Authorisation No. 4/2002 Concerning Processing of Sensitive Data by Self-Employed Professionals
The Garante per la protezione dei dati personali
On this day, with the participation of Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi and Mr. Mauro Paissan, members, and Mr. Giovanni Buttarelli, Secretary-General;
Having regard to Act no. 675 of 31.12.1996, as subsequently amended and supplemented, concerning the protection of individuals and other subjects with regard to the processing of personal data;
Having regard to, in particular, Section 22(1) of said Act, in which "sensitive" data are referred to;
Whereas private entities and profit-seeking public bodies may only process sensitive data upon authorisation by this Authority and, where necessary, after obtaining the data subject's consent in writing;
Whereas the processing of sensitive data may be also authorised by the Garante ex officio by way of general provisions applying to specific categories of controller and/or processing in pursuance of Section 41(7) of Act no. 675/1996;
Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation orders;
Whereas it is appropriate to grant new general authorisations to replace those due to expire on the 31st of January 2002 by streamlining their provisions in the light of the experience gathered so far;
Whereas it is appropriate for these new provisional authorisations to be also time-limited in pursuance of Section 14 of Presidential Decree no. 501/1998 in view of the forthcoming adoption of a consolidated text of the provisions applying to personal data protection as required by Act no. 127/2001;
Whereas it is necessary to ensure compliance with principles aimed at minimising the risk of affecting or endangering, through the processing, fundamental rights and freedoms and human dignity;
Whereas the processing of sensitive data is carried out, to a considerable extent, by self-employed professionals included in professional lists and/or registers in order to discharge their respective professional tasks;
Having regard to Section 35 of Act no. 675/1996;
Having regard to the regulations including provisions on the minimum security measures, as adopted by Presidential decree no. 318 of 28.07.99;
Having regard to Section 14 of Presidential decree no. 501 of 31.03.98;
Having regard to official documents;
Having regard to the considerations made, on behalf of the Office, by the Secretary General in pursuance of Section 15 of the Rules of Procedure of the Garante (no. 1/2000);
Acting on the report submitted by Prof. Giuseppe Santaniello,
the processing of sensitive data as per Section 22(1) of Act no. 675/1996 by self-employed professionals included in the relevant lists or registers, in compliance with the following requirements:
This authorisation shall be granted, without any request being necessary, to self-employed professionals who are required to be included in the relevant lists or registers for carrying out professional activities either alone or jointly with others, also pursuant either to legislative decree no. 96 of 02.02.2001 or to the implementing provisions of Section 24(2) of Act no. 266 of 07.08.97 on assistance and advisory activities.
The entities included in the special lists or registers set up in pursuance of, inter alia, Section 34 of Royal decree-law no. 1578 of 27.11.33 as subsequently amended and supplemented - concerning regulations for the Bar - shall be regarded as self-employed professionals.
This authorisation shall also be granted to substitutes and staff co-operating with a self-employed professional in pursuance of Section 2232 of the Civil Code, as well as to trainees working with a self-employed professional, whenever they are controllers of a separate processing operation or jointly control the processing carried out by the self-employed professional.
This authorisation shall not apply to the processing of personal data:
a) that is performed by health care professionals and psychologists, nursing, technical or rehabilitation staff in the health care sector, which are the subject of general authorisation no. 2/2002;
b) that is aimed at managing employees or staff co-operating either with the self-employed professional or with any of the abovementioned entities, which is the subject of general authorisation no. 1/2002;
c) that is performed by private entities carrying out investigational activities and by professional, free-lance and trainee journalists as per Sections 26 and 33 of Act no. 69 of 03.02.63.
2) Data subjects and categories
Processing may concern the sensitive data related to clients.
Sensitive data concerning third parties may be processed insofar as this is absolutely necessary to discharge specific professional tasks as requested by clients for specific, legitimate purposes.
At all events, the data must be relevant and not excessive with regard to committed tasks that cannot be discharged by processing either anonymous data or personal data of a different kind.
Processing of data disclosing health or sex life shall be carried out by also complying with said general authorisation no. 2/2002.
3) Purposes of the processing
Sensitive data may only be processed for discharging tasks that are included among those permitted by the relevant professional regulations, and in particular:
a) with a view to fulfilling obligations in respect of labour law, social security and assistance and fiscal assistance on behalf of other persons who are either employees or self-employed workers, as per Act no. 12 of 11.01.79 on the activity of occupational advisors;
b) for the establishment or defence of a legal claim even by third parties, including administrative proceedings and arbitration or settlement procedures in the cases provided for by laws, Community legislation, regulations or collective agreements;
c) for the performance by defence counsel of the investigations referred to in Act no. 397 of 07.12.2000, including by the agency of substitutes and/or experts;
d) in order to exercise the right of access to administrative records in compliance with the relevant laws and regulations.
4) Processing arrangements
Processing of sensitive data shall only be carried out in accordance with such logic and organisational arrangements as are closely related to the task committed by a client.
This authorisation shall be without prejudice to the obligations laid down in Sections 9, 15, 17 and 28 of Act no. 675/1996 and in Presidential decree no. 318/1999.
Further, this authorisation shall be without prejudice to the requirement:
a) of informing the data subject as per Section 10(1) and (3) of Act no. 675/1996, even if the data are collected from a third party;
b) of obtaining the data subject's consent in writing.
If the data are collected either for the establishment of a legal claim or for the investigations by defence counsel (as per 3), subheadings b) and c)), the requirement of informing the data subject with regard to the data collected from a third party and obtaining his/her consent in writing shall only apply if the data are processed either for a longer period than is absolutely necessary for said purposes or else for different purposes which are not inconsistent with the former.
The information must enable the data subject to easily understand whether the data controller is a self-employed professional or an association of self-employed professionals, or else whether a number of self-employed professionals act jointly as data controllers or carry out their practice as a partnership in pursuance of legislative decree no. 96 of 02.02.2001.
Nothing in this authorisation shall be construed to prevent a self-employed professional from appointing substitutes, co-operating staff or trainees as processors or persons in charge of the processing; in this case, they shall only have access to the data that are closely relevant to the co-operation requested.
The same restriction shall also apply to the persons in charge of the processing who are committed administrative tasks.
5) Data retention
In compliance with the obligation referred to in Section 9(1), subheading e), of Act no. 675/1996, sensitive data shall be kept for as long as required by laws, Community legislation or regulations and anyhow for no longer than is absolutely necessary to discharge the tasks that have been committed.
To that end it shall be determined whether the data are relevant and not excessive in respect of the existing, planned or discharged tasks - including the data supplied on the data subject's own initiative. The data that are found by said controls to be either excessive or irrelevant or unnecessary may not be used except with a view to keeping - as required by law - the instrument and/or document where the data are contained. Special attention shall be paid to relevance of the data concerning entities that are not immediately related to fulfilment of the abovementioned obligations and/or tasks.
The data acquired in connection with tasks already discharged may be kept further if they are relevant and not excessive in relation to any subsequent tasks.
6) Data communication and dissemination
Sensitive data may be communicated and, if necessary, disseminated to public and private entities exclusively in connection with discharge of the relevant task(s) and in compliance with professional secrecy requirements.
Data disclosing health may only be disseminated if this is necessary for the prevention, detection or suppression of criminal offences in compliance with the relevant provisions, as laid down in Section 23(4) of Act no. 675/1996.
No data disclosing sex life may be disseminated.
7) Requests for authorisation
Where the processing falls within the scope of this authorisation, no request for authorisation shall have to be filed with the Garante by the relevant controller if the proposed processing is in line with the above provisions.
Any requests for authorisation which have already been received, or which will be received following adoption of this authorisation, shall be regarded as granted insofar as they comply with the requirements laid down herein.
No requests to authorise processing operations that are not in pursuance of the provisions set out herein shall be taken into consideration by the Garante, unless they are to be granted on account of special or exceptional circumstances which are not referred to in this authorisation.
8) Final provisions
Any laws, Community rules or regulations imposing further prohibitions or restrictions on the processing of personal data are hereby left unprejudiced, in particular as regards Act no. 300 of 20.05.70 and Act no. 135 of 05.06.90 as well as any provisions against discrimination.
This authorisation shall also be without prejudice to the prohibition to disclose, on no legitimate grounds, or use, with a view to gain for oneself or another, information to which professional secrecy applies; the obligations resulting from professional ethics shall further remain unprejudiced.
9) Effectiveness and transitional provisions
This authorisation shall be effective as of 1 February 2002 until 30 June 2003.
If, by the date on which this authorisation is published, the processing is not compliant with the provisions that are not included in Authorisation no. 4/2000, the data controller shall have to bring it into line with said provisions by the 31st May 2002.
This authorisation shall be published in the Official Journal of the Italian Republic.
Done in Rome, this 31st day of January 2002.