Hard the Investigation in Italy: ITALY DATA PROTECTION CODE
Published on 10/11/2006
This is Privacy Law about Data Protection code in Italy:

Italy’s data protection code (Legislative Decree no. 196/2003) came into force on January 1st 2004.

The Code is unique in that it brings together all the various laws, codes and regulations relating to data protection since 1996. There are three key guiding principles behind the code, which are outlined in Section 2:

1. Simplification
2. Harmonisation
3. Effectiveness

The code is divided into three parts. The first part sets out the general data protection principles that apply to all organisations. Part two of the code provides additional measures that will need to be undertaken by organisations in certain areas, for example, healthcare, telecommunications, banking and finance, or human resources. Part three relates to sanctions and remedies. It is expected that the second part of the code will be developed further through the introduction of sectoral codes of practice. Seven codes are planned (including surveillance, with particular regard to video surveillance, human resources, private investigators, and advertising/marketing) which will be developed in consultation with industry groups.

Scope of the Italian data protection code - The code applies to all processing within the State and its territories. It will also affect outside organisations that make use of equipment located within Italy, which could include e.g. PCs and other computer-based systems (see Section 5 of the code). This means that the use of cookies is covered by the Italian code, which will have important ramifications for online businesses.

If an organisation outside the EU is processing data on Italian territory, it must appoint a representative in Italy for the application of Italian rules (this will be necessary for notifying with the Garante, and providing data subjects with information notices) .

Main Features of the New Data Protection Code

Notification - One of the key targets for simplification was the notification process. The new system is in line with the EU Data Protection Directive which allows the notification process to be simplified in cases where data processing does not adversely affect the rights and freedoms of data subjects (see Article 18, paragraph 2 of the directive). Under the Italian code, organisations are only required to notify the Garante when processing higher-risk categories of data. These include genetic and biometric data, data processed for the purpose of analysing or profiling individuals, and credit-related information (see Section 37 of the code for additional details). This approach is also aimed at making the process more transparent and understandable for individuals.

Data minimisation - Section 3 of the code introduces the element of data minimisation into Italian data protection. The code encourages organisations to make use of non-personal data whenever possible.

Data subjects’ rights/Decision taking - The code aims to strengthen individuals’ data protection rights, allowing them to exercise their rights and instigate proceedings more easily. Individuals do not have to demonstrate that damage or distress has been caused as a result of a data protection breach, they merely have to demonstrate that their privacy has been breached. In an effort to simplify the complaints process, the Garante has published a complaints form on its website.

The Garante can also order businesses to abide by compliance requirements set out in its decisions. When responding to investigations, businesses now have 15 days to comply, compared to the previous 5-day timeframe.
The turnaround for dealing with complaints has been raised to 60 days. Previously the Garante had a 30-day deadline, but this deadline was found to be too tight and did not allow the Garante to work effectively, nor were the parties enabled to prepare their pleadings appropriately.

International Data Transfers - The new data protection code has incorporated and, to some extent, updated the previous rules on data transfers (data transfers are addressed in Sections 42-45 of the code). Whereas previously businesses had to notify the Garante of their intention to transfer data outside the EU, under the new system companies will only have to provide notification in cases in which the transfer of data could prejudice data subjects’ rights (see the Notification section).

The rules for legitimising transfers to non-EU countries can be found in Section 43 of the code and include consent, meeting contractual obligations, public interest requirements, safeguarding life/health, investigations by defence counsel, use of publicly available data, processing for statistical/historical purposes.

Additional provisions for legitimising transfers are laid out in Section 44 of the code and include transfers to countries deemed adequate by the European Commission, or the adoption of contractual safeguards.

Main Features in Respect of Specific Processing Operations

Human Resources Data - The new code has fully implemented Article 8 (b) of the EU directive which applies to the processing of sensitive data. Organisations processing sensitive data that wish to find an alternative to the somewhat unreliable issues of employee consent, can look at the exemptions laid out in Section 26 of the code. For example, Section 26 (4d) allows the processing of sensitive data without consent if necessary to meet obligations under employment law.

The code has also incorporated a new legislative provision on recruitment (set out in law 276/2003) which applies to areas such as the processing of curriculum vitae (for example, candidates must be provided with a data protection notice), employment agencies, and job advertisements. When recruiting staff, businesses are prohibited from collecting data relating to religion, trade union membership, political beliefs, marital status, health status, ethnic origin etc. The only exemption to this rule is if the specific job requires that this type of data be collected.

Health data - As in the past, there are two basic requirements for processing data in the healthcare sector: (1) data subjects’ consent, and (2) authorisation from the Garante. The private sector will need to satisfy both requirements (see Sections 75-76 of the code). However, the code simplifies the methods for obtaining consent so that processors do not necessarily have to get consent in writing. Consent can, in some cases, be given verbally. Consent for data to be processed across different healthcare organisations or departments can be given in a single, one-off statement.

Electronic Communications Data - The new code has implemented the provisions contained in the E-Communications Privacy Directive (see Title 10, Part 2 of the code).

One of the main principles is on electronic marketing which requires organisations to obtain prior consent before sending electronic marketing to consumers (see Section 130). This applies to all forms of e-marketing, including e-mail, fax, SMS/MMS etc.
There is also a ban on sending e-marketing from anonymous addresses - this is a breach of the data protection code as the data controller has withheld its identity.

As for data retention, communications service providers (CSPs) are permitted to retain data for only a six-month period in order to deal with disputes over billing and subscriber services. CSPs are also required to retain telephone traffic data for the purpose of detecting and preventing crime, although that period has been reduced from five to four years; moreover, a two-stage system is envisaged whereby for the first twenty-four months access to telephone traffic data is allowed for said purposes further to a request submitted to the competent judicial authority by the public prosecutor and/or any party to a judicial proceeding. Conversely, as regards the following twenty-four months access is only allowed for detecting and/or suppressing serious criminal offences (organised crime and/or computer crime) and only upon a specific reasoned order issued by judicial authorities.

Main Features as to Compliance and Enforcement
Complaints - Data subjects can settle disputes either through the courts or by lodging a complaint with the Garante in case they have been prevented from exercising access/erasure/updating rights (as per Section 7 of the code).
The code has changed the time period for responding to subject access requests. Previously, organisations had 5 days to respond, which was difficult, considering the amount of data that organisations are required to search through. Organisations now have 15 days to respond and can appeal to the Garante for more time. The Garante will then have 60 days to consider the request (see above "Data Subjects’ Rights/Decision Taking").

Inspections - The Garante’s inspection powers are laid out in Section 158 of the code. When investigating organisations, the Garante can request information and documents, although these requests are not legally binding. However, if there is no cooperation, and the organisations refuses access to its systems, the Garante can apply for a judicial order to carry out an investigation.
When carrying out formal inspections, the Garante can demand copies of manual records and databases, which are then passed onto the judicial authorities. A report of the outcome is then published.

Legislative Decree no. 196/2003

On line users: Users today: Total Users: