g-docweb-display Portlet

Authorisation No. 7/2014 Concerning Processing of Judicial Data by Private Entities, Profit-Seeking Public Bodies and Public Entities [3826271]

Stampa Stampa Stampa
PDF Trasforma contenuto in PDF

VERSIONE ITALIANA

 

[doc. web n. 3826271]

Authorisation No. 7/2014 Concerning Processing of Judicial Data by Private Entities, Profit-Seeking Public Bodies and Public Entities
Published in Italy´s Official Journal No. 301 of 30 December 2014

The Garante per la protezione dei dati personali

Having convened today, with the participation of  Mr. Antonello Soro, President, Ms. Augusta Iannini, Vice-President, Ms. Giovanna Bianchi Clerici and Prof. Licia Califano, Members, and Mr. Giuseppe Busia, Secretary-General;

Having regard to Legislative Decree no. 196 of 30 June 2003, containing the personal data protection Code (hereinafter "the Code");

Having regard to, in particular, Section 4(1), letter e), of the abovementioned Code, in which judicial data are referred to;

Having regard to, in particular, Sections 21(1) and 27 of the Code, which allow judicial data to be processed by public and/or private bodies or profit-seeking public bodies, respectively, exclusively if this is expressly permitted by laws or a  provision by the Garante in which the substantial public interest served by the processing, the categories of processed data, and the operations specifically authorised are detailed;

Having regard to Section 20, paragraphs 2 and 4, Section 21, paragraph 2, and to the provisions concerning specific sectors as contained in Part II of the Code, in particular Chapters III and IV of Title IV, where purposes in the substantial public interest are referred to such as to allow for the processing of judicial data by public bodies;

Having regard to Section 22 of the Code, setting out the principles applying to the processing of sensitive and/or judicial data by public bodies;

Whereas the processing of the data in question may be authorised by the Garante also ex officio by way of general provisions applying to specific categories of controller and/or processing (Section 40 of the Code);

Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation decrees;

Whereas it is appropriate to grant new authorisations replacing those due to expire on 31 December 2014 by streamlining their provisions in the light of the experience gathered so far;

Whereas it is appropriate for these new authorisations to be also provisional and time-limited in pursuance of Section 41(5) of the Code and, in particular, to be effective for twenty-four months;

Having regard to legislative decree No. 28 of 4 March 2010 on "Implementing Section 60 of Act No. 69 of 18 June 2009, as Amended by Act No. 98 of 9 August 2013 Concerning Mediation for the Purpose of Conciliation in Civil and Commercial Disputes" as well as to the Regulation mentioned in Ministerial Decree No. 180/2010 as issued in pursuance of the aforementioned legislative decree - providing that mediation organisations, training bodies and the Ministry of Justice may process judicial data to establish compliance with moral eligibility requirements in respect of mediators as well as of the members, associates, managers and representatives of the aforementioned private bodies, and empowering the Ministry of Justice to carry out supervision and control as regards the said requirements;

Having regard to Sections 51 and 52 of the Code concerning law informatics; having regard to the need for fostering the continuation of documentation, study and research activities in the legal sector with particular regard to dissemination of information on case-law partly because of the similarities existing between said activities and those related to freedom of expression as regulated by Section 137 of the Code;

Whereas it is necessary to ensure compliance with principles aimed at minimising the risk of affecting or endangering, through the processing, fundamental rights and freedoms and human dignity, with particular regard to the right to personal data protection set out in Section 1 of the Code;

Having regard to Section 11(2) of the Code, whereby any data that is processed in breach of the relevant provisions applying to personal data processing may not be used;

Having regard to Section 31 et seq. in the Code, and to the Technical Specifications contained in Annex B to the Code, setting out rules and specifications in respect of security measures;

Having regard to Section 41 of the Code;

Having regard to Section 42 et seq. of the Code concerning cross-border data flows;

Having regard to Section 167 of the Code;

Having regard to official records;

Having regard to the considerations made by the Secretary General on behalf of the Office, in pursuance of Section 15 of the Rules of Procedure of the Garante (no. 1/2000);

Acting on the report submitted by Ms. Augusta Iannini;

Hereby authorises

The processing of judicial data as per Section 4(1)e) of the Code for the purposes in the substantial public interest specified hereinafter in pursuance of Sections 21 and 27 of the Code, in accordance with the requirements set forth below.

Prior to starting and/or continuing the processing, information systems and programmes must be configured by minimising the use of either personal data or identification data so as to rule out their processing if the purposes sought in the individual case can be achieved by using, respectively, either anonymous data or mechanisms that allow identifying the data subject only if this is necessary, in accordance with Section 3 of the Code.

Chapter I
EMPLOYMENT CONTEXT

1) Scope of Application and Purposes of the Processing

This authorisation shall be granted, without any request being necessary, to legal and natural persons, bodies, associations and organisations which:

a) are parties to an employer-employee relationship;

b) avail themselves of workers also according to atypical, part-time or temporary arrangements;

c) commit a professional task to consultants, self-employed professionals, agents, representatives, and mandatees.

The processing must be indispensable in order to:

A. comply or ensure compliance with specific obligations or else to fulfil specific tasks laid down in laws, Community legislation, regulations or collective agreements, also if applying to individual businesses, for the sole purpose of managing employer-employee relationships as also related to self-employed workers, unpaid and honorary jobs;

B. check moral qualifications of the staff from rating companies, providing only data that is absolutely necessary is processed.

This authorisation shall also be granted to entities carrying out dispute resolution activities pursuant to the law insofar as the processing of data is indispensable for such  activities.

2) Data Subjects

The processing may concern data relating to entities that act or intend to act in their  capacity as:

a) employees – including those that are parties to contracts for traineeship, apprenticeship, occupational inclusion, job sharing, intermittent and/or on-request jobs –, individuals working within the framework of a staff leasing contract, trainees, (joint) partners, or holders of employment scholarships, or in a similar capacity, and such employees as are actually in charge of rating activities with regard to the provisions set forth in point 1 B. above;

b) directors or members of executive or supervisory bodies;

c) consultants and self-employed professionals, agents, representatives, and mandatees.

Chapter II
ASSOCIATIONS AND FOUNDATIONS

1) Scope of Application and Purposes of the Processing

This authorisation shall be granted, without any request being necessary:

a) to associations, recognised or not, including political parties and movements, trade-union associations and organisations, assistance or voluntary organisations, foundations, committees and any other non-profit bodies, consortia or organisations, regardless of their having legal personality, and to the social cooperatives and mutual aid societies referred to in Act no. 381 of 08.11.1991 and Act no. 3818 of 15.04.1886, respectively;

b) to bodies and associations, recognised or not, which are in charge of assistance, rehabilitation, education, vocational training, social and health care assistance, charitable activities and protection of rights with regard either to the data subjects or to their family members and cohabiters.

The processing must be indispensable in order to achieve specific, lawful purposes as set out in articles or memorandums of association, or in a collective agreement.

2) Data Subjects

Processing may concern data relating to:

a) members, partners, and adherents as well as any entity applying for membership/accession if utilisation of the relevant data is provided for by the relevant articles or memorandum of association;

b) any entity benefiting from, assisted by or using the activities and services delivered by the individual association, body or organisation.

Chapter III
SELF-EMPLOYED PROFESSIONALS

1) Scope of Application and Purposes of the Processing

This authorisation shall be granted, without any request being necessary, to:

a) self-employed professionals who are required to be included in the relevant lists or registers for carrying out professional activities either alone or in association or partnership with others, also in pursuance of legislative decree no. 96 of 02.02.01 and Section 10 of Act No. 183 of 12 November 2011;

b) any entity that is included in the special registers or lists set up in pursuance of, inter alia, Section 34 of Royal decree-law no. 1578 of 27.11.33 as subsequently amended and supplemented – concerning regulations for the Bar

c) substitutes, staff and trainees working with a self-employed professional in pursuance of Section 2232 of the Civil Code, whenever they are controllers of a separate processing operation or act as joint controllers of the processing carried out by a self-employed professional.

2) Data Subjects

Processing may concern data relating to clients.

Data concerning third parties may only be processed if this is absolutely indispensable to carry out specific professional activities as requested by clients for specific, lawful purposes.

Chapter IV
MEDIATION FOR THE PURPOSE OF CONCILIATION IN CIVIL AND COMMERCIAL DISPUTES

1) Scope of Application and Purposes of the Processing

a. The following entities shall be authorised to process the judicial data referred to in Section 4(1)e) of the Code in pursuance of the substantial public interest purpose mentioned in Section 69 of the Code (Awards, Rewards, and Acknowledgments), also without requesting to do so, in order to fulfil obligations arising out of legal and regulatory provisions on mediation for the purpose of conciliation in civil and commercial disputes:

i. The mediation organisations that are private entities as referred to in section 1(1)d. of legislative decree no. 28/2010, including subsequent amendments and additions thereof, as regards data on members, associates, managers and representatives, as well as on registered mediators;

ii. The mediation organisations that are public bodies as referred to in section 1(1)d. of legislative decree no. 28/2010, including subsequent amendments and additions thereof, as regards data on registered mediators;

iii. The training bodies referred to in section 16(5) of legislative decree no. 28/2010, including subsequent amendments and additions thereof, as regards data on members, associates, managers and representatives.

b. The Ministry of Justice shall be authorised to process the judicial data referred to in section 4(1)e) of the Code in pursuance of section 16 of legislative decree No. 28/2010, including subsequent amendments and additions thereof along with the relevant implementing rules, in order to manage the register of mediation organisations and the list of training bodies as well as to verify the moral eligibility requirements mentioned in ministerial decree No. 180/2010 with regard to members, associates, managers and representatives of mediation organisations and training bodies that are private entities as well as to the individual mediators, for the substantial public interest purposes set forth in section 69 (Awards, Rewards and Acknowledgments) and in section 67 (Supervisory and Inspection Activities) of the Code.

2) Data Subjects

Processing shall only concern the judicial data relating to the moral eligibility requirements set forth in Ministerial Decree No. 180/2010 as applying to members, associates, managers and representatives of the mediation organisations and training bodies that are private entities and to the individual mediators (i.e. "not having been the subject of a final sentence for non-negligent offences or not having been sentenced to a custodial penalty without suspension thereof; not having been disqualified, temporarily or not, from holding public offices; not having been the subject of precautionary and/or security measures") – see Section 4 of Ministerial Decree no. 180/2010.

3) Data Categories and Processing Operations

Processing shall only concern such judicial data and processing operations as are found to be indispensable, relevant, and not excessive with regard to the specific purpose(s) under the terms set forth in laws and regulations.

4) Data Communication

The Ministry of Justice may communicate the judicial data referred to in section 4(1)e. of the Code to the following entities within the framework of the supervisory and control powers conferred on it by the sector-specific legislation:

-  Mediation organisations and training bodies that are private entities with regard to the moral eligibility requirements set forth in section 4(2)c) and section 18(2)b) of Ministerial Decree No. 180/2010 as for the respective members, associates, managers and representatives;

- Public and private mediation organisations with regard to the moral eligibility requirements set forth in section 4(3)c) of Ministerial Decree No. 180/2010 as for the mediators included in the respective registers.

Chapter V
BANKING AND INSURANCE COMPANIES AND OTHER TYPES OF PROCESSIN

1) Scope of Application and Purposes of  the Processing

This authorisation shall be granted, without any request being necessary, to:

a) businesses authorised and/or intending to be authorised to carry out banking, crediting, insurance or pension fund-related activities, also in case of their compulsory winding-up, with a view to establishing:

1) moral qualifications of partners and holders of executive and/or elective offices, as provided for by the relevant laws and regulations;

2) personal qualifications and grounds for disqualification exclusively where this is provided for by law;

3) liability for accidents and/or events relating to human life;

4) the existence of a concrete danger affecting appropriate discharge of insurance functions, as regards offences that are directly related to said functions. In the latter cases, the controller must provide the Garante with a detailed report on processing arrangements insofar as the processing concerns data contained in a specific database pursuant to Section 4(1), letter p), of the Code;

b) controllers of a processing operation that is performed in connection with requesting, acquiring, and delivering instruments and documents from/to the competent public departments, these tasks having been committed by the relevant data subjects;

c) securities brokerage companies, SICAV companies, and asset and pension fund management companies in order to establish moral qualifications pursuant to the provisions applying to financial brokerage, social security and/or private pension schemes as well as further to other laws and regulations, if any;

d) rating companies with regard to such information as is absolutely indispensable to check whether moral qualifications are fulfilled by the partners in charge of auditing Italian companies that have issued listed financial instruments on non-national financial markets, in respect of any conduct that is established as a criminal offence under national law, as well as in order to enable the company in question and the partners thereof to be registered with the governmental bodies in charge of ensuring stability and transparency of the relevant financial markets.

2) Additional Processing Operations

This authorisation shall also be granted:

a) to any person whomsoever, for the establishment or defence of a legal claim even by third parties, including administrative proceedings and arbitration, mediation  or conciliation proceedings in the cases provided for by laws, Community legislation, regulations or collective agreements, on condition that said claim is not overridden by the data subject´s one and the data are processed exclusively for the above purposes and for no longer than is absolutely necessary therefor;

b) to any person whomsoever, with a view to the exercise of the right of access to administrative records in pursuance of the relevant laws and regulations;

c) to natural and legal persons, institutions, bodies, and organisations carrying out private investigation activities as licensed by the prefetto in pursuance of Section 134 of Royal decree no. 773 of 18.06.31, as subsequently amended and supplemented.

The processing must be necessary:

1) to enable the entity committing a specific task to establish or defend a legal claim that is not overridden by the data subject´s one, or else a personal right or any other fundamental, inviolable right;

2) to detect and collect information in favour of a client on the defence counsel´s instructions in connection with a criminal proceeding, whereby such information may only be used for the exercise of the right to submit evidence (as per Section 190 of the Criminal Procedure Code and Act no. 397 of 07.12.2000) in compliance with the rules of conduct set forth in the "Code of Conduct and Professional Practice Applying to the Processing of Personal Data for the Purposes of Defence Investigations" (as per the DPA´s Resolution no. 60 dated 6 November 2008 published in Italy´s Official Journal no. 275 dated 24 November 2008) – which are an essential precondition in order for any lawyer to process personal data lawfully and fairly when discharging the respective professional task(s) as per Section 12(3) of the DP Code;

d) to any person whomsoever, in order to comply with the obligations laid down in laws concerning anti-Mafia communications and certifications or the prevention of Mafia-type crime and other serious, socially dangerous activities, including Act no. 55 of 19.03.90 as subsequently amended and supplemented and Legislative Decree no. 159 of 6 September 2011 containing the "Code of Anti-Mafia Legislation and Prevention Measures and New Provisions on Anti-Mafia Communications and Certifications Pursuant to Sections 1 and 2 of Act no. 136 of 13 August 2010", as amended and supplemented thereafter, or else in order to produce the documents required by law to participate in calls for tenders;

e) to any person whomsoever in order to allow establishing moral qualifications of any entity intending to participate in calls for tender, in pursuance of the relevant legislation.

Chapter VI
LEGAL DOCUMENTATION

1) Scope of Application and Purposes of the Processing

This authorisation shall be granted with a view to the processing of data relating to judgments and other judicial instruments – including dissemination thereof – for purposes of legal information and/or documentation, study and research in the legal sector. The processing in question, which is regulated in Sections 51 and 52 of the Code, shall be performed in compliance with the guidance set forth in the "Guidelines on the Processing of Personal Data As Related to the Reproduction of Judicial Measures for Legal Information Purposes" (DPA´s Resolution dated 2 December 2010 as published in Italy´s Official Journal no. 2 dated 4 January 2011).

Chapter VII
PROVISIONS APPLYING TO ALL PROCESSING OPERATIONS

To the extent that they are not regulated in the above chapters, the processing operations mentioned therein shall also be the subject of the following provisions.

1) Processed Data

Processing shall only concern such data as is indispensable for the purposes for which the processing is authorised, providing those purposes cannot be achieved, on a case by case basis, by processing either anonymous data or personal data of a different kind.

2) Processing Arrangements

Data must be processed exclusively by means of such operations and in accordance  with such logic and organisational arrangements as are closely indispensable to the obligations, tasks or purposes referred to above. Apart from the cases referred to in chapters V, item 2), and VI, or where the information has been derived from a publicly available source, the data must be provided by data subjects in compliance with the requirements set forth in Presidential Decree no. 313 of 14 November 2002 as subsequently amended.

3) Data Retention

In compliance with the obligation referred to in Section 11(1), letter e), of the Code, the data may be kept for as long as is provided for by laws and/or regulations, and anyhow for no longer than is absolutely necessary to achieve the purposes being sought.

Under Section 11(1), letters c), d), and e) of the Code, the authorised entities shall verify regularly that the data are accurate, updated, relevant, complete, not excessive, and necessary with regard to the purposes that are sought in the individual cases. With a view to ensuring that the data are closely relevant, not excessive, and indispensable for the said purposes, the authorised entities shall specifically assess the relationship between the data and the individual obligations, tasks and/or performance. Any data that is found to be either excessive or irrelevant or non indispensable, also based on the said verification, may not be used except with a view to keeping – as required by law – the instrument and/or document containing the data in question. Special attention shall be paid to indispensability of the data related to entities other than those that are directly concerned by the aforementioned obligations, tasks and/or performance.

4) Communication and Dissemination

Data may be communicated and, if required by law, disseminated to public and private bodies insofar as this is absolutely indispensable for the purposes sought and on condition that professional secrecy obligations and the aforementioned requirements are complied with.

5) Authorisation Requests

No request for authorisation shall have to be lodged with the Garante by a data controller falling within the scope of application of this authorisation, if the proposed processing is in line with the above provisions.

The authorisation requests received prior to and/or after the date of adoption of this provision shall be regarded as granted insofar as they comply with the requirements laid down herein.

The Garante reserves the right to adopt additional provisions with regard to processing operations that are not referred to in this authorisation.

As for the processing operations considered herein, no authorisation requests concerning processing operations that are not in line with the provisions set out herein shall be taken into consideration by the Garante, unless they are to be granted under Section 41 of the Code on account of special and/or exceptional circumstances that are not referred to in this authorisation.

6) Final Provisions

This authorisation shall be without prejudice to the obligations laid down in laws, regulations or Community legislation that impose stricter limitations or prohibitions on personal data processing - in particular under Section 8 of Act no. 300 of 20.05.70, which was left unprejudiced by Section 113 of the Code, whereby employers are prohibited from investigating, with a view to recruitment as well as in the course of the employer-employee relationship, also by the agency of third parties, workers´ political, religious or trade-union opinions and/or circumstances that are irrelevant to the assessment of their professional qualifications, and under Section 10 of legislative decree no. 276 of 10 September 2003, which prohibits employment agencies and any other authorised and/or recognised private entities from performing certain investigations and/or data processing operations and/or pre-selecting candidates.

The legal ban on disclosing, without justification, and using, with a view to gain for oneself or others, information that is covered by professional secrecy shall be left unprejudiced as well. This shall also apply to good practice and/or ethical requirements applying to the individual professions.

7) Effectiveness

This authorisation shall be effective as of 1 January 2015 until 31 December 2016 subject to such amendments as the Garante may decide to make on account of regulatory developments concerning this subject matter.

This authorisation shall be published in the Official Journal of the Italian Republic.

Done in Rome, this 11th day of the month of December 2014.

THE PRESIDENT
Soro

THE RAPPORTEUR
Iannini

THE SECRETARY GENERAL
Busia