GNOSIS
Rivista italiana
diintelligence
Agenzia Informazioni
e Sicurezza Interna
» ABBONAMENTI

» CONTATTI

» DIREZIONE

» AISI





» INDICE AUTORI

Italiano Tutte le lingue Cerca i titoli o i testi con
GNOSIS 1/2009
The respect for privacy
and the need for security


INTERVIEW with Francesco PIZZETTI - President of the Guarantor Authority for the safeguard of personal data
by Pio MARCONI


Born in Alessandria, the 21st November, 1946, he is full-professor of Constitutional Law at the University of Turin.
He has held numerous and prestigious posts, among which are:
1984/1987: Vice-Rector of the University of Turin;
1990/1993: Vice Mayor of Turin;
1996/1998: Constitutional Advisor of the President of the Council and Secretary of the State-City local Autonomies Conference, instituted at the Presidency of the Council of Ministers;
From 1998 he has been the President of the Advisory Commission for the agreements with the religious denominations, instituted at the Presidency of the Council of Ministers;
1998/2001:Director of the Secondary School of the Public Administration;
2000/2004: Member of the Council of the Presidency of the Administrative Justice;
He is author of many texts and publications.
From 18 april 2005 he has been President of the Guarantor Authority for the safeguard of personal data.



For about a decade, Italy has had legislation on privacy, and an institution delegated to guarantee the protection of personal data. In the same ten years, enormously disproportionate technology and instrumentation has been developed, able to damage communication and store and preserve any type of information for absolutely indeterminable periods. The manifestation of devastating international conflicts and a new distribution of the populations favoured by globalization have suggested and, at times, imposed penetrating forms of control on the persons united in the construction of huge archives of data.
Today, the possibility of disposing of a huge mass of data belongs also to the business world and to the private individual who operates in the civil society.
A threat to privacy also comes from possible misuses generated in the world of economic interests. Finally, to the phenomena of a global and structural type must be added episodes which have given rise to hypothesize on further pathologies.
A distorted use of legitimate judicial interceptions, the illegal disclosure of them, and certain controls on the traffic of the communications has had – in some cases that have received wide publicity – seriously damaging effects on the dignity of non-investigated persons, going as far as to alter the correct trial dynamics and jeopardize the regular performance of the institutional political life.
What are the instruments designed by the Legislator for the safeguard of privacy? How has the Guarantor Authority worked over the years? What regulations have been issued to protect communications and persons? Have the instruments designed by the Legislator been sufficient? How can security and transparency be combined – in the movements of the population – with the fundamental rights of the individual? Twelve questions on these and other subjects have been put to Professor Francesco Pizzetti, President from 18th April, 2005 of the Guarantor Authority for the protection of personal information.




In the developed societies privacy is expected, but also security is expected. It is the result of epoch making changes: in the culture, in the composition of the populations, and in the geopolitical scenario. After the 11th September, measures were introduced that accentuate the acquisition of personal data, and from such knowledge to create huge databases. Alarms, complaints and protests have resulted and in Great Britain conservative parliament members have likened the situation to that of George Orwell’s Big Brother of ‘1984’. Can the needs of defence against terrorism co-exist with the safeguard of privacy?
In what way?
Globalization (together with the relative or absolute impoverishment of certain areas on the planet) leads to an acceleration of migration. It concerns a physiological aspect of the global society in which merchandise, work and innovation must circulate freely. It is a phenomenon that produces anomalous social conditions and social tension. In the United States and in Europe, today, measures of control and new forms of control have priority on the political agenda. The collection of biometric data: iris (rainbow), fingerprints and DNA is proposed. The debate is fierce. How can the need for the registration of the population be reconciled with respect for human dignity?
With the proliferation of the new technologies that make information and data more available, the cognitive request by the investigative sector is intensified. In fact, those who work and operate in the investigation sectors of prevention and repression of crime, underline the usefulness of any kind of relative information.
If this is plausible, it is also, however, the right of the citizen to see their own personal sphere protected against undue and excessive control and intrusion. Today, the “security” objective has assumed maximum centrality in political and government action at the European and world level.
The study of the threats that surround us has led to refining and increasing the use of the instruments and techniques of social control and to multiplying the collection and classification of information that concerns the life and conduct of the citizen.
If we consider the Passenger Name Record required of the Countries of the EU by the United States, it is easy to understand the mountain of information which is conserved and analyzed everyday.
On our own Continent, we see the gradual, but rapid intensification of the interconnection of the Data Banks used for control on the movements of persons for counteracting clandestine immigration (the new systems SIS II and VIS II), or for the reinforced cooperation which is the foundation of the Treaty of Prum, which provides for the possibility of exchanging information regarding also DNA profiles. It concerns, as is evident, solutions that imply an ever increasing intensification of broader exchange and communication of data between the Countries of the Union. It is clear to everyone what this means at the level of the indispensable guarantees that are assured to avoid errors, serious violations or the damage of individual rights.
The Treaty of Prum provides for the obligation of the Member States to create and manage national archives for the analysis and the conservation of the DNA profiles, solely for identification reasons and only for the exchange between Member States, leaving the discipline of the treatment of the data to the internal regulations.
For some time the Guarantor has pointed out the need of a legislative intervention which regulates the interaction of Data Banks and their relation with the gathering and utilization of the information for security and judicial purposes, with particular reference to the handling and conservation of the biological samples and of identification codes of the DNA.
Furthermore, the matter imposes complex and important interventions also with regard to the reinforcement of the powers of control on this data, both in the collection phase and in the subsequent moment of its utilization.
In the report of the 19th September, 2007, the Guarantor sensitized the Parliament and the Government on regulation choices which assure effective and concrete guarantees.
Subsequently, on the 15th October, 2007, the Presidency of the Council of Ministers requested the opinion of the Guarantor on a draft of a Bill designed to institute a national Data Bank of the DNA and a connecting central laboratory.
The Guarantor, in expressing his opinion, stated that the Bill in question needed certain improvements for the purpose of conforming to the important need of effective counteraction to crime with an adequate protection of the rights of the parties concerned.
In the first place, the necessity has been proposed to the Legislator of defining a model of a Data Bank. Activated only for the specific purposes of identification of people, in keeping with what was provided for in the already mentioned Treaty of Prum and with the Decision adopted at European level. Furthermore, the Authority has asked the Government to
individuate suitable guarantees to assure that the operations of sample taking, analysis of same and of conservation and successive destruction of the data are performed by highly specialized personnel.
Finally, the opportuneness has been recommended of re-evaluating the provision contained in the scheme relative to the obligatory taking of samples from entire categories of subjects, as well as the absolute necessity of determining suitable modalities to avoid the risk that the taking of a biological sample is performed more than once on the same person without justified reason.
On December 22nd, 2008, the Senate approved the Bill which contained the regulations for the ratification of the adhesion to the Treaty of Prum.
In this way, Italy can fully participate in the exchange of information provided for by the Treaty in the ambit of the trans-frontier cooperation in the fight against terrorism, organized crime and illegal migration.
The Bill institutes the National Data Bank of DNA of an inter-force character, situated in the ambit of the Department of Public Security of the Department of the Interior, and the Central Laboratory of the Data Bank, at the Department of the Penitentiary Administration of the Ministry of Justice.

Certain forms of interception of communications are essential to investigations. The registrations are often divulged before the trial and the pre-trial hearing.Conversations of suspects and of absolutely uninvolved persons are thrown to the public for mastication. With the publication of totally irrelevant questions at a judicial level, many reputations have been destroyed, serious alterations of the market have been produced and the political dialectic has been conditioned. Where are the faults in the System? Disorganization of the offices? Scarce surveillance? Breach of ethics by the media? What can be done?
Without a doubt, recent years have been characterized by increasing publications – work of the press and television- of material taken from investigation information.
These incidents which have involved politicians, entrepreneurs and people from the entertainment field indicate how frequently information gleaned during the investigations has been object of publication and diffusion outside the ambit of the trial and, often, even before the beginning of the trial.
All this has certainly contributed to consolidate the existing alliance between the legal system and the media, as well as to re-evoke the age-old debate on the compatibility between the freedom of the press and the right to the protection of private data, within which is included the relation between the use of the investigative instrument of interception communications and telephone conversations, and the limits to the lawfulness of the integral publication of their contents by journalists.
Certainly, the interceptions represent a useful instrument of enquiry for the investigating officer, but, at the same time, it must not be forgotten that such activity also constitutes one of the most invasive forms of the personal sphere of the individual, since it affects that form of freedom of communication that Article 15 of the Constitution considers as a fundamental right, withheld only with motivated reason of the Judicial Authority and with the established guarantees of the Law.
The activity of telephonic interception as a means of legitimate investigation is, however, very widespread in our Country. This entails, in the first place, the necessity that the judicial offices adopt measures of adequate security to safeguard all the data collected and utilized for judicial ends and, in particular, to protect the transcriptions and reports of the interceptions from media diffusion and, in general, from illegal appropriation.
With regard to the problem of possible publication on the part of the media of the contents of interceptions, it is necessary to point out that in numerous occasions the Authority has dealt with the profile of the protection of the rights of the individual in relation to the publications of transcriptions of telephonic interceptions, and has admonished the Press operators to respect the regulations dictated by the Code of Criminal Procedure, by the Code in matters of the protection of personal data, and by the ethical Code of journalists.
The Authority has intervened more than once to invite journalists to evaluate the information with attention, also with respect to public prominence, in order to distinguish between information necessary to the evaluation of facts and information which, instead, belongs primarily to the private sphere of the subject.The Authority has also furnished important indications regarding the necessity of protecting the position of the subjects touched by the publications, but who are extraneous to the facts of criminal relevance, together with the offended persons, and of all those who do not result under investigation at the moment of the publication. The Authority has also stressed that the position of guiltless third parties, of the family or minors must always be safeguarded, just as particular caution must be given to information of a sensitive nature.
Also in occasion of the presentation of the Annual Report to Parliament, the Authority called attention to the publication of information acquired during the course of judicial investigations and in repeating that all the judicial data must be protected with clearer juridical restrictions and with technically adequate measures, it recalled the commitment with which the Office has worked in this delicate sector, indicating precise instructions also to the judicial offices.
Another question that is strictly correlated to the protection of the information coming from the activity of interception, relates to the “security” of the conservation of the collected personal data and of the informative flows, contained in the Data Banks, of traffic in the ambit of telecommunications, with reference to the activities carried out by the telephonic and telematic managers for the interceptions decided by the Judiciary.
In this matter, the Authority set up a careful activity of verification, and already in 2005, it intervened, prescribing the adoption of rigid measures by the managers, with the objective of increasing – on a significant scale – the levels of security of the systems utilized.


The investigators, in order to build evidence for trial, draw on the contribution of technical experts for the examination and the collection of sensitive data. One can refer to the elaboration of the telephonic contacts. Work of this kind involves a gigantic amount of information. How is the matter regulated? What are the duties of the technical expert? What are the limitations that the Enquiry Authority must impose? Has the Guarantor Authority of privacy intervened to regulate this material? Have guidelines been issued on the duties of the technical experts and judges who assign the tasks? Is it legal to conserve documented material in a private office after the conclusion of the work of the technical expert? Up to the present time, have any sanctions been inflicted?
In the face of the necessity of outlining an homogenous framework of measures and devices for the professionals who, in the ambit of the criminal, civil and administrative procedures, handle the personal data as auxiliary experts or technical consultants of the Judge and of the Public Prosecutor or carry out the same activities for a private party, the Authority, on June 26th, 2008, adopted a measure of a general character, entitled as follows: “Guidelines in matters of the treatment of personal data by the technical consultants and auxiliary experts of the Judge and the Public Prosecutor”.
The Guidelines have furnished rigorous indications on the management of the gathered information and of the archives of these professionals who, operating on behalf of one or more judicial authority and, therefore, also for different trials, come to know and accumulate a huge quantity of personal data.
Such professionals, in fact, by virtue of their extra-legal expertise of a technical and scientific nature come into contact with an enormous amount of information and personal data referring to both sides and to the subjects who, for different reasons, participate in the trial.
Among the indications contained in the measure, it is important to note that the consultant and the technical expert can gather and lawfully deal with personal data within the limits in which it is necessary to perform the received task and only within the ambit of the entrusted
verification. Consequently, the reports and information supplied to the Judge and, if necessary, to both sides of the trial, must not contain data that is not pertinent to the object of the evaluation, nor contain personal information on subjects who are not involved in the proceedings.
The possible use of cross-checking of data is allowed only if it is connected with the investigations that have been delegated and authorized by the single judicial authorities involved.
Once the task has been performed, the auxiliary of the Judge must consign, for storage of the acts of the proceedings, not only his own report, but also the documentation furnished by the magistrate and any additional documentation acquired during the course of the activities.
Beyond the hypotheses established by Law or by specific authorizations of the Judge, the consultant and the technical expert cannot, therefore, conserve in the original or in copy, in electronic format or on paper, the personal information collected during the course of the task.
The information acquired during the course of the verification can be communicated to the sides with the modalities, and in respect of, the limits fixed by the regulations on the secrecy and privacy of the trial acts. Eventual communication of the data to third parties, if thought to be indispensable for the outcome of the investigation, must respect that which is established by Law or previously authorized by the Judge.
Up until the moment of delivery to the Judge or to the Public Prosecutor of the results of the activity carried out, consultants and technical experts are obliged to adopt technical and organizational measures to avoid unlawful disclosure of the information or its loss or destruction.
Furthermore, the technical expert can be authorized to avail himself of trusted auxiliaries for the performance of material activities. In such case, the expert or consultant, assuming, therefore, the role of the head authority for the handling, with a previously written assignment, must furnish all necessary instructions on the correct modalities of utilization, conservation, storage and safekeeping of the data and the ambit of permitted usage.
Finally, the Guidelines supply – to those who perform the activity of technical consultant to a party – certain useful indications, among which are numerous devices and measures, in particular, the obligation to apply the general and minimum measures of security, the nomination of the assignees, the obligation of secrecy and the duty of respecting the principles of lawfulness, pertinence and necessity.


The Legislator has oriented the protection of privacy towards prevention. The Law of1996 and then, the Code of 2003, give much attention to professional ethics and to the professional Codes of self-discipline. Are these instruments sufficient?
The European Directive 95/46/CE – of which the Law No.675 of 1996 and subsequently the Legislative Decree No. 196 of 2003, constitute implementation – introduced into the Community system and into that of the Member Countries of the European Union, the formula of the Codes of professional ethics which constitute a new model of norm establishment based on a process of self-production of rules on the part of the same categories of subjects who must apply them.
It deals with a phenomenon that expresses a real and proper need to substitute, in certain particular sectors of activity, a general and abstract law, with specific rule establishment, directed to favour well-defined values of the person and particular interests of the social formations and of the citizens, being they the producers, users and consumers.
According to the outline of the Legislator, the role of the Guarantor in this matter is not only of an actuation character, since the Authority must exercise a wide power of direction and control, starting from the evaluation of the level of representativeness of the subjects called upon to collaborate with the elaboration of the common rules, until there is verification of the conformity of the regulation projects to the established principles on the subject of personal data from the Italian legislation, from the Community regulations and from the Recommendations of the European Council. The “supervision” of the Guarantor, therefore, is fundamental, insofar as through the drafting of a good text of regulations, it becomes possible to integrate the discipline of the regulations and, at the same time, to give a further sense of responsibility to the those who actually handle the protection of privacy, with a consequent overall deflationary effect on the possible controversies in the matter.
The last professional ethics Code that we have approved is the Code of Professional Ethics and Good Conduct for the Treatment of Personal Data, effectuated to carry out defensive investigations or to assert or defend a right in a judicial ambit.
It is an extremely important result, which has allowed the adaptation of the general principles set out by the regulations on the protection of personal data to the particular professional sectors of lawyers and private investigators.


In the last ten years, the violations of privacy have even multiplied. Technology has furnished devastating instruments. The digital memory allows the cataloguing of enormous masses of data, which can be accessed almost immediately. The Internet offers an extremely rapid diffusion of the information. The faults of the system are numerous. Will the regulations in force be integrated? In what way?
The right to the protection of data is experiencing a constant evolution due to the effect of the contextual change of social values and of the dominion of the scientific and technological innovations.
The informatics technology and, in particular, the large diffusion of Internet, by now, holds a fundamental role in all sectors of civil life, to the point where it constitutes an autonomous sector of the economy.
Also the protection of data has become a protagonist of the informatics technology and, therefore, of the Internet.
The virtual world of the Net allows circulation without barriers; every day, an infinity of information and personal data is poured into the Net, making available a potential of content, without precedent.
Without a doubt, this new means of communication represents a powerful instrument for civilization, but is wanting in strong systems of regulations. Today, with the spreading of always more sophisticated forms of communication, the problem has become that of protecting the veracity of the information, in other words, the correspondence to reality of the “data” as it is presented to us.
In the virtual world, in the world of the telecommunications and, more in general, of the telematic networks, the physical state is totally absent, so that one can only have a presumption of correspondence of the virtual data to the real data.
Consequently, today, the security of the paths of communication through which the data circulates assumes fundamental importance, to the point that it has become a strategic pillar of the world in which we live.
These considerations bring the subject of data protection into a completely new dimension, which makes the data protection authorities fundamental subjects of the contemporary system.
As mentioned, the protection and the security of the communication systems have become one of the fundamental problems among those of contemporary society. If we do not have the reasonable security of thinking that the communication system is adequately protected, we risk living in a reality difficult to master.
We are dealing with complex subjects which will require global approaches. One of the biggest problems of the contemporary world is, nevertheless, represented by the fact that, as of today, there lacks any possibility of above-national regulation of the so-called virtual world. Everything is entrusted to governments which have intrinsic limitations – regarding the authority of protection of data which was created in another epoch and for other purposes – to the self-regulation of the operators of the sector.
Also the financial crisis, which only recently has begun to show its effects, is one of the consequences of a globalization that has come into being without rules. It is, in fact, reasonable clear that the crisis is due, to a large extent, to a totally unregulated world financial system, if for no other reason than the lack of an adequate regulatory subject.
Also the same thing could come about with the telecommunication systems and, in particular, with Internet. For this reason, I believe it is important to begin reflecting on this possibility – without alarming the cibernauts – who consider the regulating of Internet a way of limiting freedom of the Net.
Over a period of just a few years, we have come to a different reality, in the face of which it will be necessary to seek above-national contingencies of individuation of rules for the protection of the communication systems which individuate suitable measures and subjects in charge of guaranteeing them.
For such reason this terrain represents the elective ground to measure the effective level of the safeguard of the right to the protection of data and, therefore, constitutes a challenge for all the Authorities of control at the European and world level.
An adequate protection of data, in a society always more projected into the era of telematic innovation, is the only suitable guarantee to ward off the danger that the new technologies – indispensable for purposes of simplifying the activities of a single individual, facilitate the inter-change of information and improve the life of connection – translate themselves into pernicious instruments capable of damaging the dignity of a person.
To be certain that the data is protected and conserved safely constitutes an essential condition for the correct functioning of the Democracy and the effective enjoyment of freedom and fundamental rights.


The Italian legislator provides for pecuniary sanctions for certain forms of violations of the rules on the conservation and collection of data. How many pecuniary sanctions have the Guarantor Authority exacted over time?And of what entity?
The recent years of the Authority have been characterized by an intense process of development of the activities of control, in particular, through a substantial increment of the inspection and sanctioning activities.
In this regard, for example, in 2008, five hundred inspections were effectuated, in consequence of which three hundred and thirty-eight administrative sanctions were contested and 12 reports were sent to the Judicial Authority for violations of a criminal nature.
In the inspection ambit, the relation with the Guardia di Finanza (Military Corp. dealing with customs, excise and tax crimes) is essential. It is regulated on the basis of a protocol of agreement, initialled in 2005, which allows the Guarantor to avail himself of the Corp, in the activity of inspection.
With the coordination of the Inspection Department of the Authority, the Guardia di Finanza carries out accesses to the Data Banks, makes inspections and verifications, and other collections useful to the activities of verification, effects cognitive investigations on the respect for the Law in determinate sectors and proceeds to the notification of the administrative sanctions.
In practice, the Guarantor, each time he finds it necessary to avail himself of the collaboration of the Corp, activates the special private Squad (with seat in Rome), which disposing of specialized personnel, immediately effects the inspections of verification, and where necessary, also through the territorially competent units.
Regarding the entity of the administrative sanctions, it is necessary to underline the innovation introduced by the Law Decree, No. 207/ 2008, converted in Law, 27th February, 2009, No.41, which has led to significant modifications to the sanctioning apparatus. The modifications were mainly concentrated on the administrative sanctions, while the criminal sanctioning structure remained substantially unaltered.
As a general rule, the interventions have entailed: an increase in the pecuniary penalties provided for in each violation; the prevision of new sanctioning hypotheses; the creation of mechanisms to allow for a major flexibility of the sanctions in relation to the concrete case.
The parameters on the basis of which sanctions can be applied in an aggravated form relate to the greater gravity of the violations, the circumstance in which the violations were committed, in relation to Data Banks of particular importance and dimensions, and the great number of the people involved.
Also the new regulation is extremely important, which allows the Authority to increase, up to four times, the amount of the sanctions when these same result inefficacious in light of the economic conditions of the transgressor.
Among the new particularly important cases in point is that which provides for – in the case of committing more violations of one or more regulations, also at different times, in relation to Data Banks of particular importance or dimensions – the application of a sanction from fifty thousand euro to three hundred thousand euro, without the possibility of availing oneself of the extinction of the sanctioning procedure with reduced payment.
The aim of this measure is to increase the deterrent effect of the sanction in relation to violations of greater importance, inasmuch as not committed occasionally and in relation to the management of Data Banks.
Also this new regulation is extremely important, which allows the Authority to increase up to four times the amount of the sanctions when these same result inefficacious in light of the economic conditions of the lawbreaker.


Who pay the pecuniary sanctions? The natural person or the body corporate? The executive, the entrepreneur, the company or the organization? The difference is noteworthy. A sanction directed to a natural person could represent a deterrent. If the burden weighs on the body corporate, it is distributed in the cost system and is made up with an increase in prices. In certain cases, it could be hypothesized that the taxpayer finishes, in an indirect way, by paying the sanctions. What can be done? How can operators, entrepreneurs and executives be made to feel more responsible in this area?
As a general rule, the violation is notified to the natural person who contravenes the regulation. If the natural person who has committed the violation is clearly identifiable because there has been, for example, the nomination of a person in charge of the handling of the data and the tasks have been specifically assigned to this last, the notification will be made directly to him.
On the other hand, if, on the basis of the acts, elements do not emerge that permit the violation to be attributed to a specific person within the agency/authority or company, the sanction is notified to the legal representative.
However, it is necessary to underline that the regulations provide for a liability “jointly and severally” of the body corporate or of the agency/authority for violations committed by its own employees.


The protection of privacy allows no slowness or delays. The Law provides for two forms of appeal. To the Guarantor Authority or the Judicial Authority. What are the respective times? Is it possible to abbreviate them?
The Code in matters of protection of personal data(Legislative Decree, No. 196 of 2003) Art.1, guarantees to “anyone” the right to the protection of personal data, extending the forms of protection correlated to it, not only to the natural persons, but also to the bodies corporate, agencies and associations.
Among these the Code provides that the person concerned (that is, the subject to which the data refers) is invested with real and proper power of control and that his/her personal information is treated lawfully and according to correctness and, in general, in observance of the general principles and regulations relevant to matters of the treatment of personal data. Such power of control is guaranteed to the person concerned through the acknowledgement of a preventive protection impemented through the exercise of the rights in Art. 7. of the Code, by which the violation legitimizes the concerned party to lodge appeal with the Guarantor or, as an alternative, to the Judge.
Among the rights contained in Art.7, is the right of access to the information of a personal nature, which is substantiated in the right of the party concerned to know the existence of the handling of his own data being carried out by another subject. In fact, the party concerned – having access to the information relative to the purpose and modality with which the treatment of his own data is carried out, and to the subjects who effect the treatment – is able to evaluate whether their activity is imbued with the principles of lawfulness and correctness and, in the case of a negative evaluation, to exercise the further instruments of control and protection of his own personal data. Furthermore, Article 7, pinpoints the right of the concerned party to obtain the up-dating and rectification of his own data, as well as the right to ask for cancellation, transformation into an anonymous form, or the blockage of said data. In this last case, it is presumed that the data was processed in violation of the Law or that its conservation is no longer necessary inasmuch as, the purposes for which the data was collected and treated were followed through or were no longer realizable.
Finally, Art. 7, indicates the right to opposition that the concerned party can exercise in the presence of two distinct assumptions: when legitimate motives exist where the treatment can be damaging to the rights of the concerned party, and in the case of treatment finalized to the sending of publicity material, direct marketing or commercial communication.
As already mentioned, the Code provides that the violation of the rights referred to in Art. 7, permits the injured party, through the appeal instrument, to take alternative steps through the Judicial Authority or the Guarantor Authority for the protection of his personal data.
All the other violations of the Code can be brought before the Guarantor Authority, but only through the procedures of report or protest.
In fact, the Code regulates the cases in which the concerned party can turn to the Guarantor, making clear distinction between the simple reports and protests sent to the Authority and the real and proper appeals.
The appeal to be forward to the Guarantor is of a formal nature and the lack of just one of the formal requisites provided for by the Code determines it as inadmissible. Notwithstanding this, the Guarantor can invite the appellant to regularize the appeal.
The presentation to the Guarantor of the appeal renders the same claim before the Judicial Authority improbable. However, it could, subsequently, initiate proceedings in opposition. The relations between the administrative protection and that of the jurisdictional are, therefore, regulated in terms of alternatives, but the Guarantor is not authorized to rule on the compensation for damages.
The appeal is not free of charge. The Guarantor, with the appropriate measures, establishes the amount of the fees correlated to the presentation of the appeal.
It should be remembered that the appeal can be presented only after unsuccessful consultation with the person in charge of the data treatment (except for the cases in which the elapse of the deadline for the presentation of the appeal could expose someone to imminent and irreparable damage).
The procedure that is established following the presentation of an appeal is based on the principle of “what is required by the parties” and the decision of the Authority must respect the relation between ‘what is requested by the appellant” and “what is ruled by the Judges”.
It must be observed that the procedural time-limits are rigorously fixed under penalty of forfeiture. The Code has provided that the proceedings must terminate within the maximum time limit of 60 days, at the expiry of which, if the judge does not rule – with regard to both the ordinary and the provisional motion – it is equivalent to rejection.
Once the appeal is received, that is, with the exception of the cases where it has been declared inadmissible or unfounded, the appeal is communicated to the parties by the Office of the Guarantor, with the invitation to the resistant party to adhere spontaneously, within and not beyond 10 days of its receipt, to the request of protection advanced by the appellant.
The spontaneous adhesion determines the ordinance to not proceed with the appeal.
Concomitant to the communication of the appeal and to the request of spontaneous adhesion, the Guarantor indicates the time limit in which the parties can present notations and documents and the date of eventual cross-questioning hearings.
The ruling, both definitive and rendered in via of a provisional motion, is not of a jurisdictional nature, but of an administrative decision nature, adopted following a contentious administrative procedure.
If the Guarantor holds that that the appeal is founded, he orders the
cessation of the illegal conduct by the responsible party, indicating the necessary measures to protect the rights of the person concerned and allotting a time limit for their adoption.
If difficulties or protests arise regarding the execution of the ruling, the Guarantor has at his disposal the modalities of implementation, availing himself, if necessary, of the personnel of the Authority and the collaboration of other bodies of the State.
Also in these circumstances, the sentence concerning the expenses falls on the responsibility of the party who loses the case.
The party against which the decision is taken pays the trial expenses in the amount – determined by the final ruling – established à forfeit.
The measures of the Guarantor, both those expressed and those implied by rejection, are appealable through a proposition of opposition before the local Court of the residence of the person in charge of the treatment of the personal data. This juridical recourse, which, however, does not suspend the measures, must be exercised within 30 days from the date of communication of the measure of the Authority.
With the sentence (not appealable, but recourse can be made to the Supreme Court), the Judge accepts or rejects the request, in total or in part, prescribes the necessary measures, rules on the compensation of damages, where requested, and assigns the responsibility of the expenses of the proceedings to the party who loses the case.


Also criminal sanctions are provided for. What is the direction tendency of the jurisprudence on the subject? Is there information on the number of inflicted sentences? What is the entity of the punishments? The punishments provided for represent a deterrent. Why not introduce severe forms of disqualifications?
The criminal sanctions provided for by the Code concern both the part that is fundamentally important on the subject of the protection of personal data (illicit treatment of the data and failure to adopt the minimum measures of security) and the procedural part (false declaration to the Guarantor and non-observance of the measures of the Guarantor).
The first part has as juridical objective, the protection of the personal data realized through the respect of the provisions stated in the incriminatory regulations (such as, for example, the respect of the provisions on the consent of the party concerned or those provisions on the treatment of sensitive data, as well as the provision relative to the adoption of the minimum measures of security).
In the case of the illicit treatment of data, the regulations provide for a crime punished in the most serious form, with imprisonment from one to three years. To enforce the sanction, however, the lack of respect of the relative provisions is not sufficient, the Law requires two further elements.
One of these elements refers to the so-called “psychological element” of the perpetrator of the crime who, according to the regulations must be shown to have knowingly wanted to gain profit or cause damage.
In essence, since the conduct is attributed to the perpetrator as a crime, it is necessary to demonstrate that the offender committed the violation being motivated by this psychological element (specific criminal intent) required by the regulations.
The second element required by the Law consists in the demonstration that harm has derived from the fact. In practice, according to what emerges also from the rulings of the Supreme Court, the Legislator has provided for an objective condition of liability, which has the scope of establishing a “threshold” of criminal importance of the fact. In absence of the verification of the previously mentioned condition of ‘criminal intent’, although relevant from the point of view of the eventual administrative sanctioning or of the measures of the Authority, does not amount to having criminal importance.
It concerns, as it emerges also from the synthetic illustrations effected, an extremely articulated regulation, which delineates a complex probative picture, with the consequence that, although not disposing of precise statistics at a national level, the incidence of verification of responsibility for this case in point is really very rare.
The regulations relative to the omission of adopting adequate measures of security is another discussion. In this case the Law provides for, in existence of the verification of violation, a procedure that allows the perpetrator of the crime, through the fulfilment of a prescription furnished by the Guarantor and the payment of an administrative fine, to avoid the “rigours” of the criminal proceedings, (the so-called “voluntary pecuniary contribution from the offender to redress his crime”. Unlike what happens for the illicit treatment of data, in matters of the measures of minimum security, the Authority disposes of some information (this because, in every proceeding, the Guarantor is called to furnish the due “corrective” prescriptions).
In 2008, 26 proceedings were started against reports for the omission of adopting the minimum measures of security. It is necessary to underline that, in this ambit, in the vast majority of cases, those responsible for the violations in question accede to the above described “voluntary” procedure and consequently, the formation of a criminal judgement is not reached. In rare cases, where the person held responsible does not benefit from this opportunity, it is because he feels able to demonstrate in court his complete extraneousness to the violation, remaining valid, however, that he can still avail himself of the possibility of extinguishing the crime by means of a cash settlement of a fine.
With reference to the congruity and efficacy of the penalties and to the possibility of introducing alternative forms of sanctions to the criminal sanctions (not always effective as a dissuasive element), the subject is very large and goes far beyond the sector of the protection of personal data. More in general, it concerns the necessity of a rethink of the so-called sanctioning law. In general terms, also thanks to the recent measures previously illustrated, the picture of the powers and sanctions in this matter appear, today, suitable to allow the Authority to counteract illicit conduct.
One last consideration concerns the subject of compensation of the damage caused by the effect of illicit treatment of personal data. One must keep in mind that the Code provides that: “Whoever causes damage to others from the effect of the treatment of personal data is held responsible to pay compensation” In this matter, the probative regime provided for by the Article 2050 of the Civil Code – which is particularly favourable for the concerned person – is applied, which entails the reversal of the burden of furnishing evidence; it will be the person in charge of treating the data who must demonstrate to have adopted all measures suitable to avoid production of the damage reported by the concerned party.


Privacy can be protected through education of self-defence. The citizen can and must be informed of his rights. In a contract of agreement the requests of assent in matters of treatment of the information are multiplying and, in general, are written in very small print. Instead of parcelling out information, would not a huge pounding public campaign be more useful?
Ten years have passed since the regulations in matters of the protection of personal data came into force in our System. The first phase of activity of the Authority was programmed in advance to the formation of that which might be defined the “learning of privacy”. For some years, in particular, with the new College, a second phase was inaugurated, characterized by a commitment to “modernize” the sector of the protection of personal data, adapting it to the needs of a society in continual technological and social change.
The episodes of the last years and, in particular, those connected to the activity of making, filing and keeping illicit dossiers), line tapping, access to Data Banks – from the Data Bank of telephonic traffic to that of the tax records – demonstrate the real role of this Authority, called to monitor and accompany the rapid expansion of the treatment of personal data phenomenon.
Individuals are, inevitably led to produce data and this is a phenomenon destined to grow in an ever increasing measure, also through the auxiliary of the modern technology which facilitates the collection of information.
This data, in fact, can be gathered, cross-checked, treated and conserved with extremely facility and speed, because it can be transferred on informatics supports, of telematic regulations and elaborated with programmes which our sociology and informatics science tend to multiply.
One thinks of what could happen with the access to the data of a clinical history or the acquisition of the telephonic traffic of an individual with the complete mapping of all his communications.
In general, in the relations between private citizens, any treatment of data that takes place without the consent of the person concerned must be considered illicit. In fact, the use of personal data is not allowed if the person concerned has not expressed a conscious agreement and has not been previously informed of the modality and the finality of its use.
Such authorization is usually acquired, also in cases in which the permission is not given in a written form, but through the so-called “little signature for privacy” which, usually, must be applied at the bottom of a very long informative printed passage, the meaning of which is often not understood.
In reality, this set-up limits the protection of data to a purely bureaucratic fact which, in essence, leaves the subject without protection. And it is necessary to give much thought to this situation, also in view of the new economic and social picture that is being delineated.
As far as the institutional campaign of information is concerned, we should remember the production of popular leaflets and brochures on themes of great prominence, from Internet to video-surveillance to health. Furthermore, the Authority has directed and realized, since 1999 – the 19th edition is in preparation – a Cd rom that gathers together the national and international regulations and all the provisions and measures of the Guarantor.
Lastly, it is worth remembering the radio-television spot realized in 2003, dedicated to the damage that can be caused with the practice of signing, without due attention, “forms for the privacy”.
In fact, it is starting to be understood that the protection of private data constitutes an essential value, and the Authority is committing itself to make this awareness always more diffused, not only through important measures which have streamlined the required fulfilments for the treatments connected to the relations between private citizens, but also through a constant activity of information and numerous events dedicated to the importance of the protection of personal data, such as those organized in occasion of the European Day of Data Protection which, this year was dedicated to the social network.



The Guarantor Authority intervened to limit the diffusion of data relative to the fiscal position of citizens. With what reasons? Within what limits is the fiscal transparency acceptable?
The innovation technology is determining a profound transformation in the Public Administration. It becomes, consequently, fundamental to prevent an uncontrolled circulation of data, as well, as the indiscriminate access by the operators.
With regard to the affair connected to the diffusion on Internet of data on the earnings declarations of tax payers, as soon as the Authority had news of this diffusion, it decided, on the basis of a preliminary verification, that it was not in conformity with the regulations of the sector.
With the first measure of 30th April, 2008, the Guarantor invited the Agency to immediately suspend the diffusion of the data on the Internet, and the means of the information not to divulge the data extracted from the lists made available to Internet by the Agency with the aforesaid modality.
With this measure, the Guarantor also invited the Agency to furnish further clarification.
With a subsequent measure, issued on 6th May, 2008, the Authority, on confirmation of the suspension of the publication of the lists of names for the year 2005 of the tax payers who presented declarations for the purposes of the imposed tax on earnings and of the VAT, established that the Agency abstain from further publications on the Internet of the lists of tax payers and, similarly, specified that it is held to be illicit also the further diffusion of the data of the tax payer by anyone who had acquired it, also indirectly, from the Internet site of the Agency. Such further diffusion, in fact, could expose them to consequences of a civil and criminal character.
The Director of the Agency could establish only “the terms and modalities” for the formation of the lists. The ‘knowability’ of these last is, in fact, directly regulated by disposition of Law, which provides for, as the only modality, the distribution of such lists only to offices of the Agency that are territorially competent, and their transmission, also through magnetic supports or, in other words, telematics systems, only to
townships concerned, in both cases in relation to only tax payers of the territorial ambit concerned. This, for the purposes of their storage and consultation for the duration of one year – without the possibility of extracting copies – by anyone )Art. 69, paras 4ss., Decree of the President of the Republic, No. 600/1973 cited, also see Art. 66 bis, D.P.R. 26th October, 1972 No. 633.
The Code of digital Administration, pleaded by the Agency in support of its own choice, stimulates the use of the information and communication technologies in the utilization of data of the public administrations. Nevertheless, the Code confirms the limits to the ‘knowability’ of data as provided for by laws and regulations (as happens with the mentioned Art. 69), as well as the regulations and guarantees in the matter of the protection of the personal data (Art. 2, para 5 and 50 Legislative Decree, 7th March, 2005, No.82).
The previously mentioned circulation of the data on Internet, beyond being in itself illegal because it is lacking a juridical base and was set-up without the knowledge of the Guarantor, has led to also a modality of disproportionate diffusion in relation to the finalities for which the actual discipline provides a relative transparency. The data was made consultable not at each territorial ambit concerned, but liberally on the whole of the national territory and abroad. . The innovativeness of this modality, which emerged from the same deductions of the Agency itself, was not apparent from the general information given to the tax payers in the tax declaration form for 2005. The Agency had not provided for “filters” in the on-line consultation and made it possible for numerous users of the site to save a copy of the lists with functions of file transfer. The centralization of the consultation at a national level enabled the same users, already in the limited number of hours in which the aforementioned web site was consultable, to have access to an enormous quantity of tax payer data, to make copies, to form archives, to modify and elaborate the data itself, to create lists of profiles and feed such information into further circulation on the network, as well as, in some cases, putting the data on sale.
With this, of course, posing a risk to the correctness of the data and precluding any possibility of guaranteeing that it is not consultable after the one year elapses provided for by the aforementioned regulations.
Finally, the Authority was not consulted previously by the Agency as is prescribed with respect to the regulations and to the administrative acts pertinent to the protection of personal data (Art. 154, para 4, of the Code.

Privacy, at times, becomes a suit of armour that can make the Public Administration impenetrable. What are the rights of the citizen? What data relative to the public official is knowable? Within what limits can the Administration oppose the diffusion of data relative to the treatment and the position of the officials?
Treatment of personal data is understood to mean any operation or group of operations effected, also without the aid of auxiliary electronic instruments, which concern, in particular, the collection, the conservation, the utilization and the communication of data.
Without doubt, also the activity of the Public Administration correlated to the acceptance of the request from the subject who exercises the right of access to administrative documents is qualifiable as a treatment of data if, in the administrative documents, information of a personal nature is also contained.
As a general rule, the Administration can treat the data, without needing the consent of the party concerned, as long as the treatment is finalized to the execution of institutional functions. If this is not the case, the treatment is not allowed, also in the case where there exists the consent of the person to whom the data refers.
In fact, the P.A. pursues institutional interests and purposes fixed by Law, the so-called “public ends”. Consequently, public officials can effect only those treatments of data connected to the exercise of their institutional functions, or provided for by rule of law or regulation in the event that among the operations of treatment figure the communication and the diffusion of the data to third parties.
And, acceptance of the request for access to administrative documents containing personal data of third party individuals actually is a communication by the Public Administration to the subject, whose legally important position can be protected through the knowledge of the document for which viewing has been requested.
With particular reference to sensitive data, the Code legitimizes the Public Administration to the treatment of such data only in the presence of a precise disposition of law in which is specified the type of data which can be treated and the operations that can be followed, as well as the ends of important public interest pursued by each Administration. Similarly, the Code has provided for the obligation by each Administration to provide itself with a special regulation for the individuation of the sensitive data treated and of the operations that can be followed, in the cases in which the Law limits itself to specify the purposes of important public interest and the authorized treatment is functional to the implementation of same.
The relation between the activity of the Public Administration and the confidentiality of third parties was shown in all its complexity when the Legislator with the Law No. 142 of 1990 and the LawNo.241of 1990, overturned the traditional foundation anchored to the administrative secret, making the right of access and of publicity the new rule of the administrative action, and relegating the secret to the role of exception.
In deference to the principles of impartiality and good performance that govern the administrative action under the Clause 97, of the Constitution, access was configured as a general principle of the administrative activity for the purpose of favouring the participation and of assuring the transparency and impartial execution.
With the Law No. 675 of 1996, the right to privacy found its formal recognition, placing itself on an equal level with respect to the rules on administrative transparency. Consequently, in the presence of a normative panorama directed to guarantee the principle of transparency and the need for privacy, the doctrine and the jurisprudence intervened for the purpose of individuating the modalities of coordination between the two provisions and between two rights placed at the defence of two opposing interests.
The relation between the regulations on the subject of access and the regulation on the subject of privacy has been enriched following the coming into force of the Code on matters of data protection, introduced with the Legislative Decree, No.196 of 2003, and of the issue of the Law No.15 of 2005 which, bringing significant changes to the Law No. 241 of 1990, has, among other things, raised the right of access to the rank of general principle of the administrative activity.
From the modifications to the regulations that discipline the right of access, emerges the desire of the Legislator to realize an effective normative connection with the regulations contained in the Code on the subject of data protection and, in particular, with the Articles 59 and 60, for the purpose of defining the operativeness and the limits of the right of access, should the ostensive request for administrative documents involve also personal data of third parties.
Generally, the right of access tends to prevail over the right to privacy, if the documents required to be shown contain common personal data.
In the presence of sensitive data different from that suitable to reveal the state of health or sex life of a person, the Public Administration, held to evaluate the interests implied by the request for access, will be called, in the case of the acceptance of the request, to show exclusively the data, the ‘knowability’ of which could be considered indispensable to the pursuit of the prerogatives of the subject who consults the Public Administration.
If, instead, the request for access concerns administrative documents containing personal data suitable to reveal the state of health or sex life of a person, the Public Administration must proceed to a further evaluation and verify whether the important legal situation which one intends to protect with the request for access to administrative documents ranks, at least, equal to the rights of the person concerned or consists in a right of the person, or in another fundamental and inviolable right or liberty.




© AGENZIA INFORMAZIONI E SICUREZZA INTERNA