Electrical and Electronic Waste and Data Protection 
Electrical and Electronic Waste and Data Protection
THE ITALIAN DATA PROTECTION AUTHORITY
Having convened today with the participation of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Giovanni Buttarelli, Secretary-General;
Having regard to official records where it is reported that personal data had been found within electrical and electronic appliances that had been transferred to a dealer with a view to their disposal and/or sale and/or in connection with repair and/or replacement activities; having also regard to recent news reports whereby bank account data related to over one million individuals had been found in a second-hand hard disk that had been marketed and purchased via the Internet;
Having regard to legislative decree no. 196/2003 (the Data Protection Code), in particular sections 31 et seq. and section 154(1)h. thereof, as well as to clauses 21 and 22 of the Technical Specifications concerning minimum security measures (Annex B to the Data Protection Code);
Having regard to legislative decree no. 151 dated 25 July 2005 ("Implementing directives 2002/95/EC, 2002/96/EC and 2003/108/EC on the restriction of the use of hazardous substances in electrical and electronic equipment, and on the disposal of waste"), whereby measures and procedures must be implemented to prevent waste electrical and electronic equipment and foster reuse, recycling and other forms of recovery of such wastes so as to reduce the disposal of waste (see section 1(1)a. and b.);
Whereas application of the provisions set forth in the aforementioned decree no. 151/2005 is aimed, among other things, at prioritizing recovery of components from waste electrical and electronic equipment also via their re-use and/or the recycling into products that can be marketed anew (see, in particular sections 1 and 3(1)e. and f. thereof); whereas this entails a high risk of "circulating" second-hand electronic components that contain personal data, including sensitive data, given the inappropriate erasure of such data, whereby unauthorised third parties – e.g. any entity in charge of performing certain activities with a view to re-use of the equipment and/or whoever purchases the equipment in question – might access the data;
Whereas "reuse" consists in any operation by which waste electrical and electronic equipment or components thereof are used "for the same purpose for which the equipment had been initially conceived, including the use of the said equipment or components thereof which are returned to collection centres, distributors, recyclers or manufacturers" (Section 3(1)e. of decree no. 151/2005), whilst "recycling" consists in "reprocessing in a production process of the waste materials for the original purpose or for other purposes" (section 3(1)e. of decree no. 151/2005);
Whereas the risk of unauthorised access to the stored data also arises in connection with waste electrical and electronic equipment that is to be disposed of (section 3(1)i. of decree no. 151/2005);
Noting that it is necessary to bring the aforementioned risks to the attention of the legal persons, public administrative bodies, any other bodies and/or natural persons – hereinafter referred to as "data controllers" pursuant to section 4(1)f. of the Data Protection Code – that dispose of IT systems or, generally speaking, electrical and electronic equipment containing personal data after using them in discharging the respective tasks, with particular regard to industrial, business, professional and/or institutional tasks; whereas this also applies, in a broader perspective, to any entity that deals with the reuse, recycling and/or disposal of the said waste equipment;
Noting that the rules set forth in the said decree no. 151/2005 as well as the implementing regulations issued accordingly […] are without prejudice to the obligations and liability vested in data controllers as for the minimum security measures they are required to take when processing personal data;
Noting that every data controller must accordingly take suitable organisational and technical measures in order to secure the personal data they process as also related to unauthorised accesses possibly taking place in connection with the disposal of the said electrical and electronic equipment (see section 31 et seq. of the Data Protection Code); noting, moreover, that manufacturers, distributors and assistance centres of electrical and electronic equipment do not appear to be subject to specific obligations arising out of sector-specific legislation with regard to the destruction of such personal data as may happen to be stored in the electrical and electronic equipment returned to them, without prejudice to any agreements that may provide otherwise;
Noting that non-compliance with security measures may attract criminal liability for data controllers (under section 169 of the DP Code) and may also give rise to tort liability (under section 15 of the DP Code and section 2050 of Italy´s Civil Code) if any third party is injured and/or harmed;
Noting that similar obligations as for the final destination of the data are vested in data controllers if the equipment is disposed of in connection with termination of the processing (as per section 16 of the DP Code);
Noting that the measures to be taken upon disposal of electrical and electronic components that are capable to store personal data must consist in actually erasing the personal data in question and/or making them unintelligible so as to prevent unauthorised entities from accessing the data on account of their holding the components in question for whatever purposes – reference can be made in this connection, for instance, to the personal data stored in the hard disk of personal computers and/or in email folders, or to the data kept in the address books of electronic communication devices;
Whereas the measures at issue have already been set forth in the form of minimum security measures applying to the processing of sensitive and/or judicial data, pursuant to clauses 21 and 22 of the Technical Specifications on minimum security measures that regulate keeping and use of data storage removable devices – whereby such devices may only be reused after the data are erased and/or made unintelligible;
Considering that data controllers disposing of the aforementioned electrical and electronic equipment, where they do not have the required skills and technical devices to erase the personal data at issue, may avail themselves of and/or entrust technically qualified entities that can implement such measures as are appropriate to actually erase the data and/or make them unintelligible – e.g. assistance centres, equipment manufacturers and distributors, which should certify performance of the operations in question and/or undertake to perform the said operations;
Considering that whoever intends to reuse and/or recycle waste electrical and electronic equipment or components thereof must make sure that no personal data is present and/or intelligible in the said equipment and obtain, where feasible, an authorisation to erase such data and/or make them unintelligible;
Whereas the measures in question may also consist, depending on the specific circumstances, in the procedures outlined in the attached documents, which are an integral part hereof, subject to their being updated in the light of technological developments and without prejudice to the adoption of additional safeguards to prevent third parties from unduly obtaining personal information also by chance;
Considering it necessary to raise public awareness of the applicable provisions in connection with the processing of personal data and the respective purposes as well as by having regard to data security measures (section 154(1)h. of the DP Code) as related to the disposal of electrical and electronic equipment, inter alia by publishing this decision in the Official Journal of the Italian Republic;
Having regard to the considerations submitted by the Secretary General in pursuance of Article 15 of the Italian DPA´s Regulations (no. 1/2000);
Acting on the report submitted by Mr. Giuseppe Fortunato;
NOW, THEREFORE, THE ITALIAN DATA PROTECTION AUTHORITY
1. Under section 154(1)h. of the DP Code, draws the attention of legal persons, public administrative bodies, any other bodies and natural persons that do not destroy, but rather dispose of devices containing personal data after using them in discharging the respective tasks – especially those related to business, commercial, professional and/or institutional activities – to the need for taking suitable arrangements and measures, also with the help of third parties having the appropriate technical skills, in order to prevent unauthorised accesses to the personal data stored in the electrical and electronic equipment that is intended to be:
a. reused and/or recycled, also by means of the procedures described in Annex A;
b. disposed, also by means of the procedures described in Annex B.
The measures and arrangements in question may also be implemented with the help of and/or by entrusting them to technically qualified third parties such as assistance centres, equipment manufacturers and distributors, which should certify performance of the operations in question and/or undertake to perform the said operations.
Whoever intends to reuse and/or recycle waste electrical and electronic equipment or components thereof must make sure that no personal data is present and/or intelligible in the said equipment and obtain, where feasible, an authorisation to erase such data and/or make them unintelligible;
2. Orders hereby that a copy of this decision be sent to the Ministry of Justice – Ufficio pubblicazione leggi e decreti in order for it to be published in the Official Journal of the Italian Republic.
Done in Rome, this 13th day of the month of October 2008
THE SECRETARY GENERAL
Annex A to the Decision by the Italian data protection authority dated 13 October 2008
Reuse and Recycling of Waste Electrical and Electronic Equipment
In case of reuse and/or recycling of waste electrical and electronic equipment, the measures and arrangements aimed at preventing unauthorised accesses to the personal data contained therein must be compliant with sector-related legislation and allow the data to be erased or else made unintelligible. The measures in question, which may be applied jointly, should take account of state-of-the-art technical standards and may consist, among other things, in the following:
Technical Preventive Measures for Secure Data Storage as Applicable to Electronic and/or IT Devices
1. Encrypting individual files and/or file sets, to be protected from time to time via confidential passwords only known to the data owner, who can de-crypt the said files thereafter. This requires applying encryption whenever it is necessary to protect a data and/or a dataset (e.g. files or file collections); each user should keep the passwords they use separate;
2. Storing the data on the hard disks of personal computers and/or any other magnetic and/or optic device (CD-ROM, DVD-R) by writing automatically encrypted data with the help of confidential passwords only known to the user. This may be applied to whole sets of data stored on one or more devices such as hard disks or portions thereof (partitions, logical drives, file systems, etc.) so as to implement the functions of a so-called cryptographic file system; such functions are available on the main operating systems for electronic processors – including personal computers – and electronic devices and allow averting the risks of unauthorised acquisition of the stored information with the help of a single confidential password. The single volume password will be used automatically for encrypting and decrypting without affecting behaviour and use of the data processing software.
Technical Measures for Secure Data Erasure as Applicable to Electronic and/or IT Device
3. Erasing data securely, which can be achieved by means of ad-hoc software (such as wiping programmes or file shredders). After the user erases the files from a disk unit and/or any similar storage device with the help of the standard tools made available by the various operating systems, the said software repeatedly overwrites the blank spaces left free on the disk with random sequences of "binary" digits (zero and one) so as to minimize the likelihood of retrieving the information also by means of electronic data analysis and recovery tools.
The number of overwrite cycles that is considered sufficient in order to ensure a reasonable security level – by having regard to the sensitiveness and/or importance of the information to be protected – ranges from seven to thirty-five; the time required for applying this procedure varies accordingly and may amount to several hours or days in the case of high-capacity (over 100-gigabyte) hard disks – also depending on computer speed;
4. "Low-level" formatting of hard disks and similar devices, where feasible, in compliance with the manufacturer´s instructions and by taking account of the possible technical consequences – which may prevent the devices in question from being re-used subsequently;
Disposal of Electrical and Electronic Waste
In case of disposal of electrical and electronic waste, actual erasure of the personal data from the storage media contained in electrical and electronic equipment can also be achieved with the help of procedures that – in compliance with sector-related legislation – consist in destroying optical and/or magneto-optical storage media so as to prevent personal data from being acquired unduly.
Storage media can be destroyed by means of different procedures and tools depending on the individual features, such as
- mechanical punching and/or deformation systems;
- physical destruction and/or disintegration (used for optical media such as CD-ROMs and DVDs);
- high-intensity de-magnetization.