Authorisation No. 7/2009 Concerning Processing of Judicial Data by Private Entities, Profit-Seeking Public Bodies and Public Entities - 16 decembr...

[doc. web n. 1705708]

Authorisation No. 7/2009 Concerning Processing of Judicial Data by Private Entities, Profit-Seeking Public Bodies and Public Entities

The Garante per la protezione dei dati personali

Having convened today, with the participation of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Filippo Patroni Griffi, Secretary-General;

Having regard to Legislative Decree no. 196 of 30 June 2003, containing the personal data protection Code;

Having regard to, in particular, Section 4(1), letter d), of the abovementioned Code, in which sensitive data are referred to;

Having regard to, in particular, Sections 21(1) and 27 of the Code, which allow judicial data to be processed by public and/or private bodies or profit-seeking public bodies, respectively, exclusively if this is expressly permitted by laws or a Garante's provision in which the substantial public interest served by the processing, the categories of processed data, and the operations specifically authorised are detailed;

Having regard to Section 20, paragraphs 2 and 4, and to the provisions concerning specific sectors as contained in Part II of the Code, in particular Chapters III and IV of Title IV, where purposes in the substantial public interest are referred to such as to allow for the processing of judicial data by public bodies;

Having regard to Section 22 of the Code, setting out the principles applying to the processing of sensitive and/or judicial data by public bodies;

Whereas the processing of the data in question may be authorised by the Garante also ex officio by way of general provisions applying to specific categories of controller and/or processing (Section 40 of the Code);

Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation decrees;

Whereas it is appropriate to grant new authorisations replacing those due to expire on 31 December 2009 by streamlining their provisions in the light of the experience gathered so far;

Whereas it is appropriate for these new authorisations to be also provisional and time-limited in pursuance of Section 41(5) of the Code and, in particular, to be effective for a twelve-month term;

Having regard to Sections 51 and 52 of the Code concerning law informatics; having regard to the need for fostering the continuation of documentation, study and research activities in the legal sector with particular regard to dissemination of information on case-law partly because of the similarities existing between said activities and those related to freedom of expression as regulated by Section 137 of the Code;

Whereas it is necessary to ensure compliance with principles aimed at minimising the risk of affecting or endangering, through the processing, fundamental rights and freedoms and human dignity, with particular regard to the right to personal data protection set out in Section 1 of the Code;

Having regard to Section 167 of the Code;

Having regard to Section 11(2) of the Code, whereby any data that is processed in breach of the relevant provisions applying to personal data processing may not be used;

Having regard to Section 31 et seq. in the Code, and to the Technical Specifications contained in Annex B to the Code, setting out rules and specifications in respect of security measures;

Having regard to Section 41 of the Code;

Having regard to Section 42 et seq. of the Code concerning cross-border data flows;

Having regard to official records;

Having regard to the considerations made by the Secretary General on behalf of the Office, in pursuance of Section 15 of the Rules of Procedure of the Garante (no. 1/2000);

Acting on the report submitted by Mr. Giuseppe Chiaravalloti,

Hereby authorises

The processing of judicial data for the purposes in the substantial public interest specified hereinafter in pursuance of Sections 21 and 27 of the Code, in accordance with the requirements set forth below.

Prior to starting and/or continuing the processing, information systems and programmes must be configured by minimising the use of either personal data or identification data so as to rule out their processing if the purposes sought in the individual case can be achieved by using, respectively, either anonymous data or mechanisms that allow identifying the data subject only if this is necessary, in accordance with Section 3 of the Code.

Chapter I

1) Scope of Application and Purposes of the Processing

This authorisation shall be granted, without any request being necessary, to legal and natural persons, bodies, associations and organisations which:

a) are parties to an employer-employee relationship;

b) avail themselves of workers also according to atypical, part-time or temporary arrangements;

c) commit a professional task to consultants, self-employed professionals, agents, representatives, and mandatees.

The processing must be indispensable in order to:

A. comply or ensure compliance with specific obligations or else to fulfil specific tasks laid down in laws, Community legislation, regulations or collective agreements, also if applying to individual businesses, for the sole purpose of managing employer-employee relationships as also related to self-employed workers, unpaid and honorary jobs;

B. check moral qualifications of the staff from rating companies, providing only data that is absolutely necessary is processed.

This authorisation shall also be granted to entities carrying out dispute resolution activities pursuant to the law insofar as the processing of data is indispensable for such activities.

2) Data Subjects
The processing may concern data relating to entities that act or intend to act in their capacity as:

a) employees – including those that are parties to contracts for traineeship, apprenticeship, occupational inclusion, job sharing, intermittent and/or on-request jobs –, individuals working within the framework of a staff leasing contract, trainees, (joint) partners, or holders of employment scholarships, or in a similar capacity, and such employees as are actually in charge of rating activities with regard to the provisions set forth in point 1 B. above;

b) directors or members of executive or supervisory bodies;

c) consultants and self-employed professionals, agents, representatives, and mandatees.

Chapter II

1) Scope of Application and Purposes of the Processing

This authorisation shall be granted, without any request being necessary:

a) to associations, recognised or not, including political parties and movements, trade-union associations and organisations, assistance or voluntary organisations, foundations, committees and any other non-profit bodies, consortia or organisations, regardless of their having legal personality, and to the social cooperatives and mutual aid societies referred to in Act no. 381 of 08.11.1991 and Act no. 3818 of 15.04.1886, respectively;

b) to bodies and associations, recognised or not, which are in charge of assistance, rehabilitation, education, vocational training, social and health care assistance, charitable activities and protection of rights with regard either to the data subjects or to their family members and cohabiters.

The processing must be indispensable in order to achieve specific, lawful purposes as set out in articles or memorandums of association, or in a collective agreement.

2) Data Subjects
Processing may concern data relating to:

a) members, partners, and adherents as well as any entity applying for membership/accession if utilisation of the relevant data is provided for by the relevant articles or memorandum of association;

b) any entity benefiting from, assisted by or using the activities and services delivered by the individual association, body or organisation.

Chapter III

1) Scope of Application and Purposes of the Processing
This authorisation shall be granted, without any request being necessary, to:

a) self-employed professionals, whether associated or not, who are required to be included in the relevant lists or registers for carrying out professional activities either alone or jointly with others, also in pursuance of legislative decree no. 96 of 02.02.01 or else in compliance with the implementing provisions of Section 24(2) of Act no. 266 of 07.08.97 concerning assistance and advisory activities;

b) any entity that is included in the special registers or lists set up in pursuance of, inter alia, Section 34 of Royal decree-law no. 1578 of 27.11.33 as subsequently amended and supplemented - concerning regulations for the Bar;

c) substitutes, staff and trainees working with a self-employed professional in pursuance of Section 2232 of the Civil Code, whenever they are controllers of a separate processing operation or act as joint controllers of the processing carried out by a self-employed professional.

2) Data Subjects
Processing may concern data relating to clients.

Data concerning third parties may only be processed if this is absolutely indispensable to carry out specific professional activities as requested by clients for specific, lawful purposes.

Chapter IV

1) Scope of Application and Purposes of the Processing
This authorisation shall be granted, without any request being necessary, to:

a) businesses authorised and/or intending to be authorised to carry out banking, crediting, insurance or pension fund-related activities, also in case of their compulsory winding-up, with a view to establishing:

1) moral qualifications of partners and holders of executive and/or elective offices, as provided for by the relevant laws and regulations;

2) personal qualifications and grounds for disqualification exclusively where this is provided for by law;

3) liability for accidents and/or events relating to human life;

4) the existence of a concrete danger affecting appropriate discharge of insurance functions, as regards offences that are directly related to said functions. In the latter cases, the controller must provide the Garante with a detailed report on processing arrangements insofar as the processing concerns data contained in a specific database pursuant to Section 4(1), letter p), of the Code;

b) controllers of a processing operation that is performed in connection with requesting, acquiring, and delivering instruments and documents from/to the competent public departments, these tasks having been committed by the relevant data subjects;

c) securities brokerage companies, SICAV companies, and asset and pension fund management companies in order to establish moral qualifications pursuant to the provisions applying to financial brokerage, social security and/or private pension schemes as well as further to other laws and regulations, if any;

d) rating companies with regard to such information as is absolutely indispensable to check whether moral qualifications are fulfilled by the partners in charge of auditing Italian companies that have issued listed financial instruments on non-national financial markets, in respect of any conduct that is established as a criminal offence under national law, as well as in order to enable the company in question and the partners thereof to be registered with the governmental bodies in charge of ensuring stability and transparency of the relevant financial markets.

2) Additional Processing Operations
This authorisation shall also be granted:

a) to any person whomsoever, for the establishment or defence of a legal claim even by third parties, including administrative proceedings and arbitration or settlement proceedings in the cases provided for by laws, Community legislation, regulations or collective agreements, on condition that said claim is not overridden by the data subject's one and the data are processed exclusively for the above purposes and for no longer than is absolutely necessary therefor;

b) to any person whomsoever, with a view to the exercise of the right of access to administrative records in pursuance of the relevant laws and regulations;

c) to natural and legal persons, institutions, bodies, and organisations carrying out private investigation activities as licensed by the prefetto in pursuance of Section 134 of Royal decree no. 773 of 18.06.31, as subsequently amended and supplemented.

The processing must be necessary:

1) to enable the entity committing a specific task to establish or defend a legal claim that is not overridden by the data subject's one, or else a personal right or any other fundamental, inviolable right;

2) to detect and collect information in favour of a client on the defence counsel's instructions in connection with a criminal proceeding, whereby such information may only be used for the exercise of the right to submit evidence (as per Section 190 of the Criminal Procedure Code and Act no. 397 of 07.12.2000) in compliance with the rules of conduct set forth in the "Code of Conduct and Professional Practice Applying to the Processing of Personal Data for the Purposes of Defence Investigations" (as per the DPA's Resolution no. 60 dated 6 November 2008 published in Italy's Official Journal no. 275 dated 24 November 2008) – which are an essential precondition in order for any lawyer to process personal data lawfully and fairly when discharging the respective professional task(s) as per Section 12(3) of the DP Code;

d) to any person whomsoever, in order to comply with the obligations laid down in laws concerning anti-Mafia communications and certifications or the prevention of Mafia-type crime and other serious, socially dangerous activities, including Act no. 55 of 19.03.90 as subsequently amended and supplemented, or else in order to produce the documents required by law to participate in calls for tenders;

e) to any person whomsoever in order to allow establishing moral qualifications of any entity intending to participate in calls for tender, in pursuance of the relevant legislation.

Chapter V

1) Scope of Application and Purposes of the Processing
This authorisation shall be granted with a view to the processing of data – including dissemination – for purposes of documentation, study and research in the legal sector, especially as regards collection and dissemination of data concerning case law in compliance with Sections 51 and 52 of the Code.

Chapter VI

To the extent that they are not regulated in the above chapters, the processing operations mentioned therein shall also be the subject of the following provisions.

1) Processed Data
Processing shall only concern such data as is indispensable for the purposes for which the processing is authorised, providing those purposes cannot be achieved, on a case by case basis, by processing either anonymous data or personal data of a different kind.

2) Processing Arrangements
Data must be processed exclusively by means of such operations and in accordance with such logic and organisational arrangements as are closely indispensable to the obligations, tasks or purposes referred to above. Apart from the cases referred to in chapters IV, item 2), and V, or where the information has been derived from a publicly available source, the data must be provided by data subjects in compliance with the requirements set forth in Presidential Decree no. 313 of 14 November 2002 as subsequently amended.

3) Data Retention
In compliance with the obligation referred to in Section 11(1), letter e), of the Code, the data may be kept for as long as is provided for by laws and/or regulations, and anyhow for no longer than is absolutely necessary to achieve the purposes being sought.

Under Section 11(1), letters c), d), and e) of the Code, the authorised entities shall verify regularly that the data are accurate, updated, relevant, complete, not excessive, and necessary with regard to the purposes that are sought in the individual cases. With a view to ensuring that the data are closely relevant, not excessive, and indispensable for the said purposes, the authorised entities shall specifically assess the relationship between the data and the individual obligations, tasks and/or performance. Any data that is found to be either excessive or irrelevant or non indispensable, also based on the said verification, may not be used except with a view to keeping – as required by law – the instrument and/or document containing the data in question. Special attention shall be paid to indispensability of the data related to entities other than those that are directly concerned by the aforementioned obligations, tasks and/or performance.

4) Communication and Dissemination
Data may be communicated and, if required by law, disseminated to public and private bodies insofar as this is absolutely indispensable for the purposes sought and on condition that professional secrecy obligations and the aforementioned requirements are complied with.

5) Authorisation Requests
No request for authorisation shall have to be lodged with the Garante by a data controller falling within the scope of application of this authorisation, if the proposed processing is in line with the above provisions.

The authorisation requests received prior to and/or after the date of adoption of this provision shall be regarded as granted insofar as they comply with the requirements laid down herein.

The Garante reserves the right to adopt additional provisions with regard to processing operations that are not referred to in this authorisation.

As for the processing operations considered herein, no authorisation requests concerning processing operations that are not in line with the provisions set out herein shall be taken into consideration by the Garante, unless they are to be granted under Section 41 of the Code on account of special and/or exceptional circumstances that are not referred to in this authorisation.

This authorisation shall be without prejudice to the obligations laid down in laws, regulations or Community legislation that impose stricter limitations or prohibitions on personal data processing - in particular under Section 8 of Act no. 300 of 20.05.70, which was left unprejudiced by Section 113 of the Code, whereby employers are prohibited from investigating, with a view to recruitment as well as in the course of the employer-employee relationship, also by the agency of third parties, workers' political, religious or trade-union opinions and/or circumstances that are irrelevant to the assessment of their professional qualifications, and under Section 10 of legislative decree no. 276 of 10 September 2003, which prohibits employment agencies and any other authorised and/or recognised private entities from performing certain investigations and/or data processing operations and/or pre-selecting candidates.

6) Effectiveness and Transitional Provisions
This authorisation shall be effective as of 1 January 2010 until 30 June 2011 subject to such amendments as the Garante may decide to make on account of regulatory developments concerning this subject matter.

This authorisation shall be published in the Official Journal of the Italian Republic.

Done in Rome, this 16th day of the month of December 2009.



Patroni Griffi