Authorisation No. 3/2014 Concerning Processing of Sensitive Data by Associations and Foundations 
[doc. web n. 3800792]
Authorisation No. 3/2014 Concerning Processing of Sensitive Data by Associations and Foundations
Published in Italy's Official Journal No. 301 of 30 December 2014
The Italian Data Protection Authority
Having convened today, with the participation of Mr. Antonello Soro, President, Ms. Augusta Iannini, Vice-President, Ms. Giovanna Bianchi Clerici and Prof. Licia Califano, Members, and Mr. Giuseppe Busia, Secretary-General;
Having regard to Legislative Decree no. 196 of 30 June 2003, containing the personal data protection Code;
Having regard to, in particular, Section 4(1), letter d), of the abovementioned Code, in which sensitive data are referred to;
Whereas under Section 26(1) of the Code private bodies and profit-seeking public bodies may only process sensitive data upon authorisation by this Authority and, where necessary, after obtaining the data subjects' written consent, subject to compliance with the conditions and limitations set out in the Code as well as in laws and regulations;
Having regard to paragraph 4, letter a), of the aforementioned Section 26, providing that sensitive data may be processed without the data subject's consent, subject to the Garante's authorisation, "if the processing is carried out for specific, lawful purposes as set out in the relevant memorandums, articles of association or collective agreements by not-for-profit associations, bodies or organisations, whether recognised or not, of political, philosophical, religious or trade-unionist nature, including political parties and movements, with regard to personal data concerning members and/or entities having regular contacts with said associations, bodies or organisations in connection with the aforementioned purposes, provided that the data are not communicated or disclosed outside and the bodies, associations or organisations lay down suitable safeguards in respect of the processing operations performed by expressly setting out the arrangements for using the data through a resolution that shall be made known to data subjects at the time of providing the information under Section 13";
Having regard to paragraph 3, letters a) and b), of the aforementioned Section 26, providing that the requirements set out in paragraph 1 thereof shall not apply to processing a) of the data concerning members of religious denominations and entities having regular contact with said denominations for exclusively religious purposes, on condition that the data are processed by the relevant organs or else by entities recognised under civil law and are not communicated or disseminated outside said denominations, and b) of the data concerning affiliation of trade unions and/or trade associations or organisations to other trade unions and/or trade associations, organisations or confederations;
Whereas the religious denominations referred to in letter a) of Section 26(3) of the Code are required to lay down suitable safeguards with regard to the processing operations performed by complying with the relevant principles as set out in an authorisation by the Garante;
Having regard to Section 181(6) of the Code, under which religious denominations that, prior to adoption of said Code, had laid down and adopted the safeguards referred to in the aforementioned Section 26(3), letter a), within the framework of their respective regulations, may continue processing data in compliance with said safeguards;
Whereas the processing of the data in question may be authorised by the Garante also ex officio by way of general provisions applying to specific categories of controller and/or processing (Section 40 of the Code);
Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation decrees;
Whereas it is appropriate to grant new authorisations replacing those due to expire on 31 December 2014 by streamlining their provisions in the light of the experience gathered so far;
Whereas it is appropriate for these new authorisations to be also provisional and time-limited in pursuance of Section 41(5) of the Code and, in particular, to be effective for twenty-four months;
Whereas it is necessary to ensure compliance with principles aimed at minimising the risk of affecting or endangering, through the processing, fundamental rights and freedoms and human dignity, with particular regard to the right to personal data protection set out in Section 1 of the Code;
Whereas a considerable number of processing operations concerning sensitive data are performed by associations and foundations to achieve specific, lawful purposes as laid down in the respective memorandums or articles of association, or else in collective agreements;
Having regard to Section 167 of the Code;
Having regard to Section 11(2) of the Code, prohibiting the use of any data that is processed in breach of the provisions applying to the processing of personal data;
Having regard to Section 31 and following ones of the Code as well as to the Technical Specifications contained in Annex B thereto, which lay down provisions and rules concerning security measures;
Having regard to Section 41 of the Code;
Having regard to Section 42 et seq. of the Code concerning cross-border data flows;
Having regard to official records;
Having regard to the considerations made by the Secretary General on behalf of the Office, in pursuance of Section 15 of the Rules of Procedure of the Garante (no. 1/2000);
Acting on the report submitted by Ms. Giovanna Bianchi Clerici;
the processing of sensitive data as per Section 4(1), letter d), of the Code by associations, foundations, committees and similar organisations, in compliance with the following requirements.
Prior to starting and/or continuing the processing, information systems and software shall be configured by minimising the use of personal and/or identification data in such a way as to prevent their processing if the purposes sought in the individual cases can be achieved by using either anonymous data or suitable mechanisms to allow identifying data subjects exclusively when necessary – as provided for in Section 3 of the Code
1) Scope of Application
This authorisation shall be granted:
a) to associations, recognised or not, political parties and movements, trade-union associations and organisations, trade associations, social security funds, assistance or voluntary organisations as well as federations and confederations including the above entities in compliance with the relevant memorandums and/or articles of association or else with collective agreements, if any;
b) to foundations, committees and any other non-profit bodies, consortia or entities, regardless of their being legal persons, including non-profit organisations for social purposes [organizzazioni non lucrative di utilità sociale, Onlus];
c) to social co-operatives and mutual aid societies as per Act no. 381 of 08.11.91 and no. 3818 of 15.04.1886, respectively.
This authorisation shall also be granted to schools with regard to the processing of data disclosing religious beliefs as well as to the activities that are absolutely necessary in order to implement Section 310 of legislative decree no. 297 of 16.04.94 and Sections 3 and 10 of legislative decree no. 59 of 19.02.2004.
The obligation referred to in Section 26(3), letter a), of the Code, whereby religious denominations are to set out suitable safeguards in respect of the processing operations performed, which must be compliant with the principles laid down herein, is hereby left unprejudiced.
Under Section 181(6) of the Code, religious denominations that, prior to adoption of said Code, had laid down and adopted the safeguards referred to in Section 26(3), letter a), of the Code within the framework of their regulations, may continue the processing operations carried out either by their respective organisations or by entities recognised under civil law, providing they comply with said safeguards.
2) Purposes of the Processing
This authorisation shall be granted for specific, legitimate purposes as set out in the relevant articles and/or memorandums of association, or collective agreements, if any, in particular as regards cultural, religious, political or trade-union purposes, amateur participation in sports activities or sports competitions, educational purposes including the freedom to choose one's religious education, training, scientific research, legal assistance provided by trade union-related bodies, protection of the environment and arts and historical heritage, civil rights protection as well as charitable purposes, welfare, and health care.
This authorisation shall also be granted for the establishment or defence of a legal claim, also by third parties, including administrative proceedings and arbitration or settlement proceedings in the cases provided for by laws, Community legislation, regulations or collective agreements.
Additionally, this authorisation shall be granted with a view to exercising the right of access to administrative records in accordance with the relevant laws and regulations.
For the purposes referred to above, the processing of sensitive data may also concern the keeping of accounting books and records, lists, mailing lists, and any other documents required with a view to managing administrative matters in respect of the association, foundation, committee or entity, complying with tax requirements, or circulating journals, bulletins and similar publications.
If the entities as per letters a), b) and c) of point 1 avail themselves of legal persons, other profit-making entities, or else self-employed professionals for the above purposes, or if they request the latter to supply goods or services, this authorisation shall be granted to said entities, legal persons, and self-employed professionals as well.
The entities as per the aforementioned letters a), b) and c) may disclose, to legal persons and profit-making entities acting as controllers on their own account, only such sensitive data as are absolutely indispensable for the activities actually serving the above purposes – with particular regard to data subjects' particulars and mailing lists; to that end, a written instrument shall have to detail the information disclosed, the arrangements made for its subsequent use, the specific security measures taken, and – where necessary – the suitable safeguards decided upon. The notice by which data subjects give their consent in writing must especially highlight this fact and refer specifically to the data controller(s) and the relevant purposes. As well as complying with the provisions laid down under 4) and 6) to ensure that data are relevant, not excessive, and indispensable, legal persons and profit-making entities may only process the data collected as above for purposes that are subservient to those mentioned above, or else for management and accounting purposes.
3) Data Subjects
Processing may concern sensitive data in respect of:
a) members of an association, partners and, if this is absolutely indispensable for the purposes referred to under 2), their respective family members and cohabiting persons;
b) members, supporters or subscribers and any person applying for membership in or accession to, or having regular contacts with, an association, foundation or other entity;
c) any person holding offices, whether honorary or not;
d) beneficiaries and/or users of the activities or services delivered by an association or any other organisation, on condition they can be identified pursuant to the respective memorandums or articles of association, if any, as well as any person in whose interest the entities referred to under 1) may act on the basis of regulatory provisions;
e) students registered and/or applying for registration with the institutions referred to under 1) and, as for underage persons, their parents or else any person having parental authority;
f) employees of the association members and/or partners with regard to data suitable for disclosing membership of trade unions, associations or organisations with trade-union aims, and to the operations required to fulfil specific obligations resulting from collective agreements also applying to individual businesses.
4) Categories of Processed Data
This Authorisation shall not apply to the data suitable for disclosing health and sex life, which are the subject of General Authorisation No. 2/2014.
The processing may concern the other sensitive data referred to in Section 4(1), letter d), of the Code, which are suitable for disclosing racial and ethnic origin, religious, philosophical or other beliefs, political opinions, and membership of parties, trade unions, associations or organisations with a religious, philosophical, political or trade-union aim.
Processing may concern such data and operations as are indispensable to achieve the purposes under 1) or anyhow to fulfil obligations provided for by laws, Community legislation, regulations and collective agreements, if those purposes and obligations cannot be fulfilled, on a case by case basis, by processing either anonymous data or personal data of a different kind.
To that end it shall be verified, also by way of regular controls, that the data are closely relevant, not excessive, and indispensable in respect of the aforementioned purposes and obligations, with particular regard to data disclosing opinions and innermost beliefs including the data supplied on the data subject's initiative. Any data that is found to be either excessive or irrelevant or non indispensable, also based on said verification, may not be used except with a view to keeping the instrument and/or document containing the data in question as required by law.
5) Processing Mechanisms
Without prejudice to the obligations laid down in Sections 11 and 14 of the Code, in Section 31 and following ones of the Code, and in Annex B to the latter, the processing of sensitive data shall only be carried out via such operations and in accordance with such logic and organisational data arrangements as are absolutely indispensable by having regard to the purposes and obligations referred to under 2).
The data shall be collected, as a rule, from the data subject.
Subject to the provisions made in points 2) and 7) hereof, if it is indispensable to communicate or disseminate data outside an association, foundation, committee, or other entity under said point 7), the data subjects' written consent shall be obtained after providing a suitable information notice to the data subjects in question pursuant to Section 13 of the Code, whereby the notice shall detail the specific mechanisms to use the data in the light of the suitable safeguards that have been adopted in respect of the processing operations to be performed.
6) Data Retention
In compliance with the obligation referred to in Section 11(1), letter e), of the Code, sensitive data shall be kept for no longer than is necessary to achieve the purposes as per point 2), or else to fulfil the obligations mentioned therein.
The verification referred to in the last paragraph of point 4) shall also concern relevance, non-excessiveness and indispensability of the data with regard either to the activity carried out by the data subject or to the relationship between the data subject and the entities referred to in point 1) – in the light of the nature of the service or benefit supplied to the data subject as well as of the status pertaining to the latter in respect of the entities in question.
7) Data Communication and Dissemination
Sensitive data may only be communicated to public and private entities and, if necessary, disseminated if they are absolutely relevant to the purposes and obligations referred to under 2) by having regard to the additional provisions mentioned above.
Sensitive data may be communicated to the competent authorities if this is necessary for preventing, investigating or suppressing crimes in accordance with the provisions regulating this subject matter.
No data concerning health and sex life may be disseminated.
8) Authorisation Requests
No request for authorisation shall have to be lodged with the Garante by a data controller falling within the scope of application of this authorisation, if the proposed processing is in line with the above provisions.
The authorisation requests received prior to and/or after the date of adoption of this provision shall be regarded as granted insofar as they comply with the requirements laid down herein.
No authorisation requests concerning processing operations that are not in line with the provisions set out herein shall be taken into consideration by the Garante, unless they are to be granted under Section 41 of the Code on account of special and/or exceptional circumstances that are not referred to in this authorisation.
9) Final Provisions
The requirements set out in Community legislation, laws and regulations imposing prohibitions or restrictions on the processing of personal data are hereby left unprejudiced.
This authorisation shall also be without prejudice to the provisions against discrimination, in particular decree-law no. 122 of 26.04.93 as converted, with amendments, into Act no. 205 of 25.06.93 on discrimination for racial, ethnic, nationality or religious reasons and genocide; legislative decree no. 215 of July 9, 2003, implementing EC Directive 2000/43 on equal treatment between persons irrespective of racial or ethnic origin; and legislative decree no. 216 of July 9, 2003, implementing EC Directive 2000/78 on equal treatment in employment and occupation.
10) Effectiveness and Provisional Arrangements
This authorisation shall be effective as of 1 January 2015 until 31 December 2016 subject to such amendments as the Garante may decide to make on account of regulatory developments concerning this subject matter.
This authorisation shall be published in the Official Journal of the Italian Republic.
Done in Rome, this 11th day of the month of December 2014.
THE SECRETARY GENERAL