ITALIAN PERSONAL
DATA PROTECTION CODE
Legislative Decree
no. 196 of 30 June 2003
- OMISSIS -
Section 7
(Right to Access Personal Data and Other Rights)
a) of the source of the
personal data;
b) of the purposes and methods
of the processing;
c) of the logic applied to the
processing, if the latter is carried out with the help of electronic means;
d) of the identification data
concerning data controller, data processors and the representative designated
as per Section 5(2);
e) of the entities or
categories of entity to whom or which the personal data may be communicated and
who or which may get to know said data in their capacity as designated
representative(s) in the State’s territory, data processor(s) or person(s) in
charge of the processing.
a) updating, rectification or,
where interested therein, integration of the data;
b) erasure, anonymization
or blocking of data that have been processed unlawfully, including data whose
retention is unnecessary for the purposes for which they have been collected or
subsequently processed;
c) certification to the effect
that the operations as per letters a) and b) have been notified, as also
related to their contents, to the entities to whom or which the data were
communicated or disseminated, unless this requirement proves impossible or
involves a manifestly disproportionate effort compared with the right that is
to be protected.
a) on legitimate grounds, to
the processing of personal data concerning him/her, even though they are
relevant to the purpose of the collection;
b) to the processing of
personal data concerning him/her, where it is carried out for the purpose of
sending advertising materials or direct selling or else for the performance of
market or commercial communication surveys.
Section 8
(Exercise of Rights)
1. The rights referred to in
Section 7 may be exercised by making a request to the data controller or
processor without formalities, also by the agency of a person in charge of the
processing. A suitable response shall be provided to said request without
delay.
2. The rights referred to in
Section 7 may not be exercised by making a request to the data controller or
processor, or else by lodging a complaint in pursuance of Section 145, if the
personal data are processed:
a) pursuant to the provisions
of decree-law no. 143 of 3 May 1991, as converted, with amendments, into Act
no. 197 of 5 July 1991 and subsequently amended, concerning money laundering;
b) pursuant to the provisions
of decree-law no. 419 of 31 December 1991, as converted, with amendments, into
Act no. 172 of 18 February 1992 and subsequently amended, concerning support
for victims of extortion;
c) by parliamentary Inquiry
Committees set up as per Article 82 of the Constitution;
d) by a public body other than
a profit-seeking public body, where this is expressly required by a law for
purposes exclusively related to currency and financial policy, the system of
payments, control of brokers and credit and financial markets and protection of
their stability;
e) in pursuance of Section
24(1), letter f), as regards the period during which performance of the
investigations by defence counsel or establishment of
the legal claim might be actually and concretely prejudiced;
f) by providers of publicly
available electronic communications services in respect of incoming phone
calls, unless this may be actually and concretely prejudicial to performance of
the investigations by defence counsel as per Act no.
397 of 7 December 2000;
g) for reasons of justice by
judicial authorities at all levels and of all instances as well as by the
Higher Council of the Judiciary or other self-regulatory bodies, or else by the
Ministry of Justice;
h) in pursuance of Section 53,
without prejudice to Act no. 121 of 1 April 1981.
4. Exercise of the rights
referred to in Section 7 may be permitted with regard to data of non-objective
character on condition that it does not concern rectification of or additions
to personal evaluation data in connection with judgments, opinions and other
types of subjective assessment, or else the specification of policies to be
implemented or decision-making activities by the data controller.
Section 9
(Mechanisms to Exercise Rights)
1. The request addressed to the
data controller or processor may also be conveyed by means of a registered
letter, facsimile or e-mail. The Garante may specify
other suitable arrangements with regard to new technological solutions. If the
request is related to exercise of the rights referred to in Section 7(1) and
(2), it may also be made verbally; in this case, it will be written down in
summary fashion by either a person in charge of the processing or the data
processor.
2. The data subject may grant,
in writing, power of attorney or representation to natural persons, bodies,
associations or organisations in connection with
exercise of the rights as per Section 7. The data subject may also be assisted
by a person of his/her choice.
3. The rights as per Section 7,
where related to the personal data concerning a deceased, may be exercised by
any entity that is interested therein or else acts to protect a data subject or
for family-related reasons deserving protection.
4. The data subject’s identity
shall be verified on the basis of suitable information, also by means of
available records or documents or by producing or attaching a copy of an
identity document. The person acting on instructions from the data subject must
produce or attach a copy of either the proxy or the letter of attorney, which
shall have been undersigned by the data subject in the presence of a person in
charge of the processing or else shall bear the data subject's signature and be
produced jointly with a copy of an ID document from the data subject, which
shall not have to be certified true pursuant to law. If the data subject is a
legal person, a body or association, the relevant request shall be made by the
natural person that is legally authorized thereto based on the relevant
regulations or articles of association.
5. The request referred to in
Section 7(1) and (2) may be worded freely without any constraints and may be
renewed at intervals of not less than ninety days, unless there are
well-grounded reasons.
Section 10
(Response to Data Subjects)
1. With a view to effectively
exercising the rights referred to in Section 7, data controllers shall take
suitable measures in order to, in particular,
a) facilitate access to
personal data by the data subjects, even by means of ad hoc software allowing
accurate retrieval of the data concerning individual identified or identifiable
data subjects;
b) simplify the arrangements
and reduce the delay for the responses, also with regard to public relations
departments or offices.
2. The data processor or the
person(s) in charge of the processing shall be responsible for retrieval of the
data, which may be communicated to the requesting party also verbally, or else
displayed by electronic means - on condition that the data are easily
intelligible in such cases also in the light of the nature and amount of the
information. The data shall be reproduced on paper or magnetic media, or else
transmitted via electronic networks, whenever this is requested.
3. The response provided to the
data subject shall include all the personal data concerning him/her that are
processed by the data controller, unless the request concerns either a specific
processing operation or specific personal data or categories of personal data.
If the request is made to a health care professional or health care body,
Section 84(1) shall apply.
4. If data retrieval is
especially difficult, the response to the data subject’s request may also
consist in producing or delivering copy of records and documents containing the
personal data at stake.
5. The right to obtain
communication of the data in intelligible form does not apply to personal data
concerning third parties, unless breaking down the processed data or
eliminating certain items from the latter prevents the data subject’s personal
data from being understandable.
6. Data are communicated in
intelligible form also by using legible handwriting. If codes or abbreviations
are communicated, the criteria for understanding the relevant meanings shall be
made available also by the agency of the persons in charge of the processing.
7. Where it is not confirmed
that personal data concerning the data subject exist, further to a request as
per Section 7(1) and (2), letters a), b) and c), the data subject may be
charged a fee which shall not be in excess of the costs actually incurred for
the inquiries made in the specific case.
8. The fee referred to in
paragraph 7 may not be in excess of the amount specified by the Garante in a generally applicable provision, which may also
refer to a lump sum to be paid in case the data are processed by electronic
means and the response is provided verbally. Through said instrument the Garante may also provide that the fee may be charged if the
personal data are contained on special media whose reproduction is specifically
requested, or else if a considerable effort is required by one or more data
controllers on account of the complexity and/or amount of the requests and
existence of data concerning the data subject can be confirmed.
9. The fee referred to in
paragraphs 7 and 8 may also be paid by bank or postal draft, or else by debit
or credit card, if possible upon receiving the relevant response and anyhow
within fifteen days of said response.
- OMISSIS -