European Data Protection Rules

ITALY

 

The Garante per la protezione dei dati personali Website: http://www.garanteprivacy.it/garante/navig/jsp/index.jsp

 

Personal Data Protection Code – Legislative Decree no. 196 dated 30 June 2003: http://www.garanteprivacy.it/garante/document?ID=1219452

 

Code of Conduct Practice Applying to the Processing of Personal Data (2008): http://www.garanteprivacy.it/garante/doc.jsp?ID=1569165

 

What needs to be done prior to collection?

 

CONTACT THE GARANTE

 

Section 37 – Notification of the Processing

 

A data controller shall notify the processing of personal data he/she intends to perform exclusively if said processing concerns –

    1. Genetic information, biometric data, or other data disclosing geographic location of individuals or objects by means of an electronic communications network,
    2. Data disclosing health and sex life where processed for the purposes of assisted reproduction, provision of health care services via electronic network in connection with data banks and/or the supply of goods, epidemiological surveys, diagnosis of mental, infectious and epidemic diseases, seropositivity, organ and tissue transplantation and monitoring of health care expenditure,
    3. Data disclosing sex life and the psychological sphere where processed by not-for-profit associations, bodies or organisations, whether recognised or not, of a political, philosophical, religious or trade-union character,
    4. Data processed with the help of electronic means aimed at profiling the data subject and/or his/her personality, analysing consumption patterns and/or choices, or monitoring use of electronic communication services except for such processing operations as are technically indispensable to deliver said services to users,
    5. Sensitive data stored in data banks for personnel selection purposes on behalf of third parties, as well as sensitive data used for opinion polls, market surveys and other sample based surveys,
    6. Data stored in ad-hoc data banks managed by electronic means in connection with creditworthiness, assets and liabilities, appropriate performance of obligations, and unlawful and/or fraudulent contacts

 

Section 38 – Notification of Mechanisms

 

  1. The notification of processing operations shall have to be submitted to the Garante in advance of the processing and once only, regardless of the number of operations to be performed and the duration of the processing, and may concern one or more processing operations for related purposes
  2. A notification shall only be effective if it is transmitted via the Garante’s website by using the ad-hoc form, which shall contain the request to provide the following information:
    1. Information to identify the data controller and, where appropriate, his/her representative, as well as the arrangements to identify the data processor if the latter has been appointed;
    2. The purpose of the processing;
    3. A description of the category/categories of the data subject and the data or data categories related to the said category/categories of data subject;
    4. The data recipients or the categories of data recipient;
    5. Data transfers to third countries, where envisaged;
    6. A general description that shall allow assessing beforehand whether the measures adopted to ensure security of the processing are adequate

 

 

A new notification shall only have to be submitted either prior to termination of processing operations or in connection with the modification of any items to be specified in the notification

 

Section 39 – Communication Obligations

 

  1. Data controllers shall be required to communicate what follows in advance to the Garante:
    1. That personal data are to be communicated by a public body to another public body in the absence of specific laws or regulations, irrespective of the form taken by such communication and also in case the latter is based on an agreement
    2. That data disclosing health are to be processed in pursuance of the biomedical or health care research programme referred to in s.110 (1)

 

CONTACT THE DATA SUBJECT

 

Section 13 – Information to Data Subjects

 

  1. The data subject as well as any entity from whom or which personal data are collected shall be preliminarily informed, either orally or in writing, as to:
    1. The purposes and modalities of the processing for which the data are intended,
    2. The obligatory or voluntary nature of providing the requested data,
    3. The consequences if he/she fails to reply,
    4. The entities or categories of entity to whom or which the data may be communicated, or who/which may get to know the data in their capacity as data processors or persons in charge of the processing, and the scope of dissemination of said data
    5. The rights as per section 7
    6. The identification data concerning the data controller and, where designated, the data controller’s representatives in the State’s territory pursuant to section 5 and the data processor. If several data processors have been designated by the data controller, at least one among them shall be referred to and either the site on the communications network or the mechanisms for easily accessing the updated list of data processors shall be specified. If a data processor has been designated to provide responses to data subjects in case the rights as per section 7 are exercised, such data processor shall be referred to

 

  2. The information as per paragraph 1 shall also contain the items referred to in specific provisions of this Code and may fail to include certain terms if the latter are already known to the entity providing the data or their knowledge may concretely impair supervisory or control activities carried out by public bodies for purposes related to defence or State Security, or else for the prevention, suppression or detection of offences

 

  3. The Garante may issue a provision to set out simplified information arrangements as regards, in particular, telephone services providing assistance and information to the public

 

  4. Whenever the personal data are not collected from the data subject, the information as per paragraph 1, also including the categories of processed data, shall be provided to the data subject at the time of recording such data or, if their communication is envisaged, no later than when the data are first communicated

 

  5. Paragraph 4 shall not apply –

 

    1. If the data are processed in compliance with an obligation imposed by a law, regulations or Community legislation
    2. If the data are processed either for carrying out the investigations by defence counsel as per Act 397 of 07.12.2000 or to establish or defend a legal claim, provided that the data are processed exclusively for said purposes and for no longer than is necessary thereafter
    3. If the provision of information to the data subject involves an effort that is declared by the Garante to be manifestly disproportionate compared with the right to be protected, in which case the Garante shall lay down suitable measures, if any, or if it proves impossible in the opinion of the Garante 

 

What needs to be done prior to shipping?

 

Section 42 – Data Transfers in the EU

 

The provisions of this Code shall not be applied in such a way as to restrict or prohibit the free movement of personal data among EU Member States, subject to the taking of measures under this Code in case data are transferred in order to escape application of said provisions

 

Section 43 – Permitted Data Transfers to third countries

 

  1. Personal data that are the subject of processing may be transferred from the State’s territory to countries outside the European Union, temporarily or not and in any form and by any means whatsoever,
    1. If the data subject has given his/her consent either expressly, or, where the transfer concerns sensitive information, in writing;
    2. If the transfer is necessary for the performance of obligations resulting from a contract to which the data subject is a party, or to take steps at the data subject's request prior to entering into a contract, or for the conclusion or performance of a contract made in the interest of the data subject
    3. If the transfer is necessary for safeguarding a substantial public interest that is referred to by laws or regulations, or else that is specified in pursuance of Sections 20 and 21 where the transfer concerns sensitive or judicial data
    4. If the transfer is necessary to safeguard a third party’s life or bodily integrity. If this purpose concerns the data subject and the latter cannot give his/her consent because she/he is physically unable to do so, legally incapable or unable to distinguish right and wrong, the consent shall be given by the entity legally representing the data subject, or else by next of kin, a family member, a person cohabiting with the data subject or, failing these, the manager of the institution where the data subject is hosted.
    5. If the transfer is necessary for carrying out the investigations by defence counsel referred to in Act no. 397 of 07.12.2000, or else to establish or defend a legal claim, provided that the data are transferred exclusively for said purposes and for no longer than is necessary therefor, in compliance with the legislation in force applying to business and industrial secrecy
    6. If the transfer is carried out in response to a request for access to administrative records or for information contained in a publicly available register, list, record or document, in compliance with the provisions applying to this subject matter
    7. If the transfer is necessary, pursuant to the relevant codes of conduct referred to in Annex A, exclusively for scientific or statistical purposes, or else exclusively for historical purposes, in connection with private archives that have been declared to be of considerable historical interest under section 6 (2) of legislative decree no. 490 of 29 October 1999, enacted to adopt the consolidated statute on cultural and environmental heritage, or else in connection with other private archives pursuant to the provisions made in said codes
    8. If the processing concerns data relating to legal persons, bodies or associations

 

Section 44 – Other permitted data transfers

 

  1. The transfer of processed personal data to a non-EU Member State shall also be permitted if it is authorised by the Garante on the basis of adequate safeguards for data subjects' rights
    1. As determined by the Garante also in connection with contractual safeguards, or else by means of rules of conduct as in force within the framework of companies all belonging to the same group. A data subject may establish his/her rights in the State’s territory as set forth by this Code also with regard to non-compliance with the aforementioned safeguards
    2. As determined via the decisions referred to in Articles 25 (6) and 26 (4) of Directive 95/46/EC, through which the European Commission may find that a non-EU Member State affords an adequate level of protection, or else that certain contractual clauses afford sufficient safeguards

 

Article 45 – Prohibited data transfers

 

Apart from the cases referred to in Sections 43 and 44, it shall be prohibited to transfer personal data that are the subject of processing from the State’s territory to countries outside the EU, temporarily or not and in any form and by any means whatsoever, if the laws of the country of destination or transit of the data do not ensure an adequate level of protection of individuals. Account shall also be taken of the methods used for the transfer and the envisaged processing operations, the relevant purposes, nature of the data and security measures.

 

What are the sections for non-compliance?

 

Part III – Remedies and Sanctions (see Statute for more detail on Sanctions)

 

Section 161 - Providing no or inadequate information to data subjects

 

Breach of the provisions referred to in section 13 shall be punished by a fine consisting in payment between EUR 6,000 and EUR 35,000. The amount may be increased by up to three times as much if it is found to be ineffective on account of the offender’s economic status.

 

Section 163 – Failure to submit notification or submitting incomplete notification

 

Whoever fails to timely submit the notification required under sections 37 and 38 or provides incomplete information in a notification, in breach of his/her duties, shall be punished by a fine consisting in payment between EUR 20,000 and EUR 120,000

 

Section 164 – Less serious cases and Aggravating circumstances

 

  1. Where any of the above violations is less serious by having regard also to the social and/or business features of the activities at issue, the upper and lower thresholds set forth in the sections shall be reduced by two-fifths thereof.
  2. Where one or more of the provisions above are violated repeatedly, also on different occasions, in connection with especially important and/or large databases, an administrative sanction shall be applied as consisting in payment of a fine ranging from EUR 50,000 to EUR 300,000. Reduction of the applicable fine shall not be allowed
  3. In other, more serious cases, in particular if the prejudicial effects produced on one or more data subjects are more substantial or if the violation concerns several data subjects, the upper and lower thresholds of the applicable fines as per this Chapter shall be doubled.
  4. The fines referred to in this Chapter may be increased by up to four times if they may prove ineffective on account of the offender’s economic status

 

Section 165 – Publication of Provisions by the Garante

 

In the cases referred to in this Chapter, the additional administrative sanction may be applied as consisting in publication of the injunctive order, in whole or in part, in one or more newspapers as specified in the relevant provision. The offender shall be responsible for the said publication and bear the relevant costs.

 

 

 

Please refer to The Garante per la protezione dei dati personali Website for further details on the Statute

 

 
