Legislative Decree No. 196 dated 30 June 2003
Official Gazette of the Italian Republic 29 July 2003, No. 174 – Ordinary Supplement, No. 123
Personal Data Protection Code. [Privacy Code
Right to Access Personal Data and Other Rights
1. A data subject has the right to obtain confirmation as to whether or not personal data concerning him/her exist, regardless of their being already recorded, and communication of such data in intelligible form.
2. A data subject shall have the right to be informed
a) of the source of the personal data;
b) of the purposes and methods of data processing;
c) of the logic applied to the processing, if the latter is carried out using electronic means;
d) of the identification data concerning the data controller, data processors and representative designated as per Section 5 (2);
e) of the entities or categories of entity to whom or which the personal data may be communicated and who or which may get to know said data in their capacity as designated representative (s) in the State’s territory, data processor(s) or person (s) in charge of the processing.
3. A data subject shall have the right to obtain:
a) updating, correction or, where interested therein, integration of the data;
b) erasure, anonymization, or blocking of data that have been processed unlawfully, including data whose retention is unnecessary for the purposes for which the data have been collected or subsequently processed;
c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected.
4. A data subject shall have the right to object, in whole or in part
a) on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection;
b) to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for market or commercial communication surveys.
Exercise of Rights
1. The rights referred to in Section 7 may be exercised by making a request to the data controller or processor without formalities, also by the agency of a person in charge of the processing. A suitable response to said request shall be provided without delay.
2. The rights referred to in Section 7 may not be exercised by making a request to the data processor or controller, or else by lodging a complaint pursuant to Section 145, if the personal data are processed:
a) pursuant to the provisions of decree-law No. 143 of 3 May 1991, as converted, with amendments, into Act No. 197 of 5 July 1991, and subsequently amended, concerning money laundering;
b) pursuant to the provisions of decree-law No. 419 of 31 December 1991, as converted, with amendments, into Act. No. 172 of 18 February 1992, and subsequently amended, concerning support for victims of extortion;
c) by parliamentary Inquiry Committees set up as per Article 82 of the Constitution;
d) by a public body other than profit-seeking public body, where this is expressly required by law for purposes exclusively related to currency and financial policy, the system of payments, control of brokers and credit and financial markets and the protection of their stability;
e) pursuant to Section 24(1), letter f), as regards the period during which performance of investigations by defense counsel or establishment of the legal claim might be actually or concretely prejudiced;
f) by providers of publicly available electronic communications services in respect of incoming phone calls, unless this may be actually and concretely prejudicial to performance of the investigations by defense counsel as per Act. No. 397 of 7 December 2000;
g) for reasons of justice by judicial authorities at all levels and of all instances as well as by the Higher Council of the Judiciary or other self-regulatory bodies, or else by the Ministry of Justice;
h) pursuant to Section 53, without prejudice to Act. No. 121 of 1 April 1981.
3. In the cases referred to in paragraph 2, letters a), b), d), e) and f), the Italian Data Protection Authority, also following a report submitted by the data subject, shall act as per Sections 157,158 and 159; in the cases referred to in letters c), g) and h) of said paragraph, the Italian Data Protection Authority shall act as per Section 160.
4. Exercise of the rights referred to in Section 7 may be permitted with regard to data of non-objective character on condition that it does not concern rectification of or additions to personal evaluation data in connection with judgments, opinions, and other types of subjective assessment, or else the specification of policies to be implemented or decision-making activities by the data controller.
Processing Arrangements and Data Quality
1. Personal data undergoing processing shall be:
a) processed lawfully and fairly;
b) collected and recorded for specific, explicit and legitimate purposes, and used in further processing operations in a way that is not inconsistent with said purposes;
c) accurate and, when necessary, kept up to date;
d) relevant, complete and non excessive in relation to the purposes for which they are collected or subsequently processed;
e) kept in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the data were collected or subsequently processed.
2. Any personal data that is processed in breach of the relevant provisions concerning the processing of personal data may not be used.
Information to Data Subjects
1. The data subject as well as any entity from whom or which personal data are collected shall be preliminarily informed, either orally or in writing, as to:
a) the purposes and processing methods for which the data are intended;
b) the mandatory or voluntary nature of providing the requested data;
c) the consequences if (s)he fails to reply;
d) the entities or categories of entity to whom or which the data may be communicated, or who/which may get to know the data in their capacity as data processors or persons in charge of the processing, and the scope of dissemination of said data;
e) the rights as per Section 7;
f) the identification data concerning the data controller and, where designated, the data controller’s representative in the State’s territory pursuant to Section 5 and the data processor. If several data processors have been designated by the data controller, at least one among them shall be referred to and either the site on the communications network or the procedures for easily accessing the updated list of data processors shall be specified. If a data processor has been designated to provide responses to data subjects in the event the rights as per Section 7 are exercised, such data processor shall be referred to.
2. The information as per paragraph 1 shall also contain the items referred to in specific provisions of this Code and may fail to include certain items if the latter are already known to the entity providing the data or their knowledge may concretely impair supervisory or control activities carried out by public bodies for purposes related to defense or State security, or else for the prevention, suppression or detection of offences.
3. The Italian Data Protection Authority may issue a provision to set out simplified information arrangements as regards, in particular, telephone services providing assistance and information to the public.
4. Whenever the personal data are not collected from the data subject, the information as per paragraph 1, also including the categories of processed data, shall be provided to the data subject at the time of recording such data or, if their communication is envisaged, no later than when the data are first communicated.
5. Paragraph 4 shall not apply
a) if the data are processed in compliance with an obligation imposed by law, regulations or Community legislation;
b) if the data are processed either for carrying out the investigations by defense counsel as per Act No. 397 of 7 December 2000, or to establish or defend a legal claim, provided that the data are processed exclusively for said purposes and for no longer than is necessary therefor; c) if the provision of information to the data subject involves an effort that is declared by the Italian Data Protection Authority to be manifestly disproportionate compared with the right to be protected, in which case the Italian Data Protection Authority shall establish suitable measures, if any, or if it proves impossible in the opinion of the Italian Data Protection Authority.
5-bis. The information as per paragraph 1 shall not be necessary in case résumés are received that are sent voluntarily by the relevant data subjects with a view to recruitment for job positions. When first contacting a data subject that has sent his/her résumé, the data controller shall be required to provide such data subject, also verbally, with a short information notice that shall include at least the items mentioned in paragraph 1, letters a), d) and f).
Termination of Processing Operations
1. Should data processing be terminated, for whatever reason, the data shall be
b) assigned to another data controller, provided they are intended for processing under terms that are compatible with the purposes for which the data have been collected;
c) kept for exclusively personal purposes, without being intended for systematic communication or dissemination;
d) kept or assigned to another controller, for historical, scientific or statistical purposes, in compliance with laws, regulations, Community legislation and the codes of conduct and professional practice adopted pursuant to Section 12.
2. Assignment of data in breach either of paragraph 1, letter b), or of other relevant provisions applying to the processing of personal data shall be void.