Annual Report For 2011 – Summary
- Main Legislative and Regulatory Developments; -Relationships with Parliament and Other Institutions; - Main Activities by the DPA; - Media and Outreach
Italian Data Protection Authority
Annual Report For 2011 – Summary
Main Legislative and Regulatory Developments
Significant amendments were made to the Italian DP Code in 2011. They mainly concerned the following:
- Processing of personal data relating to legal persons: The Act containing urgent financial measures (May 2011) excluded legal persons from the scope of application of the DP Code, if the processing was performed for the so-called administrative and accounting purposes and as part of business-to-business relations (see Section 5(3) of the DP Code). Whilst this provision was subsequently repealed (in December 2011), a new amendment to the Code (Section 4) introduced in May 2012 ultimately excluded legal persons from the definition of "personal data" – whereby a personal data is "any information relating to a natural person" only. This means that the DP Code currently does not apply to the processing of personal data relating to legal persons (including associations, foundations, committees, etc.); however, the DPA issued a detailed opinion (published ultimately in October 2012) to clarify that this is to be construed not to exclude legal persons to the extent they are "subscribers" to a publicly available electronic communications service as per the definitions contained in the DP Code in pursuance of the e-privacy directive (Section 4(2)f.).
- Telemarketing: The 2011 Act on urgent financial measures also extended the opt-out regime to unsolicited postal marketing alongside telephone-based marketing. Based on the latter amendment, direct marketers may now rely on postal addresses contained in subscriber directories without having to obtain the subscribers' prior consent – providing such subscribers have not opted out of this promotional activity by entering their phone numbers and postal addresses in the ad-hoc Opt-Out Register.
- Security Policy Document: A further instance of simplification was introduced via the said 2011 Act to exempt "an entity [that] only processes non-sensitive personal data or else sensitive and judicial data that relate to the respective employees and collaborators, including non-EU nationals, and/or to their spouses and/or relatives" from submitting the so-called "Security Policy Document" (Documento programmatico per la sicurezza, DPS) to the DPA. This obligation was repealed altogether via an amendment to the DP Code that was introduced in May 2012. It should be recalled that all the other security measures continue to be fully applicable.
- Additional amendments were made by the 2011 Act, which exempted private entities and profit-seeking public bodies from obtaining prior consent in order to process personal data contained in CVs or biographies if these are sent voluntarily by prospective job candidates as well as in order to transfer personal information within a corporate group.
Relationships with Parliament and Other Institutions
The DPA was heard by Parliament on several occasions before Parliamentary Committees or other Parliamentary Forums on issues tabled by Parliament as well as in connection with fact-finding initiatives or prior to the passing of bills.
In all cases the DPA pointed out the possible implications as for the processing of personal data. Reference can be made in particular to the following:
- Bills containing provisions to enable implantation of unused embryos kept at Italian centres for medically assisted reproduction;
- Amendments to the Italian data protection Code (see above); additional relevant provisions contained in decree no. 70/2011 (urgent financial measures),
- Operation of the national unified coding system as used in connection with the comparative study on effectiveness, quality and appropriateness of Italian health care agencies;
- Fact-finding investigation into degenerative diseases of special social importance, with particular regard to breast cancer, chronic rheumatic diseases, and the HIV syndrome.
Considerable importance should be also attached to the opinions rendered by the DPA concerning both secondary legislation (Government-initiated instruments) and regional legislation impacting the protection of personal data (under section 154(4) of the DP Code). Mention can be made of the opinions regarding the Register of mammal prostheses; a regulation laying down technical rules for implementing ICT in civil and criminal proceedings; technical rules to identify the owner of a certified email account also via electronic networks; management of the Register of auditors and auditing companies; the Guidelines issued by Digit-PA [the public agency in charge of fostering ICT in the public administration] regarding disaster recovery in the public sector; the provisions supplementing Italy's civil procedure code as for reducing and simplifying fact-finding proceedings under civil law. However, it should be pointed out that the DPA was not asked for the advice mandated by the law in all cases in which data protection issues were involved.
Main Activities by the DPA
- Journalism and Online Information: Whilst acknowledging that the publication of court transcripts no longer subject to confidentiality constraints is part of freedom of expression, the DPA issued an injunction to a web site banning online dissemination of information that was excessive as well as irrelevant for the specific information purposes – even though it was contained in the judicial order to remand the defendant in custody.
- Genetic Data: The general authorization granted by the DPA to process genetic data was upgraded following an opinion rendered to the Italian Ministry of Health. The new general authorization takes account of the experience gathered as well as of the contributions coming from authoritative experts; it was also granted to public and private mediation organisations as per the legislation enacted recently.
- Processing for Purposes of Scientific Research: In 2011 there was an upsurge in the applications to authorize processing for purposes of scientific research without the data subjects' consent, on account of the alleged impossibility to inform a significant portion of the patients concerned. The DPA issued a provisional general authorization taking account of the most frequent cases in which one could justifiably fail to inform data subjects – in particular because of "ethical reasons" and/or "impossibility resulting from organisational arrangements".
- Processing Data in the Employer-Employee Relationship: Several decisions issued in 2011 highlighted the multifarious situations in which employer-employee relationships develop along with the need for carefully considering the relevance of any personal information used in this context. The main decisions concerned monitoring of employees' Internet navigation; admissibility in disciplinary proceedings of information retrieved from the web; use of questionnaires on employees' personality traits; disclosure of information on alleged "moonlighting" (second jobs) to the national occupational insurance body; geolocation of employees; etc.
The DPA clarified that the roles played by the entities involved in telemarketing activities should be determined by having regard to the factual circumstances in which the processing of personal data takes place. In principle, the data controller is the entity on whose behalf and/or in whose name the promotional activities are being implemented; accordingly, the Italian DPA specified that any company outsourcing its promotional activities to external providers whilst retaining the factual operational control over such activities must appoint the promoters, agents, etc. in question formally as data processors in compliance with the Italian DP law.
Unsolicited marketing calls, following the setting-up of the "Opt-Out (Do-Not-Call) Register" for users that do not wish to receive promotional calls, in the light of the relevant implementing difficulties;
"Silent" calls, i.e. those phone calls – at times repeated on the same day – in which users are left without any safeguards and remedies to face the "dead air" on the caller's side. In this connection, the DPA ordered a company that relied on a dialer-based system to implement various arrangements and measures in order to prevent repeated silent calls and rule out the calling of the same number for at least a 30-day period;
Unsolicited faxes: The DPA ruled that the Italian DP Code applied to a company established in a third country that kept (prospective) customers' personal data in such country and relied on remote data handling mechanisms, to the extent the company made use substantially of a data transmission equipment (fax gateway) located in Italy. For this reason, the promotional faxes sent by the said company without providing suitable information notices and obtaining the recipients' prior consent were found to be unlawful and accordingly prohibited.
The main areas of activity in this case is related to "Online subscriber directories": several complaints had been lodged against a company that had posted a subscriber directory including "confidential" information on the web. The DPA found the processing in question to be unlawful insofar as the personal data contained in the directory had not been taken from the "Unified Telephone Database" (DBU, Database Unico), which is the only legitimate source for telephone subscriber directories under Italian law.
Media and Outreach
The DPA continued its awareness-raising initiatives by focusing especially on youths; to that end, ad-hoc publishing initiatives were launched concerning social networks, schools, and health care. A competition was also organized called "Privacy 2.0: Youths and New Technologies" in which high-school students were called upon to create short films on privacy and thus work as script-writers, performers, directors, and so on. Reference should also be made to a judgment by Italy's Court of Cassation of 28 September 2011 concerning the relationship between privacy and journalism; in particular, the Court of Cassation (Civil Law Division) upheld a judgment by an Appellate Court which had ruled out any harm coming from publication of a newspaper feature since the facts at issue had been demonstrated to be true. In the Court of Cassation's view, no harm is caused to an individual's identity if a newspaper feature only reports factual circumstances that have occurred in reality.