
Authorisation No. 7/2004 Concerning Processing of Judicial Data by Private Entities, Profit-Seeking Public Bodies and Public Entities - 30 June ...


[doc. web. n. 1115375]

[Italian version doc. web. n. 1037074]

Authorisation No. 7/2004 Concerning Processing of Judicial Data by Private Entities, Profit-Seeking Public Bodies and Public Entities



As of this day, with the participation of Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi and Mr. Mauro Paissan, Members, and Mr. Giovanni Buttarelli, Secretary-General;

Having regard to Legislative Decree no. 196 of 30 June 2003, containing the personal data protection Code;

Having regard to, in particular, Section 4(1), letter d), of the abovementioned Code, in which sensitive data are referred to;

Having regard to, in particular, Sections 21(1) and 27 of the Code, which allow judicial data to be processed by public and/or private bodies or profit-seeking public bodies, respectively, exclusively if this is expressly permitted by laws or a Garante's provision in which the substantial public interest served by the processing, the categories of processed data, and the operations specifically authorised are detailed;

Having regard to Section 20, paragraphs 2 and 4, and to the provisions concerning specific sectors as contained in Part II of the Code, in particular Chapters III and IV of Title IV, where purposes in the substantial public interest are referred to such as to allow for the processing of judicial data by public bodies;

Having regard to Section 22 of the Code, setting out the principles applying to the processing of sensitive and/or judicial data by public bodies;

Whereas the processing of the data in question may be authorised by the Garante also ex officio by way of general provisions applying to specific categories of controller and/or processing (Section 40 of the Code);

Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation decrees;

Whereas after entry into force of the Code it is appropriate to grant new general authorisations replacing those due to expire on June 30, 2004 by streamlining their provisions in the light of the experience gathered so far;

Having regard to Sections 51 and 52 of the Code concerning law informatics; having regard to the need for fostering the continuation of documentation, study and research activities in the legal sector with particular regard to dissemination of information on case-law partly because of the similarities existing between said activities and those related to freedom of expression as regulated by Section 137 of the Code;

Whereas it is appropriate for these new authorisations to be also provisional and time-limited in pursuance of Section 41(5) of the Code and, in particular, to be effective for a twelve-month term by having regard to the initial implementing phase of the new provisions contained in the Code;

Whereas it is necessary to ensure compliance with principles aimed at minimising the risk of affecting or endangering, through the processing, fundamental rights and freedoms and human dignity, with particular regard to the right to personal data protection set out in Section 1 of the Code;

Whereas a considerable number of processing operations involving sensitive data are carried out by self-employed professionals included in the relevant registers and lists in order to discharge the respective professional tasks;

Having regard to Section 167 of the Code;

Having regard to Section 11(2) of the Code, whereby any data that is processed in breach of the relevant provisions applying to personal data processing may not be used;

Having regard to Section 31 and following ones in the Code, and to the Technical Specifications contained in Annex B to the Code, setting out rules and specifications in respect of security measures;

Having regard to Section 41 of the Code;

Having regard to official records;

Having regard to the considerations made by the Secretary General on behalf of the Office, in pursuance of Section 15 of the Rules of Procedure of the Garante (no. 1/2000);

Acting on the report submitted by Prof. Giuseppe Santaniello,


Hereby authorises

The processing of judicial data for the purposes in the substantial public interest specified hereinafter in pursuance of Sections 21 and 27 of the Code, in accordance with the requirements set forth below.

Prior to starting and/or continuing the processing, information systems and programmes must be configured by minimising the use of either personal data or identification data so as to rule out their processing if the purposes sought in the individual case can be achieved by using, respectively, either anonymous data or mechanisms that allow identifying the data subject only if this is necessary, in accordance with Section 3 of the Code.

Chapter I - Employment context 

1) Scope of Application and Purposes of the Processing

This authorisation shall be granted, without any request being necessary, to legal and natural persons, bodies, associations and organisations which:

a) are parties to an employer-employee relationship;

b) employ workers even according to atypical, part-time or temporary arrangements;

c) commit a professional task to consultants, self-employed professionals, agents, representatives, and mandataries.

The processing must be indispensable in order to comply or ensure compliance with specific obligations or else to fulfil specific tasks laid down in laws, Community legislation, regulations or collective agreements, also if applying to individual businesses, for the sole purpose of managing employer-employee relationships as also related to self-employed workers, unpaid and honorary jobs.

This authorisation shall also be granted to entities carrying out dispute resolution activities pursuant to law insofar as the processing of data is indispensable for said activities.

2) Data Subjects

The processing may concern data relating to entities that act or intend to act in the capacity as:

a) employees, including on a temporary basis or as trainees or apprentices, partners or associates, or else recipients of labour grants, or parties to similar relations;

b) directors or members of executive or supervisory bodies;

c) consultants and self-employed workers, agents, representatives, and mandataries.


Chapter II - Associations and foundations

1) Scope of Application and Purposes of the Processing

This authorisation shall be granted, without any request being necessary:

a) to associations, recognised or not, including political parties and movements, trade-union associations and organisations, assistance or voluntary organisations, foundations, committees and any other non-profit bodies, consortia or organisations, regardless of their having legal personality, and to the social cooperatives and mutual aid societies referred to in Act no. 381 of 08.11.1991 and Act no. 3818 of 15.04.1886, respectively;

b) to bodies and associations, recognised or not, which are in charge of assistance, rehabilitation, education, vocational training, social and health care assistance, charitable activities and protection of rights with regard either to the entities the data refer to or to their family members and cohabiters.

The processing must be indispensable in order to achieve specific, lawful purposes as set out in articles or memorandums of association, or in a collective agreement.

2) Data Subjects

Processing may concern data relating to:

a) members, partners, and adherents as well as any entity applying for membership/accession if utilisation of the relevant data is provided for by the relevant articles or memorandum of association;

b) any entity benefiting from, assisted by or using the activities and services delivered by the individual association, body or organisation.


Chapter III - Self-employed professionals

1) Scope of Application and Purposes of the Processing

This authorisation shall be granted, without any request being necessary, to:

a) self-employed professionals, whether associated or not, who are required to be included in the relevant lists or registers for carrying out professional activities either alone or jointly with others, also in pursuance of legislative decree no. 96 of 02.02.01 or else in compliance with the implementing provisions of Section 24(2) of Act no. 266 of 07.08.97 concerning assistance and advisory activities;

b) any entity that is included in the special registers or lists set up in pursuance of, inter alia, Section 34 of Royal decree-law no. 1578 of 27.11.33 as subsequently amended and supplemented - concerning regulations for the Bar;

c) substitutes, staff and trainees working with a self-employed professional in pursuance of Section 2232 of the Civil Code, whenever they are controllers of a separate processing operation or act as joint controllers of the processing carried out by a self-employed professional.

2) Data Subjects

Processing may concern data relating to clients.

Data concerning third parties may only be processed if this is absolutely indispensable to carry out specific professional activities as requested by clients for specific, lawful purposes.


Chapter IV - Banking and insurance companies and other types of processing

1) Scope of Application and Purposes of the Processing

This authorisation shall be granted, without any request being necessary, to:

a) businesses authorised and/or intending to be authorised to carry out banking, crediting, insurance or pension fund-related activities, also in case of their compulsory winding-up, with a view to establishing:

  1. moral qualifications of partners and holders of executive and/or elective offices, as provided for by the relevant laws and regulations;
  2. personal qualifications and grounds for disqualification exclusively where this is provided for by law;
  3. liability for accidents and/or events relating to human life;
  4. the existence of a concrete danger affecting appropriate discharge of insurance functions, as regards offences that are directly related to said functions. In the latter cases, the controller must provide the Garante with a detailed report on processing arrangements insofar as the processing concerns data contained in a specific data bank pursuant to Section 4(1), letter p), of the Code;

b) controllers of a processing operation in connection with requesting, acquiring, and delivering instruments and documents from/to the competent public departments, these tasks having been committed by the relevant data subjects;

c) securities brokerage companies, open-end investment companies, and savings and pension funds management companies in order to establish moral qualifications pursuant to the provisions applying to financial brokerage, social security and/or supplementary pension schemes as well as further to other laws and regulations, if any.


2) Additional Processing Operations

This authorisation shall also be granted:

a) to any person whomsoever, for the establishment or defence of a legal claim even by third parties, including administrative proceedings and arbitration or settlement procedures in the cases provided for by laws, Community legislation, regulations or collective agreements, on condition that said claim is not overridden by the data subject's one and the data are processed exclusively for the above purposes and for no longer than is absolutely necessary therefor;

b) to any person whomsoever, with a view to the exercise of the right of access to administrative records in pursuance of the relevant laws and regulations;

c) to natural and legal persons, institutions, bodies, and organisations carrying out private investigation activities as licensed by the prefetto in pursuance of Section 134 of Royal decree no. 773 of 18.06.31, as subsequently amended and supplemented.

The processing must be necessary:

  1. to enable the entity committing a specific task to establish or defend a legal claim that is not overridden by the data subject's one, or else a personal right or any other fundamental, inviolable right;
  2. to detect and collect information in favour of a client on the defence counsel's instructions in connection with a criminal proceeding, whereby such information will only be used for the exercise of the right to submit evidence (as per Section 190 of the Criminal Procedure Code and Act no. 397 of 07.12.2000);

d) to any person whomsoever, in order to comply with the obligations laid down in laws concerning anti-Mafia communications and certifications or the prevention of Mafia-type crime and other serious, socially dangerous activities, as also contained in Act no. 55 of 19.03.90 as subsequently amended and supplemented, or else in order to produce the documents required by law to participate in calls for tenders;

e) to any person whomsoever in order to allow establishing moral qualifications of any entity intending to participate in calls for tender, in pursuance of the relevant legislation.


Chapter V - Legal documentation

1) Scope of Application and Purposes of the Processing

This authorisation shall be granted with a view to the processing of data - including dissemination - for purposes of documentation, study and research in the legal sector, especially as regards collection and dissemination of data concerning case law in compliance with Sections 51 and 52 of the Code.


Chapter VI - Provisions applying to all processing operations 

To the extent that they are not regulated in the above chapters, the processing operations mentioned therein shall also be the subject of the following provisions.

1) Processed Data

Processing shall only concern such data as are indispensable for the purposes for which it is authorised, provided that these purposes cannot be achieved, on a case by case basis, by processing either anonymous data or personal data of a different kind.


2) Processing Arrangements

Data must be processed exclusively by means of such operations and in accordance with such logical and organisational arrangements as are closely indispensable to the obligations, tasks or purposes referred to above. Apart from the cases referred to in chapters IV, item 2), and V, or where the information has been derived from a publicly available source, the data must be provided by data subjects in compliance with the requirements set forth in Presidential Decree no. 313 of 14 November 2002.


3) Data Retention

In compliance with the obligation referred to in Section 11(1), letter e), of the Code, the data may be kept for as long as set out by laws and/or regulations, and anyhow for no longer than is absolutely necessary to achieve the purposes being sought.

Under Section 11(1), letters c), d), and e) of the Code, the authorised entities shall verify at regular intervals that the data are accurate and updated, relevant, complete, not excessive, and necessary with regard to the purposes that are sought in the individual cases. With a view to ensuring that the data are closely relevant, not excessive, and indispensable in respect of said purposes, the authorised entities shall specifically assess the relationship between the data and the individual obligations, tasks and/or performance. Any data that is found to be either excessive or irrelevant or non indispensable, also based on said verification, may not be used except with a view to keeping - as required by law - the instrument and/or document containing the data in question. Special attention shall be paid to indispensability of the data related to entities other than those that are directly concerned by the aforementioned obligations, tasks and/or performance.


4) Communication and Dissemination

Data may be communicated and, if required by law, disseminated to public and private bodies insofar as this is absolutely indispensable for the purposes sought and on condition that professional secrecy obligations and the aforementioned requirements are complied with.


5) Authorisation Requests

No request for authorisation shall have to be lodged with the Garante by a data controller falling within the scope of application of this authorisation, if the proposed processing is in line with the above provisions.

The authorisation requests received prior to and/or after the date of adoption of this provision shall be regarded as granted insofar as they comply with the requirements laid down herein.

The Garante reserves the right to adopt additional provisions with regard to processing operations that are not referred to in this authorisation.

As for the processing operations considered herein, no authorisation requests concerning processing operations that are not in line with the provisions set out herein shall be taken into consideration by the Garante, unless they are to be granted under Section 41 of the Code on account of special and/or exceptional circumstances that are not referred to in this authorisation.

This authorisation shall be without prejudice to the obligations laid down in laws, regulations or Community legislation that impose stricter limitations or prohibitions on personal data processing - in particular as required by Section 8 of Act no. 300 of 20.05.70, which was left unprejudiced by Section 113 of the Code and prohibits employers from investigating, with a view to recruitment as well as in the course of the employer-employee relationship, also by the agency of third parties, workers' political, religious or trade-union opinions and/or circumstances that are irrelevant to the assessment of their professional qualifications, and by Section 10 of legislative decree no. 276 of 10 September 2003, which prohibits employment agencies and any other authorised and/or recognised private entities from performing certain investigations and/or data processing operations and/or workers' preselection.


6) Effectiveness and Transitional Provisions

This authorisation shall be effective as of July 1, 2004 until June 30, 2005.

If the processing is not compliant with the provisions that were not included in Authorisation no. 7/2002 as of the date on which this authorisation is published, the data controller shall have to make the necessary adjustments by September 30, 2004.

This authorisation shall be published in the Official Journal of the Italian Republic.

Done in Rome, this 30th day of June 2004