Authorisation No. 6/2004 Concerning Processing of Sensitive Data by...
Authorisation No. 6/2004 Concerning Processing of Sensitive Data by Private Detectives - 30 giugno 2004 
[doc. web. n. 1115361]
[ doc. web. n. 1037068]
Authorisation No. 6/2004 Concerning Processing of Sensitive Data by Private Detectives
THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
As of this day, with the participation of Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi and Mr. Mauro Paissan, Members, and Mr. Giovanni Buttarelli, Secretary-General;
Having regard to Legislative Decree no. 196 of 30 June 2003, containing the personal data protection Code;
Having regard to, in particular, Section 4(1), letter d), of the abovementioned Code, in which sensitive data are referred to;
Whereas under Section 26(1) of the Code private bodies and profit-seeking public bodies may only process sensitive data upon authorisation by this Authority and, where necessary, after obtaining the data subjects´ written consent, subject to compliance with the conditions and limitations set out in the Code as well as in laws and regulations;
Having regard to Section 26(4), letter c), of the Code, providing that sensitive data may also be processed without the data subject´s consent, subject to the Garante´s authorisation, if the processing is necessary for carrying out the investigations by defence counsel referred to in Act no. 397 of 07.12.2000, or else to establish or defend a legal claim, provided that the data are processed exclusively for said purposes and for no longer than is necessary therefor, and that the claim at stake is not overridden by the data subject´s claim or else consists in a personal right or another fundamental, inviolable right or freedom, if the data are suitable for disclosing health and sex life;
Whereas the processing of the data in question may be authorised by the Garante also ex officio by way of general provisions applying to specific categories of controller and/or processing (Section 40 of the Code);
Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation decrees;
Whereas after entry into force of the Code it is appropriate to grant new general authorisations replacing those due to expire on June 30, 2004 by streamlining their provisions in the light of the experience gathered so far;
Whereas it is appropriate for these new authorisations to be also provisional and time-limited in pursuance of Section 41(5) of the Code and, in particular, to be effective for a twelve-month term by having regard to the initial implementing phase of the new provisions contained in the Code as well as to the on-going work in view of adopting the Code of conduct and professional practice referred to in Section 135 of the Code;
Whereas it is necessary to ensure compliance with principles aimed at minimising the risk of affecting or endangering, through the processing, fundamental rights and freedoms and human dignity, with particular regard to the right to personal data protection set out in Section 1 of the Code;
Whereas the Garante has issued a general authorisation applying to the data suitable for disclosing health and sex life (No. 2/2004, issued on June 30, 2004) also with regard to the aforementioned purposes in connection with judicial activities;
Whereas a considerable number of processing operations for the above purposes are carried out with the help of private detectives, and that it is therefore appropriate to supplement the provisions set forth in Authorisation No. 2/2004 by an additional general instrument taking account of the specific context applying to private investigations, also with a view to streamlining the requirements to be imposed on this sector;
Whereas additional measures and arrangements will be set out by the Garante upon undersigning the aforementioned code of conduct and professional practice that is to be issued shortly (see Section 12 of the Code);
Having regard to Section 167 of the Code;
Having regard to Section 11(2) of the Code, whereby any data that is processed in breach of the relevant provisions applying to personal data processing may not be used;
Having regard to Section 31 and following ones in the Code, and to the Technical Specifications contained in Annex B to the Code, setting out rules and specifications in respect of security measures;
Having regard to Section 42 and following ones of the Code concerning transborder data flows;
Having regard to Section 41 of the Code;
Having regard to official records;
Having regard to the considerations made by the Secretary General on behalf of the Office, in pursuance of Section 15 of the Rules of Procedure of the Garante (no. 1/2000);
Acting on the report submitted by Prof. Gaetano Rasi,
the processing of data disclosing health and sex life by private detectives, in compliance with the following requirements.
Prior to starting and/or continuing the processing, information systems and programmes must be configured by minimising the use of either personal data or identification data so as to rule out their processing if the purposes sought in the individual case can be achieved by using, respectively, either anonymous data or mechanisms that allow identifying the data subject only if this is necessary, in accordance with Section 3 of the Code.
1) Scope of Application
This authorisation shall be granted without any request being necessary, to natural and legal persons, institutions, bodies, associations and entities carrying out private investigation activities as licensed by the prefetto (in pursuance of Section 134 of Royal decree no. 773 of 18.06.31 as subsequently amended and supplemented).
2) Purposes of the Processing
Processing shall only be permitted to discharge the task committed by the entities referred to in point 1), and in particular:
a) in order to allow an entity committing a specific task to establish or defend a legal claim, which must not be overridden by the data subject´s one, or else must consist either in a personal right or in another fundamental, inviolabile right or freedom if the data are suitable for disclosing health and sex life;
b) on the defence counsel´s instructions in connection with a criminal proceeding in order to search and detect information in favour of the relevant client, such information being only used for the exercise of the right to bring evidence (as per Section 190 of the Criminal Procedure Code and Act no. 397 of 07.12.2000).
This authorisation shall be without prejudice to the other general authorisations that have been granted either for carrying out investigations in criminal proceedings or for the establishment of a legal claim, in particular as regards:
a) the employment context (as per authorisation no. 1/2004, issued on June 30, 2004);
b) data disclosing health and sex life (as per authorisation no. 2/2004, issued on June 30, 2004);
c) associations and foundations (as per authorisation no. 3/2004, issued on June 30, 2004);
d) self-employed professionals included in the relevant lists or registers, including defence counsel and their deputies and co-operating staff (as per authorisation no. 4/2004, issued on June 30, 2004);
e) judicial data (as per authorisation no. 7/2004, issued on June 30, 2004).
3) Data Subjects and Categories
Processing may concern the sensitive data referred to in Section 22(1) of Act no. 675/1996, provided this is absolutely necessary to discharge specific tasks that have been committed for specific and legitimate purposes as per 1) and cannot be accomplished by processing either anonymous data or personal data of a different kind.
The data must be relevant and not excessive in relation to the tasks committed.
4) Processing Arrangements
Private detectives may not carry out, on their own initiative, investigations or researches or anyhow collect data. These activities may only be performed on specific instructions given in writing, also by defence counsel, solely for the purposes referred to under 2).
In the above instructions specific mention must be made of the legal claim to be established, or else of the criminal proceeding to which the investigations relate, as well as of the main facts accounting for said investigations and the reasonable deadline for their completion.
Without prejudice to the obligations set out in Sections 11 and 14 of the Code as well as in Sections 31 and following ones of the Code, and in Annex B to said Code, sensitive data may only be processed by means of operations and in accordance with logic and data organisation arrangements that are absolutely indispensable in connection with the purposes referred to under 2).
Data subjects or the persons from which the data are collected must be informed in pursuance of Section 13 of the Code, by highlighting the private detective´s identity and professional capacity as well as the fact that the data are to be provided on a voluntary basis.
If the data are collected from a third party, it is necessary to inform the data subject thereof and obtain his/her consent in writing, (as per Section 13, paragraphs 1, 4, and 5, and Section 26(4) of the Code) exclusively if the data are processed for longer than is absolutely necessary to establish the legal claim or perform the investigations by defence counsel, or else if the data are used for further purposes that are not incompatible with the initial ones.
The defence counsel or the entity that has committed the task to the private detective must be regularly informed of the investigations, also in order to allow them to make a timely decision concerning establishment of the legal claim and/or the right to bring evidence.
Private detectives must personally carry out the tasks committed and may not avail themselves of other detectives that were not specifically referred to when the relevant task was committed.
If internal staff are employed in their capacity of either data processors or persons in charge of the processing - pursuant to Sections 29 and 30 of the Code -, private detectives must assess, at least at weekly intervals, that the relevant laws and instructions are thoroughly abided by. The above staff may only access the data that are closely relevant to the collaboration requested.
Where not expressly provided for herein, the data suitable for disclosing health and sex life shall be processed in compliance with the additional provisions laid down in general authorisation no. 2/2004 as well as in the authorisation, if any, referred to in Section 90 of the Code, with particular regard to data concerning unborn children and genetic data.
Data processing must also be in line with the provisions laid down in the code of conduct and professional practice that is being drafted in pursuance of Section 135 of the Code.
5) Data Retention
In compliance with the obligation referred to in Section 11(1), letter e), of the Code, sensitive data may be kept for as long as absolutely necessary to discharge the tasks that have been entrusted.
To that end it shall be verified, also by way of regular controls, that the data are closely relevant, not excessive, and indispensable with regard to both the purposes sought and the tasks that have been entrusted.
Upon completion of the specific investigations, the processing operations must be terminated in all its forms except for the immediate communication to defence counsel and/or the person who has committed the relevant task(s).
The mere circumstance that the proceeding related to the investigation is still pending before a court or has been referred to other courts prior to issuing the final judgment shall not justify, in itself, retention of the data by the private detective.
6) Data Communication and Dissemination
Data may be only communicated to the entity that has committed the relevant task.
No data shall be communicated to another private detective, unless the latter was specifically referred to in the instrument whereby the relevant task was committed and such communication is necessary in order to discharge said tasks.
Data disclosing health may only be communicated to the competent authorities if this is necessary for the purposes of prevention, detection or suppression of offences in compliance with the relevant laws and regulations.
No data disclosing health and sex life may be disseminated.
7) Authorisation Requests
No request for authorisation shall have to be lodged with the Garante by a data controller falling within the scope of application of this authorisation, if the proposed processing is in line with the above provisions.
The authorisation requests received prior to and/or after the date of adoption of this provision shall be regarded as granted insofar as they comply with the requirements laid down herein.
No authorisation requests concerning processing operations that are not in line with the provisions set out herein shall be taken into consideration by the Garante, unless they are to be granted under Section 41 of the Code on account of special and/or exceptional circumstances that are not referred to in this authorisation.
8) Final Provisions
Any laws, regulations or Community rules imposing prohibitions or restrictions on the processing of personal data are hereby left unprejudiced, in particular as regards:
a) Section 4 (devices and equipment for the distance monitoring of employees) and Section 8 (inquiries into employees´ opinions and/or any other facts that are irrelevant to the assessment of professional qualifications) of Act no. 300 of 20.05.70, and Section 10 (investigating employees´ opinions and discriminatory treatment) in legislative decree no. 276 of 10 September 2003;
b) Act no. 135 of 05.06.90, concerning seropositivity and HIV-related infection;
c) procedural rules and/or any provisions against discrimination;
d) Section 734-bis of the Criminal Code, prohibiting disclosure of particulars or images of victims of sexual violence without the latters´ consent.
More specifically, this authorisation shall be without prejudice to the obligations concerning the fair, lawful use of devices or equipment for the collection of information, including sound and visual information, as well as those concerning access to data banks or the contents of correspondence, communications or conversations by telephone, electronic networks or among persons all present in the same place.
The possibility for natural persons to directly process data exclusively for the defence of a legal claim, also in connection with investigations relating to a criminal proceeding, shall be left unprejudiced. The Code shall not apply to the above cases even though the data are occasionally communicated to judicial authorities or a third party, on condition that such data are not intended for systematic communication or dissemination (as per Section 5(3) of the Code).
9) Effectiveness and Transitional Provisions
This authorisation shall be effective as of July 1, 2004 until June 30, 2005.
If the processing is not compliant with the provisions that were not included in Authorisation no. 4/2002 as of the date on which this authorisation is published, the data controller shall have to make the necessary adjustments by September 30, 2004.
This authorisation shall be published in the Official Journal of the Italian Republic.
Done in Rome, this 30th day of June 2004