Authorisation No. 4/2013 Concerning Processing of Sensitive Data by...
Authorisation No. 4/2013 Concerning Processing of Sensitive Data by Self-Employed Professionals 
[doc. web n. 3015931]
Authorisation No. 4/2013 Concerning Processing of Sensitive Data by Self-Employed Professionals
The Garante per la protezione dei dati personali
Having convened today, with the participation of Mr. Antonello Soro, President, Ms. Augusta Iannini, Vice-President, Ms. Giovanna Bianchi Clerici and Prof. Licia Califano, Members, and Mr. Giuseppe Busia, Secretary-General;
Having regard to Legislative Decree no. 196 of 30 June 2003, containing the personal data protection Code (hereinafter, the "Code");
Having regard to, in particular, Section 4(1), letter d), of the abovementioned Code, in which sensitive data are referred to;
Whereas under Section 26(1) of the Code private bodies and profit-seeking public bodies may only process sensitive data upon authorisation by this Authority and, where necessary, after obtaining the data subjects´ written consent, subject to compliance with the conditions and limitations set out in the Code as well as in laws and regulations;
Having regard to Section 26(4), letter c), of the Code, providing that sensitive data may also be processed without the data subject´s consent, subject to the Garante´s authorisation, if the processing is necessary for carrying out the investigations by defence counsel referred to in Act no. 397 dated 07.12.2000, or else to establish or defend a legal claim, provided that the data are processed exclusively for said purposes and for no longer than is necessary therefor, and that the claim at stake is not overridden by the data subject´s claim or else consists in a personal right or another fundamental right or freedom, if the data are suitable for disclosing health and sex life;
Whereas the processing of the data in question may be authorised by the Garante also ex officio by way of general provisions applying to specific categories of controller and/or processing (Section 40 of the Code);
Whereas the general authorisations that have been issued so far have proved to be suitable tools in order to lay down unified safeguards for the benefit of data subjects, and have made it unnecessary for many data controllers to request individual authorisation decrees;
Whereas it is appropriate to grant new authorisations replacing those due to expire on 31 December 2013 by streamlining their provisions in the light of the experience gathered so far;
Whereas it is appropriate for these new authorisations to be also provisional and time-limited in pursuance of Section 41(5) of the Code and, in particular, to be effective for a twelve-month term;
Whereas it is necessary to ensure compliance with principles aimed at minimising the risk of affecting or endangering, through the processing, fundamental rights and freedoms and human dignity, with particular regard to the right to personal data protection set out in Section 1 of the Code;
Whereas a considerable number of processing operations involving sensitive data are carried out by self-employed professionals included in the relevant registers and lists in order to discharge the respective professional tasks;
Having regard to Section 11(2) of the Code, whereby any data that is processed in breach of the relevant provisions applying to personal data processing may not be used;
Having regard to Section 31 and following ones in the Code, and to the Technical Specifications contained in Annex B to the Code, setting out rules and specifications in respect of security measures;
Having regard to Section 41 of the Code;
Having regard to Section 42 et seq. of the Code concerning cross-border data flows;
Having regard to Section 167 of the Code;
Having regard to official records;
Having regard to the considerations made by the Secretary General on behalf of the Office, in pursuance of Section 15 of the Rules of Procedure of the Garante (no. 1/2000);
Acting on the report submitted by Ms. Augusta Iannini;
the processing of sensitive data referred to in Section 4(1), letter d), of the Code by self-employed professionals included in the relevant lists or registers, in compliance with the following requirements.
Prior to starting and/or continuing the processing, information systems and programmes must be configured by minimising the use of either personal data or identification data so as to rule out their processing if the purposes sought in the individual case can be achieved by using, respectively, either anonymous data or mechanisms that allow identifying the data subject only if this is necessary, in accordance with Section 3 of the Code.
1) Scope of Application
This authorisation shall be granted, without any request being necessary, to self-employed professionals who are required to be included in the relevant lists or registers for carrying out professional activities either alone or in association with others, also pursuant to legislative decree no. 96 of 02.02.2001 or the provisions implementing Section 24(2) of Act No. 266 of 17 August 1997 on assistance and advisory activities.
The entities included in the corresponding special lists or registers set up in pursuance of, inter alia, Section 34 of Royal decree-law no. 1578 of 27.11.1933 as subsequently amended and supplemented - concerning regulations for the Bar - shall be regarded as self-employed professionals.
This authorisation shall also be granted to alternates and staff co-operating with a self-employed professional in pursuance of Section 2232 of the Civil Code, as well as to trainees working with a self-employed professional, whenever they are controllers of a separate processing operation or jointly control the processing carried out by the self-employed professional.
This authorisation shall not apply to the processing of sensitive data:
a) that is performed by health care professionals and psychologists, nursing, technical or rehabilitation staff in the health care sector, which are the subject of general authorisation No. 2/2013;
b) that is aimed at managing entities employed by and/or co-operating with the self-employed professional and/or any of the abovementioned entities, which are the subject of general authorisation No. 1/2013;
c) that is performed by private entities carrying out investigational activities and by professional, free-lance and trainee journalists as per Sections 26 and 33 of Act no. 69 of 03.02.63.
2) Data Subjects and Data Categories
Processing may concern the sensitive data related to clients.
Sensitive data concerning third parties may be processed insofar as this is absolutely indispensable to discharge specific professional tasks as requested by clients for specific, legitimate purposes.
At all events, the data must be closely relevant and not excessive with regard to committed tasks that cannot be discharged by processing either anonymous data or personal data of a different kind.
Processing of data suitable for disclosing health or sex life shall be carried out by also complying with the aforementioned general authorisation No. 2/2013.
3) Purposes of the Processing
Sensitive data may only be processed for discharging tasks that fall within the scope of those a self-employed professional is enabled to discharge under the relevant professional regulations, in particular
a) with a view to fulfilling obligations in respect of labour law, social security and assistance and fiscal assistance on behalf of other persons who are either employees or self-employed workers, as per Act no. 12 of 11.01.79 on the activity of occupational consultants;
b) for the performance by defence counsel of the investigations referred to in Act no. 397 of 07.12.2000, also by the agency of alternates and/or technical experts, or else for the establishment or defence of a legal claim also by third parties, including administrative proceedings and arbitration or conciliation proceedings in the cases provided for by Community legislation, laws, regulations or collective agreements. If the data are suitable for disclosing health and sex life, the claim to be established and/or defended must not be overridden by the data subject´s one, or else must consist either in a personal right or in another fundamental, inviolable right or freedom;
c) in order to exercise the right of access to administrative records in compliance with the relevant laws and regulations, subject to Section 60 of the Code as for the data concerning health and sex life.
4) Processing Arrangements
Processing of sensitive data shall only be carried out on the basis of such logic and organisational data arrangements as are absolutely indispensable with regard to the task conferred by a client.
This authorisation shall be without prejudice to the obligations laid down in Sections 11 and 14 of the Code as well as in Section 31 and following ones of the Code and in Annex B thereto.
This authorisation shall be without prejudice to the requirement of informing the data subject as per Section 13, paragraphs 1, 4, and 5, of the Code, also if the data are collected from third parties, and obtaining his/her consent in writing whenever necessary. A lawyer (legal counsel) may provide the said information along with the data he is required to make available pursuant to the legislation on defence investigations, also by posting the relevant notice at the premises of the respective law firm and/or on his own Internet website, where available; the notice may also be worded concisely and in plain language.
If the data are collected either for the establishment of a legal claim or for the investigations by defence counsel (as per point 3), subheading b.), the requirement of informing the data subject with regard to the data collected from a third party and obtaining his/her consent in writing shall only apply if the data are processed either for a longer period than is absolutely necessary for said purposes or else for different purposes that are not incompatible with the former.
The information must enable the data subject to easily understand whether the data controller is a self-employed professional or an association of self-employed professionals, or else whether a number of self-employed professionals act jointly as data controllers or carry out their practice as a partnership in pursuance of legislative decree no. 96 of 02.02.2001.
Nothing in this authorisation shall be construed to prevent a self-employed professional from appointing substitutes, co-operating staff or trainees as processors or persons in charge of the processing; in this case, they shall only have access to the data that are closely relevant to the co-operation requested from them.
The same restriction shall also apply to the persons in charge of the processing who are entrusted with administrative tasks.
5) Data Retention
In compliance with the obligation referred to in Section 11(1), letter e), of the Code, sensitive data may be kept for as long as set out by Community legislation, laws, and regulations, and anyhow for no longer than is absolutely necessary to discharge the tasks that have been entrusted.
To that end it shall be verified, also by way of regular controls, that the data are closely relevant, not excessive, and indispensable with regard to the existing, planned or terminated tasks as also regards the data supplied on the data subject´s initiative. Any data that is found to be either excessive or irrelevant or non indispensable, also based on said verification, may not be used except with a view to keeping – as required by law – the instrument and/or document containing the data in question. Special attention shall be paid to indispensability of the data related to entities other than those that are directly concerned by fulfilment of the abovementioned obligations and/or tasks
The data acquired in connection with tasks already discharged may be retained if they are relevant, not excessive, and indispensable in relation to any subsequent tasks.
6) Data Communication and Dissemination
Sensitive data may be communicated and, if necessary, disseminated to public and private entities exclusively insofar as they are closely relevant to discharge of the relevant task(s), and at all events in compliance with professional secrecy requirements.
Data suitable for disclosing health may only be communicated if this is necessary for the prevention, detection or suppression of criminal offences in compliance with the relevant provisions.
No data relating to health and sex life may be disseminated.
7) Authorisation Requests
No request for authorisation shall have to be lodged with the Garante by a data controller falling within the scope of application of this authorisation, if the proposed processing is in line with the above provisions.
The authorisation requests received prior to and/or after the date of adoption of this provision shall be regarded as granted insofar as they comply with the requirements laid down herein.
No authorisation requests concerning processing operations that are not in line with the provisions set out herein shall be taken into consideration by the Garante, unless they are to be granted under Section 41 of the Code on account of special and/or exceptional circumstances that are not referred to in this authorisation.
8) Final Provisions
Any laws, Community legislation or regulations imposing more restrictive prohibitions or limitations on the processing of personal data are hereby left unprejudiced, in particular as regards Act no. 300 dated 20.05.70, Act no. 135 dated 05.06.90 as amended by Section 178 of the Code, and any provisions against discrimination.
This authorisation shall also be without prejudice to the prohibition to disclose, on no legitimate grounds, or use, with a view to gain for oneself or another, information to which professional secrecy applies; the obligations resulting from professional ethics shall further remain unprejudiced.
This authorisation shall be effective as of 1 January 2014 until 31 December 2014 subject to such amendments as the Garante may decide to make on account of regulatory developments concerning this subject matter.
This authorisation shall be published in the Official Journal of the Italian Republic.
Done in Rome, this 12th day of the month of December 2013.