Legislative Decree n. 196 of 06-30-03
Legislative Decree 30 June 2003, n. 196
Code regarding the protection of personal data
(in Ordinary Supplement no. 123 to the Official Gazette, July 29, no. 174)
THE PRESIDENT OF THE REPUBLIC
CONSIDERING articles 76 and 87 of the Constitution;
HAVING REGARD to article 1 of the law of 24 March 2001, n. 127, authorizing the Government to issue a single text on the processing of personal data;
HAVING REGARD to article 26 of the law of 3 February 2003, n. 14, containing provisions for the fulfillment of obligations deriving from Italy's membership of the European Communities (Community law 2002);
HAVING REGARD to the law of 31 December 1996, n. 675, and subsequent modifications;
HAVING REGARD to the law of 31 December 1996, n. 676, delegating to the Government regarding the protection of persons and other subjects with regard to the processing of personal data;
HAVING REGARD TO Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and on the free circulation of data;
HAVING REGARD TO Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 relating to the processing of personal data and the protection of privacy in the electronic communications sector;
HAVING REGARD to the preliminary resolution of the Council of Ministers, adopted in the meeting of 9 May 2003;
HAVING HEARD the Guarantor for the protection of personal data;
HAVING ACQUIRED the opinion of the competent Parliamentary Commissions of the Chamber of Deputies and of the Senate of the Republic;
CONSIDERING the resolution of the Council of Ministers, adopted in the meeting of 27 June 2003;
ON THE PROPOSAL of the President of the Council of Ministers, the Minister for the Public Service and the Minister for Community Policies, in agreement with the Ministers of Justice, Economy and Finance, Foreign Affairs and Communications;
EMANATE
the following legislative decree:
Article 1
(Right to personal data protection)
1. Everyone has the right to the protection of personal data concerning him.
Article 2
(purpose)
1. This consolidated text, hereinafter referred to as the code, guarantees that the processing of personal data is carried out in compliance with fundamental rights and freedoms, as well as the dignity of the interested party, with particular reference to confidentiality, personal identity and the right to the protection of personal data.
2. The processing of personal data is governed by ensuring a high level of protection of the rights and freedoms referred to in paragraph 1 in compliance with the principles of simplification, harmonization and effectiveness of the methods envisaged for their exercise by the interested parties, as well as for the fulfillment of the obligations by the data controllers.
Article 3
(Principle of necessity in data processing)
1. Information systems and computer programs are configured by minimizing the use of personal data and identification data, so as to exclude their treatment when the purposes pursued in individual cases can be achieved through, respectively, anonymous data or appropriate methods which allow the data subject to be identified only if necessary.
Article 4
(Definitions)
1. For the purposes of this code, the following definitions are meant:
a) "treatment", any operation or set of operations, carried out even without the aid of electronic tools, concerning the collection, registration, organization, conservation, consultation, processing, modification, selection, the extraction, comparison, use, interconnection, blocking, communication, dissemination, cancellation and destruction of data, even if not recorded in a database;
b) "personal data", any information relating to a natural person, legal person, entity or association, identified or identifiable, even indirectly, by reference to any other information, including a personal identification number;
c) "identification data", the personal data that allow the direct identification of the data subject;
d) "sensitive data", personal data capable of revealing racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious or philosophical nature , political or trade union, as well as personal data suitable for revealing the state of health and sex life;
e) “judicial data!, personal data capable of disclosing provisions referred to in article 3, paragraph 1, letters a) to o) and r) to u), of Presidential Decree November 14, 2002, n. 313, concerning criminal records, the register of administrative sanctions dependent on crimes and related pending charges, or the quality of defendant or suspect pursuant to articles 60 and 61 of the code of criminal procedure;
f) "owner", the natural person, the legal person, the public administration and any other body, association or body which is responsible, even together with another owner, for decisions regarding the purposes, methods of processing personal data and tools used, including the security profile;
g) "responsible", the natural person, the legal person, the public administration and any other entity, association or body appointed by the owner to process personal data;
h) "persons in charge", the natural persons authorized to carry out processing operations by the owner or manager;
i) "interested party", the natural person, legal person, body or association to which the personal data refer;
l) "communication", the giving knowledge of personal data to one or more specific subjects other than the interested party, the representative of the owner in the territory of the State, the manager and the persons in charge, in any form, including by making them available or consultation;
m) "dissemination", giving knowledge of personal data to unspecified subjects, in any form, including by making them available or consulting them;
n) “anonymous data”, data which originally, or following processing, cannot be associated with an identified or identifiable interested party;
o) "blocking", storage of personal data with temporary suspension of any other processing operation;
p) 'database, any organized complex of personal data, divided into one or more units located in one or more sites;
q) "Guarantor", the authority referred to in article 153, established by law no. 675.
2. For the purposes of this code, the term also means:
a) 'electronic communication, any information exchanged or transmitted between a finite number of subjects via an electronic communication service accessible to the public. Information transmitted to the public via an electronic communications network, as part of a broadcasting service, is excluded, unless the same information is linked to an identified or identifiable receiving subscriber or user;
b) "call", the connection established by a telephone service accessible to the public, which allows two-way communication in real time;
c) “electronic communications networks” means transmission systems, switching or routing equipment and other resources that allow signals to be transmitted via cable, radio, optical fibers or other electromagnetic means, including satellite networks , terrestrial mobile and fixed circuit-switched and packet-switched networks, including the Internet, networks used for the circular broadcasting of sound and television programmes, systems for carrying electric current, insofar as they are used to transmit signals, cable television networks, regardless of the type of information carried;
d) “public communications network” means an electronic communications network used wholly or mainly to provide publicly available electronic communications services;
e) "electronic communications service" means services consisting exclusively or mainly in the transmission of signals on electronic communications networks, including telecommunications services and transmission services in networks used for radio and television broadcasting, within the limits set out in Article 2 , letter c) of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002;
f) "subscriber", any natural person, legal person, body or association party to a contract with a provider of publicly available electronic communications services for the supply of such services, or in any case recipient of such services through prepaid cards;
g) "user", any natural person who uses an electronic communications service accessible to the public, for private or commercial reasons, without necessarily having subscribed to it;
h) "traffic data", any data subjected to processing for the purpose of transmitting a communication over an electronic communications network or for the related billing;
i) “location data” means any data processed in an electronic communications network which indicates the geographical position of the user's terminal equipment of a publicly available electronic communications service;
l) "value-added service", the service which requires the processing of data relating to traffic or data relating to location other than data relating to traffic, in addition to what is necessary for the transmission of a communication or the related billing ;
m) "electronic mail", messages containing texts, voices, sounds or images transmitted through a public communications network, which may be stored on the network or in the receiving terminal equipment, until the recipient has become aware of them.
3. For the purposes of this code, the term also means:
a) 'minimum measures, the set of technical, information technology, organisational, logistical and procedural security measures which configure the minimum level of protection required in relation to the risks envisaged in Article 31;
b) "electronic instruments", computers, computer programs and any electronic or in any case automated device with which the processing is carried out;
c) "IT authentication", the set of electronic tools and procedures for verifying, even indirectly, identity;
d) "authentication credentials", data and devices, in the possession of a person, known by him or uniquely related to him, used for computer authentication;
e) "keyword", component of an authentication credential associated with a person and known to him, consisting of a sequence of characters or other data in electronic form;
f) "authorization profile", the set of information, unequivocally associated with a person, which makes it possible to identify which data they can access, as well as the processing they are permitted to do;
g) "authorization system", the set of tools and procedures that enable access to data and the methods of processing them, according to the authorization profile of the applicant.
4. For the purposes of this code, the following definitions are meant:
a) "historical purposes", the purposes of study, investigation, research and documentation of figures, facts and circumstances of the past;
b) "statistical purposes", the purposes of statistical surveys or the production of statistical results, also by means of statistical information systems;
c) "scientific purposes", the purposes of study and systematic investigation aimed at developing scientific knowledge in a specific sector.
Article 5
(Object and scope of application)
1. This code governs the processing of personal data, also held abroad, carried out by anyone established in the territory of the State or in a place in any case subject to the sovereignty of the State.
2. This code also applies to the processing of personal data carried out by anyone who is established in the territory of a country that does not belong to the European Union and uses, for processing, instruments located in the territory of the State, even other than electronic ones, unless they are used only for the purpose of transit through the territory of the European Union. In the event of application of this code, the data controller designates a representative established in the territory of the State for the purposes of applying the regulations on the processing of personal data.
3. The processing of personal data carried out by natural persons for exclusively personal purposes is subject to the application of this code only if the data are intended for systematic communication or dissemination. In any case, the provisions on responsibility and data security referred to in articles 15 and 31 apply.
Article 6
(Discipline of treatment)
1. The provisions contained in this Part apply to all data processing, except as provided, in relation to some processing, by the supplementary or amending provisions of Part II.
Article 7
(Right of access to personal data and other rights)
1. The interested party has the right to obtain confirmation of the existence or not of personal data concerning him, even if not yet registered, and their communication in an intelligible form.
2. The interested party has the right to obtain the indication:
a) the origin of the personal data;
b) the purposes and methods of processing;
c) of the logic applied in case of treatment carried out with the aid of electronic instruments;
d) of the identification details of the owner, of the managers and of the designated representative pursuant to article 5, paragraph 2;
e) of the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them as designated representative in the territory of the State, managers or agents.
3. The interested party has the right to obtain:
a) updating, rectification or, when interested, integration of data;
b) the cancellation, transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed;
c) the attestation that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except in the case in which this fulfillment is proves impossible or involves the use of means manifestly disproportionate to the protected right.
4. The interested party has the right to object, in whole or in part:
a) for legitimate reasons, to the processing of personal data concerning him, even if pertinent to the purpose of the collection;
b) to the processing of personal data concerning him for the purpose of sending advertising material or direct sales or for carrying out market research or commercial communication.
Article 8
(Exercise of rights)
1. The rights referred to in article 7 are exercised with a request addressed informally to the owner or manager, also through a person in charge, to which a suitable response is provided without delay.
2. The rights referred to in article 7 cannot be exercised with a request to the owner or manager or with an appeal pursuant to article 145, if the processing of personal data is carried out:
a) on the basis of the provisions of the decree-law of 3 May 1991, n. 143, converted, with amendments, by law 5 July 1991, n. 197, and subsequent amendments, on the subject of money laundering;
b) on the basis of the provisions of the decree-law of 31 December 1991, n. 419, converted, with amendments, by law February 18, 1992, n. 172, and subsequent amendments, regarding support for victims of extortion requests;
c) by parliamentary commissions of inquiry set up pursuant to article 82 of the Constitution;
d) by a public entity, other than economic public bodies, on the basis of an express provision of the law, for exclusive purposes relating to monetary and currency policy, the payment system, the control of intermediaries and the credit and financial markets, as well as the protection of their stability;
e) pursuant to article 24, paragraph 1, letter f), limited to the period during which an effective and concrete prejudice could derive for the performance of the defensive investigations or for the exercise of the right in court;
f) from providers of electronic communication services accessible to the public in relation to incoming telephone communications, unless there could be an effective and concrete prejudice for the performance of the defensive investigations referred to in the law of 7 December 2000, n. 397;
g) for reasons of justice, in judicial offices of every order and degree or the Superior Council of the Judiciary or other self-governing bodies or the Ministry of Justice;
h) pursuant to article 53, without prejudice to the provisions of the law of 1 April 1981, n. 121.
3. The Guarantor, also upon notification by the interested party, in the cases referred to in paragraph 2, letters a), b), d), e) and f), shall proceed in the manner referred to in articles 157, 158 and 159 and, in the cases referred to in letters c), g) and h) of the same paragraph, it shall proceed in the manner referred to in article 160.
4. The exercise of the rights referred to in article 7, when it does not concern data of an objective nature, can take place unless it concerns the rectification or integration of personal data of an evaluative nature, relating to judgments, opinions or other appreciations of a subjective nature, as well as an indication of the conduct to be followed or decisions being taken by the data controller.
Article 9
(Exercise Mode)
1. The request addressed to the owner or manager can also be sent by registered letter, fax or e-mail. The Guarantor can identify another suitable system with reference to new technological solutions. When it concerns the exercise of the rights referred to in article 7, paragraphs 1 and 2, the request can also be formulated orally and in this case it is briefly noted by the person in charge or the manager.
2. In exercising the rights referred to in article 7, the interested party may grant, in writing, a proxy or power of attorney to natural persons, bodies, associations or organizations. The interested party can also be assisted by a trusted person.
3. The rights referred to in article 7 referring to personal data concerning deceased persons may be exercised by anyone who has an interest of their own, or acts to protect the data subject or for family reasons worthy of protection.
4. The identity of the interested party is verified on the basis of suitable elements of assessment, also by means of available deeds or documents or by showing or attaching a copy of an identification document. The person acting on behalf of the interested party exhibits or attaches a copy of the power of attorney, or of the proxy signed in the presence of a person in charge or signed and presented together with an unauthenticated photocopy of an identification document of the interested party. If the interested party is a legal person, an entity or an association, the request is made by the natural person entitled on the basis of the respective statutes or regulations.
5. The request referred to in article 7, paragraphs 1 and 2, is formulated freely and without constraints and can be renewed, save for the existence of justified reasons, with an interval of no less than ninety days
Article 10
(Reply to the interested party)
1. To guarantee the effective exercise of the rights referred to in article 7, the data controller is required to adopt suitable measures aimed, in particular:
a) to facilitate access to personal data by the interested party, also through the use of special computer programs aimed at a careful selection of data concerning identified or identifiable individual interested parties;
b) to simplify the methods and reduce the times for replying to the applicant, also in the context of offices or services in charge of relations with the public.
2. The data are extracted by the manager or the persons in charge and can be communicated to the applicant even orally, or offered for viewing by electronic means, provided that in such cases the understanding of the data is easy, also considering the quality and quantity of the information. If requested, the data will be transposed on paper or electronically, or sent electronically.
3. Unless the request refers to a particular treatment or to specific personal data or categories of personal data, the reply to the interested party includes all the personal data concerning the interested party in any case processed by the owner. If the request is addressed to a health professional or to a health organization, the provision of article 84, paragraph 1 is observed.
4. When the extraction of the data is particularly difficult, the response to the request of the interested party can also take place through the exhibition or delivery in copies of deeds and documents containing the requested personal data.
5. The right to obtain communication of data in an intelligible form does not concern personal data relating to third parties, unless the breakdown of the data processed or the deprivation of some elements makes the personal data relating to the interested party incomprehensible.
6. The communication of data is carried out in an intelligible form also through the use of understandable handwriting. In case of communication of codes or acronyms, the parameters for understanding the relative meaning are provided, also through the persons in charge.
7. When, following the request referred to in article 7, paragraphs 1 and 2, letters a), b) and c) the existence of data concerning the interested party is not confirmed, a contribution to expenses not exceeding the costs actually incurred for the research carried out in the specific case.
8. The contribution referred to in paragraph 7 cannot in any case exceed the amount determined by the Guarantor with a provision of a general nature, which can identify it on a flat-rate basis in relation to the case in which the data are processed with electronic instruments and the answer is provided orally. With the same provision, the Guarantor may provide that the contribution can be requested when the personal data appear on a special support whose reproduction is specifically requested, or when, with one or more holders, a considerable use of means is determined in relation to the complexity or entity of the requests and the existence of data concerning the interested party is confirmed.
9. The contribution referred to in paragraphs 7 and 8 is also paid by postal or bank payment, or by payment or credit card, where possible upon receipt of the reply and in any case no later than fifteen days from such reply.
Article 11
(Methods of processing and data requirements)
1. The personal data being processed are:
a) processed lawfully and fairly;
b) collected and recorded for specific, explicit and legitimate purposes, and used in other processing operations in terms compatible with these purposes;
c) accurate and, if necessary, updated;
d) pertinent, complete and not excessive in relation to the purposes for which they are collected or subsequently processed;
e) kept in a form that allows identification of the data subject for a period of time not exceeding that necessary for the purposes for which they were collected or subsequently processed.
2. Personal data processed in violation of the relevant regulations on the processing of personal data cannot be used.
Article 12
(Codes of ethics and good conduct)
1. The Guarantor promotes within the categories concerned, in compliance with the principle of representativeness and taking into account the directive criteria of the recommendations of the Council of Europe on the processing of personal data, the signing of codes of ethics and good conduct for certain sectors, verifies their compliance with the laws and regulations also by examining the observations of interested parties and helps to ensure their dissemination and compliance.
2. The codes are published in the Official Gazette of the Italian Republic by the Guarantor and, by decree of the Minister of Justice, are listed in attachment A) of this code.
3. Compliance with the provisions contained in the codes referred to in paragraph 1 constitutes an essential condition for the lawfulness and correctness of the processing of personal data carried out by private and public entities.
4. The provisions of this article also apply to the code of ethics for the processing of data for journalistic purposes promoted by the Guarantor in the manner referred to in paragraph 1 and in article 139.
Article 13
(Information)
1. The interested party or the person from whom the personal data are collected are previously informed orally or in writing about:
a) the purposes and methods of the processing for which the data are intended;
b) the mandatory or optional nature of the provision of data;
c) the consequences of a possible refusal to answer;
d) the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them as managers or agents, and the scope of diffusion of the same data;
e) the rights referred to in article 7;
f) the identification details of the owner and, if designated, of the representative in the territory of the State pursuant to article 5 and of the person in charge. When the owner has designated several managers, at least one of them is indicated, indicating the site of the communication network or the methods through which the updated list of managers can be easily known. When a manager has been designated for replying to the interested party in the event of exercise of the rights referred to in article 7, this manager is indicated.
2. The information referred to in paragraph 1 also contains the elements envisaged by specific provisions of this code and may not include the elements already known to the person providing the data or the knowledge of which can concretely hinder the completion, by a public entity, of inspection or control functions carried out for purposes of defense or security of the State or for the prevention, detection or repression of crimes.
3. The Guarantor can identify with his own provision simplified procedures for the information provided in particular by telephone assistance and information services to the public.
4. If the personal data are not collected from the interested party, the information referred to in paragraph 1, including the categories of data processed, is given to the interested party when the data is recorded or, when their communication is envisaged , no later than the first communication.
5. The provision referred to in paragraph 4 does not apply when:
a) the data are processed on the basis of an obligation established by law, by a regulation or by community legislation;
b) the data are processed for the purpose of carrying out the defensive investigations pursuant to the law of 7 December 2000, n. 397, or, in any case, to assert or defend a right in court, provided that the data are processed exclusively for these purposes and for the period strictly necessary for their pursuit;
c) the information to the interested party involves the use of means that the Guarantor, prescribing any appropriate measures, declares manifestly disproportionate to the protected right, or proves to be, in the opinion of the Guarantor, impossible.
Article 14
(Definition of profiles and the personality of the data subject)
1. No judicial or administrative act or provision involving an assessment of human behavior can be based solely on an automated processing of personal data aimed at defining the profile or personality of the data subject.
2. The interested party may oppose any other type of determination adopted on the basis of the treatment referred to in paragraph 1, pursuant to article 7, paragraph 4, letter a), unless the determination was adopted on the occasion of the conclusion or the execution of a contract, in acceptance of a proposal from the interested party or on the basis of adequate guarantees identified by this code or by a provision of the Guarantor pursuant to article 17.
Article 15
(Damage caused as a result of the treatment)
1. Whoever causes damage to others as a result of the processing of personal data is required to pay compensation pursuant to article 2050 of the civil code.
2. Non-pecuniary damage is also recoverable in the event of a violation of article 11.
Article 16
(Termination of treatment)
1. In the event of termination, for any reason, of a treatment, the data are:
a) destroyed;
b) transferred to another owner, provided they are intended for treatment in terms compatible with the purposes for which the data are collected;
c) stored for exclusively personal purposes and not intended for systematic communication or dissemination;
d) stored or transferred to another owner, for historical, statistical or scientific purposes, in compliance with the law, regulations, community legislation and the codes of ethics and good conduct signed pursuant to article 12.
2. The transfer of data in violation of the provisions of paragraph 1, letter b), or of other relevant provisions regarding the processing of personal data is ineffective.
Article 17
(Treatment presenting specific risks)
1. The processing of data other than sensitive and judicial data which presents specific risks for fundamental rights and freedoms, as well as for the dignity of the interested party, in relation to the nature of the data or the methods of treatment or the effects it can determine, it is permitted in compliance with measures and expedients to guarantee the interested party, where prescribed.
2. The measures and precautions referred to in paragraph 1 are prescribed by the Guarantor in application of the principles sanctioned by this code, in the context of a preliminary verification at the beginning of the treatment, also carried out in relation to certain categories of data controllers or treatments , also following a request from the owner.
Article 18
(Principles applicable to all processing carried out by public entities)
1. The provisions of this chapter concern all public entities, excluding economic public entities.
2. Any processing of personal data by public entities is permitted only for the performance of institutional functions.
3. In processing the data, the public entity observes the assumptions and limits established by this code, also in relation to the different nature of the data, as well as by the law and regulations.
4. Except as provided for in Part II for health professionals and public health bodies, public entities must not request the consent of the interested party.
5. The provisions of article 25 regarding communication and dissemination are observed.
Article 19
(Principles applicable to the processing of data other than sensitive and judicial data)
1. The processing by a public entity concerning data other than sensitive and judicial data is permitted, without prejudice to the provisions of article 18, paragraph 2, even in the absence of a law or regulation expressly providing for it.
2. Communication by a public entity to other public entities is permitted when it is provided for by a law or regulation. In the absence of this provision, communication is permitted when it is in any case necessary for the performance of institutional functions and can be initiated if the term referred to in article 39, paragraph 2 has expired and the different determination indicated therein has not been adopted.
3. Communication by a public entity to private individuals or to economic public bodies and dissemination by a public entity are permitted only when they are provided for by a law or regulation.
Article 20
(Principles applicable to the processing of sensitive data)
1. The processing of sensitive data by public entities is permitted only if authorized by express provision of the law which specifies the types of data that can be processed and the operations that can be performed and the purposes of relevant public interest pursued.
2. In cases where a legal provision specifies the purpose of significant public interest, but not the types of sensitive data and operations that can be performed, the processing is permitted only with reference to the types of data and operations identified and made public by of the subjects who carry out the processing, in relation to the specific purposes pursued in individual cases and in compliance with the principles referred to in article 22, with a regulatory act adopted in compliance with the opinion expressed by the Guarantor pursuant to article 154, paragraph 1, letter g), also on standard schemes.
3. If the processing is not expressly provided for by a legal provision, public subjects can request the Guarantor to identify the activities, among those entrusted to the same subjects by law, which pursue purposes of significant public interest and for which it is consequently authorized , pursuant to article 26, paragraph 2, the processing of sensitive data. Processing is permitted only if the public entity also identifies and makes public the types of data and operations in the manner referred to in paragraph 2.
4. The identification of the types of data and operations referred to in paragraphs 2 and 3 is periodically updated and integrated.
Article 21
(Principles applicable to the processing of judicial data)
1. The processing of judicial data by public subjects is permitted only if authorized by express provision of the law or provision of the Guarantor which specify the purposes of significant public interest of the processing, the types of data processed and the operations that can be performed.
2. The provisions referred to in article 20, paragraphs 2 and 4, also apply to the processing of judicial data.
Article 22
(Principles applicable to the processing of sensitive and judicial data)
1. The public subjects conform the processing of sensitive and judicial data according to methods aimed at preventing violations of the rights, fundamental freedoms and dignity of the interested party.
2. In providing the information referred to in article 13, public subjects expressly refer to the legislation which provides for the obligations or tasks on the basis of which the processing of sensitive and judicial data is carried out.
3. Public subjects may only process sensitive and judicial data indispensable for carrying out institutional activities which cannot be fulfilled, case by case, by means of the processing of anonymous data or personal data of a different nature.
4. Sensitive and judicial data are usually collected from the interested party.
5. In application of article 11, paragraph 1, letters c), d) and e), public subjects periodically verify the accuracy and updating of sensitive and judicial data, as well as their pertinence, completeness, non-excess and indispensability with respect to the purposes pursued in individual cases, also with reference to the data that the interested party provides on his own initiative. In order to ensure that sensitive and judicial data are indispensable with respect to the obligations and tasks assigned to them, public bodies specifically evaluate the relationship between the data and the obligations. The data which, even following the checks, are found to be excessive or irrelevant or indispensable cannot be used, except for the possible conservation, in accordance with the law, of the deed or document that contains them. Specific attention is paid to verifying the indispensability of sensitive and judicial data referring to subjects other than those to whom the services or obligations directly refer.
6. The sensitive and judicial data contained in lists, registers or databases, kept with the aid of electronic instruments, are treated with encryption techniques or through the use of identification codes or other solutions which, considering the number and the nature of the data processed, make them temporarily unintelligible even to those who are authorized to access them and allow the data subjects to be identified only in case of need.
7. Data suitable for revealing the state of health and sex life are stored separately from other personal data processed for purposes that do not require their use. The same data are treated in the manner referred to in paragraph 6 even when they are kept in lists, registers or databases without the aid of electronic instruments.
8. Data suitable for revealing the state of health cannot be disclosed.
9. With respect to sensitive and indispensable judicial data pursuant to paragraph 3, public subjects are authorized to carry out only the processing operations indispensable for the pursuit of the purposes for which the processing is permitted, even when the data are collected in the performance of supervisory, control or inspection tasks.
10. Sensitive and judicial data cannot be processed in the context of psycho-aptitude tests aimed at defining the profile or personality of the data subject. The operations of comparison between sensitive and judicial data, as well as the processing of sensitive and judicial data pursuant to article 14, are carried out only after written annotation of the reasons.
11. In any case, the operations and treatments referred to in paragraph 10, if carried out using databases of different owners, as well as the dissemination of sensitive and judicial data, are permitted only if provided for by express provision of law.
12. The provisions referred to in this article contain applicable principles, in accordance with the respective regulations, to the treatments governed by the Presidency of the Republic, the Chamber of Deputies, the Senate of the Republic and the Constitutional Court.
Article 23
(Consent)
1. The processing of personal data by private individuals or public economic entities is permitted only with the express consent of the interested party.
2. The consent may concern the entire treatment or one or more operations of the same.
3. Consent is validly given only if it is expressed freely and specifically with reference to a clearly identified treatment, if it is documented in writing, and if the information referred to in article 13 has been provided to the interested party.
4. Consent is expressed in written form when the treatment concerns sensitive data.
Article 24
(Cases in which processing can be carried out without consent)
1. Consent is not required, other than in the cases provided for in Part II, when the treatment:
a) it is necessary to fulfill an obligation established by law, by a regulation or by community legislation;
b) it is necessary to fulfill obligations deriving from a contract of which the interested party is a party or to fulfil, before the conclusion of the contract, specific requests from the interested party;
c) it concerns data from public registers, lists, deeds or documents that can be known by anyone, without prejudice to the limits and methods that the laws, regulations or community legislation establish for the knowledge and publicity of the data;
d) concerns data relating to the performance of economic activities, processed in compliance with current legislation on corporate and industrial secrecy;
e) it is necessary to protect the life or physical integrity of a third party. If the same purpose concerns the interested party and the latter cannot give his consent due to physical impossibility, due to incapacity to act or inability to understand or want, the consent is expressed by the person who legally exercises the authority, or by a neighbor joint, by a family member, by a cohabitant or, in their absence, by the manager of the structure where the person concerned lives. The provision referred to in article 82, paragraph 2 applies;
f) with the exclusion of diffusion, it is necessary for the purpose of carrying out the defensive investigations pursuant to the law of 7 December 2000, n. 397, or, in any case, to assert or defend a right in court, provided that the data are processed exclusively for these purposes and for the period strictly necessary for their pursuit, in compliance with current legislation on corporate and industrial secrecy;
g) with the exclusion of dissemination, it is necessary, in the cases identified by the Guarantor on the basis of the principles established by law, to pursue a legitimate interest of the owner or of a third party recipient of the data, also with reference to the activity of banking groups and companies subsidiaries or affiliates, if the fundamental rights and freedoms, dignity or legitimate interest of the data subject do not prevail;
h) with the exclusion of external communication and dissemination, is carried out by non-profit associations, bodies or organizations, even if not recognized, with reference to subjects who have regular contact with them or to members, for the pursuit of specific purposes and legitimate identified by the deed of incorporation, by the statute or by the collective agreement, and with methods of use expressly provided for with determination made known to the interested parties at the time of the disclosure pursuant to article 13;
i) it is necessary, in accordance with the respective codes of ethics referred to in Annex A), for exclusive scientific or statistical purposes, or for exclusive historical purposes in private archives declared to be of considerable historical interest pursuant to article 6, paragraph 2, of the legislative decree 29 October 1999, n. 490, for the approval of the consolidated act on cultural and environmental assets or, according to the provisions of the same codes, in other private archives.
Article 25
(Communication and dissemination bans)
1. Communication and dissemination are prohibited, as well as in the event of a prohibition ordered by the Guarantor or by the judicial authority:
a) in reference to personal data whose cancellation has been ordered, or when the period of time indicated in article 11, paragraph 1, letter e has elapsed);
b) for purposes other than those indicated in the notification of treatment, where required.
2. The communication or dissemination of data requested, in accordance with the law, by police forces, judicial authorities, information and security bodies or other public entities pursuant to article 58, paragraph 2, is reserved purposes of defense or state security or the prevention, detection or repression of crimes.
Article 26
(Guarantees for sensitive data)
1. Sensitive data may be processed only with the written consent of the interested party and with the prior authorization of the Guarantor, in compliance with the conditions and limits established by this code, as well as by law and regulations.
2. The Guarantor communicates the decision adopted on the request for authorization within forty-five days, after which failure to pronounce is equivalent to rejection. With the authorization provision, or subsequently, also on the basis of any checks, the Guarantor can prescribe measures and expedients to guarantee the interested party, which the data controller is required to adopt.
3. Paragraph 1 does not apply to processing:
a) data relating to members of religious confessions and to subjects who, with reference to purposes of an exclusively religious nature, have regular contact with the same confessions, carried out by the relative bodies, or by civilly recognized bodies, provided that the data are not disseminated or communicated outside the same denominations. The latter determine suitable guarantees in relation to the treatments carried out, in compliance with the principles indicated in this regard with the authorization of the Guarantor;
b) data concerning the membership of associations or organizations of a trade union or category nature to other associations, organizations or confederations of a trade union or category nature.
4. Sensitive data may be processed even without consent, subject to authorization by the Guarantor:
a) when the processing is carried out by non-profit associations, bodies or organizations, even if not recognised, of a political, philosophical, religious or trade union nature, including political parties and movements, for the pursuit of specific and legitimate purposes identified by the deed of incorporation, by the statute or by the collective agreement, in relation to the personal data of the members or of the subjects who, in relation to these purposes, have regular contact with the association, entity or body, provided that the data are not communicated externally or disseminated and the institution, association or body determines suitable guarantees in relation to the treatments carried out, expressly providing for the methods of use of the data with determination made known to the interested parties at the time of the information pursuant to article 13;
b) when the treatment is necessary to protect the life or physical integrity of a third party. If the same purpose concerns the interested party and the latter cannot give his consent due to physical impossibility, inability to act or inability to understand or want, the consent is expressed by the person who legally exercises the authority, or by a neighbor joint, by a family member, by a cohabitant or, in their absence, by the manager of the structure where the person concerned lives. The provision referred to in article 82, paragraph 2 applies;
c) when the treatment is necessary for the purpose of carrying out the defensive investigations pursuant to the law of 7 December 2000, n. 397, or, in any case, to assert or defend a right in court, provided that the data are processed exclusively for these purposes and for the period strictly necessary for their pursuit. If the data are suitable for revealing the state of health and sex life, the right must be of equal rank to that of the interested party, or consisting in a right of the personality or in another right or fundamental and inviolable freedom;
d) when it is necessary to fulfill specific obligations or tasks established by law, by a regulation or by Community legislation for the management of the employment relationship, also in matters of hygiene and safety at work and of the population and of social security and assistance, in the limits established by the authorization and without prejudice to the provisions of the code of ethics and good conduct referred to in article 111.
5. Data suitable for revealing the state of health cannot be disclosed.
Article 27
(Guarantees for judicial data)
1. The processing of judicial data by private individuals or public economic bodies is permitted only if authorized by express provision of law or provision of the Guarantor which specify the relevant purposes of public interest of the processing, the types of data processed and the operations that can be performed .
Article 28
(Data Controller)
1. When the treatment is carried out by a legal person, by a public administration or by any other body, association or body, the data controller is the entity as a whole or the peripheral unit or body which exercises a decision-making power of the entirely independent on the purposes and methods of processing, including the security profile.
Article 29
(Responsible for the treatment)
1. The manager is optionally designated by the owner.
2. If designated, the person in charge is identified among subjects who, by experience, ability and reliability, provide a suitable guarantee of full compliance with the current provisions on the subject of treatment, including the profile relating to security.
3. Where necessary for organizational reasons, several subjects may be designated as managers, also by subdivision of tasks.
4. The tasks entrusted to the manager are analytically specified in writing by the owner.
5. The manager carries out the processing following the instructions given by the owner who, also through periodic checks, supervises the punctual observance of the provisions referred to in paragraph 2 and of his own instructions.
Article 30
(in charge of the treatment)
1. The processing operations can be carried out only by persons in charge who operate under the direct authority of the owner or manager, following the instructions given.
2. The designation is made in writing and punctually identifies the scope of the permitted treatment. The documented preposition of the natural person to a unit for which the scope of treatment permitted to the employees of the same unit is identified in writing is also considered as such.
Article 31
(security obligations)
1. The personal data being processed are kept and controlled, also in relation to the knowledge acquired on the basis of technical progress, the nature of the data and the specific characteristics of the processing, so as to minimize, through the adoption of suitable and preventive security measures, the risks of destruction or loss, even accidental, of the data, unauthorized access or treatment that is not permitted or does not comply with the purposes of the collection.
Article 32
(Particular holders)
1. The provider of an electronic communications service accessible to the public adopts, pursuant to article 31, suitable technical and organizational measures appropriate to the existing risk, to safeguard the security of its services, the integrity of data relating to traffic, data relating to the location and of electronic communications with respect to any form of unauthorized use or knowledge.
2. When the security of the service or of the personal data also requires the adoption of measures concerning the network, the provider of the publicly available electronic communications service shall adopt these measures jointly with the provider of the public communications network. In the event of no agreement, at the request of one of the suppliers, the dispute is defined by the Authority for guarantees in communications according to the procedures established by current legislation.
3. The provider of a publicly available electronic communications service shall inform subscribers and, where possible, users, if there is a particular risk of a breach of network security, indicating, when the risk is outside the scope of the measures that the supplier himself is required to adopt pursuant to paragraphs 1 and 2, all possible remedies and the relative presumed costs. Similar information is provided to the Guarantor and the Communications Regulatory Authority.
Article 33
(minimum sizes)
1. Within the framework of the more general security obligations referred to in article 31, or envisaged by special provisions, the data controllers are in any case required to adopt the minimum measures identified in this chapter or pursuant to article 58, paragraph 3, aimed at ensuring a minimum level of protection of personal data.
Article 34
(Treatments with electronic tools)
1. The processing of personal data carried out with electronic instruments is permitted only if the following minimum measures are adopted, in the manner prescribed by the technical specification contained in attachment B):
a) computer authentication;
b) adoption of authentication credential management procedures;
c) use of an authorization system;
d) periodic updating of the identification of the scope of the treatment permitted to the single appointees and persons in charge of the management or maintenance of electronic tools;
e) protection of electronic tools and data against illicit data processing, unauthorized access and certain IT programs;
f) adoption of procedures for keeping backup copies, restoring the availability of data and systems;
g) maintenance of an updated programmatic document on security;
h) adoption of encryption techniques or identification codes for certain data treatments suitable for revealing the state of health or sexual life carried out by health bodies.
Article 35
(Treatments without the aid of electronic tools)
1. The processing of personal data carried out without the aid of electronic instruments is permitted only if the following minimum measures are adopted, in the manner prescribed by the technical specification contained in attachment B):
a) periodic updating of the identification of the scope of processing permitted to individual persons in charge or to organizational units;
b) provision of procedures for a suitable custody of deeds and documents entrusted to the persons in charge for the performance of the relative duties;
c) provision of procedures for the conservation of certain documents in archives with selected access and regulation of access methods aimed at identifying the persons in charge.
Article 36
(Adjustment)
1. The technical specification referred to in Annex B), relating to the minimum measures referred to in this chapter, is periodically updated by decree of the Minister of Justice in agreement with the Minister for Innovations and Technologies, in relation to the technical evolution and the experience gained in the sector.
Article 37
(Notification of treatment)
1. The holder notifies the Guarantor of the processing of personal data which he intends to proceed, only if the processing concerns:
a) genetic, biometric data or data indicating the geographical position of persons or objects via an electronic communications network;
b) data suitable for revealing the state of health and sexual life, processed for the purpose of assisted procreation, provision of health services by telematic means relating to databases or the supply of goods, epidemiological surveys, detection of mental, infectious and diffusion, seropositivity, organ and tissue transplantation and monitoring of health expenditure;
c) data suitable for revealing sexual life or the psychic sphere processed by non-profit associations, bodies or organizations, even if not recognised, of a political, philosophical, religious or trade union nature;
d) data processed with the aid of electronic tools aimed at defining the profile or personality of the interested party, or at analyzing consumption habits or choices, or at monitoring the use of electronic communication services with the exclusion of processing that is technically essential for provide the same services to users;
e) sensitive data recorded in databases for personnel selection purposes on behalf of third parties, as well as sensitive data used for opinion polls, market research and other sample research;
f) data recorded in special databases managed with electronic tools and relating to the risk of economic solvency, the financial situation, the correct fulfillment of obligations, illicit or fraudulent conduct.
2. The Guarantor can identify other treatments likely to cause prejudice to the rights and freedoms of the interested party, due to the relative methods or the nature of the personal data, with its own provision adopted also pursuant to article 17. With a similar provision published on the Official Gazette of the Italian Republic, the Guarantor can also identify, within the context of the treatments referred to in paragraph 1, any treatments not likely to cause such damage and therefore not subject to the notification obligation.
3. The notification is made with a single deed even when the processing involves the transfer of the data abroad.
4. The Guarantor enters the notifications received in a register of treatments accessible to anyone and determines the methods for its free consultation electronically, also through agreements with public subjects or at his own office. The information accessible by consulting the register can be processed for the exclusive purposes of applying the regulations on the protection of personal data.
Article 38
(Notification Mode)
1. The treatment notification is presented to the Guarantor before the start of the treatment and only once, regardless of the number of operations and the duration of the treatment to be carried out, and may also concern one or more treatments with related purposes.
2. The notification is validly made only if it is transmitted electronically using the form prepared by the Guarantor and observing the instructions given by the latter, also as regards the methods of signing with digital signature and confirming receipt of the notification.
3. The Guarantor favors the availability of the model electronically and the notification also through agreements entered into with subjects authorized on the basis of current legislation, also with trade associations and professional orders.
4. A new notification is required only before the termination of the treatment or the change of some of the elements to be indicated in the notification itself.
5. The Guarantor can identify another suitable system for notification with reference to new technological solutions envisaged by current legislation.
6. The data controller who is not required to notify the Guarantor pursuant to article 37 provides the information contained in the model referred to in paragraph 2 to anyone who requests it, unless the treatment concerns public registers, lists, deeds or documents knowable by anyone.
Article 39
(Notification obligations)
1. The data controller is required to notify the Guarantor in advance of the following circumstances:
a) communication of personal data by a public entity to another public entity not provided for by a law or regulation, carried out in any form including through an agreement;
b) processing of data suitable for revealing the state of health envisaged by the biomedical or health research program referred to in article 110, paragraph 1, first period.
2. The treatments subject to communication pursuant to paragraph 1 can be started after forty-five days from receipt of the communication unless otherwise determined, even later by the Guarantor.
3. The communication referred to in paragraph 1 is sent using the form prepared and made available by the Guarantor, and transmitted to the latter electronically by observing the methods of signing with digital signature and confirmation of receipt referred to in article 38, paragraph 2, or by fax or registered letter.
Article 40
(General permissions)
1. The provisions of this code which require an authorization from the Guarantor are also applied through the release of authorizations relating to certain categories of data controllers or treatments, published in the Official Gazette of the Italian Republic.
Article 41
(Permission Requests)
1. The data controller who falls within the scope of application of an authorization issued pursuant to article 40 is not required to present a request for authorization to the Guarantor if the treatment he intends to carry out complies with the relative provisions.
2. If a request for authorization concerns a treatment authorized pursuant to article 40, the Guarantor may in any case proceed with the request if the specific methods of treatment justify it.
3. Any request for authorization is formulated using exclusively the form prepared and made available by the Guarantor and transmitted to the latter electronically, observing the methods of signing and confirmation of receipt referred to in article 38, paragraph 2. The the same request and the authorization can also be sent by fax or registered letter.
4. If the applicant is invited by the Guarantor to provide information or to produce documents, the term of forty-five days referred to in article 26, paragraph 2, starts from the date of expiry of the term set for the fulfillment requested.
5. In the presence of particular circumstances, the Guarantor can issue a provisional authorization for a fixed period.
Article 42
(Transfers within the European Union)
1. The provisions of this code cannot be applied in such a way as to restrict or prohibit the free circulation of personal data between the Member States of the European Union, without prejudice to the adoption, in accordance with the same code, of any measures in the event of data transfers carried out in order to circumvent the same provisions.
Article 43
(Transfers allowed in third countries)
1. The transfer, even temporary, outside the territory of the State, by any form or means, of personal data being processed, if directed to a country not belonging to the European Union, is permitted when:
a) the interested party has expressed his express consent or, in the case of sensitive data, in writing;
b) it is necessary for the execution of obligations deriving from a contract of which the interested party is a party or to fulfil, before the conclusion of the contract, specific requests of the interested party, or for the conclusion or for the execution of a contract stipulated in favor of the interested party;
c) it is necessary to safeguard a significant public interest identified by law or regulation or, if the transfer concerns sensitive or judicial data, specified or identified pursuant to articles 20 and 21;
d) it is necessary to protect the life or physical integrity of a third party. If the same purpose concerns the interested party and the latter cannot give his consent due to physical impossibility, inability to act or inability to understand or want, the consent is expressed by the person who legally exercises the authority, or by a neighbor joint, by a family member, by a cohabitant or, in their absence, by the manager of the structure where the person concerned lives. The provision referred to in article 82, paragraph 2 applies;
e) it is necessary for the purpose of carrying out the defensive investigations referred to in the law of 7 December 2000, n. 397, or, in any case, to assert or defend a right in court, provided that the data are transferred exclusively for these purposes and for the period strictly necessary for their pursuit, in compliance with current legislation on corporate and industrial secrecy;
f) is carried out in acceptance of a request for access to administrative documents, or a request for information that can be extracted from a public register, list, deed or document that can be known by anyone, in compliance with the rules governing the matter;
g) it is necessary, in accordance with the respective codes of ethics referred to in attachment A), for exclusive scientific or statistical purposes, or for exclusive historical purposes in private archives declared to be of considerable historical interest pursuant to article 6, paragraph 2, of the legislative decree 29 October 1999, n. 490, for the approval of the consolidated act on the subject of cultural and environmental assets or, according to the provisions of the same codes, in other private archives;
h) the processing concerns data relating to legal persons, entities or associations.
Article 44
(Other transfers allowed)
1. The transfer of personal data being processed, directed to a country not belonging to the European Union, is also permitted when it is authorized by the Guarantor on the basis of adequate guarantees for the rights of the interested party:
a) identified by the Guarantor also in relation to guarantees given under a contract;
b) identified with the decisions envisaged by articles 25, paragraph 6, and 26, paragraph 4, of directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, with which the European Commission ascertains that a country does not belonging to the European Union guarantees an adequate level of protection or that certain contractual clauses offer sufficient guarantees.
Article 45
(Transfers prohibited)
1. Except for the cases referred to in articles 43 and 44, the transfer, even temporary, outside the territory of the State, by any form or means, of personal data being processed, directed towards a country that does not belong to the European Union, is prohibited when the regulations of the country of destination or transit of the data do not ensure an adequate level of protection of individuals. The methods of transfer and the envisaged treatments, the related purposes, the nature of the data and the security measures are also evaluated.
Article 46
(Data Controllers)
1. The judicial offices of every order and degree, the Superior Council of the Judiciary, the other self-governing bodies and the Ministry of Justice are the data controllers of the processing of personal data relating to the respective powers conferred by law or regulation.
2. By decree of the Minister of Justice, attachment C) to this code identifies the non-occasional processing referred to in paragraph 1 carried out with electronic instruments, in relation to central databases or databases subject to interconnection between several offices or holders. The provisions with which the Superior Council of the Judiciary and the other self-government bodies referred to in paragraph 1 identify the same treatments they carry out are listed in attachment C) by decree of the Minister of Justice.
Article 47
(Treatments for reasons of justice)
1. In case of processing of personal data carried out at judicial offices of all levels, at the Superior Council of the Judiciary, other self-governing bodies and the Ministry of Justice, they do not apply, if the processing is carried out for reasons of justice , the following provisions of the code:
a) articles 9, 10, 12, 13 and 16, from 18 to 22, 37, 38, paragraphs from 1 to 5, and from 39 to 45;
b) Articles 145 to 151.
2. For the purposes of this code, the processing of personal data directly related to the judicial handling of business and disputes, or which, in the matter of legal and economic treatment of judicial personnel, has a direct impact on the judicial function, as well as inspection activities on judicial offices. The same reasons of justice do not apply to the ordinary administrative-management activity of personnel, means or structures, when the secrecy of acts directly connected to the aforementioned discussion is not compromised.
Article 48
(Databases of judicial offices)
1. In the cases in which the judicial authority of every order and degree can acquire data, information, deeds and documents from public subjects in compliance with the procedural provisions in force, the acquisition can also be carried out electronically. To this end, the judicial offices may make use of the standard agreements stipulated by the Ministry of Justice with public subjects, aimed at facilitating the consultation by the same offices, via electronic communication networks, of public registers, lists, files and databases, in compliance with the pertinent provisions and principles referred to in articles 3 and 11 of this code.
Article 49
(Implementing provisions)
1. By decree of the Minister of Justice, n. 334, the regulatory provisions necessary for the implementation of the principles of this code in criminal and civil matters.
Article 50
(News or images relating to minors)
1. The prohibition pursuant to article 13 of the decree of the President of the Republic of 22 September 1988, n. 448, publication and dissemination by any means of news or images suitable for allowing the identification of a minor is also observed in the case of involvement in any capacity of the minor in judicial proceedings in matters other than criminal.
Article 51
(General principles)
1. Without prejudice to the provisions of the procedural provisions concerning the viewing and release of extracts and copies of deeds and documents, the identification data of the issues pending before the judicial authority of every order and degree are made accessible to anyone who has an interest through electronic communication networks, including the institutional site of the same authority on the Internet.
2. The judgments and other decisions of the judicial authority of every order and degree deposited in the chancellery or secretariat are also made accessible through the information system and the institutional site of the same authority on the Internet, observing the precautions provided for in this chapter.
Article 52
(Identification data of the interested parties)
1. Without prejudice to the provisions of the provisions concerning the drafting and content of sentences and other jurisdictional provisions of the judicial authority of every order and degree, the interested party may request for legitimate reasons, with a request filed in the registry or secretariat of the office which proceeds before the relative degree of judgment has been defined, that an annotation aimed at precluding, in the event of reproduction of the sentence or provision in any form, is affixed by the same chancellery or secretariat on the original of the sentence or provision , for purposes of legal information in legal journals, electronic media or through electronic communication networks, the indication of the personal details and other identification data of the same interested party reported on the sentence or provision.
2. The authority that pronounces the sentence or adopts the provision shall proceed with a decree at the bottom of the request referred to in paragraph 1, without further formalities. The same authority may order ex officio that the annotation referred to in paragraph 1 be affixed, to protect the rights or dignity of the interested parties.
3. In the cases referred to in paragraphs 1 and 2, upon filing the judgment or provision, the chancellery or secretariat affixes and signs, also with a stamp, the following annotation, bearing the indication of the details of this article: 'In case of dissemination, omit the personal details and other identification data of…..'.
4. In the event of dissemination also by third parties of judgments or other measures bearing the annotation referred to in paragraph 2, or of the related legal maxims, the indication of the personal details and other identification data of the interested party is omitted.
5. Without prejudice to the provisions of article 734-bis of the penal code relating to persons offended by acts of sexual violence, anyone who disseminates sentences or other jurisdictional provisions of the judicial authority of any order and degree is required to omit in any case, even in the absence of the annotation referred to in paragraph 2, the personal details, other identification data or other data also relating to third parties from which the identity of minors can be inferred, even indirectly, or of the parties in proceedings concerning family and state relations of people.
6. The provisions referred to in this article also apply in the event of the filing of an award pursuant to article 825 of the code of civil procedure. The party may formulate the request referred to in paragraph 1 to the arbitrators before the award is pronounced and the arbitrators affix the annotation referred to in paragraph 3 to the award, also pursuant to paragraph 2. The arbitration panel set up at the arbitration chamber for the public works pursuant to article 32 of the law of 11 February 1994, n. 109, provides in a similar way in the event of a request from a party.
7. Except for the cases indicated in this article, the diffusion in any form of the content, even integral, of sentences and other jurisdictional provisions is permitted.
Article 53
(Scope of application and data controllers)
1. To the processing of personal data carried out by the Data Processing Center of the Department of Public Security or by police forces on data intended to be transferred to it on the basis of the law, or by public security bodies or other public entities for the purpose of protecting order and of public safety, prevention, detection or repression of crimes, carried out on the basis of an express provision of the law which specifically provides for the treatment, the following provisions of the code do not apply:
a) articles 9, 10, 12, 13 and 16, from 18 to 22, 37, 38, paragraphs from 1 to 5, and from 39 to 45;
b) articles 145 to 151.
2. By decree of the Minister of the Interior, the non-occasional treatments referred to in paragraph 1 carried out with electronic instruments, and the relative owners, are identified in attachment C) to this code.
Article 54
(Methods of processing and data flows)
1. In cases in which the public security authorities or the police forces can acquire data, information, deeds and documents from other subjects in compliance with the provisions of the law or regulations in force, the acquisition can also be carried out electronically. To this end, the bodies or offices concerned may make use of agreements aimed at facilitating consultation by the same bodies or offices, via electronic communication networks, of public registers, lists, files and databases, in compliance with the pertinent provisions and principles referred to in articles 3 and 11. The model agreements are adopted by the Ministry of the Interior, with the approval of the Guarantor, and establish the methods of connections and access also in order to ensure selective access only to the data necessary for pursuit of the purposes referred to in Article 53.
2. The data processed for the purposes referred to in the same article 53 are kept separately from those recorded for administrative purposes which do not require their use.
3. Without prejudice to the provisions of article 11, the Data Processing Center referred to in article 53 ensures periodic updating and the pertinence and non-excess of the personal data processed also through authorized queries of the criminal records and the records of pending charges of the Ministry of Justice referred to in the decree of the President of the Republic November 14, 2002, n. 313, or other databases of police forces, necessary for the purposes referred to in article 53.
4. The police bodies, offices and commands periodically verify the requirements referred to in article 11 with reference to the data processed even without the aid of electronic instruments, and update them also on the basis of the procedures adopted by the Data Processing Center at pursuant to paragraph 3, or, for treatments carried out without the aid of electronic instruments, by means of annotations or additions to the documents that contain them.
Article 55
(Special technologies)
1. The processing of personal data which involves greater risks of harm to the interested party, with particular regard to genetic or biometric data banks, techniques based on location data, data banks based on particular data processing techniques information and the introduction of particular technologies, is carried out in compliance with the measures and precautions to guarantee the interested party prescribed pursuant to article 17 on the basis of prior communication pursuant to article 39.
Article 56
(Protection of the data subject)
1. The provisions referred to in article 10, paragraphs 3, 4 and 5, of the law of 1 April 1981, n. 121, and subsequent amendments, also apply, in addition to the data destined to flow into the Data Processing Center referred to in article 53, to data processed with the aid of electronic instruments by police bodies, offices or commands.
Article 57
(Implementing provisions)
1. By decree of the President of the Republic, following a resolution by the Council of Ministers, on the proposal of the Minister of the Interior, in agreement with the Minister of Justice, the methods of implementation of the principles of this code are identified in relation to the processing of data carried out for the purposes referred to in article 53 by the Data Processing Center and by police bodies, offices or commands, also to supplement and amend the decree of the President of the Republic 3 May 1982, n. 378, and in implementation of Recommendation R (87) 15 of the Council of Europe of 17 September 1987, and subsequent modifications. The methods are identified with particular regard to:
a) the principle according to which the collection of data is correlated to the specific purpose pursued, in relation to the prevention of a concrete danger or the repression of crimes, in particular as regards the treatments carried out for analysis purposes;
b) the periodic updating of the data, also relating to evaluations carried out on the basis of the law, the various methods relating to the data processed without the aid of electronic tools and the methods for making the updates knowable by other bodies and offices to which the data have previously been communicated;
c) the conditions for carrying out processing for temporary needs or connected to particular situations, also for the purpose of verifying the data requirements pursuant to article 11, of identifying the categories of interested parties and of keeping them separate from other data that do not require the their use;
d) the identification of specific data retention terms in relation to the nature of the data or the tools used for their treatment, as well as the typology of the procedures within which they are processed or the provisions are adopted;
e) to the communication to other subjects, even abroad or for the exercise of a right or a legitimate interest, and to their diffusion, where necessary in accordance with the law;
f) the use of particular information processing and research techniques, also through the use of index systems.
Article 58
(Applicable provisions)
1. The treatments carried out by the bodies referred to in articles 3, 4 and 6 of the law of 24 October 1977, n. 801, or on data covered by state secrecy pursuant to article 12 of the same law, the provisions of this code apply only to those provided for in articles 1 to 6, 11, 14, 15, 31, 33, 58, 154, 160 and 169.
2. The provisions of this code apply only to those indicated in paragraph 1, as well as to the provisions of referred to in articles 37, 38 and 163.
3. The security measures relating to the data processed by the bodies referred to in paragraph 1 are established and periodically updated by decree of the President of the Council of Ministers, with observance of the rules governing the matter.
4. By decree of the President of the Council of Ministers, the methods of application of the applicable provisions of this code are identified with reference to the types of data, of interested parties, of processing operations that can be carried out and of persons in charge, also in relation to updating and conservation .
Article 59
(Access to administrative documents)
1. Without prejudice to the provisions of article 60, the conditions, methods and limits for exercising the right of access to administrative documents containing personal data, and the related judicial protection, remain governed by the law of 7 August 1990, n. 241, and subsequent amendments and by the other legal provisions on the matter, as well as by the related implementing regulations, also as regards the types of sensitive and judicial data and the processing operations that can be performed in execution of an access request. The activities aimed at applying this regulation are considered to be of significant public interest.
Article 60
(Data suitable to reveal the state of health and sex life)
1. When the processing concerns data suitable for revealing the state of health or sex life, the processing is permitted if the legally relevant situation that it is intended to protect with the request for access to administrative documents is at least equal in rank to the rights of the interested party i.e. it consists of a personal right or another fundamental and inviolable right or freedom.
Article 61
(Use of public data)
1. Pursuant to article 12, the Guarantor promotes the signing of a code of ethics and good conduct for the processing of personal data from archives, registers, lists, deeds or documents held by public entities, also identifying the cases in which the source of data acquisition must be indicated and providing appropriate guarantees for the association of data from multiple archives, bearing in mind the provisions of Recommendation no. R (91)10 of the Council of Europe in relation to article 11.
2. For the purposes of applying this code, personal data other than sensitive or judicial data, which must be entered in a professional register in accordance with the law or a regulation, may be communicated to public and private subjects or disseminated, pursuant to of article 19, paragraphs 2 and 3, also through electronic communication networks. The existence of provisions which order the suspension or which affect the exercise of the profession can also be mentioned.
3. The professional order or college may, at the request of the person registered in the register who is of interest, integrate the data referred to in paragraph 2 with further pertinent and not excessive data in relation to the professional activity.
4. At the request of the interested party, the professional order or college may also provide third parties with news or information relating, in particular, to special professional qualifications not mentioned in the register, or to the willingness to assume assignments or to receive information material of a scientific nature inherent even at conferences or seminars.
Article 62
(Sensitive and judicial data)
1. Pursuant to articles 20 and 21, the purposes relating to the keeping of civil status deeds and registers, the registry offices of the population residing in Italy and of Italian citizens residing abroad, and the lists are considered to be of significant public interest electoral elections, as well as the issue of identification documents or the change of personal details.
Article 63
(Consultation of documents)
1. The civil status documents conserved in the State Archives can be consulted within the limits established by article 107 of the legislative decree of 29 October 1999, n. 490.
Article 64
(Citizenship, immigration and status of the foreigner)
1. Pursuant to articles 20 and 21, the purposes of applying the legislation on citizenship, immigration, asylum, the condition of foreigners and refugees and the status of refugee are considered to be of significant public interest.
2. In the context of the purposes referred to in paragraph 1, in particular, the processing of essential sensitive and judicial data is permitted:
a) the issuance and renewal of visas, permits, certifications, authorizations and documents, including health documents;
b) the recognition of the right to asylum or refugee status, or the application of temporary protection and other institutes or measures of a humanitarian nature, or the implementation of legal obligations regarding migration policies;
c) in relation to the obligations of employers and workers, reunification, the application of existing rules on education and housing, participation in public life and social integration.
3. This article does not apply to the processing of sensitive and judicial data carried out in execution of the agreements and conventions referred to in article 154, paragraph 2, letters a) and b), or in any case carried out for purposes of defense or state security or for the prevention, detection or repression of crimes, on the basis of an express provision of the law which specifically provides for the processing.
Article 65
(Political rights and publicity of organ activity)
1. Pursuant to articles 20 and 21, the purposes of applying the regulations on the subject of: are considered to be of significant public interest:
a) active and passive electorate and the exercise of other political rights, in compliance with the secrecy of the vote, as well as the exercise of the mandate of the representative bodies or keeping the lists of popular judges;
b) documentation of the institutional activity of public bodies.
2. The processing of sensitive and judicial data for the purposes referred to in paragraph 1 is permitted to perform specific tasks envisaged by laws or regulations including, in particular, those concerning:
a) conducting electoral consultations and verifying their regularity;
b) requests for referendums, the related consultations and the verification of the related regularities;
c) the ascertainment of the causes of ineligibility, incompatibility or forfeiture, or of removal or suspension from public offices, or of suspension or dissolution of bodies;
d) examining reports, petitions, appeals and popular initiative bills, the activity of commissions of inquiry, relations with political groups;
e) the designation and appointment of representatives in commissions, bodies and offices.
3. For the purposes of this article, the dissemination of sensitive and judicial data is permitted for the purposes referred to in paragraph 1, letter a), in particular with regard to the subscription of lists, the presentation of candidatures, positions in organizations or associations policies, institutional positions and elected bodies.
4. For the purposes of this article, in particular, the processing of indispensable sensitive and judicial data is permitted:
a) for the drafting of minutes and reports on the activity of representative assemblies, commissions and other collegiate or assembly bodies;
b) for the exclusive performance of a function of control, political guidance or inspection union and for access to documents recognized by law and by the regulations of the bodies concerned for exclusive purposes directly connected to the performance of an elective mandate.
5. Sensitive and judicial data processed for the purposes referred to in paragraph 1 may be communicated and disseminated in the forms provided for by the respective regulations. In any case, the disclosure of sensitive and judicial data which is not indispensable to ensure compliance with the principle of publicity of institutional activity is not permitted, without prejudice to the prohibition of disclosure of data suitable for revealing the state of health.
Article 66
(Tax and customs matters)
1. Pursuant to articles 20 and 21, the activities of public entities aimed at the application, also through their concessionaires, of the provisions on taxes, in relation to taxpayers, substitutes and managers are considered to be of significant public interest of tax, as well as in the matter of deductions and deductions and for the application of the provisions whose execution is entrusted to the customs.
2. Pursuant to articles 20 and 21, activities aimed at preventing and repressing violations of obligations and adopting the measures envisaged by laws, regulations or community legislation are also considered to be of significant public interest, as well as the control and enforced execution of the exact fulfillment of these obligations, the making of refunds, the allocation of tax quotas, and those aimed at the management and alienation of state-owned properties, the inventory and qualification of properties and the conservation of real estate registers.
Article 67
(Control and inspection activities)
1. The purposes of:
a) verification of the legitimacy, good performance, impartiality of the administrative activity, as well as the compliance of said activity with the requirements of rationality, economy, efficiency and effectiveness for which control functions are, in any case, attributed by law to public subjects , feedback and inspections of other subjects;
b) verification, within the limits of the institutional purposes, with reference to sensitive and judicial data relating to complaints and petitions, or to acts of control or inspection union referred to in article 65, paragraph 4.
Article 68
(Economic benefits and qualifications)
1. Pursuant to articles 20 and 21, the purposes of applying the regulations on the granting, liquidation, modification and revocation of economic benefits, subsidies, donations, other emoluments and qualifications are considered to be of significant public interest.
2. The treatments regulated by this article also include those indispensable in relation to:
a) communications, certifications and information required by anti-mafia legislation;
b) to the donations of contributions envisaged by the legislation on usury and victims of extortion requests;
c) the payment of war pensions or the recognition of benefits in favor of politically persecuted people and prisoners in extermination camps and their relatives;
d) recognition of benefits connected to civil invalidity;
e) the granting of contributions in the field of professional training;
f) the granting of grants, loans, donations and other benefits provided for by law, regulations or community legislation, also in favor of associations, foundations and entities;
g) the recognition of exemptions, concessions or tariff or economic reductions, deductibles, or the issue of licenses, including radio and television licenses, licences, authorizations, registrations and other qualifications provided for by law, by a regulation or by community legislation.
3. Processing may include dissemination only in cases where this is indispensable for the transparency of the activities indicated in this article, in compliance with the law, and for supervisory and control purposes resulting from the activities themselves, without prejudice to the prohibition of dissemination data suitable for revealing the state of health.
Article 69
(Honours, Rewards and Acknowledgments)
1. Pursuant to articles 20 and 21, the purposes of applying the regulations on the conferment of honors and rewards, the recognition of the legal personality of associations, foundations and bodies, including those of worship, the assessment of the requisites of integrity and professionalism for appointments, for the profiles of competence of the public entity, to offices including those of worship and to managerial positions of legal persons, companies and non-state educational institutions, as well as the issue and revocation of authorizations or qualifications, granting sponsorships, sponsorships and representation prizes, membership of honor committees and admission to ceremonies and institutional meetings.
Article 70
(Voluntary work and conscientious objection)
1. Pursuant to articles 20 and 21, the purposes of applying the regulations on relations between public entities and voluntary organizations are considered to be of significant public interest, in particular as regards the provision of contributions aimed at their support, the maintenance of general registers of the same organizations and international cooperation.
2. The purposes of applying the law of 8 July 1998, n. 230, and other provisions of the law on conscientious objection.
Article 71
(Sanctioning and protection activities)
1. The following purposes are considered to be of significant public interest, pursuant to articles 20 and 21:
a) application of the rules on administrative sanctions and appeals;
b) aimed at asserting the right of defense in administrative or judicial proceedings, also by a third party, also pursuant to article 391-quater of the code of criminal procedure, or directly connected to the reparation of a judicial error or in the event of violation of the reasonable time of trial or an unjust restriction of personal liberty.
2. When the treatment concerns data suitable for revealing the state of health or sexual life, the treatment is allowed if the right to be asserted or defended, referred to in letter b) of paragraph 1, is of at least equal rank to that of the interested party, i.e. it consists of a personal right or another fundamental and inviolable right or freedom.
Article 72
(Relationships with religious institutions)
1. Pursuant to articles 20 and 21, the purposes relating to the performance of institutional relations with religious bodies, religious confessions and religious communities are considered to be of significant public interest.
Article 73
(Other administrative and social purposes)
1. The social-welfare purposes, with particular reference to:
a) psycho-social support and training interventions in favor of young people or other subjects who are in conditions of social, economic or family hardship;
b) interventions also of health importance in favor of needy or non-self-sufficient or incapable subjects, including economic or home assistance services, remote assistance, accompaniment and transport;
c) assistance to minors, also in relation to legal proceedings;
d) psycho-social investigations relating to adoption measures, including international ones;
e) supervisory tasks for temporary assignments;
f) supervisory and support initiatives in relation to the stay of nomads;
g) interventions on the subject of architectural barriers.
2. The following purposes are also considered to be of significant public interest, pursuant to articles 20 and 21, in the context of the activities that the law assigns to a public entity:
a) management of nursery schools;
b) concerning the management of school canteens or the supply of subsidies, contributions and teaching materials;
c) recreational or promotion of culture and sport, with particular reference to the organization of stays, exhibitions, conferences and sporting events or the use of real estate or the occupation of public land;
d) assignment of public residential housing;
e) relating to military service;
f) administrative and local police, except for the provisions of article 53, with particular reference to hygiene services, mortuary police and controls on the subject of the environment, protection of water resources and soil protection;
g) public relations offices;
h) in matters of civil protection;
i) support for placement and job start-up, in particular by local initiative centers for employment and job desks;
l) regional and local ombudsmen.
Article 74
(Signs on vehicles and entrances to historical centres)
1. The permits issued for any reason for the circulation and parking of vehicles serving disabled people, or for transit and parking in restricted traffic areas, and which must be displayed on vehicles, contain only the data indispensable for identifying the authorization issued and without the affixing of symbols or wordings from which the special nature of the authorization can be deduced by effect of the sole vision of the mark.
2. The personal details and address of the natural person concerned are shown on the stamps in a manner which likewise does not allow their direct visibility except in the case of a request for exhibition or need for verification.
3. The provision referred to in paragraph 2 also applies in the event of an obligation for any reason to display a copy of the vehicle registration certificate or other document on vehicles.
4. For the treatment of data collected by systems for detecting vehicle access to historic centers and restricted traffic areas, the provisions of the decree of the President of the Republic of 22 June 1999, n. 250.
Article 75
(scope of application)
1. This title regulates the processing of personal data in the health sector.