What Needs to be Done Prior to Collection

Contact the data subject

Contact the Garante

Section 13

1. The data subject as well as any entity from whom or which personal data is collected shall be preliminarily informed, either orally or in writing, as to:

a) the purposes and modalities of the processing for which the data is intended;

b) the obligatory or voluntary nature of providing the requested data;

c) the consequences if (s)he fails to reply;

d) the entities or categories of entity to whom or which the data may be communicated, or who/which may get to know the data in their capacity as data processors or persons in charge of the processing, and the scope of dissemination of said data;

e) the rights as per Section 7;

f) the identification data concerning the data controller and, where designated, the data controller's representative in the State's territory pursuant to Section 5 and the data processor. If several data processors have been designated by the data controller, at least one among them shall be referred to and either the site on the communications network or the mechanisms for easily accessing the updated list of data processors shall be specified. If a data processor has been designated to provide responses to data subjects in case the rights as per Section 7 are exercised, such data processor shall be referred to.

2. The information as per paragraph 1 shall also contain the items referred to in specific provisions of this Code and may fail to include certain items if the latter are already known to the entity providing the data or their knowledge may concretely impair supervisory or control activities carried out by public bodies for purposes related to defence or State security, or else for the prevention, suppression or detection of offences.

3. The Garante may issue a provision to set out simplified information arrangements as regards, in particular, telephone services providing assistance and information to the public.

4. Whenever the personal data is not collected from the data subject, the information as per paragraph 1, also including the categories of processed data, shall be provided to the data subject at the time of recording such data or, if its communication is envisaged, no later than when the data is first communicated.

5. Paragraph 4 shall not apply

a) if the data are processed in compliance with an obligation imposed by a law, regulations or Community legislation;

b) if the data is processed either for carrying out the investigations by defence counsel as per Act no. 397 of 07.12.2000 or to establish or defend a legal claim, provided that the data are processed exclusively for said purposes and for no longer than is necessary therefore;

c) if the provision of information to the data subject involves an effort that is declared by the Garante to be manifestly disproportionate compared with the right to be protected, in which case the Garante shall lay down suitable measures, if any, or if it proves impossible in the opinion of the Garante.

Contact the Garante

37 Notification of the Processing

1. A data controller shall notify the processing of personal data he/she intends to perform exclusively if said processing concerns:

a) genetic data, biometric data, or other data disclosing geographic location of individuals or objects by means of an electronic communications network,

b) data disclosing health and sex life where processed for the purposes of assisted

reproduction, provision of health care services via electronic networks in connection with data banks and/or the supply of goods, epidemiological surveys, diagnosis of mental, infectious and epidemic diseases, seropositivity, organ and tissue transplantation and monitoring of health care expenditure,

c) data disclosing sex life and the psychological sphere where processed by not-for-profit associations, bodies or organizations, whether recognised or not, of a political, philosophical, religious or trade-union character,

d) data processed with the help of electronic means aimed at profiling the data subject and/or his/her personality, analysing consumption patterns and/or choices, or monitoring use of electronic communications services except for such processing operations as are technically indispensable to deliver said services to users,

e) sensitive data stored in data banks for personnel selection purposes on behalf of third parties, as well as sensitive data used for opinion polls, market surveys and other sample-based surveys,

f) data stored in ad-hoc data banks managed by electronic means in connection with creditworthiness, assets and liabilities, appropriate performance of obligations, and unlawful and/or fraudulent conduct.

38 Notification Mechanisms

1. The notification of processing operations shall have to be submitted to the Garante in advance of the processing and once only, regardless of the number of operations to be performed and the duration of the processing, and may concern one or more processing operations for related purposes.

2. A notification shall only be effective if it is transmitted via electronic networks by using the form made available by the Garante and following the latter's instructions, also with regard to the arrangements applying to digital signature and receipt confirmation.

39 Communication Obligations

1. Data controllers shall be required to communicate the following in advance to the Garante:

a) that personal data is to be communicated by a public body to another public body in the absence of specific laws or regulations, irrespective of the form taken by such communication and also in case the latter is based on an agreement,

b) that data disclosing health is to be processed in pursuance of the biomedical or health care research programme referred to in Section 110(1), first sentence.