Authorisation to Process Sensitive Data in Mediation Activities Aimed at...
Authorisation to Process Sensitive Data in Mediation Activities Aimed at Conciliation of Civil and Commercial Disputes ? 21 April 2011 
[doc. web n. 1898443]
Authorisation to Process Sensitive Data in Mediation Activities Aimed at Conciliation of Civil and Commercial Disputes – 21 April 2011
(As published in Italy´s Official Journal no. 101 dated 3 May 2011)
The Garante per la protezione dei dati personali
Having convened today, with the participation of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Daniele De Paoli, Secretary-General;
Having regard to Legislative Decree no. 196 of 30 June 2003, containing the personal data protection Code;
Having regard to, in particular, Section 4(1), letter d., of the abovementioned Code, in which sensitive data are referred to;
Whereas under Section 26(1) of the Code private bodies and profit-seeking public bodies may only process sensitive data upon authorisation by this Authority and, where necessary, after obtaining the data subjects´ written consent, subject to compliance with the conditions and limitations set out in the Code as well as in laws and regulations;
Whereas the processing of the data in question may be authorised by the Garante also ex officio by way of general provisions applying to specific categories of controller and/or processing (Section 40 of the Code);
Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisations;
Having regard to legislative decree no. 28 dated 4 March 2010, implementing Section 60 of Act no. 69 dated 18 June 2009 on mediation for the purpose of conciliation of civil and commercial disputes; having regard to ministerial decree no. 180 dated 18 October 2010, issued in pursuance of section 16 of the aforementioned legislative decree;
Whereas a considerable number of processing operations concerning personal data are performed by the entities defined as per section 1(1)d. of decree no. 28/2010 in order to discharge the respective tasks;
Having regard to the general authorisation no. 2/2009 to process data suitable for disclosing health and sex life, which was also granted if the processing is necessary "to establish or defend a legal claim also by third parties, including administrative proceedings and arbitration or settlement proceedings in the cases referred to in laws, Community legislation, regulations or collective agreements, providing the said claim either is of an equal level compared with the data subject´s one or consists in a personal right or another fundamental, inviolable right or freedom and the data are processed exclusively for said purposes and for no longer than is absolutely necessary therefor" (1.3, letter a.);
Whereas the processing of sensitive data performed by mediation organisations in pursuance of legislative decree no. 28/2010 does not fall within the scope of general authorisation no. 5/2009 for the processing of sensitive data by various categories of data controller on account of both the entities such processing concerns and the respective requirements;
Whereas it is accordingly necessary to grant a new authorisation for the processing of sensitive data in order to enable the processing of sensitive data in connection with mediation activities aimed at the conciliation of civil and commercial disputes pursuant to legislative decree no. 28/2010;
Having regard to section 27 in the Code, which allows judicial data to be processed by private bodies and/or profit-seeking public bodies on condition this is authorised by explicit provisions in a law or else by a decision of the Italian DPA, which in any case must specify the substantial public interest purposes that underlie the processing along with the categories of processed data and the processing operations that may be performed;
Having regard to general authorisation no. 7/2009 for the processing of judicial data by private bodies, profit-seeking public bodies, and public bodies, which was granted "to any person whomsoever, for the establishment or defence of a legal claim even by third parties, including administrative proceedings and arbitration or settlement proceedings in the cases provided for by laws, Community legislation, regulations or collective agreements […]" (2a.) and is accordingly applicable to the processing of judicial data that is indispensable in connection with the mediation activities referred to in legislative decree no. 28/2010;
Whereas it is appropriate for this new authorisation to also be provisional and time-limited in pursuance of section 41(5) of the Code; whereas it is appropriate, in particular, to provide for such authorisation to be in force until 30 June 2012 pending the initial implementation of legislative decree no. 28/2010, since the arrangements to be made in order to implement section 16 of decree no. 28/2010 pursuant to the criteria laid down in section 4 of ministerial decree no. 180/2010 are expected to be in place by the above deadline, whereupon the relevant regulatory framework will be completed;
Whereas it is necessary to ensure compliance with principles that are aimed at minimizing the risk of harming or endangering fundamental rights and freedoms and personal dignity on account of the processing in question, which applies, in particular, to the right to the protection of personal data laid down in section 1 of the Code;
Having regard to section 167 of the Code;
Having regard to section 11(2) of the code, whereby any data that is processed in breach of the relevant personal data protection legislation may not be used;
Having regard to section 31 et seq. of the Code as well as to the technical specifications contained in Annex B thereto, which lay down rules and requirements applying to security measures;
Having regard to section 41 of the Code;
Having regard to section 42 et seq. of the Code as for the transfer of personal data abroad;
Having regard to the records on file;
Having regard to the considerations by the Office as submitted by the Secretary General in pursuance of article 15 of the Italian DPA´s Rules of Procedure no. 1/2000;
Acting on the report submitted by Prof. Francesco Pizzetti;
AUTHORISES THE FOLLOWING
1. Authorised Entities
The mediation organisations mentioned in section 1(1) of legislative decree no. 28 dated 4 March 2010 as amended subsequently shall be authorised to process the sensitive data referred to in section 4(1)d. of the Code in accordance with the requirements below, also without lodging a specific request to that effect.
2. Purposes of the Processing
Sensitive data may only be processed to discharge one of the tasks the entities mentioned under 1. are permitted to carry out under decree no. 28/2010 - including subsequent amendments and additions thereof; in particular, such data may be processed to support two or more entities both in achieving an amicable agreement to settle a dispute and in drafting a proposal for the resolution of the said dispute where such an agreement cannot be achieved. If the data is suitable for disclosing health or sex life, the claim to be established or defended must not be overridden by the data subject´s right or else must consist in a personal right or another fundamental, inviolable right or freedom.
3. Data Subjects
The processing shall only concern the sensitive data relating to the entities involved in the dispute to be settled.
Any sensitive data relating to third parties may be processed if this is absolutely indispensable for the purposes of mediation.
4. Data Categories and Processing Operations
Processing shall only concern such data and processing operations as are found to be indispensable, relevant, and not excessive with regard to the specific dispute that is the subject of mediation as well as in connection with activities that may not be performed by processing anonymous data and/or other categories of personal data.
The processing of data suitable for disclosing health and sex life shall be also performed in compliance with the aforementioned general authorisation no. 2/2009.
5. Data Communication
Sensitive data may be communicated, where indispensable, to the parties to the mediation proceeding aimed at conciliation of civil and commercial disputes insofar as this is relevant to discharge of the specific mediation tasks, in compliance with legislative decree no. 28/2010.
No sensitive data may be disseminated.
6. Data Preservation
Under the terms of the obligations set forth in section 11(1)e. of the Code, sensitive data may be kept for as long as provided for by Community laws, legislation and/or secondary legislation and anyhow for no longer than is absolutely necessary to manage mediation activities.
To that end, it shall be verified that the data are absolutely relevant, not excessive, and indispensable vis-à-vis the mediation activities – whether in progress, prospective, or completed – by having also regard to such data as is made available on the data subject´s own initiative; regular checks may be carried out for the said purposes. Any data that, also on verification, is found to be excessive, irrelevant and/or dispensable may not be used - except for the legally required preservation of the record and/or document containing it. Special care shall be taken in assessing indispensability of any data that relates to entities other than those that are directly concerned by the discharge of the relevant tasks and obligations.
7. Authorisation Requests
Where a data controller falls under the scope of application of this authorisation, no authorisation request shall have to be lodged with the Italian DPA if the processing to be performed is in line with the foregoing requirements.
Such authorisation requests as may have already been received and those that will be received after the date of adoption of this authorisation shall be considered to be granted under the terms set forth herein.
The Italian DPA shall not consider authorisation requests in respect of processing operations that are not in accordance with the requirements set forth herein, unless such requests are to be granted in pursuance of section 41 of the Code because of highly peculiar circumstances and/or on account of exceptional situations that are not covered by this authorisation.
8. Final Provision
Any and all obligations contained in laws, regulations and/or Community legislation that set forth more restrictive limitations or prohibitions on the processing of personal data shall be left unprejudiced.
The legal ban on disclosing, without just cause, and using, with a view to gain for oneself or others, information that is covered by professional secrecy shall be left unprejudiced as well. This shall also apply to good practice and/or ethical requirements applying to the individual professions.
9. Sunset Provision
This authorisation shall be effective until 31 December 2012¹ subject to such amendments as the Italian DPA may deem appropriate on account of relevant regulatory changes.
This authorisation shall be published in the Official Journal of the Italian Republic.
Done in Rome, this 21st day of the month of April 2011.
THE SECRETARY GENERAL
(1) Effectiveness was extended to 31 December 2012 by a Resolution of the DPA dated 28 June 2012, available here: http://www.garanteprivacy.it/garante/doc.jsp?ID=1908626