Simplification of Notification Requirements and Forms 
Simplification of Notification Requirements and Forms 
[doc. web n. 1630455]
Simplification of Notification Requirements and Forms
Decision dated 22 October 2008 as published in Italy´s Official Journal no. 287 dated 9 December 2008
THE ITALIAN DATA PROTECTION AUTHORITY
Having convened today in the presence of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Giovanni Buttarelli, Secretary General;
Having regard to the personal data protection Code, in particular the provisions thereof on notification of processing operations (section 37 et seq. of legislative decree no. 196/2003);
Having regard to section 29 of ordinance no. 112 dated 25 June 2008 as converted, with amendments, into Act no. 133 dated 6 August 2008, which also amended section 38 of the DP Code;
Whereas notification of the processing is only valid if it is submitted via the Italian DPA´s website () with the help of the ad-hoc form made available by the Italian DPA (see section 38 of the DP Code as amended by the aforementioned section 29 of ordinance no. 112/2008);
Whereas the said notification form must only contain certain items of information related to the specific processing, such items being detailed in the legislation in question;
Considering that it is necessary to bring the said notification form and the respective instructions into line with the simplifications brought about on top of those that had already been introduced by the Italian DPA for the benefit of the data controllers required to notify processing operations;
Considering that it is necessary for the said notification form and the respective instructions to be easily retrievable from the Italian DPA´s website (), which is to be used for submitting the relevant notification;
Having regard to the records on file;
Having regard to the considerations made by the Office as submitted by the Secretary General in pursuance of Article 15 of the Garante´s Rules of Procedure no. 1/2000;
Acting on the report submitted by Mr. Giuseppe Chiaravalloti;
This decision is aimed at simplifying the form that is to be used to notify processing operations to the Italian DPA, further to the simplifications already introduced by the Italian DPA. To that end, it is appropriate to first briefly describe the main features of notification.
1. Contents of the Notification Submitted to the Italian DPA
The notification is a declaration whereby the data controller, be it a public or a private entity, informs the Italian DPA that personal data are being collected and used. The notification should only include the following information:
a. information to identify the data controller and the data controller´s representative, if any, along with the mechanisms to identify the data processor where the latter has been appointed;
b. purpose(s) of the processing;
c. a description of the category/categories of data subject and the data/data categories related to the latter;
d. the data recipients and/or the categories of data recipient;
e. envisaged data transfers to third countries;
f. a general description that should allow assessing beforehand whether the security measures applying to the processing are adequate.
After being received, the notifications are entered in a public register that is freely accessible online.
2. Cases Requiring Notification
Generally speaking, a data controller is required under the law to only notify the processing operations that concern the following:
a. genetic data, biometric data, or other data disclosing geographic location of individuals or objects by means of an electronic communications network,
b. data suitable for disclosing health and sex life where processed for the purposes of assisted reproduction, provision of health care services via electronic networks in connection with data banks and/or the supply of goods, epidemiological surveys, diagnosis of mental, infectious and epidemic diseases, seropositivity, organ and tissue transplantation and monitoring of health care expenditure,
c. data suitable for disclosing sex life and the psychological sphere where processed by not-for-profit associations, bodies or organisations, whether recognised or not, of a political, philosophical, religious or trade-union character,
d. data processed with the help of electronic means aimed at profiling the data subject and/or his/her personality, analysing consumption patterns and/or choices, or monitoring the use of electronic communications services except for such processing operations as are technically indispensable to deliver said services to users,
e. sensitive data stored in data banks for personnel selection purposes on behalf of third parties, as well as sensitive data used for opinion polls, market surveys and other sample-based surveys,
f. data stored in ad-hoc data banks managed by electronic means in connection with creditworthiness, assets and liabilities, appropriate performance of obligations, and unlawful and/or fraudulent conduct.
However, family doctors and/or paediatricians are not required to notify the above processing operations because the processing is regarded as functionally inherent in their professional relations with the National Health Service (see section 37(1-bis) of the DP Code).
It should also be recalled that the Italian DPA provided under the law for exempting certain entities and/or processing operations from notification obligations; an ad-hoc decision was published on the DPA´s website along with explanations related to the questions that had been submitted in this connection (see decision no. 1/2004 as published in Italy´s Official Journal no. 81 dated 6 April 2004 as well as on www.garanteprivacy.it– Web document no. 852561; see also Notice dated 23 April 2004, Web document no. 993385). [See the document published on the WP29´s website at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/others/2006-07-03-vademecum.doc ]
Any cases other than those mentioned above do not require notification.
3. Timing of Notification
The notification must be submitted to the Italian DPA once only before starting the processing, irrespective of the number of processing operations and/or the duration of the processing to be performed; the notification may also concern one or more processing operations for related purposes. If the processing also entails cross-border data flows, the latter shall be notified jointly with the remainder.
A new notification is only to be submitted prior to terminating the processing and/or whenever any of the items contained in the notification changes.
Based on the above premises, it is accordingly necessary to simplify the notification form in pursuance of the regulatory amendments described herein. The simplified form will be made available on the DPA´s website by not later than sixty days as from publication of this decision immediately the technical adjustments to the website are performed.
Now, therefore, the Italian DPA
1. to simplify the notification form by approving the new notification form contained in Annex A hereto, which shall be an integral part of this decision and shall be available on the Italian DPA´s website (www.garanteprivacy.it) by not later than sixty days as from publication hereof;
2. to clarify that the introduction of the new form does not impose, per se, an obligation to submit a new notification on any data controller that has already submitted it;
3. that a copy of this decision be sent to the Ministry of Justice – Ufficio pubblicazione leggi e decreti in order for it to be published in the Official Journal of the Italian Republic.
Done in Rome, this 22nd day of October 2008