Privireal: Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Italy - Data Protection

History of Data Protection in ITALY

In 1981, Italy ratified the Council of Europe Convention No. 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data. However, it was not until the passing of Act No. 675 of 31 December 1996 that Italy managed to fulfil its international obligations in this regard.

Act No. 675 of 31 December 1996 also transposed Directive 95/46/EC into Italian law. This Act, however, provided only the general regulatory framework that applied to data protection, and was supplemented by a number of later acts. The Italian Data Protection Code, which entered into force on 1 January 2004, brought together all the laws and regulations that previously governed data protection.

Summary of Data Protection in ITALY

Title of Data Protection Legislation: Italian Personal Data Protection Code (Legislative Decree no. 196 of 30 June 2003)
Name of supervisory authority: Italian Data Protection Commission
General Powers of supervisory authority: The Commission's legal basis is in Section 153 of the 2003 law. Section 154(1) outlines the tasks of the Commission. Among the most important are:
"a) verifying whether data processing operations are carried out in compliance with laws and regulations in force as well as with the relevant notification, also in case of termination of processing operations;
b) receiving reports and complaints, and taking steps as appropriate with regard to the complaints lodged by other data subjects or the associations representing them;
c) ordering data controllers or processors, also ex officio, to adopt such measures as are necessary or appropriate for the processing to comply with the provisions in force as per Section 143;
d) prohibiting, also ex officio, unlawful or unfair data processing operations, in whole or in part, or blocking such processing operations[…]
h) raising public awareness of the legislation applying to personal data processing and the relevant purposes as well as of the data security measures".
Who has standing to notify the supervisory authority of breaches? Data subjects and associations representing them.
What are the penalties for data controllers if they breach the law? Punishments are not expressly detailed in the 2003 law, but according to the previous data protection law, Act No. 675 of 1996 (Articles 36-39), fines can be imposed on the data controller, and there is also the risk of imprisonment. In addition, the judgments in cases can be published in the press.
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? Section 91 of the 2003 Act deals with data processed by means of cards. It states that "Processing in whatever form of data disclosing health and sex life that are stored on cards, including non-electronic cards and the national services card, or that are processed by means of said cards, shall only be allowed if it is necessary under the terms of Section 3 in compliance with measures and precautions laid down by the Garante as per Section 17". The national services card is not a national ID number carrier, but this provision could well be extended if one is introduced.
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it.
Does the Data Protection Legislation cover the deceased? Rights may be exercised by any person having an interest in them, so a deceased person's data is covered. On this basis, relatives of the deceased can access the deceased's data.
Who is able to indirectly identify the data subject? Anybody

Laws and Regulations

Institutions