
Authorisation No. 5/2002 Concerning Processing of Sensitive Data by Various Categories of Data Controllers


 

The Garante per la protezione dei dati personali

On this day, with the participation of Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi and Mr. Mauro Paissan, members, and Mr. Giovanni Buttarelli, Secretary-General;

Having regard to Act no. 675 of 31.12.1996, as subsequently amended and supplemented, concerning the protection of individuals and other subjects with regard to the processing of personal data;

Having regard to, in particular, Section 22(1) of said Act, in which "sensitive" data are referred to;

Whereas private bodies and profit-seeking public bodies may only process sensitive data upon authorisation by this Authority and, where necessary, after obtaining the data subjects´ consent in writing;

Whereas the processing of sensitive data may be also authorised by the Garante ex officio by way of general provisions applying to specific categories of controller and/or processing in pursuance of Section 41(7) of Act no. 675/1996;

Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation orders;

Whereas it is appropriate to grant new general authorisations to replace those due to expire on the 31st of January 2002 by streamlining their provisions in the light of the experience gathered so far;

Whereas it is appropriate for these new provisional authorisations to be also time-limited in pursuance of Section 14 of Presidential Decree no. 501/1998 in view of the forthcoming adoption of a consolidated text of the provisions applying to personal data protection as required by Act no. 127/2001;

Whereas it is necessary to ensure compliance with certain principles aimed at minimising the risk of affecting or endangering, through the processing, fundamental rights and freedoms and human dignity;

Whereas the processing of sensitive data is carried out, to a considerable extent, by entities carrying out activities in various business sectors as specified below;

Having regard to Section 35 of Act no. 675/1996;

Having regard to the regulations including provisions on the minimum security measures as adopted by Presidential decree no. 318 of 28.07.99;

Having regard to Section 14 of Presidential decree no. 501 of 31.03.98;

Having regard to official documents;

Having regard to the considerations made, on behalf of the Office, by the Secretary General in pursuance of Section 15 of the rules of procedure for the Garante no. 1/2000;

Acting on the report submitted by Prof. Gaetano Rasi,

Hereby authorises

the processing of sensitive data as per Section 22(1) of Act no. 675/1996, except for those disclosing sex life, in accordance with the provisions set out below.

Chapter I - Activities in the banking, credit, insurance, fund management, tourism or transportation sector

1) Scope of the authorisation

a) any undertaking authorised to carry out banking, credit or insurance activities and the relevant associations, even in case of compulsory winding up;

b) companies and other entities managing pension or assistance funds, or social security funds;

c) financial brokerage companies or entities, particularly as regards management or brokerage of investment trusts or movables;

d) companies and any other entities issuing credit cards or other means of payment, or anyhow managing the relevant transactions;

e) undertakings carrying out, on their own behalf, activities that are closely related and instrumental to those mentioned above as regards risk assessment, factoring, processing of a large amount of records, data transmission, packing and sorting of mail and management of tax collectors´ offices [esattorie] or treasury departments [tesorerie];

f) undertakings in the tourism, hotelling or passenger transport sectors, travel agencies and tour operators.

 

2) Purposes of the processing

This authorisation shall be granted without any request being necessary in respect of such data and operations as are required in order to fulfil the obligations undertaken by the entities referred to under 1) within the relevant sectors of activity, even prior to entering into a contract, with a view to supplying specific goods or services that have been requested by a data subject.

This authorisation shall also be granted to enable or enforce compliance with obligations - including taxation-related obligations - laid down by laws, regulations, Community legislation or collective agreements, or else imposed by supervisory or control bodies or authorities in the cases mentioned in the relevant laws or regulations.

The processing operations performed for the above purposes may also concern the keeping of accounting registers and books, lists, mailing lists and any other documents that are necessary in connection with organisation or administrative management of businesses, companies, co-operatives or consortia.

 

3) Data subjects and data categories

Processing may concern sensitive data relating to any person to whom goods or services are supplied insofar as the data are closely relevant to the specific request(s) made by the data subject, who must have given his/her informed consent thereto in writing. Subject to the above limitations, the processing may also concern data relating to third parties, whenever said goods or services cannot otherwise be supplied to the recipients.

If the data subject´s consent is required in respect of individual data controllers, the indication of his/her wishes must refer specifically to each of them.

 

4) Data communication and dissemination

Sensitive data may be communicated, insofar as this is relevant to the purposes mentioned under 2), to public and private entities, including social security and assistance funds or subsidiary and related companies in pursuance of Section 2359 of the Civil Code, and, if necessary, to the data subject´s family members.

Data controllers must keep a list of the recipients, including the indication of the categories of data that have been communicated, also with a view to informing other controllers, if necessary, of any changes made to the data in response to a request made by data subjects (as per Section 13(1), subheading c), no. 4, of Act no. 675/1996).

No sensitive data may be disseminated.

Chapter II - Opinion polls and surveys

1) Scope of the authorisation and purposes of the processing

This authorisation shall be granted to undertakings, companies, institutions and other private or public entities and/or organisations exclusively for the purpose of carrying out opinion polls, market surveys or any other sample study.

Polls and surveys must be carried out for specific, legitimate purposes, of which the data subject shall have to be informed.

 

2) Data subjects and data categories

The processing may concern data in respect of entities who have given their informed consent and have answered questionnaires or interviews in connection with opinion polls, market surveys and any other sample studies.

The data subject´s consent must always be given in writing.

Sensitive data may only be processed if the processing of anonymous data does not allow achieving the purposes of the poll or survey.

 

3) Keeping of the data

After being collected, the data shall not be processed in a way allowing identification of the data subjects, even indirectly, by reference to any other kind of information.

Any personal data, whether in aggregate form or not, shall be destroyed or made anonymous immediately after being collected, at all events no later than at the time when the collected samples are recorded. Recording must take place without delay even if a large amount of samples has been collected.

This authorisation shall be without prejudice to the possibility for the data controller and the relevant processors or persons in charge of the processing to use the personal data within the above time span in order to verify reliability and accuracy of samples by accessing the data subjects.

 

4) Data communication

No sensitive data shall be communicated or disseminated.

Poll or survey samples may be communicated or disseminated, whether in aggregate form or not, on condition that they cannot be associated with identified or identifiable data subjects also by way of a processing operation.

 

Chapter III - Data processing activities

1) Scope of the authorisation

Undertakings, companies, institutions and any other private organisations or entities acting as controllers of an activity which is carried out on behalf of other entities and is based on data elaboration and additional processing operations either in the employment context or in connection with accounting, salaries, social security and assistance or taxation matters.

 

2) Applicable provisions

Processing shall be carried out in accordance with the following authorisations:

a) no. 1/2002 of 31.01.02, concerning the processing of sensitive data by, in particular, the parties to an employer-employee relationship on condition that the relevant purposes are in line with those referred to under item 3) of said authorisation;

b) no. 4/2002 of 31.01.02, concerning the processing of sensitive data by self-employed professionals and similar categories of controllers, on condition that the relevant purposes are in line with those referred to under item 3) of said authorisation.

If the data subject´s consent is to be given in respect of individual data controllers, the indication of his/her wishes must specifically refer to each of them.

 

Chapter IV - Staff selection

1) Scope of the authorisation and purposes of the processing

This authorisation shall be granted without any request being necessary to undertakings, companies, institutions and other private organisations or entities carrying out activities on behalf of third parties, even on their own initiative, exclusively for staff recruitment or selection purposes.

 

2) Data subjects and data categories

Processing may concern data disclosing health and racial and ethnic origin of applicants for employment or co-operation activities, on condition that the collection of said data serves specific, legitimate purposes and is absolutely necessary for the employment or co-operation.

The processing of data disclosing health of an applicant´s family members or cohabiters is allowed with the data subject´s written consent, on condition that it is aimed at granting a specific benefit to the applicant - such as, in particular, the fact of his being entitled to mandatory employment or the recognition of a specific title in connection with disability or sickness, war events or official duties.

If the data subject´s consent is required in respect of individual data controllers, the indication of his/her wishes must specifically refer to each of them.

The processing shall only concern information that is closely relevant to the above purposes regardless of whether the data are provided in response to a questionnaire that has been sent also by using electronic networks or upon the candidates´ own initiative - in particular via the submission of CVs.

It shall not be permitted to process data:

a) disclosing religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations with a religious, philosophical, political or trade-union aim, and sex life, or

b) relating to facts that are not relevant to the assessment of employees´ professional qualifications, or

c) in breach of provisions either applying to equal opportunity policies or against discrimination.

 

3) Data communication and dissemination

Data disclosing health and racial and ethnic origin may be communicated to the public or private entities that are specifically referred to in the data subject´s statement of consent, insofar as they are relevant to the purposes mentioned under 1) and 2).

No sensitive data may be disseminated.

Chapter V - Marriage bureaux

1) Scope of the authorisation

This authorisation shall be granted without any request being necessary to undertakings, companies, institutions and other organisations or private entities carrying out, even by means of authorised agencies, intermediation activities for matrimonial or cohabitation purposes.

 

2) Purposes of data processing

This authorisation shall be granted without any request being necessary exclusively in order to discharge the tasks that have been committed in pursuance of the relevant laws and regulations.

 

3) Data subjects

Processing may only concern the sensitive data relating to the persons who are directly interested in the matrimonial or cohabitation relationship.

No data may be processed in respect of persons who are minors either under the law of the nationality State or under Italian law.

 

4) Categories of processed data

Processing may only concern such data and operations as are necessary with regard to the specific profile or personality described and/or requested by the persons who are interested in the marriage or cohabitation.

The data must be provided directly by the data subjects.

The information to be provided prior to obtaining the data subject´s consent must especially point out the categories of processed data and the arrangements made for their communication to third parties.

 

5) Data communication

The data may be communicated insofar as they are relevant to the performance of the tasks specifically committed.

Data controllers must keep a list of the recipients, including the indication of the categories of data that have been communicated, also with a view to informing other controllers of any changes made to the data in response to a request made by data subjects (as per Section 13(1), subheading c), no. 4, of Act no. 675/1996).

The dissemination of certain sensitive data, also by means of electronic networks, must be the subject of a specific authorisation by this Authority.

 

6) Final provisions

This authorisation shall be without prejudice to further obligations laid down by laws or regulations, in particular as regards criminal law and public security and the protection of children.

 

Chapter VI - Provisions applying to all types of processing

Insofar as this is not regulated in the above chapters, the following provisions shall also apply to the processing operations mentioned therein:

 

1) Data disclosing health

The processing of data disclosing health shall also be carried out in accordance with authorisation no. 2/2002 as issued on 30.01.02.

The processing of genetic data shall not be allowed in the cases referred to in this authorisation.

 

2) Processing arrangements

Without prejudice to the obligations laid down in Sections 9, 15, 17 and 28 of Act no. 675/1996 and in Presidential decree no. 318/1999, processing of sensitive data shall only be carried out in accordance with such logic and organisational arrangements as are closely related to the purposes set out in the above Chapters.

Data shall be communicated as a rule either directly to the data subject or to the latter´s delegate subject to the provisions made in Section 23(2) of Act no. 675/1996, by using a closed envelope; alternatively, suitable measures shall be taken in order to prevent unauthorised persons from having access to said data, including the requirement of standing behind a line while waiting to be served.

This authorisation shall also be without prejudice to the requirement of informing the data subject in pursuance of Section 10(1) and (3) of Act no. 675/1996, even if the data are collected from a third party.

 

3) Data retention

Without prejudice to the obligation laid down in Section 9(1), subheading e) of Act no. 675 of 31.12.1996, sensitive data shall be kept for no longer than is necessary to achieve the purposes, fulfil the obligations or discharge the tasks referred to in the above Chapters. To that end it shall be determined, also by way of regular controls, whether the data are relevant and not excessive with regard to the existing, planned or terminated relationship, performance or tasks - including the data supplied on the data subject´s own initiative. The data that are found by said controls to be either excessive or irrelevant or unnecessary may not be used except with a view to keeping - as required by law - the instrument and/or document where the data are contained. Special attention shall be paid to relevance of the data concerning entities that are not immediately related to fulfilment of the abovementioned obligations and/or tasks.

This authorisation shall be without prejudice to any laws or regulations laying down different data retention periods.

The provisions of Chapter II applying to opinion polls and surveys are hereby left unprejudiced.

 

4) Requests for authorisation

Where a processing operation falls within the scope of this authorisation, no request for authorisation shall have to be filed with the Garante by the relevant controller, on condition that the proposed processing is in line with the above provisions.

Any requests for authorisation which have already been received, or which will be received following the adoption of this authorisation, shall be regarded as granted insofar as they comply with the requirements laid down herein.

No requests to authorise processing operations which are not in pursuance of the provisions set out herein shall be taken into consideration by the Garante, unless they are to be granted on account of special or exceptional circumstances which are not referred to in this authorisation.

 

5) Final provisions

Any laws, regulations or Community rules imposing further prohibitions or restrictions on the processing of personal data are hereby left unprejudiced, in particular as regards:

a) Act no. 300 of 20.05.1970; and

b) Act no. 135 of 05.06.1990.

This authorisation shall also be without prejudice to the prohibition to disclose, on no legitimate grounds, or use, with a view to gain for oneself or another, information to which professional secrecy applies; any obligations resulting from professional ethics shall further apply, including those laid down in the codes of conduct that are adopted in pursuance of Section 20 of legislative decree no. 467/2001.

The possibility to disseminate anonymous data, including aggregate data, shall be also left unprejudiced.

 

6) Effectiveness and transitional provisions

This authorisation shall be effective as of 1 February 2002 until 30 June 2003.

If, by the date on which this authorisation is published, the processing is not compliant with the provisions that are not included in Authorisation no. 5/2000, the data controller shall have to bring it into line with said provisions by the 31st May 2002.

This authorisation shall be published in the Official Journal of the Italian Republic.

 

Done in Rome, this 31st day of January 2002.

 

THE PRESIDENT
Rodotà

THE RAPPORTEUR
Rasi

THE SECRETARY-GENERAL
Buttarelli

Record

Doc-Web: 47900
Date: 31/01/02

Type: General authorisation