Authorisation No. 6/2014 Concerning Processing of Sensitive Data by Private Detectives
[doc. web n. 3816659]
Authorisation No. 6/2014 Concerning Processing of Sensitive Data by Private Detectives
Published in Italy's Official Journal No. 301 of 30 December 2014
The Garante per la protezione dei dati personali
Having convened today, with the participation of Mr. Antonello Soro, President, Ms. Augusta Iannini, Vice-President, Ms. Giovanna Bianchi Clerici and Prof. Licia Califano, Members, and Mr. Giuseppe Busia, Secretary-General;
Having regard to Legislative Decree no. 196 of 30 June 2003, containing the personal data protection Code (hereinafter, the "Code");
Having regard to, in particular, Section 4(1), letter d), of the abovementioned Code, in which sensitive data are referred to;
Whereas under Section 26(1) of the Code private bodies and profit-seeking public bodies may only process sensitive data upon authorisation by this Authority and, where necessary, after obtaining the data subjects' written consent, subject to compliance with the conditions and limitations set out in the Code as well as in laws and regulations;
Having regard to Section 26(4), letter c), of the Code, providing that sensitive data may also be processed without the data subject's consent, subject to the Garante's authorisation, if the processing is necessary for carrying out the investigations by defence counsel referred to in Act no. 397 of 07.12.2000, or else to establish or defend a legal claim, provided that the data are processed exclusively for said purposes and for no longer than is necessary therefor, and that the claim at stake is not overridden by the data subject's claim or else consists in a personal right or another fundamental right or freedom, if the data are suitable for disclosing health and sex life;
Whereas the processing of the data in question may be authorised by the Garante also ex officio by way of general provisions applying to specific categories of controller and/or processing (Section 40 of the Code);
Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation decrees;
Whereas it is appropriate to grant new authorisations replacing those due to expire on 31 December 2014 by streamlining their provisions in the light of the experience gathered so far;
Whereas it is appropriate for these new authorisations to be also provisional and time-limited in pursuance of Section 41(5) of the Code and, in particular, to be effective for twenty-four months;
Whereas it is necessary to ensure compliance with principles aimed at minimising the risk of affecting or endangering, through the processing, fundamental rights and freedoms and human dignity, with particular regard to the right to personal data protection set out in Section 1 of the Code;
Whereas the Garante has issued a general authorisation applying to the data suitable for disclosing health and sex life (No. 2/2014) also with regard to the aforementioned purposes in connection with judicial activities;
Whereas a considerable number of processing operations for the above purposes are carried out with the help of private detectives, and that it is therefore appropriate to supplement the provisions set forth in Authorisation No. 2/2014 by an additional general instrument taking account of the specific context applying to private investigations, also with a view to streamlining the requirements to be imposed on this sector;
Whereas additional measures and arrangements were set forth by the Garante via the code of conduct and professional practice applying to the processing of personal data for the purposes of defence investigations, which was issued in pursuance of Section 12 of the Code (see the Resolution no. 60 dated 6 November 2008 as published in Italy's Official Journal no. 275 dated 24 November 2008);
Having regard to Section 11(2) of the Code, whereby any data that is processed in breach of the relevant provisions applying to personal data processing may not be used;
Having regard to Section 31 and following ones in the Code, and to the Technical Specifications contained in Annex B to the Code, setting out rules and specifications in respect of security measures;
Having regard to Section 41 of the Code;
Having regard to Section 42 and following ones of the Code concerning cross-border data flows;
Having regard to Section 167 of the Code;
Having regard to official records;
Having regard to the considerations made by the Secretary General on behalf of the Office, in pursuance of Section 15 of the Rules of Procedure of the Garante (no. 1/2000);
Acting on the report submitted by Ms. Augusta Iannini;
processing of the sensitive data referred to in Section 4(1), letter d), of the Code by private detectives, in compliance with the following requirements.
Prior to starting and/or continuing the processing, information systems and programmes must be configured by minimising the use of either personal data or identification data so as to rule out their processing if the purposes sought in the individual case can be achieved by using, respectively, either anonymous data or mechanisms that allow identifying the data subject only if this is necessary, in accordance with Section 3 of the Code.
1) Scope of Application
This authorisation shall be granted without any request being necessary, to natural and legal persons, institutions, bodies, associations and entities carrying out private investigation activities as licensed by the prefetto (in pursuance of Section 134 of Royal decree no. 773 dated 18.06.31 as subsequently amended and supplemented).
2) Purposes of the Processing
Processing shall only be permitted to discharge the task committed by the entities referred to in point 1), and in particular:
a) in order to allow an entity committing a specific task to establish or defend a legal claim, which must not be overridden by the data subject's one, or else must consist either in a personal right or in another fundamental right or freedom if the data are suitable for disclosing health and sex life;
b) on the defence counsel's instructions in connection with a criminal proceeding in order to search and detect information in favour of the relevant client, such information being only used for the exercise of the right to bring evidence (as per Section 190 of the Criminal Procedure Code and Act no. 397 dated 07.12.2000).
This authorisation shall be without prejudice to the other general authorisations that have been granted either for carrying out investigations in criminal proceedings or for the establishment of a legal claim, in particular as regards:
a) the employment context (as per authorisation No. 1/2014);
b) data disclosing health and sex life (as per authorisation No. 2/2014);
c) associations and foundations (as per authorisation No. 3/2014);
d) self-employed professionals included in the relevant lists or registers, including defence counsel and their deputies and co-operating staff (as per authorisation No. 4/2014);
e) judicial data (as per authorisation No. 7/2014).
3) Data Subjects and Categories
Processing may concern the sensitive data referred to in Section 4(1), letter d), of the Code, provided this is absolutely indispensable to discharge specific tasks that have been committed for specific and legitimate purposes as per point 1) and cannot be accomplished by processing either anonymous data or personal data of a different kind.
The data must be relevant and not excessive in relation to the tasks committed.
4) Processing Arrangements
Private detectives may not carry out, on their own initiative, investigations or researches or anyhow collect data. These activities may only be performed on specific instructions given in writing, also by defence counsel, solely for the purposes referred to under 2).
In the above instructions specific mention must be made of the legal claim to be established, or else of the criminal proceeding to which the investigations relate, as well as of the main facts accounting for said investigations and the reasonable deadline for their completion.
Without prejudice to the obligations set out in Sections 11 and 14 of the Code as well as in Section 31 et seq. of the Code, and in Annex B to said Code, sensitive data may only be processed by means of operations and in accordance with logic and data organisation arrangements that are absolutely indispensable in connection with the purposes referred to under 2).
The data subjects or the persons from whom the data are collected must be informed in pursuance of Section 13 of the Code, by highlighting the private detective's identity and professional capacity as well as that the data are to be provided on a voluntary basis.
If the data are collected from a third party, it is necessary to inform the data subject thereof and obtain his/her consent in writing, (as per Section 13, paragraphs 1, 4, and 5, and Section 26(4) of the Code) exclusively if the data are processed for longer than is absolutely necessary to establish the legal claim or perform the investigations by defence counsel, or else if the data are used for further purposes that are not incompatible with the initial ones.
The defence counsel or the entity that has committed the task to the private detective must be regularly informed of the investigations, partly in order to be enabled to make a timely decision concerning establishment of the legal claim and/or the right to bring evidence.
Private detectives must personally carry out the tasks committed to them and may not resort to other detectives if the names of such additional detectives were not specified in their original terms of reference and/or were not appended subsequently to the said terms of reference – providing the latter envisage the said option.
If internal staff are employed in their capacity of either data processors or persons in charge of the processing – pursuant to Sections 29 and 30 of the Code –, private detectives must assess, at least at weekly intervals, that the relevant laws and instructions are thoroughly abided by. The above staff may only access the data that are closely relevant to the collaboration requested.
Where not expressly provided for herein, the data suitable for disclosing health and sex life shall be processed in compliance with the additional provisions laid down in general authorisation no. 2/2013 as well as in the authorisation concerning the processing of genetic data adopted pursuant to Section 90 of the DP Code.
Data processing must also be in line with the provisions laid down in the code of conduct and professional practice applying to the processing of personal data for the purposes of defence investigations that was issued pursuant to Section 12 of the DP Code (see Resolution no. 60 dated 6 November 2008 as published in Italy's Official Journal no. 275 dated 24 November 2008).
5) Data Retention
In compliance with the obligation referred to in Section 11(1), letter e), of the Code, sensitive data may be kept for as long as is absolutely necessary to discharge the tasks that have been entrusted.
To that end it shall be verified, also by way of regular controls, that the data are closely relevant, not excessive, and indispensable with regard to both the purposes sought and the tasks that have been entrusted.
Upon completion of the specific investigations, the processing operations must be terminated in all its forms except for the immediate communication to defence counsel and/or the person who has committed the relevant task(s); the latter may allow, also by way of the instrument entrusting the detective with the task(s) in question, temporary retention of strictly personal items pertaining to the individuals that have discharged the said tasks – exclusively with a view to proving that their conduct was lawful and fair. If an exception is raised against the processing, the defence counsel and/or the person who has committed the relevant task(s) may also provide the detective – for no longer than is absolutely necessary – with such materials/items as may be necessary to show that his conduct was lawful and fair.
The mere circumstance that the proceeding related to the investigation is still pending before a court or has been referred to other courts prior to issuing of the final judgment shall not justify, in itself, retention of the data by the private detective.
6) Data Communication and Dissemination
The data may be only communicated to the entity that has committed the relevant task.
No data shall be communicated to another private detective, unless the latter was specifically referred to in the instrument whereby the relevant task was committed and such communication is necessary in order to discharge said tasks.
Data suitable for disclosing health may only be communicated to the competent authorities if this is necessary for the purposes of prevention, detection or suppression of offences in compliance with the relevant laws and regulations.
No data disclosing health and sex life may be disseminated.
7) Authorisation Requests
No request for authorisation shall have to be lodged with the Garante by a data controller falling within the scope of application of this authorisation, if the proposed processing is in line with the above provisions.
The authorisation requests received prior to and/or after the date of adoption of this provision shall be regarded as granted insofar as they comply with the requirements laid down herein.
No authorisation requests concerning processing operations that are not in line with the provisions set out herein shall be taken into consideration by the Garante, unless they are to be granted under Section 41 of the Code on account of special and/or exceptional circumstances that are not referred to in this authorisation.
8) Final Provisions
Any laws, regulations or Community rules imposing prohibitions or restrictions on the processing of personal data are hereby left unprejudiced, in particular as regards:
a) Section 4 (devices and equipment for the distance monitoring of employees) and Section 8 (inquiries into employees' opinions and/or any other facts that are irrelevant to the assessment of professional qualifications) of Act no. 300 dated 20.05.70, and Section 10 (investigating employees' opinions and discriminatory treatment) of legislative decree no. 276 dated 10 September 2003;
b) Act no. 135 dated 05.06.90, concerning seropositivity and HIV-related infection;
c) any provisions against discrimination;
d) Section 734-bis of the Criminal Code, prohibiting disclosure of particulars or images of victims of sexual violence without their consent.
More specifically, this authorisation shall be without prejudice to the obligations concerning the fair, lawful use of devices or equipment for the collection of information, including sound and visual information, as well as those concerning access to data banks or the contents of correspondence, communications or conversations by telephone, electronic networks or among persons all present in the same place.
The possibility for natural persons to directly process data exclusively for the defence of a legal claim, also in connection with investigations relating to a criminal proceeding, shall be left unprejudiced. The Code shall not apply to the above cases even though the data are occasionally communicated to judicial authorities or a third party, on condition that such data are not intended for systematic communication or dissemination (as per Section 5(3) of the Code).
This authorisation shall be effective as of 1 January 2015 until 31 December 2016 subject to such amendments as the Garante may decide to make on account of regulatory developments concerning this subject matter.
This authorisation shall be published in the Official Journal of the Italian Republic.
Done in Rome, this 11th day of the month of December 2014.