Salta al contenuto

DIRITTI E PREVENZIONE > COME TUTELARE LA TUA PRIVACY

ricerca avanzata

Provision by the italiana Data Protection Authority - Cases exempted from notification [1672979]

SCHEDA
Garante per la protezione dei dati personali
Doc-Web:
1672979
Data:
31/03/04
Argomenti:
Pubblica Amministrazione , Autorità indipendenti
Tipologia:
Provvedimenti a carattere generale

[doc. web n. 1672979]

versione italiana

Provision by the italiana Data Protection Authority - Cases exempted from notification

Decision no. 1 of 31st March 2004

THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI

Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi, Member, Mr. Mauro Paissan, Member, and Mr. Giovanni Buttarelli, Secretary General, having convened today,

HAVING REGARD to Section 37, paragraphs 1 and 2, of legislative decree no. 196 of 30th June 2003, containing the Personal Data Protection Code,

WHEREAS the above Code sets out the data processing operations to be notified to the Garante and entrusts this Authority with the task of specifying the processing operations that may be exempted from notification, providing that they are not liable to be prejudicial to data subjects' rights and freedoms on account of either the processing mechanisms or the nature of the data at stake (see Section 37(1) ),

WHEREAS the aforementioned Code also entrusts the Garante with the task of specifying other processing operations in addition to those set out in the above statutory provision,

HAVING REGARD to official records,

WHEREAS with regard to the initial implementing phase of the Code, some processing operations are carried out in accordance with such mechanisms as allow, under the current circumstances, exempting them from notification requirements subject to compliance with the other principles and obligations laid down in the personal data protection Code,

HAVING REGARD to the considerations made by the Secretary General pursuant to Section 15 of the Garante's Regulations no. 1/2000,

ACTING on the report submitted by Prof. Stefano Rodotà,

HEREBY DECIDES

A) that the requirement to give notification to the Garante shall not apply, as regards the cases referred to in Section 37(1) of legislative decree no. 196 of 30th June 2003,

1) in respect of the cases referred to in paragraph 1, letter a), of the above Section,

a) to non-systematic processing operations of genetic and/or biometric data carried out by health care professionals, whether jointly or not with other health care professionals acting as controllers of said processing operations, concerning data that are not organised in a data bank accessible to third parties via electronic networks. This provision shall only apply to such data and operations, including communication, as are indispensable for the purpose of safeguarding the data subjects' and/or third parties' health or bodily integrity,

b) to processing of genetic and/or biometric data carried out in the exercise of the legal profession with regard to such data and operations as are necessary to carry out the investigations by defence counsel referred to in Act no. 397/2000, and anyhow to establish or defend a legal claim also concerning a third party, on condition that said claim is not overridden by the data subject's one and the data are only processed with a view to said purposes and for no longer than is absolutely necessary therefor,

c) to processing of data disclosing geographic position of air, sea, and ground transportation means, where it is only carried out for the purpose of transportation security;

2) in respect of the cases referred to in paragraph 1, letter b), of the aforementioned Section, to the processing of data suitable for disclosing health and sex life where it is performed by health care professionals, whether jointly or not with other health care professionals acting as controllers of said processing,

a) for the purpose of assisted reproduction, organ and tissue transplantation, epidemiologic surveys, and assessment of mental, infectious, and epidemic diseases and/or seropositivity, on condition that the processing is not carried out on a systematic basis and concerns data that are not organised in a data bank accessible to third parties also via electronic networks, as regards such data and operations as are indispensable to safeguard the data subjects' and/or third parties' health or bodily integrity,

b) exclusively for the purpose of monitoring health care expenditure or else fulfilling regulatory obligations in respect of occupational and population health and safety;

3) in respect of the cases referred to in paragraph 1, letter c), to the processing of data suitable for disclosing workers' psychological sphere,

a) where it is performed by associations, bodies or organisations of trade-unionistic nature exclusively to fulfil specific obligations and/or duties as set out in employment and/or social security legislation, also concerning the disabled persons' right to employment,

b) where it is performed by not-for-profit associations, bodies or organisations, recognised or not, of a political, philosophical or religious nature with regard to data concerning their own employees and/or collaborators exclusively in order to fulfil specific obligations as set out in employment and/or social security legislation;

4) in respect of the cases referred to in paragraph 1, letter d), to the processing of personal data

a) that is not grounded exclusively on an automated processing operation aimed at defining professional profiles, where said processing is carried out exclusively for occupational purposes or else for the purpose of managing the employer-employee relationship, except for the cases referred to in letter e) of said Section 37(1),

b) that is not grounded exclusively on an automated processing operation aimed at defining an investor's profile, where said processing is carried out exclusively in order to fulfil specific obligations set out in financial brokerage legislation,

c) that is related to the use of electronic markers or similar devices whether installed or temporarily stored, in a non-persistent manner, on an user's terminal equipment, as consisting exclusively in the transmission of session IDs pursuant to the applicable regulations for the sole purpose of facilitating access to the contents of Internet sites;

5) in respect of the cases referred to in paragraph 1, letter e), to the processing of sensitive data carried out

a) for the sole purpose of personnel selection exclusively on behalf of entities belonging to the same company and/or banking group,

b) by public entities exclusively in order to fulfil specific obligations and/or duties as set out in employment and/or labour market legislation,

c) by trade associations and/or organisations for the sole purpose of carrying out sample surveys with regard to data concerning membership of said associations and/or organisations;

6) in respect of the cases referred to in paragraph 1, letter f), to the processing of personal data

a) carried out by public entities to keep public registers or else publicly available lists,

b) that are stored in data banks used to keep in touch with a data subject in connection with the provision of goods or services, or else to comply with accounting and/or tax requirements as also related to breach of contract, factoring of receivables and litigations involving said data subject,

c) that are stored in data banks used by public and/or private entities exclusively to fulfil regulatory obligations concerning employment, social security, or assistance,

d) that are stored in data banks used by public bodies exclusively with a view to keeping and executing instruments, provisions and documents as related to levying of taxes, imposition of administrative sanctions, or granting of licences, concessions, and authorisations,

e) related to images and/or sound as temporarily stored for the sole purpose of securing and/or protecting individuals and/or property,

f) carried out pursuant to law by the entities authorised thereto in connection with such operations and data as are necessary exclusively with a view to collective suretyship guarantees (so-called “confidi”) and any services that are related and/or instrumental thereto;

B) that a copy of this decision be sent to the Ufficio pubblicazione leggi e decreti [Publishing Office for Laws and Decrees] at the Ministry of Justice and published in the Official Journal of the Italian Republic.

Done in Rome, this 31st day of march 2004

THE CHAIRMAN
Rodotà

THE RAPPORTEUR
Rodotà

THE SECRETARY GENERAL
Buttarelli