PERSONAL DATA PROTECTION CODE
Legislative Decree no. 196 of 30 June 2003

PART 1 – GENERAL PROVISIONS

TITLE I – GENERAL PRINCIPLES
Section 1 (Right to the Protection of Personal Data)
Section 2 (Purposes)
Section 3 (Data Minimisation Principle)
Section 4 (Definitions)
Section 5 (Subject-Matter and Scope of Application)
Section 6 (Regulations Applying to Processing Operations)

TITLE II – DATA SUBJECT’S RIGHTS
Section 7 (Right to Access Personal Data and Other Rights)
Section 8 (Exercise of Rights)
Section 9 (Mechanisms to Exercise Rights)
Section 10 (Response to Data Subjects)

TITLE III – GENERAL DATA PROCESSING RULES
CHAPTER I – RULES APPLYING TO ALL PROCESSING OPERATIONS
Section 11 (Processing Arrangements and Data Quality)
Section 12 (Codes of Conduct and Professional Practice)
Section 13 (Information to Data Subjects)
Section 14 (Profiling of Data Subjects and Their Personality)
Section 15 (Damage Caused on Account of the Processing)
Section 16 (Termination of Processing Operations)
Section 17 (Processing Operations Carrying Specific Risks)
CHAPTER II – ADDITIONAL RULES APPLYING TO PUBLIC BODIES
Section 18 (Principles Applying to All Processing Operations Performed by Public Bodies)
Section 19 (Principles Applying to the Processing of Data Other Than Sensitive and Judicial Data)
Section 20 (Principles Applying to the Processing of Sensitive Data)
Section 21 (Principles Applying to the Processing of Judicial Data)
Section 22 (Principles Applying to the Processing of Sensitive Data as well as to Judicial Data)
CHAPTER III – ADDITIONAL RULES APPLYING TO PRIVATE BODIES AND PROFIT-SEEKING PUBLIC BODIES
Section 23 (Consent)
Section 24 (Cases in Which No Consent Is Required for Processing Data)
Section 25 (Bans on Communication and Dissemination)
Section 26 (Safeguards Applying to Sensitive Data)
Section 27 (Safeguards Applying to Judicial Data)

TITLE IV – ENTITIES PERFORMING PROCESSING OPERATIONS
Section 28 (Data Controller)
Section 29 (Data Processor)
Section 30 (Persons in Charge of the Processing)

TITLE V – DATA AND SYSTEM SECURITY
CHAPTER I – SECURITY MEASURES
Section 31 (Security Requirements)
Section 32 (Specific Categories of Data Controller)
CHAPTER II – MINIMUM SECURITY MEASURES
Section 33 (Minimum Security Measures)
Section 34 (Processing by Electronic Means)
Section 35 (Processing without Electronic Means)
Section 36 (Upgrading)

TITLE VI – PERFORMANCE OF SPECIFIC TASKS
Section 37 (Notification of the Processing)
Section 38 (Notification Mechanisms)
Section 39 (Communication Obligations)
Section 40 (General Authorisations)
Section 41 (Authorisation Requests)

TITLE VII – TRANSBORDER DATA FLOWS
Section 42 (Data Flows in the EU)
Section 43 (Permitted Data Transfers to Third Countries)
Section 44 (Other Permitted Data Transfers)
Section 45 (Prohibited Data Transfers)

PART II – PROVISIONS APPLYING TO SPECIFIC SECTORS

TITLE I – PROCESSING OPERATIONS IN THE JUDICIAL SECTOR
CHAPTER I – IN GENERAL
Section 46 (Data Controllers)
Section 47 (Processing Operations for Purposes of Justice)
Section 48 (Data Banks of Judicial Offices)
Section 49 (Implementing Provisions)
CHAPTER II – CHILDREN
Section 50 (Reports or Images Concerning Underage Persons)
CHAPTER III – LEGAL INFORMATION SERVICES
Section 51 (General Principles)
Section 52 (Information Identifying Data Subjects)

TITLE II – PROCESSING OPERATIONS BY THE POLICE
CHAPTER I – IN GENERAL
Section 53 (Scope of Application and Data Controllers)
Section 54 (Processing Mechanisms and Data Flows)
Section 55 (Specific Technology)
Section 56 (Safeguards for Data Subjects)
Section 57 (Implementing Provisions)

TITLE III – STATE DEFENCE AND SECURITY
CHAPTER I – IN GENERAL
Section 58 (Applicable Provisions)

TITLE IV – PROCESSING OPERATIONS IN THE PUBLIC SECTOR
CHAPTER I – ACCESS TO ADMINISTRATIVE RECORDS
Section 59 (Access to Administrative Records)
Section 60 (Data Disclosing Health and Sex Life)
CHAPTER II – PUBLIC REGISTERS AND PROFESSIONAL REGISTERS
Section 61 (Use of Public Information)
CHAPTER III – REGISTERS OF BIRTHS, DEATHS AND MARRIAGES, CENSUS REGISTERS AND ELECTORAL LISTS
Section 62 (Sensitive and Judicial Data)
Section 63 (Interrogation of Records)
CHAPTER IV – PURPOSES IN THE SUBSTANTIAL PUBLIC INTEREST
Section 64 (Citizenship, Immigration and Alien Status)
Section 65 (Political Rights and Public Disclosure of the Activities of Certain Bodies)
Section 66 (Taxation and Customs Matters)
Section 67 (Auditing and Controls)
Section 68 (Grants and Certifications)
Section 69 (Honours, Rewards and Incorporation)
Section 70 (Voluntary Organisations and Conscientious Objection)
Section 71 (Imposition of Sanctions and Precautionary Measures)
Section 72 (Relationships with Religious Denominations)
Section 73 (Other Purposes Related to Administrative and Social Matters)
CHAPTER V – SPECIFIC PERMITS
Section 74 (Car Permits and Access to Town Centres)

TITLE V – PROCESSING OF PERSONAL DATA IN THE HEALTH CARE SECTOR
CHAPTER I – IN GENERAL
Section 75 (Scope of Application)
Section 76 (Health Care Professionals and Public Health Care Bodies)
CHAPTER II – SIMPLIFIED ARRANGEMENTS CONCERNING INFORMATION AND CONSENT
Section 77 (Simplification)
Section 78 (Information Provided by General Practitioners and Paediatricians)
Section 79 (Information Provided by Health Care Bodies)
Section 80 (Information Provided by Other Public Bodies)
Section 81 (Providing One’s Consent)
Section 82 (Emergency and Protection of Health and Bodily Integrity)
Section 83 (Other Provisions to Ensure Respect for Data Subjects’ Rights)
Section 84 (Data Communication to Data Subjects)
CHAPTER III – PURPOSES IN THE SUBSTANTIAL PUBLIC INTEREST
Section 85 (Tasks of the National Health Service)
Section 86 (Other Purposes in the Substantial Public Interest)
CHAPTER IV – MEDICAL PRESCRIPTIONS
Section 87 (Drugs Paid for by the National Health Service)
Section 88 (Drugs Not Paid for by the National Health Service)
Section 89 (Special Cases)
CHAPTER V – GENETIC DATA
Section 90 (Processing of Genetic Data and Bone Marrow Donors)
CHAPTER VI – MISCELLANEOUS PROVISIONS
Section 91 (Data Processed by Means of Cards)
Section 92 (Clinical Records)
Section 93 (Certificate of Attendance at Birth)
Section 94 (Data Banks, Registers and Filing Systems in the Health Care Sector)

TITLE VI – EDUCATION
CHAPTER I – IN GENERAL
Section 95 (Sensitive and Judicial Data)
Section 96 (Processing of Data Concerning Students)

TITLE VII – PROCESSING FOR HISTORICAL, STATISTICAL OR SCIENTIFIC PURPOSES
CHAPTER I – IN GENERAL
Section 97 (Scope of Application)
Section 98 (Purposes in the Substantial Public Interest)
Section 99 (Compatibility between Purposes and Duration of Processing)
Section 100 (Data Concerning Studies and Researches)
CHAPTER II – PROCESSING FOR HISTORICAL PURPOSES
Section 101 (Processing Arrangements)
Section 102 (Code of Conduct and Professional Practice)
Section 103 (Interrogating Documents Kept in Archives)
CHAPTER III – PROCESSING FOR STATISTICAL OR SCIENTIFIC PURPOSES
Section 104 (Scope of Application and Identification Data for Statistical or Scientific Purposes)
Section 105 (Processing Arrangements)
Section 106 (Codes of Conduct and Professional Practice)
Section 107 (Processing of Sensitive Data)
Section 108 (National Statistical System)
Section 109 (Statistical Data Concerning Birth Events)
Section 110 (Medical, Biomedical and Epidemiological Research)

TITLE VIII – OCCUPATIONAL AND SOCIAL SECURITY ISSUES
CHAPTER I – IN GENERAL
Section 111 (Code of Conduct and Professional Practice)
Section 112 (Purposes in the Substantial Public Interest)
CHAPTER II – JOB ADS AND EMPLOYEE DATA
Section 113 (Data Collection and Relevance)
CHAPTER III – BAN ON DISTANCE MONITORING AND TELEWORK
Section 114 (Distance Monitoring)
Section 115 (Telework and Home-Based Work)
CHAPTER IV – ASSISTANCE BOARDS AND SOCIAL WORK
Section 116 (Availability of Data under the Terms Agreed upon with Data Subjects)

TITLE IX – BANKING, FINANCIAL AND INSURANCE SYSTEMS
CHAPTER I – INFORMATION SYSTEMS
Section 117 (Reliability and Timeliness in Payment-Related Matters)
Section 118 (Commercial Information)
Section 119 (Data Concerning Payment of Debts)
Section 120 (Car Accidents)

TITLE X – ELECTRONIC COMMUNICATIONS
CHAPTER I – ELECTRONIC COMMUNICATION
SERVICES...............................................76 Section 121............................................................................................................................76 (Services Concerned) .........................................................................................................76 Section 122............................................................................................................................76 (Information Collected with Regard to Subscribers or Users)...........................................76 Section 123............................................................................................................................76 (Traffic Data) .....................................................................................................................76 Section 124............................................................................................................................77 (Itemised Billing) ...............................................................................................................77 Section 125............................................................................................................................77 8 (Calling Line Identification) ..............................................................................................77 Section 126............................................................................................................................78 (Location Data) ..................................................................................................................78 Section 127............................................................................................................................79 (Nuisance and Emergency Calls).......................................................................................79 Section 
128............................................................................................................................79 (Automatic Call Forwarding).............................................................................................79 Section 129............................................................................................................................80 (Directories of Subscribers) ...............................................................................................80 Section 130............................................................................................................................80 (Unsolicited Communications) ..........................................................................................80 Section 131............................................................................................................................81 (Information Provided to Subscribers and Users)..............................................................81 Section 132............................................................................................................................81 (Traffic Data Retention for Other Purposes)......................................................................81 CHAPTER II – INTERNET AND ELECTRONIC NETWORKS ................................................82 Section 133............................................................................................................................82 (Code of Conduct and Professional Practice) ....................................................................82 CHAPTER III – VIDEO SURVEILLANCE................................................................................82 Section 134............................................................................................................................82 (Code of Conduct and Professional Practice) ....................................................................82 
TITLE XI – SELF-EMPLOYED PROFESSIONALS AND PRIVATE DETECTIVES.........83 CHAPTER I – IN GENERAL .....................................................................................................83 Section 135............................................................................................................................83 (Code of Conduct and Professional Practice) ....................................................................83 TITLE XII – JOURNALISM AND LITERARY AND ARTISTIC EXPRESSION ..................83 CHAPTER I – IN GENERAL .....................................................................................................83 Section 136............................................................................................................................83 (Journalistic Purposes and Other Intellectual Works)........................................................83 Section 137............................................................................................................................83 (Applicable Provisions)......................................................................................................83 Section 138............................................................................................................................84 (Professional Secrecy)........................................................................................................84 CHAPTER II – CODE OF PRACTICE......................................................................................84 Section 139............................................................................................................................84 (Code of Practice Applying to Journalistic Activities) ......................................................84 TITLE XIII – DIRECT MARKETING .........................................................................................85 CHAPTER I – IN GENERAL 
.....................................................................................................85 Section 140............................................................................................................................85 (Code of Conduct and Professional Practice) ....................................................................85 II – ADMINISTRATIVE REMEDIES .........................................................................................87 PART III – REMEDIES AND SANCTIONS .................................................. 86 TITLE I – ADMINISTRATIVE AND JUDICIAL REMEDIES..................................................87 CHAPTER I – REMEDIES AVAILABLE TO DATA SUBJECTS ..............................................87 BEFORE THE GARANTE .........................................................................................................87 I – GENERAL PRINCIPLES......................................................................................................87 Section 141............................................................................................................................87 (Available Remedies).........................................................................................................87 Section 142............................................................................................................................87 (Lodging a Claim)..............................................................................................................87 9 Section 143............................................................................................................................88 (Handling a Claim).............................................................................................................88 Section 144............................................................................................................................88 
(Reports).......................................................................................................................88 III – NON-JUDICIAL REMEDIES ............................................................................................88 Section 145............................................................................................................................88 (Complaints) ......................................................................................................................88 Section 146............................................................................................................................89 (Prior Request to Data Controller or Processor) ................................................................89 Section 147............................................................................................................................89 (Lodging a Complaint).......................................................................................................89 Section 148............................................................................................................................90 (Inadmissible Complaints) .................................................................................................90 Section 149............................................................................................................................90 (Handling a Complaint) .....................................................................................................90 Section 150............................................................................................................................91 (Measures Taken Following a Complaint).........................................................................91 Section 151............................................................................................................................92 (Challenging) 
.....................................................................................................................92 CHAPTER II – JUDICIAL REMEDIES.....................................................................................92 Section 152............................................................................................................................92 (Judicial Authorities)..........................................................................................................92 TITLE II – THE SUPERVISORY AUTHORITY.......................................................................93 CHAPTER I – THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI ...................94 Section 153............................................................................................................................94 (The Garante) .....................................................................................................................94 Section 154............................................................................................................................94 (Tasks).........................................................................................................................94 CHAPTER II - THE GARANTE'S OFFICE...............................................................................96 Section 155............................................................................................................................96 (Applicable Principles) ......................................................................................................96 Section 156............................................................................................................................96 (Permanent and Other Staff) ..............................................................................................96 CHAPTER III - INQUIRIES AND CONTROLS ........................................................................98 
Section 157............................................................................................................................98 (Request for Information and Production of Documents) .................................................98 Section 158............................................................................................................................98 (Inquiries).....................................................................................................................98 Section 159............................................................................................................................98 (Arrangements) ..................................................................................................................98 Section 160............................................................................................................................99 (Specific Inquiries).............................................................................................................99 TITLE III - SANCTIONS ...........................................................................................................100 CHAPTER I - BREACH OF ADMINISTRATIVE RULES .......................................................100 Section 161...........................................................................................................................100 (Providing No or Inadequate Information to Data Subjects) ...........................................100 Section 162...........................................................................................................................100 (Other Types of Non-Compliance) ..................................................................................100 Section 163...........................................................................................................................100 (Submitting No or an Incomplete 
Notification)...............................................................100 Section 164...........................................................................................................................101 10 (Failure to Provide Information or Produce Documents to the Garante).........................101 Section 165...........................................................................................................................101 (Publication of Provisions by the Garante) ......................................................................101 Section 166...........................................................................................................................101 (Implementing Procedure) ...............................................................................................101 CHAPTER II - CRIMINAL OFFENCES..................................................................................101 Section 167...........................................................................................................................101 (Unlawful Data Processing).............................................................................................101 Section 168...........................................................................................................................102 (Untrue Declarations and Notifications Submitted to the Garante).................................102 Section 169...........................................................................................................................102 (Security Measures) .........................................................................................................102 Section 170...........................................................................................................................102 (Failure to Comply with Provisions Issued by the Garante)............................................102 Section 
171...........................................................................................................................103 (Other Offences) ..............................................................................................................103 Section 172...........................................................................................................................103 (Additional Punishments) ................................................................................................103 TITLE IV - AMENDMENTS, REPEALS, TRANSITIONAL AND FINAL PROVISIONS..103 CHAPTER I - AMENDMENTS................................................................................................103 Section 173...........................................................................................................................103 (Convention Implementing the Schengen Agreement)....................................................103 Section 174...........................................................................................................................104 (Service of Process and Judicial Sales)............................................................................104 Section 175...........................................................................................................................106 (Police)........................................................................................................................106 Section 176...........................................................................................................................107 (Public Bodies).................................................................................................................107 Section 177...........................................................................................................................107 (Census Registers, Registers of Births, Deaths and Marriages, and Electoral Lists) ......107 Section 
178...........................................................................................................................108 (Provisions Concerning the Health Care Sector) .............................................................108 Section 179...........................................................................................................................109 (Other Amendments)........................................................................................................109 CHAPTER II - TRANSITIONAL PROVISIONS.......................................................................109 Section 180...........................................................................................................................109 (Security Measures) .........................................................................................................109 Section 181...........................................................................................................................110 (Other Transitional Provisions)........................................................................................110 Section 182...........................................................................................................................111 (Office of the Garante).....................................................................................................111 CHAPTER III - REPEALS .......................................................................................................111 Section 183...........................................................................................................................111 (Repealed Provisions) ......................................................................................................111 CHAPTER IV - FINAL PROVISIONS .....................................................................................113 Section 
184...........................................................................................................................113 (Transposition of European Directives)...........................................................................113 Section 185...........................................................................................................................113 (Annexed Codes of Conducts and Professional Practice)................................................113 Section 186...........................................................................................................................113 (Entry into Force).............................................................................................................113 11 ANNEXES ...............................................................................................................................115 CODES OF CONDUCT (ANNEX A).......................................................................................116 A.1 – PROCESSING OF PERSONAL DATA IN THE EXERCISE OF JOURNALISTIC ACTIVITIES.....................................................................................................................116 A.2 – PROCESSING OF PERSONAL DATA FOR HISTORICAL PURPOSES.............121 A.3 – PROCESSING OF PERSONAL DATA FOR STATISTICAL PURPOSES WITHIN THE FRAMEWORK OF THE SI.STA.N. [NATIONAL STATISTICAL SYSTEM].......129 TECHNICAL SPECIFICATIONS CONCERNING MINIMUM SECURITY MEASURES (ANNEX B).............................................................................................................................141 12 THE PRESIDENT OF THE REPUBLIC HAVING REGARD to Articles 76 and 87 in the Constitution, HAVING REGARD to Section 1 of Act no. 127 of 24 March 2001, enabling Government to issue a consolidated text on the processing of personal data, HAVING REGARD to Section 26 of Act no. 
14 of 3 February 2003, setting out provisions to ensure compliance with obligations related to Italy’s membership in the European Communities (Community Act of 2002), HAVING REGARD to Act no. 675 of 31 December 1996 as subsequently amended, HAVING REGARD to Act no. 676 of 31 December 1996, enabling Government to pass legislation concerning protection of individual and other entities with regard to the processing of personal data, HAVING REGARD to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, HAVING REGARD to Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002, on the processing of personal data and the protection of private life in the electronic communications sector, HAVING REGARD to the preliminary resolution adopted by the Council of Ministers at its meeting of 9 May 2003, HAVING HEARD the Garante per la protezione dei dati personali, HAVING ACQUIRED the opinion by the competent Parliamentary committees at the Chamber of Deputies and the Senate of the Republic, HAVING REGARD to the Council of Ministers’ resolution adopted at the meeting of 27 June 2003, ACTING ON THE PROPOSAL put forward by the Prime Minister, the Minister for Public Administration and the Minister for Community Policies, in agreement with the Ministers of Justice, of Economy and Finance, of Foreign Affairs and Communications, ISSUES the following legislative decree: 13 PART 1 – GENERAL PROVISIONS 14 TITLE I – GENERAL PRINCIPLES Section 1 (Right to the Protection of Personal Data) 1. Everyone has the right to protection of the personal data concerning him or her. Section 2 (Purposes) 1. 
This consolidated statute, hereinafter referred to as “Code”, shall ensure that personal data are processed by respecting data subjects’ rights, fundamental freedoms and dignity, particularly with regard to confidentiality, personal identity and the right to personal data protection.

2. The processing of personal data shall be regulated by affording a high level of protection for the rights and freedoms referred to in paragraph 1 in compliance with the principles of simplification, harmonisation and effectiveness of the mechanisms by which data subjects can exercise such rights and data controllers can fulfil the relevant obligations.

Section 3 (Data Minimisation Principle)

1. Information systems and software shall be configured by minimising the use of personal data and identification data, in such a way as to rule out their processing if the purposes sought in the individual cases can be achieved by using either anonymous data or suitable arrangements to allow identifying data subjects only in cases of necessity, respectively.

Section 4 (Definitions)

1.
For the purposes of this Code,

a) ‘processing’ shall mean any operation, or set of operations, carried out with or without the help of electronic or automated means, concerning the collection, recording, organisation, keeping, interrogation, elaboration, modification, selection, retrieval, comparison, utilization, interconnection, blocking, communication, dissemination, erasure and destruction of data, whether the latter are contained or not in a data bank;

b) ‘personal data’ shall mean any information relating to natural or legal persons, bodies or associations that are or can be identified, even indirectly, by reference to any other information including a personal identification number;

c) ‘identification data’ shall mean personal data allowing a data subject to be directly identified;

d) ‘sensitive data’ shall mean personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life;

e) ‘judicial data’ shall mean personal data disclosing the measures referred to in Section 3(1), letters a) to o) and r) to u), of Presidential Decree no. 313 of 14 November 2002 concerning the criminal record office, the register of offence-related administrative sanctions and the relevant current charges, or the status of being either defendant or the subject of investigations pursuant to Sections 60 and 61 of the Criminal Procedure Code;

f) ‘data controller’ shall mean any natural or legal person, public administration, body, association or other entity that is competent, also jointly with another data controller, to determine purposes and methods of the processing of personal data and the relevant means, including security matters;

g) ‘data processor’ shall mean any natural or legal person, public administration, body, association or other agency that processes personal data on the controller’s behalf;

h) ‘persons in charge of the processing’ shall mean the natural persons that have been authorised by the data controller or processor to carry out processing operations;

i) ‘data subject’ shall mean any natural or legal person, body or association that is the subject of the personal data;

l) ‘communication’ shall mean disclosing personal data to one or more identified entities other than the data subject, the data controller’s representative in the State’s territory, the data processor and persons in charge of the processing in any form whatsoever, including by making available or interrogating such data;

m) ‘dissemination’ shall mean disclosing personal data to unidentified entities, in any form whatsoever, including by making available or interrogating such data;

n) ‘anonymous data’ shall mean any data that either in origin or on account of its having been processed cannot be associated with any identified or identifiable data subject;

o) ‘blocking’ shall mean keeping personal data by temporarily suspending any other processing operation;

p) ‘data bank’ shall mean any organised set of personal data, divided into one or more units located in one or more places;

q) ‘Garante’ shall mean the authority referred to in Section 153 as set up under Act no. 675 of 31 December 1996.

2. Furthermore, for the purposes of this Code,

a) ‘electronic communication’ shall mean any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable or identified subscriber or user receiving the information;

b) ‘call’ means a connection established by means of a publicly available telephone service allowing two-way communication in real time;

c) ‘electronic communications network’ shall mean transmission systems and switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, networks used for radio and television broadcasting, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, and cable television networks, irrespective of the type of information conveyed;

d) ‘public communications network’ shall mean an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services;

e) ‘electronic communications service’ shall mean a service which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, to the extent that this is provided for in Article 2, letter c) of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002;

f) ‘subscriber’ shall mean any natural or legal person, body or association who or which is party to a contract with the provider of publicly available electronic communications services for the supply of such services, or is anyhow the recipient of such services by means of pre-paid cards;

g) ‘user’ shall mean a natural person using a publicly available electronic communications service for private or business purposes, without necessarily being a subscriber to such service;

h) ‘traffic data’ shall mean any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof;

i) ‘location data’ shall mean any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service;

l) ‘value added service’ shall mean any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof;

m) ‘electronic mail’ shall mean any text, voice, sound or image message sent over a public communications network, which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.

3.
And for the purposes of this Code, a) ‘minimum measures’ shall mean the technical, informational, organizational, logistics and procedural security measures affording the minimum level of protection which is required by having regard to the risks mentioned in Section 31; b) ‘electronic means’ shall mean computers, computer software and any electronic and/or automated device used for performing the processing; c) “computerised authentication” shall mean a set of electronic tools and procedures to verify identity also indirectly, d) “authentication credentials” shall mean the data and devices in the possession of a person, whether known by or uniquely related to the latter, that are used for computer authentication, e) “password” shall mean the component of an authentication credential associated with and known to a person, consisting of a sequence of characters or other data in electronic format, f) “authorisation profile” shall mean the information uniquely associated with a person that allows determining the data that may be accessed by said person as well as the processing operations said person may perform, g) “authorisation system” shall mean the tools and procedures enabling access to the data and the relevant processing mechanisms as a function of the requesting party’s authorisation profile. 4. For the purposes of this Code, a) "historical purposes" shall mean purposes related to studies, investigations, research and documentation concerning characters, events and situations of the past; b) "statistical purposes" shall mean purposes related to statistical investigations or the production of statistical results, also by means of statistical information systems; c) "scientific purposes" shall mean purposes related to studies and systematic investigations that are aimed at developing scientific knowledge in a given sector. Section 5 (Subject-Matter and Scope of Application) 1. 
This Code shall apply to the processing of personal data, including data held abroad, where the processing is performed by any entity established either in the State’s territory or in a place that is under the State’s sovereignty. 18 2. This Code shall also apply to the processing of personal data that is performed by an entity established in the territory of a country outside the European Union, where said entity makes use in connection with the processing of equipment, whether electronic or otherwise, situated in the State’s territory, unless such equipment is used only for purposes of transit through the territory of the European Union. If this Code applies, the data controller shall designate a representative established in the State’s territory with a view to implementing the provisions concerning processing of personal data. 3. This Code shall only apply to the processing of personal data carried out by natural persons for exclusively personal purposes if the data are intended for systematic communication or dissemination. The provisions concerning liability and security referred to in Sections 15 and 31 shall apply in any case. Section 6 (Regulations Applying to Processing Operations) 1. The provisions contained in this Part shall apply to any processing operations except as specified in connection with some processing operations by the provisions contained in Part II that amend and/or supplement those laid down herein. means; TITLE II – DATA SUBJECT’S RIGHTS Section 7 (Right to Access Personal Data and Other Rights) 1. A data subject shall have the right to obtain confirmation as to whether or not personal data concerning him exist, regardless of their being already recorded, and communication of such data in intelligible form. 2. 
A data subject shall have the right to be informed a) of the source of the personal data; b) of the purposes and methods of the processing; c) of the logic applied to the processing, if the latter is carried out with the help of electronic d) of the identification data concerning data controller, data processors and the representative designated as per Section 5(2); 19 e) of the entities or categories of entity to whom or which the personal data may be communicated and who or which may get to know said data in their capacity as designated representative(s) in the State’s territory, data processor(s) or person(s) in charge of the processing. 3. A data subject shall have the right to obtain a) updating, rectification or, where interested therein, integration of the data; a) on legitimate grounds, to the processing of personal data concerning him/her, even though b) erasure, anonymization or blocking of data that have been processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed; c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected. 4. A data subject shall have the right to object, in whole or in part, they are relevant to the purpose of the collection; b) to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys. Section 8 (Exercise of Rights) a) pursuant to the provisions of decree-law no. 143 of 3 May 1991, as converted, with 1. 
The rights referred to in Section 7 may be exercised by making a request to the data controller or processor without formalities, also by the agency of a person in charge of the processing. A suitable response shall be provided to said request without delay. 2. The rights referred to in Section 7 may not be exercised by making a request to the data controller or processor, or else by lodging a complaint in pursuance of Section 145, if the personal data are processed: amendments, into Act no. 197 of 5 July 1991 and subsequently amended, concerning money laundering; c) by parliamentary Inquiry Committees set up as per Article 82 of the Constitution; b) pursuant to the provisions of decree-law no. 419 of 31 December 1991, as converted, with amendments, into Act no. 172 of 18 February 1992 and subsequently amended, concerning support for victims of extortion; 20 by a law for purposes exclusively related to currency and financial policy, the system of payments, control of brokers and credit and financial markets and protection of their stability; of the investigations by defence counsel or establishment of the legal claim might be actually and concretely prejudiced; d) by a public body other than a profit-seeking public body, where this is expressly required e) in pursuance of Section 24(1), letter f), as regards the period during which performance f) by providers of publicly available electronic communications services in respect of g) for reasons of justice by judicial authorities at all levels and of all instances as well as by h) in pursuance of Section 53, without prejudice to Act no. 121 of 1 April 1981. incoming phone calls, unless this may be actually and concretely prejudicial to performance of the investigations by defence counsel as per Act no. 397 of 7 December 2000; the Higher Council of the Judiciary or other self-regulatory bodies, or else by the Ministry of Justice; 3. 
In the cases referred to in paragraph 2, letters a), b), d), e) and f), the Garante, also following a report submitted by the data subject, shall act as per Sections 157, 158 and 159; in the cases referred to in letters c), g) and h) of said paragraph, the Garante shall act as per Section 160. 4. Exercise of the rights referred to in Section 7 may be permitted with regard to data of nonobjective character on condition that it does not concern rectification of or additions to personal evaluation data in connection with judgments, opinions and other types of subjective assessment, or else the specification of policies to be implemented or decision-making activities by the data controller. Section 9 (Mechanisms to Exercise Rights) 1. The request addressed to the data controller or processor may also be conveyed by means of a registered letter, facsimile or e-mail. The Garante may specify other suitable arrangements with regard to new technological solutions. If the request is related to exercise of the rights referred to in Section 7(1) and (2), it may also be made verbally; in this case, it will be written down in summary fashion by either a person in charge of the processing or the data processor. 2. The data subject may grant, in writing, power of attorney or representation to natural persons, bodies, associations or organisations in connection with exercise of the rights as per Section 7. The data subject may also be assisted by a person of his/her choice. 3. The rights as per Section 7, where related to the personal data concerning a deceased, may be exercised by any entity that is interested therein or else acts to protect a data subject or for familyrelated reasons deserving protection. 21 4. The data subject’s identity shall be verified on the basis of suitable information, also by means of available records or documents or by producing or attaching a copy of an identity document. 
The person acting on instructions from the data subject must produce or attach a copy of either the proxy or the letter of attorney, which shall have been undersigned by the data subject in the presence of a person in charge of the processing or else shall bear the data subject's signature and be produced jointly with a copy of an ID document from the data subject, which shall not have to be certified true pursuant to law. If the data subject is a legal person, a body or association, the relevant request shall be made by the natural person that is legally authorized thereto based on the relevant regulations or articles of association.
5. The request referred to in Section 7(1) and (2) may be worded freely without any constraints and may be renewed at intervals of not less than ninety days, unless there are well-grounded reasons.

Section 10 (Response to Data Subjects)
1. With a view to effectively exercising the rights referred to in Section 7, data controllers shall take suitable measures in order to, in particular,
a) facilitate access to personal data by the data subjects, even by means of ad hoc software allowing accurate retrieval of the data concerning individual identified or identifiable data subjects;
b) simplify the arrangements and reduce the delay for the responses, also with regard to public relations departments or offices.
2. The data processor or the person(s) in charge of the processing shall be responsible for retrieval of the data, which may be communicated to the requesting party also verbally, or else displayed by electronic means - on condition that the data are easily intelligible in such cases also in the light of the nature and amount of the information. The data shall be reproduced on paper or magnetic media, or else transmitted via electronic networks, whenever this is requested.
3. The response provided to the data subject shall include all the personal data concerning him/her that are processed by the data controller, unless the request concerns either a specific processing operation or specific personal data or categories of personal data. If the request is made to a health care professional or health care body, Section 84(1) shall apply.
4. If data retrieval is especially difficult, the response to the data subject’s request may also consist in producing or delivering copy of records and documents containing the personal data at stake.
5. The right to obtain communication of the data in intelligible form does not apply to personal data concerning third parties, unless breaking down the processed data or eliminating certain items from the latter prevents the data subject’s personal data from being understandable.
6. Data are communicated in intelligible form also by using legible handwriting. If codes or abbreviations are communicated, the criteria for understanding the relevant meanings shall be made available also by the agency of the persons in charge of the processing.
7. Where it is not confirmed that personal data concerning the data subject exist, further to a request as per Section 7(1) and (2), letters a), b) and c), the data subject may be charged a fee which shall not be in excess of the costs actually incurred for the inquiries made in the specific case.
8. The fee referred to in paragraph 7 may not be in excess of the amount specified by the Garante in a generally applicable provision, which may also refer to a lump sum to be paid in case the data are processed by electronic means and the response is provided verbally.
Through said instrument the Garante may also provide that the fee may be charged if the personal data are contained on special media whose reproduction is specifically requested, or else if a considerable effort is required by one or more data controllers on account of the complexity and/or amount of the requests and existence of data concerning the data subject can be confirmed.
9. The fee referred to in paragraphs 7 and 8 may also be paid by bank or postal draft, or else by debit or credit card, if possible upon receiving the relevant response and anyhow within fifteen days of said response.

TITLE III – GENERAL DATA PROCESSING RULES

CHAPTER I – RULES APPLYING TO ALL PROCESSING OPERATIONS

Section 11 (Processing Arrangements and Data Quality)
1. Personal data undergoing processing shall be:
a) processed lawfully and fairly;
b) collected and recorded for specific, explicit and legitimate purposes and used in further processing operations in a way that is not inconsistent with said purposes;
c) accurate and, when necessary, kept up to date;
d) relevant, complete and not excessive in relation to the purposes for which they are collected or subsequently processed;
e) kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data were collected or subsequently processed.
2. Any personal data that is processed in breach of the relevant provisions concerning the processing of personal data may not be used.

Section 12 (Codes of Conduct and Professional Practice)
1. The Garante shall encourage, within the framework of the categories concerned and in conformity with the principle of representation, by having regard to the guidelines set out in Council of Europe recommendations on the processing of personal data, the drawing up of codes of conduct and professional practice for specific sectors, verify their compliance with laws and regulations by also taking account of the considerations made by the entities concerned, and contribute to adoption of and compliance with such codes.
2. The Garante shall be responsible for having the codes published in the Official Journal of the Italian Republic; the codes shall be included into Annex A) to this Code based on a decree by the Minister of Justice.
3. Compliance with the provisions included in the codes referred to in paragraph 1 shall be a prerequisite for the processing of personal data by public and private entities to be lawful.
4. The provisions of this Section shall also apply to the code of conduct on the processing of data for journalistic purposes as adopted further to the encouragement provided by the Garante in pursuance of paragraph 1 and Section 139.

Section 13 (Information to Data Subjects)
1. The data subject as well as any entity from whom or which personal data are collected shall be preliminarily informed, either orally or in writing, as to:
a) the purposes and modalities of the processing for which the data are intended;
b) the obligatory or voluntary nature of providing the requested data;
c) the consequences if (s)he fails to reply;
d) the entities or categories of entity to whom or which the data may be communicated, or who/which may get to know the data in their capacity as data processors or persons in charge of the processing, and the scope of dissemination of said data;
e) the rights as per Section 7;
f) the identification data concerning the data controller and, where designated, the data controller’s representative in the State’s territory pursuant to Section 5 and the data processor. If several data processors have been designated by the data controller, at least one among them shall be referred to and either the site on the communications network or the mechanisms for easily accessing the updated list of data processors shall be specified. If a data processor has been designated to provide responses to data subjects in case the rights as per Section 7 are exercised, such data processor shall be referred to.
2. The information as per paragraph 1 shall also contain the items referred to in specific provisions of this Code and may fail to include certain items if the latter are already known to the entity providing the data or their knowledge may concretely impair supervisory or control activities carried out by public bodies for purposes related to defence or State security, or else for the prevention, suppression or detection of offences.
3. The Garante may issue a provision to set out simplified information arrangements as regards, in particular, telephone services providing assistance and information to the public.
4. Whenever the personal data are not collected from the data subject, the information as per paragraph 1, also including the categories of processed data, shall be provided to the data subject at the time of recording such data or, if their communication is envisaged, no later than when the data are first communicated.
5. Paragraph 4 shall not apply
a) if the data are processed in compliance with an obligation imposed by a law, regulations or Community legislation;
b) if the data are processed either for carrying out the investigations by defence counsel as per Act no. 397 of 07.12.2000 or to establish or defend a legal claim, provided that the data are processed exclusively for said purposes and for no longer than is necessary therefor;
c) if the provision of information to the data subject involves an effort that is declared by the Garante to be manifestly disproportionate compared with the right to be protected, in which case the Garante shall lay down suitable measures, if any, or if it proves impossible in the opinion of the Garante.

Section 14 (Profiling of Data Subjects and Their Personality)
1. No judicial or administrative act or measure involving the assessment of a person’s conduct may be based solely on the automated processing of personal data aimed at defining the data subject’s profile or personality.
2. The data subject may challenge any other decision that is based on the processing referred to in paragraph 1, pursuant to Section 7(4), letter a), unless such decision has been taken for the conclusion or performance of a contract, further to a proposal made by the data subject or on the basis of adequate safeguards laid down either by this Code or in a provision issued by the Garante in pursuance of Section 17.

Section 15 (Damage Caused on Account of the Processing)
1. Whoever causes damage to another as a consequence of the processing of personal data shall be liable to pay damages pursuant to Section 2050 of the Civil Code.
2. Compensation for non-pecuniary damage shall be also due upon infringement of Section 11.

Section 16 (Termination of Processing Operations)
1. Should data processing be terminated, for whatever reason, the data shall be
a) destroyed;
b) assigned to another data controller, provided they are intended for processing under terms that are compatible with the purposes for which the data have been collected;
c) kept for exclusively personal purposes, without being intended for systematic communication or dissemination;
d) kept or assigned to another controller for historical, scientific or statistical purposes, in compliance with laws, regulations, Community legislation and the codes of conduct and professional practice adopted in pursuance of Section 12.
2. Assignment of data in breach either of paragraph 1, letter b), or of other relevant provisions applying to the processing of personal data shall be void.

Section 17 (Processing Operations Carrying Specific Risks)
1. Processing of data other than sensitive and judicial data shall be allowed in accordance with such measures and precautions as are laid down to safeguard data subjects, if the processing is likely to present specific risks to data subjects’ fundamental rights and freedoms and dignity on account of the nature of the data, the arrangements applying to the processing or the effects the latter may produce.
2. The measures and precautions referred to in paragraph 1 shall be laid down by the Garante on the basis of the principles set out in this Code within the framework of a check to be performed prior to start of the processing as also related to specific categories of data controller or processing, following the request, if any, submitted by the data controller.

CHAPTER II – ADDITIONAL RULES APPLYING TO PUBLIC BODIES

Section 18 (Principles Applying to All Processing Operations Performed by Public Bodies)
1.
The provisions of this Chapter shall apply to all public bodies except for profit-seeking public bodies.
2. Public bodies shall only be permitted to process personal data in order to discharge their institutional tasks.
3. In processing the data, public bodies shall abide by the prerequisites and limitations set out in this Code, by having also regard to the different features of the data, as well as in laws and regulations.
4. Subject to the provisions of Part II as applying to health care professionals and public health care organisations, public bodies shall not be required to obtain the data subject’s consent.
5. The provisions laid down in Section 25 as for communication and dissemination shall apply.

Section 19 (Principles Applying to the Processing of Data Other Than Sensitive and Judicial Data)
1. Public bodies may process data other than sensitive and judicial data also in the absence of laws or regulations providing expressly for such processing, subject to Section 18(2).
2. Communication by a public body to other public bodies shall be permitted if it is envisaged by laws or regulations. Failing such laws or regulations, communication shall be permitted if it is necessary in order to discharge institutional tasks and may be started upon expiry of the term referred to in Section 39(2) if it has not been provided otherwise as specified therein.
3. Communication by a public body to private entities or profit-seeking public bodies as well as dissemination by a public body shall only be permitted if they are provided for by laws or regulations.

Section 20 (Principles Applying to the Processing of Sensitive Data)
1. Processing of sensitive data by public bodies shall only be allowed where it is expressly authorised by a law specifying the categories of data that may be processed and the categories of operation that may be performed as well as the substantial public interest pursued.
2. Whenever the substantial public interest is specified by a law in which no reference is made to the categories of sensitive data and the operations that may be carried out, processing shall only be allowed with regard to the categories of data and operation that have been specified and made public by the entities processing such data, having regard to the specific purposes sought in the individual cases and in compliance with the principles referred to in Section 22, via regulations or regulations-like instruments that shall be adopted pursuant to the opinion rendered by the Garante under Section 154(1), letter g), also on the basis of draft models.
3. If the processing is not provided for expressly by a law, public bodies may request the Garante to determine the activities that pursue a substantial public interest among those they are required to discharge under the law. Processing of sensitive data shall be authorised in pursuance of Section 26(2) with regard to said activities, however it shall only be allowed if the public bodies also specify and make public the categories of data and operation in the manner described in paragraph 2.
4. The specification of the categories of data and operation referred to in paragraphs 2 and 3 shall be updated and supplemented regularly.

Section 21 (Principles Applying to the Processing of Judicial Data)
1. Processing of judicial data by public bodies shall only be permitted where expressly authorized by a law or an order of the Garante specifying the purposes in the substantial public interest underlying such processing, the categories of data to be processed and the operations that may be performed.
2. Section 20(2) and (4) shall also apply to processing of judicial data.

Section 22 (Principles Applying to the Processing of Sensitive Data as well as to Judicial Data)
1. Public bodies shall process sensitive and judicial data in accordance with arrangements aimed at preventing breaches of data subjects’ rights, fundamental freedoms and dignity.
2. When informing data subjects as per Section 13, public bodies shall expressly refer to the provisions setting out the relevant obligations or tasks, on which the processing of sensitive and judicial data is grounded.
3. Public bodies may process exclusively such sensitive and judicial data as are indispensable for them to discharge institutional tasks that cannot be performed, on a case by case basis, by processing anonymous data or else personal data of a different nature.
4. Sensitive and judicial data shall be collected, as a rule, from the data subject.
5. In pursuance of Section 11(1), letters c), d) and e), public bodies shall regularly check that sensitive and judicial data are accurate and updated, and that they are relevant, complete, not excessive and indispensable with regard to the purposes sought in the individual cases - including the data provided on the data subject's initiative. With a view to ensuring that sensitive and judicial data are indispensable in respect of their obligations and tasks, public bodies shall specifically consider the relationship between data and tasks to be fulfilled. No data that is found to be excessive, irrelevant or unnecessary, also as a result of the above checks, may be used, except for the purpose of keeping - pursuant to law - the record or document containing said data. Special care shall be taken in checking that sensitive and judicial data relating to entities other than those which are directly concerned by the service provided or the tasks to be fulfilled are indispensable.
6. Sensitive or judicial data that are contained in lists, registers or data banks kept with electronic means shall be processed by using encryption techniques, identification codes or any other system such as to make the data temporarily unintelligible also to the entities authorised to access them and allow identification of the data subject only in case of necessity, by having regard to amount and nature of the processed data.
7. Data disclosing health and sex life shall be kept separate from any other personal data that is processed for purposes for which they are not required. Said data shall be processed in accordance with the provisions laid down in paragraph 6 also if they are contained in lists, registers or data banks that are kept without the help of electronic means.
8. Data disclosing health may not be disseminated.
9. As for the sensitive and judicial data that are necessary pursuant to paragraph 3, public bodies shall be authorized to carry out exclusively such processing operations as are indispensable to achieve the purposes for which the processing is authorized, also if the data are collected in connection with discharging supervisory, control or inspection tasks.
10. Sensitive and judicial data may not be processed within the framework of psychological and behavioural tests aimed at defining the data subject’s profile or personality. Sensitive and judicial data may only be matched as well as processed in pursuance of Section 14 if the grounds therefor are preliminarily reported in writing.
11. In any case, the operations and processing referred to in paragraph 10, if performed by using data banks from different data controllers, as well as the dissemination of judicial and sensitive data shall only be allowed if they are expressly provided for by law.
12. This Section shall set out principles that are applicable to the processing operations provided for by the Office of the President of the Republic, the Chamber of Deputies, the Senate of the Republic and the Constitutional Court, in pursuance of their respective regulations.

CHAPTER III – ADDITIONAL RULES APPLYING TO PRIVATE BODIES AND PROFIT-SEEKING PUBLIC BODIES

Section 23 (Consent)
1. Processing of personal data by private entities or profit-seeking public bodies shall only be allowed if the data subject gives his/her express consent.
2. The data subject’s consent may refer either to the processing as a whole or to one or more of the operations thereof.
3. The data subject’s consent shall only be deemed to be effective if it is given freely and specifically with regard to a clearly identified processing operation, if it is documented in writing, and if the data subject has been provided with the information referred to in Section 13.
4. Consent shall be given in writing if the processing concerns sensitive data.

Section 24 (Cases in Which No Consent Is Required for Processing Data)
1.
Consent shall not be required in the cases referred to in Part II as well as if the processing
a) is necessary to comply with an obligation imposed by a law, regulations or Community legislation;
b) is necessary for the performance of obligations resulting from a contract to which the data subject is a party, or else in order to comply with specific requests made by the data subject prior to entering into a contract;
c) concerns data taken from public registers, lists, documents or records that are publicly available, without prejudice to the limitations and modalities laid down by laws, regulations and Community legislation with regard to their disclosure and publicity;
d) concerns data relating to economic activities that are processed in compliance with the legislation in force as applying to business and industrial secrecy;
e) is necessary to safeguard life or bodily integrity of a third party. If this purpose concerns the data subject and the latter cannot give his/her consent because (s)he is physically unable to do so, legally incapable or unable to distinguish right and wrong, the consent shall be given by the entity legally representing the data subject, or else by a next of kin, a family member, a person cohabiting with the data subject or, failing these, the manager of the institution where the data subject is hosted. Section 82(2) shall apply;
f) is necessary for carrying out the investigations by defence counsel referred to in Act no. 397 of 07.12.2000, or else to establish or defend a legal claim, provided that the data are processed exclusively for said purposes and for no longer than is necessary therefor by complying with the legislation in force concerning business and industrial secrecy, dissemination of the data being ruled out;
g) is necessary to pursue a legitimate interest of either the data controller or a third party recipient in the cases specified by the Garante on the basis of the principles set out under the law, also with regard to the activities of banking groups and subsidiaries or related companies, unless said interest is overridden by the data subject’s rights and fundamental freedoms, dignity or legitimate interests, dissemination of the data being ruled out;
h) except for external communication and dissemination, is carried out by no-profit associations, bodies or organisations, recognised or not, with regard either to entities having regular contacts with them or to members in order to achieve specific, lawful purposes as set out in the relevant memorandums, articles of association or collective agreements, whereby the mechanisms of utilisation are laid down expressly in a resolution that is notified to data subjects with the information notice provided for by Section 13,
i) is necessary exclusively for scientific and statistical purposes in compliance with the respective codes of professional practice referred to in Annex A), or else exclusively for historical purposes in connection either with private archives that have been declared to be of considerable historical interest pursuant to Section 6(2) of legislative decree no. 499 of 29 October 1999, adopting the consolidated statute on cultural and environmental heritage, or with other private archives pursuant to the provisions made in the relevant codes.

Section 25 (Bans on Communication and Dissemination)
1. Communication and dissemination shall be prohibited if an order to this effect has been issued by either the Garante or judicial authorities, as well as
a) with regard to personal data that must be erased by order, or else upon expiry of the term referred to in Section 11(1), letter e),
b) for purposes other than those specified in the notification, whenever the latter is to be submitted.
2. This shall be without prejudice to communication and dissemination of the data as requested, pursuant to law, by police, judicial authorities, intelligence and security agencies and other public bodies according to Section 58(2), for purposes of defence or relating to State security, or for the prevention, detection or suppression of offences.

Section 26 (Safeguards Applying to Sensitive Data)
1. Sensitive data may only be processed with the data subject’s written consent and the Garante’s prior authorisation, by complying with the prerequisites and limitations set out in this Code as well as in laws and regulations.
2. The Garante shall communicate its decision concerning the request for authorisation within forty-five days; failing a communication at the expiry of said term, the request shall be regarded as dismissed. Along with the authorisation or thereafter, based also on verification, the Garante may provide for measures and precautions in order to safeguard the data subject, which the data controller shall be bound to apply.
3. Paragraph 1 shall not apply to processing
a) of the data concerning members of religious denominations and entities having regular contact with said denominations for exclusively religious purposes, on condition that the data are processed by the relevant organs or bodies recognised under civil law and are not communicated or disseminated outside said denominations.
The latter shall lay down suitable safeguards with regard to the processing operations performed by complying with the relevant principles as set out in an authorisation by the Garante;
b) of the data concerning affiliation of trade unions and/or trade associations or organisations to other trade unions and/or trade associations, organisations or confederations.
4. Sensitive data may also be processed without consent, subject to the Garante’s authorisation,
a) if the processing is carried out for specific, lawful purposes as set out in the relevant memorandums, articles of association or collective agreements by not-for-profit associations, bodies or organisations, whether recognised or not, of political, philosophical, religious or trade-unionist nature, including political parties and movements, with regard to personal data concerning members and/or entities having regular contacts with said associations, bodies or organisations in connection with the aforementioned purposes, provided that the data are not communicated or disclosed outside and the bodies, associations or organisations lay down suitable safeguards in respect of the processing operations performed by expressly setting out the arrangements for using the data through a resolution that shall be made known to data subjects at the time of providing the information under Section 13;
b) if the processing is necessary to protect a third party’s life or bodily integrity. If this purpose concerns the data subject and the latter cannot give his/her consent because (s)he is physically unable to do so, legally incapable or unable to distinguish right and wrong, the consent shall be given by the entity legally representing the data subject, or else by a next of kin, a family member, a person cohabiting with the data subject or, failing these, the manager of the institution where the data subject is hosted. Section 82(2) shall apply;
c) if the processing is necessary for carrying out the investigations by defence counsel referred to in Act no. 397 of 07.12.2000, or else to establish or defend a legal claim, provided that the data are processed exclusively for said purposes and for no longer than is necessary therefor. Said claim must not be overridden by the data subject’s claim, or else must consist in a personal right or another fundamental, inviolable right or freedom, if the data can disclose health and sex life;
d) if the processing is necessary to comply with specific obligations and/or tasks laid down by laws, regulations or Community legislation in the employment context, also with regard to occupational and population hygiene and safety and to social security and assistance purposes, to the extent that it is provided for in the authorisation and subject to the requirements of the code of conduct and professional practice referred to in Section 111.
5. Data disclosing health may not be disseminated.

Section 27 (Safeguards Applying to Judicial Data)
1. Processing of judicial data by private entities and profit-seeking public bodies shall be permitted only where expressly authorized by a law or an order by the Garante specifying the reasons in the substantial public interest underlying such processing, the categories of processed data and the operations that may be performed.

TITLE IV – ENTITIES PERFORMING PROCESSING OPERATIONS

Section 28 (Data Controller)
1. Whenever processing operations are carried out by a legal person, a public administrative agency or any other body, association or organisation, the data controller shall be either the entity as a whole or the department or peripheral unit having fully autonomous decision-making powers in respect of purposes and mechanisms of said processing operations as also related to security matters.

Section 29 (Data Processor)
1. The data processor may be designated by the data controller on an optional basis.
2. Where designated, the data processor shall be selected among entities that can appropriately ensure, on account of their experience, capabilities and reliability, thorough compliance with the provisions in force applying to processing as also related to security matters.
3. If necessary on account of organizational requirements, several entities may be designated as data processors also by subdividing the relevant tasks.
4. The tasks committed to the data processor shall be detailed in writing by the data controller.
5. The data processor shall abide by the instructions given by the data controller in carrying out the processing. The data controller shall supervise over thorough compliance with both said instructions and the provisions referred to in paragraph 2, also by means of regular controls.

Section 30 (Persons in Charge of the Processing)
1. Processing operations may only be performed by persons in charge of the processing that act under the direct authority of either the data controller or the data processor by complying with the instructions received.
2. The aforementioned persons shall be nominated in writing by specifically referring to the scope of the processing operations that are permitted. This requirement shall be also fulfilled if a natural person is entrusted with the task of directing a department, on a documentary basis, whereby the scope of the processing operations that may be performed by the staff working in said department has been specified in writing.

TITLE V – DATA AND SYSTEM SECURITY

CHAPTER I – SECURITY MEASURES

Section 31 (Security Requirements)
1. Personal data undergoing processing shall be kept and controlled, also in consideration of technological innovations, of their nature and the specific features of the processing, in such a way as to minimise, by means of suitable preventative security measures, the risk of their destruction or loss, whether by accident or not, of unauthorized access to the data or of processing operations that are either unlawful or inconsistent with the purposes for which the data have been collected.

Section 32 (Specific Categories of Data Controller)
1. The provider of a publicly available electronic communications service shall take suitable technical and organisational measures under Section 31 that are adequate in the light of the existing risk, in order to safeguard security of its services and integrity of traffic data, location data and electronic communications against any form of unauthorised utilisation or access.
2. Whenever security of service or personal data makes it necessary to also take measures applying to the network, the provider of a publicly available electronic communications service shall take those measures jointly with the provider of the public communications network. Failing an agreement between said providers, the dispute shall be settled, at the instance of either provider, by the Authority for Communications Safeguards in pursuance of the arrangements set out in the legislation in force.
3. In case of a particular risk of a breach of network security, the provider of a publicly available electronic communications service shall inform subscribers and, if possible, users concerning said risk and, when the risk lies outside the scope of the measures to be taken by said provider pursuant to paragraphs 1 and 2, of all the possible remedies including an indication of the likely costs involved. This information shall be also provided to the Garante and the Authority for Communications Safeguards.
CHAPTER II – MINIMUM SECURITY MEASURES

Section 33 (Minimum Security Measures)
1. Within the framework of the more general security requirements referred to in Section 31, or else provided for by specific regulations, data controllers shall be required in any case to adopt the minimum security measures pursuant either to this Chapter or to Section 58(3) in order to ensure a minimum level of personal data protection.

Section 34 (Processing by Electronic Means)
1. Processing personal data by electronic means shall only be allowed if the minimum security measures referred to below are adopted in accordance with the arrangements laid down in the technical specifications as per Annex B:
a) computerised authentication,
b) implementation of authentication credentials management procedures,
c) use of an authorisation system,
d) regular update of the specifications concerning scope of the processing operations that may be performed by the individual entities in charge of managing and/or maintaining electronic means,
e) protection of electronic means and data against unlawful data processing operations, unauthorised access and specific software,
f) implementation of procedures for safekeeping backup copies and restoring data and system availability,
g) keeping an up-to-date security policy document,
h) implementation of encryption techniques or identification codes for specific processing operations performed by health care bodies in respect of data disclosing health and sex life.

Section 35 (Processing without Electronic Means)
1. Processing personal data without electronic means shall only be allowed if the minimum security measures referred to below are adopted in accordance with the arrangements laid down in the technical specifications as per Annex B:
a) regular update of the specifications concerning scope of the processing operations that may be performed by the individual entities in charge of the processing and/or by the individual organisational departments,
b) implementing procedures such as to ensure safekeeping of records and documents committed to the entities in charge of the processing for the latter to discharge the relevant tasks,
c) implementing procedures to keep certain records in restricted-access filing systems and regulating access mechanisms with a view to enabling identification of the entities in charge of the processing.

Section 36 (Upgrading)
1. The technical specifications as per Annex B concerning the minimum measures referred to in this Chapter shall be regularly updated by a decree of the Minister of Justice issued in agreement with the Minister for Innovation and Technologies by having regard to both technical developments and the experience gathered in this sector.

TITLE VI – PERFORMANCE OF SPECIFIC TASKS

Section 37 (Notification of the Processing)
1. A data controller shall notify the processing of personal data he/she intends to perform exclusively if said processing concerns:
a) genetic data, biometric data, or other data disclosing geographic location of individuals or objects by means of an electronic communications network,
b) data disclosing health and sex life where processed for the purposes of assisted reproduction, provision of health care services via electronic networks in connection with data banks and/or the supply of goods, epidemiological surveys, diagnosis of mental, infectious and epidemic diseases, seropositivity, organ and tissue transplantation and monitoring of health care expenditure,
c) data disclosing sex life and the psychological sphere where processed by not-for-profit associations, bodies or organisations, whether recognised or not, of a political, philosophical, religious or trade-union character,
d) data processed with the help of electronic means aimed at profiling the data subject and/or his/her personality, analysing consumption patterns and/or choices, or monitoring use of electronic communications services except for such processing operations as are technically indispensable to deliver said services to users,
e) sensitive data stored in data banks for personnel selection purposes on behalf of third parties, as well as sensitive data used for opinion polls, market surveys and other sample-based surveys,
f) data stored in ad-hoc data banks managed by electronic means in connection with creditworthiness, assets and liabilities, appropriate performance of obligations, and unlawful and/or fraudulent conduct.
2. The Garante may specify, by means of a decision that shall be adopted also in pursuance of Section 17, additional processing operations that are liable to affect the data subjects’ rights and freedoms on account of the relevant mechanisms and/or the nature of the personal data at stake.
By means of a similar decision to be published in the Official Journal of the Italian Republic, the Garante may also specify the processing operations among those referred to in paragraph 1 that are not liable to be prejudicial in the way described above and are therefore exempted from notification.
3. The notification shall be submitted by means of a single form also if the processing entails transborder data flows.
4. The Garante shall enter the notifications submitted as above into a publicly available register of processing operations and shall set out the mechanisms for such register to be interrogated free of charge via electronic networks, also by means of agreements with public bodies or else at the Office of the Garante. Any information that is accessed by interrogating said register may only be processed for the purpose of implementing personal data protection legislation.

Section 38 (Notification Mechanisms)
1. The notification of processing operations shall have to be submitted to the Garante in advance of the processing and once only, regardless of the number of operations to be performed and the duration of the processing, and may concern one or more processing operations for related purposes.
2. A notification shall only be effective if it is transmitted via electronic networks by using the form made available by the Garante and following the latter’s instructions, also with regard to the arrangements applying to digital signature and receipt confirmation.
3. The Garante shall enhance both availability of the electronic form and submission of notifications also by means of agreements with authorised entities pursuant to the legislation in force, including trade associations and professional councils.
4. A new notification shall only have to be submitted either prior to termination of processing operations or in connection with the modification of any of the items to be specified in the notification.
5. The Garante may set out further appropriate arrangements for notification by having regard to new technological solutions as referred to in the legislation in force.
6. Where a data controller is not required to submit a notification to the Garante in pursuance of Section 37, he/she shall make available the information contained in the form as per paragraph 2 to any person requesting it, unless the processing operations concern public registers, lists, records or publicly available documents.

Section 39 (Communication Obligations)
1. Data controllers shall be required to communicate what follows in advance to the Garante:
a) that personal data are to be communicated by a public body to another public body in the absence of specific laws or regulations, irrespective of the form taken by such communication and also in case the latter is based on an agreement,
b) that data disclosing health are to be processed in pursuance of the biomedical or health care research programme referred to in Section 110(1), first sentence.
2. The processing operations that are the subject of a communication as per paragraph 1 may start after 45 days have elapsed since receipt of the relevant communication, except as provided otherwise by the Garante also thereafter.
3. The communication as per paragraph 1 shall be given by using the form drawn up and made available by the Garante; it shall be transmitted to the latter either electronically in compliance with the digital signature and receipt confirmation mechanisms outlined in Section 38(2), or by fac-simile or registered letter.

Section 40 (General Authorisations)
1. The provisions of this Code referring to an authorisation to be granted by the Garante shall also be implemented by issuing authorisations applying to specific categories of data controller or processing, which shall be published in the Official Journal of the Italian Republic.

Section 41 (Authorisation Requests)
1. Data controllers falling under the scope of application of an authorisation issued pursuant to Section 40 shall not be required to lodge an authorisation request with the Garante if the processing they plan to perform is compliant with the relevant provisions.
2. If an authorisation request concerns a processing operation that has been authorised pursuant to Section 40, the Garante may decide nevertheless to take steps regarding said request on account of the specific modalities of the processing.
3. Any authorisation request shall be submitted by using exclusively the form drawn up and made available by the Garante, and shall be transmitted to the latter electronically in compliance with the arrangements applying to digital signature and receipt confirmation as per Section 38(2). Said request and authorisation may also be transmitted by fac-simile or registered letter.
4. If the requesting party is called upon by the Garante to provide information or produce documents, the forty-five-day period referred to in Section 26(2) shall start running from the date of expiry of the term for complying with the above request.
5. Under special circumstances, the Garante may issue a provisional, time-limited authorisation.

TITLE VII – TRANSBORDER DATA FLOWS

Section 42 (Data Flows in the EU)
1. The provisions of this Code shall not be applied in such a way as to restrict or prohibit the free movement of personal data among EU Member States, subject to the taking of measures under this Code in case data are transferred in order to escape application of said provisions.

Section 43 (Permitted Data Transfers to Third Countries)
1. Personal data that are the subject of processing may be transferred from the State’s territory to countries outside the European Union, temporarily or not and in any form and by any means whatsoever,
a) if the data subject has given his/her consent either expressly or, where the transfer concerns sensitive data, in writing;
b) if the transfer is necessary for the performance of obligations resulting from a contract to which the data subject is a party, or to take steps at the data subject’s request prior to entering into a contract, or for the conclusion or performance of a contract made in the interest of the data subject;
c) if the transfer is necessary for safeguarding a substantial public interest that is referred to by laws or regulations, or else that is specified in pursuance of Sections 20 and 21 where the transfer concerns sensitive or judicial data;
d) if the transfer is necessary to safeguard a third party’s life or bodily integrity. If this purpose concerns the data subject and the latter cannot give his/her consent because (s)he is physically unable to do so, legally incapable or unable to distinguish right and wrong, the consent shall be given by the entity legally representing the data subject, or else by a next of kin, a family member, a person cohabiting with the data subject or, failing these, the manager of the institution where the data subject is hosted. Section 82(2) shall apply;
e) if the transfer is necessary for carrying out the investigations by defence counsel referred to in Act no. 397 of 07.12.2000, or else to establish or defend a legal claim, provided that the data are transferred exclusively for said purposes and for no longer than is necessary therefor in compliance with the legislation in force applying to business and industrial secrecy;
f) if the transfer is carried out in response to a request for access to administrative records or for information contained in a publicly available register, list, record or document, in compliance with the provisions applying to this subject-matter;
g) if the transfer is necessary, pursuant to the relevant codes of conduct referred to in Annex A), exclusively for scientific or statistical purposes, or else exclusively for historical purposes, in connection with private archives that have been declared to be of considerable historical interest under Section 6(2) of legislative decree no. 490 of 29 October 1999, enacted to adopt the consolidated statute on cultural and environmental heritage, or else in connection with other private archives pursuant to the provisions made in said codes;
h) if the processing concerns data relating to legal persons, bodies or associations.

Section 44 (Other Permitted Data Transfers)
1. The transfer of processed personal data to a non-EU Member State shall also be permitted if it is authorised by the Garante on the basis of adequate safeguards for data subjects’ rights
a) as determined by the Garante also in connection with contractual safeguards,
b) as determined via the decisions referred to in Articles 25(6) and 26(4) of Directive 95/46/EC of the European Parliament and of the Council, of 24 October 1995, through which the European Commission may find that a non-EU Member State affords an adequate level of protection, or else that certain contractual clauses afford sufficient safeguards.

Section 45 (Prohibited Data Transfers)
1. Apart from the cases referred to in Sections 43 and 44, it shall be prohibited to transfer personal data that are the subject of processing from the State’s territory to countries outside the European Union, temporarily or not and in any form and by any means whatsoever, if the laws of the country of destination or transit of the data do not ensure an adequate level of protection of individuals. Account shall also be taken of the methods used for the transfer and the envisaged processing operations, the relevant purposes, nature of the data and security measures.

PART II – PROVISIONS APPLYING TO SPECIFIC SECTORS

TITLE I – PROCESSING OPERATIONS IN THE JUDICIAL SECTOR

CHAPTER I – IN GENERAL

Section 46 (Data Controllers)
1. Judicial offices at all levels and of all instances, the Higher Council of the Judiciary, the other self-regulatory bodies and the Ministry of Justice shall act as controllers of the processing operations concerning personal data in connection with the tasks respectively conferred on them by laws and/or regulations.
2. The non-occasional processing operations referred to in paragraph 1 that are performed by electronic means shall be specified in a decree by the Minister of Justice as per Annex C) to this Code where they concern data banks that are either centralised or interconnected with regard to several offices and/or data controllers. The provisions by which the Higher Council of the Judiciary and the other self-regulatory bodies referred to in paragraph 1 specify the processing operations they respectively perform shall be included into Annex C) pursuant to a decree by the Minister of Justice.

Section 47 (Processing Operations for Purposes of Justice)
1. As for the processing of personal data carried out by judicial offices at all levels and of all instances, by the Higher Council of the Judiciary, other self-regulatory bodies and the Ministry of Justice, the following provisions of the Code shall not apply if the processing is carried out for purposes of justice:
a) Sections 9, 10, 12, 13 and 16, 18 to 22, 37, 38 (paragraphs 1 to 5), and 39 to 45;
b) Sections 145 to 151.
2. For the purposes of this Code, personal data shall be considered to be processed for purposes of justice if the processing is directly related to the judicial handling of matters and litigations, or if it produces direct effects on the functioning of courts as regards legal and economic status of members of the judiciary, as well as if it is related to auditing activities carried out in respect of judicial offices. Conventional administrative and management activities regarding personnel, assets or facilities shall not be considered to be carried out for purposes of justice if they do not affect the secrecy of acts that are directly related to the handling of matters and litigations referred to above.

Section 48 (Data Banks of Judicial Offices)
1. Where judicial authorities at all levels and of all instances may acquire data, information, records and documents from public bodies pursuant to the procedural regulations in force, such acquisition may also take place electronically. To that end, judicial offices may avail themselves of the standard agreements made by the Minister of Justice with public bodies in order to facilitate interrogation by said offices of public registers, lists, filing systems and data banks via electronic communication networks, whereby compliance with the relevant provisions as well as with the principles laid down in Sections 3 and 11 of this Code shall have to be ensured.

Section 49 (Implementing Provisions)
1. The regulatory provisions required to implement the principles of this Code with regard to civil and criminal matters shall be adopted by means of a decree of the Minister of Justice, which shall also supplement the provisions laid down in decree no. 334 of 30 September 1989 by the Minister of Justice.

CHAPTER II – CHILDREN

Section 50 (Reports or Images Concerning Underage Persons)
1. The prohibition to publish and disseminate, by any means whatsoever, reports or images allowing an underage person to be identified, which is referred to in Section 13 of Presidential Decree no. 448 of 22 September 1988, shall also apply if an underage person is involved for whatever reason in judicial proceedings concerning non-criminal matters.

CHAPTER III – LEGAL INFORMATION SERVICES

Section 51 (General Principles)
1. Without prejudice to procedural regulations on viewing and obtaining abstracts and copies of