PRACTICAL GUIDELINES AND SIMPLIFYING MEASURES FOR SMEs 
[doc. web n. 1435985]
IL GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
1. Who Carries out the Processing
2. Notifying the Processing
3. Providing Information Notices
4. Obtaining the Data Subject's Consent
5. Data Security
6. Transferring Data to Third Countries
7. What a Data Controller Is to Do to Comply with Data Subjects' Access Requests under Section 7 of the DP Code
Certain requirements under personal data protection legislation are sometimes regarded as burdensome, particularly in relation to the standard business activities of SMEs. In fact, affording personal data appropriate protection can become a major asset for an enterprise, which can thereby operate more effectively and increase consumers' and users' trust.
These guidelines are meant to provide SMEs with a tool that can facilitate compliance with the obligations arising out of the legislation in force, and to highlight the simplification measures that are currently available.
A checklist is also provided in addition to the guidelines, which are published on the Garante's website. Both documents may be updated as appropriate. Please consider that these guidelines do not replace the contents of legislation, which is to be complied with in any case.
1. WHO CARRIES OUT THE PROCESSING
Doing business usually entails the processing of personal data, i.e. information that can be related to identified and/or identifiable entities (e.g. employees, customers, suppliers). Such data must be relevant and not excessive by having regard to the legitimate purposes to be achieved; additionally, the data must be accurate and updated (see section 11 of the DP Code). Processing operations (such as collecting, communicating, or disseminating personal data) may also be carried out by the data processor (where appointed) and the persons in charge of the processing.
1.1. Who Is A Data Controller?
The data controller is "the entity (…) having fully autonomous decision-making powers in respect of purposes and mechanisms of (…) processing operations as also related to security matters" (as per section 28 of the DP Code). As regards – more specifically – business activities, the "data controller" can be either a natural person (e.g. in the case of a single-person business) or a legal person (e.g. a company) that processes personal data by collecting, storing, communicating and/or disseminating such data.
The data controller is required to comply with the relevant obligations (which are summarised in these Guidelines); where he decides to appoint one or more data processors, he is also required to supervise compliance by such data processors with the instructions he has issued.
1.2. Who Is A Data Processor?
A data processor (there may be more than just one data processor) is an entity the data controller may decide to appoint, in which case a written document must specify the tasks committed to such data processor. Natural persons or entities should be selected that can provide suitable safeguards – in the light of their experience, skills, and reliability – as to full compliance with the legislation in force applying to processing operations, including security measures (see section 29 of the DP Code).
Therefore, appointment of a data processor is an option the data controller may decide to avail himself of; this is frequently the case in the presence of business units that work with a certain degree of autonomy (e.g. the heads of business units such as human resources or marketing are often appointed as data processors) as well as in respect of external entities that work on an outsourcing basis by processing personal data (e.g. this applies to data processing centres for accounting purposes, mailing services, factoring companies, etc.)
1.3. Who Is A Person in Charge of the Processing?
A person in charge of the processing is a natural person who actually processes personal data under the data controller's/data processor's direct authority, by complying with instructions issued in writing (see section 30 of the DP Code). The data controller is required to appoint any such person.
To that end, it is enough to allocate a given employee to a specific organisational unit, provided that the categories of data to be accessed by the said employee and the scope of the processing operations at issue are specified in writing. This means that, for instance, if a given number of employees have been allocated to an organisational unit within an enterprise, there is no need for a formal appointment (based e.g. on an ad-hoc written document) if the scope of the processing operations to be performed by the unit in question is specified in writing (for instance, in the staff roll, in the employment contract, in the detailed job descriptions, etc.) and the employees are permanently allocated to the said unit.
2. NOTIFYING THE PROCESSING
Notifying the processing means making a statement whereby the data controller informs the Garante beforehand that he/she collects and uses personal data. The Garante enters the notification into the public register of processing operations, which can be accessed freely via the Garante's website.
2.1. Is It Always Necessary to Notify the Processing to the Garante?
As a rule, there is no need to notify the processing operations that are most commonly performed by SMEs; this applies, for instance, to the processing operations concerning data on employees, suppliers, and/or customers. In particular, there is no need to notify the data concerning defaulting customers that are kept by an individual enterprise.
That said, notification is required only in the specific cases listed in section 37 of the DP Code. As for business activities, this applies to the processing operations concerning:
- data stored in ad-hoc databases via electronic tools, where the data relate to creditworthiness, assets and liabilities, fulfilment of specific obligations, unlawful and/or fraudulent conduct. As said, the data related to defaulting customers kept by an individual enterprise are exempted;
- genetic data, biometric data, and data on the geographic location of individuals/objects as based on an electronic communications network (e.g. data processed by means of geo-location devices installed on cars in order to locate the vehicles);
- data processed with the help of electronic tools in order to profile data subjects and/or their personality, or else to analyse consumption patterns and choices, or to monitor the use of electronic communications services – except for such processing as is technically indispensable to provide those services;
- sensitive data stored in databases with a view to personnel selection activities undertaken on behalf of third parties (i.e. excepting the data processed directly by the enterprise) as well as sensitive data used for opinion polls, market surveys and/or other sample-based surveys.
2.2. How Should One Notify the Processing to the Garante?
The interface made available on the Garante's website should be used by following the guidelines provided to this purpose (see section 38 of the DP Code).
2.3. When Should One Submit A New Notification to the Garante?
This is only to be done either if the processing is terminated or if certain items of information in the initial notification happen to change.
3. PROVIDING INFORMATION NOTICES
Whoever processes personal data must inform data subjects on the basic features of the processing in question. The information must be provided irrespective of whether the data are collected from the data subjects or from third parties. Simplifications and exemptions are envisaged in the applicable legislation.
3.1. What Is An Information Notice?
An information notice should be straightforward and require no unnecessary formalities; it may be worded simply and concisely, and should contain the following items of information (see section 13 of the DP Code):
- purposes and mechanisms of the processing;
- whether providing the data is optional or compulsory, and what consequences result from a refusal to provide them;
- who the data may be communicated to (individual entities or else categories), or who may otherwise become aware of the data;
- rights vested in the data subject under section 7 of the DP Code;
- identification information concerning the data controller and – where appointed – the data processor.
If any of the above items of information is already known to the data subject, it is unnecessary to mention it in the information notice.
3.2. When Is the Information Notice to Be Provided?
If the data are collected from the data subject, the information notice must be provided – also verbally – before starting the processing. As regards relationships with suppliers, customers, employees and/or co-workers, it is unnecessary to provide the information each and every time they are contacted; indeed, it is enough to provide the information once and for all by wording it in general terms, before starting processing operations (which might continue over a longer time span).
An information notice must also be provided if the personal data are collected from third parties. In the latter case, it must be provided at the time the data are recorded; if the data are to be communicated by the data controller to third parties, the information must be provided no later than when the data are first communicated. The categories of processed data must also be specified.
3.3. May One Provide A Simplified Information Notice?
The information notice may also be provided verbally and worded simply and concisely, without including information that is already held by the data subject (see section 13(2) of the DP Code). The information may also be accommodated in standard items of correspondence and/or paperwork.
The legislation in force allows for additional simplification mechanisms (see section 13(3) of the DP Code) by having regard to specific, concrete circumstances to be made known to the Garante in an ad-hoc application – which may also be lodged by the competent trade association.
3.4. When Is No Information Notice Required?
As regards the data collected from third parties, no information notice need be provided, in the light of the concrete circumstances, if the data are processed (see section 13(5), letters a) and b), of the DP Code):
- pursuant to obligations set forth in laws, regulations and/or Community legislation; or
- with a view to enabling investigations by defence counsel (under Act no. 397/2000) or else to establish or defend a judicial claim.
Additionally, the data controller may be exempted – in whole or in part – from providing the information notice
- if the Garante finds, also after receiving an ad-hoc application, that providing the information in question is impossible or involves an effort that is clearly disproportionate compared with the right being protected (section 13(5), letter c), of the DP Code).
4. OBTAINING THE DATA SUBJECT'S CONSENT
In some cases, a private entity is required to obtain the data subject´s consent to lawfully process personal data (see section 23 of the DP Code). However, it is more often the case that the data subject´s consent is unnecessary in performing standard business activities (see section 24 of the DP Code).
4.1. Is the Data Subject´s Consent Required in Performing Business Activities?
As regards specifically the processing of (non-sensitive) personal data in connection with standard business activities, consent is not required if (see section 24 of the DP Code):
- the data are processed to perform a contract and/or prior to entering a contract (section 24(1), letter b), of the DP Code);
- the data are processed to fulfil a legal obligation (section 24(1), letter a), of the DP Code);
- the data are taken from public registers and lists (section 24(1), letter c), of the DP Code);
- the data relate to the performance of economic activities by the data subject (section 24(1), letter d), of the DP Code).
Whilst the above cases cover most of the processing operations that are usually performed by a business, additional exemptions are mentioned in section 24 of the DP Code.
As for the rest, the data subject must have given his/her free, specific, and informed consent to the processing at issue. The consent must be documented/recorded in writing (see section 23 of the DP Code).
4.2. What Requirements Are to Be Met to Process Sensitive Data?
More stringent safeguards apply to the processing of sensitive data, i.e. any information suitable for disclosing racial or ethnic origin; religious, philosophical or other beliefs; political opinions; membership of parties, trade unions, associations and/or organisations of a religious, philosophical, political or trade-union character; health; and/or sex life (see section 4(1), letter d), of the DP Code).
As a rule, both the data subject's written consent and an authorisation by the Garante are required to process sensitive data (see section 26 of the DP Code).
The Garante has issued seven general authorisations covering all the processing operations that are usually performed in connection with standard business activities. This means that there is no need to apply to the Garante for an ad-hoc authorisation; one is only required in exceptional situations that are not covered by the said general authorisations, which has seldom been the case so far. (All the general authorisations in question have been translated into English and are available on the Garante's website.)
Furthermore, the data subject´s consent to the processing of his/her sensitive data is not required under the DP Code in the following cases:
- if the processing is necessary for defence counsel to carry out the investigations referred to in Act no. 397/2000, or else to establish or defend a judicial claim. The data may only be processed for such purposes and for no longer than is absolutely necessary to achieve those purposes (see section 26(4), letter c), of the DP Code);
- if the processing is necessary to fulfil specific obligations and/or tasks as set forth by laws, regulations, or Community legislation in connection with managing employer-employee relationships, as also related to occupational and population health and safety and/or social security and welfare. The limitations provided for in the Garante´s general authorisation will have to be complied with (see section 26(4), letter d), of the DP Code).
5. DATA SECURITY
Security and integrity of the information that is processed lawfully are key components of personal data protection legislation (see section 31 et seq. of the DP Code, and the technical specifications contained in Annex B to the DP Code).
5.1. Who Is Required to Take Security Measures
A general obligation to take suitable security measures is laid down in the DP Code. A data controller may fulfil this obligation by also availing himself/herself of a data processor (see section 29(2) of the Code.)
5.2. What Security Measures Are to Be Adopted?
The data controller is required to take all suitable measures, taking into account the state of the art, the nature of the data in question, and the features of the processing; additionally, the data controller is required to reduce the risk that the data may be lost or destroyed, whether accidentally or not, or that third parties may access the data without being authorised or allowed to do so (see section 31 of the DP Code).
Within the above context, the minimum security measures as applicable to SMEs are also to be implemented (see sections 33 to 35 of the DP Code, and Annex B to the Code).
5.3. How and When Is A Security Policy Statement to Be Drafted?
Under the legislation in force, a security policy statement is to be drafted if sensitive and/or judicial data are processed with the help of computerised systems (see section 34(1), letter g), and Rule 19 of Annex B to the DP Code). Account can be taken in this regard of the suggestions provided by the Garante in its "Operating Guidelines", which were posted on the Garante's website as of 11 June 2004 to meet the demands and specific requirements arising from the activities of professionals and SMEs.
The security policy statement:
- is to be drafted/updated by the 31st of March of each year;
- does not have to be submitted to the Garante, but should be kept by the data controller at the respective premises so that it can be produced in case an inspection is carried out (section 34(1), letter g), of the DP Code, and Rule 19 of Annex B to the DP Code);
- must be drafted by "the controller of processing operations concerning sensitive and/or judicial data (…), also by the agency of the data processor, if nominated" (Rule 19 of Annex B to the DP Code).
6. TRANSFERRING PERSONAL DATA TO THIRD COUNTRIES
Business activities may necessitate the transfer of personal data outside the European Union (e.g. as for employees' or customers' data). Specific rules are set out in the DP Code in such cases.
6.1. When Is the Code Applicable to Data Transfers outside the European Union?
The provisions applying to data transfers outside the EU concern mainly personal data flows towards the so-called "third countries", given that EU Member States have implemented Directive 95/46/EC – at domestic level – by passing specific legislation on the protection of personal data. Therefore, data may move freely within the EU providing the applicable legislation is complied with (see section 42 of the DP Code).
6.2. When Is It Permitted to Transfer Data outside the European Union?
Data may be transferred without any restrictions in several cases (see section 43 of the DP Code); as regards, in particular, business activities, the following situations can be referred to:
- if the data subject has given his/her express consent, which must be in writing if sensitive data are processed;
- if the transfer is necessary to fulfil obligations arising out of a contract stipulated by the data subject, or else to comply with specific requests lodged by the data subject prior to stipulating a contract, or to finalise or perform a contract stipulated in the data subject's interest;
- if the transfer is necessary to safeguard a substantial public interest as specified by a law and/or regulation;
- if the transfer is necessary to enable investigations by defence counsel (under Act no. 397/2000), or to establish or defend a judicial claim;
- if the processing concerns data related to legal persons, bodies and/or associations.
6.3. If None of the Above Conditions Is Fulfilled, Under What Circumstances Is It Permitted to Transfer Data?
Data may also be transferred with the Garante's authorisation, which is issued where appropriate safeguards for data subjects' rights are in place (see section 44 of the DP Code). Such safeguards may:
- be specified by the Garante;
- consist in the adequacy decisions adopted by the European Commission as to the level of data protection afforded by the legal systems of certain recipient countries (see Article 25(6) of Directive 95/46/EC);
- be grounded on the decision concerning adequacy of the safeguards laid down in the Safe Harbor agreement as for data transfers towards organisations established in the USA that have adhered to the said agreement;
- consist in the use of standard contractual clauses regulating the transfer between data "exporter" and data "importer", such clauses having been found adequate by the European Commission (see Article 26(4) of Directive 95/46/EC).
7. WHAT A DATA CONTROLLER IS TO DO TO COMPLY WITH DATA SUBJECTS' ACCESS REQUESTS UNDER SECTION 7 OF THE DP CODE
Under personal data protection legislation, every data subject has the right to access the personal data concerning him/her and exercise the other rights mentioned in section 7 of the DP Code.
7.1. What Should One Do If An Access Request Is Lodged by A Data Subject?
Where a data subject exercises his/her right to access the data concerning him/her, or any of the other rights vested in him/her, the data controller (or the data processor, as the case may be) is required to comply with the request – as a rule – within fifteen days of receiving it (see section 146 of the DP Code).
7.2. What Consequences Result from Failure to Comply with the Data Subject´s Request?
Partial or total non-compliance entitles the data subject to claim his/her rights either before judicial authorities or before the Garante via an ad-hoc complaint (see section 145 of the DP Code).
The checklist below is intended for data controllers. The points made in the above paragraphs are summarised in the form of questions, to be answered by "Yes" or "No". Please note that negative answers point to possible shortcomings in terms of personal data protection.
1. Who carries out the processing
Did you carry out an assessment of the processing operations concerning personal data, including sensitive data, that are carried out by your business?
Are the processed data relevant and not excessive by having regard to the legitimate purposes of the processing, and are the data accurate and updated?
Did you appoint the natural persons processing personal data in your business as "persons in charge of the processing"?
Have all the "persons in charge of the processing" been provided with written instructions as to their tasks?
If, within your business, you have identified entities empowered to exercise a certain discretion as to the processing of personal data, did you appoint those entities as "data processors"?
If, outside your business, there are entities and/or natural persons that process personal data in your interest, and such entities are required to abide by your instructions (e.g. in case of outsourcing), were they appointed as "data processors"?
2. Notification of the processing
Did you check – prior to starting any processing operations – whether your business performs processing that is to be notified to the Garante?
If anything has changed in processing operations you have already notified to the Garante, have you seen to updating your notification?
If the processing operations have been terminated, has this circumstance been specifically notified to the Garante?
3. Information notices
Did you provide data subjects with information notices if the data were collected directly from them?
Did you provide data subjects with information notices if the data were collected from other parties?
4. Data subjects' consent
Are personal data processed on the basis of any of the lawfulness preconditions listed in section 24 of the DP Code?
If none of the lawfulness preconditions listed in section 24 of the DP Code applies, did you obtain the data subjects´ consent?
If sensitive data are processed, did you check whether the processing in question has already been authorised by the Garante via general authorisations?
If sensitive data are processed, did you obtain the data subjects´ written consent?
If the processing of sensitive data does not fall within the scope of the general authorisations issued by the Garante, did you apply to the Garante for an ad-hoc authorisation?
5. Data security
Did you take suitable security measures to protect the personal data?
Did you take the minimum security measures as required to protect personal data?
If you process sensitive and/or judicial data, did you draw up – if you were required to do so – the security policy statement, and do you comply with the requirements set out therein?
Are the security measures set out in the security policy statement reviewed regularly, at all events by March 31st of every year?
6. Data transfers to third countries
If the personal data processed by your business are liable to be transferred to third countries (other than EU or EEA countries), are the data transferred
7. Data controller's obligations with regard to exercise of the rights provided for in section 7 of the DP Code
If access rights are exercised, do you reply to the data subject in accordance with the requirements set out in the law?