national census is carried out – would appear to fall short of data protection requirements, in particular since the data in question are of a sensitive nature as they entail information on ethnicity.
A complaint for breach of Community law is currently pending before the European Commission.
31 PROFESSIONAL ROLLS
Main issues addressed in 2003:
- Communicating the data contained in professional rolls to third parties: This was found to be lawful and is actually permitted under the new data protection Code, on condition the relevant laws and regulations and/or the by-laws to be set out by the individual professional rolls are complied with. The Garante pointed out that it was also allowed to disseminate (e.g. by posting the information on a web site) information on disciplinary measures adopted against a given professional, but this information was to be accurate, complete and updated.
V PRIVACY AND FUTURE CHALLENGES
32 TELEPHONY AND COMMUNICATION NETWORKS
The development of new technologies and electronic communication services has led to making further adjustments to personal data protection legislation both in Italy and abroad. The data protection Code followed a “technologically neutral” approach in this regard by introducing innovative features in respect of the provisions previously in force on processing of data in the telecommunications sector; at the same time, transposition of EC Directive 2002/58 could be completed.
32.2 Telephone Traffic Data
As for the retention of telephone traffic data, the Garante is expected to shortly lay down the measures and arrangements to be complied with in order to process said data for detecting and suppressing criminal offences – in line with Section 132(5) of the Code.
32.3 Itemised Billing and Other Issues
Also in 2003, the Garante addressed issues related to blanking of the final three digits of called telephone numbers in itemised bills sent to subscribers, which is one of the measures referred to in the Code to protect the privacy both of called subscribers and of users other than the relevant subscribers making phone calls from the terminals owned by said subscribers.
A provision is expected to be adopted shortly to address, once again, the possibility for the calls made from any terminal to be paid by alternative payment methods as well as the need to ensure that, in some cases, the caller's privacy as a natural person is safeguarded, eg. by using pre-paid phone cards (see Section 124(2) of the Code).
32.4 Unified Database of Fixed and Mobile Telephony Numbers, and New Telephone Directories
By a decision of the Authority for Communications Safeguards, it was provided that a database would be set up including some personal data in respect of all subscribers and pre-paid card holders, based on which new telephone directories in paper and/or electronic format will have to be created.
The providers of fixed and mobile telephony services are preparing, in co-operation with the Garante, revised versions of information and consent notices that are compliant with data protection legislation in order to include the subscribers' data into said database and, therefore, into the new telephone directories.
In this connection, the Code entrusted the Garante with the task of setting out, by an autonomous decision, the mechanisms to enter and use the personal data concerning subscribers (and pre-paid card holders) into publicly available paper and/or electronic directories (see Section 129). The Garante is therefore going to adopt said decision by specifying, in particular, suitable arrangements for data subjects to give their consent with regard both to inclusion of their data into directories and to any further processing of said data for purposes related to commercial or marketing activities, surveys, etc.
32.5 Other Instances of Co-operation with the Authority for Communications Safeguards
Further to the objectives laid down in a joint meeting between Garante and Authority for Communications Safeguards, the co-operation between these two entities was strengthened.
The Garante participated in the public consultation concerning introduction in Italy of the Enum (e-Number) protocol, which allows associating Internet addresses and phone numbers, in order to create a universal ID number; in particular, the participating operators' attention was drawn to some issues related to security and personal data protection.
Other meetings dealt with carrier pre-selection in particular as related to limitations and arrangements applying to processing of the data in connection with de-activation procedures.
32.6 Unsolicited Services and Data Subjects' Consent
The Garante paid considerable attention in 2003 to the difficult issues related to performance of fixed and mobile telephony agreements and services without the data subjects' prior consent; following the performance of some audits, a general provision is expected to be issued with a view to providing additional guidance and clarification in this regard.
32.7 Unsolicited Communications and Mobile Telephony
The practice of sending advertisements and/or information via mobile telephony services attained unprecedented proportions given the effectiveness of SMS-messaging to communicate in real time with a huge number of entities – according to mechanisms that may actually prove highly intrusive, e.g. whenever the messages are received at nighttime. Therefore, specific precautions are required in sending SMS messages, lawful as this may be, and the Garante pointed out the relevant requirements in some provisions.
The Garante highlighted the principles to be complied with by providers of TLC services and public administrative agencies in sending SMS messages of an “institutional” nature, i.e. the messages used by central and/or local authorities to wage information and awareness-raising campaigns or else to disseminate publicly relevant information.
In its provision of 12th March 2003, the Garante drew a distinction between the messages sent by telephone service providers at the request of public administrative agencies and those sent directly by public bodies.
In the former case, the subscribers' explicit consent will not be required exclusively if the messages are sent in connection with natural disasters and other emergency situations, further to the adoption by the relevant public body – if so allowed under the law – of an emergency measure for the purposes of ordre public, public health and hygiene. In the latter case, i.e. when SMS-messages are sent directly by public bodies, no consent will be required in respect of “institutional” communications as such. However, in both cases the telephone operators and the public bodies concerned, respectively, will have to provide prior, adequate information to users in respect of mechanisms and purposes of the processing performed on the personal data in question as well as in respect of the possibility of receiving institutional messages.
The Garante stressed in June 2003 that it is unlawful to send ads via SMS-messages without the subscribers' prior free, informed consent; it is also unlawful for a telephone service provider to make conclusion of the subscription agreement and/or activation of a pre-paid phone card conditional upon the person's consent to receive advertising messages. Investigations were subsequently started by the Garante to establish whether the circumstances were such as to require imposition of fines and/or adoption of other measures – ultimately including the preferment of information to criminal judicial authorities.
32.8 Multi-Media Messaging (MMS) and Video-Calls
Having completed a survey of the issues related to MMS-messaging as reported in a provision issued in March 2003, the Garante is preparing guidance on the processing of personal data carried out via the so-called video calls, which may entail collection of images concerning the called and calling party as well as other individuals nearby.
32.9 Location Data
Enactment of the data protection Code also resulted into the adoption of specific regulations concerning location data, whereby ad-hoc safeguards are envisaged in connection with processing location data other than traffic data (see Section 126 of the code). In particular, a specific information notice is to be given by the controller prior to service activation, and specific rules apply to withdrawal of the data subject's consent and/or temporary “freezing” of the service on offer. An ad-hoc provision is expected to be adopted shortly by the Garante to clarify the issues at stake, given the sensitivity of these data.
33 PROCESSING OF PERSONAL DATA ON THE INTERNET
33.1 In General
In the light of the peculiarities of the electronic communications sector and the quick pace of technological development, including the ever increasing amount of personal data that are transferred and/or exchanged on the Net, the codes of conduct and professional practice provided for by the data protection Code in this regard are bound to play a key role in terms of regulating processing operations and affording effective safeguards to data subjects.
The multifarious issues to be addressed in this area point to the need for international co-operation, which the Garante is carrying on in the relevant fora such as the OECD, European Commission, and Article 29 Working Party.
33.2 Unsolicited Mail
In May 2003, the Garante adopted a general provision concerning unsolicited messages sent for direct marketing, advertising and promotional purposes. The opt-in principle was re-affirmed, by stating that e-mail addresses that are publicly available on the web, on discussion groups or on registrars' directories are not to be used to send unsolicited messages, unless the addressee has given his prior consent and has been informed of the rights arising from the data protection law. Therefore, the Garante prohibited further unlawful data processing aimed either at sending advertisements or carrying out direct marketing activities, or performing market polls or interactive commercial communication.
However, the opt-in principle was partly softened in the new data protection Code pursuant to the approach followed in the e-privacy Directive (2002/58/EC). In particular, a company may send commercial communications to its own customers in connection with the sale of products and/or services, on condition that the customers have already provided their e-mail addresses after being adequately informed, in particular of the possibility to object to this practice, and that the products and/or services in question are similar to those previously supplied.
In consideration of the transnational nature of the problem, the Garante has been actively taking part in international networks such as the CIRCA-based one, aimed at fostering cooperation between DPAs and dealing with international complaints. The anti-spam initiatives undertaken by the OECD are also followed with special interest.
33.3 The Code of Conduct
The Garante plans to rapidly finalise the code of conduct applying to processing of personal data by providers of communication and information services via electronic networks, in pursuance of Section 133 of the data protection Code. The code of conduct is expected to provide additional guidance to ensure users' awareness and adequate information as well as to foster openness and fairness of processing operations by fully complying with the principles set out in Section 11 of the data protection Code.
34 TRANSBORDER DATA FLOWS
The data protection Code upgraded the provisions on transborder data flows (Part I – Chapter VII) by completing transposition of EC Directive 95/46. Basically, data flows to a third country are only allowed if said country affords adequate protection of personal data; alternatively, one of the lawfulness prerequisites set out in domestic law must be fulfilled. The Commission's decisions on adequacy of the level of protection existing in Canada and Guernsey were transposed by the Garante in 2003 via own authorisations.
Reference should also be made to the survey carried out by the Garante concerning transborder data flows by major Italian companies, with particular regard to the safeguards implemented to protect data subjects' rights. The findings of this survey showed that about 84% of the companies transferred data abroad; in 40% of the cases, the personal data transferred abroad concerned employees and, to a lesser extent, other companies. Data are usually transferred on the basis of the data subjects' consent, although other lawfulness conditions are applied as well. Only in a limited number of cases (5% of the whole) did the companies at stake use the Commission's Standard Contractual Clauses, partly on account of their being relatively new as a legal instrument.
35 STANDARD CONTRACTUAL CLAUSES
Several enterprises and company groups operating on the international market have applied to the Garante for clarification and guidance on implementation of the provisions concerning transborder data flows.
In particular, the Garante dealt with a project envisaging implementation of a centralised information system at international level for managing a corporate group's human resources, to be outsourced to a US-based company. Outsourcer and outsourcee had already entered into a so-called global agreement based on the EU's standard contractual clauses for transborder data flows between data controllers; this agreement was supplemented by an addendum based on standard contractual clauses for the transfer of personal data from the EU to processors established in third countries. The Garante welcomed the company's decision – further to the advice provided by our authority – to retain, in the revised addendum, the clause concerning the data exporter's and importer's joint and several liability for damage caused to data subjects on account of the infringement of contractual obligations.
Reference should also be made in this connection to the work in progress within the Article 29 Working Party concerning, in particular, the so-called Binding Corporate Rules – i.e. binding corporate codes of practice – and their capability to afford sufficient safeguards in respect of transborder data flows between entities that belong to the same multinational group.
Public and Private Security
36 TRANSFER OF PNR (PASSENGER NAME RECORD) DATA
The issues related to transfer of passengers' personal data to the authorities of non-EU countries rose in importance during 2003 on account of the submission of requests similar to those coming from the USA by countries such as Canada and Australia; this sparked a debate in Europe as well as internationally on the right balance to be struck between border controls, fight against terrorism, and protection of the fundamental right to personal data protection.
In particular, reference should be made to the contribution given by the Garante to the activities performed by the Article 29 Working Party in the attempt to provide guidance to the Commission and US authorities during the negotiations on how to develop transfer mechanisms that could be compatible with personal data protection principles. The Working Party re-affirmed the need for abiding by at least the fundamental principles set out in the EU privacy directive – namely, purpose specification (PNR data should only be used for fighting terrorism and other specific terrorism-related offences and disclosed exclusively to specific entities), proportionality (only such PNR data as are necessary for the purposes in question should be transferred), data retention (retention should be limited to a short period), prohibition against processing sensitive data, and ensuring that data subjects can exercise their rights. The criticisms levelled by the Working Party were supported by the European Parliament, which adopted several resolutions inviting the European Commission to lay down a clear-cut legal framework for the transfer and suggesting the conclusion of an international – possibly multilateral – agreement in this sector.
Of note, the system developed by Australia for the purpose of obtaining PNR data was judged favourably by the Article 29 Working Party as it envisages transfer of a more limited number of data for specific purposes and does not entail systematic retention of the collected data.
37 VIDEO SURVEILLANCE
It should be pointed out that the Article 29 Working Party recently adopted an opinion containing a “decalogue” on the precautions and principles to be abided by in connection with video surveillance, including the processing operations performed for public security and/or crime prosecution purposes by means of video surveillance.
37.1 Video Surveillance and Public Bodies
Several complaints and reports were lodged with the Garante concerning the use of video surveillance by public bodies, partly on account of the increasing deployment of video surveillance systems in the public sector – especially as regards local authorities. Several data controllers also submitted requests for clarification and guidance.
A provision of a general nature was therefore adopted by the Garante in April 2004 to set out more specific principles and precautions in connection with video surveillance, in view of the forthcoming adoption of an ad-hoc code of conduct as per section 134 of the data protection Code.
37.2 Video Surveillance and Private Bodies
The Garante had to deal repeatedly with the use of video surveillance systems in the private sector; in particular, the principles set out in a general provision issued in 2000 were re-affirmed – again, pending finalisation of the ad-hoc code of conduct. The scope of application of data protection laws as regards installation of video surveillance equipment for security purposes in tenements and/or areas opposite the entrance to private dwellings was clarified; other interesting cases had to do with the deployment of video surveillance systems that could potentially allow remote monitoring of employees, and with a project envisaging experimental installation of video surveillance systems on train cars travelling along specific railway routes where vandalism and/or petty crimes are frequent.
As pointed out by both the Article 29 Working Party and other international fora such as OECD's Working Party on Information Security and Privacy, biometric data carry highly sensitive information; using them may entail severe dangers related to the unauthorised and/or blanket exploitation of information derived from markers such as fingerprints – even though it should be acknowledged that they can contribute to securing access to data, equipment and/or systems by reducing the application of other personal data that allow identification more directly, e.g. a person's name and address.
38.1 Biometric Data: Issues Addressed by the Garante
Given the risks related to the use of biometric systems, the Garante enhanced its supervisory activities in this sector. Special attention was paid, for instance, to the deployment of such systems to monitor accesses to the workplace and/or university canteens.
Reference should be made to a project called S-Travel, submitted by an international consortium. This project envisaged initial tests at the Athens and Milan Malpensa airports on the use of biometric authentication technologies – based on fingerprints and/or iris scans – with particular regard to check-in and boarding operations. The Garante pointed out that it was necessary to comply with data minimisation and proportionality principles as well as with data relevance and non-excessiveness requirements. In the case at stake, the technologies to be implemented were only partly suitable for achieving enhanced security of airport controls; furthermore, the collection of biometric data related to both fingerprints and iris scans of both eyes was found to be excessive and disproportionate compared with the purposes of the processing.
Compliance with the aforementioned principles was pointed out as a fundamental requirement also in connection with the installation of biometrics-based systems by some banks to monitor accesses to their branch offices.
The Garante took part in the activities of the so-called Electronic Passport Working Party set up at the Ministry for Foreign Affairs in order to deal with the issues related to inclusion of biometric data in passports; the Garante's opinion was sought by the Ministry for Home Affairs in connection with the new electronic form to request residence permits, which envisages the use of biometric data.
39 POLICE ACTIVITIES
Some reports were submitted to the Garante in 2003, either directly or following access requests lodged by data subjects with the Public Security Department at the Ministry for Home Affairs, to complain about the recording of inaccurate, incomplete and/or obsolete data by the Data Processing Centre at said Department – mostly in connection with judicial and administrative measures that allegedly had not been taken into account.
The Garante has repeatedly pointed out that the data stored in the Data Processing Centre and/or processed for the prevention, detection or suppression of criminal offences should be lawful, relevant and non-excessive; the new data protection Code has strengthened these principles further and actually enabled Government to issue ad-hoc regulations in order to better specify the application of these principles to processing operations performed by the police.
40 SCHENGEN INFORMATION SYSTEM – NEW DEVELOPMENTS
The activities undertaken by the Schengen Joint Supervisory Authority (JSA) in 2003 should be also mentioned, the Garante being a member of the JSA. The Garante's Secretary General acted as JSA Chairman throughout 2002 and 2003.
The 6th Report covering the JSA's activities in 2002 and 2003 was published in December 2003. In particular, the JSA set out to raise awareness of the proposed changes to the Schengen Information System (SIS) and to influence the development of the second-generation SIS (SIS II).
Deployment of an expanded version of the SIS is scheduled to come into operation in 2006. The Report mentions the initiatives undertaken by several Member States in this regard, highlighting the main areas of concern to the JSA - i.e. the proposed expansion of the scope of the information held in the SIS (such as biometric data) and the definition of the mechanisms regulating access to and use of the data held in the SIS. The JSA, though recognising that the current proposals mark a historic point in the development of the European Union, has warned that they would result in a fundamental change to the nature of the system, which would be turned at least partly into an investigation tool. The JSA expressed its concern about the moves to allow organisations such as Europol and Eurojust access to the SIS, and requested a more thorough examination of the implications of storing biometric data in the SIS.
At the same time, the JSA made efforts to bring the debate on changing the SIS to the fore. Two public hearings held at the European Parliament on 25 March and 6 October 2003 provided the opportunity for the JSA to make its position clear; the JSA was encouraged to note that there was considerable interest from Members of the European Parliament, particularly with regard to the implications of the resulting system on the rights of individuals.
As required under the data protection Code, a copy of the JSA's Report is attached to this Annual Report (available at www.garanteprivacy.it).
42 GENETIC DATA – THE GARANTE'S TASKS AND INTERVENTIONS
The Garante re-affirmed the principle – already set out in the data protection Act – whereby genetic data may only be processed further to an ad-hoc authorisation issued by the Garante (see Section 90). Said authorisation is expected to be released within 2004, after hearing the Minister of Health's opinion; pending publication of this general authorisation, the provisions made in respect of genetic data processing in another ad-hoc authorisation issued in 2002 will have to be complied with.
A specific issue addressed by the Garante in 2003 had do to with an in-depth genetic study carried out in the Südtirol (Bozen/Bolzano) province concerning populations living in isolated mountain areas; several precautions were pointed out to comply with the relevant provisions in the data protection Code. Reference should also be made to assisted reproduction issues, as the Garante co-operated with the Ministry of Health in connection with enactment of the relevant legislation (Act no. 40/2004) – the aim being to prevent the centres carrying out assisted reproduction procedures from being obliged to disclose the names of all the entities availing themselves of assisted reproduction. Useful guidance was also provided in this regard by the Working Document adopted by the Article 29 Working Party on 17 March 2004.
VI ACTIVITIES PERFORMED BY THE GARANTE
50 HANDLING OF COMPLAINTS
The number of “formal” complaints dealt with in 2003 rose to 608, which shows that this remedy has become familiar to the public at large as well as to legal professionals. This is due partly to the expeditiousness of the relevant proceeding, the small costs involved, and the possibility for data subjects to protect their rights without being obliged to seek legal counsel. In particular, the right of access – whose impaired exercise can give rise to these “formal” complaints – is being used in connection with an ever-increasing number of issues.
Only in very few cases were the Garante's decisions challenged, and anyhow they were subsequently upheld by the appellate courts. In this regard, reference should be made to the recognition given by judicial authorities to the circumstance that the evaluation data contained in forensic medicine reports are to be regarded as personal data.
The data protection Code has amended some of the provisions regulating these complaints, by extending the period available to data controllers/processors in order to comply with the requests made by data subjects to access their personal data (currently 15 days); the term for the Garante to issue a decision on a complaint – which may only be lodged if the above requests have not been complied with in full - was also increased to 60 days, which better serves the principle whereby both parties should have the possibility of being heard. Finally, the Code now provides that the Garante's decision on awarding of procedural costs is an enforceable instrument.
As for the subject matters of these complaints, they related mostly to the banking, financial and insurance sectors, the so-called “credit reference agencies”, telecommunications matters, and public administrative agencies.
51 INSPECTIONS AND IMPOSITION OF ADMINISTRATIVE SANCTIONS
Inspections are regulated by Sections 157-160 of the data protection Code. They may be initiated either by reports and complaints lodged with the Garante, the need to investigate issues arising in the course of other proceedings, or upon the Garante's initiative – e.g. to verify that certain categories of data controller abide by the relevant requirements, or else following news and information coming to the Garante's knowledge. It should be pointed out that the entities concerned by such inspections are required to co-operate and allow the investigations to be carried out; however, an authorisation from judicial authorities is required to access “private premises or dwellings”.
In performing inspections, the Garante may avail itself of the collaboration of the police, in particular the Finance Police – which recently signed a memorandum of understanding with the Garante in order to strengthen co-operation further.
Some of the most important cases that were investigated by the Garante in 2003 concerned activation of telephone paycards without informing the relevant subscribers, spamming, and application of security measures to e-banking activities. During the inspections it was found that major company groups tend to set up veritable “privacy departments” to deal with these matters, whereas there is more resistance in the public sector to the implementation of data protection principles.
As for sanctions, the new Code draws a distinction between administrative violations and criminal offences, and empowers the Garante to impose penalties (fines) in the former case. Most administrative violations were related to the failure to provide information to data subjects and/or the provision of flawed information notices, non-compliance with the Garante's request to produce documents and provide information, and the failure to notify processing operations or the submission of incomplete notification forms.
52 INFORMATION AND COMMUNICATION ACTIVITIES
Information and awareness-raising activities concerning all the issues addressed by the Garante were enhanced further during 2003. The Garante's work was covered in depth by all communication media, including the Internet.
It should be pointed out that the Garante has developed different information products to meet the different requirements of both specialists and the public at large. A weekly newsletter – which is also available online – describes the decisions and activities by the Garante at national and international level. A CD-ROM is published yearly containing a digital, hyperlinked archive with the Garante's decisions, the relevant legislation, Annual Reports and all other available publications. Ad-hoc flyers and leaflets have also been created to clarify several data protection issues. A bi-monthly publication called “Garanteprivacy.it” has been devised as a tool addressed, in particular, to top-level representatives from institutions and the industry. The web site managed by the Garante is also continuously updated and provides an insight into the multifarious activities pursued by our authority as well as making available several tools to simplify compliance with administrative requirements - e.g. online notification system, downloadable access application forms, etc. .
Reference should be made here to the Public Relations Department, which started operating in a full-fledged version in 2003 and quickly became a key component in implementing the communication policy followed by the Garante. The topics most frequently addressed by the PRD in 2003 had to do with spamming, credit reference agencies, exercising access rights, video surveillance, processing of personal data in the employment context, transborder data flows, and balancing right to privacy and right to access administrative records. Several thousands of questions and requests for documentation were e-mailed to the Department and a considerable number of requests were dealt with on the phone.
Finally, in order to actively participate in fostering the culture of data protection in the public and private sectors as well as to ensure streamlined implementation of legislation and compliance with the relevant requirements, the Garante started several training initiatives that focused, in particular, on the organisation of workshops and courses targeted to private bodies and public administrative agencies.