[doc. web n. 1898462]

Authorisation to Process Judicial Data As Related to Mediation Activities Aimed at Conciliation of Civil and Commercial Disputes – 21 April 2011
(As published in Italy´s Official Journal no. 101 dated 3 May 2011)

The Garante per la protezione dei dati personali

Having convened today, with the participation of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Daniele De Paoli, Secretary-General;

Having regard to Legislative Decree no. 196 of 30 June 2003, containing the personal data protection Code;

Having regard to, in particular, Section 4(1), letter e., of the said Code, in which judicial data are referred to;

Whereas section 21(1) and section 27 of the Code provide that judicial data may be processed by public bodies and by private bodies and/or profit-seeking public entities, respectively, if such processing is permitted explicitly by a law or a decision by the Italian DPA, which must specify the substantial public interest underlying the processing, the categories of data to be processed, and the processing operations that may be performed;

Whereas section 20(2) and (4) and the provisions concerning specific sectors as included in Part II of the Code, in  particular Chapter IV of Title IV, refer to substantial public interest purposes that justify the processing of judicial data by public bodies;

Whereas section 22 of the Code lays down the principles applying, in particular, to the processing of judicial data by public bodies;

Whereas the processing of the data in question may be authorised by the Garante also ex officio by way of general provisions applying to specific categories of controller and/or processing (Section 40 of the Code);

Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisations;

Having regard to legislative decree no. 28 dated 4 March 2010, implementing Section 60 of Act no. 69 dated 18 June 2009 on mediation for the purpose of conciliation of civil and commercial disputes; having regard to ministerial decree no. 180 dated 18 October 2010, issued in pursuance of section 16 of the aforementioned legislative decree;

Whereas legislative decree no. 28/2010 and ministerial decree no. 180/2010 provide that mediation organisations, training bodies and the Ministry of Justice may process judicial data to establish compliance with moral eligibility requirements in respect of mediators as well as of the members, associates, managers and representatives of the aforementioned private bodies; whereas they empower the Ministry of Justice to carry out supervision and control as regards the said requirements;

Having regard to the general authorisation no. 7/2009 for the processing of judicial data by private entities, profit-seeking public bodies, and public entities, which does not include the processing in question as related to mediation activities for the purpose of conciliation of civil and commercial disputes;

Whereas it is accordingly necessary to grant a new authorisation in order to enable the said processing;

Whereas it is appropriate for this new authorisation to also be provisional and time-limited in pursuance of section 41(5) of the Code; whereas it is appropriate, in particular, to provide for such authorisation to be in force until 30 June 2012 pending the initial implementation of legislative decree no. 28/2010, since the arrangements to be made in order to implement section 16 of decree no. 28/2010 pursuant to the criteria laid down in section 4 of ministerial decree no. 180/2010 are expected to be in place by the above deadline, whereupon the relevant regulatory framework will be completed;

Whereas it is necessary to ensure compliance with principles that are aimed at minimizing the risk of harming or endangering fundamental rights and freedoms and personal dignity on account of the processing in question, which applies, in particular, to the right to the protection of personal data laid down in section 1 of the Code;

Having regard to section 167 of the Code;

Having regard to section 11(2) of the code, whereby any data that is processed in breach of the relevant personal data protection legislation may not be used;

Having regard to section 31 et seq. of the Code as well as to the technical specifications contained in Annex B thereto, which lay down rules and requirements applying to security measures;

Having regard to section 41 of the Code;

Having regard to section 42 et seq. of the Code as for the transfer of personal data abroad;

Having regard to the records on file;

Having regard to the considerations by the Office as submitted by the Secretary General in pursuance of article 15 of the Italian DPA´s Rules of Procedure no. 1/2000;

Acting on the report submitted by Prof. Francesco Pizzetti;

AUTHORISES

The processing of judicial data for the substantial public interest purposes mentioned hereinafter under the terms of sections 21 and 27 of the Code and in accordance with the requirements laid down below.

1. Authorised Entities and Purposes of the Processing

a. The following entities shall be authorised to process the judicial data referred to in section 4(1)e. of the Code, also without lodging a specific request to that effect, in order to fulfil obligations set forth in legislation or regulations applying to mediation aimed at the conciliation of civil and commercial disputes, for the substantial interest purpose mentioned in section 69 of the Code (Granting Honours, Rewards, Recognition):

i. The mediation organisations that are private entities as referred to in section 1(1)d. of legislative decree no. 28/2010, including subsequent amendments and additions thereof, as regards data on members, associates, managers and representatives, as well as on registered mediators;

ii. The mediation organisations that are public bodies as referred to in section 1(1)d. of legislative decree no. 28/2010, including subsequent amendments and additions thereof, as regards data on registered mediators;

iii. The training bodies referred to in section 16(5) of legislative decree no. 28/2010, including subsequent amendments and additions thereof, as regards data on members, associates, managers and representatives;

b. The Ministry of Justice shall be authorised to process the judicial data referred to in section 4(1)e. of the Code in pursuance of section 16 of legislative decree no. 28/2010, including subsequent amendments and additions thereof along with the relevant implementing rules, in order to manage the register of mediation organisations and the list of training bodies as well as to verify the moral eligibility requirements mentioned in ministerial decree no. 180/2010 with regard to members, associates, managers and representatives of mediation organisations and training bodies that are private entities as well as to the individual mediators, for the substantial public interest purposes set forth in section 69 (Granting Honours, Rewards, Recognition) and in section 67 (Supervisory and Inspection Activities).

2. Data Subjects and Data Categories
Processing shall only concern the judicial data relating to the moral eligibility requirements set forth in ministerial decree no. 180/2010 as applying to members, associates, managers and representatives of the mediation organisations and training bodies that are private entities and to the individual mediators (i.e. "not having been the subject of a final sentence for non-negligent offences or not having been sentenced to a custodial penalty without suspension thereof; not having been disqualified, temporarily or not, from holding public offices; not having been the subject of precautionary and/or security measures").

3. Data Categories and Processing Operations
Processing shall only concern such judicial data and processing operations as are found to be indispensable, relevant, and not excessive with regard to the specific purpose(s) under the terms set forth in laws and regulations.

4. Data Communication
The Ministry of Justice may communicate the judicial data referred to in section 4(1)e. of the Code to the following entities within the framework of the supervisory and control powers conferred on it by the sector-specific legislation:

- Mediation organisations and training bodies that are private entities with regard to the moral eligibility requirements set forth in section 4(2)c. and section 18(2)b. of ministerial decree no. 180/2010 as for the respective members, associates, managers and representatives;

- Public and private mediation organisations with regard to the moral eligibility requirements set forth in section 4(3)c. of ministerial decree no. 180/2010 as for the mediators included in the respective registers.

5. Data Preservation
Under the terms of the obligations set forth in section 11(1)e. of the Code, judicial data may be kept for as long as provided for by Community laws, legislation and/or secondary legislation and anyhow for no longer than is absolutely necessary to manage mediation activities.

To that end, the authorised entities shall regularly verify that the data are accurate and updated as well as relevant, complete, not excessive and necessary vis-à-vis the purposes to be achieved on a case by case basis. To ensure that the data are absolutely relevant, not excessive, and indispensable vis-à-vis the said purposes, the authorised entities shall specifically assess the relationship between the data and the individual obligations and tasks. Any data that, also on verification, is found to be excessive, irrelevant and/or dispensable may not be used - except for the legally required preservation of the record and/or document containing it.

6. Authorisation Requests
Where a data controller falls under the scope of application of this authorisation, no authorisation request shall have to be lodged with the Italian DPA if the processing to be performed is in line with the foregoing requirements.

Such authorisation requests as may have already been received and those that will be received after the date of adoption of this authorisation shall be considered to be granted under the terms set forth herein.

The Italian DPA shall not consider authorisation requests in respect of processing operations that are not in accordance with the requirements set forth herein, unless such requests are to be granted in pursuance of section 41 of the Code because of highly peculiar circumstances and/or on account of exceptional situations that are not covered by this authorisation.

7. Final Provision
Any and all obligations contained in laws, regulations and/or Community legislation that set forth more restrictive limitations or prohibitions on the processing of personal data shall be left unprejudiced.

The legal ban on disclosing, without just cause, and using, with a view to gain for oneself or others, information that is covered by professional secrecy shall be left unprejudiced as well. This shall also apply to good practice and/or ethical requirements applying to the individual professions.

8. Sunset Provision

This authorisation shall be effective until 31 December 2012¹ subject to such amendments as the Italian DPA may deem appropriate on account of relevant regulatory changes.
This authorisation shall be published in the Official Journal of the Italian Republic.

Done in Rome, this 21st day of the month of April 2011.

THE PRESIDENT
Pizzetti

THE RAPPORTEUR
Pizzetti

THE SECRETARY GENERAL
De Paoli

(1) Effectiveness was extended to 31 December 2012 by a Resolution of the DPA dated 28 June 2012, available here: http://www.garanteprivacy.it/garante/doc.jsp?ID=1908632