PERSONAL DATA PROTECTION CODE
Legislative Decree no. 196 of 30 June 2003
TITLE II – DATA SUBJECT’S RIGHTS
Section 7
(Right to Access Personal Data and Other
Rights)
1. A data subject shall have the right to obtain confirmation as to
whether or not personal data
concerning him exist, regardless of their being already recorded, and
communication of such data in
intelligible form.
2. A data subject shall have the right to be informed
a) of the source of the personal data;
b) of the purposes and methods of the processing;
c) of the logic applied to the processing, if the latter is carried out
with the help of electronic
means;
d) of the identification data concerning data controller, data
processors and the
representative designated as per Section 5(2);
19
e) of the entities or categories of entity to whom or which the personal
data may be
communicated and who or which may get to know said data in their
capacity as designated
representative(s) in the State’s territory, data processor(s) or
person(s) in charge of the processing.
3. A data subject shall have the right to obtain
a) updating, rectification or, where interested therein, integration of
the data;
b) erasure, anonymization or blocking of data that have been processed
unlawfully,
including data whose retention is unnecessary for the purposes for which
they have been collected
or subsequently processed;
c) certification to the effect that the operations as per letters a) and
b) have been notified, as
also related to their contents, to the entities to whom or which the
data were communicated or
disseminated, unless this requirement proves impossible or involves a
manifestly disproportionate
effort compared with the right that is to be protected.
4. A data subject shall have the right to object, in whole or in part,
a) on legitimate grounds, to the processing of personal data concerning
him/her, even though
they are relevant to the purpose of the collection;
b) to the processing of personal data concerning him/her, where it is
carried out for the
purpose of sending advertising materials or direct selling or else for
the performance of market or
commercial communication surveys.
Section 8
(Exercise of Rights)
1. The rights referred to in Section 7 may be exercised by making a
request to the data controller or
processor without formalities, also by the agency of a person in charge
of the processing. A suitable
response shall be provided to said request without delay.
2. The rights referred to in Section 7 may not be exercised by making a
request to the data controller
or processor, or else by lodging a complaint in pursuance of Section
145, if the personal data are
processed:
a) pursuant to the provisions of decree-law no. 143 of 3 May 1991, as
converted, with
amendments, into Act no. 197 of 5 July 1991 and subsequently amended,
concerning money
laundering;
b) pursuant to the provisions of decree-law no. 419 of 31 December 1991,
as converted, with
amendments, into Act no. 172 of 18 February 1992 and subsequently
amended, concerning support
for victims of extortion;
c) by parliamentary Inquiry Committees set up as per Article 82 of the
Constitution;
20
d) by a public body other than a profit-seeking public body, where this
is expressly required
by a law for purposes exclusively related to currency and financial
policy, the system of payments,
control of brokers and credit and financial markets and protection of
their stability;
e) in pursuance of Section 24(1), letter f), as regards the period
during which performance
of the investigations by defence counsel or establishment of the legal
claim might be actually and
concretely prejudiced;
f) by providers of publicly available electronic communications services
in respect of
incoming phone calls, unless this may be actually and concretely
prejudicial to performance of the
investigations by defence counsel as per Act no. 397 of 7 December 2000;
g) for reasons of justice by judicial authorities at all levels and of
all instances as well as by
the Higher Council of the Judiciary or other self-regulatory bodies, or
else by the Ministry of
Justice;
h) in pursuance of Section 53, without prejudice to Act no. 121 of 1
April 1981.
3. In the cases referred to in paragraph 2, letters a), b), d), e) and
f), the Garante, also following a
report submitted by the data subject, shall act as per Sections 157, 158
and 159; in the cases referred
to in letters c), g) and h) of said paragraph, the Garante shall act as
per Section 160.
4. Exercise of the rights referred to in Section 7 may be permitted with
regard to data of nonobjective
character on condition that it does not concern rectification of or
additions to personal
evaluation data in connection with judgments, opinions and other types
of subjective assessment, or
else the specification of policies to be implemented or decision-making
activities by the data
controller.
Section 9
(Mechanisms to Exercise Rights)
1. The request addressed to the data controller or processor may also be
conveyed by means of a
registered letter, facsimile or e-mail. The Garante may specify other
suitable arrangements with
regard to new technological solutions. If the request is related to
exercise of the rights referred to in
Section 7(1) and (2), it may also be made verbally; in this case, it
will be written down in summary
fashion by either a person in charge of the processing or the data
processor.
2. The data subject may grant, in writing, power of attorney or
representation to natural persons,
bodies, associations or organisations in connection with exercise of the
rights as per Section 7. The
data subject may also be assisted by a person of his/her choice.
3. The rights as per Section 7, where related to the personal data
concerning a deceased, may be
exercised by any entity that is interested therein or else acts to
protect a data subject or for familyrelated
reasons deserving protection.
21
4. The data subject’s identity shall be verified on the basis of
suitable information, also by means of
available records or documents or by producing or attaching a copy of an
identity document. The
person acting on instructions from the data subject must produce or
attach a copy of either the proxy
or the letter of attorney, which shall have been undersigned by the data
subject in the presence of a
person in charge of the processing or else shall bear the data subject's
signature and be produced
jointly with a copy of an ID document from the data subject, which shall
not have to be certified true
pursuant to law. If the data subject is a legal person, a body or
association, the relevant request shall
be made by the natural person that is legally authorized thereto based
on the relevant regulations or
articles of association.
5. The request referred to in Section 7(1) and (2) may be worded freely
without any constraints and
may be renewed at intervals of not less than ninety days, unless there
are well-grounded reasons.
Section 10
(Response to Data Subjects)
1. With
a view to effectively exercising the rights referred to in Section 7, data
controllers shall
take suitable measures in order to, in particular,
a) facilitate access to personal data by the data subjects, even by
means of ad hoc software
allowing accurate retrieval of the data concerning individual identified
or identifiable data subjects;
b) simplify the arrangements and reduce the delay for the responses,
also with regard to
public relations departments or offices.
2. The data processor or the person(s) in charge of the processing shall
be responsible for retrieval
of the data, which may be communicated to the requesting party also
verbally, or else displayed by
electronic means - on condition that the data are easily intelligible in
such cases also in the light of
the nature and amount of the information. The data shall be reproduced
on paper or magnetic media,
or else transmitted via electronic networks, whenever this is requested.
3. The response provided to the data subject shall include all the
personal data concerning him/her
that are processed by the data controller, unless the request concerns
either a specific processing
operation or specific personal data or categories of personal data. If
the request is made to a health
care professional or health care body, Section 84(1) shall apply.
4. If data retrieval is especially difficult, the response to the data
subject’s request may also consist
in producing or delivering copy of records and documents containing the
personal data at stake.
5. The right to obtain communication of the data in intelligible form
does not apply to personal data
concerning third parties, unless breaking down the processed data or
eliminating certain items from
the latter prevents the data subject’s personal data from being
understandable.
6. Data are communicated in intelligible form also by using legible
handwriting. If codes or
abbreviations are communicated, the criteria for understanding the
relevant meanings shall be made
available also by the agency of the persons in charge of the processing.
22
7. Where it is not confirmed that personal data concerning the data
subject exist, further to a request
as per Section 7(1) and (2), letters a), b) and c), the data subject may
be charged a fee which shall
not be in excess of the costs actually incurred for the inquiries made
in the specific case.
8. The fee referred to in paragraph 7 may not be in excess of the amount
specified by the Garante in
a generally applicable provision, which may also refer to a lump sum to
be paid in case the data are
processed by electronic means and the response is provided verbally.
Through said instrument the
Garante may also provide that the fee may be charged if the personal
data are contained on special
media whose reproduction is specifically requested, or else if a
considerable effort is required by
one or more data controllers on account of the complexity and/or amount
of the requests and
existence of data concerning the data subject can be confirmed.
9. The fee referred to in paragraphs 7 and 8 may also be paid by bank or
postal draft, or else by
debit or credit card, if possible upon receiving the relevant response
and anyhow within fifteen days
of said response.