
Authorisation No. 7/2002 Concerning Processing of Judicial Data by Private Entities, Profit-Seeking Public Bodies and Public Entities


The Garante per la protezione dei dati personali

On this day, with the participation of Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi and Mr. Mauro Paissan, members, and Mr. Giovanni Buttarelli, Secretary-General;

Having regard to Act no. 675 of 31.12.96 as subsequently amended and supplemented, concerning the protection of individuals and other subjects with regard to the processing of personal data;

Having regard to, in particular, Section 24(1) of said Act, which allows the personal data disclosing the judicial measures referred to therein to be also processed by public bodies "exclusively if this is permitted by express laws or a provision of the Garante in which the substantial public interest served by the processing, the categories of processed data and the operations specifically authorised are detailed";

Whereas a number of processing operations performed by public bodies in respect of the abovementioned data are regulated by legislative decree no. 135 of 11.05.99 and by provision no. 1/P/2000 as issued by the Garante and published in the Official Journal no. 26 of 26.02.2000;

Whereas the processing of said judicial data by public bodies for purposes other than those included in Chapter II of legislative decree no. 135 of 11.05.99 must be authorised by the Garante pursuant to Section 24 of Act no. 675/1996;

Whereas the processing of said data may be authorised by the Garante, even ex officio, by means of general provisions applying to specific categories of data controllers or processing operations in pursuance of Section 41(7) of Act no. 675/1996;

Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation orders;

Whereas it is appropriate to grant new general authorisations to replace those due to expire on the 31st of January 2002 by streamlining their provisions in the light of the experience gathered so far;

Whereas specific safeguards are laid down for the above data and other categories of judicial data in Section 8(5) of EC Directive 95/46 of 24.10.95, which allows the processing of data concerning, more broadly, "offences, criminal convictions or security measures" "only under the control of official authority, or if suitable specific safeguards are provided under national law, subject to derogations which may be granted by the Member State under national provisions providing suitable specific safeguards", on condition that a "complete register" of criminal convictions be kept "only under the control of official authority";

Whereas with a view to fully transposing the above community legislation into national law, it is appropriate for this general authorisation to include no over-detailed provisions, in order for the activities of data controllers not to undergo major changes within a short time range subject to certain safeguards for data subjects;

Whereas it is necessary to enable continuation of documentation, analysis and research activities in the legal sector, especially as regards disclosure of data concerning decisions of courts, on account both of the similarity between said activities and the intellectual activities that are referred to in Sections 12, 20 and 25 of Act no. 675/1996 and of the possible issuing of provisions for the development of information technology in the judicial sector;

Whereas it is appropriate for these new provisional authorisations to be also time-limited in pursuance of Section 14 of Presidential Decree no. 501/1998 in view of the forthcoming adoption of a consolidated text of the provisions applying to personal data protection as required by Act no. 127/2001;

Whereas it is necessary to ensure compliance with principles aimed at minimising the risk of affecting or endangering, through the processing, fundamental rights and freedoms and human dignity;

Having regard to Section 35 of Act no. 675/1996;

Having regard to the regulations including provisions on the minimum security measures, as adopted by Presidential decree no. 318 of 28.07.99;

Having regard to Section 14 of Presidential decree no. 501 of 31.03.98;

Having regard to official documents;

Having regard to the considerations made, on behalf of the Office, by the Secretary General in pursuance of Section 15 of the Rules of Procedure of the Garante (no. 1/2000);

Acting on the report submitted by Prof. Giuseppe Santaniello,

Hereby authorises

the processing of personal data disclosing the measures referred to in Section 686(1), litt. a) and d), (2) and (3) of the Criminal Procedure Code, for the substantial reasons of public interest specified below in pursuance of Section 24 of Act no. 675/1996 and in accordance with the following requirements:

Chapter I - EMPLOYMENT CONTEXT

1) Scope and purposes of the processing

This authorisation shall be granted, without any request being necessary, to legal and natural persons, bodies, associations and organisations which:

a) are parties to an employer-employee relationship;

b) employ workers even according to atypical, part-time or temporary arrangements;

c) commit a professional task to advisors, self-employed professionals, agents, representatives and mandataries.

The processing must be absolutely necessary in order to comply or ensure compliance with specific obligations or else to fulfil specific duties laid down in laws, community legislation, regulations or collective agreements, even applying to individual businesses, for the sole purpose of managing employer-employee relationships as also related to self-employed workers, unpaid and honorary jobs.

This authorisation shall also be granted to entities carrying out dispute resolution activities pursuant to law insofar as the processing of data is absolutely necessary for said activities.

2) Data subjects

The processing may concern data relating to subjects who act or intend to act in the capacity of:

a) employees, including on a temporary basis or as trainees or apprentices, partners or associates, or else recipients of labour grants, or parties to similar relations;

b) directors or members of executive or supervisory bodies;

c) advisors and self-employed workers, agents, representatives and mandataries.

Chapter II - ASSOCIATIONS AND FOUNDATIONS

1) Scope and purposes of the processing

This authorisation shall be granted, without any request being necessary:

a) to associations, recognised or not, including political parties and movements, trade-union associations and organisations, assistance or voluntary organisations, foundations, committees and any other non-profit bodies, consortia or organisations, regardless of their having legal personality, and to the social cooperatives and mutual aid societies referred to in Act no. 381 of 08.11.1991 and Act no. 3818 of 15.04.1886, respectively;

b) to bodies and associations, recognised or not, which are in charge of assistance, rehabilitation, education, vocational training, social and health care assistance, charitable activities and protection of rights with regard either to the persons to whom the data refer or to their family members and cohabiters.

The processing must be absolutely necessary in order to achieve specific, lawful purposes as set out in the articles of incorporation or association, by-laws or collective agreements.

2) Data subjects

Processing may concern data relating to:

a) members of an association, partnership, society as well as any person applying for membership/accession if utilisation of the relevant data is provided for by the relevant articles of association or by-laws;

b) any person benefiting from, assisted by or using the activities and services delivered by the individual association, body or organisation.

Chapter III - SELF-EMPLOYED PROFESSIONALS

1) Scope and purposes of the processing

This authorisation shall be granted, without any request being necessary, to:

a) self-employed professionals, whether associated or not, who are required to be included in the relevant lists or registers for carrying out professional activities either alone or jointly with others, also in pursuance of legislative decree no. 96 of 02.02.01 or else in compliance with the implementing provisions of Section 24(2) of Act no. 266 of 07.08.97 concerning assistance and advisory activities;

b) any person who is included in the special registers or lists set up in pursuance of, inter alia, Section 34 of Royal decree-law no. 1578 of 27.11.33 as subsequently amended and supplemented - concerning regulations for the Bar;

c) substitutes, staff and trainees working with a self-employed professional in pursuance of Section 2232 of the Civil Code, whenever they are controllers of a separate processing operation or act as controllers, jointly with others, of the processing carried out by a self-employed professional.

2) Data subjects

Processing may concern data relating to clients.

Data concerning third parties may only be processed if this is absolutely necessary to carry out specific professional activities as requested by clients for specific, lawful purposes.

Chapter IV - BANKING AND INSURANCE COMPANIES AND OTHER TYPES OF PROCESSING

1) Scope and purposes of the processing

This authorisation shall be granted, without any request being necessary, to:

a) businesses authorised and/or intending to be authorised to carry out banking, crediting, insurance or pension fund-related activities, also in case of their compulsory winding-up, with a view to establishing:

1) moral qualifications of partners and holders of executive or elective offices, as provided for by the relevant laws and regulations;

2) personal qualifications and grounds for disqualification exclusively where this is provided for by law;

3) liability for accidents and/or events relating to human life;

4) the existence of an actual danger for appropriately discharging insurance functions, as regards offences that are directly related to said functions.

In the latter cases, the controller must provide the Garante with a detailed report on processing arrangements insofar as the processing concerns data included in a specific data bank pursuant to Section 1(2), litt. a), of Act no. 675/1996;

b) controllers of a processing operation in connection with requesting, collecting and delivering papers and documents from/to the competent public departments, these tasks having been committed by the relevant data subjects;

c) securities brokerage companies, open-end investment companies and savings and pension funds management companies in order to establish moral qualifications pursuant to legislative decrees no. 58 of 24.02.98 and no. 124 of 21.04.93, ministerial decrees no. 468 of 11.11.98 and no. 211 of 14.01.97, and to further laws and regulations where applicable.

2) Additional processing operations

This authorisation shall also be granted:

a) to any person whomsoever, for the establishment or defence of a legal claim even by third parties, including administrative proceedings and arbitration or settlement procedures in the cases provided for by laws, Community legislation, regulations or collective agreements, on condition that said claim is of an equal level compared with the data subject's one and the data are processed exclusively for the above purposes and for no longer than is necessary therefor;

b) to any person whomsoever, with a view to the exercise of the right of access to administrative records in pursuance of the relevant laws and regulations;

c) to natural and legal persons, institutions, bodies and organisations carrying out private investigation activities based on a licence granted by the prefetto in pursuance of Section 134 of Royal decree no. 773 of 18.06.31, as subsequently amended and supplemented.

The processing must be necessary:

1) to enable the entity committing a specific task to establish or defend a legal claim having the same rank either as the data subject's one or as a personality right or any other fundamental, inviolable right;

2) to detect and collect information in favour of the defendant on defence counsel's instructions in connection with a criminal proceeding, whilst such information will only be used for the exercise of the right to submit evidence (as per Section 190 of the Criminal Procedure Code and Act no. 397 of 07.12.2000);

d) to any person whomsoever, in order to comply with the obligations laid down in laws concerning anti-Mafia communications and certifications or the prevention of Mafia-type crime and other serious, socially dangerous activities, including Act no. 55 of 19.03.90 as subsequently amended and supplemented, and in order to produce the documents required by law for submitting a tender for contracts;

e) to public bodies in order to allow establishing moral qualifications of any entity intending to submit a tender for contracts, in pursuance of the regulations applying to public tenders.

Chapter V - LEGAL DOCUMENTATION

1) Scope and purposes of the processing

This authorisation shall be granted with a view to the processing - including dissemination - of data for purposes of documentation, study and research in the legal sector, especially as regards collection and dissemination of data concerning court decisions.

Chapter VI - PROVISIONS APPLYING TO ALL PROCESSING OPERATIONS

To the extent that they are not regulated in the above chapters, the processing operations mentioned therein shall also be the subject of the following provisions.

1) Processing of data

Processing shall only concern such data as are necessary for the purposes for which it is authorised, provided that these purposes cannot be achieved, on a case by case basis, by processing either anonymous data or personal data of a different kind.

2) Processing arrangements

Data must be processed exclusively in accordance with such logical and organisational arrangements as are closely related to the obligations, tasks or purposes referred to above.

Apart from the cases referred to in chapters IV, item 2), and V, or where the information has been derived from a publicly available source, the data must be provided by data subjects in compliance with Section 689 of the Criminal Procedure Code concerning requests for certifications - without prejudice to Section 688 of said Code in respect of the acquisition of criminal records certifications by public administrative agencies and entities in charge of public services.

3) Data retention

In the light of the obligation laid down in Section 9(1), subheading e), of Act no. 675/1996, data may be kept for as long as required by laws or regulations and anyhow for no longer than is absolutely necessary in connection with the purposes to be achieved.

Pursuant to Section 9(1), subheadings c), d) and e) of the Act, the entities authorised must regularly check that the data are accurate and updated, and that they are relevant, complete, not excessive and necessary with regard to the purposes sought in the individual cases. In order to ensure that the data are relevant and not excessive with regard to said purposes, the entities authorised must specifically take account of the relationship between the data and the individual obligations, tasks and functions. The data that are found to be excessive, irrelevant or unnecessary, also as a result of the above controls, may not be used except in order to keep, as required by law, the instrument or document in which they are contained. Special care will have to be taken in checking that the data relating to persons other than those directly concerned by said obligations, tasks and functions are absolutely necessary.

4) Communication and dissemination

Data may be communicated and, if required by law, disseminated to public and private bodies insofar as this is necessary for the purposes sought and on condition that professional secrecy obligations and the abovementioned requirements are complied with.

5) Requests for authorisation

Where the processing falls within the scope of this authorisation, the relevant data controller shall not have to lodge a request for authorisation with the Garante - on condition that the planned processing operations are in line with the authorisation.

The requests for authorisation that have already been received, and those that will be received following the adoption of this authorisation, shall be regarded as granted under the conditions set out herein.

The Garante shall reserve the right to adopt such additional provisions as may be necessary with regard to processing operations that are not referred to in this authorisation.

As for the processing operations referred to herein, the Garante shall not consider any request to authorise processing operations that are not in line with the relevant provisions, unless such requests are to be granted on account of particular circumstances or else extraordinary situations which are not mentioned herein.

This authorisation shall be without prejudice to the obligations laid down in laws, regulations or Community legislation which impose stricter limitations or prohibitions on personal data processing - in particular as required by Section 8 of Act no. 300 of 20.05.70, which prohibits employers from investigating, also by the agency of third parties, the political, religious or trade-union opinions of (prospective) employees as well as any facts that are irrelevant to the assessment of an employee's professional qualifications.

6) Effectiveness and transitional provisions

This authorisation shall be effective as of 1 February 2002 until 20 June 2003.

If, by the date on which this authorisation is published, the processing is not compliant with the provisions that are not included in Authorisation no. 7/2000, the data controller shall have to bring it into line with said provisions by the 31st May 2002.

This authorisation shall be published in the Official Journal of the Italian Republic.

Done in Rome, this 31st day of January 2002.

THE PRESIDENT
Rodotà

THE RAPPORTEUR
Santaniello

THE SECRETARY GENERAL
Buttarelli

Record

Doc-Web: 47961
Date: 31/01/02

Type: General authorisation