
Authorisation No. 5/2004 Concerning Processing of Sensitive Data by Various Categories of Data Controller - 30 June 2004 [1115349]


[doc. web. n. 1115349]

[Italian version: doc. web. n. 1037063]


 

THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI 

As of this day, with the participation of Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice President, Prof. Gaetano Rasi and Mr. Mauro Paissan, Members, and Mr. Giovanni Buttarelli, Secretary-General;

Having regard to Legislative Decree no. 196 of 30 June 2003, containing the personal data protection Code;

Having regard to, in particular, Section 4(1), letter d), of the abovementioned Code, in which sensitive data are referred to;

Whereas under Section 26(1) of the Code private bodies and profit-seeking public bodies may only process sensitive data upon authorisation by this Authority and, where necessary, after obtaining the data subjects' written consent, subject to compliance with the conditions and limitations set out in the Code as well as in laws and regulations;

Whereas the processing of the data in question may be authorised by the Garante also ex officio by way of general provisions applying to specific categories of controller and/or processing (Section 40 of the Code);

Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation decrees;

Whereas after entry into force of the Code it is appropriate to grant new general authorisations replacing those due to expire on June 30, 2004 by streamlining their provisions in the light of the experience gathered so far as well as by having regard to the codes of conduct and professional practice referred to in Sections 106 and 140 of the Code;

Whereas it is appropriate for these new authorisations to be also provisional and time-limited in pursuance of Section 41(5) of the Code and, in particular, to be effective for a twelve-month term by having regard to the initial implementing phase of the new provisions contained in the Code as well as to the on-going work in view of adopting the codes of conduct and professional practice applying to some specific sectors that are addressed herein (Sections 111 and 140 of the Code);

Whereas it is necessary to ensure compliance with principles aimed at minimising the risk of affecting or endangering, through the processing, fundamental rights and freedoms and human dignity, with particular regard to the right to personal data protection set out in Section 1 of the Code;

Whereas the processing of sensitive data is carried out, to a considerable extent, by entities working in several industry sectors as specified herein;

Having regard to Section 167 of the Code;

Having regard to Section 11(2) of the Code, whereby any data that is processed in breach of the relevant provisions applying to personal data processing may not be used;

Having regard to Section 31 and following ones in the Code, and to the Technical Specifications contained in Annex B to the Code, setting out rules and specifications in respect of security measures;

Having regard to Section 41 of the Code;

Having regard to official records;

Having regard to the considerations made by the Secretary General on behalf of the Office, in pursuance of Section 15 of the Rules of Procedure of the Garante (no. 1/2000);

Acting on the report submitted by Prof. Gaetano Rasi;

 

Hereby authorises

the processing of sensitive data as per Section 4(1), letter d), of the Code, except for those suitable for disclosing sex life, in accordance with the provisions set out below.

Prior to starting and/or continuing the processing, information systems and programmes must be configured by minimising the use of personal and/or identification data so as to rule out their processing if the purposes sought in the individual case can be achieved by using, respectively, either anonymous data or mechanisms that allow identifying the data subject only if this is necessary, in accordance with Section 3 of the Code.

 

Chapter I - Banking, Credit, Insurance, Fund Management, Tourism, and Transport

1) Scope of the Authorisation

a) any undertaking authorised to carry out banking, credit or insurance activities and the relevant associations, including those that are the subject of compulsory administrative liquidation;

b) companies and other entities managing pension or benefit funds, or social security funds;

c) financial brokerage companies or entities, particularly as regards management and/or brokerage of investment funds and/or movables;

d) companies and any other entities issuing credit cards or other means of payment, or anyhow managing the relevant transactions;

e) undertakings carrying out, on their own behalf, activities that are closely related and instrumental to those mentioned above as regards risk assessment, factoring, processing of a large amount of records, data transmission, packing and/or sorting of mail, and management of tax collectors' offices [esattorie] or treasury departments [tesorerie];

f) undertakings in the tourism, hotel or transport sectors, travel agencies, and tour operators.

 

2) Purposes of the Processing

This authorisation shall be granted without any request being necessary in respect of such data and operations as are indispensable in order to fulfil the obligations, including pre-contractual obligations, undertaken by the entities referred to under 1) within the relevant sectors of activity, with a view to supplying specific goods or services that have been requested by a data subject.

This authorisation shall also be granted to comply or enforce compliance with obligations - including tax and accounting obligations - under Community legislation, laws, regulations, or collective agreements, or else imposed by supervisory or control bodies or authorities in the cases mentioned in the relevant laws or regulations.

The processing operations performed for the above purposes may also concern the keeping of accounting registers and books, lists, mailing lists and any other documents that are necessary in connection with organisation or administrative management of businesses, companies, co-operatives or consortia.

 

3) Data Subjects and Data Categories

Processing may concern sensitive data relating to any person to whom goods or services are supplied insofar as the data are closely relevant to the specific request(s) made by the data subject, who must have given his/her informed consent thereto in writing. Subject to the above limitations, the processing may also concern data relating to third parties, whenever said goods or services cannot be supplied otherwise to the recipients.

If the data subject's consent is required in respect of separate data controllers, the indication of his/her wishes must refer specifically to each of them.

 

4) Data Communication and Dissemination

Sensitive data may be communicated, insofar as this is closely relevant to the purposes mentioned under 2), to public and private entities, including social security and assistance funds and/or subsidiary and related companies in pursuance of Section 2359 of the Civil Code, as well as, if necessary, to the data subject's family members.

Data controllers must keep a list of the recipients of the communications in question, including the specification of the categories of data that have been communicated, also with a view to informing other data controllers of any changes made to the data in response to a request lodged by data subjects (as per Section 7(3), letter c) of the Code).

No sensitive data may be disseminated.

 

Chapter II - Opinion Polls and Surveys

1) Scope of the Authorisation and Purposes of the Processing

This authorisation shall be granted to undertakings, companies, institutions and other private or public entities and/or organisations exclusively for the purpose of carrying out opinion polls, market surveys or any other sample-based study.

Polls and surveys must be carried out for specific, legitimate purposes, of which the data subject shall have to be informed.

 

2) Data Subjects and Data Categories

The processing may concern data in respect of entities who have given their informed consent and have answered questionnaires or interviews in connection with opinion polls, market surveys and any other sample-based studies.

The data subject's consent must always be given in writing.

Sensitive data may only be processed if the processing of anonymous data does not allow achieving the purposes of the poll or survey.

 

3) Data Retention

The processing operations carried out after collecting the data shall not allow identifying data subjects, whether directly or indirectly, by way of reference to any other information.

Any personal data, whether in aggregate form or not, shall be destroyed or made anonymous immediately after being collected, and at all events no later than the time when the collected samples are stored. Storage must take place without delay even if a large number of samples has been collected.

This authorisation shall be without prejudice to the possibility for the data controller and the relevant processors or persons in charge of the processing to use the personal data within the aforementioned time span in order to verify reliability and accuracy of samples by accessing the data subjects.

 

4) Data Communication

No sensitive data may be communicated or disseminated.

Poll or survey samples may be communicated or disseminated, whether in aggregate form or not, on condition that they cannot be associated with identified or identifiable data subjects also by way of a processing operation.

 

Chapter III - Data Processing Activities

1) Scope of the Authorisation

Undertakings, companies, institutions, and any other private organisations or entities acting as autonomous controllers of an activity that is carried out for the benefit of other entities and is based on data elaboration and additional processing operations either in the employment context or for the purposes of accounting, payment of wages, social security, social care, and taxation.

 

2) Applicable Provisions

Processing shall be carried out in accordance with the following authorisations:

a) no. 1/2004 as granted on June 30, 2004, concerning the processing of sensitive data by, in particular, the parties to an employer-employee relationship if the purposes sought are those referred to under item 3) of said authorisation;

b) no. 4/2004 as granted on June 30, 2004, concerning the processing of sensitive data by either self-employed professionals or equivalent entities, if the purposes sought are those referred to under item 3) of said authorisation.

If the data subject's consent is to be given in respect of separate data controllers, the indication of his/her wishes must specifically refer to each of them.

 

Chapter IV - Personnel Selection

1) Scope of the Authorisation and Purposes of the Processing

This authorisation shall be granted without any request being necessary to undertakings, companies, institutions, and other private organisations or entities carrying out activities on behalf of third parties, even on their own initiative, exclusively for personnel recruitment or selection purposes.

 

2) Data Subjects and Data Categories

Processing may concern data suitable for disclosing health and racial and ethnic origin of applicants for employment or co-operation activities, on condition that the collection of said data serves specific, legitimate purposes and is absolutely indispensable for setting up the aforementioned employment or co-operation relationship.

The processing of data suitable for disclosing health of an applicant's family members or cohabiters is allowed with the data subject's written consent, if it is aimed at awarding a specific benefit to the applicant - in particular, with a view to the latter's mandatory recruitment or else in order to grant preferential treatment in connection with disability or sickness, war events or official duties.

If the data subject's consent is required in respect of separate data controllers, the indication of his/her wishes must specifically refer to each of them.

The processing shall only concern information that is closely relevant to the above purposes regardless of whether the data are provided in response to a questionnaire that has been sent also by using electronic networks or upon the applicant's own initiative - in particular via the submission of CVs.

It shall not be permitted to process data:

a) suitable for disclosing religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations with a religious, philosophical, political or trade-union aim, racial and ethnic origin, and sex life, or

b) concerning facts that are irrelevant in order to assess employees' professional qualifications, or

c) in breach of provisions either applying to equal opportunity policies or against discrimination.

 

3) Data Communication and Dissemination

Data suitable for disclosing health and racial and ethnic origin may be communicated to the public or private entities that are specifically referred to in the data subject's statement of consent, insofar as they are closely relevant to the purposes mentioned under 1) and 2).

No sensitive data may be disseminated.

 

4) Final Provisions

Any additional obligations set out in laws and regulations are hereby left unprejudiced.

 

Chapter V - Marriage Brokers

1) Scope of the Authorisation

This authorisation shall be granted to undertakings, companies, institutions, and other private organisations or entities acting as brokers for the purpose of setting up marriage and/or cohabitation relationships, also by means of authorised agencies.

 

2) Purposes of Data Processing

This authorisation shall be granted exclusively in order to discharge the tasks that have been committed in pursuance of the relevant laws and regulations.

 

3) Data Subjects

Processing may only concern the sensitive data relating to the persons who are directly involved in the matrimonial and/or cohabitation relationship.

No data may be processed in respect of individuals who are underage either under the law of the nationality State or under Italian law.

 

4) Categories of Processed Data

Processing may only concern such data and operations as are indispensable with regard to the specific profile or personality described and/or requested by the persons who are interested in the marriage or cohabitation.

The data must be provided directly by the data subjects.

The information to be provided prior to obtaining the data subject's written consent must especially point out the categories of processed data and the arrangements made for their communication to third parties.

 

5) Data Communication

The data may be communicated insofar as they are closely relevant to performance of the tasks specifically committed.

Data controllers must keep a list of the recipients of the communications in question, including the specification of the categories of data that have been communicated, also with a view to informing other data controllers of any changes made to the data in response to a request lodged by data subjects (as per Section 7(3), letter c) of the Code).

The dissemination of certain sensitive data, also by means of electronic networks, shall be subject to a specific authorisation by this Authority.

 

6) Final Provisions

This authorisation shall be without prejudice to additional obligations laid down by laws or regulations, in particular as regards criminal law, public security, and the protection of children.

 

Chapter VI - Provisions Applying to all Types of Processing

Insofar as this is not regulated in the above chapters, the following provisions shall also apply to the processing operations mentioned therein:

 

1) Data Suitable for Disclosing Health

The processing of data disclosing health shall also be carried out in accordance with authorisation no. 2/2004 as issued on June 30, 2004.

The processing of genetic data shall not be allowed in the cases referred to in this authorisation.

 

2) Processing Arrangements

Without prejudice to the obligations laid down in Sections 11 and 14 of the Code, in Sections 31 and following ones of the Code, and in Annex B) to the Code, processing of sensitive data shall only be carried out by means of such operations and in accordance with such logic and organisational arrangements as are closely related to the purposes set out in the above Chapters.

Data shall be communicated as a rule either directly to the data subject or to the latter's delegate subject to the provisions made in Section 84(1) of the Code, by using either a closed envelope or any means suitable for preventing unauthorised persons from having access to said data, including the requirement of standing behind a line while waiting to be served.

This authorisation shall also be without prejudice to the requirement of informing the data subject in pursuance of Section 13, paragraphs 1, 3 and 5 of the Code, also if the data are collected from a third party.

 

3) Data Retention

Without prejudice to the obligation laid down in Section 11(1), letter a) of the Code, sensitive data may be kept for no longer than is necessary to achieve the purposes, fulfil the obligations or discharge the tasks referred to in the above Chapters. To that end it shall be continuously verified, also by way of regular controls, whether the data are relevant, not excessive, and indispensable with regard to the existing, planned or terminated relationship, performance or tasks - including the data supplied on the data subject's own initiative. The data that are found to be either excessive or irrelevant or unnecessary also following said verification may not be used except with a view to keeping - as required by law - the instrument and/or document where the data are contained. Special attention shall be paid to indispensability of the data concerning entities other than those directly concerned by the aforementioned obligations and/or tasks.

This authorisation shall be without prejudice to any laws or regulations laying down different data retention periods.

The provisions of Chapter II applying to opinion polls and surveys are hereby left unprejudiced.

 

4) Authorisation Requests

No request for authorisation shall have to be lodged with the Garante by a data controller falling within the scope of application of this authorisation, if the proposed processing is in line with the above provisions.

The authorisation requests received prior to and/or after the date of adoption of this provision shall be regarded as granted insofar as they comply with the requirements laid down herein.

No authorisation requests concerning processing operations that are not in line with the provisions set out herein shall be taken into consideration by the Garante, unless they are to be granted under Section 41 of the Code on account of special and/or exceptional circumstances that are not referred to in this authorisation.

 

5) Final Provisions

Any laws, regulations or Community rules imposing further prohibitions or restrictions on the processing of personal data are hereby left unprejudiced, in particular as regards:

a) Act no. 300 of 20.05.1970; and

b) Act no. 135 of 05.06.1990.

This authorisation shall also be without prejudice to the prohibition to disclose, without legitimate grounds, or use, with a view to gain for oneself or another, information to which professional secrecy applies; any obligations resulting from professional ethics shall further apply, including those laid down in the codes of conduct that are adopted in pursuance of Section 12 of the Code.

The possibility to disseminate anonymous data, including aggregate data, shall be also left unprejudiced.

 

6) Effectiveness and Transitional Provisions

This authorisation shall be effective as of July 1, 2004 until June 30, 2005.

If, as of the date on which this authorisation is published, the processing is not compliant with provisions that were not included in Authorisation no. 5/2002, the data controller shall have to make the necessary adjustments by September 30, 2004.

This authorisation shall be published in the Official Journal of the Italian Republic.

 

Done in Rome, this 30th day of June 2004

 

THE PRESIDENT
Rodotà

THE RAPPORTEUR
Rasi

THE SECRETARY-GENERAL
Buttarelli