Legislative Decree N° 196 of 30 June 2003 Personal Data Protection Code
THE PRESIDENT OF THE REPUBLIC
HAVING EXAMINED Articles 76 and 87 of the Constitution;
HAVING EXAMINED Article 1 of Law N° 127 of 24 March 2001, enabling Government to issue a consolidated text on the processing of personal data;
HAVING EXAMINED Article 26 of Law N° 14 of 3 February 2003, setting out provisions to ensure compliance with obligations related to Italy’s membership in the European Communities (Community Law of 2002);
HAVING EXAMINED Law N° 675 of 31 December 1996, as subsequently amended;
HAVING EXAMINED Law N° 676 of 31 December 1996, enabling Government to pass legislation concerning protection of individuals and other entities with regard to the processing of personal data;
HAVING EXAMINED Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
HAVING EXAMINED Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002, on the processing of personal data and the protection of private life in the electronic communications sector;
HAVING EXAMINED the preliminary resolution adopted by the Council of Ministers at its meeting of 9 May 2003;
HAVING HEARD the Data Protection Commissioner;
HAVING OBTAINED the opinion of the competent Parliamentary committees at the Chamber of Deputies and the Senate of the Republic;
HAVING EXAMINED the Council of Ministers’ resolution adopted at the meeting of 27 June 2003;
ACTING ON THE PROPOSAL put forward by the Prime Minister, the Minister for Public Administration and the Minister for Community Policies, in agreement with the Ministers of Justice, of Economy and Finance, of Foreign Affairs and of Communications;
ISSUES the following legislative decree:
PART I - GENERAL PROVISIONS
Title I - GENERAL PRINCIPLES
Article 1. Right to the Protection of Personal Data
1. Everyone has the right to protection of the personal data concerning him or her.
Article 2. Purposes
1. This consolidated statute, hereinafter referred to as the "Code", shall ensure that personal data are processed by respecting data subjects’ rights, fundamental freedoms and dignity, particularly with regard to confidentiality, personal identity and the right to personal data protection.
2. The processing of personal data shall be regulated by affording a high level of protection for the rights and freedoms referred to in paragraph 1 in compliance with the principles of simplification, harmonisation and effectiveness of the mechanisms by which data subjects can exercise such rights and data controllers can fulfil the relevant obligations.
Article 3. Data Minimisation Principle
1. Information systems and software shall be configured by minimising the use of personal data and identification data, in such a way as to rule out their processing if the purposes sought in the individual cases can be achieved by using either anonymous data or suitable arrangements to allow identifying data subjects only in cases of necessity, respectively.
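As an added illustration of Article 3 (not part of the Code's text), the following Python example shows one "suitable arrangement" of the kind the Article describes: identification data are replaced by a keyed pseudonym before the data are used for a purpose that does not need to know who the person is, and the only link back to the person is a separately held table that is consulted only when re-identification is actually necessary. The record layout, field names, the use of HMAC-SHA256 as the pseudonymisation function and the authorisation flag are all assumptions made for the example.

```python
"""Article 3 data minimisation in practice: keyed pseudonymisation.

Added example, not part of the Code. Identification data (name, tax code)
are stripped before the records are used for a purpose that does not need
them (here: counting distinct subjects per month). Re-identification is
possible only through a separately kept table and an explicit authorisation
check, i.e. "only in cases of necessity". Field names and records are
constructed for the example.
"""
import hmac
import hashlib
import secrets

# Constructed sample: raw records still containing identification data.
RAW_RECORDS = [
    {"name": "Mario Rossi", "tax_code": "RSSMRA80A01H501U", "service": "portal", "month": "2003-07"},
    {"name": "Mario Rossi", "tax_code": "RSSMRA80A01H501U", "service": "portal", "month": "2003-08"},
    {"name": "Anna Bianchi", "tax_code": "BNCNNA85B41F205Z", "service": "helpdesk", "month": "2003-07"},
]

# Fields that directly identify the data subject (Article 4(1)(c)).
IDENTIFICATION_FIELDS = ("name", "tax_code")


def pseudonym(tax_code: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: same person -> same token under one key.

    An unkeyed hash would not do: tax codes form a small, structured input
    space and could be recovered by enumeration. With HMAC the token is
    useless to anyone who does not hold the key.
    """
    return hmac.new(key, tax_code.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimise(records, key: bytes):
    """Strip identification data, keeping only a pseudonym plus the fields
    the purpose needs. Returns (minimised_records, reidentification_table).
    The table is the only link back to the person and is meant to be
    stored and access-controlled separately from the minimised records."""
    minimised, table = [], {}
    for r in records:
        p = pseudonym(r["tax_code"], key)
        table[p] = {f: r[f] for f in IDENTIFICATION_FIELDS}
        kept = {k: v for k, v in r.items() if k not in IDENTIFICATION_FIELDS}
        minimised.append({**kept, "subject": p})
    return minimised, table


def monthly_active_subjects(minimised):
    """The actual purpose of the processing: distinct subjects per month.
    It works on pseudonyms alone; no identification data is needed."""
    seen = {}
    for r in minimised:
        seen.setdefault(r["month"], set()).add(r["subject"])
    return {m: len(s) for m, s in seen.items()}


def reidentify(p: str, table, authorised: bool):
    """Re-identification only in a case of necessity: the caller must hold
    the separately kept table and pass an authorisation decision (assumed
    here as a flag; a real system would consult an authorisation profile
    in the sense of Article 4(3)(f))."""
    if not authorised:
        raise PermissionError("re-identification not authorised")
    return table.get(p)


def leaks_identifiers(minimised) -> bool:
    """Check that no identification field survived the minimisation step."""
    return any(f in r for r in minimised for f in IDENTIFICATION_FIELDS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: held apart from the statistics
    mini, table = minimise(RAW_RECORDS, key)
    print(monthly_active_subjects(mini))  # {'2003-07': 2, '2003-08': 1}
    print("identifiers leaked:", leaks_identifiers(mini))  # False
```

The point of the arrangement is that the statistics pipeline never needs the key or the table: it receives only pseudonymous records, so a compromise of that system yields no identification data, while the controller can still answer an access request under Article 7 by consulting the table through the authorised path.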
Article 4. Definitions
1. For the purposes of this Code:
a) "processing" shall mean any operation, or set of operations, carried out with or without the help of electronic or automated means, concerning the collection, recording, organisation, keeping, interrogation, elaboration, modification, selection, retrieval, comparison, utilization, interconnection, blocking, communication, dissemination, cancellation and destruction of data, whether the latter are contained or not in a data bank;
b) "personal data" shall mean any information relating to natural or legal persons, bodies or associations that are or can be identified, even indirectly, by reference to any other information including a personal identification number;
c) "identification data" shall mean personal data allowing a data subject to be directly identified;
d) "sensitive data" shall mean personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life;
e) "judicial data" shall mean personal data disclosing the measures referred to in Article 3(1), letters a) to o) and r) to u), of Presidential Decree N° 313 of 14 November 2002 concerning the criminal record office, the register of offence-related administrative sanctions and the relevant current charges, or the status of being either defendant or the subject of investigations pursuant to Articles 60 and 61 of the Criminal Procedure Code;
f) "data controller" shall mean any natural or legal person, public administration, body, association or other entity that is competent, also jointly with another data controller, to determine purposes and methods of the processing of personal data and the relevant means, including security matters;
g) "data processor" shall mean any natural or legal person, public administration, body, association or other agency that processes personal data on the controller’s behalf;
h) "persons in charge of the processing" shall mean the natural persons that have been authorised by the data controller or processor to carry out processing operations;
i) "data subject" shall mean any natural or legal person, body or association that is the subject of the personal data;
l) "communication" shall mean disclosing personal data to one or more identified entities other than the data subject, the data controller’s representative in the State’s territory, the data processor and persons in charge of the processing in any form whatsoever, including by making available or interrogating such data;
m) "dissemination" shall mean disclosing personal data to unidentified entities, in any form whatsoever, including by making available or interrogating such data;
n) "anonymous data" shall mean any data that either in origin or on account of its having been processed cannot be associated with any identified or identifiable data subject;
o) "blocking" shall mean keeping personal data by temporarily suspending any other processing operation;
p) "data bank" shall mean any organised set of personal data, divided into one or more units located in one or more places;
q) "Data Protection Commissioner" shall mean the authority referred to in Article 153 as set up under Law N° 675 of 31 December 1996.
2. Furthermore, for the purposes of this Code:
a) "electronic communication" shall mean any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable or identified subscriber or user receiving the information;
b) "call" means a connection established by means of a publicly available telephone service allowing two-way communication in real time;
c) "electronic communications network" shall mean transmission systems and switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, networks used for radio and television broadcasting, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, and cable television networks, irrespective of the type of information conveyed;
d) "public communications network" shall mean an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services;
e) "electronic communications service" shall mean a service which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, to the extent that this is provided for in Article 2, letter c) of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002;
f) "subscriber" shall mean any natural or legal person, body or association who or which is party to a contract with the provider of publicly available electronic communications services for the supply of such services, or is anyhow the recipient of such services by means of pre-paid cards;
g) "user" shall mean a natural person using a publicly available electronic communications service for private or business purposes, without necessarily being a subscriber to such service;
h) "traffic data" shall mean any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof;
i) "location data" shall mean any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service;
l) "value added service" shall mean any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof;
m) "electronic mail" shall mean any text, voice, sound or image message sent over a public communications network, which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.
3. Furthermore, for the purposes of this Code:
a) "minimum measures" shall mean the technical, informational, organizational, logistics and procedural security measures affording the minimum level of protection which is required by having regard to the risks mentioned in Article 31;
b) "electronic means" shall mean computers, computer software and any electronic and/or automated device used for performing the processing;
c) "computerised authentication" shall mean a set of electronic tools and procedures to verify identity also indirectly;
d) "authentication credentials" shall mean the data and devices in the possession of a person, whether known by or uniquely related to the latter, that are used for computerised authentication;
e) "password" shall mean the component of an authentication credential associated with and known to a person, consisting of a sequence of characters or other data in electronic format;
f) "authorisation profile" shall mean the information uniquely associated with a person that allows determining the data that may be accessed by said person as well as the processing operations said person may perform;
g) "authorisation system" shall mean the tools and procedures enabling access to the data and the relevant processing mechanisms as a function of the requesting party’s authorisation profile.
4. For the purposes of this Code:
a) "historical purposes" shall mean purposes related to studies, investigations, research and documentation concerning characters, events and situations of the past;
b) "statistical purposes" shall mean purposes related to statistical investigations or the production of statistical results, also by means of statistical information systems;
c) "scientific purposes" shall mean purposes related to studies and systematic investigations that are aimed at developing scientific knowledge in a given sector.
Article 5. Subject-Matter and Scope of Application
1. This Code shall apply to the processing of personal data, including data held abroad, where the processing is performed by any entity established either in the State’s territory or in a place that is under the State’s sovereignty.
2. This Code shall also apply to the processing of personal data that is performed by an entity established in the territory of a country outside the European Union, where said entity makes use in connection with the processing of equipment, whether electronic or otherwise, situated in the State’s territory, unless such equipment is used only for purposes of transit through the territory of the European Union. If this Code applies, the data controller shall designate a representative established in the State’s territory with a view to implementing the provisions concerning processing of personal data.
3. This Code shall only apply to the processing of personal data carried out by natural persons for exclusively personal purposes if the data are intended for systematic communication or dissemination. The provisions concerning liability and security referred to in Articles 15 and 31 shall apply in any case.
Article 6. Regulations Applying to Processing Operations
1. The provisions contained in this Part shall apply to any processing operations except as specified in connection with some processing operations by the provisions contained in Part II that amend and/or supplement those laid down herein.
Title II - DATA SUBJECT’S RIGHTS
Article 7. Right to Access Personal Data and Other Rights
1. A data subject shall have the right to obtain confirmation as to whether or not personal data concerning him exist, regardless of their being already recorded, and communication of such data in intelligible form.
2. A data subject shall have the right to be informed:
a) of the source of the personal data;
b) of the purposes and methods of the processing;
c) of the logic applied to the processing, if the latter is carried out with the help of electronic means;
d) of the identification data concerning data controller, data processors and the representative designated as per Article 5(2);
e) of the entities or categories of entity to whom or which the personal data may be communicated and who or which may get to know said data in their capacity as designated representative(s) in the State’s territory, data processor(s) or person(s) in charge of the processing.
3. A data subject shall have the right to obtain:
a) updating, rectification or, where interested therein, integration of the data;
b) cancellation, anonymization or blocking of data that have been processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed;
c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected.
4. A data subject shall have the right to object, in whole or in part:
a) on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection;
b) to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys.
Article 8. Exercise of Rights
1. The rights referred to in Article 7 may be exercised by making a request to the data controller or processor without formalities, also by the agency of a person in charge of the processing. A suitable response shall be provided to said request without delay.
2. The rights referred to in Article 7 may not be exercised by making a request to the data controller or processor, or else by lodging a complaint pursuant to Article 145, if the personal data are processed:
a) pursuant to the provisions of decree-law N° 143 of 3 May 1991, as converted, with amendments, by Law N° 197 of 5 July 1991, and subsequently amended, concerning money laundering;
b) pursuant to the provisions of decree-law N° 419 of 31 December 1991, as converted, with amendments, by Law N° 172 of 18 February 1992 and subsequently amended, concerning support for victims of extortion;
c) by parliamentary Inquiry Committees set up as per Article 82 of the Constitution;
d) by a public body other than a profit-seeking public body, where this is expressly required by a law for purposes exclusively related to currency and financial policy, the system of payments, control of brokers and credit and financial markets and protection of their stability;
e) pursuant to Article 24(1), letter f), as regards the period during which performance of the investigations by defence counsel or establishment of the legal claim might be actually and concretely prejudiced;
f) by providers of publicly available electronic communications services in respect of incoming phone calls, unless this may be actually and concretely prejudicial to performance of the investigations by defence counsel as per Law N° 397 of 7 December 2000;
g) for reasons of justice by judicial authorities at all levels and of all instances as well as by the Higher Council of the Judiciary or other self-regulatory bodies, or else by the Ministry of Justice;
h) pursuant to Article 53, without prejudice to Law N° 121 of 1 April 1981.
3. In the cases referred to in paragraph 2, letters a), b), d), e) and f), the Data Protection Commissioner, also following a report submitted by the data subject, shall act as per Articles 157, 158 and 159; in the cases referred to in letters c), g) and h) of said paragraph, the Data Protection Commissioner shall act as per Article 160.
4. Exercise of the rights referred to in Article 7 may be permitted with regard to data of non-objective character on condition that it does not concern rectification of or additions to personal evaluation data in connection with judgments, opinions and other types of subjective assessment, or else the specification of policies to be implemented or decision-making activities by the data controller.
Article 9. Mechanisms to Exercise Rights
1. The request addressed to the data controller or processor may also be conveyed by means of a registered letter, facsimile or e-mail. The Data Protection Commissioner may specify other suitable arrangements with regard to new technological solutions. If the request is related to exercise of the rights referred to in Article 7(1) and (2), it may also be made verbally; in this case, it will be written down in summary fashion by either a person in charge of the processing or the data processor.
2. The data subject may grant, in writing, power of attorney or representation to natural persons, bodies, associations or organisations in connection with exercise of the rights as per Article 7. The data subject may also be assisted by a person of his/her choice.
3. The rights as per Article 7, where related to the personal data concerning a deceased, may be exercised by any entity that is interested therein or else acts to protect a data subject or for family-related reasons deserving protection.
4. The data subject’s identity shall be verified on the basis of suitable information, also by means of available records or documents or by producing or attaching a copy of an identity document. The person acting on behalf of the data subject must produce or attach a copy of either the proxy or the letter of attorney signed by the data subject in the presence of a person in charge of the processing or signed and presented together with a non-authenticated photocopy of an ID document of the data subject. If the data subject is a legal person, a body or association, the relevant request shall be made by the natural person that is legally authorized thereto based on the relevant regulations or articles of association.
5. The request referred to in Article 7(1) and (2) may be worded freely without any constraints and may be renewed at intervals of not less than ninety days, unless there are well-grounded reasons.
Article 10. Response to Data Subjects
1. With a view to effectively exercising the rights referred to in Article 7, data controllers shall take suitable measures in order to, in particular:
a) facilitate access to personal data by the data subjects, including by means of appropriate computer software for accurate selection of data concerning individual identified or identifiable data subjects;
b) simplify the arrangements and reduce the delay for the responses, also with regard to public relations departments or offices.
2. The data processor or the person(s) in charge of the processing shall be responsible for retrieval of the data, which may be communicated to the requesting party also verbally, or else displayed by electronic means, on condition that the data are easily intelligible in such cases also in the light of the nature and amount of the information. The data shall be reproduced on paper or magnetic media, or else transmitted via electronic networks, whenever this is requested.
3. The response provided to the data subject shall include all the personal data concerning him/her that are processed by the data controller, unless the request concerns either a specific processing operation or specific personal data or categories of personal data. If the request is made to a health care professional or health care body, Article 84(1) shall apply.
4. If data retrieval is especially difficult, the response to the data subject’s request may also consist in producing or delivering copy of records and documents containing the personal data at stake.
5. The right to obtain communication of the data in intelligible form does not apply to personal data concerning third parties, unless breaking down the processed data or eliminating certain items from the latter prevents the data subject’s personal data from being understandable.
6. Data are communicated in intelligible form also by using legible handwriting. If codes or abbreviations are communicated, the criteria for understanding the relevant meanings shall be made available also by the agency of the persons in charge of the processing.
7. Where it is not confirmed that personal data concerning the data subject exist, further to a request as per Article 7(1) and (2), letters a), b) and c), the data subject may be charged a fee which shall not be in excess of the costs actually incurred for the inquiries made in the specific case.
8. The fee referred to in paragraph 7 may not be in excess of the amount specified by the Data Protection Commissioner in a generally applicable provision, which may also refer to a lump sum to be paid in case the data are processed by electronic means and the response is provided verbally. Through said instrument the Data Protection Commissioner may also provide that the fee may be charged if the personal data are contained on special media whose reproduction is specifically requested, or else if a considerable effort is required by one or more data controllers on account of the complexity and/or amount of the requests and existence of data concerning the data subject can be confirmed.
9. The fee referred to in paragraphs 7 and 8 may also be paid by bank or postal draft, or else by debit or credit card, if possible upon receiving the relevant response and anyhow within fifteen days of said response.
Title III - GENERAL DATA PROCESSING RULES
CHAPTER I - RULES APPLYING TO ALL PROCESSING OPERATIONS
Article 11. Processing Methods and Data Requirements
1. Personal data undergoing processing shall be:
a) processed lawfully and fairly;
b) collected and recorded for specific, explicit and legitimate purposes and used in further processing operations in a way that is not inconsistent with said purposes;
c) accurate and, when necessary, kept up to date;
d) relevant, complete and not excessive in relation to the purposes for which they are collected or subsequently processed;
e) kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data were collected or subsequently processed.
2. Any personal data that is processed in breach of the relevant provisions concerning the processing of personal data may not be used.
Article 12. Codes of Conduct and Professional Practice
1. The Data Protection Commissioner shall encourage, within the framework of the categories concerned and in conformity with the principle of representation, by having regard to the guidelines set out in Council of Europe recommendations on the processing of personal data, the drawing up of codes of conduct and professional practice for specific sectors, verify their compliance with laws and regulations by also taking account of the considerations made by the entities concerned, and contribute to adoption of and compliance with such codes.
2. The Data Protection Commissioner shall be responsible for having the codes published in the Official Journal of the Italian Republic; the codes shall be included into Annex A) to this Code based on a decree by the Minister of Justice.
3. Compliance with the provisions included in the codes referred to in paragraph 1 shall be a prerequisite for the processing of personal data by public and private entities to be lawful.
4. The provisions of this Article shall also apply to the code of conduct on the processing of data for journalistic purposes as adopted further to the encouragement provided by the Data Protection Commissioner pursuant to paragraph 1 and Article 139.
Article 13. Information to Data Subjects
1. The data subject as well as any entity from whom or which personal data are collected shall be preliminarily informed, either orally or in writing, as to:
a) the purposes and modalities of the processing for which the data are intended;
b) the obligatory or voluntary nature of providing the requested data;
c) the consequences if (s)he fails to reply;
d) the entities or categories of entity to whom or which the data may be communicated, or who/which may get to know the data in their capacity as data processors or persons in charge of the processing, and the scope of dissemination of said data;
e) the rights as per Article 7;
f) the identification data concerning the data controller and, where designated, the data controller’s representative in the State’s territory pursuant to Article 5 and the data processor. If several data processors have been designated by the data controller, at least one among them shall be referred to and either the site on the communications network or the mechanisms for easily accessing the updated list of data processors shall be specified. If a data processor has been designated to provide responses to data subjects in case the rights as per Article 7 are exercised, such data processor shall be referred to.
2. The information as per paragraph 1 shall also contain the items referred to in specific provisions of this Code and may fail to include certain items if the latter are already known to the entity providing the data or their knowledge may concretely impair supervisory or control activities carried out by public bodies for purposes related to defence or State security, or else for the prevention, suppression or detection of offences.
3. The Data Protection Commissioner may issue a provision to set out simplified information arrangements as regards, in particular, telephone services providing assistance and information to the public.
4. Whenever the personal data are not collected from the data subject, the information as per paragraph 1, also including the categories of processed data, shall be provided to the data subject at the time of recording such data or, if their communication is envisaged, no later than when the data are first communicated.
5. Paragraph 4 shall not apply:
a) if the data are processed in compliance with an obligation imposed by a law, regulations or Community legislation;
b) if the data are processed either for carrying out the investigations by defence counsel as per Law N° 397 of 7 December 2000, or to establish or defend a legal claim, provided that the data are processed exclusively for said purposes and for no longer than is necessary for this purpose;
c) if the provision of information to the data subject involves an effort that is declared by the Data Protection Commissioner to be manifestly disproportionate compared with the right to be protected, in which case the Data Protection Commissioner shall lay down suitable measures, if any, or if it proves impossible in the opinion of the Data Protection Commissioner.
Article 14. Definition of Profiles and the Personality of Data Subjects
1. No judicial or administrative act or measure involving the assessment of a person’s conduct may be based solely on the automated processing of personal data aimed at defining the data subject’s profile or personality.
2. The data subject may challenge any other decision that is based on the processing referred to in paragraph 1, pursuant to Article 7(4), letter a), unless such decision has been taken for the conclusion or performance of a contract, further to a proposal made by the data subject or on the basis of adequate safeguards laid down either by this Code or in a provision issued by the Data Protection Commissioner pursuant to Article 17.
Article 15. Damage Caused by the Processing
1. Whoever causes damage to another as a consequence of the processing of personal data shall be liable to pay damages pursuant to Article 2050 of the Civil Code.
2. Compensation for non-pecuniary damage shall be also due upon infringement of Article 11.
Article 16. Termination of Processing
1. Should data processing be terminated, for whatever reason, the data shall be:
a) destroyed;
b) assigned to another data controller, provided they are intended for processing under terms that are compatible with the purposes for which the data have been collected;
c) kept for exclusively personal purposes, without being intended for systematic communication or dissemination;
d) kept or assigned to another controller for historical, scientific or statistical purposes, in compliance with laws, regulations, Community legislation and the codes of conduct and professional practice adopted pursuant to Article 12.
2. Assignment of data in breach either of paragraph 1, letter b), or of other relevant provisions applying to the processing of personal data shall be void.
Article 17. Processing Operations that Carry Specific Risks
1. Processing of data other than sensitive and judicial data shall be allowed in accordance with such measures and precautions as are laid down to safeguard data subjects, if the processing is likely to present specific risks to data subjects’ fundamental rights and freedoms and dignity on account of the nature of the data, the arrangements applying to the processing or the effects the latter may produce.
2. The measures and precautions referred to in paragraph 1 shall be laid down by the Data Protection Commissioner on the basis of the principles set out in this Code within the framework of a check to be performed prior to start of the processing as also related to specific categories of data controller or processing, following the request, if any, submitted by the data controller.