Code of Practice Applying to the Processing of Personal Data Performed with a View to Defence Investigations
[doc. web n. 1569165]
[doc. web n. 1565171 ]
Code of Practice Applying to the Processing of Personal Data Performed with a View to Defence Investigations
(Published in the Official Journal no. 275 of November 24, 2008)
The Garante per la protezione dei dati personali
We, the entities mentioned hereinafter, undersign this Code of practice on the basis of the following assumptions:
1. Several entities, in particular lawyers and trainee-lawyers included in the respective registers and professional rolls as well as the entities carrying out authorised private detective activities in pursuance of the law, make use of personal data to perform defence investigations in connection with criminal proceedings (under Act no. 397 dated 7 December 2000), or else in order to establish or defend a judicial claim. Use of such data is indispensable to ensure full, effective protection of the rights in question, with particular regard to the right of defence and the right to evidence; effective protection of both rights is not jeopardised, in fact it is enhanced, by the principle whereby personal data must be processed in compliance with the rights, fundamental freedoms and dignity of data subjects as related, in particular, to confidentiality, personal identity, and the right to personal data protection (see sections 1 and 2 of the DP Code);
2. Such specific adjustments and/or precautions as may be provided for by law and/or this code of practice may not be applicable if the data are processed for purposes other than those laid down in article 1 of this code;
3. Being aware of the paramount importance to be attached to the legitimate exercise of the right of defence and the protection of professional secrecy, we, the aforementioned entities, consider it necessary to take account of specific features of our professional activities with particular regard to sensitive and/or judicial personal information. This is aimed at highlighting the peculiarities inherent in looking up, collecting, using and storing data, statements and documents for defence purposes, in particular as related to judicial proceedings, as well as at preventing such implementing uncertainties as have arisen from time to time and have led ultimately to envisage useless safeguards that are not provided for in any items of legislation – in fact, they are at times in conflict with standard operational requirements. The paramount interest in the legitimate exercise of the right of defence must be respected in all cases, including inspection activities; additionally, account must also be taken of the constraints placed by law on the exercise of data subjects' rights (section 7-9 of the DP Code) with a view to safeguarding the right of defence;
4. Data processing for defence purposes contributes to a professional's standing training and gives rise to a set of legal practice precedents that has lasting significance – possibly to meet defence requirements – well after expiry of the retainer and represents an instance of that professional's activity as well;
5. Legislation and implementing instruments already set forth safeguards and arrangements to be complied with in order to protect the personal data that are processed to establish or defend a judicial claim and/or to carry out defence investigations. The safeguards in question – which do not apply to anonymous data – have already allowed clarifying, for instance, under what conditions personal data may be collected without the person's consent and without providing specific information, and that those data may be used for defence purposes in compliance with proportionality standards regardless of whether the relevant civil or criminal proceeding has been instituted or not. Failure to comply with the safeguards and arrangements mentioned above may entail the ban on using the processed data (see section 11(2) of the DP Code). Reference can be made, in particular, to the following:
a. the information notice to be given to data subjects, which may fail to include any items that are already known to the data subject and may be worded concisely and informally as appropriate by taking account of the trust relationship established with one's customer and/or of the specific professional task; the information may also be provided only verbally and once and for all by having regard to all the data collected whether from the data subject or from third parties. It is permitted not to provide the information notice in respect of the data collected from third parties if such data are processed exclusively for as long as may be necessary to establish or defend a judicial claim or else for the purpose of defence investigations; it should be considered that a data is not collected from the data subject if it results from a lawful remote monitoring activity, in particular where such monitoring does not entail any direct interaction with the data subject (see section 13(5)b. of the DP Code);
b. the consent to be obtained from data subjects, which is not required if the processing is necessary to comply with legal obligations and/or the data at issue – including sensitive data – are processed for defending a right also by means of defence investigations. This applies to the data that are processed in the course of a proceeding – including administrative, arbitration and/or conciliation proceedings –, the data processed in the preparatory phase prior to possibly instituting a proceeding – also in order to check whether the right at issue can be actually defended in court – and the data processed after the dispute is settled whether in or out of court. If the data are suitable for disclosing health or sex life, it is necessary to abide by the principle whereby such data may be processed if the right to be protected – irrespective of whether it arises from unlawful activities or events – is not "overridden by the data subject's right, or else if it consists in a personal right or any other fundamental, inviolable right or freedom" (section 24(1)f. and section 26(4)c. of the DP Code; see general authorisations no. 2/2008, 4/2008 and 6/2008, and the DPA's decision dated 9 July 2003);
c. the right to access one's personal data and exercise any other rights vested in data subjects as for the processing of those data, which may be postponed under the law for as long as such exercise might be specifically and tangibly prejudicial to the performance of defence investigations and/or the establishment of judicial claims (see section 8(2)e. of the DP Code);
d. cross-border transfers of the data where performed exclusively for the purposes of defence investigations or anyhow in order to establish or defend a judicial claim; such transfers, providing they are performed for no longer than is absolutely necessary, are not prohibited whether they are targeted to EU or non-EU countries (see sections 42 and 43(1)e. of the DP Code);
e. notification of the processing, which is not required in respect of many processing operations performed to establish or defend a judicial claim and/or to carry out defence investigations (see section 37(1) of the DP Code, and the DPA's decision no. 1 dated 31 March 2004 including the explanatory note no. 9564/33365 dated 23 April 2004);
f. appointment of persons in charge of the processing and data processors, if any, taking account that one is allowed to avail himself/herself of entities that can lawfully process the data at issue (colleagues, collaborators, partners, process agents, alternates, experts, and consultants not acting in their capacity as data controllers: see sections 29 and 30 of the DP Code);
g. specific data categories such as genetic data, which are already covered by certain safeguards with particular regard to compliance with proportionality requirements, security measures, information notices to data subjects and provision of consent (section 90 of the DP Code; see the DPA's general authorisation dated 22 February 2007);
h. law informatics as per sections 51 and 52 of the DP Code, which is the subject of ad-hoc legal provisions setting out the appropriate precautions in order to protect data subjects without jeopardising scientific and legal information;
i. use of public data and any other information contained in public registers, lists, instruments and/or publicly available documents or else in databases, archives and registers including the registry of births, marriages and deaths, whereby personal information may be retrieved lawfully from such sources and reported in certificates and statements that can be used for defence purposes;
6. Given the above scenario, this Code sets forth supplementary rules of conduct that make up an essential precondition for the data to be processed both fairly and lawfully – even though they produce no direct effects on disciplinary breaches. The Code in question is without prejudice to the rules of professional practice and/or the decisions made in this connection by the competent sector-related bodies, which remain enforceable as a separate, autonomous set of determinations – in particular as for the Code of Practice of the Bar. On the other hand, non-compliance with the latter Code may be relevant with a view to assessing lawfulness and fairness in the processing of personal data;
7. Data protection is supported by additional principles that are already enshrined in the Criminal Procedure Code as well as in the Code of Practice of the Bar – in particular as for confidentiality and secrecy obligations also vis-à-vis former clients; the disclosure of information that is confidential and/or subject to professional secrecy; disclosure of clients' names; recording of conversations between lawyers; and correspondence between colleagues. Other rules of conduct set forth by the Union of Italy's Criminal Lawyers and/or other signatory bodies of this Code are also helpful in this regard.
Chapter I – General Principles
Article 1 – Scope
1. The provisions of this code must be complied with by the following entities in processing personal data to carry out defence investigations and/or to establish or defend a judicial claim whether during a proceeding – including administrative, arbitration and conciliation proceedings – or in the preparatory phase prior to instituting a proceeding, or else upon conclusion of a proceeding:
a. Lawyers and/or trainee lawyers included in district rolls and/or the relevant registers, sections and lists whether working alone or as a law firm or partnership and providing in-court and out-of-court assistance and/or advisory services, whether based on a retainer or not, also by means of collaborators and employees; foreign lawyers practising in the State's territory in compliance with the law;
b. Entities carrying out private investigation activities also when hired by defence counsel (see general authorisation no. 6/2007, point 2) – under the terms of section 134 of Royal decree no. 773 dated 18 June 1931 and section 222 of the co-ordination provisions applying to the Criminal Procedure Code.
2. The provisions set forth in this Code shall also apply to any entity processing personal data for the purposes mentioned in paragraph 1, in particular to any other self-employed professionals and/or any other entities providing assistance and/or advisory services for the same purposes in compliance with the law, based on an ad-hoc appointment.
Chapter II – Processing Operations by Lawyers
Article 2 – Processing Arrangements
1. A lawyer shall make such arrangements in processing personal data, also without automated means, as are found to be appropriate, on a case by case basis, to foster actual respect for data subjects' rights, freedoms and dignity; in so doing, the purpose limitation, data minimization, and non-excessiveness principles shall have to be applied, the envisaged safeguards shall have to be assessed as to their substance rather than their form, and the quality and amount of the information to be processed shall have to be taken into account along with the possible risks.
2. Any decisions on the issues mentioned in paragraph 1 shall be made by the data controller, who shall consist – depending on the specific circumstances – in
a. The given professional;
b. Several professionals whether acting as joint defence counsel for the same client or involved in the relevant professional activity in their capacity as advisors and/or service agents, also without being appointed as defence counsel;
c. An association or partnership among professionals.
3. Within the framework of the appropriate instructions to be given in writing to the persons in charge of the processing, who must be appointed, as well as to the data processors, who may be appointed on an optional basis (see sections 29 and 30 of the DP code), specific guidance shall be provided on the arrangements to be complied with by the said entities; account shall be taken in this connection of the role vested in each entity - i.e. as a deputy barrister, practising or non-practising trainee lawyer, party-appointed expert, court-appointed expert, private detective and/or as an entity not acting in their capacity as separate data controllers, or else as a trainee, intern, or person in charge for administrative collaboration.
4. Specific attention shall be paid to the adoption of suitable precautions to prevent data from being collected, used or disclosed without justification if
a. Highly confidential items of information, data and/or documents are acquired, including where such information, data and documents may entail specific risks to data subjects;
b. Correspondence is exchanged, in particular via electronic networks;
c. Professionals in a law firm carry out activities in respect of their own client portfolio;
d. Any data is used whose lawfulness is questionable, partly because of the use of invasive techniques;
e. Data contained in specific devices and/or media, in particular electronic media (including audiovisual recordings), and/or in specific documents (telephone and Internet traffic data records, technical and experts' reports, reports by private detectives) are used and destroyed;
f. Records are kept but not used in a proceeding, and database queries are performed for internal purposes, in particular if those databases can be accessed also via electronic networks from offices of the same data controller that are located elsewhere;
g. Data and/or documents are acquired from third parties after checking that one has the right to obtain such data and documents;
h. Records are kept that relate to cases already dealt with.
5. If a data is processed to exercise the right of defence before a judicial authority, this may take place prior to instituting the relevant proceeding on condition the data in question is strictly functional to exercising the right of defence and the principles of proportionality, relevance, completeness and non-excessiveness are complied with by having regard to the defence purposes (see section 11 of the DP Code).
6. The following data are used lawfully and fairly:
a. The personal data contained in public registers, lists, rolls, records or publicly available documents as well as in databases, archives and lists including the register of births, marriages and deaths; personal information may be lawfully retrieved from the said repositories and reported in certifications and statements that may be used for defence purposes;
b. Records, notes, statements and information acquired in connection with defence investigations, in particular under sections 391-bis, 391-ter and 391-quater of the Criminal Procedure Code, whereby any requests for copies thereof shall not be granted without justification. Should it happen that any data is collected that is excessive and irrelevant vis-à-vis the defence purposes, also when acquiring statements and information in pursuance of the said sections 391-bis, 391-ter and 391-quater of the Criminal Procedure Code, that data shall belong with any other data collected as above if it cannot be extracted and/or destroyed.
Article 3 – Single Information Notice
1. A lawyer may provide an information notice on the processing of personal data (under section 13 of the DP Code) in one with the information he/she is required to disclose in pursuance of defence investigation legislation – e.g. by posting them in the premises of the law firm and/or on the respective website, where available; the information may also be worded concisely and informally.
Article 4 – Data Retention and Erasure
1. The fact that a proceeding pending before a judicial authority is concluded and/or the given assignment has been fulfilled does not entail that the data are to be disposed of. Once the proceeding is extinguished and/or the relevant retainer expires, any records and/or documents concerning the subject matter of the defence and/or defence investigations may be kept – either as originals or in copies – also in electronic format, if this is found to be necessary by having regard to foreseeable, additional defence requirements applying to the relevant client and/or data controller. This is without prejudice to use of the data in question in anonymous format for scientific purposes. The relevant assessment shall be carried out by having regard to the type of data. Where the data are to be retained to comply with legal obligations including taxation and the fight against crime, only such personal data as is actually necessary to comply with the said obligations shall be retained.
2. Without prejudice to the provisions set forth in the Code of Practice of the Bar as for returning the original documents to one's client, and unless provided otherwise by the law, it shall be allowed to destroy, erase or deliver the full documents contained in past case files and the respective copies to the person entitled thereto and/or to the latter's heirs and assigns, on condition the relevant client is notified thereof beforehand.
3. Should the power of attorney and/or the retainer be withdrawn or waived, such documents as have been acquired shall be provided to the supervening defence counsel in original format, if this is the format in which they are kept.
4. Controllership in respect of the processing shall not be terminated merely because of the suspension and/or termination of one's professional activity. In case of termination also due to supervening impediments, and if no substitute defence counsel is available in respect of the given case, the documents related to past case files shall be delivered to the relevant Council – after expiry of a suitable period following communication to one's client – so that they can be kept for defence purposes.
Article 5 – Data Communication and Dissemination
1. As for relationships with the press and third parties, non-confidential information may be provided if this is necessary to safeguard one's client – regardless of whether this has been agreed upon with the said client – in compliance with the principles of purpose limitation, lawfulness, fairness, data minimization, relevance and non-excessiveness as per Section 11 of the DP Code as well as by respecting the data subject's and third parties' rights and dignity, any prohibitions set forth in the law, and the Code of practice of the Bar.
Article 6 – Inquiries Concerning Documents Held by Defence Counsel
1. Whenever a lawyer is subject to inquiries and inspections, he/she shall be entitled – under section 159(3) of the DP Code – to arrange for the Chair of the competent Bar Council and/or a member of the Council acting on the Chair's behalf to attend. If the Chair is attending and so requests, a copy of the relevant order shall be delivered to him/her.
2. As for the requests to access or obtain communication of traffic data related to incoming phone calls under section 8(2)f. and section 24(1)f. of the DP Code, a lawyer shall certify to the provider of publicly available electronic communications services that the failure to obtain the said data will be actually and tangibly prejudicial to the performance of defence investigations; in doing so, he need not mention the case file number allocated to the given criminal proceeding.
Chapter III – Processing by Other Self-Employed Professionals and Other Entities
Article 7 – Application of Provisions Concerning Lawyers
1. The provisions set forth in Articles 2 and 5 shall apply to the following entities without prejudice to what is applicable by law exclusively to lawyers:
a. Self-employed professionals providing advisory and assistance services to establish or defend a judicial claim and/or to carry out defence investigations whether after being entrusted therewith by a lawyer and/or jointly with a lawyer and/or in the cases and to the extent permitted by the law;
b. Any other entities mentioned in Article 1(2) subject to what is manifestly incompatible with the individual entity and/or the function discharged by the said entity.
Chapter IV – Processing by Private Detectives
Article 8 – Processing Mechanisms
1. A private detective shall arrange for the processing of personal data, whether automated or not, to be compliant with the requirements laid down in Article 2(1).
2. A private detective may not undertake investigations, surveys and any other type of data collection on their own initiative. The said activities may only be carried out if the detective has been hired on purpose via a written agreement and they may only be aimed at the purposes mentioned in this Code.
3. The hiring agreement must refer specifically to the right to be established before a judicial authority, or else the criminal proceeding the investigation relates to, along with the main factual elements accounting for the said investigation and the reasonable deadline for concluding the investigation.
4. A private detective shall discharge the task committed to him/her in person by only availing himself/herself of such additional detectives as are referred to individually in the hiring agreement; the names of the said additional detectives may be appended subsequently to the agreement if this option is envisaged therein. The provisions applying to the processing of sensitive data as set forth in the Garante's authorisations shall be left unprejudiced.
5. Where a private detective avails himself/herself of in-house staff as either data processors or persons in charge of the processing pursuant to sections 29 and 30 of the DP Code, he/she shall issue specific instructions on the arrangements to be abided by and supervise – at least on a weekly basis – that the applicable laws and instructions are complied with.
6. The defence counsel and/or the hiring entity must be informed regularly on the progress made with the investigations; this is also meant to allow them to timely assess what decisions to make in respect of establishing the judicial claim and/or exercising the right to evidence.
Article 9 – Other Rules of Conduct
1. A private detective shall refrain from any practices that fail to conform with legal obligations and constraints; in particular, a private detective shall ensure that the following are in line with the lawfulness and fairness standards laid down in the DP Code:
a. Acquisition of personal data from other data controllers, including browsing of such data, whereby it shall be verified that one is entitled to obtain the data in question;
b. Deployment of lawful monitoring activities, especially remote monitoring, and video/audio recording;
c. Collection of biometric data.
2. A private detective shall comply with the provisions set forth in Article 2(4) to (6) of this Code when processing data.
Article 10 – Data Retention and Erasure
1. Under the terms of section 11(1)e. of the DP Code, any personal data that is processed by a private detective may be kept for no longer than is absolutely necessary to discharge the task committed. To that end, it shall be necessary to continuously verify that the data are closely relevant, not excessive and indispensable by having regard to the purposes sought and the task committed as above; regular controls may be carried out for this purpose.
2. Upon completion of the specific investigation, the processing must be discontinued in all respects except for the immediate communication of the data to the defence counsel and/or the hiring entity; the latter may allow – also via a specific assignment – that closely personal items related to the entities that have dealt with the relevant activities be retained, on a provisional basis, exclusively in order to provide proof that their conduct was lawful and fair. If the processing has been challenged, the defence counsel and/or the hiring entity may also provide the detective with such items as are required to provide proof that their conduct was lawful and fair – for no longer than this is absolutely necessary.
3. The fact that the proceeding underlying the given investigation is as yet pending, or that the case was brought before a higher-instance court pending the final judgment, does not represent in itself a valid justification for the private detective to retain the data.
Article 11 – Information Notice
1. A private detective may provide the information notice at a single juncture in pursuance of Article 3 hereof by highlighting the detective's identity and professional capacity as well as the circumstance that the data are provided on an optional basis.
Chapter V – Final Provisions
Article 12 – Monitoring Implementation of the Code
1. Under section 135 of the DP Code, the signatories to this code shall undertake collaboration initiatives to regularly monitor its implementation also with a view to making such adjustments as may be appropriate in the light of technological developments, experience and/or regulatory changes.
Article 13 – Entry into Force
1. This code shall apply as from 1 January 2009.