Data Protection and Privacy Glossary

Data Protection and Privacy Glossary





An instrument adopted by the Italian DPA to authorise the DataController (a public body, a company, a self-employed professional) to process certain "sensitive" or judicial data or to transfer personal data abroad.

Regarding sensitive and judicial data, General Authorisations have been issued by the Italian DPA to enable various categories of data controllers to process personal data for the purposes specified therein  without applying for ad-hoc authorisations to the DPA.



Disclosing personal data to one or more specific entities (other than the DataSubject, the DataProcessor, or a Person Tasked with Processing) in whatever manner, also by making the data available or accessible (see also Dissemination)



The free indication of the DataSubject´s wish to explicitly accept a specific processing operation concerning their personal data, of which the DataSubject was informed beforehand by the entity empowered to decide on that processing (the DataController). It is enough for written "proof" of consent to be available, i.e. for the consent to be noted, transcribed, entered by the DataController and/or the DataProcessor and/or a Person Tasked with Processing in a register, instrument or minutes – unless the processing operation concerns "sensitive" data, in which case the data subject has to give written consent (e.g. by undersigning a form).

Some types of processing may be performed without the DataSubject´s consent under the terms of Section 24 of Italy´s Data Protection Code.



The data controller is the natural person, company, association or other entity that is factually in control of the processing of personal data and is empowered to take the essential decisions on the purposes and mechanisms of such processing including the applicable security measures.

If personal data is processed by a company or a public administrative body, it is the entity as a whole that acts as the data controller rather than the individual or department/unit that manages or represents such entity (e.g. Chairperson, CEO, auditor, Minister, Director General, etc.). The cases where an individual is the data controller mostly concern processing operations performed by self-employed professionals or single-person corporations.



The data processor is the natural person, company, association or organization the DataController has entrusted with specific data processing management and control tasks on account of the relevant experience and/or skills.



    The natural person a personal data relates to.


DataSubject´s Rights

Under Italy´s Personal Data Protection Code, every DataSubject has various rights in connection with the processing of their personal data (see Section 7):

1. The right to obtain general information on processing operations performed in our country by accessing, free of charge, the online Register of Processing Operations kept by the Italian DPA;

2. The right to access their own personal data directly at the entity holding such data (the DataController), i.e. the right to obtain confirmation that such data exists and communication of the data as well as to know the source of the data and what criteria and purposes apply to its processing. In the latter case the DataController may charge a fee ("handling fee") if it is found that no data relating to the data subject is held;

3. The right to obtain erasure or blocking of any data that is processed in breach of the law, for instance because no consent was asked for. This right may also be exercised if there is no valid reason any longer for retaining data that had been collected lawfully;

4. The right to have inaccurate and/or incomplete data updated, rectified or supplemented;

5. In the cases mentioned under 3. and 4. above, the right to obtain confirmation from the DataController that the above operations have been also made known to the entities the data had been communicated to beforehand, unless this proves impossible or requires a disproportionate effort compared to the right to be protected;

6. The right to object to the processing of one´s own data on legitimate grounds;

7. The right to object, in any and all cases, to the processing of one´s own data for commercial information purposes and/or for sending advertising or direct selling materials and/or for market research purposes.



Making personal data known to the public at large and/or to an indefinite amount of entities – for instance, by publishing personal data in a daily or posting personal data on a web page.



The Garante, i.e. the Italian Data Protection Authority (DPA), is an administrative independent authority set up by the "Privacy Act" (675/1996, now merged into the consolidated Personal Data Protection Code).

Similar authorities have been set up in all EU countries pursuant to Article 8 of the Charter of Fundamental Rights of the European Union.

The Garante is tasked with ensuring the protection of fundamental rights and freedoms as regards the processing of personal data along with respect for individuals´ dignity. It is made up of four commissioners elected by Parliament and is headquartered in Rome – Piazza di Monte Citorio, 121. The Garante runs an Office with 125 staff members.

The Garante handles citizens´ claims and reports and supervises over compliance with the provisions protecting private life. It decides on complaints lodged by citizens and is empowered to prohibit, also of its own motion, any processing operation that is unlawful or unfair. It can perform inspections, impose administrative penalties, and issue opinions in the cases mentioned by the Data Protection Code. It can also draw Parliament´s and Government´s attention to the desirability of regulatory measures concerning personal data protection.



A notice containing the information the DataController is required to provide to every DataSubject, either orally or in writing, whenever a data is collected either from the DataSubject or from third parties. The InformationNotice must specify, in a concise and user-friendly manner, what purpose(s) and mechanisms apply to the processing; whether the DataSubject is obliged to provide the data or not; what consequences may result from the failure to provide the data; who the data may be communicated or disseminated to; what rights are afforded to the DataSubject; who the DataController (and the DataProcessor, if any) is and how one can contact them (address, phone, fax, etc.).




A personal data disclosing that certain judicial measures have been taken in respect of a person such as to require their inclusion into that person´s criminal record (e.g. final criminal convictions; paroling; residency and/or movement restrictions; measures other than custodial detention).

The fact of being a defendant and/or the subject of criminal investigations falls within the scope of this definition as well.




This is a one-shot communication the DataController is to give to the Garante by means of an ad-hoc form to be sent electronically and signed digitally (see the DPA´s website for additional procedural details). The notification describes the main features of the processing (categories of processed data, purposes of the processing, place where the processing is performed, data recipients in Italy or abroad, security measures in place).

Notification must be given prior to starting the processing and is not to be re-submitted if no features of the processing change. Thus, if the purposes of the processing or the nature of the DataController are modified, a new notification must be given to the DPA.

All notifications are kept in a "Register of Processing Operations" that is publicly accessible free of charge via the Internet. Citizens may get information through it and use it for the purpose of applying personal data protection legislation – e.g. to exercise data access rights or any other right set forth in the Data Protection Code.

Checks on the notified processing operations will be performed by way of the Register and the information contained in the relevant notification will be verified. If a DataController is not required to notify a processing operation, it must nevertheless provide the information contained in the notification form to any person requesting it as part of the exercise of that person´s access rights and/or any other right set forth in Section 7 of the Data Protection Code.


Person Tasked with Processing 

An employee or a co-worker that processes or factually uses personal data on behalf of the DataController´s organization in accordance with the instructions given by the DataController and/or the DataProcessor (if the latter has been appointed).


Personal Data   

Any information concerning natural persons that are or can be identified also by way of other items of information – e.g., via a number or an ID code.

For instance, personal data is one´s first or last name, address, Tax ID as well as a picture, the recording of one´s voice or one´s fingerprint, or medical, accounting or financial information relating to that person.



Privacy nowadays does not mean only the "right to be left alone" or to protect one´s private sphere, as it is above all the right to be in control of how one´s personal data are used and moved about. Personal information is actually the key commodity in today´s information society.

The right to privacy and the right to the protection of personal data are fundamental human rights and relate directly to the protection of human dignity, as also enshrined in the Charter of Fundamental Rights of the EU.


Processing (personal data)

This is an operation or set of operations concerning personal data.

The definition set forth by the DP Code is wide-ranging as it includes collection, recording, organization, storage, modification, selection, extraction, use, blocking, communication, dissemination, erasure and destruction of data. Each of these operations is an instance of processing.




Technical and organizational arrangements, electronic devices and/or computer software that are used to ensure that no data is lost or destroyed, even accidentally, only authorized entities may access the data, and no processing is performed either in breach of the law or by departing from that for which the data had been collected initially.

The Data Protection Code lays down various measures, standards and procedures (e.g. requiring an user ID and password for data access; deployment of anti-virus software; instructions to regularly perform data back-ups) a DataController is to adjust to the processing depending on whether this is performed electronically or manually (i.e. as regards paper records and documents).

Annex B to the Data Protection Code lists the minimum security measures that are to be implemented mandatorily in order not to be punished under the terms of Section 169 of the Code.



A personal data requiring special precautions on account of its nature. A sensitive data is any data that can disclose a person´s racial origin or ethnicity, religious or other beliefs, political opinions, membership of parties, trade unions and/or associations, health, or sex life.