Authorisation no. 3/2002 Concerning Processing of Sensitive Data by Associations and Foundations

The Garante per la protezione dei dati personali

On this day, with the participation of Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi and Mr. Mauro Paissan, members, and Mr. Giovanni Buttarelli, Secretary-General;

Having regard to Act no. 675 of 31.12.1996, as subsequently amended and supplemented, concerning the protection of individuals and other subjects with regard to the processing of personal data;

Having regard to, in particular, Section 22(1) of said Act, in which "sensitive" data are referred to;

Having regard to Section 22(1-bis) and (1-ter) of Act no. 675/1996, as added by Section 5(1) of legislative decree no. 135 of 11.05.99 and Section 8(1) of legislative decree no. 467/2001, respectively;

Having regard to Section 22(4) of Act no. 675/1996 as amended by legislative decree no. 467/2001; whereas private bodies and profit-seeking public bodies may only process sensitive data upon authorisation by this Authority and, where necessary, after obtaining the data subject´s consent in writing;

Whereas the processing of sensitive data may be also authorised by the Garante ex officio by way of general provisions applying to specific categories of controller and/or processing in pursuance of Section 41(7) of Act no. 675/1996;

Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation orders;

Whereas it is appropriate to grant new general authorisations to replace those due to expire on the 31^st of January 2002 by streamlining their provisions in the light of the experience gathered so far;

Whereas it is appropriate for these new provisional authorisations to be also time-limited in pursuance of Section 14 of Presidential Decree no. 501/1998 in view of the forthcoming adoption of a consolidated text of the provisions applying to personal data protection as required by Act no. 127/2001;

Whereas it is necessary to ensure compliance with certain principles aimed at minimising the risk of negatively affecting and/or jeopardising, on account of the processing, fundamental rights and freedoms as well as human dignity;

Whereas the processing of sensitive data is carried out, to a considerable extent, by associations and foundations for specific, legitimate purposes as set out in the relevant articles of association, by-laws or collective agreements;

Having regard to Section 35 of Act no. 675/1996;

Having regard to the regulations including provisions on the minimum security measures as adopted by Presidential decree no. 318 of 28.07.99;

Having regard to Section 14 of Presidential decree no. 501 of 31.03.98;

Having regard to official documents;

Having regard to the considerations made, on behalf of the Office, by the Secretary General in pursuance of Section 15 of the rules of procedure of the Garante no. 1/2000;

Acting on the report submitted by Mr. Mauro Paissan,

Hereby authorises

the processing of sensitive data as per Section 22(1) of Act no. 675/1996 by associations, foundations, committees and similar organisations, in compliance with the following requirements:

1) Scope and purposes of data processing

This authorisation shall be granted:

a) to associations, recognised or not, including religious denominations and communities, except as provided for in Section 22(1-bis) as added to the Act by Section 5(1) of legislative decree no. 135/1999, political parties and movements, trade-union associations and organisations, charities, trade associations, assistance or voluntary organisations as well as federations and confederations including the above entities in compliance with the relevant by-laws, articles of association or collective agreements, if any;

b) to foundations, committees and any other non-profit bodies, consortia or entities, regardless of their being legal persons, including non-profit organisations for social purposes [organizzazioni non lucrative di utilità sociale, Onlus];

c) to social co-operatives and mutual aid societies as per Act no. 381 of 08.11.91 and no. 3818 of 15.04.1886, respectively.

This authorisation shall also be granted to schools, regardless of their being associations or not, with regard to the processing of data disclosing religious beliefs and to the activities that are absolutely necessary in order to implement Section 310 of legislative decree no. 297 of 16.04.94.

This authorisation shall be granted for specific, legitimate purposes as set out in the relevant articles of association, by-laws or collective agreements, if any, in particular as regards cultural, religious, political or trade-union purposes, amateurial participation in sports activities or sports competitions, educational purposes including the freedom of choosing one´s religious education, training, scientific research, legal assistance in connection with trade-union activities, protection of environment and cultural and historical heritage, civil rights protection as well as charitable purposes, social work and health care.

This authorisation shall also be granted for the establishment or defence of a legal claim, even by third parties, including administrative proceedings and arbitration or settlement procedures in the cases provided for by laws, Community legislation, regulations or collective agreements, on condition that the claim is of an equal level compared with the data subject´s one if the data are such as to disclose health and sex life, and the data are processed exclusively for said purposes and for no longer than is necessary therefor.

This authorisation shall also be granted for the exercise of the right of access to administrative records in accordance with the relevant laws and regulations.

For the purposes referred to above, the processing of sensitive data may also concern the keeping of accounting books and records, lists, mailing lists and any other documents which are required with a view to managing administrative matters for the association, foundation, committee or entity, complying with tax regulations or circulating journals, bulletins and similar publications.

If the entities as per a), b) and c) employ legal persons or other profit-making entities for the above purposes, or if they apply to the latter for the supply of goods or services, this authorisation shall be granted to said profit-making entities and legal persons as well.

The entities as per a), b) and c) may disclose, to legal persons and profit-making organisations which process data as controllers on their own account, only such sensitive data as are absolutely necessary for the activities actually serving the above purposes - especially with regard to data subjects´ particulars and to mailing lists; to that end, a document must detail, in writing, the information disclosed, the arrangements made for its subsequent use and the specific security measures taken. The consent given in writing by data subjects must especially point out this fact and include specific information on the data controller(s) and the relevant purposes. In addition to the provisions laid down under 3) and 5) to ensure that data are relevant and not excessive, legal persons and profit-making entities may only process the data collected as above for ancillary purposes, or else for management and accounting purposes.

2) Data subjects

Processing may concern sensitive data in respect of:

a) members of an association, partners and, if this is absolutely necessary for the purposes referred to under 1), their respective family members and any cohabiting persons;

b) members, supporters or subscribers and any person applying for membership in or accession to or having regular contacts with an association, foundation or organisation;

c) any person holding offices, honorary or not;

d) entities using or benefiting from the activities or services delivered by the association or organisation, on condition that such entities are referred to in the relevant by-laws or articles of association - if any;

e) students registered or applying for registration with the institutions referred to under 1) and, if such students are under 18 years of age, their parents or any person having parental authority;

f) the association´s members´ or partners´ employees with regard to data disclosing membership of trade unions, associations or organisations with trade-union aims and to the activities required to fulfil specific obligations resulting from collective agreements also applying to individual businesses.

3) Categories of processed data

This authorisation shall not apply to data disclosing health or sex life, which are the subject of general authorisation no. 2/2002.

Processing may concern the other categories of sensitive data referred to in Section 22(1) of Act no. 675/1996, disclosing racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organisations with a religious, philosophical, political or trade-union aim.

Processing may concern such data and operations as are required to achieve the purposes under 1) or anyhow to fulfil obligations provided for by laws, Community legislation, regulations and collective agreements, if those purposes and obligations cannot be fulfilled, on a case by case basis, by processing either anonymous data or personal data of a different kind.

To that end it shall be determined, also by way of regular controls, whether the data are relevant and not excessive with regard to the above purposes and obligations especially in respect of the data disclosing opinions and personal beliefs - including the data supplied on the data subject´s own initiative. The data that are found by said controls to be either excessive or irrelevant or unnecessary may not be used except with a view to keeping - as required by law - the instrument and/or document where the data are contained.

4) Processing arrangements

Without prejudice to the obligations laid down in Sections 9, 15, 17 and 28 of Act no. 675/1996 and in Presidential decree no. 318/1999, the processing of sensitive data shall only be carried out in accordance with such logic and organisational data arrangements as are closely related to the purposes and obligations referred to under 1).

The data shall be collected, as a rule, from the data subject.

This authorisation shall be without prejudice to the requirement of informing the data subject and obtaining his/her consent in writing, pursuant to Sections 10 and 22 of Act no. 675/1996 as amended by legislative decree no. 467/2001.

5) Data retention

In compliance with the obligation referred to in Section 9(1), subheading e), of Act no. 675/1996, sensitive data shall be kept for no longer than is necessary for the purposes as per 1), or else for fulfilling the obligations mentioned therein.

In the course of the assessment referred to under 3) it shall be also considered whether the data are relevant and not excessive with regard either to the activity carried out by the data subject or to the relationship between the latter and the relevant association, foundation, committee or entity - by also taking account of the performance, benefit or service delivered to the data subject and of the latter´s position in respect of the association, foundation, committee or entity.

6) Data communication and dissemination

Sensitive data may only be communicated and, if necessary, disseminated if they are absolutely relevant to the purposes and obligations referred to under 1) and by complying with the additional provisions mentioned above.

7) Requests for authorisation

Where a processing operation falls within the scope of application of this authorisation, no request for authorisation shall have to be filed with the Garante by the relevant controller on condition that the proposed processing is in line with the above provisions.

Any requests for authorisation which have already been received, or which will be received following the adoption of this authorisation, shall be regarded as granted insofar as they comply with the requirements laid down herein.

No requests to authorise processing operations that are not in line with the provisions set out herein shall be taken into consideration by the Garante, unless they are to be granted on account of special or exceptional circumstances which are not referred to in this authorisation.

8) Final provisions

Any laws, Community legislation or regulations imposing prohibitions or restrictions on the processing of personal data are hereby left unprejudiced.

This authorisation shall also be without prejudice to the provisions against discrimination, in particular as regards decree-law no. 122 of 26.04.93 as converted, with amendments, into Act no. 205 of 25.06.93 on discrimination for racial, ethnic, nationality or religious reasons and genocide.

9) Transitional effectiveness

This authorisation shall be effective as of 1 February 2002 until 30 June 2003.

If, by the date on which this authorisation is published, the processing is not compliant with the provisions that are not included in Authorisation no. 3/2000, the data controller shall have to bring it into line with said provisions by the 31st May 2002.

This authorisation shall be published on the Official Journal of the Italian Republic.

Done in Rome, this 31st day of January 2002

THE PRESIDENT
Rodotà

THE RAPPORTEUR
Paissan

THE SECRETARY GENERAL
Buttarelli