Warning to readers:

 

This is an unofficial translation of the Italian Data Protection Act with the name: LEGGE 31 dicembre 1996, n. 675. - Tutela delle persone e di altri soggetti rispetto al trattamento dei dati personali. For the authoritative text of the Act, reference should be made to the Italian Official Journal (Supplemento ordinario alla "Gazzetta Ufficiale" n. 5 dell'8 gennaio 1997 - Serie generale, published on January 8th, 1997). Cross-references have been inserted for the convenience of users and have no legal significance.

Translation Copyright Š 1997 Luca Parisi (mc1980@mclink.it).


LAW n. 675 of December 31st, 1996

 

On the protection of individuals and other subjects with regard to the processing of personal data.

The Camera dei deputati and the Senato della Repubblica have approved;

THE PRESIDENT OF THE REPUBLIC

Enacts

the following law:

PART I
GENERAL PRINCIPLES

Article 1.
(Object of the law and definitions)

1. The present law ensures that the processing of personal data is carried on while respecting the fundamental rights and freedoms and the dignity of natural persons, with special regard to their right to privacy and personal identity; it ensures also that the rights of legal persons and any other body or association are respected.

2. For the purposes of the present law, the following terms shall be defined:

 

Article 2.
(Scope)

1. This law shall apply to the processing of personal data which takes place on the State's territory, regardless of the processor.

Article 3.
(Data processing in the course of a purely personal activity)

1. The processing of personal data by a natural person in the course of a purely personal activity shall not be subject to the provisions of this law, provided that the personal data are not intended to be systematically disclosed or to be disseminated.

2. With regard to the data processing described in Paragraph 1, the data security provisions described in Article 15 and the provisions described in Articles 18 and 36 shall always apply.

Article 4.
(Special data processing related to the government activity)

1. The present law shall not apply to the processing of personal data carried on:

 

2. With respect to the data processing described in Paragraph 1, the provisions of Articles 9, 15, 17, 18, 31, 32 Paragraphs 6 and 7, and 36 shall always be applicable, as well as the provisions of Articles 7 and 34, from which only the data processing described in Paragraph 1, Letter b) shall be exempted;

Article 5.
(Processing of data performed without electronic means)

1. The processing of personal data which is not performed by electronic or otherwise automatic means shall be subject to the same provisions applicable to processing performed with those means.

Article 6.
(Processing of data situated abroad)

1. The processing within the territory of the State of personal data situated abroad shall be subject to the provisions of this law.

2. If the processing described in Paragraph 1 involves the transfer of personal data out of the State's territory the provisions of Article 28 shall always apply.

 

PART II
OBLIGATIONS FOR THE DATA CONTROLLER

Article 7.
(Notification)

1. A controller who wishes to perform a processing of personal data which falls within the scope of the present law shall notify the Supervisory Authority of his intention.

2. A single notification shall be submitted before the processing begins, by certified mail or any other means suitable to certify its receipt, regardless of the number of operations to be performed, or of the length of the data processing itself, for any number of processing with related purposes. A new notification is required only when any of the items specified in Paragraph 4 changes, and shall be submitted before the change takes place.

3. The notification shall be signed by both the person submitting the notification and the data processor.

4. The notification shall include:

 

5. The subjects that are bound by the law to be listed in the Register of corporations described in Article 2188 of the Civil Code, and those subjects that are obliged to submit the information described in Article 8, Paragraph 8 Letter d) of Law n. 580 of December 29th, 1993 to the Chambers of commerce, industry, crafts and agriculture may submit the notification by means of those organizations, according to procedures laid down the Regulation described in Article 33, Paragraph 3. Small businesses and craftsmen may submit the notification by means of the respective trade associations; members of a professional order, by means of the respective professional association. In all of this situations, the provision of Paragraph 3 shall always apply.

Article 8.
(Data processor)

1. The data processor, if one is designated, shall be chosen between subjects who, by virtue of their experience, skills and trustworthiness, provide sufficient guarantees of complying fully with all the provisions applicable to the data processing, including those related to data security issues.

2. The processor shall perform the data processing according to the instructions received by the controller. The controller shall ensure at all times the strictest compliance with measures described in Paragraph 1 and with his instructions, and may do periodical verifications to this purpose.

3. If necessary for organizational reasons, more than a data processor may be designated. This can be done also to differentiate between the specific duties of the processors.

4. The duties of the data processor shall be extensively specified in writing.

5. Operators in charge of data processing shall act on the personal data to which they have access only according to the instructions of the data controller or data processor.

 

 

PART III
PROCESSING OF PERSONAL DATA

Section I
DATA COLLECTION AND DATA QUALITY

Article 9.
(Data collection procedures and data quality)

1. Personal data that are subject to data processing shall be:

 

Article 10.
(Information to be given while collecting the data)

1. The data subject or other person from whom the personal data are collected shall be given, prior to the collection and in writing, the following information:

 

2. Some or all of the information described in Paragraph 1 may be omitted when it is already known to the subject from whom the data are collected, or when its knowledge would harm inspection and control activities carried on in the exercise of official authority for the purposes described in Article 4, Paragraph 1, Letter e) and Article 14, Paragraph 1, Letter d).

3. Where the data have not been obtained from the data subject, the information described in Paragraph 1 shall be provided to the data subject at the time of undertaking the recording of the personal data or, if a disclosure is intended, no later than the time when the data are first disclosed.

4. The provision of Paragraph 3 shall not apply when providing the information to the data subject would require an effort declared by the Supervisory Authority as clearly disproportionate with respect to the protected right or, in the Supervisory Authority's judgement, impossible, nor when the processing is required under an obligation by national or Community laws or regulations. Furthermore, said provision shall not apply to data processing related to the investigations described in Article 38 of the implementation, co-ordination and temporary rules of the Penal Procedure Code, enacted by Decreto Legislativo n. 271 of July, 28th, 1989 (amended), or when necessary for the establishment, exercise or defence of legal claims in court, provided that the data are processed only in relation with that purpose and for no longer than is necessary.

Section II
DATA SUBJECT'S RIGHTS

Article 11
(Consent)

1. The processing of personal data by private citizens or government-owned businesses is allowed only if the data subject has explicitly given his consent.

2. The consent may be given to the process as a whole or to any or all the operations of the data processing.

3. The consent shall be lawfully given only when freely and specifically expressed in writing, and the information described in Article 10 has been given to the data subject.

Article 12.
(Exemptions of consent)

1. The consent is not required when the data processing:

 

Article 13.
(Data subject's rights)

1. With respect to the processing of personal data, the data subject shall have the right:

 

2. For each of the requests described in Paragraph 1, Letter c) Number 1), a fee may be requested to the data subject if no data related to him are being processed. This fee may not exceed the costs that have been actually incurred into, following the procedures and within the limits laid down in the Regulation described in Article 33, Paragraph 3.

3. The rights described in Paragraph 1 with regards to personal data related to deceased people may be exercised by anybody with a legitimate interest.

4. The data subject may grant power of attorney or delegate, in writing, a natural people or association to exercise the rights specified in Paragraph 1.

5. The rules of professional secrecy of journalists shall not be modified, with regards only to the source of the information.

Article 14.
(Limitations of the data subject's rights)

1. The rights described in Article 13, Paragraph 1 Letters c) and d) may not be exercised with regards to the processing of personal data collected:

 

2. In all the situations described in Paragraph 1, the Supervisory Authority shall exercise its powers of control according to the procedures described in Article 32, Paragraphs 6 and 7, indicate the required modifications and integrations, and verify that they are complied with. Claims to this effect may be submitted to the Supervisory Authority by the data subject according to the procedure described in Article 31, Paragraph 1 Letter d).

Section III
DATA PROCESSING SECURITY, LIMITS TO THE USE OF PERSONAL DATA AND LIABILITY

Article 15.
(Data security)

1. Personal data that are subject to data processing shall be kept under custody and controlled in such a way as to minimize the risks of their destruction or loss, even accidental, of unauthorized access, unlawful processing or processing for other purposes than those for which the data were collected, by means of appropriate precautionary security measures, having regard to the state of the art, the nature of the data to be protected and the peculiarities of the data processing itself.

2. The minimal precautionary security measures shall be further described in a Regulation which will be enacted by a Decree of the President of the Republic according to the procedures in Article 17, Paragraph 1 Letter a) of Law n. 400 of August, 23rd, 1988, within one-hundred and eighty days from the day in which the present law comes into force. The Regulation shall be submitted to the President by the Minister of Justice, after hearing the Authority for information technology in the public agencies and the Supervisory Authority.

3. The security measures described in Paragraph 2 shall be updated, with regard to the technical advances and acquired experience, within two years from the day in which the present law comes into force, and after that at least every two years, with further Regulations enacted with the procedure described in Paragraph 2.

4. The security measures for the processing of personal data carried on by the agencies specified in Article 4, Paragraph 1 Letter b) shall be enacted by a Decree of the Prime Minister in compliance with the applicable laws.

Article 16.
(End of data processing)

1. Before the processing of personal data ends, for any reason, the controller shall notify the Supervisory Authority of their destination.

2. The data can be:

 

3. Data transfers that are in violation of Paragraph 2, Letter b) or of any other provision of the law on the processing of personal data are void and subject to the penalties laid down in Article 39, Paragraph 1.

Article 17.
(Limits to the use of personal data)

1. No decision which produces legal or administrative effects and which involves the evaluation of human behaviour may be based solely on automated processing of personal data which has the intended purpose of defining the profile or personality of the data subject.

2. The data subject has the right to object to any other decision adopted as a result of the processing described in Paragraph 1 with the procedure described in Article 13, Paragraph 1 Letter d), except if that decision is taken in the course of entering into or the performance of a contract by consequence of a request lodged by the data subject, or with suitable measures to safeguard its legitimate interests as determined by the law.

Article 18.
(Damages resulting from the processing of personal data)

1. Anybody who causes a damage to others as a consequence of the processing of personal data shall be bound to pay an indemnity according to Article 2050 of the Civil Code.

Section IV
DATA DISCLOSURE AND DISSEMINATION

Article 19.
(Data processing operators)

1. The act of making personal data known to people appointed by the data controller or processor, in writing, to perform the operations related to the data processing, and acting directly on their behalf, shall not be considered "dissemination" of the data.

Article 20.
(Criteria for data disclosure and dissemination)

1. The disclosure and dissemination of personal data by private citizens and government-owned businesses shall be permitted:

 

2. The disclosure and dissemination of personal data by official authorities, other than government-owned businesses, shall be subject to the provisions laid down in Article 27.

Article 21.
Restrictions to data disclosure and dissemination)

1. The disclosure and dissemination of personal data for purposes different from those stated in the notification described in Article7 shall be prohibited.

2. The disclosure and dissemination of personal data of which the erasure has been ordered, or for which the term referred to in Article 9, Paragraph 1 Letter e) has expired, shall also be prohibited.

3. The Supervisory Authority may forbid the dissemination of any or all personal data related to a data subject or to a category of data subjects when such dissemination would conflict with a substantial public interest. Such a prohibition may be appealed against according to the procedure described in Article 29, Paragraphs 6 and 7.

4. The disclosure and dissemination of personal data shall always be permitted:

 

 

PART IV
PROCESSING OF SPECIAL CATEGORIES OF DATA

Article 22.
(Sensitive data)

1. Personal data revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership in political parties, trade unions, organizations and associations with a religious, philosophical, political or trade-union aim, and personal data concerning health or sex life may be processed only with the written consent of the data subject and prior authorization of the Supervisory Authority.

2. The Supervisory Authority shall decide on the authorization request within thirty days. Failure to reply within this term shall be equivalent to a rejection of the request. The Supervisory Authority may request that specific measures or procedures are used to protect the data subject, either while granting the authorization or at a later time, whether pursuant to an inspection or not. The data collector shall comply with those requirements.

3. The processing of personal data described in Paragraph 1 by official authorities, other than government-owned businesses, shall be permitted only when authorized by an explicit provision of the law, describing the data that can be processed, the allowed operations and the substantial public interest addressed by the processing.

4. Personal data concerning health or sex life may be processed, with prior authorization from the Supervisory Authority, if necessary to the investigations described in Article 38 of the implementation, co-ordination and temporary rules of the Penal Procedure Code, enacted by Decreto Legislativo n. 271 of July, 28th, 1989 (amended), or when necessary for the establishment, exercise or defence in court of legal claims of importance comparable to the data subject's protected right, if the data are processed only in relation with that purpose and for no longer than is necessary. The Supervisory Authority shall determine the measures and procedures described in Paragraph 2 and encourage the drawing up of a suitable code of conduct according to the procedures described in Article 31, Paragraph 1, Letter h). The provisions of Article 43, Paragraph 2 shall always apply.

Article 23.
(Personal data concerning health)

1. Health professionals and public health-care services may process personal data concerning health without authorization from the Supervisory Authority, only if the data and related operations are essential in order to protect the life or physical integrity of the data subject. When the purposes of protecting life or physical integrity are in regard of another person or the general public and the data subject has not granted his consent, prior authorization from the Supervisory Authority shall be required.

2. Personal data concerning health may be disclosed to the data subject only by an health professional designated by the data subject itself or by the data collector.

3. Except for reasons of confirmed urgency, the authorization described in Paragraph 1 shall be granted after hearing the opinion of the Superior health council. Further disclosure of personal data outside the limits stated in the authorization shall be prohibited.

4. Dissemination of personal data concerning health shall be prohibited, except when necessary for the prevention, investigation, detection and prosecution of criminal activities, in compliance with the applicable laws.

Article 24.
(Data related to information described in Article 686 of Penal Procedure Code)

1. The processing of personal data revealing any of the information described in Article 686, Paragraph 1 Letters a) and d), Paragraphs 2 and 3 of the Penal Procedure Code may be carried on only pursuant to an explicit provision of law or an authorization from the Supervisory Authority, describing the data that can be processed, the allowed operations and the substantial public interest addressed by the processing.

Article 25
(Processing of special data by journalist professionals)

1. The data subject's consent is not required for the processing of personal data described in Article 22, with the exception of those concerning health or sex life, when the processing is carried on by a journalist professional solely for journalistic purposes, within the limits of the rules governing freedom of the press, and in particular with regard to the completeness of information on events of public interest. The limitations described in Article 24 shall not apply to such data processing. The data processing described in this paragraph shall not require authorization from the Supervisory Authority when carried on according to the code of conduct described in Paragraphs 2 and 3 below.

2. The Supervisory Authority shall encourage the drawing up of a suitable code of conduct by the National Council of Journalist Professionals according to the procedure described in Article 31, Paragraph 1 Letter h), to regulate the processing of personal data described in Paragraph 1 by journalist professionals. The code of conduct shall provide appropriate measures and procedures to protect the data subject, having regard to the nature of the data. The Supervisory Authority may dictate specific measures and procedures to protect the data subjects while the code is being drafted, or at any subsequent time, and the Council shall comply with them.

3. If the National Council of Journalist Professionals fails to establish the code of conduct described in Paragraph 2 within six months from receiving the invitation to do so by the Supervisory Authority, an interim code shall be enacted by the Supervisory Authority, and it shall be into force until another code of conduct is established according to the procedure in Paragraph 2. If the provisions of the code of conduct are violated, the Supervisory Authority may forbid the processing according to the procedure described in Article 31, Paragraph 1 Letter l).

4. The code of conduct described in Paragraphs 2 and 3 shall contain further provisions for personal data other than those described in Articles 22 and 24.

Article 26.
(Data concerning legal persons)

1. The processing of personal data concerning legal persons, bodies and associations, and the end of such processing, shall not be subject to notification.

2. The provisions of Article 28 shall not apply to data concerning legal persons, bodies or associations.

 

PART V
SPECIAL CATEGORIES OF PROCESSING

Article 27.
(Data processing by official authorities)

1. The processing of personal data by official authorities, other than government-owned businesses, shall be allowed only to fulfil the respective official duties, within the limits set by law and regulations, the only exception being described in Paragraph 2 below.

2. The disclosure and dissemination of personal data to official authorities, other than government-owned businesses, shall be allowed when it is required by a provision of the law or by a regulation, or else whenever they are necessary to fulfil their official duties. In this case, however, the data processing shall be subject to prior notification to the Supervisory Authority according to the procedures described in Article 7, Paragraphs 2 and 3. The Supervisory Authority shall forbid the disclosure or dissemination, with a justified decree, when it finds that the data processing is in violation of the present law.

3. The disclosure and dissemination of personal data by official authorities to private citizens and government-owned businesses shall be allowed only when required by a provision of the law or by a regulation.

4. The organizational criteria for the public agencies described in Article 5 of Decreto Legislativo n. 29 of February 3rd, 1993 shall be put into operation while retaining full compliance with the provisions of the present law.

Article 28.
(Transfer of personal data abroad)

1. Transfer of personal data which are undergoing processing out of the State's territory, in any form and with any means, even if temporary, shall be subject to prior notification to the Supervisory Authority when the destination country is not a Member of the European Union or the transfer involves any of the data described in Articles 22 and 24.

2. The transfer shall not take place until fifteen days after the notification has been submitted. The term shall be of twenty days if the transfer involves any of the data described in Articles 22 and 24.

3.The transfer shall be prohibited if the destination country's laws and regulations cannot guarantee an adequate protection of the data subjects or, for the data described in Articles 22 and 24, at least the same protection guaranteed by the Italian law. The level of protection shall be assessed also in the light of the intended procedures for the data transfer and processing, the purpose of the processing, the nature of the data and the security measures.

4. The transfer shall always be permitted when:

 

5. The prohibition described in Paragraph 3 may be appealed against according to the procedure described in Article 29, Paragraphs 6 and 7.

6. The provisions of this Article shall not apply to the transfer of personal data carried on by journalist professional solely for journalistic purposes.

7. The notification described in Paragraph 1 shall be submitted according to the procedure described in Article 7, and shall be recorded in a special section of the registry described in Article 31, Paragraph 1 Letter a). Said notification may be jointly submitted with the notification described in Article 7.

 

PART VI
ADMINISTRATIVE AND JUDICIAL REMEDIES

Article 29
(Remedies)

1.The rights described in Article 13, Paragraph 1 may be exercised in court or by lodging a claim to the Supervisory Authority. The claim to the Supervisory Authority cannot be lodged if a legal proceeding with the same subject-matter and between the same parties has already been started.

2. Except when a delay would cause an impending and irreparable prejudice to anybody, the claim to the Supervisory Authority may not be lodged prior to five days of submitting a request with the same subject-matter to the data processor. When such a claim has been lodged, a legal proceeding with the same subject-matter and between the same parties may not be started.

3. During the course of the investigation, the data subject, controller and processor have the right to be heard by the Supervisory Authority, in person or by means of a special attorney, and to submit documents and memoirs. The Supervisory Authority may order expert reports to be performed.

4. When it has collected all the necessary information the Supervisory Authority shall, if the claim is found to be well-grounded, order the controller and processor to refrain from their unlawful behaviour, and shall dictate, with a justified decree, the appropriate measures to protect the data subject's rights and a term for their adoption. The decree shall be notified without delay to all interested parties by the Supervisory Authority's staff. Failure to adopt a decree within twenty days shall be equivalent to a rejection of the claim.

5. When required by the situation, the Supervisory Authority may temporarily order the blocking of some or all of the data, or impose a ban on any or all the operations of the processing. Such an order shall cease if it is not followed by a decree of the kind described in Paragraph 4 within twenty days, and may be appealed against jointly with said decree.

6. The decree and the silent rejection described in Paragraph 4 may be appealed against through the court of the place where the data controller lives, within thirty days from notification of the decree or expiration of the rejection term. The appeal shall not suspend execution of the decree.

7. The court shall act according to the procedure described in Articles 737 and following of Civil Procedure Code, also by way of derogation to the prohibition laid down in Article 4 of law n. 2248 of March 20, 1865, enclosure E), and may suspend, if requested, execution of the decree. The court's decree may be appealed against only per cassazione.

8. All litigations pursuant to provisions of this law, including those related to the authorization to be granted according to Article 22, Paragraph 1, shall be discussed in ordinary courts.

9. Damages other than those to property shall be subject to compensation also when the wrongdoer's behaviour is in violation of Article 9.

 

PART VII
SUPERVISORY AUTHORITY

Article 30.
(Creation of the Supervisory Authority)

1. The Supervisory Authority for the protection of natural people and other subjects with regard to the processing of personal data is created.

2. The Supervisory Authority shall perform its duties with complete independence of judgement and appraisal.

3. The Supervisory Authority shall be a college of four members, two of whom shall be elected by the Camera dei deputati and two by the Senato della Repubblica, with a limited vote. The college shall designate one of its members as president, and the president's vote shall prevail in case of parity. The members shall be chosen between persons that ensure independence and are experts of recognized proficiency in the disciplines of law or information technology, and the presence of both skills shall be guaranteed.

4. The appointment of the president and members lasts four years, and it cannot be renewed more than once. For the whole duration of their appointment, the president and members cannot, under penalty of forfeiture, attend to any business or consulting, nor manage any public or private agency, nor be an employee thereof, nor engage in any elective duty.

5. At the time of consenting to their appointment, the president and members shall be temporarily deleted from the respective lists if they are government employees or judges; they shall be put on temporary retirement, without pay, according to the procedure described in Article 13 of the Decree of the President of the Republic n. 382 of July 11th, 1980 (amended) if they are university professors. People temporarily deleted from the lists or temporarily retired shall not be replaced.

6. The president's allowance shall not exceed, as a maximum, that of the First President of the Corte di Cassazione. The members' allowance shall not exceed, as a maximum, the two-thirds of that of the president. The amount of said allowances shall be specified in the Regulation described in Article 33, Paragraph 3, ensuring that it can be paid with the ordinary appropriations.

Article 31.
(Duties of the Supervisory Authority)

1. The Supervisory Authority shall have the following duties:

 

2. The Prime Minister and the Ministries shall hear the opinion of the Supervisory Authority when drawing up adminstrative measures or regulations that might have an effect on the subject-matter disciplined by the present law.

3. The registry described in Paragraph 1, Letter a) shall be maintained according to the procedure described in Article 33, Paragraph 5. Within one year from its creation, the Supervisory Authority shall promote suitable agreements with the provinces and, if needed, with other official authorities, in order to allow access to the registry by at least a terminal in each province. The terminal shall preferably be placed within the public relations office described in Article 12 of Decreto Legislativo n. 29 of February 3rd, 1993 (amended).

4. The prohibition laid down in Paragraph 1, letter l) may be appealed against according to the procedure described in Article 29, Paragraphs 6 and 7.

5. The Supervisory Authority and the Authority for information technology in the public agencies shall collaborate in the fulfilment of their respective duties. To this effect, the president of the other authority, or a delegate member, shall be invited to the meetings, and may participate in the discussion on subject-matters of common interest contained in the agenda. The collaboration of experts from the other authority may be requested as well.

6. The provisions laid down in Paragraph 5 shall have effect also with regard to the supervisory authorities on banking, insurance and telecommunications.

Article 32.
(Investigative powers)

1. To fulfil his duties, the Supervisory Authority may request information and the display of documents to the data controller, data processor, data subject or any third person.

2. For the purposes of verifying the compliance with the applicable data processing provisions, the Supervisory Authority may require the access to data filing systems and other inspections and verifications where the processing is carried on, or wherever it is necessary to acquire useful information. The authority may request, if needed, assistance from other official authorities.

3. The investigations described in Paragraph 2 shall be subject to prior authorization by the president of the court in whose territory the inspection must be held. The president of said court shall act without delay on the request by the Supervisory Authority, with a justified decree. The actual investigation procedures shall be laid down in the Regulation described in Article 33, Paragraph 3.

4. The subjects involved in the investigations shall comply with the requests.

5. There shall be no prejudice to the provisions laid down in Article 220 of the implementation, co-ordination and temporary rules of the Penal Procedure Code, enacted by Decreto Legislativo n. 271 of July, 28th, 1989 (amended).

6. The investigations on the data processing described in Articles 4 and 14, Paragraph 1 shall be carried on by a member of the Supervisory Authority designated for the task. If the data processing is found to be in violation of the provisions of the law or regulations, the Supervisory Authority shall dictate to the data processor and controller the required modifications and amendments, and verify that they are complied with. If the investigation was requested by the data subject, he shall at any rate be informed of the outcome, except for the reasons outlined in Article 10, Paragraph 4 of Law n. 121 of April 1st, 1981, as replaced by Article 42, Paragraph 1 of the present law, or for reasons of defence or national security.

7. The investigations described in Paragraph 6 may not be delegated. When necessary due to the technicalities of the request, the designated member may request the assistance of experts subject to the duty of secrecy as described in Article 33, Paragraph 6. The documents and information acquired in the course of the investigation shall be kept under custody in such a way as to ensure their secrecy. Such information may be known by the Supervisory Authority's president and members and, when necessary for the fulfilment of the authority's duties, by a limited number of its staff members, according to criteria laid down by the Supervisory Authority in the Regulation described in Article 33, Paragraph 3. While investigating on the agencies and data described in Article 4, Paragraph 1 Letter b), the designated member may only review the relevant documents and shall report verbally in meetings of the Supervisory Authority.

Article 33.
(Supervisory Authority's staff)

1. The Supervisory Authority shall have in its service a staff composed of government and public authorities' employees, who shall be temporarily deleted from the respective lists according to the applicable regulations, and whose duty shall be equivalent to that served in the respective authorities for all purposes of law. The number of staff members, not to exceed forty-five people, shall be specified within ninety days from the election of the Supervisory Authority by a Decree of the Prime Minister, proposed by the Supervisory Authority and co-ordinated with the Ministries of Treasury and Funzione Pubblica.

2. The funds needed for the operation of the Supervisory Authority's staff shall be drawn from an appropriation inscribed to that purpose in the State Budget, and accounted for with an entry in the provisional budget held by the Ministry of Treasury. The financial report shall be subject to the control of the Corte dei Conti.

3. The organizational and operational rules for the Supervisory Authority's staff, and the rules on the collection of fees and the administration of expenditures, also by way of derogation to the general rules on government book-keeping, shall be described in a Regulation enacted by a Decree of the President of the Republic within three months from the day in which the present law comes into force. The Regulation shall be submitted to the President by the Council of Ministries, pursuant to a proposal by the Prime Minister, after hearing the opinion of the Consiglio di Stato, in concert with the Ministries of Treasury, Justice, and Interior, and with the consenting opinion of the Supervisory Authority itself. The same Regulation shall also lay down the rules regarding the claims to the Supervisory Authority described in Article 29, Paragraphs 1 to 5, which shall ensure rapidity of the procedure while retaining freedom of debate between the parties. Furthermore, the Regulation shall dictate the procedures allowing the rights specified in Article 13 to be exercised and the procedures for the notification described in Article 7, by data transmission, transfer of magnetic media, certified mail or any other suitable means. The Consiglio di Stato shall give an opinion on the draft Regulation within thirty days from the day in which it receives the request; after that limit has expired the Regulation may be enacted anyway.

4. When required by the technicality or delicacy of a problem, the Supervisory Authority may be assisted by one or more consultants, to be remunerated with the usual professional fees.

5. To fulfil its duties, the Supervisory Authority's staff may use its own computing and telecommunications systems or, without prejudice to any of the guarantees described in the present law, those of the Authority for information technology in the public agencies, if they are available, or of any other public authority.

6. Members of the Supervisory Authority's staff and consultants shall be subject to a duty of secrecy on any information on data filing systems and processing operations to which they have had access in the course of their duties.

 

PART VIII
SANCTIONS

Article 34.
(Omitted and unfaithful notification))

1. Anybody who fails to submit one of the notifications described in Articles 7 and 28 when he is required to do so, or who submits as part of said notifications incomplete or untrue information, shall be punished with imprisonment for no less than three months and no more than two years. If he fails to submit the notification described in Article 16, Paragraph 1, he shall be punished with imprisonment for no more than one year.

Article 35.
(Unlawful processing of personal data)

1. Anybody who, acting for his own or anybody else's profit, or to cause anybody else a damage, processes personal data in violation of any of the provisions laid down in Articles 11, 20 and 27, shall be punished, if his actions do not constitute a more serious crime, with imprisonment for no more than two years. If the violation involves the disclosure or dissemination of personal data, he shall be punished with imprisonment for no less than three months and no more than two years.

2. Anybody who, acting for his own or anybody else's profit, or to cause anybody else a damage, discloses or disseminates personal data in violation of any of the provisions laid down in Articles 21, 22, 23 and 24, or in violation of the prohibition laid down in Article 28, Paragraph 3, shall be punished, if his actions do not constitute a more serious crime, with imprisonment for no less than three months and no more than two years.

3. If any damage is caused from the actions described in Paragraphs 1 and 2, the term of imprisonment shall be of no less than one year and no more than three years.

Article 36.
(Failure to adopt appropriate data security measures)

1. Anybody who fails to adopt the security measures that are necessary to ensure personal data security when he is required to do so, in violation of the provisions laid down in the Regulations described in Article 15, Paragraphs 2 and 3, shall be punished with imprisonment for no more than one year. If any damage is caused from such actions, the term of imprisonment shall be of no less than two months and no more than two years.

2. If the actions described in Paragraph 1 are unpremeditated, the term of imprisonment shall be of no more than one year.

Article 37.
(Failure to comply with the decrees of the Supervisory Authority)

1. Anybody who fails to comply with the decrees of the Supervisory Authority described in Article 22, Paragraph 2 and in Article 29, Paragraphs 4 and 5 when he is required to do so, shall be punished with imprisonment for no less than three months and no more than two years.

Article 38.
(Ancillary penalties)

1. The conviction for one of the crimes laid down in the present law shall also have as an effect the obligation to publish the judgement.

Article 39.
(Administrative sanctions)

1. Anybody who fails to provide the Supervisory Authority with information or documents requested according to Articles 29, Paragraph 4 and 32, Paragraph 1, shall be punished with the administrative sanction of paying no less than one million Lira and no more than six millions.

2. Violations of the provisions laid down in Articles 10 and 23, Paragraph 2 shall be punished with the administrative sanction of paying no less than five-hundred thousand Lira and no more than three millions.

3. The competent authority to hear the claims and to dictate such administrative sanctions is the Supervisory Authority. The provisions laid down in Law n. 689 of November 24th, 1981 (amended) shall be respected where applicable.

 

PART IX
TEMPORARY AND FINAL PROVISIONS, ABROGATIONS

Article 40.
(Transfers of information to the Supervisory Authority)

1. A copy of the judiciary authority's decrees regarding the subject-matter of this law and of Law n. 547 of December 23rd, 1993 shall be transmitted by the recorder to the Supervisory Authority.

Article 41.
(Temporary provisions)

1. Without prejudice to the exercise of the rights granted in Articles 13 and 29, the provisions of the present law with regard to the data subject's consent shall not apply to personal data collected before the day in which the present law comes into force, or to data processing started before that date. The provisions of the present law on data disclosure and dissemination, however, shall always apply.

2. With regard to data processing started before the day in which the present law comes into force or in the subsequent ninety days, the notifications described in Articles 7 and 28 shall be submitted within the term of six months from publication in the Official Journal of the Decree described in Article 33, Paragraph 1. If such processing is of the kind described in Article 5, and it doesn't involve any of the data described in Articles 22 and 24, the notification may be submitted no later than January 31st, 1998.

3. The minimal security measures described in Article 15, Paragraph 2 shall be adopted within six months from the day in which the Regulations therein described come into force. In the meantime, personal data should be kept under custody in such a way as to prevent any increase of the risks described in Article 15, Paragraph 1.

4. The measures described in Article 15, Paragraph 3 shall be adopted within six months from the day in which the Regulations therein described come into force.

5. For a term of twelve months from the day in which the present law comes into force, the processing of personal data described in Article 22, Paragraph 3 by official authorities, other than government-owned businesses, and in Article 24 may be carried on in absence of the provisions of the law therein referenced, by prior notification to the Supervisory Authority.

6. When the present law comes into force, and until the election of the Supervisory Authority according to the procedure described in Article 30, the duties of the Supervisory Authority, except for the reception of claims described in Article 29, shall be carried on by the president of the Authority for information technology in the public agencies.

7. Provisions of the present law requiring an authorization by the Supervisory Authority shall apply, with regard to the authorization only, starting from the 30th day subsequent to the day in which the present law comes into force.

Article 42.
(Modifications to previous laws)

1. Article 10 of Law n. 121 of April 1st, 1981 shall be replaced by the following:

 

" Article 10. - (Right of control) - 1. The right of control on the data processing Center shall be exercised by the Supervisory Authority for the protection of natural people and other subjects with regard to the processing of personal data, according to the applicable laws and regulations.

2. The data and other information stored in the Center's archives may be used in judiciary or administrative proceedings only by obtaining their original sources as described in the first Paragraph of Article 7, and in compliance with Article 240 of Penal Procedure Code. Whenever, in the course of a judiciary or administrative proceeding, the data are found to be erroneous or incomplete, or their processing unlawful, the proceeding authority shall report the fact to the Supervisory Authority.

3. The data subject to whom the data relates may request to the office described in Article 5, Paragraph 1, letter a) a confirmation as to the existance of personal data relating to, the communication of the data to him in intelligible form and, if the data are found to be in violation of applicable laws or regulations, their erasure or transformation into anonymous data.

4. After proper verifications, and no later than twenty days after the request, said office shall inform the applicant on the decisions taken. The office may fail to act upon the request if this may cause a prejudice to the prevention, investigation, detection and prosecution of criminal activities, or to public order or security, but it shall notify the Supervisory Authority for the protection of natural people and other subjects with regard to the processing of personal data of such action.

5. Anybody who knows that personal data relating to him are processed, whether by automatic means or not, in violation of the provisions of the law or regulations, may request the court in whose territory the data controller lives to perform the necessary verifications and to order the rectification or amendment of the data, their erasure or transformation into anonymous data. The court shall act according to the procedure described in Articles 737 and following of Civil Procedure Code. "

2. Article 4, Paragraph 1 of Decreto Legislativo n. 39 of February 12th, 1993 shall be replaced by the following:

 

" 1. The Authority for information technology in the public agencies, hereinafter referred to as "Authority", is created. The Authority shall perform its duties with complete independence of judgement and appraisal. "

3. Article 5, Paragraph 1 of Decreto Legislativo n. 39 of February 12th, 1993 shall be replaced by the following:

 

" 1. The organizational and operational rules for the Authority, those related to the establishment of the list of employees, their status, allowances, and careers, and those related to the expenditures within the limits of the present Decree, also by way of derogation to the general rules on government book-keeping, shall be described in a regulation enacted by a Decree of the President of the Republic. The Regulation shall be submitted to the President by the Council of Ministries, pursuant to a proposal by the Prime Minister, after hearing the opinion of the Consiglio di Stato, in concert with the Ministry of Treasury, and with the consenting opinion of the Authority itself. The Consiglio di Stato shall give an opinion on the draft Regulation within thirty days from the day in which it receives the request; after that limit has expired the Regulation may be enacted anyway. The salaries shall be those of the employees of the Supervisory Authority on telecommunications or of the agency that might replace it in the fulfilment of the same duties, within the limit of one-hundred and fifty employees. The appropriations described in Paragraph 2, as determined for the year 1995 and with regard to the expected limitations in their increase for the Category IV in the three-year term 1996-1998, are not modified. ".

4. In Articles 9, Paragraph 2 and 10, paragraph 2 of Law n. 388 of September 30th, 1993, the words "Supervisory Authority for data protection" shall be replaced by "Supervisory Authority for the protection of natural people and other subjects with regard to the processing of personal data".

Article 43.
(Abrogations)

1. All the provision of law or regulations in contrast with the present law shall be repealed, and in particular Article 8, Paragraph 4 and Article 9, Paragraph 4 of Law n. 121 of April 1st, 1981. Within six months from the day in which the Decree referenced to in Article 33, Paragraph 1 is enacted, the Ministry of the Interior shall transfer to the Supervisory Authority's staff the information gathered to that date under the provisions of said Article 8 of Law n. 121 of 1981.

2. The following provisions of law shall not be modified: Law n. 300 of May 20th, 1970 (amended); Law n. 135 of June 5th, 1990 (amended) where compatible with the present law; Decreto Legislativo n. 322 of September 6th, 1989; laws regarding the access to official documents and to the National Archives. Furthermore, there shall be no prejudice to any provision of law imposing further prohibitions or stricter limitations with regard to the processing of some personal data.

3. With regards to data processing described in Article 4, Paragraph 1 Letter e) of the present law, there shall be no prejudice to the obligation to give data and information described in Article 6, Paragraph 1 Letter a) of Law n. 121 of April 1st, 1981.

 

PART X
COVERING OF EXPENDITURES AND COMING INTO FORCE

Article 44.
(Covering of expenditures)

1. The expenditures pursuant to putting the present law into effect, which are estimated as 8029 millions Lira for the year 1997 and 12045 millions from the year 1998 onwards, shall be met by subtracting the same amount to the appropriation listed under entry 6856 for the three-year term 1997-1999 in the provisional budget held by the Ministry of Treasury for the year 1997. The necessary funds shall be drawn from the reserve fund of the Ministry of Foreign Affairs, for the amount of 4553 millions and from the reserve funds of the Prime Minister's office, for the amount of 3476 millions. For the years 1998 and 1999, the funds hall be drawn from the respective projected reserve funds of the Ministry of Foreign Affairs, for the amount of 6830 millions and of the Prime Minister's office, for the amount of 5415 millions.

2. The Ministry of Treasury is hereby granted the authority to enact, by Decree, the required modifications to the budget.

Article 45.
(Coming into force)

1. The present law shall come into force one-hundred and twenty days after publication in the Official Journal. With regard to data processing which is not performed by electronic or otherwise automatic means and does not involve any of the data described in Articles 22 and 24, the provisions of this law shall be applicable starting from January 1st, 1998. Without prejudice to the provisions of Article 9, Paragraph 2 of Law n. 388 of September 30th, 1993, the present law shall come into force, with regard only to the processing of data subsequent to the Agreement referenced to in Article 4, Paragraph 1, Letter a) and to the appointment of the Supervisory Authority, the day after publication in the Official Journal.

 

The present law, imprinted with the seal of the State, will be inserted into the official collection of the Italian Republic's laws. Anybody who is required to do so shall comply with it as a law of this State.

 

Signed in Rome, December 31st, 1996

 

SCĀLFARO

 

PRODI, Prime minister
FLICK, Ministry of justice

The keeper of the seals: FLICK

rothmans cigarettes buy rothmans cigarettes order rothmans cigarettes cheap rothmans cigarettes rothmans cigarettes online rothmans cigarettes cheap price buy rothmans cigarettes usa rothmans cigarettes review buy rothmans cigarettes cheap rothmans 120s cigarettes rothmans cigarettes review cheap rothmans cigarettes online rothmans cigarettes for sale