Rights and Prevention

Rights and Prevention

What Is A "Personal Data" ?

A personal data is a piece of information that identifies or allows identifying a natural person and provides details about that person´s features, habits, lifestyle, personal relationships, health, financial status, and so on.

Special importance should be attached to

  • Identifying Information, i.e. any data allowing a person to be identified directly such as one´s first and last name, pictures, and so on;

  • Sensitive Information, i.e. any data that may disclose race, ethnicity, religious beliefs, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organisations in the religious, philosophical, political or trade-union sectors, health and sex life;

  • Judicial Information, i.e. any data that may disclose that a person is the subject of judicial measures the law requires to be included in that person´s criminal record (e.g. final sentences; parole orders; residency and/or movement restrictions; measures other than custodial detention) or that judicial proceedings or investigations are pending against a given person.

The evolution of new technologies has made other types of personal data especially significant – for instance, data relating to electronic communications (Internet- or phone-based) and geolocation data disclosing a person´s whereabouts and movements.

The Main Players

Data Subject – This is the natural person a personal data relates to. Thus, if you process, for instance, Mr. John Doe´s address, tax ID, and so on, then Mr. John Doe is the "data subject" (see Section 4(1)i. of the DP Code);

Data Controller – This is the natural person, business, public or private organization, association, and so on, deciding on the purposes and mechanisms of the processing of personal data and on the tools to be used for the processing (see Section 4(1)f. of the DP Code);

Data Processor – This is the natural person, business, organization, association or entity the Data Controller entrusts with specific, pre-defined tasks concerning management and control of the processing of personal data (see Section 4(1)g. of the DP Code). The Data Processor need not be part of the Data Controller´s organization and the Data Controller is not required to appoint it in all cases (see Section 29 of the DP Code).

Person Tasked with the Processing – This is a natural person that factually processes or uses any personal data on the Data Controller´s behalf according to the instructions received from the Data Controller and/or the Data Processor (see Section 4(1)h. of the DP Code).

What Is the Right to the Protection of Personal Data?

The right to the protection of personal data is a fundamental right of individuals and is provided for in the Italian Personal Data Protection Code (legislative decree no. 196 dated 30 June 2003) as well as in several Italian and international legal instruments. In particular, this right allows every person to make sure that their personal data is only processed in compliance with the rules and principles laid down in the law.

The Italian Data Protection Code (section 5) regulates the processing of personal data (including data held abroad) by any entity that

  • Is established either in the territory of Italy or in a place that is under the Italian State´s sovereignty;

  • Is established in a non-EU country and makes use in connection with the processing of equipment situated in the Italian State´s territory, unless such equipment is used only for purposes of transit through the territory of the European Union. If the Italian DP Code applies, the data controller must appoint a representative established in the State´s territory.

Specific security and protection measures are envisaged in the DP Code and specific steps must be taken if another individual´s personal data is processed. The rights afforded to data subjects under the DP Code may be exercised by applying directly to the Data Controller (see section 7); there are, however, some exceptions to this rule.

Right to Access Your Personal Data

Everyone has the right to request a natural person, a business, an association, a political party, and so on, to provide information on whether their personal data is being processed and to obtain all the personal information held by the Data Controller.

In particular, everyone has the right to know:

a. The source of the personal data that is being processed;

b. The purposes and mechanisms of the processing;

c. Whether the personal data is being processed electronically and what is the logic underlying the processing;

d. The information identifying the Data Controller and/or the Data Processor and/or the representative appointed for the Italian territory;

e. The entities or categories the personal data may be disclosed to or become known by to the extent they act as representatives appointed for the Italian territory, Data Processors or Data Controllers.

To exercise this right

  • You do not have to provide specific reasons;

  • You do not have to pay any charges, as a rule.

How to exercise this right

Right to Update, Rectify, or Erase Your Personal Data

Everyone may request that whoever processes their personal data

a. Updates, rectifies or supplements the data (the latter if proof of a specific interest can be provided);

b. Blocks, erases or anonymises the data, if

  • The data is not processed in accordance with the law;

  • It is no longer necessary to keep the data.

NOTE: The fact that a data is updated, rectified or erased must be made known to any entity the data has been disclosed or disseminated to, unless this proves impossible or entails an effort that is unquestionably disproportionate compared with the right to be protected.

How to exercise this right

Right to Object

You may object to the processing of your personal data:

a. On legitimate grounds;

b. In all cases, i.e. without having to justify your objection, if your data is processed for marketing and commercial communications purposes.

How to exercise this right

NOTE: As of 1 February 2011, a subscriber listed in telephone directories through his name and phone number has to sign up for the Public Opt-Out Register if he does not wish to receive operator-assisted telemarketing calls (see Section 130, paragraph 3-bis and subsequent ones, of the DP Code).


How Can You Protect Your Personal Data?

To protect your personal data, you can first of all exercise the rights you have under Section 7 of the DP Code.


A Data Subject can apply to the Data Controller or the Data Processor (if appointed), also via a Person Tasked with the Processing and via any suitable mechanisms (e.g. via registered mail, by sending faxes, or emailing a message).

A model form can be downloaded here to exercise this right.

In some cases - which are expressly mentioned in the DP Code (see Section 9(1) ) -  you may also apply verbally and the Person Tasked with the Processing or the Data Processor (if any) must make a summary note of the application.

Depending on the specific case, you may apply for specific personal data, categories of data, or a specific processing operation; you may also apply for all the personal data relating to you, regardless of the type of processing.

The Data Controller or the Data Processor (if appointed) must handle your application appropriately, also via a Person Tasked with the Processing, without delay and in any case

  • Within 15 days from receiving it;

  • Within 30 days from receiving it if replying proves especially complex in terms of the steps to be taken, or if there is any other justifiable ground. In this case, the Data Controller or the Data Processor must get back to the Data Subject and inform him within the 15-day term mentioned above.

What should I do if my application for exercising the rights of section 7 in the DP Act is not handled on time, or if I am not satisfied with the way it was handled?

If an application for exercising any of the rights of Section 7 in the DP Act is not handled timely or you are not satisfied with the reply provided to you, you as the data subject may claim your rights before either a judicial authority or the data protection authority (Garante).

Lodging a Complaint with the DPA

Lodging a complaint with the DPA is a formal procedure as it leads to the making of a decision followed by specific legal effects. In particular, you may either lodge this type of complaint with the DPA or claim your rights before a judicial authority. The procedure for lodging this complaint with the DPA is outlined in the DP Code and must be complied with strictly (see section 147 in the DP Code).

You may lodge a complaint with the DPA only to claim the rights mentioned in section 7 of the DP Code (see section 141(1)c. of the Code) and only if the data controller (or the data processor, where appointed) handles your application for exercising any of the rights in question either in breach of the time limits mentioned above or in a way you consider to be unsatisfactory; you may also complain to the DPA if the lapse of the time limits mentioned above exposes you to impending, irretrievable harm (see section 146 of the DP Code).

NOTE: You may not claim damages before the Italian DPA. Any damages claim may only be lodged with the competent judicial authority (see Section 152 of the DP Code).

Case Handling Fee – You should provide proof that you paid the case handling fee (Euro 150.00) along with your complaint.

Procedural Costs – Once the proceeding initiated by a complaint is through, the Garante calculates the relevant procedural costs (if this has been requested by either party) and awards those costs, in whole or in part, to the losing party. Offsetting of procedural costs is permitted, at the Garante´s discretion, for justified reasons.

Under the law, procedural costs are calculated as a lump sum (see Section 150(3) of the DP Code).

The Italian DPA set the said lump sum at a minimum of Euro 500.00 (by a collegiate resolution dated 19 October 2005); a threshold of Euro 1000.00 was also set by having regard to especially complex proceedings.

Additional Remedies

Lodging a Claim

A detailed claim may be lodged with the DPA to report a breach of the applicable data protection legislation (see section 141(1)a. of the DP Code).

Each claim is investigated on a preliminary basis to decide whether a formal administrative proceeding is to be initiated; such proceeding may result into the adoption of various measures (see Section 143 of the DP Code and Article 8 et seq. of the DPA´s Rules of Procedure no. 1/2007).

Case Handling Fee – Proof of payment of the case handling fee is to be provided along with the claim (if the conditions are fulfilled for considering that a regular claim was lodged)

Lodging a Report

If you cannot or do not wish to lodge a detailed claim (for instance, because not all the relevant information is known to you), you may lodge a report with the DPA (see Section 141(1)b. of the DP Code and Articles 13 and 14 of the DPA´s Rules of Procedure no. 1/2007). The report is meant to provide information the DPA may decide to rely upon in order to check (in a general perspective) application of the relevant data protection legislation.

How to lodge a report with the DPA – No formal requirements have to be met. The Contact Details shown in the "Contact Us" section may be used.

No Case Handling Fee – There is no fee involved in lodging a report with the DPA.

Who protects our personal data?

Enforcing everyone´s right to the protection of their personal data is the task committed to the Italian Data Protection Authority (Garante per la protezione dei dati personali) in compliance with administrative law.

Alternatively, the competent judicial authority may be seized (see Section 152 of the DP Code); judicial authorities are also competent for reviewing the DPA´s decisions that are challenged by any of the litigating parties.


The DPA´s tasks are set forth in the Italian Data Protection Code (legislative decree no. 196 dated 30 June 2003) as well as in other EU and national instruments. The Italian DPA ensures that personal data is processed appropriately and the rights of individuals are respected in processing their personal data – in both the public and the private sector.


  • verifying that data processing operations are carried out in compliance with the laws and regulations in force and ordering data controllers or processors to adopt measures that make their processing compliant; receiving claims and reports and deciding on the complaints lodged under Section 145 of the DP Code;

  • prohibiting, in whole or in part, or blocking data processing operations where they may be substantially prejudicial to data subjects because of their features, the relevant mechanisms, or the effects produced;

  • taking the measures provided for under the legislation on the processing of personal data including, in particular, general authorisations to process sensitive data;

  • fostering the adoption of codes of practice and ethics in various sectors (consumer credit, journalism, etc.);

  • drawing Government´s attention, where appropriate, to the need for enacting specific regulatory provisions in the economic and social sectors;

  • contributing to debates on regulatory innovations by taking part in Parliamentary hearings;

  • rendering the opinions requested by the Prime Minister and the individual Ministers as for secondary legislation and administrative measures that are liable to impact the sectors regulated by the DP Code;

  • drawing an annual activity report including a review of the implementation of privacy-related legislation, to be submitted to Parliament and Government;

  • contributing to EU and international sector-related activities, also by participating in the Article 29 Working Party and the Joint Supervisory Bodies provided for by international Conventions (Europol, Schengen, Customs Information System);

  • keeping the Register of Processing Operations on the basis of the notifications received under Section 37 of the DP Code;

  • informing citizens and raising their awareness about issues relating to the processing of personal data and data security measures;

  • seeking citizens´ and stakeholders´ opinions by way of public consultations with a view to drafting measures and provisions of a general nature.

Personal Data Protection Code