General Information on the New Italian Data Protection Code

 

 

Italy’s new data protection code came into force on January 1st 2004.

The Code is unique in that it brings together all the various laws, codes and regulations relating to data protection since 1996. There are three key guiding principles behind the code, which are outlined in Section 2:

  1. Simplification
  2. Harmonisation
  3. Effectiveness

The code is divided into three parts. The first part sets out the general data protection principles that apply to all organisations. Part two of the code provides additional measures that will need to be undertaken by organisations in certain areas, for example, healthcare, telecommunications, banking and finance, or human resources. Part three relates to sanctions and remedies. It is expected that the second part of the code will be developed further through the introduction of sectoral codes of practice. Seven codes are planned (including surveillance, with particular regard to video surveillance, human resources, private investigators, and advertising/marketing) which will be developed in consultation with industry groups.

Scope of the Italian data protection code - The code applies to all processing within the State and its territories. It will also affect outside organisations that make use of equipment located within Italy, which could include e.g. PCs and other computer-based systems (see Section 5 of the code). This means that the use of cookies is covered by the Italian code, which will have important ramifications for online businesses.

If an organisation outside the EU is processing data on Italian territory, it must appoint a representative in Italy for the application of Italian rules (this will be necessary for notifying the Garante and for providing data subjects with information notices).


Main Features of the New Data Protection Code

Notification - One of the key targets for simplification was the notification process. The new system is in line with the EU Data Protection Directive which allows the notification process to be simplified in cases where data processing does not adversely affect the rights and freedoms of data subjects (see Article 18, paragraph 2 of the directive). Under the Italian code, organisations are only required to notify the Garante when processing higher-risk categories of data. These include genetic and biometric data, data processed for the purpose of analysing or profiling individuals, and credit-related information (see Section 37 of the code for additional details). This approach is also aimed at making the process more transparent and understandable for individuals.

Data minimisation - Section 3 of the code introduces the element of data minimisation into Italian data protection. The code encourages organisations to make use of non-personal data whenever possible.

Data subjects’ rights/Decision taking - The code aims to strengthen individuals’ data protection rights, allowing them to exercise their rights and instigate proceedings more easily. Individuals do not have to demonstrate that damage or distress has been caused as a result of a data protection breach; they merely have to demonstrate that their privacy has been breached. In an effort to simplify the complaints process, the Garante has published a complaints form on its website.

The Garante can also order businesses to abide by compliance requirements set out in its decisions. When responding to investigations, businesses now have 15 days to comply, compared to the previous 5-day timeframe.

The turnaround for dealing with complaints has been raised to 60 days. Previously the Garante had a 30-day deadline, but this deadline was found to be too tight: it did not allow the Garante to work effectively, nor did it allow the parties to prepare their pleadings appropriately.

International Data Transfers - The new data protection code has incorporated and, to some extent, updated the previous rules on data transfers (data transfers are addressed in Sections 42-45 of the code). Whereas previously businesses had to notify the Garante of their intention to transfer data outside the EU, under the new system companies will only have to provide notification in cases in which the transfer of data could prejudice data subjects’ rights (see the Notification section).

The rules for legitimising transfers to non-EU countries can be found in Section 43 of the code and include consent, meeting contractual obligations, public interest requirements, safeguarding life/health, investigations by defence counsel, use of publicly available data, and processing for statistical/historical purposes.

Additional provisions for legitimising transfers are laid out in Section 44 of the code and include transfers to countries deemed adequate by the European Commission, or the adoption of contractual safeguards.


Main Features in Respect of Specific Processing Operations

Human Resources Data - The new code has fully implemented Article 8 (b) of the EU directive which applies to the processing of sensitive data. Organisations processing sensitive data that wish to find an alternative to the somewhat unreliable basis of employee consent can look at the exemptions laid out in Section 26 of the code. For example, Section 26 (4d) allows the processing of sensitive data without consent if necessary to meet obligations under employment law.

The code has also incorporated a new legislative provision on recruitment (set out in law 276/2003) which applies to areas such as the processing of curriculum vitae (for example, candidates must be provided with a data protection notice), employment agencies, and job advertisements. When recruiting staff, businesses are prohibited from collecting data relating to religion, trade union membership, political beliefs, marital status, health status, ethnic origin etc. The only exemption to this rule is if the specific job requires that this type of data be collected.

Health data - As in the past, there are two basic requirements for processing data in the healthcare sector: (1) data subjects’ consent, and (2) authorisation from the Garante. The private sector will need to satisfy both requirements (see Sections 75-76 of the code). However, the code simplifies the methods for obtaining consent so that processors do not necessarily have to get consent in writing. Consent can, in some cases, be given verbally. Consent for data to be processed across different healthcare organisations or departments can be given in a single, one-off statement.

Electronic Communications Data - The new code has implemented the provisions contained in the E-Communications Privacy Directive (see Title 10, Part 2 of the code).

One of the main principles concerns electronic marketing: organisations are required to obtain prior consent before sending electronic marketing to consumers (see Section 130). This applies to all forms of e-marketing, including e-mail, fax, SMS/MMS etc.
There is also a ban on sending e-marketing from anonymous addresses - this is a breach of the data protection code as the data controller has withheld its identity.
As for data retention, communications service providers (CSPs) are permitted to retain data for only a six-month period in order to deal with disputes over billing and subscriber services. CSPs are also required to retain telephone traffic data for the purpose of detecting and preventing crime, although that period has been reduced from five to four years; moreover, a two-stage system is envisaged whereby for the first twenty-four months access to telephone traffic data is allowed for said purposes further to a request submitted to the competent judicial authority by the public prosecutor and/or any party to a judicial proceeding. Conversely, as regards the following twenty-four months access is only allowed for detecting and/or suppressing serious criminal offences (organised crime and/or computer crime) and only upon a specific reasoned order issued by judicial authorities.


Main Features as to Compliance and Enforcement

Complaints - Data subjects can settle disputes either through the courts or by lodging a complaint with the Garante if they have been prevented from exercising access/erasure/updating rights (as per Section 7 of the code).
The code has changed the time period for responding to subject access requests. Previously, organisations had 5 days to respond, which was difficult, considering the amount of data that organisations are required to search through. Organisations now have 15 days to respond and can appeal to the Garante for more time. The Garante will then have 60 days to consider the request (see above "Data Subjects’ Rights/Decision Taking").

Inspections - The Garante’s inspection powers are laid out in Section 158 of the code. When investigating organisations, the Garante can request information and documents, although these requests are not legally binding. However, if there is no cooperation, and the organisation refuses access to its systems, the Garante can apply for a judicial order to carry out an investigation.
When carrying out formal inspections, the Garante can demand copies of manual records and databases, which are then passed on to the judicial authorities. A report of the outcome is then published. (Information from http://www.garanteprivacy.it)

 

 

"Sed quis custodiet ipsos custodes?"
Juvenal (circa 60-130 AD), Satires, 6, 347

 

 

 

ITALIAN PERSONAL DATA PROTECTION CODE

 

Legislative Decree no. 196 of 30 June 2003

 

PART 1 – GENERAL PROVISIONS............................................................

TITLE I – GENERAL PRINCIPLES..........................................................................................

Section 1................................................................................................................................

(Right to the Protection of Personal Data).........................................................................

Section 2................................................................................................................................

(Purposes)..........................................................................................................................

Section 3................................................................................................................................

(Data Minimisation Principle)...........................................................................................

Section 4................................................................................................................................

(Definitions)......................................................................................................................

Section 5................................................................................................................................

(Subject-Matter and Scope of Application).......................................................................

Section 6................................................................................................................................

(Regulations Applying to Processing Operations).............................................................

TITLE II – DATA SUBJECT’S RIGHTS..................................................................................

Section 7................................................................................................................................

(Right to Access Personal Data and Other Rights)............................................................

Section 8................................................................................................................................

(Exercise of Rights)...........................................................................................................

Section 9................................................................................................................................

(Mechanisms to Exercise Rights)......................................................................................

Section 10..............................................................................................................................

(Response to Data Subjects)..............................................................................................

TITLE III – GENERAL DATA PROCESSING RULES...........................................................

CHAPTER I – RULES APPLYING TO ALL PROCESSING OPERATIONS.............................

Section 11..............................................................................................................................

(Processing Arrangements and Data Quality)....................................................................

Section 12..............................................................................................................................

(Codes of Conduct and Professional Practice)...................................................................

Section 13..............................................................................................................................23

(Information to Data Subjects)...........................................................................................23

Section 14..............................................................................................................................24

(Profiling of Data Subjects and Their Personality)............................................................24

Section 15..............................................................................................................................25

(Damage Caused on Account of the Processing)...............................................................25

Section 16..............................................................................................................................25

(Termination of Processing Operations)............................................................................25

Section 17..............................................................................................................................25

(Processing Operations Carrying Specific Risks)..............................................................25

CHAPTER II – ADDITIONAL RULES APPLYING TO PUBLIC BODIES..............................26

Section 18..............................................................................................................................26

(Principles Applying to All Processing Operations Performed by Public Bodies)............26

Section 19..............................................................................................................................26

(Principles Applying to the Processing of Data Other Than Sensitive and Judicial Data)26

Section 20..............................................................................................................................26

(Principles Applying to the Processing of Sensitive Data)................................................26

Section 21..............................................................................................................................27

(Principles Applying to the Processing of Judicial Data)..................................................27

Section 22..............................................................................................................................27

(Principles Applying to the Processing of Sensitive Data as well as to Judicial Data).....27

CHAPTER III – ADDITIONAL RULES APPLYING TO PRIVATE BODIES...........................28

AND PROFIT-SEEKING PUBLIC BODIES.............................................................................28

Section 23..............................................................................................................................28

(Consent)...........................................................................................................................28

Section 24..............................................................................................................................29

(Cases in Which No Consent Is Required for Processing Data)........................................29

Section 25..............................................................................................................................30

(Bans on Communication and Dissemination)..................................................................30

Section 26..............................................................................................................................30

(Safeguards Applying to Sensitive Data)...........................................................................30

Section 27..............................................................................................................................31

(Safeguards Applying to Judicial Data).............................................................................31

TITLE IV – ENTITIES PERFORMING PROCESSING OPERATIONS..............................32

Section 28..............................................................................................................................32

(Data Controller)................................................................................................................32

Section 29..............................................................................................................................32

(Data Processor).................................................................................................................32

Section 30..............................................................................................................................32

(Persons in Charge of the Processing)...............................................................................32

TITLE V – DATA AND SYSTEM SECURITY.........................................................................33

CHAPTER I – SECURITY MEASURES.....................................................................................33

Section 31..............................................................................................................................33

(Security Requirements)....................................................................................................33

Section 32..............................................................................................................................33

(Specific Categories of Data Controller)...........................................................................33

CHAPTER II – MINIMUM SECURITY MEASURES................................................................34

Section 33..............................................................................................................................34

(Minimum Security Measures)..........................................................................................34

Section 34..............................................................................................................................34

(Processing by Electronic Means)......................................................................................34

Section 35..............................................................................................................................35

(Processing without Electronic Means).............................................................................35

Section 36..............................................................................................................................35

(Upgrading).......................................................................................................................35

TITLE VI – PERFORMANCE OF SPECIFIC TASKS............................................................35

Section 37..............................................................................................................................35

(Notification of the Processing).........................................................................................35

Section 38..............................................................................................................................36

(Notification Mechanisms)................................................................................................36

Section 39..............................................................................................................................37

(Communication Obligations)............................................................................................37

Section 40..............................................................................................................................37

(General Authorisations)....................................................................................................37

Section 41..............................................................................................................................38

(Authorisation Requests)....................................................................................................38

TITLE VII – TRANSBORDER DATA FLOWS.........................................................................38

Section 42..............................................................................................................................38

(Data Flows in the EU)......................................................................................................38

Section 43..............................................................................................................................38

(Permitted Data Transfers to Third Countries)..................................................................38

Section 44..............................................................................................................................39

(Other Permitted Data Transfers).......................................................................................39

Section 45..............................................................................................................................40

(Prohibited Data Transfers)................................................................................................40

PART II – PROVISIONS APPLYING TO SPECIFIC SECTORS....................41

TITLE I – PROCESSING OPERATIONS IN THE JUDICIAL SECTOR.............................42

CHAPTER I – IN GENERAL.....................................................................................................42

Section 46..............................................................................................................................42

(Data Controllers)..............................................................................................................42

Section 47..............................................................................................................................42

(Processing Operations for Purposes of Justice)................................................................42

Section 48..............................................................................................................................43

(Data Banks of Judicial Offices)........................................................................................43

Section 49..............................................................................................................................43

(Implementing Provisions).................................................................................................43

CHAPTER II – CHILDREN.......................................................................................................43

Section 50..............................................................................................................................43

(Reports or Images Concerning Underage Persons)..........................................................43

CHAPTER III – LEGAL INFORMATION SERVICES..............................................................43

Section 51..............................................................................................................................43

(General Principles)...........................................................................................................43

Section 52..............................................................................................................................44

(Information Identifying Data Subjects)............................................................................44

TITLE II – PROCESSING OPERATIONS BY THE POLICE................................................45

CHAPTER I – IN GENERAL.....................................................................................................45

Section 53..............................................................................................................................45

(Scope of Application and Data Controllers).....................................................................45

Section 54..............................................................................................................................45

(Processing Mechanisms and Data Flows)........................................................................45

Section 55..............................................................................................................................46

(Specific Technology)........................................................................................................46

Section 56..............................................................................................................................46

(Safeguards for Data Subjects)..........................................................................................46

Section 57..............................................................................................................................46

(Implementing Provisions).................................................................................................46

TITLE III – STATE DEFENCE AND SECURITY....................................................................47

CHAPTER I – IN GENERAL.....................................................................................................47

Section 58..............................................................................................................................47

(Applicable Provisions)......................................................................................................47

TITLE IV – PROCESSING OPERATIONS IN THE PUBLIC SECTOR..............................48

CHAPTER I – ACCESS TO ADMINISTRATIVE RECORDS....................................................48

Section 59..............................................................................................................................48

(Access to Administrative Records)..................................................................................48

Section 60..............................................................................................................................48

(Data Disclosing Health and Sex Life)..............................................................................48

CHAPTER II – PUBLIC REGISTERS AND PROFESSIONAL REGISTERS............................48

Section 61..............................................................................................................................48

(Use of Public Information)...............................................................................................48

CHAPTER III – REGISTERS OF BIRTHS, DEATHS AND MARRIAGES, CENSUS

REGISTERS AND ELECTORAL LISTS.....................................................................................49

Section 62..............................................................................................................................49

(Sensitive and Judicial Data)..............................................................................................49

Section 63..............................................................................................................................49

(Interrogation of Records)..................................................................................................49

CHAPTER IV – PURPOSES IN THE SUBSTANTIAL PUBLIC INTEREST............................50

Section 64..............................................................................................................................50

(Citizenship, Immigration and Alien Status).....................................................................50

Section 65..............................................................................................................................50

(Political Rights and Public Disclosure of the Activities of Certain Bodies)....................50

Section 66..............................................................................................................................51

(Taxation and Customs Matters)........................................................................................51

Section 67..............................................................................................................................51

(Auditing and Controls).....................................................................................................51

Section 68..............................................................................................................................52

(Grants and Certifications).................................................................................................52

Section 69..............................................................................................................................52

(Honours, Rewards and Incorporation)..............................................................................52

Section 70..............................................................................................................................53

(Voluntary Organisations and Conscientious Objection)..................................................53

Section 71..............................................................................................................................53

(Imposition of Sanctions and Precautionary Measures)....................................................53

Section 72..............................................................................................................................53

(Relationships with Religious Denominations).................................................................53

Section 73..............................................................................................................................54

(Other Purposes Related to Administrative and Social Matters).......................................54

CHAPTER V – SPECIFIC PERMITS........................................................................................54

Section 74..............................................................................................................................54

(Car Permits and Access to Town Centres).......................................................................54

TITLE V – PROCESSING OF PERSONAL DATA IN THE HEALTH CARE SECTOR

CHAPTER I – IN GENERAL

Section 75

(Scope of Application)

Section 76

(Health Care Professionals and Public Health Care Bodies)

CHAPTER II – SIMPLIFIED ARRANGEMENTS CONCERNING INFORMATION AND CONSENT

Section 77

(Simplification)

Section 78

(Information Provided by General Practitioners and Paediatricians)

Section 79

(Information Provided by Health Care Bodies)

Section 80

(Information Provided by Other Public Bodies)

Section 81

(Providing One’s Consent)

Section 82

(Emergency and Protection of Health and Bodily Integrity)

Section 83

(Other Provisions to Ensure Respect for Data Subjects’ Rights)

Section 84

(Data Communication to Data Subjects)

CHAPTER III – PURPOSES IN THE SUBSTANTIAL PUBLIC INTEREST

Section 85

(Tasks of the National Health Service)

Section 86

(Other Purposes in the Substantial Public Interest)

CHAPTER IV – MEDICAL PRESCRIPTIONS

Section 87

(Drugs Paid for by the National Health Service)

Section 88

(Drugs Not Paid for by the National Health Service)

Section 89

(Special Cases)

CHAPTER V – GENETIC DATA

Section 90

(Processing of Genetic Data and Bone Marrow Donors)

CHAPTER VI – MISCELLANEOUS PROVISIONS

Section 91

(Data Processed by Means of Cards)

Section 92

(Clinical Records)

Section 93

(Certificate of Attendance at Birth)

Section 94

(Data Banks, Registers and Filing Systems in the Health Care Sector)

TITLE VI – EDUCATION

CHAPTER I – IN GENERAL

Section 95

(Sensitive and Judicial Data)

Section 96

(Processing of Data Concerning Students)

TITLE VII – PROCESSING FOR HISTORICAL, STATISTICAL OR SCIENTIFIC PURPOSES

CHAPTER I – IN GENERAL

Section 97

(Scope of Application)

Section 98

(Purposes in the Substantial Public Interest)

Section 99

(Compatibility between Purposes and Duration of Processing)

Section 100

(Data Concerning Studies and Researches)

CHAPTER II – PROCESSING FOR HISTORICAL PURPOSES

Section 101

(Processing Arrangements)

Section 102

(Code of Conduct and Professional Practice)

Section 103

(Interrogating Documents Kept in Archives)

CHAPTER III – PROCESSING FOR STATISTICAL OR SCIENTIFIC PURPOSES

Section 104

(Scope of Application and Identification Data for Statistical or Scientific Purposes)

Section 105

(Processing Arrangements)

Section 106

(Codes of Conduct and Professional Practice)

Section 107

(Processing of Sensitive Data)

Section 108

(National Statistical System)

Section 109

(Statistical Data Concerning Birth Events)

Section 110

(Medical, Biomedical and Epidemiological Research)

TITLE VIII – OCCUPATIONAL AND SOCIAL SECURITY ISSUES

CHAPTER I – IN GENERAL

Section 111

(Code of Conduct and Professional Practice)

Section 112

(Purposes in the Substantial Public Interest)

CHAPTER II – JOB ADS AND EMPLOYEE DATA

Section 113

(Data Collection and Relevance)

CHAPTER III – BAN ON DISTANCE MONITORING AND TELEWORK

Section 114

(Distance Monitoring)

Section 115

(Telework and Home-Based Work)

CHAPTER IV – ASSISTANCE BOARDS AND SOCIAL WORK

Section 116

(Availability of Data under the Terms Agreed upon with Data Subjects)

TITLE IX – BANKING, FINANCIAL AND INSURANCE SYSTEMS

CHAPTER I – INFORMATION SYSTEMS

Section 117

(Reliability and Timeliness in Payment-Related Matters)

Section 118

(Commercial Information)

Section 119

(Data Concerning Payment of Debts)

Section 120

(Car Accidents)

TITLE X – ELECTRONIC COMMUNICATIONS

CHAPTER I – ELECTRONIC COMMUNICATION SERVICES

Section 121

(Services Concerned)

Section 122

(Information Collected with Regard to Subscribers or Users)

Section 123

(Traffic Data)

Section 124

(Itemised Billing)

Section 125

(Calling Line Identification)

Section 126

(Location Data)

Section 127

(Nuisance and Emergency Calls)

Section 128

(Automatic Call Forwarding)

Section 129

(Directories of Subscribers)

Section 130

(Unsolicited Communications)

Section 131

(Information Provided to Subscribers and Users)

Section 132

(Traffic Data Retention for Other Purposes)

CHAPTER II – INTERNET AND ELECTRONIC NETWORKS

Section 133

(Code of Conduct and Professional Practice)

CHAPTER III – VIDEO SURVEILLANCE

Section 134

(Code of Conduct and Professional Practice)

TITLE XI – SELF-EMPLOYED PROFESSIONALS AND PRIVATE DETECTIVES

CHAPTER I – IN GENERAL

Section 135

(Code of Conduct and Professional Practice)

TITLE XII – JOURNALISM AND LITERARY AND ARTISTIC EXPRESSION

CHAPTER I – IN GENERAL

Section 136

(Journalistic Purposes and Other Intellectual Works)

Section 137

(Applicable Provisions)

Section 138

(Professional Secrecy)

CHAPTER II – CODE OF PRACTICE

Section 139

(Code of Practice Applying to Journalistic Activities)

TITLE XIII – DIRECT MARKETING

CHAPTER I – IN GENERAL

Section 140

(Code of Conduct and Professional Practice)

PART III – REMEDIES AND SANCTIONS

TITLE I – ADMINISTRATIVE AND JUDICIAL REMEDIES

CHAPTER I – REMEDIES AVAILABLE TO DATA SUBJECTS

BEFORE THE GARANTE

I – GENERAL PRINCIPLES

Section 141

(Available Remedies)

II – ADMINISTRATIVE REMEDIES

Section 142

(Lodging a Claim)

Section 143

(Handling a Claim)

Section 144

(Reports)

III – NON-JUDICIAL REMEDIES

Section 145

(Complaints)

Section 146

(Prior Request to Data Controller or Processor)

Section 147

(Lodging a Complaint)

Section 148

(Inadmissible Complaints)

Section 149

(Handling a Complaint)

Section 150

(Measures Taken Following a Complaint)

Section 151

(Challenging)

CHAPTER II – JUDICIAL REMEDIES

Section 152

(Judicial Authorities)

TITLE II – THE SUPERVISORY AUTHORITY

CHAPTER I – THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI

Section 153

(The Garante)

Section 154

(Tasks)

CHAPTER II - THE GARANTE'S OFFICE

Section 155

(Applicable Principles)

Section 156

(Permanent and Other Staff)

CHAPTER III - INQUIRIES AND CONTROLS

Section 157

(Request for Information and Production of Documents)

Section 158

(Inquiries)

Section 159

(Arrangements)

Section 160

(Specific Inquiries)

TITLE III - SANCTIONS

CHAPTER I - BREACH OF ADMINISTRATIVE RULES

Section 161

(Providing No or Inadequate Information to Data Subjects)

Section 162

(Other Types of Non-Compliance)

Section 163

(Submitting No or an Incomplete Notification)

Section 164

(Failure to Provide Information or Produce Documents to the Garante)

Section 165

(Publication of Provisions by the Garante)

Section 166

(Implementing Procedure)

CHAPTER II - CRIMINAL OFFENCES

Section 167

(Unlawful Data Processing)

Section 168

(Untrue Declarations and Notifications Submitted to the Garante)

Section 169

(Security Measures)

Section 170

(Failure to Comply with Provisions Issued by the Garante)

Section 171

(Other Offences)

Section 172

(Additional Punishments)

TITLE IV - AMENDMENTS, REPEALS, TRANSITIONAL AND FINAL PROVISIONS

CHAPTER I - AMENDMENTS

Section 173

(Convention Implementing the Schengen Agreement)

Section 174

(Service of Process and Judicial Sales)

Section 175

(Police)

Section 176

(Public Bodies)

Section 177

(Census Registers, Registers of Births, Deaths and Marriages, and Electoral Lists)

Section 178

(Provisions Concerning the Health Care Sector)

Section 179

(Other Amendments)

CHAPTER II - TRANSITIONAL PROVISIONS

Section 180

(Security Measures)

Section 181

(Other Transitional Provisions)

Section 182

(Office of the Garante)

CHAPTER III - REPEALS

Section 183

(Repealed Provisions)

CHAPTER IV - FINAL PROVISIONS

Section 184

(Transposition of European Directives)

Section 185...........................................................................................................................

(Annexed Codes of Conducts and Professional Practice)................................................

Section 186..........................................................................................................................

(Entry into Force).............................................................................................................

ANNEXES.................................................................................................................................

CODES OF CONDUCT (ANNEX A).......................................................................................

A.1 – PROCESSING OF PERSONAL DATA IN THE EXERCISE OF JOURNALISTIC

ACTIVITIES.......................................................................................................................

A.2 – PROCESSING OF PERSONAL DATA FOR HISTORICAL PURPOSES.............

A.3 – PROCESSING OF PERSONAL DATA FOR STATISTICAL PURPOSES WITHIN

THE FRAMEWORK OF THE SI.STA.N. [NATIONAL STATISTICAL SYSTEM].......

TECHNICAL SPECIFICATIONS CONCERNING MINIMUM SECURITY MEASURES

(ANNEX B)..............................................................................................................................

 

THE PRESIDENT OF THE REPUBLIC

HAVING REGARD to Articles 76 and 87 in the Constitution,

HAVING REGARD to Section 1 of Act no. 127 of 24 March 2001, enabling Government to issue a

consolidated text on the processing of personal data,

HAVING REGARD to Section 26 of Act no. 14 of 3 February 2003, setting out provisions to

ensure compliance with obligations related to Italy’s membership in the European Communities

(Community Act of 2002),

HAVING REGARD to Act no. 675 of 31 December 1996 as subsequently amended,

HAVING REGARD to Act no. 676 of 31 December 1996, enabling Government to pass legislation

concerning protection of individuals and other entities with regard to the processing of personal data,

HAVING REGARD to Directive 95/46/EC of the European Parliament and of the Council of 24

October 1995, on the protection of individuals with regard to the processing of personal data and on

the free movement of such data,

HAVING REGARD to Directive 2002/58/EC of the European Parliament and of the Council of 12

July 2002, on the processing of personal data and the protection of private life in the electronic

communications sector,

HAVING REGARD to the preliminary resolution adopted by the Council of Ministers at its

meeting of 9 May 2003,

HAVING HEARD the Garante per la protezione dei dati personali,

HAVING ACQUIRED the opinion by the competent Parliamentary committees at the Chamber of

Deputies and the Senate of the Republic,

HAVING REGARD to the Council of Ministers’ resolution adopted at the meeting of 27 June

2003,

ACTING ON THE PROPOSAL put forward by the Prime Minister, the Minister for Public

Administration and the Minister for Community Policies, in agreement with the Ministers of

Justice, of Economy and Finance, of Foreign Affairs and Communications,

ISSUES

the following legislative decree:

 

PART 1 – GENERAL PROVISIONS

 

TITLE I – GENERAL PRINCIPLES

Section 1

(Right to the Protection of Personal Data)

1. Everyone has the right to protection of the personal data concerning him or her.

Section 2

(Purposes)

1. This consolidated statute, hereinafter referred to as “Code”, shall ensure that personal data are

processed by respecting data subjects’ rights, fundamental freedoms and dignity, particularly with

regard to confidentiality, personal identity and the right to personal data protection.

2. The processing of personal data shall be regulated by affording a high level of protection for the

rights and freedoms referred to in paragraph 1 in compliance with the principles of simplification,

harmonisation and effectiveness of the mechanisms by which data subjects can exercise such rights

and data controllers can fulfil the relevant obligations.

Section 3

(Data Minimisation Principle)

1. Information systems and software shall be configured by minimising the use of personal data and

identification data, in such a way as to rule out their processing if the purposes sought in the

individual cases can be achieved by using either anonymous data or suitable arrangements to allow

identifying data subjects only in cases of necessity, respectively.

Section 4

(Definitions)

1. For the purposes of this Code,

 

a) ‘processing’ shall mean any operation, or set of operations, carried out with or without the help

of electronic or automated means, concerning the collection, recording, organisation, keeping,

interrogation, elaboration, modification, selection, retrieval, comparison, utilization,

interconnection, blocking, communication, dissemination, erasure and destruction of data, whether

the latter are contained or not in a data bank;

b) ‘personal data’ shall mean any information relating to natural or legal persons, bodies or

associations that are or can be identified, even indirectly, by reference to any other information

including a personal identification number;

c) ‘identification data’ shall mean personal data allowing a data subject to be directly identified;

d) ‘sensitive data’ shall mean personal data allowing the disclosure of racial or ethnic origin,

religious, philosophical or other beliefs, political opinions, membership of parties, trade unions,

associations or organizations of a religious, philosophical, political or trade-unionist character, as

well as personal data disclosing health and sex life;

e) ‘judicial data’ shall mean personal data disclosing the measures referred to in Section 3(1), letters

a) to o) and r) to u), of Presidential Decree no. 313 of 14 November 2002 concerning the criminal

record office, the register of offence-related administrative sanctions and the relevant current

charges, or the status of being either defendant or the subject of investigations pursuant to Sections

60 and 61 of the Criminal Procedure Code;

f) ‘data controller’ shall mean any natural or legal person, public administration, body, association

or other entity that is competent, also jointly with another data controller, to determine purposes and

methods of the processing of personal data and the relevant means, including security matters;

g) ‘data processor’ shall mean any natural or legal person, public administration, body, association

or other agency that processes personal data on the controller’s behalf;

h) ‘persons in charge of the processing’ shall mean the natural persons that have been authorised by

the data controller or processor to carry out processing operations;

i) ‘data subject’ shall mean any natural or legal person, body or association that is the subject of the

personal data;

l) ‘communication’ shall mean disclosing personal data to one or more identified entities other than

the data subject, the data controller’s representative in the State’s territory, the data processor and

persons in charge of the processing in any form whatsoever, including by making available or

interrogating such data;

m) ‘dissemination’ shall mean disclosing personal data to unidentified entities, in any form

whatsoever, including by making available or interrogating such data;

n) ‘anonymous data’ shall mean any data that either in origin or on account of its having been

processed cannot be associated with any identified or identifiable data subject;

o) ‘blocking’ shall mean keeping personal data by temporarily suspending any other processing

operation;

 

p) ‘data bank’ shall mean any organised set of personal data, divided into one or more units located

in one or more places;

q) ‘Garante’ shall mean the authority referred to in Section 153 as set up under Act no. 675 of 31

December 1996.

2. Furthermore, for the purposes of this Code,

a) ‘electronic communication’ shall mean any information exchanged or conveyed between a finite

number of parties by means of a publicly available electronic communications service. This does

not include any information conveyed as part of a broadcasting service to the public over an

electronic communications network except to the extent that the information can be related to the

identifiable or identified subscriber or user receiving the information;

b) ‘call’ means a connection established by means of a publicly available telephone service

allowing two-way communication in real time;

c) ‘electronic communications network’ shall mean transmission systems and switching or routing

equipment and other resources which permit the conveyance of signals by wire, by radio, by optical

or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched,

including Internet) and mobile terrestrial networks, networks used for radio and television

broadcasting, electricity cable systems, to the extent that they are used for the purpose of

transmitting signals, and cable television networks, irrespective of the type of information

conveyed;

d) ‘public communications network’ shall mean an electronic communications network used wholly

or mainly for the provision of publicly available electronic communications services;

e) ‘electronic communications service’ shall mean a service which consists wholly or mainly in the

conveyance of signals on electronic communications networks, including telecommunications

services and transmission services in networks used for broadcasting, to the extent that this is

provided for in Article 2, letter c) of Directive 2002/21/EC of the European Parliament and of the

Council of 7 March 2002;

f) ‘subscriber’ shall mean any natural or legal person, body or association who or which is party to a

contract with the provider of publicly available electronic communications services for the supply

of such services, or is anyhow the recipient of such services by means of pre-paid cards;

g) ‘user’ shall mean a natural person using a publicly available electronic communications service

for private or business purposes, without necessarily being a subscriber to such service;

h) ‘traffic data’ shall mean any data processed for the purpose of the conveyance of a

communication on an electronic communications network or for the billing thereof;

i) ‘location data’ shall mean any data processed in an electronic communications network,

indicating the geographic position of the terminal equipment of a user of a publicly available

electronic communications service;

l) ‘value added service’ shall mean any service which requires the processing of traffic data or

location data other than traffic data beyond what is necessary for the transmission of a

communication or the billing thereof;

 

m) ‘electronic mail’ shall mean any text, voice, sound or image message sent over a public

communications network, which can be stored in the network or in the recipient’s terminal

equipment until it is collected by the recipient.

3. And for the purposes of this Code,

a) ‘minimum measures’ shall mean the technical, informational, organizational, logistics and

procedural security measures affording the minimum level of protection which is required by

having regard to the risks mentioned in Section 31;

b) ‘electronic means’ shall mean computers, computer software and any electronic and/or

automated device used for performing the processing;

c) “computerised authentication” shall mean a set of electronic tools and procedures to verify

identity also indirectly,

d) “authentication credentials” shall mean the data and devices in the possession of a person,

whether known by or uniquely related to the latter, that are used for computer authentication,

e) “password” shall mean the component of an authentication credential associated with and known

to a person, consisting of a sequence of characters or other data in electronic format,

f) “authorisation profile” shall mean the information uniquely associated with a person that allows

determining the data that may be accessed by said person as well as the processing operations said

person may perform,

g) “authorisation system” shall mean the tools and procedures enabling access to the data and the

relevant processing mechanisms as a function of the requesting party’s authorisation profile.

4. For the purposes of this Code,

a) "historical purposes" shall mean purposes related to studies, investigations, research and

documentation concerning characters, events and situations of the past;

b) "statistical purposes" shall mean purposes related to statistical investigations or the production of

statistical results, also by means of statistical information systems;

c) "scientific purposes" shall mean purposes related to studies and systematic investigations that are

aimed at developing scientific knowledge in a given sector.

Section 5

(Subject-Matter and Scope of Application)

1. This Code shall apply to the processing of personal data, including data held abroad, where the

processing is performed by any entity established either in the State’s territory or in a place that is

under the State’s sovereignty.

 

2. This Code shall also apply to the processing of personal data that is performed by an entity

established in the territory of a country outside the European Union, where said entity makes use in

connection with the processing of equipment, whether electronic or otherwise, situated in the

State’s territory, unless such equipment is used only for purposes of transit through the territory of

the European Union. If this Code applies, the data controller shall designate a representative

established in the State’s territory with a view to implementing the provisions concerning

processing of personal data.

3. This Code shall only apply to the processing of personal data carried out by natural persons for

exclusively personal purposes if the data are intended for systematic communication or

dissemination. The provisions concerning liability and security referred to in Sections 15 and 31

shall apply in any case.

Section 6

(Regulations Applying to Processing Operations)

1. The provisions contained in this Part shall apply to any processing operations except as specified

in connection with some processing operations by the provisions contained in Part II that amend

and/or supplement those laid down herein.

TITLE II – DATA SUBJECT’S RIGHTS

Section 7

(Right to Access Personal Data and Other Rights)

1. A data subject shall have the right to obtain confirmation as to whether or not personal data

concerning him exist, regardless of their being already recorded, and communication of such data in

intelligible form.

2. A data subject shall have the right to be informed

a) of the source of the personal data;

b) of the purposes and methods of the processing;

c) of the logic applied to the processing, if the latter is carried out with the help of electronic

means;

d) of the identification data concerning data controller, data processors and the

representative designated as per Section 5(2);

 

e) of the entities or categories of entity to whom or which the personal data may be

communicated and who or which may get to know said data in their capacity as designated

representative(s) in the State’s territory, data processor(s) or person(s) in charge of the processing.

3. A data subject shall have the right to obtain

a) updating, rectification or, where interested therein, integration of the data;

b) erasure, anonymization or blocking of data that have been processed unlawfully,

including data whose retention is unnecessary for the purposes for which they have been collected

or subsequently processed;

c) certification to the effect that the operations as per letters a) and b) have been notified, as

also related to their contents, to the entities to whom or which the data were communicated or

disseminated, unless this requirement proves impossible or involves a manifestly disproportionate

effort compared with the right that is to be protected.

4. A data subject shall have the right to object, in whole or in part,

a) on legitimate grounds, to the processing of personal data concerning him/her, even though

they are relevant to the purpose of the collection;

b) to the processing of personal data concerning him/her, where it is carried out for the

purpose of sending advertising materials or direct selling or else for the performance of market or

commercial communication surveys.

Section 8

(Exercise of Rights)

1. The rights referred to in Section 7 may be exercised by making a request to the data controller or

processor without formalities, also by the agency of a person in charge of the processing. A suitable

response shall be provided to said request without delay.

2. The rights referred to in Section 7 may not be exercised by making a request to the data controller

or processor, or else by lodging a complaint in pursuance of Section 145, if the personal data are

processed:

a) pursuant to the provisions of decree-law no. 143 of 3 May 1991, as converted, with

amendments, into Act no. 197 of 5 July 1991 and subsequently amended, concerning money

laundering;

b) pursuant to the provisions of decree-law no. 419 of 31 December 1991, as converted, with

amendments, into Act no. 172 of 18 February 1992 and subsequently amended, concerning support

for victims of extortion;

c) by parliamentary Inquiry Committees set up as per Article 82 of the Constitution;

 

d) by a public body other than a profit-seeking public body, where this is expressly required

by a law for purposes exclusively related to currency and financial policy, the system of payments,

control of brokers and credit and financial markets and protection of their stability;

e) in pursuance of Section 24(1), letter f), as regards the period during which performance

of the investigations by defence counsel or establishment of the legal claim might be actually and

concretely prejudiced;

f) by providers of publicly available electronic communications services in respect of

incoming phone calls, unless this may be actually and concretely prejudicial to performance of the

investigations by defence counsel as per Act no. 397 of 7 December 2000;

g) for reasons of justice by judicial authorities at all levels and of all instances as well as by

the Higher Council of the Judiciary or other self-regulatory bodies, or else by the Ministry of

Justice;

h) in pursuance of Section 53, without prejudice to Act no. 121 of 1 April 1981.

3. In the cases referred to in paragraph 2, letters a), b), d), e) and f), the Garante, also following a

report submitted by the data subject, shall act as per Sections 157, 158 and 159; in the cases referred

to in letters c), g) and h) of said paragraph, the Garante shall act as per Section 160.

4. Exercise of the rights referred to in Section 7 may be permitted with regard to data of non-objective

character on condition that it does not concern rectification of or additions to personal

evaluation data in connection with judgments, opinions and other types of subjective assessment, or

else the specification of policies to be implemented or decision-making activities by the data

controller.

Section 9

(Mechanisms to Exercise Rights)

1. The request addressed to the data controller or processor may also be conveyed by means of a

registered letter, facsimile or e-mail. The Garante may specify other suitable arrangements with

regard to new technological solutions. If the request is related to exercise of the rights referred to in

Section 7(1) and (2), it may also be made verbally; in this case, it will be written down in summary

fashion by either a person in charge of the processing or the data processor.

2. The data subject may grant, in writing, power of attorney or representation to natural persons,

bodies, associations or organisations in connection with exercise of the rights as per Section 7. The

data subject may also be assisted by a person of his/her choice.

3. The rights as per Section 7, where related to the personal data concerning a deceased, may be

exercised by any entity that is interested therein or else acts to protect a data subject or for family-related

reasons deserving protection.

 

4. The data subject’s identity shall be verified on the basis of suitable information, also by means of

available records or documents or by producing or attaching a copy of an identity document. The

person acting on instructions from the data subject must produce or attach a copy of either the proxy

or the letter of attorney, which shall have been undersigned by the data subject in the presence of a

person in charge of the processing or else shall bear the data subject's signature and be produced

jointly with a copy of an ID document from the data subject, which shall not have to be certified true

pursuant to law. If the data subject is a legal person, a body or association, the relevant request shall

be made by the natural person that is legally authorized thereto based on the relevant regulations or

articles of association.

5. The request referred to in Section 7(1) and (2) may be worded freely without any constraints and

may be renewed at intervals of not less than ninety days, unless there are well-grounded reasons.

Section 10

(Response to Data Subjects)

1. With a view to effectively exercising the rights referred to in Section 7, data controllers shall

take suitable measures in order to, in particular,

a) facilitate access to personal data by the data subjects, even by means of ad hoc software

allowing accurate retrieval of the data concerning individual identified or identifiable data subjects;

b) simplify the arrangements and reduce the delay for the responses, also with regard to

public relations departments or offices.

2. The data processor or the person(s) in charge of the processing shall be responsible for retrieval

of the data, which may be communicated to the requesting party also verbally, or else displayed by

electronic means - on condition that the data are easily intelligible in such cases also in the light of

the nature and amount of the information. The data shall be reproduced on paper or magnetic media,

or else transmitted via electronic networks, whenever this is requested.

3. The response provided to the data subject shall include all the personal data concerning him/her

that are processed by the data controller, unless the request concerns either a specific processing

operation or specific personal data or categories of personal data. If the request is made to a health

care professional or health care body, Section 84(1) shall apply.

4. If data retrieval is especially difficult, the response to the data subject’s request may also consist

in producing or delivering copy of records and documents containing the personal data at stake.

5. The right to obtain communication of the data in intelligible form does not apply to personal data

concerning third parties, unless breaking down the processed data or eliminating certain items from

the latter prevents the data subject’s personal data from being understandable.

6. Data are communicated in intelligible form also by using legible handwriting. If codes or

abbreviations are communicated, the criteria for understanding the relevant meanings shall be made

available also by the agency of the persons in charge of the processing.

 

7. Where it is not confirmed that personal data concerning the data subject exist, further to a request

as per Section 7(1) and (2), letters a), b) and c), the data subject may be charged a fee which shall

not be in excess of the costs actually incurred for the inquiries made in the specific case.

8. The fee referred to in paragraph 7 may not be in excess of the amount specified by the Garante in

a generally applicable provision, which may also refer to a lump sum to be paid in case the data are

processed by electronic means and the response is provided verbally. Through said instrument the

Garante may also provide that the fee may be charged if the personal data are contained on special

media whose reproduction is specifically requested, or else if a considerable effort is required by

one or more data controllers on account of the complexity and/or amount of the requests and

existence of data concerning the data subject can be confirmed.

9. The fee referred to in paragraphs 7 and 8 may also be paid by bank or postal draft, or else by

debit or credit card, if possible upon receiving the relevant response and anyhow within fifteen days

of said response.

TITLE III – GENERAL DATA PROCESSING RULES

CHAPTER I – RULES APPLYING TO ALL PROCESSING OPERATIONS

Section 11

(Processing Arrangements and Data Quality)

1. Personal data undergoing processing shall be:

a) processed lawfully and fairly;

b) collected and recorded for specific, explicit and legitimate purposes and used in further

processing operations in a way that is not inconsistent with said purposes;

c) accurate and, when necessary, kept up to date;

d) relevant, complete and not excessive in relation to the purposes for which they are

collected or subsequently processed;

e) kept in a form which permits identification of the data subject for no longer than is

necessary for the purposes for which the data were collected or subsequently processed.

2. Any personal data that is processed in breach of the relevant provisions concerning the

processing of personal data may not be used.

 

Section 12

(Codes of Conduct and Professional Practice)

1. The Garante shall encourage, within the framework of the categories concerned and in

conformity with the principle of representation, by having regard to the guidelines set out in

Council of Europe recommendations on the processing of personal data, the drawing up of codes of

conduct and professional practice for specific sectors, verify their compliance with laws and

regulations by also taking account of the considerations made by the entities concerned, and

contribute to adoption of and compliance with such codes.

2. The Garante shall be responsible for having the codes published in the Official Journal of the

Italian Republic; the codes shall be included into Annex A) to this Code based on a decree by the

Minister of Justice.

3. Compliance with the provisions included in the codes referred to in paragraph 1 shall be a

prerequisite for the processing of personal data by public and private entities to be lawful.

4. The provisions of this Section shall also apply to the code of conduct on the processing of data

for journalistic purposes as adopted further to the encouragement provided by the Garante in

pursuance of paragraph 1 and Section 139.

Section 13

(Information to Data Subjects)

1. The data subject as well as any entity from whom or which personal data are collected shall be

preliminarily informed, either orally or in writing, as to:

a) the purposes and modalities of the processing for which the data are intended;

b) the obligatory or voluntary nature of providing the requested data;

c) the consequences if (s)he fails to reply;

d) the entities or categories of entity to whom or which the data may be communicated, or

who/which may get to know the data in their capacity as data processors or persons in charge of the

processing, and the scope of dissemination of said data;

e) the rights as per Section 7;

f) the identification data concerning the data controller and, where designated, the data

controller’s representative in the State’s territory pursuant to Section 5 and the data processor. If

several data processors have been designated by the data controller, at least one among them shall

be referred to and either the site on the communications network or the mechanisms for easily

accessing the updated list of data processors shall be specified. If a data processor has been

designated to provide responses to data subjects in case the rights as per Section 7 are exercised,

such data processor shall be referred to.

2. The information as per paragraph 1 shall also contain the items referred to in specific provisions

of this Code and may fail to include certain items if the latter are already known to the entity

providing the data or their knowledge may concretely impair supervisory or control activities

carried out by public bodies for purposes related to defence or State security, or else for the

prevention, suppression or detection of offences.

3. The Garante may issue a provision to set out simplified information arrangements as regards, in

particular, telephone services providing assistance and information to the public.

4. Whenever the personal data are not collected from the data subject, the information as per

paragraph 1, also including the categories of processed data, shall be provided to the data subject at

the time of recording such data or, if their communication is envisaged, no later than when the data

are first communicated.

5. Paragraph 4 shall not apply

a) if the data are processed in compliance with an obligation imposed by a law, regulations

or Community legislation;

b) if the data are processed either for carrying out the investigations by defence counsel as

per Act no. 397 of 07.12.2000 or to establish or defend a legal claim, provided that the data are

processed exclusively for said purposes and for no longer than is necessary therefor;

c) if the provision of information to the data subject involves an effort that is declared by the

Garante to be manifestly disproportionate compared with the right to be protected, in which case the

Garante shall lay down suitable measures, if any, or if it proves impossible in the opinion of the

Garante.

Section 14

(Profiling of Data Subjects and Their Personality)

1. No judicial or administrative act or measure involving the assessment of a person’s conduct may

be based solely on the automated processing of personal data aimed at defining the data subject’s

profile or personality.

2. The data subject may challenge any other decision that is based on the processing referred to in

paragraph 1, pursuant to Section 7(4), letter a), unless such decision has been taken for the

conclusion or performance of a contract, further to a proposal made by the data subject or on the

basis of adequate safeguards laid down either by this Code or in a provision issued by the Garante

in pursuance of Section 17.

Section 15

(Damage Caused on Account of the Processing)

1. Whoever causes damage to another as a consequence of the processing of personal data shall be

liable to pay damages pursuant to Section 2050 of the Civil Code.

2. Compensation for non-pecuniary damage shall be also due upon infringement of Section 11.

Section 16

(Termination of Processing Operations)

1. Should data processing be terminated, for whatever reason, the data shall be

a) destroyed;

b) assigned to another data controller, provided they are intended for processing under terms

that are compatible with the purposes for which the data have been collected;

c) kept for exclusively personal purposes, without being intended for systematic

communication or dissemination;

d) kept or assigned to another controller for historical, scientific or statistical purposes, in

compliance with laws, regulations, Community legislation and the codes of conduct and

professional practice adopted in pursuance of Section 12.

2. Assignment of data in breach either of paragraph 1, letter b), or of other relevant provisions

applying to the processing of personal data shall be void.

Section 17

(Processing Operations Carrying Specific Risks)

1. Processing of data other than sensitive and judicial data shall be allowed in accordance with such

measures and precautions as are laid down to safeguard data subjects, if the processing is likely to

present specific risks to data subjects’ fundamental rights and freedoms and dignity on account of

the nature of the data, the arrangements applying to the processing or the effects the latter may

produce.

2. The measures and precautions referred to in paragraph 1 shall be laid down by the Garante on the

basis of the principles set out in this Code within the framework of a check to be performed prior to

start of the processing as also related to specific categories of data controller or processing,

following the request, if any, submitted by the data controller.

CHAPTER II – ADDITIONAL RULES APPLYING TO PUBLIC BODIES

Section 18

(Principles Applying to All Processing Operations Performed by Public Bodies)

1. The provisions of this Chapter shall apply to all public bodies except for profit-seeking public

bodies.

2. Public bodies shall only be permitted to process personal data in order to discharge their

institutional tasks.

3. In processing the data, public bodies shall abide by the prerequisites and limitations set out in this

Code, by having also regard to the different features of the data, as well as in laws and regulations.

4. Subject to the provisions of Part II as applying to health care professionals and public health care

organisations, public bodies shall not be required to obtain the data subject’s consent.

5. The provisions laid down in Section 25 as for communication and dissemination shall apply.

Section 19

(Principles Applying to the Processing of Data Other Than Sensitive and Judicial Data)

1. Public bodies may process data other than sensitive and judicial data also in the absence of laws

or regulations providing expressly for such processing, subject to Section 18(2).

2. Communication by a public body to other public bodies shall be permitted if it is envisaged by

laws or regulations. Failing such laws or regulations, communication shall be permitted if it is

necessary in order to discharge institutional tasks and may be started upon expiry of the term

referred to in Section 39(2) if it has not been provided otherwise as specified therein.

3. Communication by a public body to private entities or profit-seeking public bodies as well as

dissemination by a public body shall only be permitted if they are provided for by laws or

regulations.

Section 20

(Principles Applying to the Processing of Sensitive Data)

1. Processing of sensitive data by public bodies shall only be allowed where it is expressly

authorised by a law specifying the categories of data that may be processed and the categories of

operation that may be performed as well as the substantial public interest pursued.

2. Whenever the substantial public interest is specified by a law in which no reference is made to

the categories of sensitive data and the operations that may be carried out, processing shall only be

allowed with regard to the categories of data and operation that have been specified and made

public by the entities processing such data, having regard to the specific purposes sought in the

individual cases and in compliance with the principles referred to in Section 22, via regulations or

regulations-like instruments that shall be adopted pursuant to the opinion rendered by the Garante

under Section 154(1), letter g), also on the basis of draft models.

3. If the processing is not provided for expressly by a law, public bodies may request the Garante to

determine the activities that pursue a substantial public interest among those they are required to

discharge under the law. Processing of sensitive data shall be authorised in pursuance of Section

26(2) with regard to said activities, however it shall only be allowed if the public bodies also

specify and make public the categories of data and operation in the manner described in paragraph

2.

4. The specification of the categories of data and operation referred to in paragraphs 2 and 3 shall be

updated and supplemented regularly.

Section 21

(Principles Applying to the Processing of Judicial Data)

1. Processing of judicial data by public bodies shall only be permitted where expressly authorized

by a law or an order of the Garante specifying the purposes in the substantial public interest

underlying such processing, the categories of data to be processed and the operations that may be

performed.

2. Section 20(2) and (4) shall also apply to processing of judicial data.

Section 22

(Principles Applying to the Processing of Sensitive Data as well as to Judicial Data)

1. Public bodies shall process sensitive and judicial data in accordance with arrangements aimed at

preventing breaches of data subjects’ rights, fundamental freedoms and dignity.

2. When informing data subjects as per Section 13, public bodies shall expressly refer to the

provisions setting out the relevant obligations or tasks, on which the processing of sensitive and

judicial data is grounded.

3. Public bodies may process exclusively such sensitive and judicial data as are indispensable for

them to discharge institutional tasks that cannot be performed, on a case by case basis, by

processing anonymous data or else personal data of a different nature.

4. Sensitive and judicial data shall be collected, as a rule, from the data subject.

5. In pursuance of Section 11(1), letters c), d) and e), public bodies shall regularly check that

sensitive and judicial data are accurate and updated, and that they are relevant, complete, not

excessive and indispensable with regard to the purposes sought in the individual cases - including

the data provided on the data subject's initiative. With a view to ensuring that sensitive and judicial

data are indispensable in respect of their obligations and tasks, public bodies shall specifically

consider the relationship between data and tasks to be fulfilled. No data that is found to be

excessive, irrelevant or unnecessary, also as a result of the above checks, may be used, except for

the purpose of keeping - pursuant to law - the record or document containing said data. Special care

shall be taken in checking that sensitive and judicial data relating to entities other than those which

are directly concerned by the service provided or the tasks to be fulfilled are indispensable.

6. Sensitive or judicial data that are contained in lists, registers or data banks kept with electronic

means shall be processed by using encryption techniques, identification codes or any other system

such as to make the data temporarily unintelligible also to the entities authorised to access them and

allow identification of the data subject only in case of necessity, by having regard to amount and

nature of the processed data.

7. Data disclosing health and sex life shall be kept separate from any other personal data that is

processed for purposes for which they are not required. Said data shall be processed in accordance

with the provisions laid down in paragraph 6 also if they are contained in lists, registers or data

banks that are kept without the help of electronic means.

8. Data disclosing health may not be disseminated.

9. As for the sensitive and judicial data that are necessary pursuant to paragraph 3, public bodies

shall be authorized to carry out exclusively such processing operations as are indispensable to

achieve the purposes for which the processing is authorized, also if the data are collected in

connection with discharging supervisory, control or inspection tasks.

10. Sensitive and judicial data may not be processed within the framework of psychological and

behavioural tests aimed at defining the data subject’s profile or personality. Sensitive and judicial

data may only be matched as well as processed in pursuance of Section 14 if the grounds therefor

are preliminarily reported in writing.

11. In any case, the operations and processing referred to in paragraph 10, if performed by using

data banks from different data controllers, as well as the dissemination of judicial and sensitive data

shall only be allowed if they are expressly provided for by law.

12. This Section shall set out principles that are applicable to the processing operations provided for

by the Office of the President of the Republic, the Chamber of Deputies, the Senate of the Republic

and the Constitutional Court, in pursuance of their respective regulations.

CHAPTER III – ADDITIONAL RULES APPLYING TO PRIVATE BODIES AND PROFIT-SEEKING PUBLIC BODIES

Section 23

(Consent)

1. Processing of personal data by private entities or profit-seeking public bodies shall only be

allowed if the data subject gives his/her express consent.

2. The data subject’s consent may refer either to the processing as a whole or to one or more of the

operations thereof.

3. The data subject’s consent shall only be deemed to be effective if it is given freely and

specifically with regard to a clearly identified processing operation, if it is documented in writing,

and if the data subject has been provided with the information referred to in Section 13.

4. Consent shall be given in writing if the processing concerns sensitive data.

Section 24

(Cases in Which No Consent Is Required for Processing Data)

1. Consent shall not be required in the cases referred to in Part II as well as if the processing

a) is necessary to comply with an obligation imposed by a law, regulations or Community

legislation;

b) is necessary for the performance of obligations resulting from a contract to which the data

subject is a party, or else in order to comply with specific requests made by the data subject prior to

entering into a contract;

c) concerns data taken from public registers, lists, documents or records that are publicly

available, without prejudice to the limitations and modalities laid down by laws, regulations and

Community legislation with regard to their disclosure and publicity;

d) concerns data relating to economic activities that are processed in compliance with the

legislation in force as applying to business and industrial secrecy;

e) is necessary to safeguard life or bodily integrity of a third party. If this purpose concerns

the data subject and the latter cannot give his/her consent because (s)he is physically unable to do

so, legally incapable or unable to distinguish right and wrong, the consent shall be given by the

entity legally representing the data subject, or else by a next of kin, a family member, a person

cohabiting with the data subject or, failing these, the manager of the institution where the data

subject is hosted. Section 82(2) shall apply;

f) is necessary for carrying out the investigations by defence counsel referred to in Act no.

397 of 07.12.2000, or else to establish or defend a legal claim, provided that the data are processed

exclusively for said purposes and for no longer than is necessary therefor by complying with the

legislation in force concerning business and industrial secrecy, dissemination of the data being ruled

out;

g) is necessary to pursue a legitimate interest of either the data controller or a third party

recipient in the cases specified by the Garante on the basis of the principles set out under the law,

also with regard to the activities of banking groups and subsidiaries or related companies, unless

said interest is overridden by the data subject’s rights and fundamental freedoms, dignity or

legitimate interests, dissemination of the data being ruled out;

h) except for external communication and dissemination, is carried out by no-profit

associations, bodies or organisations, recognised or not, with regard either to entities having regular

contacts with them or to members in order to achieve specific, lawful purposes as set out in the

relevant memorandums, articles of association or collective agreements, whereby the mechanisms

of utilisation are laid down expressly in a resolution that is notified to data subjects with the

information notice provided for by Section 13;

i) is necessary exclusively for scientific and statistical purposes in compliance with the

respective codes of professional practice referred to in Annex A), or else exclusively for historical

purposes in connection either with private archives that have been declared to be of considerable

historical interest pursuant to Section 6(2) of legislative decree no. 499 of 29 October 1999,

adopting the consolidated statute on cultural and environmental heritage, or with other private

archives pursuant to the provisions made in the relevant codes.

Section 25

(Bans on Communication and Dissemination)

1. Communication and dissemination shall be prohibited if an order to this effect has been issued by

either the Garante or judicial authorities, as well as

a) with regard to personal data that must be erased by order, or else upon expiry of the term

referred to in Section 11(1), letter e),

b) for purposes other than those specified in the notification, whenever the latter is to be

submitted.

2. This shall be without prejudice to communication and dissemination of the data as requested,

pursuant to law, by police, judicial authorities, intelligence and security agencies and other public

bodies according to Section 58(2), for purposes of defence or relating to State security, or for the

prevention, detection or suppression of offences.

Section 26

(Safeguards Applying to Sensitive Data)

1. Sensitive data may only be processed with the data subject’s written consent and the Garante’s

prior authorisation, by complying with the prerequisites and limitations set out in this Code as well

as in laws and regulations.

2. The Garante shall communicate its decision concerning the request for authorisation within forty-

five days; failing a communication at the expiry of said term, the request shall be regarded as

dismissed. Along with the authorisation or thereafter, based also on verification, the Garante may

provide for measures and precautions in order to safeguard the data subject, which the data

controller shall be bound to apply.

3. Paragraph 1 shall not apply to processing

a) of the data concerning members of religious denominations and entities having regular

contact with said denominations for exclusively religious purposes, on condition that the data are

processed by the relevant organs or bodies recognised under civil law and are not communicated or

disseminated outside said denominations. The latter shall lay down suitable safeguards with regard

to the processing operations performed by complying with the relevant principles as set out in an

authorisation by the Garante;

b) of the data concerning affiliation of trade unions and/or trade associations or

organisations to other trade unions and/or trade associations, organisations or confederations.

4. Sensitive data may also be processed without consent, subject to the Garante’s authorisation,

a) if the processing is carried out for specific, lawful purposes as set out in the relevant

memorandums, articles of association or collective agreements by not-for-profit associations, bodies

or organisations, whether recognised or not, of political, philosophical, religious or trade-unionist

nature, including political parties and movements, with regard to personal data concerning members

and/or entities having regular contacts with said associations, bodies or organisations in connection

with the aforementioned purposes, provided that the data are not communicated or disclosed outside

and the bodies, associations or organisations lay down suitable safeguards in respect of the

processing operations performed by expressly setting out the arrangements for using the data

through a resolution that shall be made known to data subjects at the time of providing the

information under Section 13;

b) if the processing is necessary to protect a third party’s life or bodily integrity. If this

purpose concerns the data subject and the latter cannot give his/her consent because (s)he is

physically unable to do so, legally incapable or unable to distinguish right and wrong, the consent

shall be given by the entity legally representing the data subject, or else by a next of kin, a family

member, a person cohabiting with the data subject or, failing these, the manager of the institution

where the data subject is hosted. Section 82(2) shall apply;

c) if the processing is necessary for carrying out the investigations by defence counsel

referred to in Act no. 397 of 07.12.2000, or else to establish or defend a legal claim, provided that

the data are processed exclusively for said purposes and for no longer than is necessary therefor.

Said claim must not be overridden by the data subject’s claim, or else must consist in a personal

right or another fundamental, inviolable right or freedom, if the data can disclose health and sex

life;

d) if the processing is necessary to comply with specific obligations and/or tasks laid down

by laws, regulations or Community legislation in the employment context, also with regard to

occupational and population hygiene and safety and to social security and assistance purposes, to

the extent that it is provided for in the authorisation and subject to the requirements of the code of

conduct and professional practice referred to in Section 111.

5. Data disclosing health may not be disseminated.

Section 27

(Safeguards Applying to Judicial Data)

1. Processing of judicial data by private entities and profit-seeking public bodies shall be permitted

only where expressly authorized by a law or an order by the Garante specifying the reasons in the

substantial public interest underlying such processing, the categories of processed data and the

operations that may be performed.

TITLE IV – ENTITIES PERFORMING PROCESSING OPERATIONS

Section 28

(Data Controller)

1. Whenever processing operations are carried out by a legal person, a public administrative agency

or any other body, association or organisation, the data controller shall be either the entity as a

whole or the department or peripheral unit having fully autonomous decision-making powers in

respect of purposes and mechanisms of said processing operations as also related to security

matters.

Section 29

(Data Processor)

1. The data processor may be designated by the data controller on an optional basis.

2. Where designated, the data processor shall be selected among entities that can appropriately

ensure, on account of their experience, capabilities and reliability, thorough compliance with the

provisions in force applying to processing as also related to security matters.

3. If necessary on account of organizational requirements, several entities may be designated as data

processors also by subdividing the relevant tasks.

4. The tasks committed to the data processor shall be detailed in writing by the data controller.

5. The data processor shall abide by the instructions given by the data controller in carrying out the

processing. The data controller shall supervise over thorough compliance with both said instructions

and the provisions referred to in paragraph 2, also by means of regular controls.

Section 30

(Persons in Charge of the Processing)

1. Processing operations may only be performed by persons in charge of the processing that act

under the direct authority of either the data controller or the data processor by complying with the

instructions received.

2. The aforementioned persons shall be nominated in writing by specifically referring to the scope

of the processing operations that are permitted. This requirement shall be also fulfilled if a natural

person is entrusted with the task of directing a department, on a documentary basis, whereby the

scope of the processing operations that may be performed by the staff working in said department

has been specified in writing.

TITLE V – DATA AND SYSTEM SECURITY

CHAPTER I – SECURITY MEASURES

Section 31

(Security Requirements)

1. Personal data undergoing processing shall be kept and controlled, also in consideration of

technological innovations, of their nature and the specific features of the processing, in such a way

as to minimise, by means of suitable preventative security measures, the risk of their destruction or

loss, whether by accident or not, of unauthorized access to the data or of processing operations that

are either unlawful or inconsistent with the purposes for which the data have been collected.

Section 32

(Specific Categories of Data Controller)

1. The provider of a publicly available electronic communications service shall take suitable

technical and organisational measures under Section 31 that are adequate in the light of the existing

risk, in order to safeguard security of its services and integrity of traffic data, location data and

electronic communications against any form of unauthorised utilisation or access.

2. Whenever security of service or personal data makes it necessary to also take measures applying

to the network, the provider of a publicly available electronic communications service shall take

those measures jointly with the provider of the public communications network. Failing an

agreement between said providers, the dispute shall be settled, at the instance of either provider, by

the Authority for Communications Safeguards in pursuance of the arrangements set out in the

legislation in force.

3. In case of a particular risk of a breach of network security, the provider of a publicly available

electronic communications service shall inform subscribers and, if possible, users concerning said

risk and, when the risk lies outside the scope of the measures to be taken by said provider pursuant

to paragraphs 1 and 2, of all the possible remedies including an indication of the likely costs

involved. This information shall be also provided to the Garante and the Authority for

Communications Safeguards.

CHAPTER II – MINIMUM SECURITY MEASURES

Section 33

(Minimum Security Measures)

1. Within the framework of the more general security requirements referred to in Section 31, or else

provided for by specific regulations, data controllers shall be required in any case to adopt the

minimum security measures pursuant either to this Chapter or to Section 58(3) in order to ensure a

minimum level of personal data protection.

Section 34

(Processing by Electronic Means)

1. Processing personal data by electronic means shall only be allowed if the minimum security

measures referred to below are adopted in accordance with the arrangements laid down in the

technical specifications as per Annex B:

a) computerised authentication,

b) implementation of authentication credentials management procedures,

c) use of an authorisation system,

d) regular update of the specifications concerning scope of the processing operations that

may be performed by the individual entities in charge of managing and/or maintaining electronic

means,

e) protection of electronic means and data against unlawful data processing operations,

unauthorised access and specific software,

f) implementation of procedures for safekeeping backup copies and restoring data and

system availability,

g) keeping an up-to-date security policy document,

h) implementation of encryption techniques or identification codes for specific processing

operations performed by health care bodies in respect of data disclosing health and sex life.

Section 35

(Processing without Electronic Means)

1. Processing personal data without electronic means shall only be allowed if the minimum security

measures referred to below are adopted in accordance with the arrangements laid down in the

technical specifications as per Annex B:

a) regular update of the specifications concerning scope of the processing operations that

may be performed by the individual entities in charge of the processing and/or by the individual

organisational departments,

b) implementing procedures such as to ensure safekeeping of records and documents

committed to the entities in charge of the processing for the latter to discharge the relevant tasks,

c) implementing procedures to keep certain records in restricted-access filing systems and

regulating access mechanisms with a view to enabling identification of the entities in charge of the

processing.

Section 36

(Upgrading)

1. The technical specifications as per Annex B concerning the minimum measures referred to in this

Chapter shall be regularly updated by a decree of the Minister of Justice issued in agreement with

the Minister for Innovation and Technologies by having regard to both technical developments and

the experience gathered in this sector.

TITLE VI – PERFORMANCE OF SPECIFIC TASKS

Section 37

(Notification of the Processing)

1. A data controller shall notify the processing of personal data he/she intends to perform

exclusively if said processing concerns:

a) genetic data, biometric data, or other data disclosing geographic location of individuals or

objects by means of an electronic communications network,

b) data disclosing health and sex life where processed for the purposes of assisted

reproduction, provision of health care services via electronic networks in connection with data banks

and/or the supply of goods, epidemiological surveys, diagnosis of mental, infectious and epidemic

diseases, seropositivity, organ and tissue transplantation and monitoring of health care expenditure,

c) data disclosing sex life and the psychological sphere where processed by not-for-profit

associations, bodies or organisations, whether recognised or not, of a political, philosophical,

religious or trade-union character,

d) data processed with the help of electronic means aimed at profiling the data subject and/or

his/her personality, analysing consumption patterns and/or choices, or monitoring use of electronic

communications services except for such processing operations as are technically indispensable to

deliver said services to users,

e) sensitive data stored in data banks for personnel selection purposes on behalf of third

parties, as well as sensitive data used for opinion polls, market surveys and other sample-based

surveys,

f) data stored in ad-hoc data banks managed by electronic means in connection with

creditworthiness, assets and liabilities, appropriate performance of obligations, and unlawful and/or

fraudulent conduct.

2. The Garante may specify, by means of a decision that shall be adopted also in pursuance of

Section 17, additional processing operations that are liable to affect the data subjects’ rights and

freedoms on account of the relevant mechanisms and/or the nature of the personal data at stake. By

means of a similar decision to be published in the Official Journal of the Italian Republic, the

Garante may also specify the processing operations among those referred to in paragraph 1 that are

not liable to be prejudicial in the way described above and are therefore exempted from notification.

3. The notification shall be submitted by means of a single form also if the processing entails

transborder data flows.

4. The Garante shall enter the notifications submitted as above into a publicly available register of

processing operations and shall set out the mechanisms for such register to be interrogated free of

charge via electronic networks, also by means of agreements with public bodies or else at the Office

of the Garante. Any information that is accessed by interrogating said register may only be

processed for the purpose of implementing personal data protection legislation.

Section 38

(Notification Mechanisms)

1. The notification of processing operations shall have to be submitted to the Garante in advance of

the processing and once only, regardless of the number of operations to be performed and the

duration of the processing, and may concern one or more processing operations for related

purposes.

2. A notification shall only be effective if it is transmitted via electronic networks by using the form

made available by the Garante and following the latter’s instructions, also with regard to the

arrangements applying to digital signature and receipt confirmation.

3. The Garante shall enhance both availability of the electronic form and submission of notifications

also by means of agreements with authorised entities pursuant to the legislation in force, including

trade associations and professional councils.

4. A new notification shall only have to be submitted either prior to termination of processing

operations or in connection with the modification of any of the items to be specified in the

notification.

5. The Garante may set out further appropriate arrangements for notification by having regard to

new technological solutions as referred to in the legislation in force.

6. Where a data controller is not required to submit a notification to the Garante in pursuance of

Section 37, he/she shall make available the information contained in the form as per paragraph 2 to

any person requesting it, unless the processing operations concern public registers, lists, records or

publicly available documents.

Section 39

(Communication Obligations)

1. Data controllers shall be required to communicate what follows in advance to the Garante:

a) that personal data are to be communicated by a public body to another public body in the

absence of specific laws or regulations, irrespective of the form taken by such communication and

also in case the latter is based on an agreement,

b) that data disclosing health are to be processed in pursuance of the biomedical or health

care research programme referred to in Section 110(1), first sentence.

2. The processing operations that are the subject of a communication as per paragraph 1 may start

after 45 days have elapsed since receipt of the relevant communication, except as provided

otherwise by the Garante also thereafter.

3. The communication as per paragraph 1 shall be given by using the form drawn up and made

available by the Garante; it shall be transmitted to the latter either electronically in compliance with

the digital signature and receipt confirmation mechanisms outlined in Section 38(2), or by

fac-simile or registered letter.

Section 40

(General Authorisations)

1. The provisions of this Code referring to an authorisation to be granted by the Garante shall also

be implemented by issuing authorisations applying to specific categories of data controller or

processing, which shall be published in the Official Journal of the Italian Republic.

Section 41

(Authorisation Requests)

1. Data controllers falling under the scope of application of an authorisation issued pursuant to

Section 40 shall not be required to lodge an authorisation request with the Garante if the processing

they plan to perform is compliant with the relevant provisions.

2. If an authorisation request concerns a processing operation that has been authorised pursuant to

Section 40, the Garante may decide nevertheless to take steps regarding said request on account of

the specific modalities of the processing.

3. Any authorisation request shall be submitted by using exclusively the form drawn up and made

available by the Garante, and shall be transmitted to the latter electronically in compliance with the

arrangements applying to digital signature and receipt confirmation as per Section 38(2). Said

request and authorisation may also be transmitted by fac-simile or registered letter.

4. If the requesting party is called upon by the Garante to provide information or produce

documents, the forty-five-day period referred to in Section 26(2) shall start running from the date of

expiry of the term for complying with the above request.

5. Under special circumstances, the Garante may issue a provisional, time-limited authorisation.

TITLE VII – TRANSBORDER DATA FLOWS

Section 42

(Data Flows in the EU)

1. The provisions of this Code shall not be applied in such a way as to restrict or prohibit the free

movement of personal data among EU Member States, subject to the taking of measures under this

Code in case data are transferred in order to escape application of said provisions.

Section 43

(Permitted Data Transfers to Third Countries)

1. Personal data that are the subject of processing may be transferred from the State’s territory to

countries outside the European Union, temporarily or not and in any form and by any means

whatsoever,

a) if the data subject has given his/her consent either expressly or, where the transfer

concerns sensitive data, in writing;

b) if the transfer is necessary for the performance of obligations resulting from a contract to

which the data subject is a party, or to take steps at the data subject’s request prior to entering into a

contract, or for the conclusion or performance of a contract made in the interest of the data subject;

c) if the transfer is necessary for safeguarding a substantial public interest that is referred to

by laws or regulations, or else that is specified in pursuance of Sections 20 and 21 where the

transfer concerns sensitive or judicial data;

d) if the transfer is necessary to safeguard a third party’s life or bodily integrity. If this

purpose concerns the data subject and the latter cannot give his/her consent because (s)he is

physically unable to do so, legally incapable or unable to distinguish right and wrong, the consent

shall be given by the entity legally representing the data subject, or else by a next of kin, a family

member, a person cohabiting with the data subject or, failing these, the manager of the institution

where the data subject is hosted. Section 82(2) shall apply;

e) if the transfer is necessary for carrying out the investigations by defence counsel referred

to in Act no. 397 of 07.12.2000, or else to establish or defend a legal claim, provided that the data

are transferred exclusively for said purposes and for no longer than is necessary therefor in

compliance with the legislation in force applying to business and industrial secrecy;

f) if the transfer is carried out in response to a request for access to administrative records or

for information contained in a publicly available register, list, record or document, in compliance

with the provisions applying to this subject-matter;

g) if the transfer is necessary, pursuant to the relevant codes of conduct referred to in Annex

A), exclusively for scientific or statistical purposes, or else exclusively for historical purposes, in

connection with private archives that have been declared to be of considerable historical interest

under Section 6(2) of legislative decree no. 490 of 29 October 1999, enacted to adopt the

consolidated statute on cultural and environmental heritage, or else in connection with other private

archives pursuant to the provisions made in said codes;

h) if the processing concerns data relating to legal persons, bodies or associations.

Section 44

(Other Permitted Data Transfers)

1. The transfer of processed personal data to a non-EU Member State shall also be permitted if it is

authorised by the Garante on the basis of adequate safeguards for data subjects’ rights

a) as determined by the Garante also in connection with contractual safeguards,

b) as determined via the decisions referred to in Articles 25(6) and 26(4) of Directive

95/46/EC of the European Parliament and of the Council, of 24 October 1995, through which the

European Commission may find that a non-EU Member State affords an adequate level of

protection, or else that certain contractual clauses afford sufficient safeguards.

Section 45

(Prohibited Data Transfers)

1. Apart from the cases referred to in Sections 43 and 44, it shall be prohibited to transfer personal

data that are the subject of processing from the State’s territory to countries outside the European

Union, temporarily or not and in any form and by any means whatsoever, if the laws of the country

of destination or transit of the data do not ensure an adequate level of protection of individuals.

Account shall also be taken of the methods used for the transfer and the envisaged processing

operations, the relevant purposes, nature of the data and security measures.

PART II – PROVISIONS APPLYING TO SPECIFIC SECTORS

TITLE I – PROCESSING OPERATIONS IN THE JUDICIAL SECTOR

CHAPTER I – IN GENERAL

Section 46

(Data Controllers)

1. Judicial offices at all levels and of all instances, the Higher Council of the Judiciary, the other

self-regulatory bodies and the Ministry of Justice shall act as controllers of the processing

operations concerning personal data in connection with the tasks respectively conferred on them by

laws and/or regulations.

2. The non-occasional processing operations referred to in paragraph 1 that are performed by

electronic means shall be specified in a decree by the Minister of Justice as per Annex C) to this

Code where they concern data banks that are either centralised or interconnected with regard to

several offices and/or data controllers. The provisions by which the Higher Council of the Judiciary

and the other self-regulatory bodies referred to in paragraph 1 specify the processing operations

they respectively perform shall be included into Annex C) pursuant to a decree by the Minister of

Justice.

Section 47

(Processing Operations for Purposes of Justice)

1. As for the processing of personal data carried out by judicial offices at all levels and of all

instances, by the Higher Council of the Judiciary, other self-regulatory bodies and the Ministry of

Justice, the following provisions of the Code shall not apply if the processing is carried out for

purposes of justice:

a) Sections 9, 10, 12, 13 and 16, 18 to 22, 37, 38 (paragraphs 1 to 5), and 39 to 45;

b) Sections 145 to 151.

2. For the purposes of this Code, personal data shall be considered to be processed for purposes of

justice if the processing is directly related to the judicial handling of matters and litigations, or if it

produces direct effects on the functioning of courts as regards legal and economic status of

members of the judiciary, as well as if it is related to auditing activities carried out in respect of

judicial offices. Conventional administrative and management activities regarding personnel, assets

or facilities shall not be considered to be carried out for purposes of justice if they do not affect the

secrecy of acts that are directly related to the handling of matters and litigations referred to above.

Section 48

(Data Banks of Judicial Offices)

1. Where judicial authorities at all levels and of all instances may acquire data, information, records

and documents from public bodies pursuant to the procedural regulations in force, such acquisition

may also take place electronically. To that end, judicial offices may avail themselves of the standard

agreements made by the Minister of Justice with public bodies in order to facilitate interrogation by

said offices of public registers, lists, filing systems and data banks via electronic communication

networks, whereby compliance with the relevant provisions as well as with the principles laid down

in Sections 3 and 11 of this Code shall have to be ensured.

Section 49

(Implementing Provisions)

1. The regulatory provisions required to implement the principles of this Code with regard to civil

and criminal matters shall be adopted by means of a decree of the Minister of Justice, which shall

also supplement the provisions laid down in decree no. 334 of 30 September 1989 by the Minister

of Justice.

CHAPTER II – CHILDREN

Section 50

(Reports or Images Concerning Underage Persons)

1. The prohibition to publish and disseminate, by any means whatsoever, reports or images allowing

an underage person to be identified, which is referred to in Section 13 of Presidential Decree no.

448 of 22 September 1988, shall also apply if an underage person is involved for whatever reason in

judicial proceedings concerning non-criminal matters.

CHAPTER III – LEGAL INFORMATION SERVICES

Section 51

(General Principles)

1. Without prejudice to procedural regulations on viewing and obtaining abstracts and copies of

records and documents, the data identifying matters pending before judicial authorities at all levels

and of all instances shall be made accessible to any entity interested therein also by means of

electronic communications networks, including the institutional sites of said authorities on the

Internet.

2. Judgments and other decisions of judicial authorities at all levels and of all instances that have

been deposited with the court’s clerk’s office shall be made accessible also by means of the

information systems and institutional sites of said authorities on the Internet, in compliance with the

precautions referred to in this Chapter.

Section 52

(Information Identifying Data Subjects)

1. Without prejudice to the provisions that regulate drawing up and contents of judgments and other

measures by judicial authorities at all levels and of all instances, a data subject may request on

legitimate grounds, by depositing the relevant application with either the court’s clerk’s office or

the secretariat of the authority in charge of the proceeding, prior to finalisation of the latter, that said

office or secretariat add a notice to the original text of the judgment or measure to the effect that the

data subject’s name and other identification data as reported in the judgment or measure must not be

referred to if said judgment or measure is to be reproduced in whatever form for legal information

purposes in legal journals, electronic media or else by means of electronic communication

networks.

2. The judicial authority issuing the judgment and/or taking the measure at stake shall decide on the

request referred to in paragraph 1 by an order without further formalities. Said authority may order

of its own motion that the notice as per paragraph 1 be added in order to protect data subjects’ rights

or dignity.

3. In the cases as per paragraphs 1 and 2, the court’s clerk’s office or secretariat shall add and

undersign, also by stamping it, the following notice upon depositing the relevant judgment or

measure, by also referring to this Section: “In case of disclosure, leave out name(s) and other

identification data concerning …”.

4. If judgments or other measures, or the corresponding headnotes, bearing the notice as per

paragraph 2 are disclosed also by third parties, the data subject’s name and other identification data

shall be omitted.

5. Without prejudice to Section 734-bis of the Criminal Code as applying to victims of sexual

violence, whoever discloses judgments or other measures by judicial authorities at all levels and of

all instances shall be required to omit, in any case, name(s), other identification data and other

information, also concerning third parties, that may allow detecting - directly or not - the identity of

children or else of parties to proceedings concerning family law and civil status – irrespective of the

absence of the notice referred to in paragraph 2.

6. The provisions of this Section shall also apply in case an award under Section 825 of the Civil

Procedure Code is deposited. A party may lodge the request as per paragraph 1 with the arbitrators

prior to issuing of the relevant award, and the arbitrators shall add the notice referred to in

paragraph 3 to their award also in pursuance of paragraph 2. The arbitration panel set up at the

Arbitration Chamber for Public Works under Section 32 of Act no. 109 of 11 February 1994 shall

proceed accordingly in case a party lodges the relevant request.

7. Except for the cases referred to in this Section, the contents of judgments and other judicial

measures may be disclosed in full in whatever form.

TITLE II – PROCESSING OPERATIONS BY THE POLICE

CHAPTER I – IN GENERAL

Section 53

(Scope of Application and Data Controllers)

1. The following provisions of this Code shall not apply to the processing of personal data that is

carried out either by the Data Processing Centre at the Public Security Department or by the police

with regard to the data that are intended to be transferred to said centre under the law, or by other

public bodies or public security entities for the purpose of protecting public order and security, the

prevention, detection or suppression of offences as expressly provided for by laws that specifically

refer to such processing:

a) Sections 9, 10, 12, 13 and 16, 18 to 22, 37, 38(1) to (5), and 39 to 45;

b) Sections 145 to 151.

2. The non-occasional processing operations referred to in paragraph 1 as performed by electronic

means and the relevant data controllers shall be specified in a decree by the Minister for Home

Affairs, which shall be annexed to this Code as Annex C).

Section 54

(Processing Mechanisms and Data Flows)

1. Whenever public security authorities or the police may acquire data, information, records and

documents from other entities in accordance with the laws and regulations in force, such acquisition

may also take place by electronic means. To that end, the bodies or offices concerned may avail

themselves of agreements aimed at facilitating interrogation by said bodies or offices, via electronic

communication networks, of public registers, lists, filing systems and data banks in pursuance of the

relevant provisions as well as of the principles laid down in Sections 3 and 11. Such standard

agreements shall be adopted by the Minister for Home Affairs following a favourable opinion given

by the Garante, and shall set out arrangements for connections and accesses also with a view to

ensuring selective access exclusively to the data required to achieve the purposes referred to in

Section 53.

2. The data processed for the purposes referred to in Section 53 shall be kept separately from those

that are stored for administrative purposes, which do not require their use.

3. Subject to the provisions made in Section 11, the Data Processing Centre referred to in Section

53 shall be responsible for ensuring that the personal data undergoing processing are regularly

updated, relevant and not excessive, also by interrogating – as authorised – the register held by the

Criminal Records Office and the register of pending criminal proceedings at the Ministry of Justice

pursuant to Presidential Decree no. 313 of 14 November 2002 as well as other police data banks

that are required for the purposes referred to in Section 53.

4. Police bodies, offices and headquarters shall regularly verify compliance with the requirements

referred to in Section 11 with regard to the data processed with or without electronic means, and

shall update such data also based on the procedures adopted by the Data Processing Centre in

pursuance of paragraph 3; alternatively, notices and other remarks may be added to the documents

containing the processed data if the processing is carried out without electronic means.

Section 55

(Specific Technology)

1. Where the processing of personal data carries higher risks of harming data subjects by having

regard, in particular, to genetic or biometric data banks, technology based on location data, data

banks based on particular data processing techniques and the implementation of special technology,

the measures and precautions aimed at safeguarding data subjects shall have to be complied with as

required by Section 17 and prior communication shall have to be given to the Garante as per

Section 39.

Section 56

(Safeguards for Data Subjects)

1. The provisions referred to in Section 10, paragraphs 3 to 5, of Act no. 121 of 1 April 1981 as

subsequently amended shall also apply to data that are processed with electronic means by police

bodies, offices or headquarters as well as to the data that are intended to be transferred to the Data

Processing Centre referred to in Section 53.

Section 57

(Implementing Provisions)

1. A Presidential Decree issued following a resolution by the Council of Ministers, acting on a

proposal put forward by the Minister for Home Affairs in agreement with the Minister of Justice,

shall set out the provisions implementing the principles referred to in this Code with regard to data

processing operations performed by the Data Processing Centre as well as by police bodies, offices

and headquarters for the purposes mentioned in Section 53, also with a view to supplementing and

amending Presidential Decree no. 378 of 3 May 1982, and by putting into practice Council of

Europe’s Recommendation No. R(87)15 of 17 September 1987 as subsequently modified. Said

provisions shall be set out by having regard, in particular, to

a) the principle by which data collection should be related to the specific purpose sought, in

connection with preventing a concrete danger or suppressing offences, in particular as regards

processing operations for analysis purposes,

b) regular updating of the data, also in connection with assessment operations carried out under the

law, the different arrangements applying to data that are processed without electronic means and the

mechanisms to notify the updated information to the other bodies and offices that had previously

received the original data,

c) the prerequisites to carry out processing operations on transient grounds or else in connection

with specific circumstances, also with a view to verifying data quality requirements as per Section

11, identifying data subject categories and keeping such data separate from other data for which

they are not required,

d) setting out specific data retention periods in connection with nature of the data or the means used

for processing such data as well as with the type of proceeding in whose respect they are to be

processed or the relevant measures are to be taken,

e) communication of the data to other entities, also abroad, or else with a view to exercising a right

or a legitimate interest, as well as to dissemination of the data, where this is necessary under the

law,

f) use of specific data processing and retrieval techniques, also by means of reverse search systems.

TITLE III – STATE DEFENCE AND SECURITY

CHAPTER I – IN GENERAL

Section 58

(Applicable Provisions)

1. As regards the processing operations carried out by the entities referred to in Sections 3, 4 and 6

of Act no. 801 of 24 October 1977, as well as the data to which State secret applies under Section

12 of said Act, the provisions of this Code shall apply insofar as they are set out in Sections 1 to 6,

11, 14, 15, 31, 33, 58, 154, 160 and 169.

2. As regards the processing operations carried out by public bodies for purposes of defence or

relating to State security, as expressly required by laws that specifically provide for such processing

operations, the provisions of this Code shall apply insofar as they are set out in paragraph 1 as well

as in Sections 37, 38 and 163.

3. The security measures relating to the data processed by the agencies as per paragraph 1 shall be

laid down and regularly updated in a decree by the Prime Minister’s Office in compliance with the

provisions applying to this subject matter.

4. The arrangements to implement the applicable provisions of this Code with regard to categories

of data, data subject, permitted processing operation and entities in charge of the processing, also

with a view to updating and retaining the data, shall be laid down in a decree by the Prime

Minister’s Office.

TITLE IV – PROCESSING OPERATIONS IN THE PUBLIC SECTOR

CHAPTER I – ACCESS TO ADMINISTRATIVE RECORDS

Section 59

(Access to Administrative Records)

1. Subject to the provisions made in Section 60, prerequisites for, mechanisms of, and limitations

on exercise of the right to access administrative records containing personal data, and the relevant

judicial remedies shall be regulated further by Act no. 241 of 7 August 1990 as subsequently

amended and by the other laws concerning this subject-matter, as well as by the relevant

implementing regulations, also with regard to the categories of sensitive and judicial data and the

processing operations that may be performed to comply with a request for access. The activities

aimed at implementing the relevant provisions shall be regarded to be in the substantial public

interest.

Section 60

(Data Disclosing Health and Sex Life)

1. Where the processing concerns data disclosing health or sex life, it shall be allowed if the legal

claim to be defended by means of the request for accessing administrative records is at least equal

in rank to the data subject’s rights, or else if it consists in a personal right or another fundamental,

inviolable right or freedom.

CHAPTER II – PUBLIC REGISTERS AND PROFESSIONAL REGISTERS

Section 61

(Use of Public Information)

1. The Garante shall encourage adoption, pursuant to Section 12, of a code of conduct and

professional practice for processing personal data from archives, registers, lists, records or

documents held by public bodies, by also specifying the cases in which the source of the data is to

be mentioned and laying down suitable safeguards in connection with matching data from different

archives, and by taking account of the provisions made in Council of Europe’s Recommendation

No. R(91)10 as regards Section 11.

2. For the purposes of implementing this Code, personal data other than sensitive or judicial data

that are to be entered into a professional register pursuant to laws or regulations may be

communicated to public and private bodies and disseminated also by means of electronic

communication networks, in pursuance of Section 19, paragraphs 2 and 3. Reference may also be

made to the existence of measures that either provide for disqualification from practising a

profession or produce effects on such practice.

3. The relevant professional board or society may, at the request of the member interested therein,

supplement the information referred to in paragraph 2 by additional, relevant and not excessive data

in connection with professional activities.

4. At the data subject’s request, the relevant professional board or society may also provide third

parties with information or data concerning, in particular, professional qualifications that are not

mentioned in the register, or else the availability to undertake tasks or the consent to receive

scientific information materials also concerning meetings and workshops.

CHAPTER III – REGISTERS OF BIRTHS, DEATHS AND MARRIAGES, CENSUS REGISTERS AND ELECTORAL LISTS

Section 62

(Sensitive and Judicial Data)

1. The purposes consisting in keeping the registers of births, deaths and marriages, census registers

for the resident population in Italy and Italian nationals resident abroad, and electoral lists, as well

as in issuing identification documents or providing for name changes shall be regarded to be in the

substantial public interest pursuant to Sections 20 and 21.

Section 63

(Interrogation of Records)

1. The records concerning the registers of births, deaths and marriages as kept in State Archives

may be interrogated insofar as this is provided for by Section 107 of legislative decree no. 490 of 29

October 1999.

CHAPTER IV – PURPOSES IN THE SUBSTANTIAL PUBLIC INTEREST

Section 64

(Citizenship, Immigration and Alien Status)

1. For the purposes of Sections 20 and 21, the activities aimed at implementing the provisions

concerning citizenship, immigration, asylum, alien and refugee status and displaced persons shall be

considered to be in the substantial public interest.

2. For the purposes referred to in paragraph 1, it shall be allowed to process, in particular, sensitive

and judicial data that are indispensable in order to:

a) issue visas, permits, certifications, authorizations and documents, including medical

documents;

b) recognise right of asylum or refugee status, or implement temporary protection and any

other humanitarian measures, or else fulfil legal obligations related to immigration policy;

c) fulfil the obligations imposed on employers and employees, allow reunification of

families, implement legislation in force applying to education and housing, enable participation in

public life and social integration.

3. This Section shall not apply to the processing of sensitive and judicial data that is performed to

implement the agreements and conventions referred to in Section 154(2), letters a) and b), or for

purposes related to State defence or security or else for preventing, detecting and suppressing

offences as based on legislation that specifically provides for such processing.

Section 65

(Political Rights and Public Disclosure of the Activities of Certain Bodies)

1. For the purposes of Sections 20 and 21, the activities aimed at implementing the provisions

concerning

a) electors and elected and exercise of other political rights, in compliance with secrecy of

voting, and exercise of the mandate conferred on representation bodies or keeping of the general

lists of jurors,

b) documentation of the institutional activities carried out by public bodies

shall be considered to be in the substantial public interest.

2. Processing of sensitive and judicial data for the purposes referred to in paragraph 1 shall be

allowed in order to discharge specific tasks as laid down in laws and regulations including, in

particular, those related to

a) polling operations and checks on their conformity with the law;

b) petitions for referenda, the relevant polling and checks on their conformity with the law;

c) establishing the grounds for ineligibility for or disqualification from a public office, the grounds

for removal or suspension from a public office, or else for suspension or dissolution of an organ;

d) evaluation of reports, petitions, applications and community-sponsored bills, the activity of

investigation committees, relationships with political groups;

e) nominating and appointing representatives in committees, bodies and offices.

3. For the purposes of this Section, it shall be allowed to disseminate sensitive and judicial data for

the purposes referred to in paragraph 1, letter a), with particular regard to underwriters of electoral

lists, submission of candidates, tasks conferred within political organizations or associations,

institutional offices and elected organs.

4. For the purposes of this Section, in particular, it shall be allowed to process sensitive and judicial

data that are indispensable

a) to draw up minutes and reports of the activity of representatives' meetings, committees and other

collegiate organs or assemblies,

b) exclusively to carry out activities consisting in supervision, political guidance and inspection,

and to access documents as permitted by laws and regulations concerning the relevant bodies

exclusively for purposes that are directly related to discharge of an electoral mandate.

5. Sensitive and judicial data that are processed for the purposes referred to in paragraph 1 may be

communicated and disseminated in accordance with the relevant legislation. It shall not be

permitted to disclose sensitive and judicial data that are not indispensable to ensure compliance with

the publicity principle applying to institutional activities, subject to the ban on disseminating data

disclosing health.

Section 66

(Taxation and Customs Matters)

1. For the purposes of Sections 20 and 21, the activities of public bodies aimed at implementing,

even through the relevant licensees, the provisions concerning taxation in respect of taxpayers and

those concerning tax deductions and exemptions, as well as the activities aimed at implementing the

provisions that must be enforced by customs offices, shall be considered to be in the substantial

public interest.

2. Furthermore, as regards taxation matters, the activities aimed at preventing and suppressing

breaches of the relevant obligations, taking the measures provided for in laws, regulations and

Community legislation, checking and enforcing full compliance with said obligations, paying

reimbursement, allocating taxation quotas, managing and selling State-owned property, making the

inventory of and evaluating property and keeping land registries shall be considered to be in the

substantial public interest for the purposes of Sections 20 and 21.

Section 67

(Auditing and Controls)

1. For the purposes of Sections 20 and 21, the activities aimed at

a) verifying lawfulness, fairness and impartiality of administrative activities and compliance

of the latter with rational, cost-effective, and efficient criteria, in the light of the fact that public

bodies are anyhow entrusted by law with control, verification and inspection tasks concerning other

entities,

b) inquiring into sensitive and judicial data, in compliance with the relevant institutional

purposes, with regard to complaints and petitions as well as to the controls and inspections referred

to in Section 65(4)

shall be regarded to be in the substantial public interest.

Section 68

(Grants and Certifications)

1. For the purposes of Sections 20 and 21, the activities aimed at implementing the provisions for

granting, paying, modifying and withdrawing benefits, allowances, gifts, other types of payment

and certifications shall be considered to be in the substantial public interest.

2. The processing operations falling within the scope of this Section shall also include such

processing operations as are indispensable with regard to:

a) communications, certificates and information provided for in anti-Mafia legislation;

b) granting allowances as laid down in laws and regulations concerning extortion and victims of

extortion;

c) payment of war pensions and granting benefits to victims of political persecution and persons

detained in concentration camps as well as to their relatives;

d) granting disability claims;

e) granting allowances in connection with vocational training;

f) granting allowances, funds, gifts and further benefits as laid down in laws, regulations and

Community legislation as also related to associations, foundations and other bodies;

g) granting exemptions, allowances or price reductions, and tax allowances, or else licences also in

the broadcasting sector, permits, authorisations, registrations and further certifications as provided

for by laws, regulations and Community legislation.

3. Processing may also include dissemination if this is indispensable to ensure transparency of the

activities referred to in this Section under the law as well as for purposes of supervision and control in

connection with said activities, subject to the ban on dissemination of data disclosing health.

Section 69

(Honours, Rewards and Incorporation)

1. For the purposes of Sections 20 and 21, the activities aimed at implementing the provisions for granting honours and rewards, recognising legal personality of associations, foundations and other bodies, including religious denominations, assessing – to the extent that it falls within the competence of a public body – moral character and professional qualifications for appointment to an office, including a church office, or to management posts in corporations, businesses and non-public schooling institutions, as well as for granting and withdrawing authorizations or certifications, granting sponsorship, patronage and symbolic prizes, participating in boards of honours and getting access to official ceremonies and meetings shall be considered to be in the substantial public interest.

Section 70

(Voluntary Organisations and Conscientious Objection)

1. For the purposes of Sections 20 and 21, the activities aimed at implementing the provisions

concerning relationships between public entities and voluntary organizations – in particular as

regards granting funds for their support, keeping the general registers of said organizations and

international cooperation – shall be considered to be in the substantial public interest.

2. The activities aimed at implementing Act no. 230 of 08.07.98 and further legislation applying to

conscientious objection shall also be considered to be in the substantial public interest.

Section 71

(Imposition of Sanctions and Precautionary Measures)

1. For the purposes of Sections 20 and 21, the activities aimed at

a) implementing the provisions concerning administrative sanctions and complaints,

b) allowing exercise of the right of defence in administrative or judicial matters, also by third

parties and in pursuance of Section 391-quater of the Criminal Procedure Code, or directly at

remedying miscarriages of justice, or else in case of either breach of the due process principle or

unfair restriction of personal freedom,

shall be considered to be in the substantial public interest.

2. Where the processing concerns data disclosing health or sex life, it shall be allowed if the claim

to establish or defend as per letter b) of paragraph 1 is at least equal in rank to the data subject's one

or else if it consists in a personal right or another fundamental, inviolable right or freedom.

Section 72

(Relationships with Religious Denominations)

1. For the purposes of Sections 20 and 21, the activities aimed at managing institutional

relationships with ecclesiastical bodies, religious denominations and communities shall be

considered to be in the substantial public interest.

Section 73

(Other Purposes Related to Administrative and Social Matters)

1. For the purposes of Sections 20 and 21, the activities aimed at providing social assistance shall be

regarded to be in the substantial public interest within the framework of the activities entrusted by

law to public bodies, in particular as for

a) psychological and social support and training for youths and other entities with social, economic

or family disadvantages,

b) measures – including medical care – for disadvantaged, non self-sufficient or disabled entities,

including economic or home assistance services, tele-aid, personal assistance and transport services,

c) assistance to children also in connection with judicial proceedings,

d) psychological and social investigations related to national and international adoption

proceedings,

e) monitoring in connection with foster care children,

f) supervision and support with regard to the stay of nomadic groups,

g) measures related to architectural barriers.

2. For the purposes of Sections 20 and 21, the following activities shall also be regarded to be in the

substantial public interest within the framework of those entrusted by law to public bodies:

a) management of kindergartens,

b) management of school canteens or provision of grants, contributions and educational materials,

c) recreational initiatives and promotion of cultural and sports activities, with particular regard to

organisation of holidays, exhibitions, conferences and sports events as well as to the use of

immovables and occupancy of public areas,

d) provision of public housing units,

e) conscription services,

f) administrative policing, including local policing, subject to the provisions made in Section 53,

with particular regard to public hygiene services and supervision over handling of corpses, and to

controls concerning environment, protection of water resources and land,

g) activities carried out by public relations departments,

h) civil protection,

i) support for employee recruitment and training, in particular as regards local initiative centres for

employment and one-stop employment counters,

l) regional and local ombudsmen.

CHAPTER V – SPECIFIC PERMITS

Section 74

(Car Permits and Access to Town Centres)

1. The permits issued for whatever reason to allow driving and parking vehicles serving disabled

people, or else to allow driving through and parking in restricted access areas, which must be placed

visibly on the relevant vehicles, shall only contain such data as are indispensable to identify the

specific authorisation without using any symbols or abbreviations that may allow the specific nature

of the authorisation to be inferred by simply looking at the permit.

2. Name and address of the data subject concerned shall be reported on said permits by taking care

that they are not immediately visible unless a request is made to produce the permit or an

assessment is to be carried out.

3. The provision as per paragraph 2 shall also apply if the obligation to affix a copy of the car

registration document or any other document on the vehicle is provided for on any grounds.

4. The provisions laid down in Presidential Decree no. 250 of 22 June 1999 shall further apply to

processing of the data collected by means of equipment detecting access by vehicles to town centres

and restricted access areas.

TITLE V – PROCESSING OF PERSONAL DATA IN THE HEALTH CARE SECTOR

CHAPTER I – IN GENERAL

Section 75

(Scope of Application)

1. This Title shall regulate the processing of personal data in the health care sector.

Section 76

(Health Care Professionals and Public Health Care Bodies)

1. Health professionals and public health care bodies may process personal data disclosing health,

also within the framework of activities in the substantial public interest pursuant to Section 85,

a) with the data subject’s consent, also without being authorised by the Garante, if the

processing concerns data and operations that are indispensable to safeguard the data subject’s

bodily integrity and health,

b) also without the data subject’s consent, based on the Garante’s prior authorisation, if the

purposes referred to under a) concern either a third party or the community as a whole.

2. In the cases referred to in paragraph 1, consent may be given in accordance with the simplified

arrangements referred to in Chapter II.

3. In the cases referred to in paragraph 1, the Garante’s authorisation shall be granted after seeking

the opinion of the Higher Health Care Council except for emergencies.

CHAPTER II – SIMPLIFIED ARRANGEMENTS CONCERNING INFORMATION AND CONSENT

Section 77

(Simplification)

1. This Chapter shall lay down simplified arrangements that may be applied by the entities referred

to in paragraph 2

a) to inform data subjects of the personal data collected either from them or from third parties, in

pursuance of Section 13, paragraphs 1 and 4,

b) to obtain data subjects’ consent to the processing of personal data whenever this is required under

Section 76,

c) to process personal data.

2. The simplified arrangements referred to in paragraph 1 shall be applicable

a) by public health care bodies,

b) by other private health care bodies and health care professionals,

c) by the other public entities referred to in Section 80.

Section 78

(Information Provided by General Practitioners and Paediatricians)

1. General practitioners and paediatricians shall inform data subjects of the processing of personal

data in a clear manner such as to allow the items referred to in Section 13(1) to be easily

understandable.

2. The information may be provided as regards the overall personal data processing operations that

are required for prevention, diagnosis, treatment and rehabilitation as carried out by a general

practitioner or a paediatrician to safeguard the data subject’s health or bodily integrity, such

activities being performed at the data subject’s request or else being known to the data subject in

that they are carried out in his/her interest.

3. The information may also concern personal data collected from third parties and is given

preferably in writing, also by means of pocketable cards with foldable annexes, and should include

at least the items specified by the Garante in pursuance of Section 13(3), which may be

supplemented by additional information – also verbally – in connection with specific features of the

processing.

4. Unless specified otherwise by the general practitioner or paediatrician, the information shall also

concern data processing operations that are related to those carried out by said general practitioner

or paediatrician, being performed by either a professional or another entity, who should be

identifiable on the basis of the service requested and

a) temporarily replaces the general practitioner or paediatrician in question,

b) provides specialised advice at the general practitioner’s or paediatrician’s request,

c) may lawfully process the data within the framework of a professional partnership,

d) supplies prescribed drugs,

e) communicates personal data to the general practitioner or paediatrician in compliance with the

applicable regulations.

5. The information provided pursuant to this Section shall highlight, in detail, processing operations

concerning personal data that may entail specific risks for the data subject’s rights and fundamental

freedoms and dignity, in particular if the processing is carried out

a) for scientific purposes, including scientific research and controlled clinical drug testing, in

compliance with laws and regulations, by especially pointing out that the consent, if necessary, is

given freely,

b) within the framework of tele-aid or tele-medicine services,

c) to supply other goods or services to the data subject via electronic communication networks.

Section 79

(Information Provided by Health Care Bodies)

1. Public and private health care bodies may avail themselves of the simplified arrangements

concerning information and consent referred to in Sections 78 and 81 with regard to several services

delivered also by different divisions and units of a selfsame body or else by several specifically

identified hospitals and local entities.

2. In the cases referred to in paragraph 1, the health care body or entity shall record the provision of

information and consent in a unified manner such as to allow this circumstance to be verified by

other divisions and units that may happen to process data concerning the same data subject also

thereafter.

3. The simplified arrangements referred to in Sections 78 and 81 may be applied in a homogeneous,

consistent manner with regard to all the processing operations concerning personal data that are

carried out by all the entities pertaining to a given health care agency.

4. Based on appropriate organisational measures in pursuance of paragraph 3, the simplified

arrangements in question may be applied to several data processing operations carried out both in

the cases referred to in this Section and by the entities referred to in Section 80.

Section 80

(Information Provided by Other Public Bodies)

1. In addition to the provisions made in Section 79, the competent services or departments of public

bodies working in the sectors of health care and/or occupational safety and prevention may avail

themselves of the possibility to provide a single information notice in connection with several data

processing operations performed in different periods for administrative purposes with regard to data

collected both from a data subject and from third parties.

2. The information as per paragraph 1 shall be supplemented by placing suitable, specific notices

and signs, which shall be easily visible to the public and shall be affixed and disseminated also

within the framework of institutional publications as well as on electronic communication networks

– with particular regard to administrative activities in the substantial public interest requiring no

consent by data subjects.

Section 81

(Providing One’s Consent)

1. Consent to the processing of data disclosing health – where required pursuant to either this Code

or another law – may be provided by means of a single statement, also verbally. In this case, the

consent shall not be documented in a written instrument released by the data subject, but in a notice

written by the health care professional and/or public health care body, in which reference shall be

made to the processing of data by either one or several entities and to the information provided to

the data subject according to Sections 78, 79 and 80.

2. Where a general practitioner or paediatrician provides information on behalf of several

professionals as per Section 78 (4), the consent rendered in pursuance of paragraph 1 shall have to

be also notified to said professionals by appropriate mechanisms, also by referring to it or placing a

notice or a stamp/tag on an electronic card and/or the medical card, in which reference shall be made

to Section 78(4) as well as to the detailed specifications made, if any, in the information provided

pursuant to the latter paragraph.

Section 82

(Emergency and Protection of Health and Bodily Integrity)

1. Information and consent requirements in connection with the processing of personal data may be

complied with after the relevant service has been delivered, without delay, in cases of medical

emergency and/or related to public hygiene whenever the competent authority has issued a

contingent emergency order pursuant to Section 117 of legislative decree no. 112 of 31 March

1998.

2. Information and consent requirements in connection with the processing of personal data may

also be complied with after the relevant service has been delivered, without delay,

a) if the data subject is physically impaired, legally incapable or unable to distinguish right and

wrong, and the consent cannot be obtained from the entity legally representing the data subject, or

else a next of kin, a family member, a person cohabiting with the data subject or, failing these, the

manager of the institution where the data subject is hosted,

b) if there exists a serious, impending and irretrievable danger for the data subject’s health or bodily

integrity.

3. Information and consent requirements in connection with the processing of personal data may be

complied with after the relevant service has been delivered, without delay, also if the provision of

medical care may be negatively affected - in terms of its timeliness or effectiveness - by the need to

obtain the data subject’s prior consent.

4. As regards persons over eighteen years of age, the information shall be provided to a data subject

also for the purpose of newly obtaining his/her consent whenever the latter is required.

Section 83

(Other Provisions to Ensure Respect for Data Subjects’ Rights)

1. The entities referred to in Sections 78, 79 and 80 shall take suitable measures to ensure that data

subjects’ rights, fundamental freedoms and dignity, as well as professional secrecy requirements are

respected in organising the relevant services and discharging the relevant tasks, without prejudice to

the provisions made in laws and regulations concerning arrangements to process sensitive data and

minimum security measures.

2. The measures referred to in paragraph 1 shall include, in particular,

a) solutions aimed at respecting precedence and order in calling up data subjects regardless of their

specific names as regards medical care activities and administrative requirements entailing a

waiting time,

b) setting up appropriately spaced waiting lines by having regard to the use of voice messages

and/or barriers,

c) solutions to prevent third parties from unduly getting to know information disclosing health

during an interview,

d) precautions aimed at preventing medical care activities – including collection of a patient’s

history – from being carried out in privacy-unfriendly situations due to the specific arrangements

and/or the premises selected,

e) respect for the data subject’s dignity when providing the specific medical treatment as well as in

connection with all data processing operations,

f) suitable arrangements to ensure that the provision of emergency aid can be notified or confirmed

also by phone, if necessary, exclusively to third parties entitled thereto,

g) provisions in line with the internal regulations of hospitals and other establishments for medical

care by which suitable mechanisms are laid down to inform third parties that are lawfully entitled

thereto on the whereabouts of data subjects inside medical wards, on the occasion of visits paid by

such third parties, whereby data subjects are informed thereof in advance and compliance with their

legitimate denial of authorisation is ensured,

h) implementing procedures, including training of staff, to prevent third parties from establishing a

link between a data subject and a given ward or department such as to disclose a specific medical

condition,

i) subjecting persons in charge of the processing that are not bound by professional secrecy under

the law to rules of practice that are similar to those based on professional secrecy.

Section 84

(Data Communication to Data Subjects)

1. Personal data disclosing health may be communicated by health care professionals and health

care bodies either to the data subject or to the entities referred to in Section 82(2), letter a), only by

the agency of a physician who must have been designated either by the data subject or by the data

controller. This paragraph shall not apply to the personal data that had been provided previously by

said data subject.

2. The data controller or processor may authorise, in writing, health care professionals other than

physicians who, to fulfil their respective duties, have direct contacts with patients and are in charge

of processing personal data disclosing health, to communicate said data either to data subjects or to

the entities referred to in Section 82(2), letter a). The instrument by which said task is conferred

shall set out adequate arrangements and precautions having regard to the context within which the

data are to be processed.

CHAPTER III – PURPOSES IN THE SUBSTANTIAL PUBLIC INTEREST

Section 85

(Tasks of the National Health Service)

1. Except for the cases referred to in paragraph 2, the activities falling within the scope of the tasks

committed to the National Health Service and other public health care bodies shall be considered to

be in the substantial public interest for the purposes of Sections 20 and 21 as regards:

a) administrative activities related to prevention, diagnosis, care and rehabilitation of the persons

assisted by the National Health Service, including aliens in Italy and Italian citizens abroad as well

as the health care provided to seamen and airport staff;

b) planning, management, control and assessment of health care;

c) monitoring of testing and drugs, authorization for marketing and importing medical drugs and

other health-related products;

d) certification activities;

e) application of provisions concerning occupational hygiene and safety and population health and

safety;

f) administrative activities related to organ and tissue transplantations and human blood

transfusions, also pursuant to Act no. 107 of 04.05.90;

g) setting up, managing, planning and monitoring the relationships between the administration and

the entities bound by contractual agreements with and/or recognised by the National Health Service.

2. Paragraph 1 shall not apply to the processing of data disclosing health that is carried out either by

health care professionals or by public health care bodies for the purpose of protecting health or

bodily integrity of a data subject, a third party or the community as a whole, in which case the

provisions concerning the data subject’s consent and/or authorisation by the Garante shall apply as

per Section 76.

3. The specification of the categories of data disclosing health and the processing operations they

may undergo shall be publicised to the greatest possible extent, also by affixing a copy thereof or

making available an explanatory booklet in each health care agency as well as in general

practitioners’ and paediatricians’ clinics.

4. Processing the data subject’s identification data shall be lawfully reserved for the entities that directly pursue the purposes referred to in paragraph 1. Utilisation of the various data categories shall only be allowed to the persons in charge of the processing who have been entrusted, on a case-by-case basis, with the specific stages of the activities mentioned in paragraph 1 in accordance with the principle that only indispensable data shall have to be processed in the individual cases.

Section 86

(Other Purposes in the Substantial Public Interest)

1. Apart from the cases referred to in Sections 76 and 85, the purposes to be achieved by processing

sensitive and judicial data in connection with administrative activities related to implementation of

the legislation concerning the matters below shall be regarded to be in the substantial public interest

as per Sections 20 and 21:

a) social protection of motherhood and abortion, with particular regard to the processing operations

that are carried out for managing family planning centres and similar institutions, providing

information, medical treatment and in-hospital care to mothers, as well as for performing abortions;

b) narcotic drugs and psychotropic substances, with particular regard to the activities carried out in

order to provide, also with the help of non-profit bodies and associations, such public services as are

necessary for the social and medical assistance of drug addicts, and to adopt the measures, including

preventive measures, referred to by laws and implement the required administrative provisions;

c) assistance, social integration and rights of persons with a disability, in particular with a view to

1) assessing the disability and ensuring operation of medical care and rehabilitation services and

family and personal support, as well as granting allowances and further benefits,

2) ensuring social integration, education, training and information to the family of a person with a

disability as well as mandatory employment of such person in the cases provided for by law,

3) setting up residential facilities and social rehabilitation centres,

4) keeping the registers of voluntary bodies, associations and organisations working in this sector.

2. The provisions as per Section 85(4) shall apply to the processing operations referred to in this

Section.

CHAPTER IV – MEDICAL PRESCRIPTIONS

Section 87

(Drugs Paid for by the National Health Service)

1. Prescriptions concerning medical drugs that are charged, even only in part, to the National Health

Service shall be written by using the form referred to in paragraph 2. Said form shall be designed so

as to allow establishing the data subject's identity only if this is necessary in order to check that the

prescription is correct or else with a view to administrative controls or for epidemiological and

research purposes, in compliance with the applicable rules of conduct.

2. The paper form to be used for prescribing drugs that are charged, even only in part, to the

National Health Service as per Annexes 1, 3, 5 and 6 to decree no. 350 by the Minister of Health of

11 July 1988 and Chapter 2, paragraph 2.2.2. of the relevant technical specifications, shall be

supplemented either by a paper tag or by a carbon-copy tag that shall be pasted to the margins of the

areas referred to in paragraph 3.

3. The tag referred to in paragraph 2 shall be affixed to the areas of the form where the patient’s

name and address are to be entered so that the latter may only be visible upon transiently removing

the tag for the purposes specified in paragraphs 4 and 5.

4. The tag may be transiently removed from the prescription form and subsequently re-affixed to it

if this is considered indispensable by a chemist – who shall have to sign the tag – on account of the

actual need to check that the prescription is correct as also related to supply of the drug specifically

prescribed.

5. The tag may also be transiently removed in the manner described in paragraph 3 by the

competent bodies with a view to performing an administrative audit as to correctness of the

prescription, and by entities that may lawfully carry out epidemiological surveys or else researches

in accordance with the law, provided that this is indispensable in order to achieve their respective

purposes.

6. Further technical solutions other than the one referred to in paragraph 1 may be laid down in a

decree by the Minister of Health, after seeking the Garante’s opinion, based on the use of a sticker

or else on equivalent technology also related to the use of non-paper media.

Section 88

(Drugs Not Paid for by the National Health Service)

1. The data subject’s name shall not be specified in the prescriptions made on paper forms with

regard to drugs that are not charged, even in part, to the National Health Service.

2. In the cases referred to in paragraph 1, a physician may specify the data subject’s name

exclusively if he/she considers that it is indispensable to make said data subject personally

identifiable on account of an actual requirement that is related either to the data subject’s specific

condition or to the special arrangements to be made for preparing or using the drug.

Section 89

(Special Cases)

1. The provisions of this Chapter shall leave unprejudiced the application of regulatory provisions

requiring drug prescriptions not to allow identification of data subjects or else to bear specific

notices, such as those laid down in decree-law no. 23 of 17 February 1998 as converted, with

amendments, into Act no. 94 of 8 April 1998.

2. Whenever the data subject's identity is to be established in pursuance of the consolidated text of

the Act applying to narcotic drugs and psychotropic substances, prevention, care and rehabilitation

of drug addiction, as approved by presidential decree no. 309 of 9 October 1990, the relevant

prescriptions shall be kept separate from any other document that does not require their use.

CHAPTER V – GENETIC DATA

Section 90

(Processing of Genetic Data and Bone Marrow Donors)

1. Processing of genetic data, regardless of the entity processing them, shall be allowed exclusively

in the cases provided for in ad-hoc authorisations granted by the Garante, after having consulted

with the Minister for Health who shall seek, to that end, the opinion of the Higher Health Care

Council.

2. The authorisation referred to in paragraph 1 shall also specify the additional items of information

that should be contained in the information notice pursuant to Section 13, with particular regard to

the purposes sought and the results to be achieved also in connection with the unexpected

information that may be made known on account of the processing as well as with the data subject’s

right to object to the processing on legitimate grounds.

3. Under Act no. 52 of 6 March 2001, bone marrow donors shall have the right and duty to remain

anonymous with regard to both recipient(s) and third parties.

CHAPTER VI – MISCELLANEOUS PROVISIONS

Section 91

(Data Processed by Means of Cards)

1. Processing in whatever form of data disclosing health and sex life that are stored on cards,

including non-electronic cards and the national services card, or that are processed by means of said

cards, shall only be allowed if it is necessary under the terms of Section 3 in compliance with

measures and precautions laid down by the Garante as per Section 17.

Section 92

(Clinical Records)

1. Where public and private health care bodies draw up and retain clinical records in compliance

with the applicable legislation, suitable precautions shall be taken to ensure that the data are

understandable as well as to keep the data concerning a patient separate from those concerning

other data subjects – including the information related to unborn children.

2. Any request to inspect or obtain a copy of the clinical records and the attached patient discharge

form as lodged by entities other than the data subject may only be granted, in whole or in part, if it

is justified because of the proven need

a) to establish or defend a legal claim in pursuance of Section 26(4), letter c), such claim being

equal in rank to the data subject’s right or else consisting in a personal right or another fundamental,

inviolable right or freedom,

b) to establish a legally relevant claim in pursuance of the legislation concerning access to

administrative records, such claim being equal in rank to the data subject’s right or else consisting

in a personal right or another fundamental, inviolable right or freedom.

Section 93

(Certificate of Attendance at Birth)

1. With a view to issuing a birth certificate, the certificate of attendance at birth shall be replaced by

a declaration only containing the data that must be entered into the register of births. The provisions

of Section 109 shall also apply.

2. The certificate of attendance at birth or clinical records, where containing personal data allowing

identification of a mother that has objected to being referred to as per Section 30(1) of Presidential

Decree no. 396 of 3 November 2000, may be issued in full to any person interested therein,

pursuant to law, after one hundred years have elapsed since the relevant document has been drawn

up.

3. During the period referred to in paragraph 2, a request for accessing the certificate and/or clinical

records may be granted with regard to the data concerning a mother that has objected to being

referred to by taking suitable precautions to prevent the latter from being identifiable.

Section 94

(Data Banks, Registers and Filing Systems in the Health Care Sector)

1. The processing of data disclosing health as contained in data banks, filing systems, archives or

registers kept by entities in the health care sector shall be carried out in compliance with Section 3

also with regard to data banks, filing systems, archives or registers that had already been set up on

the date of entry into force of this Code as well as in respect of the access by third parties pursuant

to the provisions in force on that date – in particular concerning

a) the national register of asbestos-related mesotheliomas set up at the Istituto superiore per la

prevenzione e la sicurezza del lavoro (Ispesl), which is referred to in Section 1 of Prime Minister’s

decree no. 308 of 10 December 2002,

b) the data bank on surveillance of Creutzfeldt-Jakob’s disease and the variants or related

syndromes, which is referred to in a decree by the Minister of Health of 21 December 2001

published in the Official Journal no. 8 of 10 January 2002,

c) the national register of rare diseases referred to in Section 3 of decree no. 279 of 18 May 2001 by

the Minister of Health,

d) the registers of bone marrow donors set up in pursuance of Act no. 52 of 6 March 2001,

e) the files concerning blood donors referred to in Section 15 of a decree by the Minister of Health

of 26 January 2001, as published in the Official Journal no. 78 of 3 April 2001.

TITLE VI – EDUCATION

CHAPTER I – IN GENERAL

Section 95

(Sensitive and Judicial Data)

1. For the purposes of Sections 20 and 21, the activities aimed at education and training in the

schooling, vocational, high school or university sectors shall be considered to be in the substantial

public interest with particular regard to those carried out also in integrated fashion.

Section 96

(Processing of Data Concerning Students)

1. With a view to facilitating vocational orientation and training as well as employment in Italy and

abroad, high schools and similar educational bodies may communicate or disseminate, also to

private entities and by electronic means, on the data subjects' request, data on the evaluation and

marks obtained by students (whether at mid-term or in the final term) and further personal data

other than sensitive or judicial data, provided they are relevant in respect of the above purposes and

are referred to in the information provided to data subjects pursuant to Section 13. The data may be

processed further exclusively for the abovementioned purposes.

2. The provisions referred to in Section 2(2) of Presidential Decree no. 249 of 24 June 1998

concerning protection of students’ right to privacy as well as the provisions in force concerning

publication of examination marks by affixing a notice on the school's bulletin board, and those

concerning the granting of diplomas and certifications shall be left unprejudiced.

TITLE VII – PROCESSING FOR HISTORICAL, STATISTICAL OR SCIENTIFIC PURPOSES

CHAPTER I – IN GENERAL

Section 97

(Scope of Application)

1. This Title shall regulate processing of personal data for historical, statistical or scientific

purposes.

Section 98

(Purposes in the Substantial Public Interest)

1. For the purposes of Sections 20 and 21, the purposes related to the data processing operations

carried out by public bodies

a) for historical purposes in respect of keeping, classifying and communicating the

documents and records kept in State archives and historical archives of public bodies pursuant to

legislative decree no. 490 of 29 October 1999, which adopted the consolidated statute on cultural

and environmental heritage, as amended by this Code,

b) that are members of the National Statistical System (SISTAN) as per legislative decree

no. 322 of 6 September 1989, as subsequently amended,

c) for scientific purposes,

shall be considered to be in the substantial public interest.

Section 99

(Compatibility between Purposes and Duration of Processing)

1. Processing of personal data for historical, scientific or statistical purposes shall be considered to

be compatible with the different purposes for which the data had been previously collected or

processed.

2. Processing of personal data for historical, scientific or statistical purposes may be carried out also

upon expiry of the period that is necessary for achieving the different purposes for which the data

had been previously collected or processed.

3. Where the processing of personal data is terminated, for whatever reason, such data may be kept

or transferred to another data controller for historical, statistical or scientific purposes.

Section 100

(Data Concerning Studies and Researches)

1. In order to encourage and support research and co-operation in the scientific and technological

sectors, public bodies including universities and research institutions may, by autonomous decision,

communicate and disseminate, also to private bodies and by electronic means, data concerning

studies and researches to graduates, post-graduates, technicians and engineers, researchers,

professors, experts and scholars – except for sensitive and judicial data.

2. The data subject’s right to object on legitimate grounds pursuant to Section 7(4), letter a), shall be

left unprejudiced.

3. The data referred to in this Section shall not be regarded as administrative records under the

terms of Act no. 241 of 7 August 1990.

4. The data referred to in this Section may be processed further exclusively for the purposes for

which they have been communicated or disseminated.

CHAPTER II – PROCESSING FOR HISTORICAL PURPOSES

Section 101

(Processing Arrangements)

1. No personal data that has been collected for historical purposes may be used for taking actions or

issuing provisions against the data subject in administrative matters, unless said data are also used

for other purposes in compliance with Section 11.

2. Any document containing personal data that is processed for historical purposes may only be

used, by having regard to its nature, if it is relevant and indispensable for said purposes. Personal

data that are disseminated may only be used for achieving the aforementioned purposes.

3. Personal data may be disseminated in any case if they relate to circumstances or events that have

been made known either directly by the data subject or on account of the latter's public conduct.

Section 102

(Code of Conduct and Professional Practice)

1. The Garante shall encourage adoption of a code of conduct and professional practice by the

private and public entities, including scientific societies and professional associations, which are

involved in the processing of data for historical purposes, in pursuance of Section 12.

2. The code of conduct and professional practice referred to in paragraph 1 shall set out, in

particular,

a) rules based on fairness and non-discrimination in respect of users, to be abided by also in

communication and dissemination of data, pursuant to the provisions of this Code that are

applicable to the processing of data for journalistic purposes or else for publication of papers, essays

and other intellectual works also in terms of artistic expression;

b) the specific safeguards applying to collection, interrogation and dissemination of

documents concerning data disclosing health, sex life or private family relations; the cases shall be

also specified in which either the data subject or an interested party must be informed by the user of

the planned dissemination;

c) arrangements to apply the provisions on processing of data for historical purposes to

private archives, as also related to harmonisation of interrogation criteria and the precautions to be

taken in respect of communication and dissemination.

Section 103

(Interrogating Documents Kept in Archives)

1. Interrogation of documents kept in State archives, historical archives of public bodies and private

archives shall be regulated by legislative decree no. 490 of 29 October 1999, enacting the

consolidated Act on cultural and environmental heritage, as amended by this Code.

CHAPTER III – PROCESSING FOR STATISTICAL OR SCIENTIFIC PURPOSES

Section 104

(Scope of Application and Identification Data for Statistical or Scientific Purposes)

1. The provisions of this Chapter shall apply to the processing of data for statistical purposes or, to

the extent that they are compatible, for scientific purposes.

2. For the purpose of implementing this Chapter, account shall be taken with regard to identification

data of all the means that can be reasonably used by a data controller or others to identify the data

subject, also on the basis of the knowledge acquired in connection with technological

developments.

Section 105

(Processing Arrangements)

1. No personal data that is processed for statistical or scientific purposes may be used for taking

decisions or measures with regard to the data subject or else with a view to processing data for

different purposes.

2. Statistical or scientific purposes shall have to be specified unambiguously and made known to the

data subject in accordance with Section 13, as also related to Section 106(2), letter b), of this Code

and Section 6-bis of legislative decree no. 322 of 06.09.89 as subsequently amended.

3. Where specific circumstances referred to in the codes as per Section 106 are such as to allow an

entity to respond on behalf of another entity, being a family member of or co-habiting with the

latter, the data subject may also be informed by the agency of the respondent.

4. As for processing operations for statistical or scientific purposes concerning data collected for

other purposes, no information shall have to be provided to data subjects if it entails a

disproportionate effort compared with the right to be protected – on condition that those operations

have been appropriately publicized as laid down in the Codes referred to in Section 106.

Section 106

(Codes of Conduct and Professional Practice)

1. The Garante shall encourage adoption of one or more codes of conduct and professional practice

by the private and public entities, including scientific societies and professional associations, which

are involved in the processing of data for statistical or scientific purposes, in pursuance of Section

12.

2. The codes referred to in paragraph 1 shall lay down, by having regard to legislative decree no.

322 of 06.09.89, as subsequently amended, in respect of the entities that are members of the

National Statistical System and on the basis of similar safeguards in respect of other entities,

a) prerequisites and procedures for proving and verifying that the data are processed actually

for appropriate statistical and scientific purposes, except as provided for in legislative decree no.

322 of 06.09.89;

b) where not provided for in this Code, further prerequisites for the processing and the

relevant safeguards, as also related to the data retention time, the information to be provided to data

subjects in respect of the data collected also from third parties, communication and dissemination of

the data, the selective criteria to be implemented in processing identification data, the specific

security measures and the mechanisms to amend the data as a result of the exercise of data subjects'

rights, by taking account of the principles laid down in the relevant Council of Europe’s

Recommendations;

c) the means that can be reasonably used by data controllers or others in order to identify a

data subject, by taking also account of technical developments;

d) the safeguards to be afforded with a view to applying the provisions referred to in

Sections 24(1), letter i) and 43(1), letter g), making the data subject's consent unnecessary, by

having regard to the principles laid down in the aforementioned Recommendations;

e) simplified arrangements for obtaining the data subjects' consent in connection with

processing sensitive data;

f) the fairness criteria applying to collection of the data and the instructions for the staff in

charge of this activity;

g) the measures to be adopted in order to promote compliance with the principle that the

data should be relevant and not excessive as well as with the security measures referred to in

Section 31, by having also regard to the precautions to be taken in order to prevent both access by

natural persons who are not in charge of the processing and unauthorized identification of data

subjects, the interconnection of information systems also within the framework of the National

Statistical System and the data exchanges for statistical and scientific purposes that are carried out

with entities and agencies abroad also based on the safeguards referred to in Section 44(1), letter a);

h) the requirement for any person in charge of the processing who is not bound by official or

professional secrecy under the law to abide by rules of conduct that can ensure similar security and

confidentiality levels.

Section 107

(Processing of Sensitive Data)

1. Without prejudice to Section 20 and except for specific statistical or scientific research

investigations or surveys that are provided for by law, the data subject’s consent for processing

sensitive data may be given, if required, in accordance with simplified arrangements as set out in

the code referred to in Section 106. The relevant authorisation may be granted by the Garante also

in pursuance of Section 40.

Section 108

(National Statistical System)

1. Processing of personal data by entities included in the National Statistical System shall be

regulated further by legislative decree no. 322 of 6 September 1989 as subsequently amended as

well as by the provisions set out in the code of conduct and professional practice adopted pursuant

to Section 106(2), with particular regard to processing of the sensitive data referred to in the

national statistical programme, provision of information to data subjects, exercise of data subjects’

rights and data falling outside the scope of statistical secrecy under Section 9(4) of the

aforementioned decree.

Section 109

(Statistical Data Concerning Birth Events)

1. The collection of statistical data concerning birth events - including malformed newborns and

stillborns - and the data flows also by medical directors shall be regulated by the technical

specifications made by the National Statistics Institute after hearing the Minister of Health, the

Minister of Justice and the Garante as well as by the provisions laid down in decree no. 349 of 16

July 2001 by the Minister of Health.

Section 110

(Medical, Biomedical and Epidemiological Research)

1. The data subject's consent shall not be required for processing data disclosing health with a view

to scientific research activities in the medical, bio-medical or epidemiological sectors if said

research activities are expressly provided for by legislation that specifically refers to the processing,

or else are included in a bio-medical or health care research programme pursuant to Section 12-bis

of legislative decree no. 502 of 30.12.92, as subsequently amended, and forty-five days have

elapsed since communication of said activities to the Garante under Section 39. Additionally,

consent shall not be necessary if data subjects cannot be informed on specific grounds and the

research programme has been the subject of a reasoned, favourable opinion by the geographically

competent ethics committee as well as being authorised by the Garante also in pursuance of Section

40.

2. Where a data subject exercises his/her rights in pursuance of Section 7 with regard to the

processing operations which are referred to in paragraph 1, updates, rectifications and additions to

the data shall be reported without modifying the data themselves if the outcome of the above

operations does not produce significant effects on the outcome of the research.

TITLE VIII – OCCUPATIONAL AND SOCIAL SECURITY ISSUES

CHAPTER I – IN GENERAL

Section 111

(Code of Conduct and Professional Practice)

1. The Garante shall encourage adoption, pursuant to Section 12, of a code of conduct and

professional practice by public and private entities that are involved in the processing of personal

data either for social security purposes or in connection with management of employer-employee

relationships, by also setting forth specific arrangements to inform data subjects and obtain their

consent, if necessary, as regards publishing job ads pursuant to Section 113(3) and receiving CVs

including personal – possibly sensitive – data.

Section 112

(Purposes in the Substantial Public Interest)

1. For the purposes of Sections 20 and 21, the activities carried out by public bodies in order to

enter into and manage labour relations of any kind whatsoever, whether based on a contract of

service or for services, including unpaid, honorary, part-time or temporary work, as well as other

types of employment which do not entail any contract of service, shall be considered to be in the

substantial public interest.

2. The processing operations performed for the purposes referred to in paragraph 1 shall include, in

particular, those aimed at:

a) implementing the provisions concerning mandatory employment of disabled persons and

employing staff also from disadvantaged groups;

b) ensuring equal opportunity policies;

c) establishing existence of specific qualifications as required to fill certain positions, as also related

to protection of language minorities, or else of prerequisites for suspension from or termination of

employment or service, relocation of an employee for incompatibility and granting special

authorizations;

d) fulfilling obligations related to assessment of legal and economic status, including recognition of

industrial accidents or granting of fair compensation, as well as obligations concerning wages,

taxation or accounting in respect of staff, whether employed or retired, including payment of premia

and security benefits;

e) fulfilling specific obligations or discharging tasks which are laid down in legislation concerning

occupational hygiene and safety, population health and safety and trade-unions' activities;

f) implementing, as also related to social security and assistance organizations, the provisions

concerning social security and assistance, including supplementary social security schemes,

pursuant to, inter alia, legislative decree no. 804 of 29.07.47, with regard to communication of the

data, also by means of electronic communications networks, to social assistance agencies, trade

associations and professional councils that have obtained the data subject's consent under Section

23 in connection with specific data categories;

g) carrying out activities aimed at establishing civil, disciplinary and accounting liability and

dealing with complaints in administrative matters pursuant to the relevant rules;

h) entering an appearance in court by the agency of counsel or else taking part in arbitration or

settlement proceedings as provided for by law or collective labour agreements;

i) protecting the data subject's or a third party's life or bodily integrity;

l) managing the register of civil servants and implementing the provisions concerning tasks

undertaken by civil servants, co-operators and advisors;

m) implementing the provisions concerning conflicts of interest and part-time jobs;

n) carrying out inquiries and inspections with regard to public bodies;

o) assessing quality of the services provided as well as of the results achieved.

3. The data referred to in letters m), n) and o) of paragraph 2 may be disseminated in anonymous

form and anyhow in a way preventing the data subject from being identified.

CHAPTER II – JOB ADS AND EMPLOYEE DATA

Section 113

(Data Collection and Relevance)

1. The provisions laid down in Section 8 of Act no. 300 of 20 May 1970 shall be left unprejudiced.

CHAPTER III – BAN ON DISTANCE MONITORING AND TELEWORK

Section 114

(Distance Monitoring)

1. The provisions made in Section 4 of Act no. 300 of 20 May 1970 shall be left unprejudiced.

Section 115

(Telework and Home-Based Work)

1. In the context of home-based work and telework, employers shall be required to ensure that the

employees’ personality and moral freedom are respected.

2. Home-based workers shall be required to ensure confidentiality as necessary with regard to all

family-related matters.

CHAPTER IV – ASSISTANCE BOARDS AND SOCIAL WORK

Section 116

(Availability of Data under the Terms Agreed upon with Data Subjects)

1. Assistance and social work boards may access the data banks of the entities providing the

relevant services under the terms agreed upon with data subjects, in order to discharge their

respective tasks, as regards the data categories that have been referred to specifically upon obtaining

the data subjects’ consent in pursuance of Section 23.

2. Guidelines for ad-hoc agreements to be made between assistance and social work boards and the

entities providing the relevant services shall be set out in a decree by the Minister of Work and

Social Policies.

TITLE IX – BANKING, FINANCIAL AND INSURANCE SYSTEMS

CHAPTER I – INFORMATION SYSTEMS

Section 117

(Reliability and Timeliness in Payment-Related Matters)

1. The Garante shall encourage, pursuant to Section 12, adoption of a code of conduct and

professional practice for the processing of personal data that is carried out within the framework of

information systems owned by private entities, where they are used to grant consumer credits or

else concern data subjects’ reliability and timeliness in performing payments, by also laying down

specific arrangements to facilitate communication of accurate, up-to-date personal data in

compliance with data subjects’ rights.

Section 118

(Commercial Information)

1. The Garante shall encourage, pursuant to Section 12, adoption of a code of conduct and

professional practice for the processing of personal data that is carried out for commercial

information purposes, by also setting forth simplified arrangements to inform data subjects and

appropriate mechanisms to ensure quality and accuracy of the data collected and communicated, in

line with the provisions made in Section 13(5).

Section 119

(Data Concerning Payment of Debts)

1. The code of conduct and professional practice referred to in Section 118 shall also lay down

harmonised retention periods for the personal data contained, in particular, in data banks, registers

and lists kept by public and private bodies with regard to payment of debts by data subjects in cases

other than those regulated by the Code referred to in Section 117. Account shall have to be taken of

the specific features of the processing operations carried out in the different sectors.

Section 120

(Car Accidents)

1. The Istituto per la vigilanza sulle assicurazioni private e di interesse collettivo (ISVAP)

[Supervisory Body for Private Insurance] shall lay down procedural and operational mechanisms

applying to the car accidents data bank that was set up to prevent and fight fraud in connection with

the compulsory insurance for motor vehicles registered in Italy; further, the arrangements for

accessing the information collected in said data bank as regards judicial authorities and public

administrative agencies that are competent over prevention of and fight against fraud in the

compulsory insurance sector as well as limitations on and arrangements for access to said

information by insurance companies shall be set out.

2. Personal data may be processed and communicated to the entities referred to in paragraph 1 in

order to discharge the tasks referred to in said paragraph.

3. To the matters that are not regulated by this Section there shall apply the provisions of Section

2(5-quater) of decree-law no. 70 of 28 March 2000 as converted, with amendments, into Act no.

137 of 26 May 2000, including subsequent amendments.

TITLE X – ELECTRONIC COMMUNICATIONS

CHAPTER I – ELECTRONIC COMMUNICATION SERVICES

Section 121

(Services Concerned)

1. This Title shall apply to the processing of personal data in connection with the provision of

publicly accessible electronic communication services on public communications networks.

Section 122

(Information Collected with Regard to Subscribers or Users)

1. Subject to paragraph 2, it shall be prohibited to use an electronic communication network to gain

access to information stored in the terminal equipment of a subscriber or user, to store information

or monitor operations performed by a user.

2. The Code of conduct referred to in Section 133 shall lay down prerequisites and limitations for a

provider of an electronic communication service to use the network in the manner described in

paragraph 1 for specific, legitimate purposes related to technical storage for no longer than is

strictly necessary to transmit a communication or provide a specific service as requested by a

subscriber or user that has given his/her consent based on prior information as per Section 13,

whereby purposes and duration of the processing shall have to be referred to in detail, clearly and

accurately.

Section 123

(Traffic Data)

1. Traffic data relating to subscribers and users that are processed by the provider of a public

communications network or publicly available electronic communications service shall be erased or

made anonymous when they are no longer necessary for the purpose of transmitting the electronic

communication, subject to paragraphs 2, 3 and 5.

2. Providers shall be allowed to process traffic data that are strictly necessary for subscriber billing

and interconnection payments for a period not in excess of six months in order to provide evidence

in case the bill is challenged or payment is to be pursued, subject to such additional retention as

may be specifically necessary on account of a claim also lodged with judicial authorities.

3. For the purpose of marketing electronic communications services or for the provision of value

added services, the provider of a publicly available electronic communications service may process

the data referred to in paragraph 2 to the extent and for the duration necessary for such services or

marketing, on condition that the subscriber or user to whom the data relate has given his/her

consent. Such consent may be withdrawn at any time.

4. In providing the information referred to in Section 13, the service provider shall inform a

subscriber or user on the nature of the traffic data processed as well as on duration of the processing

for the purposes referred to in paragraphs 2 and 3.

5. Processing of traffic data shall be restricted to persons in charge of the processing who act –

pursuant to Section 30 – directly under the authority of the provider of a publicly available

electronic communications service or, where applicable, the provider of a public communications

network and deal with billing or traffic management, customer enquiries, fraud detection, marketing

of electronic communications or the provision of value-added services. Processing shall be

restricted to what is absolutely necessary for the purposes of such activities and must allow

identification of the person in charge of the processing who accesses the data, also by means of

automated interrogation procedures.

6. The Authority for Communications Safeguards may obtain traffic and billing data that are

necessary for settling disputes, particularly with regard to interconnection or billing matters.

Section 124

(Itemised Billing)

1. Subscribers shall have the right to receive, upon request and free of charge, detailed proof of the

items making up the bill, in particular concerning date and starting time of a conversation, selected

numbers, type of numbering, place, duration and units charged for each conversation.

2. The provider of a publicly available electronic communications service shall be required to

enable users to perform communications and request services from any terminal equipment - free of

charge and using simple means – by availing themselves of alternative payment methods, including

anonymous methods, such as credit cards, debit cards or pre-paid cards.

3. The services and communications referred to in paragraph 2 and the communications required to

implement alternative payment methods shall not be displayed in the documents sent to subscribers

concerning the communications performed.

4. The final three digits of the called numbers shall not be displayed in subscriber bills. A subscriber

may request communication of the full numbers relating to the communications at stake for the sole

purpose of specifically challenging either the accuracy of certain charges or charges relating to

limited periods.

5. Having established that the methods referred to in paragraph 2 are actually available, the Garante

may authorise the provider to report the full numbers in the bills.

Section 125

(Calling Line Identification)

1. Where presentation of calling line identification is available, the provider of a publicly available

electronic communications service shall ensure that the calling user has the possibility, free of

charge and using simple means, to eliminate the presentation of calling line identification on a per-

call basis. The calling subscriber must have the same possibility on a per-line basis.

2. Where presentation of calling line identification is available, the provider of a publicly available

electronic communications service shall ensure that the called subscriber has the possibility, free

of charge and using simple means, to prevent presentation of identification of incoming calls.

3. Where presentation of calling line identification is available and such identification is presented

prior to the call being established, the provider of a publicly available electronic communications

service shall ensure that the called subscriber has the possibility, free of charge and using simple

means, to reject incoming calls if the presentation of calling line identification has been eliminated

by the calling user or subscriber.

4. Where presentation of connected line identification is available, the provider of a publicly

available electronic communications service shall ensure that the called subscriber has the

possibility, free of charge and using simple means, to prevent the presentation of connected line

identification to the calling user.

5. Paragraph 1 shall also apply to calls to countries outside the European Union. Paragraphs 2 to 4

shall also apply with regard to calls originating in said countries.

6. Where presentation of calling or connected line identification is available, the provider of a

publicly available electronic communications service shall inform subscribers and users of the

existence of such service as well as of the possibilities referred to in paragraphs 1, 2, 3 and 4.

Section 126

(Location Data)

1. Location data other than traffic data, relating to users or subscribers of public communications

networks or publicly available electronic communications services, may only be processed when

they are made anonymous, or with the prior consent of the users or subscribers, which may be

withdrawn at any time, to the extent and for the duration necessary for the provision of a value

added service.

2. The service provider must inform the users or subscribers, prior to obtaining their consent, of the

type of location data other than traffic data which will be processed, of the purposes and duration of

the processing and whether the data will be transmitted to a third party for the purpose of providing

the value added service.

3. Where consent of the users or subscribers has been obtained for the processing of location data

other than traffic data, the user or subscriber shall continue to have the possibility, using a simple

means and free of charge, of requesting to temporarily refuse the processing of such data for each

connection to the network or for each transmission of a communication.

4. Processing of location data other than traffic data in accordance with paragraphs 1, 2 and 3 shall

be restricted to persons in charge of the processing acting pursuant to Section 30 under the authority

of the provider of the publicly available communications service or, as the case may be, the public

communications network or of the third party providing the value added service. Processing shall be

restricted to what is necessary for the purposes of providing the value added service and must

ensure identification of the persons in charge of the processing that access the data also by means of

automated interrogation operations.

Section 127

(Nuisance and Emergency Calls)

1. Any subscriber receiving nuisance calls may request that the provider of a public

communications network or publicly available electronic communications service override, on a

temporary basis, the elimination of the presentation of calling line identification and store the data

concerning the origin of the incoming call. Overriding the elimination of the presentation of calling

line identification may only be provided for in connection with the time ranges during which the

nuisance calls take place and for no longer than fifteen days.

2. The request made in writing by the subscriber shall specify the manner in which the nuisance

calls are received and, if it is preceded by a request made by phone, shall be forwarded within the

following forty-eight hours.

3. The data stored pursuant to paragraph 1 may be communicated to a subscriber where the latter

declares that he/she will only use them to protect himself/herself against nuisance calls. As for the

services referred to in paragraph 1, the provider shall make available transparent procedures to

subscribers and may charge them amounts not exceeding the costs actually incurred.

4. The provider of a public communications network or publicly available electronic

communications service shall set out transparent procedures in order to ensure that the services

authorised to deal with emergency calls may override, on a per-line basis, the elimination of the

presentation of calling line identification and, if necessary, process location data notwithstanding

the temporary denial or absence of consent of the subscriber or user. Said services shall be

specified in a decree issued by the Minister of Communications after seeking the opinion of the

Garante and the Authority for Communications Safeguards.

Section 128

(Automatic Call Forwarding)

1. The provider of a publicly available electronic communications service shall take the measures

required to allow each subscriber, free of charge and using simple means, to stop automatic call

forwarding by third parties to his/her own terminal.

Section 129

(Directories of Subscribers)

1. The Garante shall issue a provision, in co-operation with the Authority for Communications

Safeguards as per Section 154(3) as well as in compliance with Community legislation, to set out

the arrangements for entering and subsequently using subscribers’ personal data as contained in

publicly available paper or electronic directories, also with regard to the data collected prior to entry

into force of this Code.

2. The provision referred to in Section 1 shall lay down appropriate mechanisms for subscribers to

give their consent to inclusion in said directories as well as to the use of their data for the purposes

referred to in Section 7(4), letter b), the relevant principles consisting in the highest possible

simplification of the mechanisms for being included in a directory that is only intended to allow

searching the contact details of a subscriber, in the need for the subscriber’s express, specific

consent if the purposes of the processing are broader in scope as well as in the possibility for

subscribers to access, rectify or erase their data free of charge.

Section 130

(Unsolicited Communications)

1. The use of automated calling systems without human intervention for the purposes of direct

marketing or sending advertising materials, or else for carrying out market surveys or interactive

business communication shall only be allowed with the user’s consent.

2. Paragraph 1 shall also apply to electronic communications performed by e-mail, facsimile, MMS-

or SMS-type messages or other means for the purposes referred to therein.

3. Except as provided for in paragraphs 1 and 2, further communications for the purposes referred to

therein as performed by different means shall be allowed in pursuance of Sections 23 and 24.

4. Subject to paragraph 1, where a data controller uses, for direct marketing of his/her own products

or services, electronic contact details for electronic mail supplied by a data subject in the context of

the sale of a product or service, said data controller may fail to request the data subject’s consent, on

condition that the services are similar to those that have been the subject of the sale and the data

subject, after being adequately informed, does not object to said use either initially or in connection

with subsequent communications. The data subject shall be informed of the possibility to object to

the processing at any time, using simple means and free of charge, both at the time of collecting the

data and when sending any communications for the purposes referred to in this paragraph.

5. In any event, the practice of sending communications for the purposes referred to in paragraph 1

or anyhow for promotional purposes by disguising or concealing the identity of the sender, or

without a valid address to which the data subject may send a request to exercise the rights referred

to in Section 7, shall be prohibited.

6. In case of persistent breach of the provisions laid down in this Section, the Garante may also

order the provider of electronic communications services, under Section 143(1), letter b), to

implement filtering procedures or other practicable measures with regard to the electronic contact

details for electronic mail used for sending the communications.

Section 131

(Information Provided to Subscribers and Users)

1. The provider of a publicly available electronic communications service shall inform

subscribers and, if possible, users concerning the existence of situations that allow the

contents of communications or conversations to be unintentionally made known to persons

who are not party to them.

2. Subscribers shall inform users whenever the contents of communications or conversations

may come to be known by others either because of the type of terminal equipment used or

because of the connection established between such terminal equipment at the subscribers'

premises.

3. A user shall inform another user whenever, during a conversation, devices are used to

enable said conversation to be heard by others.

Section 132¹

(Traffic Data Retention for Other Purposes)

1. Without prejudice to Section 123(2), telephone traffic data shall be retained by the provider for

twenty-four months with a view to detecting and suppressing criminal offences.

2. Upon expiry of the term referred to in paragraph 1, telephone traffic data shall be retained by the

provider for additional twenty-four months exclusively with a view to detecting and suppressing the

offences referred to in Section 407(2), letter a), of the Criminal Procedure Code as well as any

offences against information or telematics systems.

3. Within the term referred to in paragraph 1, the data may be acquired from the provider by means

of a reasoned order of the judicial authority at the request of either the public prosecutor, defence

counsel, the person under investigation, the injured party, or any other private party, without

prejudice to the requirements set out in Section 8(2), letter f), with regard to incoming phone calls.

Defence counsel for either the defendant or the person under investigation may directly request the

provider to make available the data relating to the subscriptions entered into by his/her client

according to the arrangements specified in Section 391-quater of the Criminal Procedure Code.

4. Upon expiry of the term referred to in paragraph 1, the judicial authority may authorise data

acquisition by means of a reasoned order if sufficient circumstantial evidence is considered to exist

of the commission of the offences under Section 407(2), letter a), of the Criminal Procedure Code

as well as of any offences against information or telematics systems.

¹ As amended by Decree-Law no. 354 of 24th December 2003, converted, with amendments, into Act no. 45 of 26th

February 2004.

5. Data processing for the purposes referred to in paragraphs 1 and 2 shall be carried out by

complying with the measures and precautions to safeguard data subjects as required under Section

17, which are also aimed at

a. providing in all cases for specific systems allowing both computer-based authentication and

authorisation of persons in charge of the processing as per Annex B,

b. making arrangements for the separate retention of the data after expiry of the term referred to in

paragraph 1,

c. setting out the mechanisms for specific persons in charge of the processing to process the data in

such a way as to only allow using the data in the circumstances referred to in paragraph 4 and/or

Section 7 after expiry of the term as per paragraph 1,

d. laying down technical mechanisms to regularly destroy the data after expiry of the term referred

to in paragraphs 1 and 2.

CHAPTER II – INTERNET AND ELECTRONIC NETWORKS

Section 133

(Code of Conduct and Professional Practice)

1. The Garante shall encourage, pursuant to Section 12, adoption of a code of conduct and

professional practice applying to the processing of personal data by providers of communication

and information services supplied by means of electronic communications networks, with particular

regard to the criteria to ensure and streamline adequate information and awareness by users of

public and private electronic communications networks as to the categories of personal data

processed and the mechanisms for such processing – in particular, by providing information notices

online using simple means and in an interactive manner, so as to enhance openness and fairness in

respect of the users as well as full compliance with the principles referred to in Section 11 also with

a view to certifying quality of the implemented mechanisms and the security level afforded.

CHAPTER III – VIDEO SURVEILLANCE

Section 134

(Code of Conduct and Professional Practice)

1. The Garante shall encourage, pursuant to Section 12, adoption of a code of conduct and

professional practice applying to the processing of personal data that is performed by means of

electronic image acquisition devices, by setting forth specific processing arrangements and

simplified mechanisms to inform data subjects in order to ensure lawfulness and fairness of the

processing also in the light of Section 11.

TITLE XI – SELF-EMPLOYED PROFESSIONALS AND PRIVATE DETECTIVES

CHAPTER I – IN GENERAL

Section 135

(Code of Conduct and Professional Practice)

1. The Garante shall encourage, pursuant to Section 12, adoption of a code of conduct and

professional practice applying to the processing of personal data that is performed to carry out

investigations by defence counsel as per Act no. 397 of 7 December 2000 or else to establish or

defend a legal claim, in particular as regards self-employed professionals and entities authorised

under the law to operate as private detectives.

TITLE XII – JOURNALISM AND LITERARY AND ARTISTIC EXPRESSION

CHAPTER I – IN GENERAL

Section 136

(Journalistic Purposes and Other Intellectual Works)

1. This Title shall apply to processing operations

a) that are carried out in the exercise of the journalistic profession and for the sole purposes related

thereto;

b) that are carried out by persons included either in the list of free-lance journalists or in the roll of

trainee journalists as per Sections 26 and 33 of Act no. 69 of 03.02.63;

c) that are carried out on a temporary basis exclusively for the purposes of publication or occasional

circulation of articles, essays and other intellectual works also in terms of artistic expression.

Section 137

(Applicable Provisions)

1. The provisions laid down in this Code concerning

a) the authorisation granted by the Garante pursuant to Section 26,

b) the safeguards referred to in Section 27 in connection with judicial data,

c) transborder data flows as per Title VII of Part I,

shall not apply to the processing operations referred to in Section 136.

2. The data processing operations referred to in paragraph 1 may be performed also in the absence

of the data subject’s consent as per Sections 23 and 26.

3. If the data are communicated or disseminated for the purposes referred to in Section 136, the

limitations imposed on freedom of the press to protect the rights as per Section 2, in particular

concerning materiality of the information with regard to facts of public interest, shall be left

unprejudiced. It shall be allowed to process the data concerning circumstances or events that have

been made known either directly by the data subject or on account of the latter's public conduct.

Section 138

(Professional Secrecy)

1. The provisions concerning professional secrecy in the journalistic profession shall be left

unprejudiced as related to the source of the information if a data subject requests to be informed of

the source of the personal data in accordance with Section 7(2), letter a).

CHAPTER II – CODE OF PRACTICE

Section 139

(Code of Practice Applying to Journalistic Activities)

1. The Garante shall encourage, pursuant to Section 12, adoption of a code of practice by the

National Council of the Press Association as regards processing of the data referred to in Section

136. The code shall include measures and provisions to safeguard data subjects as appropriate in

respect of the nature of the data, with particular regard to those disclosing health and sex life. The

code may also lay down simplified arrangements for providing the information referred to in

Section 13.

2. In the course of drawing up said code, or thereafter, the Garante in cooperation with the Council

shall lay down measures and provisions to safeguard data subjects, which the Council shall have to

adopt.

3. Where the code of practice or any amendments or additions thereto fail to be adopted by the

Council within six months of the proposal put forward by the Garante, they shall be adopted

vicariously by the Garante and enforced until different regulations come into force pursuant to the

cooperation procedure.

4. The code and any amendments or additions thereto shall come into force fifteen days after

publication in the Official Journal as per Section 12.

5. Should any of the provisions in the code of practice be infringed, the Garante may prohibit the

processing pursuant to Section 143(1), letter c).

TITLE XIII – DIRECT MARKETING

CHAPTER I – IN GENERAL

Section 140

(Code of Conduct and Professional Practice)

1. The Garante shall encourage, pursuant to Section 12, adoption of a code of conduct and

professional practice applying to the processing of personal data that is performed to send

advertising materials or for direct selling purposes, or else to carry out market surveys or commercial

communication activities, by also laying down simplified arrangements for a data subject to indicate

and highlight his/her objection to receiving certain communications whenever the data subject’s

consent is not a prerequisite for the processing.

PART III – REMEDIES AND SANCTIONS

TITLE I – ADMINISTRATIVE AND JUDICIAL REMEDIES

CHAPTER I – REMEDIES AVAILABLE TO DATA SUBJECTS BEFORE THE GARANTE

I – GENERAL PRINCIPLES

Section 141

(Available Remedies)

1. Data subjects may apply to the Garante

a) to lodge a circumstantial claim pursuant to Section 142, in order to point out an

infringement of the relevant provisions on the processing of personal data,

b) to lodge a report, if no circumstantial claim as per letter a) may be lodged, in order to call

upon the Garante to check up on the aforementioned provisions,

c) to lodge a complaint with a view to establishing the specific rights referred to in Section 7

in accordance with the arrangements and for the purposes laid down in Part III of this Chapter.

II – ADMINISTRATIVE REMEDIES

Section 142

(Lodging a Claim)

1. A claim shall refer, with as many details as possible, to the facts and circumstances on which it is

grounded, the allegedly infringed provisions and the remedies sought as well as to the identification

data concerning data controller, data processor, if available, and claimant.

2. The claim shall be undersigned either by the data subjects or by associations representing them

also pursuant to Section 9(2) and shall be lodged with the Garante without any specific formalities

being required. Such documents as may be helpful for assessment purposes shall be annexed to the

claim including the relevant letter of attorney, if any, and an address shall be specified to send

communications also by e-mail, facsimile or telephone.

3. The Garante may draw up a claim form to be published in the Bulletin and made available via

electronic means.

Section 143

(Handling a Claim)

1. Upon conclusion of the preparatory phase, if the claim is not found to be manifestly groundless

and the prerequisites for a decision are fulfilled, the Garante

a) may call upon the data controller – also requesting the latter to appear jointly with the data

subject – to autonomously block the processing before ordering that the measures referred to in

letter b) are taken, or before prohibiting or blocking the processing as per letter c),

b) shall order that the data controller takes such measures as are necessary or appropriate to bring

the processing into line with the provisions in force,

c) shall block or prohibit the processing, in whole or in part, if the latter is found to be unlawful or

unfair partly because of the failure to take the necessary measures as per letter b), or else if there is

an actual risk that it may be considerably prejudicial to one or more of the data subjects by having

regard to the nature of the data, the arrangements applying to the processing or the effects that may

be produced by the processing,

d) may prohibit, in whole or in part, processing of data concerning individual entities or categories

if it is in conflict with the substantial public interest,

also prior to finalising the relevant proceeding.

2. The provisions referred to in paragraph 1 shall be published in the Official Journal of the Italian

Republic if the relevant addressees cannot be easily identified on account either of their number or

of the complexity of the inquiries.

Section 144

(Reports)

1. The provisions referred to in Section 143 may also be taken in connection with a report lodged as

per Section 141(1), letter b), if preliminary investigations have already been started, also prior to

finalising the relevant proceeding.

III – NON-JUDICIAL REMEDIES

Section 145

(Complaints)

1. The rights as per Section 7 may be enforced either by filing a lawsuit or by lodging a complaint

with the Garante.

2. Lodging a complaint with the Garante shall not be permitted if an action regarding the same

matter and between the same parties has already been brought before a judicial authority.

3. Lodging a complaint with the Garante shall prevent an action from being brought by the same

parties and for the same matter before a judicial authority.

Section 146

(Prior Request to Data Controller or Processor)

1. Except where the running of time would cause imminent, irreparable harm to a person, lodging a

complaint with the Garante shall only be permitted after a request concerning the same matter has

been made to the data controller or processor pursuant to Section 8(1) and the term provided for in

this Section has expired, or else if said request has not been granted also in part.

2. A response to the request shall be provided by the data controller or processor within fifteen days

of its receipt.

3. Within the deadline referred to in paragraph 2, the data controller or processor shall inform the

data subject that the operations required to fully comply with his/her request are especially

complex, or that delay can be accounted for on other grounds. In this case, the request shall have to

be complied with in full within thirty days of its receipt.

Section 147

(Lodging a Complaint)

1. A complaint shall be lodged against the data controller by specifying:

a) name of complainant, special agent, if any, data controller and, where known, the

data processor that has been designated to provide responses to data subjects exercising the

rights referred to in Section 7;

b) date of the request made to the data controller or processor pursuant to Section 8(1),

or else the imminent, irreparable harm making said request unnecessary;

c) the grounds for the complaint;

d) the remedy sought from the Garante;

e) the domicile of choice for the purposes of the relevant proceeding.

2. The complaint shall be undersigned by either the complainant or the latter’s special agent and

include as attachments

a) a copy of the request made to the data controller or processor pursuant to Section 8(1);

b) the letter of attorney, if any;

c) proof of the payment of office charges.

3. Any documents that may be helpful in evaluating the complaint shall be also attached, including

an address for the service of communications on either the complainant or the special agent by

e-mail, facsimile or telephone.

4. The complaint shall be lodged with the Garante and the relevant signature shall be certified true.

No certification shall be necessary if the complaint is undersigned either at the Office of the Garante

or by a special agent who is included in the roll of lawyers and has been granted power of attorney

in accordance with Section 83 of the Civil Procedure Code, or else if it is electronically signed

pursuant to the legislation in force.

5. Complaints shall have to be lodged exclusively either by registered letter or by electronic

networks in compliance with the arrangements concerning digital signature and receipt

confirmation that are referred to in Section 38(2); alternatively, they may be lodged directly with

the Office of the Garante.

Section 148

(Inadmissible Complaints)

1. A complaint shall be inadmissible

a) if it is lodged by a person having no legitimate title thereto,

b) if Sections 145 and 146 are not complied with,

c) in default of any of the items referred to in Section 147(1) and (2), unless the

complainant or the special agent amend the complaint, also following the invitation made by

the Office of the Garante in accordance with paragraph 2, within seven days of the date on

which it was lodged or said invitation was received. In this case, the complaint shall be

regarded as lodged at the time when the amended complaint is received by the Office.

2. The Garante shall specify the cases in which a complaint may be amended.

Section 149

(Handling a Complaint)

1. The Office of the Garante shall be responsible for communicating a complaint to the data

controller within three days, except where it has been declared to be inadmissible or manifestly

groundless, also informing said controller that he/she may notify both the complainant and the

Office within ten days of the receipt of the above communication that he/she will voluntarily

comply. Said information shall be provided to the data controller by the data processor, if any, that

has been designated to provide responses to data subjects in case the rights as per Section 7 are

exercised, on condition that this is referred to in the complaint.

2. In case of voluntary compliance, a declaration of no case to answer shall be returned. Upon the

complainant’s request, costs and charges relating to the complaint shall be calculated as a lump sum

and either awarded to the opposing party or balanced, also in part, on rightful grounds.

3. The data controller, the data processor referred to in paragraph 1 and the data subject shall have

the right of being heard, whether personally or through a special agent, and of submitting pleadings

or documents. To that end, the communication referred to in para. 1 shall be also sent to the

complainant and specify the term within which the data controller, processor or data subject may

submit pleadings and documents as well as the day on which said persons may be heard, also by

means of suitable audiovisual techniques.

4. In the course of the proceeding, the complainant may better specify his/her claim to the extent

that it falls within the scope of the complaint, or else if the data controller raises objections.

5. The Garante may order, also ex officio, that one or more expert assessments be carried out. The

relevant order shall specify the scope of such assessment and its deadline and shall be

communicated to the parties, who may attend either personally or through their agents or advisors.

The order shall also make arrangements for the payment in advance of any costs relating to the

assessment.

6. The data controller and the data processor referred to in paragraph 1 may be assisted in the

proceeding by an agent or a person of their choice.

7. If the enquiries are especially complex or the parties agree thereto, the sixty-day term referred to

in Section 150(2) may be extended by no more than forty additional days.

8. Running of time as per Section 150(2) and Section 151 shall be stopped by operation of law from

1 August to 15 September of each year and shall start again as of the end of the latter period. Should

time start running during said period, the start shall be postponed to the end of the selfsame period.

Running of time shall not be stopped whenever there exists the harm referred to in Section 146(1)

and its stopping shall not prevent taking the measures referred to in Section 150(1).

Section 150

(Measures Taken Following a Complaint)

1. If so required by the specific case, the Garante may provisionally order either the partial or total

blocking of some of the data, or the immediate termination of one or more processing operations.

Such order may also be adopted prior to communicating the complaint as per Section 149(1) and

shall cease to be effective if the decision mentioned in paragraph 2 is not rendered within the

relevant deadline. The order may be challenged together with said decision.

2. Having gathered the necessary information, the Garante shall order with a reasoned decision, if

the complaint is found to be grounded, that the data controller abstain from the unlawful conduct;

the Garante shall also specify the remedies to enforce the data subject’s rights and set a term for

their implementation. If no decision on the complaint is rendered within sixty days of the date on

which the complaint was lodged, the complaint shall have to be regarded as dismissed.

3. If any party previously requested it, the provision by which the proceeding is finalised shall also

set out the costs and office charges relating to the complaint as a lump sum either to be awarded,

also in part, to the losing party, or to be compensated for, also in part, on rightful grounds.

4. The decision taken by the Garante, regardless of its being provisional, shall be communicated to

the parties within ten days either at their domiciles of choice or at the domiciles specified in the case

records. Said decision may be communicated to the parties also by e-mail or facsimile.

5. If enforcement of the decision referred to in paragraphs 1 and 2 proves difficult or is objected to,

the Garante shall lay down implementing arrangements, after hearing the parties if appropriate, by

availing itself, if necessary, either of Office staff or of the collaboration of other public authorities.

6. If the provision in which costs and charges are set out is not challenged, or if it is dismissed, said

provision shall be regarded as an enforcement order pursuant to Sections 474 and 475 of the Civil

Procedure Code with regard to such costs and charges.

Section 151

(Challenging)

1. The decision and/or tacit dismissal referred to in Section 150(2) may be challenged by the data

controller or the data subject, as the case may be, in that they may file a petition pursuant to Section

152. Challenging shall not suspend enforcement of the decision.

2. Courts shall follow the procedure set out in Section 152.

CHAPTER II – JUDICIAL REMEDIES

Section 152

(Judicial Authorities)

1. Competence over any disputes concerning application of the provisions of this Code, including

those related either to provisions issued by the Garante with regard to personal data protection or to

the failure to adopt such provisions, shall lie with judicial authorities.

2. As regards any dispute referred to in paragraph 1, the relevant proceeding shall be instituted by

filing a petition with the clerk’s office of the court having jurisdiction on the data controller’s place

of residence.

3. The judicial authority shall decide on the case as a single-judge court.

4. Any petition against a provision by the Garante, also in pursuance of Section 143, shall have to

be filed within thirty days of the date on which said provision is communicated or tacitly dismissed.

If the petition is filed thereafter, the court shall declare that it is inadmissible by an order that may

be challenged before the Court of Cassation.

5. Filing of a petition shall not suspend enforcement of the provision by the Garante. The court may

provide wholly or partly otherwise on serious grounds, after hearing the parties, by issuing an order

that may be challenged together with the decision finalising the relevant proceeding.

6. If there is an imminent danger of serious, irretrievable harm, the court may take the necessary

measures by a reasoned decree, also summoning the parties to appear in court by no later than

fifteen days. During the relevant hearing the court shall uphold, amend or discharge the measures

taken by means of said decree.

7. The court shall summon the parties to appear by a decree in which the petitioner shall be notified

of the mandatory term within which he/she shall have to serve said decree on the other parties as

well as on the Garante. There shall be an interval of no less than thirty days between the day of

service and the day in court.

8. Should the petitioner fail to appear on the first day in court without alleging any lawful grounds,

the court shall order that the case be struck off the cause list and declare that the relevant proceeding

is expired, also awarding costs to the petitioner.

9. When dealing with the case, the court shall decide on the items of evidence that it deems to be

necessary, also of its own motion and without any formalities that are unnecessary for dealing with

the case in court, and may order that witnesses be summoned also without laying down the relevant

chapters.

10. Upon completion of the preparatory phase, the court shall invite the parties to sum up their cases

and proceed with the oral argument. The court shall issue a judgment immediately thereafter by

reading the relevant instrument. The reasons for the judgment shall be deposited with the court’s

clerk’s office in the next thirty days. The court may also draw up and read the reasons jointly with

the formal judgment, both being deposited with the court’s clerk’s office immediately thereafter.

11. If necessary, the court may grant no more than ten days for the parties to submit pleadings and

adjourn to the first useful day following expiry of the above term with a view to the oral argument

and issuing of the judgment.

12. With its judgment, the court shall grant or dismiss the petition, in whole or in part, order the

necessary measures, provide for damages, if claimed, and award legal costs to the losing party, also

by derogating from the prohibition referred to in Section 4 of Act no. 2248 of 20 March 1865,

Annex E), whenever this is necessary in connection with, inter alia, acts performed by a public body

in its capacity as data controller or processor.

13. The judgment may not be appealed against, however it may be challenged before the Court of

Cassation.

14. This Section shall also apply to the cases referred to in Section 10(5) of Act no. 121 of 1 April

1981 as subsequently amended.

TITLE II – THE SUPERVISORY AUTHORITY

CHAPTER I – THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI

Section 153

(The Garante)

1. The Garante shall act fully autonomously and independently in its decisions and assessments.

2. The Garante shall be a collegiate body composed of four members, of whom two shall be elected

by the Chamber of Deputies and two by the Senate through a specific voting procedure. The