
Authorisation No. 5/2014 Concerning Processing of Sensitive Data by Various Categories of Data Controller [3813011]


[doc. web n. 3813011]

Published in Italy's Official Journal No. 301 of 30 December 2014

The Italian Data Protection Authority

Having convened today, with the participation of Mr. Antonello Soro, President, Ms. Augusta Iannini, Vice-President, Ms. Giovanna Bianchi Clerici and Prof. Licia Califano, Members, and Mr. Giuseppe Busia, Secretary-General;

Having regard to Legislative Decree no. 196 of 30 June 2003, containing the personal data protection Code (hereinafter, the "Code");

Having regard to, in particular, Section 4(1), letter d), of the abovementioned Code, in which sensitive data are referred to;

Whereas under Section 26(1) of the Code private bodies and profit-seeking public bodies may only process sensitive data upon authorisation by this Authority and, where necessary, after obtaining the data subjects' written consent, subject to compliance with the conditions and limitations set out in the Code as well as in laws and regulations;

Having regard to Legislative Decree No. 28 of 4 March 2010 implementing Section 60 of Act No. 69 of 18 June 2009, as amended by Act No. 98 of 9 August 2013, on mediation for the purpose of settling civil and commercial disputes as well as to Ministerial Decree No. 180 of 18 October 2010 as issued pursuant to Section 16 of the said legislative decree;

Whereas a considerable number of processing operations concerning sensitive data are performed by the organisations mentioned in Section 1(1)d) of Legislative decree No. 28/2010 in order to discharge the respective tasks;

Having regard to Authorisation No. 2/2014 for the processing of data suitable for disclosing health and sex life;

Considering that the processing of sensitive data by the mediation organisations referred to in Legislative Decree No. 28/2010 does not fall under the scope of General Authorisation No. 4/2014 for the processing of sensitive data by self-employed professionals on account of the different scope of application and the peculiar requirements set forth therein;

Whereas the processing of the data in question may be authorised by the Garante also ex officio by way of general provisions applying to specific categories of controller and/or processing (Section 40 of the Code);

Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation decrees;

Whereas it is appropriate to grant new authorisations replacing those due to expire on 31 December 2014 by streamlining their provisions in the light of the experience gathered so far;

Whereas it is appropriate for these new authorisations to be also provisional and time-limited in pursuance of Section 41(5) of the Code and, in particular, to be effective for twenty-four months;

Whereas it is necessary to ensure compliance with principles aimed at minimising the risk of affecting or endangering, through the processing, fundamental rights and freedoms and human dignity, with particular regard to the right to personal data protection set out in Section 1 of the Code;

Whereas the processing of sensitive data is carried out, to a considerable extent, by entities working in several industry sectors as specified herein;

Having regard to Section 11(2) of the Code, whereby any data that is processed in breach of the relevant provisions applying to personal data processing may not be used;

Having regard to Section 31 and following ones in the Code, and to the Technical Specifications contained in Annex B to the Code, setting out rules and specifications in respect of security measures;

Having regard to Section 41 of the Code;

Having regard to Section 42 of the Code concerning cross-border data flows;

Having regard to Section 167 of the Code;

Having regard to official records;

Having regard to the considerations made by the Secretary General on behalf of the Office, in pursuance of Section 15 of the Rules of Procedure of the Garante (no. 1/2000);

Acting on the report submitted by Ms. Giovanna Bianchi Clerici;

Hereby authorises

the processing of sensitive data as per Section 4(1), letter d), of the Code, except for those suitable for disclosing sex life, in accordance with the provisions set out below.

Prior to starting and/or continuing the processing, information systems and programmes must be configured by minimising the use of personal and/or identification data so as to rule out their processing if the purposes sought in the individual case can be achieved by using, respectively, either anonymous data or mechanisms that allow identifying the data subject only if this is necessary, in accordance with Section 3 of the Code.

Chapter I
Banking, Credit, Insurance, Fund Management, Tourism, Transportations, and Other Activities

1) Scope of the Authorisation

a) any undertaking authorised to carry out banking, credit or insurance activities and the relevant associations, including those that are the subject of compulsory administrative liquidation;

b) companies and other entities managing pension or benefit funds, or social security funds;

c) financial brokerage companies or entities, particularly as regards management and/or brokerage of investment funds and/or movables;

d) companies and any other entities issuing credit cards or other means of payment, or anyhow enabling payment mechanisms and managing the relevant transactions;

e) undertakings carrying out, on their own behalf, activities that are closely related and instrumental to those mentioned above as regards risk assessment, factoring, processing of a large amount of records, data transmission, packing and/or sorting of mail, and management of tax collectors' offices [esattorie] or treasury departments [tesorerie];

f) undertakings in the tourism, hotelling or transport sectors, travel agencies, and tour operators;

g) undertakings authorised to carry out their activities further to an authorisation granted under the provisions laid down in Royal Decree no. 773 of June 18, 1931 (Consolidated Public Security Act) and/or in Legislative Decree no. 112 of March 31, 1998.

2) Purposes of the Processing

This authorisation shall be granted without any request being necessary in respect of such data and operations as are indispensable in order to fulfil the obligations, including pre-contractual obligations, undertaken by the entities referred to under 1) within the relevant sectors of activity, with a view to supplying specific goods or services that have been requested by a data subject.

This authorisation shall also be granted to comply or enforce compliance with obligations – including tax and accounting obligations – under Community legislation, laws, regulations, or collective agreements, or else imposed by supervisory or control bodies or authorities in the cases mentioned in the relevant laws or regulations.

The processing operations performed for the above purposes may also concern the keeping of accounting registers and books, lists, mailing lists and any other documents that are necessary in connection with organisation or administrative management of businesses, companies, co-operatives or consortia.

3) Data Subjects and Data Categories

Processing may concern sensitive data relating to any person to whom goods or services are supplied insofar as the data are closely relevant to the specific request(s) made by the data subject, who must have given his/her informed consent thereto in writing. Subject to the above limitations, the processing may also concern data relating to third parties, whenever said goods or services cannot be supplied otherwise to the recipients/beneficiaries.

If the data subject's consent is required in respect of separate data controllers, the indication of his/her wishes must refer specifically to each of them.

4) Data Communication and Dissemination

Sensitive data may be communicated, insofar as this is closely relevant to the purposes mentioned under 2), to public and private entities, including social security and assistance funds and/or subsidiary and related companies in pursuance of Section 2359 of the Civil Code, as well as, if necessary, to the data subject's family members.

Data controllers must keep a list of the recipients of the communications in question, including the specification of the categories of data that have been communicated, also with a view to informing other data controllers of any changes made to the data in response to a request lodged by data subjects (as per Section 7(3), letter c) of the Code).

No sensitive data may be disseminated.

Chapter II
Opinion Polls and Surveys

1) Scope of the Authorisation and Purposes of the Processing

This authorisation shall be granted to undertakings, companies, institutions and other private or public entities and/or organisations exclusively for the purpose of carrying out opinion polls, market surveys or any other sample-based study.

Polls and surveys must be carried out for specific, legitimate purposes, of which the data subject shall have to be informed.

2) Data Subjects and Data Categories

The processing may concern data in respect of individuals who have given their informed consent and have replied to questionnaires or interviews in connection with opinion polls, market surveys and any other sample-based studies.

The data subject's consent must always be given in writing.

Sensitive data may only be processed if the processing of anonymous data does not allow achieving the purposes of the poll or survey.

3) Data Retention

The processing operations carried out after collecting the data shall not allow identifying data subjects, indirectly or not, by way of reference to any other information.

Any personal data, whether in aggregate form or not, shall be destroyed or made anonymous immediately after being collected, and anyhow no later than at the time when the collected samples are stored. Storage must take place without delay also if a large amount of samples has been collected.

This authorisation shall be without prejudice to the possibility for the data controller and the relevant processors or persons in charge of the processing to use the personal data within the aforementioned time span in order to verify reliability and accuracy of the samples by accessing the data subjects.

4) Data Communication

No sensitive data may be communicated or disseminated.

Poll or survey samples may be communicated or disseminated, whether in aggregate form or not, on condition that they cannot be associated with identified or identifiable data subjects also by way of a processing operation.

Chapter III
Data Processing Activities

1) Scope of the Authorisation

Undertakings, companies, institutions, and any other private organisations or entities acting as autonomous controllers of an activity that is carried out for the benefit of other entities and is based on data elaboration and additional processing operations either in the employment context or for the purposes of accounting, payment of wages, social security, welfare, and taxation.

2) Applicable Provisions

Processing shall be carried out in accordance with the following authorisations:

a) No. 1/2014 concerning the processing of sensitive data by, in particular, the parties to an employer-employee relationship if the purposes sought are those referred to under item 3) of said authorisation;

b) No. 4/2014 concerning the processing of sensitive data by self-employed professionals or equivalent entities, if the purposes sought are those referred to under item 3) of said authorisation.

If the data subject's consent is to be given in respect of separate data controllers, the indication of his/her wishes must specifically refer to each of them.

Chapter IV
Personnel Selection

1) Scope of the Authorisation and Purposes of the Processing

This authorisation shall be granted without any request being necessary to recruitment agencies and any other entities that carry out staff placement, recruitment, and selection activities or provide outplacement services, for the benefit of third parties, in accordance with the law.

2) Data Subjects and Data Categories

Processing may concern data suitable for disclosing health and racial and ethnic origin of applicants for employment or co-operation activities, on condition that the collection of said data serves specific, legitimate purposes and is absolutely indispensable for setting up the aforementioned relationship.

The processing of data suitable for disclosing health of an applicant's family members or cohabiters is allowed with the data subject's written consent, if it is aimed at awarding a specific benefit to the applicant - in particular, with a view to the latter's mandatory recruitment or else in order to grant preferential treatment in connection with disability or sickness, war events or official duties.

If the data subject's consent is required in respect of separate data controllers, the indication of his/her wishes must specifically refer to each of them.

The processing shall only concern information that is closely relevant to the above purposes regardless of whether the data are provided in response to a questionnaire that has been sent also by using electronic networks or upon the applicant's own initiative - in particular via the submission of CVs.

It shall not be permitted to process data:

a) suitable for disclosing religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations with a religious, philosophical, political or trade-union aim, racial and ethnic origin, subject to the provisions above, and sex life, or

b) concerning facts that are irrelevant in order to assess employees' professional qualifications, or

c) in breach of provisions either applying to equal opportunity policies or against discrimination.

3) Data Communication and Dissemination

Data suitable for disclosing health and racial and ethnic origin may be communicated to the public or private entities that are specifically referred to in the data subject's statement of consent, insofar as they are closely relevant to the purposes mentioned under 1) and 2).

No sensitive data may be disseminated.

4) Final Provisions

Any additional obligations set out in laws and regulations are hereby left unprejudiced.

Chapter V
Marriage Brokers

1) Scope of the Authorisation

This authorisation shall be granted to undertakings, companies, institutions, and other private organisations or entities acting as brokers for the purpose of setting up marriage and/or cohabitation relationships, also by means of authorised agencies.

2) Purposes of Data Processing

This authorisation shall be granted exclusively in order to discharge the tasks that have been committed in pursuance of the relevant laws and regulations.

3) Data Subjects

Processing may only concern the sensitive data relating to the persons who are directly involved in the matrimonial and/or cohabitation relationship.

No data may be processed in respect of individuals who are considered to be underage either under the law of their nationality State or under Italian law.

4) Categories of Processed Data

Processing may only concern such data and operations as are indispensable with regard to the specific profile or personality described and/or requested by the persons who are interested in the marriage or cohabitation.

The data must be provided by the data subject in person.

The information to be provided prior to obtaining the data subject's written consent must especially highlight the categories of processed data and the arrangements made for their communication to third parties.

5) Data Communication

The data may be communicated insofar as they are closely relevant to performance of the tasks specifically committed.

Data controllers must keep a list of the recipients of the communications in question, including the specification of the categories of data that have been communicated, also with a view to informing other data controllers of any changes made to the data in response to a request lodged by data subjects (as per Section 7(3), letter c) of the Code).

The dissemination of certain sensitive data, also by means of electronic networks, shall be the subject of a specific authorisation by this Authority.

6) Final Provisions

This authorisation shall be without prejudice to additional obligations laid down by laws or regulations, in particular as regards criminal law, public security, and the protection of children.

Chapter VI
Mediation for Settling Civil and Commercial Disputes

1) Scope of the Authorisation

This Authorisation shall be granted, also without any request therefor, to the private mediation organisations referred to in Section 1(1) of Legislative Decree no. 28 of 4 March 2010 in order to perform mediation activities aimed at settling civil and commercial disputes.

2) Purposes of the Processing

This Authorisation shall be granted exclusively for the purpose of performing one of the activities the entities mentioned under 1) above are empowered to carry out under the terms of Legislative Decree no. 28/2010, including subsequent amendments and additions thereof, and in particular to assist two or more entities both in achieving an amicable agreement to settle a dispute and – where no such agreement can be achieved – in putting forward a proposal for settling the said dispute. Where any data is suitable for disclosing health or sex life, the claim to be established or defended shall be equivalent to the one made by the data subject; alternatively, it shall consist in a personal right or in any other fundamental, inviolable right or freedom.

3) Data Subjects

The processing may only concern sensitive data relating to the entities that are involved in the dispute to be settled.

Sensitive data relating to third parties may be processed if this is absolutely indispensable for the purposes of mediation.

4) Data Categories and Processing Arrangements

Processing may only concern such data and operations as are indispensable, relevant and not excessive with regard to the specific dispute that is the subject of mediation as well as in connection with activities that may not be performed by relying on anonymous data and/or personal data of a different character.

Any data that is suitable for disclosing health or sex life must be processed by also complying with the aforementioned General Authorisation No. 2/2014.

The information notice to be provided prior to obtaining the data subject's written consent must highlight the categories of processed data and the disclosure mechanisms applying to such data.

5) Data Communication

Sensitive data may be communicated to the parties to the mediation proceeding that is aimed at settling civil and commercial disputes to the extent this is strictly relevant to the specific mediation assignment, in accordance with the constraints and limitations referred to in Legislative Decree No. 28/2010.

No sensitive data may be disseminated.

6) Final Provisions

Any obligations set forth in laws and regulations and/or in Community legislation banning and/or placing tighter constraints on the processing of personal data shall be left unprejudiced.

The legal obligations banning unjustified disclosure or the use, with a view to one's own or another's gain, of information that is covered by professional secrecy shall be also left unprejudiced along with good practice and/or ethical obligations applying to the individual professional sectors.

Chapter VII
Digital Services

1) Scope of the Authorisation

This Authorisation shall be granted, also without any request therefor, to

a) Suppliers of digital products and services as purchased via telephone operator billing (mobile remote payment);

b) Suppliers of interactive TV products and services.

2) Purposes of the Processing

This Authorisation shall be granted exclusively to fulfil obligations arising from a contract and/or the steps taken prior to entering into a contract for the supply of digital goods or services to the data subject as part of mobile remote payment and/or interactive TV.

3) Data Subjects and Categories of Processed Data

Processing may concern the sensitive data, including data suitable for disclosing sex life, relating to the individuals supplied with the digital goods and/or services as part of mobile remote payment and/or interactive TV.

The processing shall concern such data and operations as are absolutely indispensable with a view to the specific requests made by the data subject, who must have given his or her informed consent either in writing or in any other equivalent format.

Where the data subject's consent is requested by separate data controllers, it shall be given specifically to each of them.

4) Data Communication and Dissemination

Data may be communicated insofar as this is strictly relevant to performance of the specific service being requested and in accordance with sector-specific legislation, personal data protection legislation, and the Garante's orders.

No sensitive data may be disseminated.

5) Final Provisions

Any laws, regulations or Community rules imposing further prohibitions or restrictions on the processing of personal data are hereby left unprejudiced.

This authorisation shall also be without prejudice to the prohibition to disclose, on no legitimate grounds, or use, with a view to gain for oneself or another, information to which professional secrecy applies; any obligations resulting from professional ethics shall further apply.

Chapter VIII
Provisions Applying to all Types of Processing

Insofar as these matters are not regulated in the above chapters, the following provisions shall also apply to the processing operations mentioned therein:

1) Data Suitable for Disclosing Health

The processing of data disclosing health shall also be carried out in accordance with authorisation No. 2/2014.

The processing of genetic data shall be authorised further in compliance with the terms and conditions set out in the authorisation adopted in pursuance of Section 90 of the DP Code.

2) Processing Arrangements

Without prejudice to the obligations laid down in Sections 11 and 14 of the Code, in Sections 31 and following ones of the Code, and in Annex B) to the Code, processing of sensitive data shall only be carried out by means of such operations and in accordance with such logic and organisational arrangements as are closely related to the purposes set out in the above Chapters.

Data shall be communicated as a rule either directly to the data subject or to the latter's delegate subject to the provisions made in Section 84(1) of the Code, by using either a closed envelope or any means suitable for preventing unauthorised persons from having access to said data, including the requirement of standing behind a line while waiting to be served.

This authorisation shall also be without prejudice to the requirement of informing the data subject in pursuance of Section 13, paragraphs 1, 4 and 5 of the Code, also if the data are collected from a third party.

3) Data Retention

Without prejudice to the obligation laid down in Section 11(1), letter a) of the Code, sensitive data may be kept for no longer than is necessary to achieve the purposes, fulfil the obligations or discharge the tasks referred to in the above Chapters. To that end it shall be continuously verified, also by way of regular controls, whether the data are relevant, not excessive, and indispensable with regard to the existing, planned or terminated relationship, performance or tasks – including the data supplied on the data subject's own initiative. The data that are found to be either excessive or irrelevant or unnecessary also following said verification may not be used except with a view to keeping – as required by law – the instrument and/or document where the data are contained. Special attention shall be paid to indispensability of the data concerning entities other than those directly concerned by the aforementioned obligations and/or tasks.

This authorisation shall be without prejudice to any laws or regulations laying down different data retention periods.

The provisions of Chapter II applying to opinion polls and surveys are hereby left unprejudiced.

4) Authorisation Request

No request for authorisation shall have to be lodged with the Garante by a data controller falling within the scope of application of this authorisation, if the proposed processing is in line with the above provisions.

The authorisation requests received prior to and/or after the date of adoption of this provision shall be regarded as granted insofar as they comply with the requirements laid down herein.

No authorisation requests concerning processing operations that are not in line with the provisions set out herein shall be taken into consideration by the Garante, unless they are to be granted under Section 41 of the Code on account of special and/or exceptional circumstances that are not referred to in this authorisation.

5) Final Provisions

Any laws, regulations or Community rules imposing further prohibitions or restrictions on the processing of personal data are hereby left unprejudiced, in particular as regards:

a) Act no. 300 dated 20.05.1970;

b) Act no. 135 dated 05.06.1990; and

c) Legislative Decree no. 276 dated September 10, 2003.

This authorisation shall also be without prejudice to the prohibition to disclose, on no legitimate grounds, or use, with a view to gain for oneself or another, information to which professional secrecy applies; any obligations resulting from professional ethics shall further apply, including those laid down in the codes of conduct that are adopted in pursuance of Section 12 of the Code.

The possibility to disseminate anonymous data, also as aggregate data, shall be left unprejudiced.

6) Effectiveness

This authorisation shall be effective as of 1 January 2015 until 31 December 2016 subject to such amendments as the Garante may decide to make on account of regulatory developments concerning this subject matter.

This authorisation shall be published in the Official Journal of the Italian Republic.

Done in Rome, this 11th day of the month of December 2014.

THE PRESIDENT
Soro

THE RAPPORTEUR
Bianchi Clerici

THE SECRETARY-GENERAL
Busia
