Protection of individuals and other subjects with regard to the processing of personal data

ACT no. 675 of 31.12.1996

As amended by Legislative Decree no. 123 of 09.05.1997, no. 255 of 28.07.1997, no. 135 of 08.05.1998, no. 171 of 13.05.1998, no. 389 of 6.11.1998, no. 51 of 26.02.1999, no. 135 of 11.05.1999, no. 281 of 30.07.1999, no. 282 of 30.07.1999 and no. 467 of 28.12.2001.
Amendments are shown in italics

 

FOREWORD

Personal data laws are becoming increasingly a tool for the overall protection of fundamental human rights, thereby adding significantly to the conventional privacy framework. The recent Italian Data Protection Act (no. 675 of 31.12.1996) regards privacy protection as a part of a larger whole - taking also account of guidelines already included in the European Directive of 1995: indeed, personal data are to be processed "by respecting the rights, fundamental freedoms and dignity of natural persons, in particular with regard to privacy and personal identity". Thus, privacy becomes a fundamental component of the "electronic citizenship" which will be a basic feature of the next millennium.

This ambitious target cannot be achieved solely through an Act ensuring a high level of protection to citizens: powerful social legitimation is also required.

The level of protection ensured by the Italian Act is considerable. This is partly due to the fact that Parliament chose to include, from the very beginning, significant provisions of the EU Directive into domestic legislation; hence, the protection of personal data processed in Italy is, at least currently, in many instances greater than that ensured by countries in which this is long-standing practice.

Social legitimation also results from the fact that the supervisory authority is a direct, exclusive expression of Parliamentary activity. The four members of the Supervisory Authority (i.e., the "Garante") for Personal Data Protection are elected by both Houses, and the chairman is, in turn, elected by the members. This means that no undue pressure is exercised by Government, which obviously enhances the independence of the authority. Further, being directly linked to popular sovereignty - through the election by Parliament - the authority is especially qualified to carry out activities which are aimed, firstly and above all, at protecting values and fundamental rights to which all citizens are entitled.

Thus, the Garante is not entrusted exclusively with the task of monitoring or auditing data banks: in fact, it has considerable power of action, including data banks to which no supervision usually applies (see Article 4). This is the case, for instance, of intelligence services, which may not dismiss the requests made by the Garante on grounds of State secrecy - as is often the case in respect of similar requests made by judicial authorities.

The Garante is also committed the difficult task of striking a balance between diverging interests. This is apparent as regards the relationships between privacy and freedom of the press, but also applies to other matters - such as sensitive data; processing of such data is allowed only with the data subject's consent and with the authorization by the Garante.

Act no. 675 is accompanied by another Act (no. 676) which provides flexibility and can be said to be a gateway to the future. Self-amendment arrangements are provided for: based on the experience gained in the implementation of the Act, the Government may issue decrees supplementing and/or amending the Act so as to bring the latter fully into line with actual requirements. Two such decrees have already been issued. Furthermore, the Government was enabled to issue, by the end of 1998, a number of decrees which should allow supplementing the existing legislation in especially complex areas or in sectors showing innovations due to the development of information and communication technology. This entails the commitment towards laying down provisions applying to the whole issue of telematics networks by the term stated - which will prevent leaving out the very sectors in which the protection of fundamental human rights is especially necessary and involves a greater effort.

THE GARANTE        

 

Table of Contents

Chapter I   - GENERAL PRINCIPLES

Chapter II  - OBLIGATIONS RELATING TO THE CONTROLLER

Chapter III - PROCESSING OF PERSONAL DATA

Part I - Collection and quality of personal data

Part II - Data subject’s rights in respect of data processing

Part III - Security in data processing, limitations on the utilization of data and payment of damages

Part IV - Communication and dissemination of data

Chapter IV  - PROCESSING OF SPECIAL CATEGORIES OF DATA

Chapter V   - PROCESSING SUBJECT TO SPECIFIC PROVISIONS

Chapter VI  - ADMINISTRATIVE AND JUDICIAL REMEDIES

Chapter VII  - SUPERVISORY AUTHORITY

Chapter VIII - PENALTIES

Chapter IX  - TRANSITIONAL, FINAL AND REPEALED PROVISIONS

Chapter X   - FUNDING AND ENTRY INTO FORCE

 

 

CHAPTER I
GENERAL PRINCIPLES

Article 1
(Purposes and definitions)

1. This Act shall ensure that the processing of personal data is carried out by respecting the rights, fundamental freedoms and dignity of natural persons, particularly with regard to privacy and personal identity; it shall further ensure the protection of the rights of legal persons and of any other body or association.

2. For the purposes of this Act:

a) "data bank" shall mean any set of personal data, divided into one or more units located in one or more places, organized according to specific criteria such as to facilitate their processing;

b) "processing" shall mean any operation, or set of operations, carried out with or without the help of electronic or automated means, concerning the collection, recording, organization, keeping, elaboration, modification, selection, retrieval, comparison, utilization, interconnection, blocking, communication, dissemination, erasure and destruction of data;

c) "personal data" shall mean any information relating to natural or legal persons, bodies or associations that are or can be identified, even indirectly, by reference to any other information including a personal identification number;

d) "controller" shall mean any natural or legal person, public administration, body, association or other agency that is competent to determine purposes and methods of the processing of personal data, as also related to security;

e) "processor" shall mean any natural or legal person, public administration, body, association or other agency that processes personal data on behalf of the controller;

f) "data subject" shall mean any natural or legal person, body or association that is the subject of the personal data;

g) "communication" shall mean the disclosure of personal data to one or more identified subjects other than the data subject, in any form whatsoever, including by making available or searching such data;

h) "dissemination" shall mean the disclosure of personal data to unidentified subjects, in any form whatsoever, including by making available or searching such data;

i) "anonymous data" shall mean any data which in origin, or by its having been processed, cannot be associated with any identified or identifiable data subject;

l) "blocking" shall mean the keeping of personal data with temporary suspension of any other processing;

m) "Garante" shall mean the supervisory authority set up as per article 30.

Article 2
(Scope)

1. This Act shall apply to the processing of personal data carried out by any person whomsoever on the State's territory.

1-bis. This Act shall further apply to the processing of personal data that is performed by an entity established on the territory of a country outside the European Union, where said entity makes use in connection with the processing of equipment, whether automated, electronic or otherwise, situated on the State's territory, unless such equipment is used only for purposes of transit through the territory of the European Union. (*)

1-ter. In the cases referred to in paragraph 1-bis, the controller established on the territory of a country outside the European Union must designate a representative established in the State's territory with a view to implementing the provisions of this Act. (*)

Article 3
(Processing for exclusively personal purposes)

1. This Act shall not apply to the processing of personal data carried out by natural persons for exclusively personal purposes, provided that the data are not intended for systematic communication or dissemination.

2. The provisions relating to data protection as per article 15 and the provisions laid down in Article 18 (*) shall apply to the processing referred to in paragraph 1.

Article 4
(Specific types of processing in the public sector)

1. This Act shall not apply to the processing of personal data carried out:

a) by the data processing centre referred to in article 8 of Act no. 121 of 1 April 1981, as amended by para. 1 of article 43 of this Act, and in respect of the data that are to be transferred to the said centre under the law, also pursuant to the agreement for the accession to the Convention implementing the Schengen Agreement as enforced by Act no. 388 of 30 September 1993;

b) by the agencies referred to in articles 3, 4 and 6 of Act no. 801 of 24 October 1977, or in respect of data to which official secret applies as per article 12 of said Act;

c) within the scope of activity of the criminal records service as per Title IV of Book X of the Criminal Procedure Code and per royal decree no. 778 of 18 June 1931, as subsequently amended, or, pursuant to law, within the scope of activity of the pending criminal prosecutions service;

d) in implementation of paragraph 3 of article 371bis of the Criminal Procedure Code or, for purposes of justice, within the scope of activity of judicial offices, the Higher Council of the Judiciary and the Ministry of Justice;

e) by any other public authority for purposes of defence or relating to State security, or for the prevention, detection or control of crimes, as expressly required by laws which specifically provide for such processing.

2. The provisions as per articles 9, 15, 17, 18, 31, 32, para. 6 and 7, and 36 as well as those included in articles 7 and 34, except for the processing referred to under subheading b), shall apply to the processing mentioned in para. 1.

Article 5
(Processing carried out without electronic means)

1. The processing of personal data carried out without electronic or, at all events, automated means shall be governed by the same provisions applying to the processing carried out with the aforesaid means.

Article 6
(Processing of data kept in a foreign country)

1. The provisions of this Act shall apply to the processing, on the State's territory, of personal data kept in a foreign country.

2. Where the processing as per para. 1 consists in transferring personal data across national borders, article 28 shall apply.

CHAPTER II
OBLIGATIONS RELATING TO THE CONTROLLER

Article 7
(Notification)

1. A controller intending to process personal data falling within the scope of application of this Act shall have to notify the Garante thereof, exclusively in the cases and manner set out in the regulations as per Article 33(3), if the processing is liable to adversely affect the data subject's rights and freedoms on account of either the relevant mechanisms or the nature of the personal data (*).

2. The notification shall have to be given in advance and once only, by means of a registered letter or any other means suitable for certifying its receipt, regardless of the number of operations to be performed and of the duration of the processing, and may concern one or more processing operations for related purposes. A new notification shall only be made necessary by changes in the information that must be specified (*) and must be given before such changes are made.

The provisions referred to in the following paragraphs 3, 4, 5, 5-bis, 5-ter, 5-quater and 5-quinquies shall be repealed as of the date of entry into force of the amendments to be made to the regulations referred to in article 33(3), in pursuance of paragraph 1 of this article.

3. The notification shall be undersigned both by the subject giving it and by the processor.

4. The notification shall specify:

a) the name, denomination or trade name, the domicile, residence or registered office of the controller;

b) the purposes and methods of the processing;

c) the nature of the data, the place where they are kept and the categories of data subjects to which they refer;

d) the communication and dissemination sphere of the data;

e) any proposed transfer of the data either to countries not belonging to the European Union or, where such transfer concerns any of the data as per articles 22 and 24, outside national borders;

f) a general description allowing assessment of the adequacy of technical and organizational safeguards adopted for data security;

g) the data bank(s) to which the processing refers and any link with other processing operations or data banks, including those outside the State's territory;

h) the name, denomination or trade name, the domicile, residence or registered office of the data controller's representative on the State's territory and at least one data processor, the latter being the entity referred to for the purposes set out in Article 13 (**); in default of such data, the person giving the notification shall be regarded as the processor;

i) qualification and title of the person giving said notification.

5. Any person who is required by law to register in the company register as per article 2188 of the Civil Code or to provide the information as per para. 8, subheading d), of article 8 of Act no. 580 of 29 December 1993 to the Chambers of Commerce, Industry, Trade and Agriculture, may notify the authority by the agency of the said Chambers in accordance with the arrangements laid down in the regulations referred to in article 33(3). Small-scale businesses and craftsmen may give said notification by the agency of the associations representing them; any person who is included in a professional roll may notify the Garante by the agency of the relevant professional association. Paragraph 3 is hereby left unprejudiced.

5-bis. Simplified notifications may omit certain items of information referred to in paragraph 4, subheadings b), c), e) and g), as specified by the Garante pursuant to the regulations referred to in Article 33(3), whenever the processing is carried out:

a) by not-for-profit public bodies, based either on specific laws in pursuance of Article 22(3) and 24 or on the provision referred to in said Article 24;

b) in the exercise of the journalistic profession and for the sole purposes related thereto, or by the persons referred to in paragraph 4-bis of Article 25, in compliance with the code of conduct as per the selfsame Article;

c) temporarily without electronic or automated means, for the sole purposes of and in accordance with arrangements closely related to internal organization of the controller's activity, as regards data other than those referred to in Articles 22 and 24 that are not recorded in a data bank;

c-bis) for historical, scientific research and statistics purposes in compliance with laws, regulations, community legislation and the codes of conduct and professional ethics undersigned in pursuance of Article 31.

5-ter. Except as provided for in Article 4, no notification shall be required if:

a) the processing is necessary to comply with obligations laid down by laws, regulations or Community legislation and concerns data other than those referred to in Articles 22 and 24;

b) the processing concerns data included in or retrieved from public registers, lists, acts or documents which are publicly available, without prejudice to the limitations and arrangements laid down in Article 20(1), subheading b);

c) the processing is carried out exclusively for purposes related to the filing system as regards data which are required for classifying correspondence sent for purposes other than those referred to in Article 13(1), subheading e), especially in respect of the data subject's name and address, position and employer;

d) the processing concerns telephone notebooks or similar contrivances which are not intended for dissemination and are used exclusively for office or work purposes and anyhow for purposes other than those referred to in Article 13(1), subheading e);

e) the processing is carried out exclusively in order to comply with specific obligations concerning accounting, salaries, social security, benefits and fiscal issues and applies only to such categories of data, data subjects and persons to whom the data are communicated or disseminated as are closely related to the above purpose, on condition that the data are kept for no longer than is necessary for said purpose;

f) except as provided for in paragraph 5-bis, subheading b), the processing is carried out by self-employed workers who are included in professional rolls or registers, exclusively for purposes that are closely related to the performance of specific obligations, without prejudice to professional secrecy;

g) the processing is carried out by small businesses as per Article 2083 of the Civil Code exclusively for purposes that are closely related to the performance of the relevant activities and on condition that the categories of data, data subjects and persons to whom the data are communicated or disseminated and the time for which the data are kept are necessary to achieve said purposes;

h) the processing is aimed at keeping professional rolls or registers in compliance with laws and regulations;

i) the processing is carried out exclusively for the ordinary management of libraries, museums and exhibitions in pursuance of laws and regulations, or for organizing cultural or sports initiatives or setting up catalogues and bibliographic lists;

l) the processing is carried out by associations, foundations, committees even of a political, philosophical, religious or trade-unionistic character, or by the organs representing them, which have been set up as not-for-profit bodies and for lawful purposes, as regards data concerning members and persons who have regular contact with said associations, foundations or organs in connection with the above purposes, without prejudice to the obligation to inform the data subjects and have their consent - where necessary;

m) the processing is carried out by the voluntary organizations referred to in Act no. 266 of 11.08.91 in compliance with the limitations laid down under subheading l) and pursuant to the authorizations and provisions referred to in Articles 22 and 23;

n) the processing is carried out on a temporary basis exclusively in order to publish or circulate papers, essays and other intellectual works, in compliance with the code as per Article 25;

o) the processing is carried out, even with electronic or automated means, to edit journals or publications addressing law matters, as regards data extracted from provisions issued by judicial or other authorities;

p) the processing is carried out, on a temporary basis, exclusively in order to canvass support to bills put forward by citizens, applications for referenda, petitions or appeals;

q) the processing is aimed exclusively at the management of condominia as per Article 1117 and subsequent ones of the Civil Code, in respect of such categories of data, data subjects and persons to whom the data are communicated as are necessary for the management of the jointly owned property, on condition that the data are kept for no longer than is necessary for the protection of the relevant rights;

q-bis) the processing is part either of the national programme for statistics or of statistics programming measures which are provided for by law, and it is carried out in compliance with laws, regulations, community legislation and the codes of conduct and professional ethics undersigned in pursuance of Article 31.

5-quater. Simplified notification or the exemption as per paragraphs 5-bis and 5-ter may apply in respect of a data controller if the processing is carried out exclusively for the purposes and concerns the categories of data, data subjects and persons to whom the data are communicated or disseminated which are referred to, as also related to the period for which the data may be kept, in paragraphs 5-bis and 5-ter as well as:

a) in the laws, regulations or Community legislation referred to in paragraphs 5-bis, subheading a), and 5-ter, subheadings a) and m), as regards the relevant cases;

b) in the code of conduct referred to in para. 5-bis, subheading b);

c) in the authorization granted by the Garante pursuant to the arrangements which are laid down in Article 41(7) or, in respect of data other than those as per Articles 22 and 24, in similar provisions issued by said authority.

5-quinquies. Any controller applying the exemption as per paragraph 5-ter must provide the information referred to in paragraph 4 to any person requesting it.

Article 8
(Processor)

1. Where designated, the processor shall be a person having adequate knowledge, experience and reliability so as to ensure thorough compliance with the provisions in force applying to processing, as also related to security issues.

2. The processor shall abide by the instructions given by the controller in carrying out the aforementioned processing. The controller shall verify, also through periodic controls, that the provisions as per para. 1 and his own instructions are fully complied with.

3. If necessary on account of organizational needs, more than one person may be appointed as processor, even by subdividing the relevant tasks.

4. The tasks committed to the processor shall be detailed in writing.

5. The persons in charge of the processing shall have to process the personal data to which they have access by complying with the instructions given by the controller or processor.

CHAPTER III
PROCESSING OF PERSONAL DATA

PART I

COLLECTION AND QUALITY OF PERSONAL DATA

Article 9
(Modalities for the collection and quality of personal data)

1. Personal data undergoing processing shall be:

a) processed lawfully and fairly;

b) collected and recorded for specific, explicit and legitimate purposes and used in further processing operations in a way that is not inconsistent with said purposes;

c) accurate and, when necessary, kept up to date;

d) adequate, relevant and not excessive in relation to the purposes for which they are collected or subsequently processed;

e) kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data were collected or subsequently processed.

1-bis. Processing of personal data for historical, scientific research or statistics purposes shall be consistent with the purposes for which the data are collected or subsequently processed and may be carried out even after expiry of the period that is necessary for the latter purposes.

Article 10
(Information provided when collecting the data)

1. The data subject as well as whoever is requested to provide personal data shall be preliminarily informed, either orally or in writing, as to:

a) the purposes and modalities of the processing for which the data are intended;

b) the obligatory or voluntary nature of providing the requested data;

c) the consequences if he fails to reply;

d) the subjects or the categories of subjects to whom the data can be communicated and the area within which the data may be disseminated;

e) the rights as per article 13;

f) the name, denomination or trade name and the domicile, residence, or registered office of the controller, the controller's representative on the State's territory and at least one data processor, the latter being the entity referred to for the purposes set out in Article 13, by specifying either the site in the communications network or the mechanisms for accessing, without constraint, the updated list of data processors (**).

2. The information as per paragraph 1 may not include those items which are already known to the subject providing the data or the knowledge of which may hinder supervisory or control activities carried out by public bodies for the purposes referred to in para. 1, subheading e), of article 4 and in para. 1, subheading d), of article 14.

3. Whenever personal data are not collected from the data subject, the information as per para. 1 shall be provided to the data subject at the time of recording such data or, if their disclosure is envisaged, no later than the time when the data are first disclosed.

4. Paragraph 3 shall not apply where the provision of information to the data subject involves an effort which is declared by the Garante to be manifestly disproportionate as compared with the right which is to be protected, or if it proves impossible in the opinion of the Garante or the data are processed in compliance with an obligation imposed by a law, regulations or Community legislation. Further, paragraph 3 shall not apply where the data are processed for carrying out the investigations by defence counsel as per Act no. 397 of 07.12.2000 (*), or else for the exercise or defence of a legal claim, provided that the data are processed exclusively for said purposes and for no longer than is necessary therefor.

PART II

DATA SUBJECT'S RIGHTS IN RESPECT OF THE PROCESSING

Article 11
(Data subject's consent)

1. Processing of personal data by private entities or profit-seeking public bodies shall be deemed lawful only if the data subject gives his express consent.

2. The data subject's consent may relate to the overall processing or to one or more of the operations thereof.

3. The data subject's consent shall be deemed to be effective only if it has been given freely, in a specific form and in writing and if the data subject was provided with the information as per article 10.

Article 12
(Cases in which the data subject's consent is not required)

1. The data subject's consent shall not be required:

a) if the processing concerns data collected and kept in compliance with an obligation imposed by a law, regulations or Community legislation;

b) if the processing is necessary for the performance of obligations resulting from a contract to which the data subject is a party, or in order to take steps at the data subject's request prior to entering into a contract (*), or for the performance of a lawful obligation;

c) if the processing concerns data extracted from public registers, lists, documents or records which are publicly available;

d) if the processing is carried out exclusively for scientific research or statistics purposes and complies with the codes of conduct and professional ethics undersigned in pursuance of Article 31;

e) if the processing is carried out within the scope of the journalistic profession and for the sole purposes related thereto. In the latter case, the code of conduct referred to in article 25 shall apply;

f) if the processing concerns data relating to economic activities which have been collected, inter alia, for the purposes mentioned in para. 1, subheading e), of article 13 without prejudice to the laws in force regarding business and industrial secrecy;

g) if the processing is necessary to safeguard life or bodily integrity either of the data subject or of a third party, and the data subject cannot give his consent because of physical or legal incapacity or mental disorder;

h) if the processing is necessary for carrying out the investigations by defence counsel as per Act no. 397 of 07.12.2000 (*), or else for the exercise or defence of a legal claim, provided that the data are processed exclusively for said purposes and for no longer than is necessary therefor.

h-bis) if the processing is necessary to pursue a legitimate interest of either the data controller or a third party recipient in the cases specified by the Garante on the basis of the principles set out in the Act, unless said interest is overridden by the data subject's rights and fundamental freedoms, dignity or legitimate interests. (***)

Article 13
(Data subject's rights)

1. In respect of the processing of personal data, any data subject shall have the right to:

a) be informed, by having access, free of charge, to the register mentioned under paragraph 1, subheading a), of article 31, of the existence of the processing of data that may concern him;

The provisions referred to in the following subheading b) shall be repealed as of the date of entry into force of the amendments to be made to the regulations referred to in article 33(3), in pursuance of paragraph 1, of article 7.

b) be informed of what is mentioned under paragraph 4, subheadings a), b) and h), of article 7;

c) obtain, without delay, either from the controller or from the processor:

1) confirmation as to whether or not personal data relating to him exist, regardless of their being already recorded, and the intelligible communication of such data and their source, as well as of the logic and the purposes underlying the processing; such request is renewable at intervals of not less than ninety days, unless there are well-grounded reasons therefor;

2) the erasure, blocking or transformation into an anonymous form of data which have been processed unlawfully, including those the keeping of which is not necessary for the purposes for which they were collected or subsequently processed;

3) the updating, rectification or, where interested therein, completion of the data;

4) the statement that the operations as per 2) and 3) above have been notified, as also related to their contents, to the subjects to whom the data were communicated or disseminated, except when the provision of such information proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected;

d) object, in whole or in part, on legitimate grounds, to the processing of personal data relating to him, even though relevant to the purpose of the collection;

e) object, in whole or in part, to the processing of personal data relating to him which is carried out for purposes of commercial information or advertising or direct marketing, or else for the performance of market or interactive commercial communication surveys, and be informed by the controller, no later than at the time when the data are communicated or disseminated, of the possibility to exercise such right free of charge.

2. Where it is not confirmed that personal data relating to the data subject exist, the latter may be charged a sum which shall not be greater than the expenses actually incurred, for each request as per para. 1, subheading c), number 1), in accordance with the modalities and within the limits set out by the regulations as per article 33(3).

3. The rights as per paragraph 1, where relating to the personal data of a deceased, may be exercised by anyone who is interested in them.

4. The data subject may grant, in writing, power of attorney or representation to natural persons or associations in the exercise of the rights as per paragraph 1.

5. The provisions concerning professional secrecy of the journalistic profession shall further apply as related to the source of the information.

Article 14
(Limitations on the exercise of rights)

1. The rights as per paragraph 1, letters c) and d), of article 13 may not be exercised with regard to the processing of personal data which have been collected:

a) pursuant to the provisions of decree-law no. 143 of 3 May 1991, as converted, with amendments, into Act no. 197 of 5 July 1991 and subsequently amended;

b) pursuant to the provisions of decree-law no. 419 of 31 December 1991, as converted, with amendments, into Act no. 172 of 18 February 1992 and subsequently amended;

c) by parliamentary Commissions of Inquiry set up as per article 82 of the Constitution;

d) by a public body other than a profit-seeking public authority, where this is expressly required by a law, for purposes solely relating to currency and financial policy, the system of payments, the control of brokers and credit and financial markets and the protection of their stability;

e) in pursuance of para. 1, subheading h), of article 12, as regards the period during which the performance of the investigations or the exercise of the rights as per the aforesaid subheading h) might be adversely affected.

e-bis) by providers of publicly available telecommunications services in respect of the personal data allowing calling line identification, unless this may be prejudicial to performance of the investigations by defence counsel as per Act no. 397 of 07.12.2000. (*)

2. In the cases as per paragraph 1 of this article, the Garante, also following a report submitted by the data subject as per paragraph 1, letter d), of article 31, shall carry out all the necessary controls in pursuance of paragraphs 6 and 7 of article 32, determine the changes and additions required and verify that the latter have been implemented.

PART III

SECURITY IN DATA PROCESSING,
LIMITATIONS ON THE UTILIZATION OF DATA
AND PAYMENT OF DAMAGES

Article 15
(Data security)

1. Personal data undergoing processing shall be kept and controlled, also in consideration of technological innovations, of their nature and the specific characteristics of the processing, in such a way as to limit to the very minimum, by means of suitable security measures, the risk of their destruction or loss, even if accidental, of unauthorized access to the data or of their being processed unlawfully or in a way that is not consistent with the purposes for which they have been collected.

2. The minimum security standards to be adopted as a preventative measure shall be laid down within one hundred and eighty days of the date of entry into force of this Act by means of regulations issued through a presidential decree, as per paragraph 1, subheading a), of article 17 in Act no. 400 of 23 August 1988, upon proposal by the Minister of Justice and after consulting the Authority for Information Technology in the Public Administration and the Garante.

3. The standards as per paragraph 2 above shall be updated in connection with the technical innovations and experience in the field, within two years of the date of entry into force of this Act and thereafter at intervals of not more than two years, by means of subsequent regulations to be issued in pursuance of said paragraph 2.

4. The security measures relating to the data processed by the agencies as per para. 1, subheading b), of article 4 shall be laid down in a decree of the Chairman of the Council of Ministers in compliance with the provisions applying to this subject-matter.

Article 16
(Discontinuation of data processing)

1. Should data processing be discontinued, for whatever reason, the controller shall be bound to preliminarily notify the destination of such data to the Garante.

2. Data may be:

a) destroyed;

b) transferred to another controller, provided they are intended for a processing which is carried out for purposes similar to those for which they have been collected;

c) kept for exclusively personal purposes, without being intended for systematic communication or dissemination;

c-bis) kept or transferred to another controller, for historical, scientific research or statistics purposes, in compliance with laws, regulations, community legislation and the codes of conduct and professional ethics undersigned in pursuance of Article 31.

3. Transfer of data in breach of the provisions as per subheading b) of paragraph 2 or of other provisions applying to the processing of personal data shall be void and punishable in pursuance of para. 1 of article 39.

Article 17
(Limitations on the utilization of personal data)

1. No judicial or administrative action or measure involving the assessment of a person's conduct may be based solely on the automated processing of personal data aimed at defining the data subject's profile or personality.

2. The data subject may challenge any other decision which is based on the processing referred to in paragraph 1 above, pursuant to paragraph 1, subheading d), of article 13, unless such decision was taken for the conclusion or the performance of a contract, in compliance with a proposal made by the data subject or on the basis of adequate safeguards provided for by law.

Article 18
(Damage resulting from the processing of personal data)

1. Whoever causes damage to another as a consequence of the processing of personal data shall be liable to pay damages as per article 2050 of the Civil Code.

 

PART IV

COMMUNICATION AND DISSEMINATION OF DATA

Article 19
(Persons in charge of the processing)

1. Communication shall not be deemed to include the knowledge of the personal data by the persons who have been entrusted by the controller or processor, in writing, with the task of carrying out the processing and who operate under their direct supervision.

Article 20
(Requirements for communication and dissemination of personal data)

1. Communication and dissemination of personal data by private individuals and profit-seeking public bodies shall be allowed:

a) with the data subject's express consent;

a-bis) if they are necessary for the performance of obligations resulting from a contract to which the data subject is a party, or in order to take steps at the data subject's request prior to entering into a contract; (*)

b) if the data are extracted from public registers, lists, documents or records which are publicly available, without prejudice to the limitations and modalities laid down by laws and regulations with regard to their disclosure and publicity;

c) in the performance of an obligation imposed by a law, regulations or Community legislation;

d) within the scope of the journalistic profession and for the sole purposes related thereto. This shall be without prejudice to the restrictions imposed on freedom of the press to safeguard privacy and particularly to the material character of the information as related to facts of public interest. The code of conduct referred to in article 25 shall further apply;

e) if the data refer to the performance of economic activities, pursuant to the laws in force concerning business and industrial secrecy;

f) when necessary to safeguard life or bodily integrity either of the data subject or of a third party, where the data subject cannot give his consent because of physical or legal incapacity or mental disorder;

g) as regards communication, if the latter is necessary for carrying out the investigations by defence counsel as per Act no. 397 of 07.12.2000 (*), or else for the exercise or defence of a legal claim, in compliance with subheading e) of this paragraph, provided that the data are processed exclusively for said purposes and for no longer than is necessary therefor;

h) as regards communication, if the latter takes place for the same purposes for which the data have been collected either within the banking groups referred to in article 60 of the consolidated statute on banking and financial matters, approved by legislative decree no. 385 of 1 September 1993 and subsequently amended, or between subsidiary and related companies as per article 2359 of the Civil Code, provided that these processing operations for related purposes have been notified in pursuance of article 7(2).

h-bis) as regards communication, if the latter is necessary to pursue a legitimate interest of either the data controller or a third party recipient in the cases specified by the Garante on the basis of the principles set out in the Act, unless said interest is overridden by the data subject's rights and fundamental freedoms, dignity or legitimate interests. (*)

2. Article 27 shall apply to the communication and dissemination of personal data by public entities other than profit-seeking public bodies.

Article 21
(Ban on communication and dissemination)

1. It shall be prohibited to communicate and disseminate personal data for purposes other than those specified in the notification as per article 7.

2. Further, it shall be prohibited to communicate and disseminate personal data of which the erasure has been ordered, as well as after the expiry of the term mentioned in paragraph 1, subheading e), of article 9.

3. The Garante may prohibit the dissemination of some of the data relating to individual subjects, or categories of subjects, where this dissemination is contrary to especially important public interests. The latter provision may be challenged pursuant to paragraphs 6 and 7 of article 29.

4. Communication and dissemination of data shall be always permitted:

a) where they are necessary for scientific research or statistics purposes and are carried out in compliance with the codes of conduct and professional ethics undersigned in pursuance of Article 31;

b) where they are requested by the subjects as per para. 1, subheadings b), d) and e), of article 4, for purposes of defence or relating to State security, or for the prevention, detection or control of crimes, in compliance with the laws governing such matters.

 

CHAPTER IV

PROCESSING OF SPECIAL CATEGORIES OF DATA

Article 22
(Sensitive data)

1. Personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade-unions, associations or organizations of a religious, philosophical, political or trade-unionistic character, as well as of health conditions and sex life may be processed only if the data subject gives his consent in writing, subject to authorization by the Garante.

1-bis. Paragraph 1 shall not apply to data concerning members of religious establishments where the relationships of the latter with the State are governed by agreements or conventions in pursuance of Articles 7 and 8 of the Constitution; further, it shall not apply to data concerning entities having regular contact with said establishments for exclusively religious purposes - on condition that such data are processed by the relevant organs or bodies recognised under civil law and are not communicated or disseminated outside said establishments.

The latter shall lay down suitable safeguards with regard to the processing operations performed.

1-ter. Paragraph 1 shall not be applicable, in addition, to the data concerning trade-union and/or trade associations or organisations joining other trade-union and/or trade associations, organisations or confederations. (*)

2. The Garante shall communicate its decision concerning the request for authorization within thirty days; in default of such communication at the expiry of said term, the request shall be regarded as dismissed. Along with the authorization or thereafter, based also on appropriate checks, the Garante may provide for measures and precautions in order to safeguard the data subject, which the controller shall be bound to apply.

3. Processing of the data as per paragraph 1 by public bodies, apart from profit-seeking public entities, shall be allowed only where expressly authorised by a law specifying the data that may be processed, the operations that may be performed and the particularly important instance of public interest served by the processing. Failing an express authorization provided for by law, and apart from the cases referred to in the legislative decrees amending and supplementing this Act in pursuance of Act no. 676 of 31.12.96, public entities may request the Garante to determine, until this is specified by law, the activities that serve particularly important instances of public interest among those they are required to carry out under the law. Processing of the data referred to in paragraph 1 shall be authorized with regard to said activities in pursuance of paragraph 2 above.

3-bis. Whenever the particularly important instance of public interest is specified in pursuance of paragraph 3 and no reference is made to the data categories and the operations that may be carried out, public entities shall, pursuant to this Act and the legislative decrees implementing Act no. 676 of 31.12.96 with regard to sensitive data, specify and disclose, in accordance with the respective regulations, the data categories and operations that are closely relevant and necessary in respect of the purposes sought in the individual cases, and update such information at regular intervals.

4. The personal data referred to in paragraph 1 may be processed subject to the Garante's authorisation: (*)

a) if the processing is carried out for lawful purposes by not-for-profit associations, bodies or organisations, whether recognised or not, of political, philosophical, religious or trade-unionist nature, including political parties and groups, religious denominations and communities, with regard to personal data concerning members and/or entities having regular contacts with said associations, bodies or organisations in connection with the abovementioned purposes, provided that the data are not communicated or disclosed outside the relevant scope and the bodies, associations or organisations lay down suitable safeguards in respect of the processing operations performed; (****)

b) if the processing is necessary to protect the data subject's or a third party's life or bodily integrity and the data subject is unable to give his/her consent because (s)he is physically unable to do so, legally incapable or unable to distinguish right and wrong; (*)

c) if the processing is necessary for the performance of the investigations by defence counsel referred to in Act no. 397 of 07.12.2000 or otherwise to establish or defend a legal claim, which must not be overridden by the data subject's claim where the data can disclose health and sex life, provided that the data are processed exclusively for the above purposes and for no longer than is necessary to achieve those purposes. The Garante shall lay down the measures and precautions referred to in paragraph 2 and stimulate adoption of a specific code of conduct and professional practice in accordance with the arrangements referred to in Article 31(1), subheading h). The provisions included in Article 43(2) are hereby left unprejudiced. (*)

Article 23
(Medical data)

1. Health professionals and public health institutions may, even without being authorised by the Garante, process personal data disclosing health exclusively with regard to the data and operations required in order to safeguard the data subject's bodily integrity and health. Where the selfsame purposes concern a third party or the public as a whole and the data subject fails to give his consent, the data may be processed upon authorization by the Garante.

1-bis. Simplified arrangements for providing the information referred to in Article 10 and obtaining data subjects' consent, as well as for processing the relevant data, shall be laid down with regard to public health care bodies, health care bodies and professionals who have entered an agreement with the National Health Service or are anyhow recognized as such by the latter, based on a decree of the Minister for Health which shall be adopted in pursuance of Article 17(3) of Act no. 400 of 23.08.88, having heard both the Permanent Conference for the Relationships between State, Regions and Trento and Bolzano Autonomous Provinces and the Garante. The following criteria shall apply:

a) the relevant information may be provided by a single entity, in particular by the general practitioner chosen by the data subject, on behalf of a plurality of data controllers;

b) the consent given in pursuance of Article 11(3) on behalf of a plurality of data controllers shall be valid with regard to a plurality of data controllers, as also related to requests for specialist care, drug prescriptions, collection by the general practitioner of data that are kept by other data controllers, and to the different medical care activities carried out by a single data controller;

c) those cases shall be identified in which, on account of urgency of the matter as well as because of the circumstances referred to in paragraph 1-ter, information and consent may be provided after the request for the relevant item of medical care has been made;

d) arrangements shall be made for applying paragraph 2 of this Article to health care professionals other than physicians who have direct relationships with patients;

e) measures shall have to be taken in order to ensure respect for the rights laid down in Article 1 as regards organization of services and health care.

1-ter. The decree referred to in paragraph 1 shall also include provisions concerning the matters which are mentioned in Article 22(3-bis) of the Act.

1-quater. In case of legal incapacity of a person, or else if a person is bodily or mentally incapacitated, consent to the processing of data disclosing health shall be given, as regards health care professionals and bodies, by the entity who/which is legally authorized to act on behalf of said person or by a relative, a next of kin, a cohabiter or, failing these, the person or entity who/which is legally in charge of the premises where the person is hosted, respectively.

2. Personal data disclosing health may be communicated to the data subject or else to the entities referred to in paragraph 1-ter only by a physician who must have been designated either by the data subject or by the controller.

3. The authorization as per paragraph 1 shall be granted, except in cases of special urgency, after consulting the Higher Council for Health Care [Consiglio Superiore di Sanità]. It shall be prohibited to communicate data obtained in breach of the limitations laid down in said authorization.

4. Dissemination of data disclosing health shall be prohibited, except where it is necessary for the prevention, detection or control of offences, subject to compliance with the provisions applying to this sector.

Article 24
(Data concerning the measures as per article 686 of the Criminal Procedure Code)

1. Processing of personal data allowing the disclosure of measures as per para. 1, subheadings a) and d), 2 and 3 of article 686 of the Criminal Procedure Code shall be permitted only where expressly authorized by a law or an order of the Garante specifying the reasons of substantial public interest underlying such processing, the data to be processed and the operations that may be performed.

Article 24-bis. (***)
(Other Special Categories of Data)

1. Processing of data other than those referred to in Articles 22 and 24 shall be allowed in accordance with such measures and precautions as are laid down to safeguard data subjects, if the processing is likely to present specific risks to data subjects' fundamental rights and freedoms and dignity on account of the nature of the data, the arrangements applying to the processing or the effects the latter may produce.

2. The measures and precautions referred to in paragraph 1 shall be laid down by the Garante on the basis of the principles set out in the Act within the framework of a check to be performed prior to the start of the processing as also related to specific categories of controller or processing, following the request, if any, submitted by the data controller.

Article 25
(Processing of specific data within the scope of the journalistic profession)

1. The provisions concerning data subject's consent and authorization by the Garante as well as the limitations laid down in article 24 shall not apply if the processing of the data as per articles 22 and 24 is carried out within the scope of the journalistic profession and for the sole purposes related thereto. Journalists shall comply with the limitations imposed on freedom of the press, particularly as regards the material character of the information as related to facts of public interest, without prejudice to the possibility of processing the data concerning circumstances or events that have been made known either directly by the data subject or on account of the latter's public conduct.

2. The Garante shall encourage, in accordance with the arrangements laid down in para. 1, subheading h), of article 31, the adoption of a specific code of conduct by the National Council of the Press Association as regards processing of the data as per paragraph 1 of this article within the scope of the journalistic profession; such code shall include measures and provisions to safeguard data subjects as appropriate in respect of the nature of the data, particularly as regards those disclosing health and sex life. In the course of drawing up said code, or thereafter, the Garante in cooperation with the Council shall lay down measures and provisions to safeguard the data subjects, which the Council shall have to adopt. The Garante shall be responsible for having the code published in the Official Journal; the code shall enter into force fifteen days after its publication.

3. Where the code of conduct as per paragraph 2 is not adopted by the National Council of the Press Association within six months of the proposal submitted by the Garante, it shall be adopted in its stead by the Garante and be effective until a different code is adopted as required by paragraph 2. Upon infringement of the provisions laid down in the code of conduct, the Garante may prohibit the processing under para. 1, subheading l), of article 31.

4. The code referred to in para. 2 and 3 shall also include provisions relating to personal data other than those mentioned in articles 22 and 24. The code may lay down simplified arrangements for providing the information pursuant to article 10.

4-bis. The provisions of this Act concerning the exercise of the journalistic profession shall also apply to the processing carried out by persons included in the list of free-lance journalists or in the roll of trainee journalists as per articles 26 and 33 of Act no. 69 of 03.02.63, and to any temporary processing carried out exclusively for the purposes of publication or occasional circulation of articles, essays and other intellectual works.

Article 26
(Data relating to legal persons)

1. Processing and discontinuation of the processing of data relating to legal persons, bodies or associations shall not be subject to notification.

2. Article 28 shall not apply to data relating to legal persons, bodies or associations.

CHAPTER V

PROCESSING SUBJECT TO SPECIFIC PROVISIONS

Article 27
(Processing by public bodies)

1. Except as provided for in paragraph 2, processing of personal data by public entities other than profit-seeking public bodies shall be permitted exclusively for carrying out the functions conferred by law on such bodies, in compliance with the limitations set forth by laws and regulations.

2. Communication and dissemination of processed data to public entities other than profit-seeking public bodies shall be permitted if this is envisaged by laws or regulations or is anyhow necessary for carrying out the functions conferred by law on such bodies. In the latter case, the Garante must be preliminarily informed as required by para. 2 and 3 of article 7 and may prohibit, by means of a grounded provision, communication or dissemination in breach of this Act.

3. Communication and dissemination of personal data by public entities to private individuals or profit-seeking public bodies shall be only permitted in compliance with laws or regulations.

4. The organizational criteria applying to public administration as per article 5 of legislative decree no. 29 of 3 February 1993 shall be implemented in compliance with the provisions of this Act.

Article 28
(Transfer of personal data across national borders)

1. Cross-border transfer of personal data undergoing processing, temporarily or not, in any form and by any means whatsoever, shall have to be notified in advance to the Garante if the country of destination is not a Member State of the European Union and any of the circumstances specified in pursuance of Article 7(1) obtain. (*)

2. Said transfer may be carried out no earlier than fifteen days after the date of notification; the term shall be of twenty days where the transfer concerns any of the data as per articles 22 and 24.

3. The transfer shall be prohibited where the laws of the country of destination or transit do not ensure an adequate level of protection of individuals. Account shall also be taken of the methods used for the data transfer and the proposed processing, of the purposes thereof, the nature of the data and the relevant security measures.

4. Transfer shall be anyhow permitted:

a) if the data subject has given his consent either expressly or, where the transfer concerns the data as per articles 22 and 24, in writing;

b) if it is necessary for the performance of obligations resulting from a contract to which the data subject is a party, or to take steps at the data subject's request prior to entering into a contract, (*) or for the conclusion or performance of a contract made in the interest of the data subject;

c) if it is necessary for safeguarding a specially important public interest as defined by laws or regulations or else specified in pursuance of articles 22(3) and 24, where the transfer concerns any of the data mentioned therein;

d) if it is necessary for carrying out the investigations by defence counsel as per Act no. 397 of 07.12.2000 (*), or else for the exercise or defence of a legal claim, provided that the data are transferred exclusively for said purposes and for no longer than is necessary therefor;

e) if it is necessary to safeguard life or bodily integrity either of the data subject or of a third party, and the data subject cannot give his consent because of physical or legal incapacity or mental disorder;

f) if it is carried out in response to a request for access to administrative documents or for information included in a public register, list, act or document which are publicly available, in compliance with the provisions applying to this subject-matter;

g) if it is authorized by the Garante on the basis of adequate guarantees for the data subject's rights, as also resulting from contractual clauses, or else specified by the European Commission by way of the decisions mentioned in Article 25(6) and in Article 26(4) of Directive 95/46/EC of the European Parliament and the Council of 24 October 1995; (*)

g-bis) if the processing is carried out exclusively for scientific research or statistics purposes and complies with the codes of conduct and professional ethics undersigned in pursuance of Article 31.

5. The prohibition as per paragraph 3 above may be challenged pursuant to paragraphs 6 and 7 of article 29.

6. This article shall not apply to the transfer of personal data carried out within the scope of the journalistic profession and for the sole purposes related thereto.

The provisions referred to in the following paragraph 7 shall be repealed as of the date of entry into force of the amendments to be made to the regulations referred to in Article 33(3), in pursuance of paragraph 1 of Article 7.

7. The notification as per paragraph 1 of this article shall be given pursuant to article 7 and entered in the relevant section of the register as per paragraph 1, subheading a), of article 31. This notification may be given together with the one referred to in article 7.



CHAPTER VI

ADMINISTRATIVE AND JUDICIAL REMEDIES

Article 29
(Remedies)

1. The rights as per paragraph 1 of article 13 may be enforced by referring the case either to a judicial authority or to the Garante. Referral of the case to the Garante shall not be permitted if an action regarding the same matter and between the same parties has already been brought before a judicial authority.

2. Except where the running of time would cause imminent and irreparable harm to a person, referral to the Garante shall be permitted only after five days from the date on which an application was filed with the processor regarding the same matter. Referral to the Garante shall prevent an action from being brought by the same parties and for the same matter before a judicial authority.

3. If the case is referred to the Garante, data controller, processor and data subject shall have the right of being heard, personally or through a special agent, and of submitting pleadings or documents. The Garante may order, even ex officio, that a technical assessment be carried out.

4. Having gathered the necessary information, the Garante shall order by a decision with a statement of reasons, if the complaint is found to be grounded, that the controller and the processor abstain from the unlawful behaviour, also designating the remedies to enforce the data subject's rights and fixing a term for their implementation. The order shall be communicated without delay to the parties concerned by the authority's Office. If no decision is rendered within thirty days of the date of referral, the complaint shall have to be regarded as dismissed.

5. If so required by the specific case, the Garante may provisionally order the partial or total blocking of some of the data, or the immediate interruption of one or more processing operations. Such order shall cease to be effective if the decision mentioned under paragraph 4 is not rendered within the ensuing twenty days and may be challenged together with said decision.

6. The controller or data subject may challenge the order or the dismissal referred to in paragraph 4 before the Court of the controller's place of residence, within thirty days of the date of communication of the order or dismissal. Challenging shall not suspend enforcement.

6-bis. Running of time as per paragraphs 4, 5 and 6 shall be stopped by operation of law from the 1st up to the 30th day of August of each year and will start again as from the end of the latter period. Should time start running during said period, the start shall be postponed to the end of the selfsame period. Running of time shall not be stopped whenever it may lead to the harm referred to in paragraph 2, nor shall the fact of its being stopped prevent adopting the measures referred to in paragraph 5.

7. The Court shall deal with the case as provided for by articles 737 and subsequent ones of the Civil Procedure Code, even by derogating from the prohibition as per article 4 of Act no. 2248 of 20 March 1865, annex E), and may suspend, on application, enforcement of the measures. The order issued by the Court may be challenged solely before the Court of Cassation.

8. Ordinary judicial authorities shall be competent to decide on all disputes, including those which concern granting of the authorization as per paragraph 1 of article 22 or the enforcement of this Act.

9. Non-pecuniary damage shall entitle to compensation even upon infringement of article 9.

CHAPTER VII

GARANTE FOR THE PROTECTION OF PERSONAL DATA

Article 30
(Garante)

1. The Garante for the protection of personal data is hereby set up.

2. The Garante shall be empowered to act autonomously and independently in its decisions and assessments.

3. The Garante shall be a body composed of four members, of whom two shall be elected by the Chamber of Deputies and two by the Senate through a specific voting procedure. The members thus elected shall appoint their chairman, who shall have the casting vote in the case where votes are equal. The members shall be persons ensuring independence and with proven experience in the field of law or computer science; experts from both sectors shall have to be included.

4. Chairman and members shall hold office for four years; their appointment shall not be renewable more than once. For the entire term of their office, chairman and members shall not be allowed - under penalty of losing office - to carry out professional or advisory activities, or to act as managers or be employees of public or private bodies or hold elective offices.

5. Once chairman and members have accepted their appointment, if they are employees in the public administration or judges/prosecutors not yet retired, they shall be assigned to the temporary staff; if they are professors at a University, they shall be put on leave of absence with no allowances as per article 13 of Presidential decree no. 382 of 11 July 1980 as subsequently amended. Staff members who have been assigned to the temporary staff or put on leave of absence may not be replaced.

6. The chairman shall be entitled to an allowance not exceeding the one paid to the judge presiding over the Court of Cassation (Corte di Cassazione). The members shall be entitled to an allowance not exceeding two-thirds of that to which the chairman is entitled. The aforementioned allowances shall be determined pursuant to the regulations as per article 33(3) in such a way as to be included in the ordinary budget.

Article 31
(Duties of the Garante)

1. The duties of the Garante shall be:

a) setting up and keeping a general register of processing operations based on the notifications received;

b) verifying whether data processing is carried out in compliance with laws and regulations in force as well as with said notification;

c) informing controllers or processors as to the changes which are necessary or appropriate (*) for the processing to comply with the provisions in force;

d) receiving reports and complaints lodged either by data subjects or by associations representing the latter, in respect of the infringement of laws or regulations, and taking steps as appropriate with regard to the complaints lodged pursuant to article 29;

e) taking the measures provided for by laws or regulations;

f) checking on all cases of termination of a processing, regardless of the cause;

g) reporting any acts, amounting to offences to be prosecuted ex officio, with which it has become acquainted in the performance of its duties or by reason thereof;

h) encouraging, within the categories concerned and in conformity with the principle of representation, the drawing up of codes of ethics and conduct for specific sectors, checking on their compliance with laws and regulations by also taking account of the considerations made by the subjects concerned, and contributing to the adoption of and compliance with such codes;

i) disseminating information among the public as to the laws governing this subject-matter and the purposes thereof as well as regarding the data security measures referred to in article 15;

l) prohibiting the processing of data, in whole or in part, or blocking such processing if the latter is found to be unlawful or incorrect partly because of the failure to take the necessary measures as per subheading c), or else (*) if there is an actual risk that it may adversely affect one or more of the data subjects, having regard to the nature of the data or the arrangements applying to the processing or the effects thereof;

m) informing the Government of the need for introducing legislative measures as required by the developments in this sector;

n) drawing up a yearly report on the activity performed and the implementation of this Act, which shall be submitted to Parliament and the Government by the 30th of April of the year following that to which the report refers;

o) as designated authority for the purposes of international cooperation, pursuant to article 13 of Convention no. 108 on the protection of individuals with regard to the automated processing of personal data, adopted in Strasbourg on 28 January 1981 and enforced in Italy by Act no. 98 of 21 February 1989, carrying out the assistance activity mentioned under Chapter IV of aforesaid Convention;

p) supervising the processing as per Article 4 and checking, also in response to the data subject's request, on its compliance with the laws or regulations in force.

2. The Chairman of the Council of Ministers and each Minister shall consult the Garante when drawing up regulations and administrative measures which may concern the sectors to which this Act applies.

3. The register referred to in paragraph 1, subheading a), of this article shall be kept as provided for in paragraph 5 of article 33. Within one year of its setting up, the Garante shall make suitable agreements with provinces and, possibly, other public bodies in order to allow searching the data contained in the aforesaid register by means of at least a computer terminal to be located in each province - preferably within the premises of the public relations department referred to in Article 12 of legislative decree no. 29 of 3 February 1993, as subsequently amended.

4. The prohibition as per subheading l) of paragraph 1 may be challenged pursuant to paragraphs 6 and 7 of article 29.

5. The Garante and the Authority for information technology in public administration shall cooperate in the performance of the relevant duties; to that end, each shall invite the chairman of the other one, or a member delegated by the latter, to take part in its meetings and contribute to the analysis of issues of common interest included in the agenda. Each may further request the cooperation of specialized staff working with the other authority.

6. Paragraph 5 shall also apply to the relationships between the Garante and the authorities competent to supervise crediting, insurance, broadcasting and publishing activities.

Article 32
(Checking and investigation)

1. In the performance of its duties, the Garante may request the processor, the controller, the data subject or a third party to provide such information and documents as may be necessary.

2. The Garante may order - availing itself, if necessary, of the cooperation of other public authorities - accesses to the data banks or other investigations and controls in the places where the processing is carried out or where information is to be gathered for supervisory purposes, whenever this is necessary to check on compliance with the provisions relating to the processing of personal data.

3. The investigations as per paragraph 2 shall be ordered upon authorization by the presiding judge of the Court having territorial competence on the place of investigation; said judge shall promptly take steps as regards the request of the Garante by issuing an order with a statement of reasons. The relevant performance modalities shall be set forth in the regulations referred to in article 33(3).

4. Those who are involved in the said investigations shall have to allow their being carried out.

5. This article shall be without prejudice to article 220 of the implementing, coordination and transitional provisions of the Criminal Procedure Code, as approved by legislative decree no. 271 of 28 July 1989.

6. With regard to the processing as per Article 4 and Article 14(1), the investigations shall be carried out by the agency of a member designated by the Garante. Should the processing fail to comply with the laws or regulations in force, the Garante shall point out the appropriate changes and additions to the processor or controller and verify that they are implemented. Where the request for the investigations was made by the data subject, the latter shall be informed of its outcome unless this is contrary either to the provisions of paragraph 4 of article 10 of Act no. 121 of 1 April 1981, as replaced by para. 1 of article 42 of this Act, or to reasons concerning the State defense or security.

7. The investigations as per paragraph 6 may not be committed to a third person. Where necessary on account of the specific nature of the checking, the member designated as above may be assisted by specialized staff who shall be subject to professional secrecy rules as per Article 33(6). All acts and documents, once acquired, shall be kept in such a way as to ensure their confidentiality and may be disclosed to the chairman and members of the Garante as well as, where necessary for the performance of the duties of such authority, to a limited number of employees in the relevant department, to be designated by the Garante pursuant to criteria laid down in the regulations as per Article 33(3). With regard to investigations into the bodies and data as per Article 4(1), subheading b), the designated member shall inspect the relevant acts and documents and report on them orally during the meetings of the Garante.

Article 33
(Office of the Garante)

1. The Garante shall be the head of an office including, in the initial implementing stage of this Act, State employees and employees of other public administrations; said employees shall be appointed to a temporary position on the conditions of the respective jurisdictions, while their functions at the office of the Garante shall be regarded for all legal purposes as equal to those performed in their respective administrations of origin. The staff shall include no more than forty-five employees, as designated, on proposal of the Garante, by decree of the Chairman of the Council of Ministers in agreement with the Ministers of the Treasury and of the Civil Service within ninety days of the date of election of the Garante. The Secretary General may be a member of the ordinary or administrative judiciary.

1-bis. An establishment table for the staff of the Garante is hereby set up. The Garante shall determine by its own regulations: a) career patterns and recruitment arrangements in pursuance of the procedure laid down in Article 36 of legislative decree no. 29 of 03.02.93, as subsequently amended; b) arrangements for inclusion into said establishment table of the staff already employed on the date of entry into force of above regulations; c) staff regulations and salaries by having regard to the provisions laid down in Act no. 249 of 31.07.97 and, in respect of managerial staff, in Article 19(6) of said legislative decree no. 29 as replaced by Article 13 of legislative decree no. 80 of 31.03.98, also taking account of specific functional and organisational requirements. The regulations shall be published in the Official Journal. Pending the general harmonisation of the salary conditions applying to independent administrative authorities, the staff of the Garante shall be granted eighty per cent of the salary paid to the staff employed by the Authority for safeguards in telecommunications. With regard to the period from the 8th of May 1997 up to the date of entry into force of said regulations, the allowance referred to in Article 41 of Presidential Decree no. 231 of 10.07.91 and granted to the staff already employed shall be left unprejudiced. The difference between the new salary and that already applying to staff, including said functional allowance, shall also be paid with regard to the period from the 1st of January 1998 up to the date of entry into force of said regulations.

1-ter. Staff from the State's civil service, other public administrative bodies or public bodies in general may be employed by the Office for specific reasons. Said staff shall number twenty persons in all and include no more than twenty percent of managerial staff; they shall be either removed from the relevant establishment table pursuant to staff regulations or put on leave of absence pursuant to Article 13 of Presidential Decree no. 382 of 11.07.80 as subsequently amended. The corresponding number of posts shall be left available in the relevant establishment. The staff referred to herein shall be granted an allowance amounting to the difference, if any, between the salary paid by the administrative body or entity of origin and that granted to the corresponding establishment staff; said allowance shall not be anyhow lower than that referred to in Article 41 of Presidential Decree no. 231 of 1991.

1-quater. The Garante shall, by its own regulations, set out the distribution of executing and managerial staff in accordance with the establishment table, for a total amount not in excess of one hundred persons; organization and operation of the Office, levying and utilization of office charges, including those paid as from the 8th of May 1997, and management of expenditures even by departing from general State accounting rules shall be provided for in said regulations. The regulations shall be published in the Official Journal.

1-quinquies. In addition to the staff included in the establishment table, the Office may directly hire employees on a temporary basis pursuant to private law rules; such employees shall number twenty persons in all, including the consultants hired on a temporary basis as per paragraph 4.

1-sexies. In order to ensure accountability and independence pursuant to Act no. 241 of 07.08.90, as subsequently amended, and to legislative decree no. 29 of 03.02.93, as subsequently amended, to the Office of the Garante there shall apply the principles concerning appointment and functions of officers in charge of the individual cases, those relating to the separation between guidance and supervisory powers conferred on top-level executives as well as those concerning management functions of executive staff.

2. The operational expenses for the office of the Garante shall be borne by a fund set up for this purpose in the national budget and included as a specific item in the budget of the Ministry of the Treasury. The statement of expenses shall undergo the control of the State Auditors' Department (Corte dei Conti).

3. In the initial implementing stage of this Act, the rules regarding organization and functioning of the office as well as collection of office charges and management of expenses, even by departing from the provisions applying to national income accounting, shall be adopted by a Presidential decree to be issued within three months of the date of entry into force of this Act, following a resolution of the Council of Ministers, after having heard the Council of State, on proposal of the Chairman of the Council of Ministers in agreement with the Ministers of the Treasury, of Justice and for Home Affairs, and with the consent of the Garante. Said decree shall lay down the allowance referred to in Article 30(6) and also include the provisions governing the proceeding before the Garante as per paragraphs 1 to 5 of article 29, in such a way as to ensure both an expeditious proceeding and full compliance with adversarial rules. The above decree shall further include the provisions governing the exercise of the rights referred to in article 13 and the notification as per article 7 via computerised or magnetic media, or through registered letter with notice of receipt or any other suitable means. The Council of State shall deliver its opinion concerning the draft regulations within thirty days of the receipt of the relevant application, after which date the regulations shall be adopted in any case.

3-bis. As of the date of entry into force of the regulations referred to in paragraph 1-quater, any measures taken pursuant to paragraph 3, first sentence, shall cease to take effect.

4. Where necessary because of the technical or sensitive nature of the subject-matter, the Garante may be assisted by consultants, who shall be paid in accordance with current professional fees or else hired on a temporary basis for a period not in excess of two years, the hiring contract being renewable twice only.

5. In the performance of its duties, the office of the Garante may use computer processing systems and telematic equipment either of its own or, without prejudice to the safeguards provided for in this Act, belonging to the Authority for information technology in the public administration or, where not available otherwise, to public bodies in accordance with specific agreements.

6. Staff and consultants working for the office of the Garante shall be subject to secrecy rules as regards the information to which they have access, in the performance of their duties, regarding data banks and processing operations.

6-bis. The staff from the Office of the Garante in charge of the investigations referred to in Article 32, numbering no more than five persons, shall be regarded as judicial police staff in respect of the tasks committed and in accordance with the respective powers.


CHAPTER VIII

PENALTIES

Article 34 (*)
(Failure to Submit a Notification and Submission of an Incomplete Notification)

1. Whoever fails to promptly submit the notification required under Articles 7, 16(1) and 28 or provides incomplete information in a notification, in breach of his/her duties, shall be the subject of an administrative sanction entailing payment of an amount ranging between Lit 10 million (i.e., euro 5.164,6) and Lit 60 million (i.e., euro 30.987,4), as well as of the additional sanction consisting in publication of the relevant injunction/order.

2. The provisions laid down in Sections 100, 101 and 102 of legislative decree no. 507 of 30.12.99 shall apply, as appropriate, to breaches of paragraph 1 of this article, where they were committed prior to entry into force of legislative decree no. 467 of 28.12.01.

Article 35
(Unlawful processing of personal data)

1. Any person who, with a view to gain for himself or another or with intent to cause loss to another, processes personal data in breach of articles 11, 20 and 27, shall be punished by imprisonment for up to two years or, if the fact consists in the communication or dissemination of data, by imprisonment for between three months and two years, unless the offence is more serious.

2. Any person who, with a view to gain for himself or another or with intent to cause loss to another, processes (*) personal data in breach of articles 21, 22, 23, 24 or 24-bis, or (*) 24, or of the prohibition as per article 28(3), shall be punished by imprisonment for between three months and two years, unless the offence is more serious.

3. Should the facts referred to in paragraphs 1 and 2 cause damage to another, the punishment shall be imprisonment for between one and three years.

Article 36 (*)
(Failure to Take Measures Required for Data Security)

1. Whoever fails to take the measures required in order to ensure security of personal data, in breach of his/her duties and the regulations as per paragraphs 2 and 3 of Article 15, shall be punished either by imprisonment for up to two years or by a fine of between Lit 10 million (i.e., euro 5.164,6) and Lit 80 million (i.e., euro 41.316,6).

2. A time limit shall be fixed either upon detecting the abovementioned offence or, in complex cases, by way of a subsequent provision issued by the Garante, for the offender to comply with the requirements referred to above. Said time limit shall not exceed the time span that is technically required; however, it may be extended in especially complex cases or else because of objective difficulties in complying, but it shall not be longer than six months. Within sixty days of the expiry of the above deadline, the offender shall be permitted by the Garante to pay an amount corresponding to one-fourth of the highest fine that can be imposed in connection with the offence referred to here, on condition that the relevant requirements have been complied with. Compliance and performance of the abovementioned payment shall extinguish the offence. The body in charge of fixing the time limit and the public prosecutor shall abide by the provisions made in Sections 21, 22, 23 and 24 of legislative decree no. 758 of 19.12.1994 as appropriate.

"With regard to criminal proceedings in connection with the offence referred to in article 36, the offender may, within forty days of entry into force of the legislative decree no. 467 of 28.12.01 [i.e., 1st February 2002], apply to the judicial authority for his/her case to be dealt with in accordance with the procedure described in article 36(2). The judicial authority shall stay the proceeding(s) and transfer the case file to the Garante, which shall deal with it pursuant to said article 36(2)."

Article 37
(Failure to comply with measures taken by the Garante)

1. Whoever fails to comply with measures taken by the Garante pursuant to paragraph 2 of article 22, or to paragraphs 4 and 5 of Article 29 or paragraph 1, subheading l) of Article 31, (*) shall be punished by imprisonment for between three months and two years.

Article 37-bis. (*)
(False Representations and False Notifications to the Garante)

1. Whoever declares or attests to false information or circumstances, or else exhibits forged records or documents, in connection either with the notifications mentioned in Articles 7, 16(1) and 28 or with records, documents or statements that are exhibited or made, respectively, in a proceeding before the Garante or in the course of investigations, shall be punished by imprisonment for between six months and three years, unless the offence is more serious.

Article 38
(Collateral punishment)

1. Conviction for any of the offences as per this Act shall entail the collateral punishment of having the relevant judgment published in the press.

Article 39
(Administrative sanctions)

1. Whoever fails to provide the information or to produce the documents requested by the Garante pursuant to article 29(4) and article 32(1) shall be punished by an administrative sanction consisting in the payment of a sum of between Lit five million (i.e., euro 2.582,3) and Lit thirty million (i.e., euro 15.493,7) (*).

2. Breach of the provisions referred to in Article 10 shall entail the administrative sanction of paying an amount ranging between Lit 3 (i.e., euro 1.549,4) and 18 million (i.e., euro 9.296,2); in the cases referred to in Articles 22, 24 and 24-bis or if greater harm is suffered by one or more data subjects, said amount shall range between Lit 5 (i.e., euro 2.582,3) and 30 million (i.e., euro 15.493,7). The amount of the sanction may be increased up to three times as much if it is found to be ineffective on account of the offender's economic status. Breach of the provision referred to in Article 23(2) shall entail the administrative sanction of paying an amount ranging between Lit five hundred thousand (i.e., euro 258,2) and Lit three million (i.e., euro 1.549,4). (*)

3. The Garante shall be competent for receiving the report and imposing the sanctions referred to in this chapter (*). Act no. 689 of 24 November 1981, as subsequently amended, shall apply as appropriate. Fifty percent of the annual proceeds shall be paid into the fund referred to in Article 33(2) and shall only be used for performing the functions referred to in Article 31(1), litt. i), and in Article 32.

CHAPTER IX

TRANSITIONAL AND FINAL PROVISIONS
REPEALED PROVISIONS

Article 40
(Communications to the Garante)

1. A copy of any measure taken by judicial authorities with regard to this Act and Act no. 547 of 23 December 1993 shall be transmitted to the Garante by the court clerk's office.

Article 41
(Transitional provisions)

1. Without prejudice to the exercise of the rights as per articles 13 and 29, the provisions of this Act concerning the data subject's consent shall not apply to personal data either collected before the date of entry into force of this Act or the processing of which began before the aforementioned date. This article shall be without prejudice to the implementation of the provisions concerning communication and dissemination of data as per this Act.

The provisions of this paragraph shall remain in force until the 30th June 2003. (*)

2. In respect of the processing of personal data which began before 1 January 1998, the notification as per articles 7 and 28 shall have to be given from 1 January 1998 up to 31 March 1998, or from 1 April 1998 up to 30 June 1998 as regards both the processing referred to in article 5 in respect of data other than those mentioned in articles 22 and 24 and the processing referred to in Article 4(1), subheadings c), d) and e).

3. The minimum security standards as per article 15(2) shall be adopted within six months of the date of entry into force of the regulations mentioned therein. Before the expiry of such term, all personal data shall have to be kept in such a way as to avoid increasing the risks referred to in article 15(1).

4. The measures as per article 15(3) shall be adopted within six months of the date of entry into force of the regulations mentioned therein.

5. During the twenty-four months following the date of entry into force of this Act, processing by public entities, other than profit-seeking public bodies, of the data referred to in article 22(3) and in article 24 may continue even in the absence of the provisions referred to in said articles, subject to communication to the Garante.

6. The chairman of the Authority for information technology in the public administration shall act as supervisory authority during the initial implementing stage of this Act, until the Garante for data protection is elected pursuant to article 30, except as regards hearing the complaints referred to in article 29.

7. The provisions of this Act concerning the granting of an authorization by the Garante shall apply, as regards said authorization and except for article 28(4), subheading g), as from 30 November 1997. The aforesaid provisions may also be applied by the Garante by granting authorizations relating to specific categories of controllers or processing.

7-bis. As regards the initial implementing stage of this Act, the information and communications referred to in articles 10(3) and 27(2) may be provided within 30 November 1997.

Article 42
(Amendments to laws in force)

1. For article 10 in Act no. 121 of 1 April 1981 there shall be substituted the following:

"Article 10. - (Controls)
1. Controls on the data processing centre shall be carried out by the Garante for the protection of personal data pursuant to laws and regulations in force.

2. The data and information stored in the archives of the aforementioned centre may be used in judicial or administrative proceedings only upon acquisition of the original sources mentioned in article 7(1), without prejudice to the provisions of article 240 of the Criminal Procedure Code. If, during a judicial or administrative proceeding, the aforesaid data or information are found to be incorrect or incomplete or to have been processed unlawfully, the authority in charge of said proceeding shall inform the Garante for the protection of personal data.

3. Any data subject may request the office referred to under subheading a) of article 5(1) to confirm the existence of personal data relating to him, to communicate such data in an intelligible form and, where said data are found to have been processed in breach of laws or regulations in force, to have them erased or made anonymous.

4. Having carried out the necessary investigations, the office shall inform the applicant, no later than twenty days after the date of the application, as to the decision given. The office may omit to respond if this may adversely affect actions or interventions for the protection of public security and order or for preventing and prosecuting criminal offences, and shall inform thereof the Garante for the protection of personal data.

5. Any person who becomes acquainted with the existence of personal data relating to him which have been processed, even without automated means, in breach of laws or provisions in force, may request the court of the controller's place of residence to carry out the necessary investigations and to order correction, completion, erasure or transformation into an anonymous form of the aforementioned data. The court shall comply with the above request as per articles 737 and subsequent ones of the Civil Procedure Code."

2. For paragraph 1 of article 4 of legislative decree no. 39 of 12 February 1993 there shall be substituted the following:

"1. An Authority for information technology in the public administration [Autorità per l'informatica nella pubblica amministrazione], referred to as "Authority" for the purposes of this decree, is hereby set up; the aforesaid Authority shall be fully autonomous in its operation and independent as to its judgments and evaluations."

3. For paragraph 1 of article 5 of legislative decree no. 39 of 12 February 1993 there shall be substituted the following:

"1. Any provisions concerning organization and operation of the Authority, establishment of the staff regulations, legal status and wages, career patterns and management of the expenses as provided for in this decree, even by derogating from the provisions governing the State accounting system, shall be adopted by Presidential decree, subject to a resolution by the Council of Ministers and after consulting the Council of State, upon the Prime Minister's proposal in agreement with the Minister of the Treasury and with the consent of said Authority. The opinion of the Council of State on the draft regulation shall be delivered within thirty days of the receipt of the relevant request, after which date the regulation shall be issued in any case. Salaries shall be determined as provided for regarding the staff of the supervisory authority for publishing and radiobroadcasting activities, or the staff of the body committed with the relevant functions, if any, without prejudice to the maximum total amount being put at one-hundred and fifty units. This article shall also be without prejudice to the appropriations referred to in paragraph 2 as determined for 1995, taking account of the increase limits laid down for category IV in the 1996 to 1998 period."

4. For the words "Garante for data protection" in article 9(2) and article 10(2) of Act no. 388 of 30 September 1993 there shall be substituted the following: "Garante for the protection of personal data".

Article 43
(Repealed provisions)

1. Laws and regulations which are incompatible with this Act, in particular article 8(4) and article 9(4) of Act no. 121 of 1 April 1981, are hereby repealed. Within six months of the date of issue of the decree as per article 33(1), the Minister for Home Affairs shall transmit to the office of the Garante the information collected up to that date pursuant to said article 8 of Act no. 121 of 1981.

2. This Act shall be without prejudice to Act no. 300 of 20 May 1970, as subsequently amended, Act no. 135 of 5 June 1990, as subsequently amended, legislative decree no. 322 of 6 September 1989 and the regulations in force with respect to access to administrative documents and national archives. The laws providing for further limitations or prohibitions as regards the processing of certain personal data shall further apply.

3. With regard to the processing operations as per paragraph 1, subheading e), of article 4 of this Act, the obligation to provide data and information as per paragraph 1, subheading a), of article 6 of Act no. 121 of 1 April 1981 shall further apply.


CHAPTER X

FUNDING AND ENTRY INTO FORCE

Article 44
(Funding)

1. The costs resulting from the implementation of this Act, put at Lit 8,029 million for 1997 and Lit 12,045 million from 1998, shall be borne by reducing accordingly the appropriation in the 1997-1999 budget under item 6856 of the budget of the Ministry of the Treasury for 1997. To that end, the appropriation pertaining to the Ministry for Foreign Affairs and that pertaining to the Office of the Chairman of the Council of Ministers shall be utilized up to Lit. 4,553 million and Lit. 3,476 million, respectively, for 1997; as to 1998 and 1999, the estimated appropriation for these years concerning the Ministry for Foreign Affairs and the Office of the Chairman of the Council of Ministers shall be utilized up to Lit. 6,830 million and Lit. 5,215 million, respectively.

2. The Ministry of the Treasury shall be authorized to introduce the necessary changes in its budget by decree.

Article 45
(Entry into force)

1. This Act shall enter into force one-hundred and twenty days after its publication in the Official Journal [Gazzetta Ufficiale]. With regard to the processing without electronic or automated means of data other than those referred to in articles 22 and 24, this Act shall apply as of 1 January 1998. Without prejudice to article 9(2) of Act no. 388 of 30 September 1993, this Act shall enter into force on the day following that of its publication in the Official Journal as regards both the processing of data which is carried out pursuant to the agreement as per para. 1, subheading a), of article 4 and the appointment of the Garante.



REFERENCES

(*) this provision will be applicable as of the 1st February 2002
(**) this provision will be applicable as of the 1st March 2002
(***) this provision shall be taken within 120 days of the 1st October 2002
(****) associations or organisations shall lay down suitable safeguards within 30 of June 2002.