|
|
 |
|
Studio Legale
NewsLetter |
Authorisation No. 7/2005 Concerning Processing of Judicial Data by Private Entities, Profit-Seeking Public Bodies and Public Entities
The Garante per la protezione dei dati personali
Having convened today, with the participation of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Giovanni Buttarelli, Secretary-General;
Having regard to Legislative Decree no. 196 of 30 June 2003, containing the personal data protection Code;
Having regard to, in particular, Section 4(1), letter d), of the abovementioned Code, in which sensitive data are referred to;
Having regard to, in particular, Sections 21(1) and 27 of the Code, which allow judicial data to be processed by public and/or private bodies or profit-seeking public bodies, respectively, exclusively if this is expressly permitted by laws or a Garante's provision in which the substantial public interest served by the processing, the categories of processed data, and the operations specifically authorised are detailed;
Having regard to Section 20, paragraphs 2 and 4, and to the provisions concerning specific sectors as contained in Part II of the Code, in particular Chapters III and IV of Title IV, where purposes in the substantial public interest are referred to such as to allow for the processing of judicial data by public bodies;
Having regard to Section 22 of the Code, setting out the principles applying to the processing of sensitive and/or judicial data by public bodies;
Whereas the processing of the data in question may be authorised by the Garante also ex officio by way of general provisions applying to specific categories of controller and/or processing (Section 40 of the Code);
Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation decrees;
Whereas it is appropriate to grant new authorisations replacing those due to expire on December 31, 2005 by streamlining their provisions in the light of the experience gathered so far;
Whereas it is appropriate for these new authorisations to be also provisional and time-limited in pursuance of Section 41(5) of the Code and, in particular, to be effective for a eighteen-month term;
Having regard to Sections 51 and 52 of the Code concerning law informatics; having regard to the need for fostering the continuation of documentation, study and research activities in the legal sector with particular regard to dissemination of information on case-law partly because of the similarities existing between said activities and those related to freedom of expression as regulated by Section 137 of the Code;
Whereas it is necessary to ensure compliance with principles aimed at minimising the risk of affecting or endangering, through the processing, fundamental rights and freedoms and human dignity, with particular regard to the right to personal data protection set out in Section 1 of the Code;
Having regard to Section 167 of the Code;
Having regard to Section 11(2) of the Code, whereby any data that is processed in breach of the relevant provisions applying to personal data processing may not be used;
Having regard to Section 31 and following ones in the Code, and to the Technical Specifications contained in Annex B to the Code, setting out rules and specifications in respect of security measures;
Having regard to Section 41 of the Code;
Having regard to official records;
Having regard to the considerations made by the Secretary General on behalf of the Office, in pursuance of Section 15 of the Rules of Procedure of the Garante (no. 1/2000);
Acting on the report submitted by Mr. Giuseppe Chiaravalloti,
Hereby authorises
The processing of judicial data for the purposes in the substantial public interest specified hereinafter in pursuance of Sections 21 and 27 of the Code, in accordance with the requirements set forth below.
Prior to starting and/or continuing the processing, information systems and programmes must be configured by minimising the use of either personal data or identification data so as to rule out their processing if the purposes sought in the individual case can be achieved by using, respectively, either anonymous data or mechanisms that allow identifying the data subject only if this is necessary, in accordance with Section 3 of the Code.
Chapter I - EMPLOYMENT CONTEXT
1) Scope of
Application and Purposes of the Processing
This authorisation shall be granted, without any request being
necessary, to legal and natural persons, bodies, associations and organisations
which:
a) are parties to an employer-employee relationship;
b) avail themselves of workers also according to atypical, part-time or temporary arrangements;
c) commit a professional task to consultants, self-employed professionals, agents, representatives, and mandataries.
The processing must be indispensable in order to comply or ensure compliance with specific obligations or else to fulfil specific tasks laid down in laws, Community legislation, regulations or collective agreements, also if applying to individual businesses, for the sole purpose of managing employer-employee relationships as also related to self-employed workers, unpaid and honorary jobs.
This authorisation shall also be granted to entities carrying out dispute resolution activities pursuant to law insofar as the processing of data is indispensable for said activities.
2) Data Subjects
The processing may concern data relating to entities that act or intend
to act in the capacity as:
a) employees – including those that are parties to contracts for traineeship, apprenticeship, occupational inclusion, job sharing, intermittent and/or on-request jobs –, individuals working within the framework of a staff leasing contract, trainees, (joint) partners, or holders of employment scholarships, or in a similar capacity;
b) directors or members of executive or supervisory bodies;
c) consultants and self-employed professionals, agents, representatives, and mandataries.
Chapter II - ASSOCIATIONS AND FOUNDATIONS
1) Scope of
Application and Purposes of the Processing
This authorisation shall be granted, without any request being
necessary:
a) to associations, recognised or not, including political parties and movements, trade-union associations and organisations, assistance or voluntary organisations, foundations, committees and any other non-profit bodies, consortia or organisations, regardless of their having legal personality, and to the social cooperatives and mutual aid societies referred to in Act no. 381 of 08.11.1991 and Act no. 3818 of 15.04.1886, respectively;
b) to bodies and associations, recognised or not, which are in charge of assistance, rehabilitation, education, vocational training, social and health care assistance, charitable activities and protection of rights with regard either to the data subjects or to their family members and cohabiters.
The processing must be indispensable in order to achieve specific, lawful purposes as set out in articles or memorandums of association, or in a collective agreement.
2) Data Subjects
Processing may concern data relating to:
a) members, partners, and adherents as well as any entity applying for membership/accession if utilisation of the relevant data is provided for by the relevant articles or memorandum of association;
b) any entity benefiting from, assisted by or using the activities and services delivered by the individual association, body or organisation.
Chapter III - SELF-EMPLOYED PROFESSIONALS
1) Scope of
Application and Purposes of the Processing
This authorisation shall be granted, without any request being
necessary, to:
a) self-employed professionals, whether associated or not, who are required to be included in the relevant lists or registers for carrying out professional activities either alone or jointly with others, also in pursuance of legislative decree no. 96 of 02.02.01 or else in compliance with the implementing provisions of Section 24(2) of Act no. 266 of 07.08.97 concerning assistance and advisory activities;
b) any entity that is included in the special registers or lists set up in pursuance of, inter alia, Section 34 of Royal decree-law no. 1578 of 27.11.33 as subsequently amended and supplemented - concerning regulations for the Bar;
c) substitutes, staff and trainees working with a self-employed professional in pursuance of Section 2232 of the Civil Code, whenever they are controllers of a separate processing operation or act as joint controllers of the processing carried out by a self-employed professional.
2) Data Subjects
Processing may concern data relating to clients.
Data concerning third parties may only be processed if this is absolutely indispensable to carry out specific professional activities as requested by clients for specific, lawful purposes.
Chapter IV - BANKING AND INSURANCE COMPANIES AND
OTHER TYPES OF PROCESSING
1) Scope of
Application and Purposes of the Processing
This authorisation shall be granted, without any request being necessary, to:
a) businesses authorised and/or intending to be authorised to carry out banking, crediting, insurance or pension fund-related activities, also in case of their compulsory winding-up, with a view to establishing:
b) controllers of a processing operation that is performed in connection with requesting, acquiring, and delivering instruments and documents from/to the competent public departments, these tasks having been committed by the relevant data subjects;
c) securities brokerage companies, SICAV companies, and asset and pension fund management companies in order to establish moral qualifications pursuant to the provisions applying to financial brokerage, social security and/or private pension schemes as well as further to other laws and regulations, if any.
2) Additional Processing Operations
This authorisation shall also be granted:
a) to any person whomsoever, for the establishment or defence of a legal claim even by third parties, including administrative proceedings and arbitration or settlement proceedings in the cases provided for by laws, Community legislation, regulations or collective agreements, on condition that said claim is not overridden by the data subject's one and the data are processed exclusively for the above purposes and for no longer than is absolutely necessary therefor;
b) to any person whomsoever, with a view to the exercise of the right of access to administrative records in pursuance of the relevant laws and regulations;
c) to natural and legal persons, institutions, bodies, and organisations carrying out private investigation activities as licensed by the prefetto in pursuance of Section 134 of Royal decree no. 773 of 18.06.31, as subsequently amended and supplemented.
The processing must be necessary:
1) to enable the entity committing a specific task to establish or defend a legal claim that is not overridden by the data subject's one, or else a personal right or any other fundamental, inviolable right;
2) to detect and collect information in favour of a client on the defence counsel's instructions in connection with a criminal proceeding, whereby such information will only be used for the exercise of the right to submit evidence (as per Section 190 of the Criminal Procedure Code and Act no. 397 of 07.12.2000);
d) to any person whomsoever, in order to comply with the obligations laid down in laws concerning anti-Mafia communications and certifications or the prevention of Mafia-type crime and other serious, socially dangerous activities, as also contained in Act no. 55 of 19.03.90 as subsequently amended and supplemented, or else in order to produce the documents required by law to participate in calls for tenders;
e) to any person whomsoever in order to allow establishing moral qualifications of any entity intending to participate in calls for tender, in pursuance of the relevant legislation.
Chapter V - LEGAL DOCUMENTATION
1) Scope of Application and Purposes of the Processing
This authorisation shall be granted with a view to the processing of data – including dissemination – for purposes of documentation, study and research in the legal sector, especially as regards collection and dissemination of data concerning case law in compliance with Sections 51 and 52 of the Code.
Chapter VI - PROVISIONS APPLYING TO ALL PROCESSING OPERATIONS
To the extent that they are not regulated in the above chapters,
the processing operations mentioned therein shall also be the subject of the
following provisions.
1) Processed Data
Processing shall only concern such data as are indispensable for the
purposes for which it is authorised, provided that these purposes cannot be
achieved, on a case by case basis, by processing either anonymous data or
personal data of a different kind.
2) Processing Arrangements
Data must be processed exclusively by means of such operations and in
accordance with such logic and organisational arrangements as are closely
indispensable to the obligations, tasks or purposes referred to above. Apart
from the cases referred to in chapters IV, item 2), and V, or where the
information has been derived from a publicly available source, the data must be
provided by data subjects in compliance with the requirements set forth in
Presidential Decree no. 313 of 14 November 2002.
3) Data Retention
In compliance with the obligation referred to in Section 11(1), letter e), of
the Code, the data may be kept for as long as set out by laws and/or
regulations, and anyhow for no longer than is absolutely necessary to achieve
the purposes being sought.
Under Section 11(1), letters c), d), and e) of the Code, the authorised entities shall verify at regular intervals that the data are accurate and updated, relevant, complete, not excessive, and necessary with regard to the purposes that are sought in the individual cases. With a view to ensuring that the data are closely relevant, not excessive, and indispensable in respect of said purposes, the authorised entities shall specifically assess the relationship between the data and the individual obligations, tasks and/or performance. Any data that is found to be either excessive or irrelevant or non indispensable, also based on said verification, may not be used except with a view to keeping – as required by law – the instrument and/or document containing the data in question. Special attention shall be paid to indispensability of the data related to entities other than those that are directly concerned by the aforementioned obligations, tasks and/or performance.
4) Communication and
Dissemination
Data may be communicated and, if required by law, disseminated to
public and private bodies insofar as this is absolutely indispensable for the
purposes sought and on condition that professional secrecy obligations and the
aforementioned requirements are complied with.
5) Authorisation Requests
No request for authorisation shall have to be lodged with the Garante
by a data controller falling within the scope of application of this
authorisation, if the proposed processing is in line with the above provisions.
The authorisation requests received prior to and/or after the date of adoption of this provision shall be regarded as granted insofar as they comply with the requirements laid down herein.
The Garante reserves the right to adopt additional provisions with regard to processing operations that are not referred to in this authorisation.
As for the processing operations considered herein, no authorisation requests concerning processing operations that are not in line with the provisions set out herein shall be taken into consideration by the Garante, unless they are to be granted under Section 41 of the Code on account of special and/or exceptional circumstances that are not referred to in this authorisation.
This authorisation shall be without prejudice to the obligations laid down in laws, regulations or Community legislation that impose stricter limitations or prohibitions on personal data processing - in particular under Section 8 of Act no. 300 of 20.05.70, which was left unprejudiced by Section 113 of the Code, whereby employers are prohibited from investigating, with a view to recruitment as well as in the course of the employer-employee relationship, also by the agency of third parties, workers' political, religious or trade-union opinions and/or circumstances that are irrelevant to the assessment of their professional qualifications, and under Section 10 of legislative decree no. 276 of 10 September 2003, which prohibits employment agencies and any other authorised and/or recognised private entities from performing certain investigations and/or data processing operations and/or workers' preselection.
6) Effectiveness and Transitional Provisions
This authorisation shall be effective as of January 1, 2006 until June
30, 2007 subject to such amendments as the Garante may decide to make on account
of regulatory developments concerning this subject matter.
This authorisation shall be published in the Official Journal of the Italian Republic.
Done in Rome, this 21st day of December 2005
THE PRESIDENT
Pizzetti
THE RAPPORTEUR
Chiaravalloti
THE SECRETARY GENERAL
Buttarelli
