DATA PROCESSING

General principles

Any processing of personal data must take place in compliance with the principles set out in Article 5 of Regulation (EU) 2016/679, as indicated below:

  • lawfulness, fairness and transparency of the processing towards the data subject;

  • limitation of the purpose of the processing, including the obligation to ensure that any subsequent processing is not incompatible with the purposes of data collection;

  • data minimization: that is, the data must be adequate, relevant and limited to what is necessary with respect to the purposes of the processing;

  • accuracy and updating of data, including the timely deletion of data that are inaccurate with respect to the purposes of the processing;

  • storage limitation: that is, data must be kept for no longer than is necessary for the purposes for which the processing was carried out;

  • integrity and confidentiality: the adequate security of the personal data being processed must be guaranteed.


Lawfulness

The Regulation, as already provided for by the Code regarding the protection of personal data, requires that each processing operation rest on an appropriate legal basis. The grounds for the lawfulness of the processing of personal data are indicated in Article 6 of the Regulation.

The legal bases on which the processing of data concerning the data subject may rest are 6 (six), specifically:

  1. consent;

  2. fulfillment of contractual obligations;

  3. vital interests of the data subject or third parties;

  4. legal obligations to which the controller is subject;

  5. public interest or exercise of public authority;

  6. overriding legitimate interest of the controller or of third parties to whom the data are communicated.


Personal data

Personal data is information that identifies, or makes identifiable, directly or indirectly, a natural person, and that can provide information on their characteristics, habits, lifestyle, personal relationships, state of health, economic situation, etc.

In particular:

• data that allow direct identification - such as personal details (for example: name and surname), images, etc. - and data that allow indirect identification, such as an identification number (for example, the tax code, the IP address, the license plate number);

• data falling into particular categories: these are the so-called "particular" data, formerly "sensitive" data, that is, those that reveal racial or ethnic origin, religious or philosophical beliefs, political opinions or trade union membership, or that relate to health or sex life. Regulation (EU) 2016/679 (article 9) also included genetic data, biometric data and data relating to sexual orientation in this notion;

• data relating to criminal convictions and offenses: these are the so-called "judicial" data, that is, those that can reveal the existence of certain judicial measures subject to registration in the criminal record (for example, final criminal convictions, conditional release, prohibition or obligation of residence, alternative measures to detention) or the status of accused or suspected person. Regulation (EU) 2016/679 (article 10) includes in this concept data relating to criminal convictions and offenses or related security measures.

With the evolution of new technologies, other personal data have assumed a significant role, such as those relating to electronic communications (via the Internet or telephone) and those that allow geolocation, providing information on places frequented and movements.


Particular data

For the "special categories of personal data" (article 9 of the Regulation), processing is prohibited unless the controller can demonstrate that at least one of the conditions set out in article 9, paragraph 2 of the Regulation is met, as shown below:

  1. the data subject has given explicit consent to the processing of such personal data for one or more specific purposes;

  2. the processing is carried out by a non-profit organization that pursues political, philosophical, religious or trade union purposes;

  3. the processing concerns personal data made manifestly public by the data subject;

  4. processing of personal data carried out by companies for telemarketing activities. Where processing rests on this premise, the conditions of lawfulness of the processing and the conditions for consent, compliance with the obligation to provide information, and the duration of data retention will in general be verified;

  5. the processing is necessary for one of the following purposes:

  • to fulfill the obligations and exercise the specific rights of the data controller or the data subject in the field of labor law and social security and social protection;

  • to protect a vital interest of the data subject or of another natural person, if the data subject is physically or legally incapable of giving consent;

  • to ascertain, exercise or defend a right in court or whenever the judicial authorities exercise their judicial functions;

  • for reasons of substantial public interest on the basis of Union or Member State law;

  • for purposes of preventive medicine or occupational medicine;

  • for reasons of public interest in the public health sector;

  • for the pursuit of archiving purposes in the public interest, for scientific or historical research or for statistical purposes.


The notice

The GDPR provides that, depending on the purpose of the processing, the data controller must provide data subjects, before processing, with the information required by the rules (Article 12). This is done through the information notice.

The information notice is a communication addressed to the data subject whose purpose is to inform them about the purposes and methods of the processing carried out by the Data Controller.

It is a condition not so much of respect for the individual right to be informed, but of the duty of the data controller to ensure the transparency and fairness of processing right from the design phase (privacy by design and by default) of the processing itself, and to be able to prove it at any time (accountability principle).

The notice also serves to allow the data subject to give valid consent, where consent is required as the legal basis of the processing. In this case, the notice is not only due on the basis of the principle of transparency and fairness, but is also a condition of the legitimacy of the consent.

The notice (articles 13 and 14 of the Regulation) must be provided to the data subject BEFORE the processing is carried out, and therefore before data collection (when data are collected directly from the data subject: article 13 of the Regulation).

In the case of personal data not collected directly from the data subject (Article 14 of the Regulation), the notice must be provided within a reasonable period that cannot exceed 1 month from collection, or at the time of communication (not registration) of the data (to third parties or to the data subject) (unlike the provisions of Article 13, paragraph 4, of the Code).

In particular, the notice must contain all of the following information:

  • the identity and contact details of the data controller and, where applicable, of his representative;

  • the contact details of the Data Protection Officer, when required;

  • the purposes of the processing for which the personal data are intended as well as the legal basis of the processing;

  • if the processing is necessary for the pursuit of the legitimate interest of the data controller or third parties, the legitimate interests pursued by the data controller or third parties;

  • any recipients or any categories of recipients of the personal data;

  • where applicable, the intention of the controller to transfer personal data to a third country or to an international organization, and the existence or absence of a Commission adequacy decision.

In addition to this information, when the data were obtained from the data subject, the data controller must provide the following additional information:

  • the data retention period;

  • the intention of the data controller to transfer personal data to a third country or to an international organization;

  • the right of the data subject to lodge a complaint with a supervisory authority;

  • the existence of automated decision-making, including profiling, with an indication of the logic used and the significance and consequences of the processing;

  • the right of access to data by the data subject;

  • the right to rectification and erasure;

  • the right to restriction of processing or to object to it;

  • the right to portability;

  • the right to withdraw consent.


Method of disclosure

The notice must be concise, clear, easily accessible and intelligible to the data subject (Recital 39), possibly also using images or icons. It must be given in writing or by other means (including electronic means, such as e-mail). If requested by the data subject, the notice must be given orally (provided that the identity of the data subject is proven by other means). It is preferable to provide it in a form that proves its existence and allows the supervisory authorities to verify its completeness and correctness.

It is possible to publish the notice on a website, by inserting a link to that web page on the main page (home) of the website, and also in communications and correspondence, including paper correspondence. In the case of postal communications, however, it is also necessary to provide alternative forms, such as sending a fax at the request of the data subject, for those who are unable to read it online.