PERSONAL DATA PROTECTION CODE

Legislative Decree no. 196 of 30 June 2003

 

TITLE II Ė DATA SUBJECTíS RIGHTS

Section 7

(Right to Access Personal Data and Other Rights)

1. A data subject shall have the right to obtain confirmation as to whether or not personal data

concerning him exist, regardless of their being already recorded, and communication of such data in

intelligible form.

2. A data subject shall have the right to be informed

a) of the source of the personal data;

b) of the purposes and methods of the processing;

c) of the logic applied to the processing, if the latter is carried out with the help of electronic

means;

d) of the identification data concerning data controller, data processors and the

representative designated as per Section 5(2);

19

e) of the entities or categories of entity to whom or which the personal data may be

communicated and who or which may get to know said data in their capacity as designated

representative(s) in the Stateís territory, data processor(s) or person(s) in charge of the processing.

3. A data subject shall have the right to obtain

a) updating, rectification or, where interested therein, integration of the data;

b) erasure, anonymization or blocking of data that have been processed unlawfully,

including data whose retention is unnecessary for the purposes for which they have been collected

or subsequently processed;

c) certification to the effect that the operations as per letters a) and b) have been notified, as

also related to their contents, to the entities to whom or which the data were communicated or

disseminated, unless this requirement proves impossible or involves a manifestly disproportionate

effort compared with the right that is to be protected.

4. A data subject shall have the right to object, in whole or in part,

a) on legitimate grounds, to the processing of personal data concerning him/her, even though

they are relevant to the purpose of the collection;

b) to the processing of personal data concerning him/her, where it is carried out for the

purpose of sending advertising materials or direct selling or else for the performance of market or

commercial communication surveys.

Section 8

(Exercise of Rights)

1. The rights referred to in Section 7 may be exercised by making a request to the data controller or

processor without formalities, also by the agency of a person in charge of the processing. A suitable

response shall be provided to said request without delay.

2. The rights referred to in Section 7 may not be exercised by making a request to the data controller

or processor, or else by lodging a complaint in pursuance of Section 145, if the personal data are

processed:

a) pursuant to the provisions of decree-law no. 143 of 3 May 1991, as converted, with

amendments, into Act no. 197 of 5 July 1991 and subsequently amended, concerning money

laundering;

b) pursuant to the provisions of decree-law no. 419 of 31 December 1991, as converted, with

amendments, into Act no. 172 of 18 February 1992 and subsequently amended, concerning support

for victims of extortion;

c) by parliamentary Inquiry Committees set up as per Article 82 of the Constitution;

20

d) by a public body other than a profit-seeking public body, where this is expressly required

by a law for purposes exclusively related to currency and financial policy, the system of payments,

control of brokers and credit and financial markets and protection of their stability;

e) in pursuance of Section 24(1), letter f), as regards the period during which performance

of the investigations by defence counsel or establishment of the legal claim might be actually and

concretely prejudiced;

f) by providers of publicly available electronic communications services in respect of

incoming phone calls, unless this may be actually and concretely prejudicial to performance of the

investigations by defence counsel as per Act no. 397 of 7 December 2000;

g) for reasons of justice by judicial authorities at all levels and of all instances as well as by

the Higher Council of the Judiciary or other self-regulatory bodies, or else by the Ministry of

Justice;

h) in pursuance of Section 53, without prejudice to Act no. 121 of 1 April 1981.

3. In the cases referred to in paragraph 2, letters a), b), d), e) and f), the Garante, also following a

report submitted by the data subject, shall act as per Sections 157, 158 and 159; in the cases referred

to in letters c), g) and h) of said paragraph, the Garante shall act as per Section 160.

4. Exercise of the rights referred to in Section 7 may be permitted with regard to data of nonobjective

character on condition that it does not concern rectification of or additions to personal

evaluation data in connection with judgments, opinions and other types of subjective assessment, or

else the specification of policies to be implemented or decision-making activities by the data

controller.

Section 9

(Mechanisms to Exercise Rights)

1. The request addressed to the data controller or processor may also be conveyed by means of a

registered letter, facsimile or e-mail. The Garante may specify other suitable arrangements with

regard to new technological solutions. If the request is related to exercise of the rights referred to in

Section 7(1) and (2), it may also be made verbally; in this case, it will be written down in summary

fashion by either a person in charge of the processing or the data processor.

2. The data subject may grant, in writing, power of attorney or representation to natural persons,

bodies, associations or organisations in connection with exercise of the rights as per Section 7. The

data subject may also be assisted by a person of his/her choice.

3. The rights as per Section 7, where related to the personal data concerning a deceased, may be

exercised by any entity that is interested therein or else acts to protect a data subject or for familyrelated

reasons deserving protection.

21

4. The data subjectís identity shall be verified on the basis of suitable information, also by means of

available records or documents or by producing or attaching a copy of an identity document. The

person acting on instructions from the data subject must produce or attach a copy of either the proxy

or the letter of attorney, which shall have been undersigned by the data subject in the presence of a

person in charge of the processing or else shall bear the data subject's signature and be produced

jointly with a copy of an ID document from the data subject, which shall not have to be certified true

pursuant to law. If the data subject is a legal person, a body or association, the relevant request shall

be made by the natural person that is legally authorized thereto based on the relevant regulations or

articles of association.

5. The request referred to in Section 7(1) and (2) may be worded freely without any constraints and

may be renewed at intervals of not less than ninety days, unless there are well-grounded reasons.

Section 10

(Response to Data Subjects)

1. With a view to effectively exercising the rights referred to in Section 7, data controllers shall

take suitable measures in order to, in particular,

a) facilitate access to personal data by the data subjects, even by means of ad hoc software

allowing accurate retrieval of the data concerning individual identified or identifiable data subjects;

b) simplify the arrangements and reduce the delay for the responses, also with regard to

public relations departments or offices.

2. The data processor or the person(s) in charge of the processing shall be responsible for retrieval

of the data, which may be communicated to the requesting party also verbally, or else displayed by

electronic means - on condition that the data are easily intelligible in such cases also in the light of

the nature and amount of the information. The data shall be reproduced on paper or magnetic media,

or else transmitted via electronic networks, whenever this is requested.

3. The response provided to the data subject shall include all the personal data concerning him/her

that are processed by the data controller, unless the request concerns either a specific processing

operation or specific personal data or categories of personal data. If the request is made to a health

care professional or health care body, Section 84(1) shall apply.

4. If data retrieval is especially difficult, the response to the data subjectís request may also consist

in producing or delivering copy of records and documents containing the personal data at stake.

5. The right to obtain communication of the data in intelligible form does not apply to personal data

concerning third parties, unless breaking down the processed data or eliminating certain items from

the latter prevents the data subjectís personal data from being understandable.

6. Data are communicated in intelligible form also by using legible handwriting. If codes or

abbreviations are communicated, the criteria for understanding the relevant meanings shall be made

available also by the agency of the persons in charge of the processing.

22

7. Where it is not confirmed that personal data concerning the data subject exist, further to a request

as per Section 7(1) and (2), letters a), b) and c), the data subject may be charged a fee which shall

not be in excess of the costs actually incurred for the inquiries made in the specific case.

8. The fee referred to in paragraph 7 may not be in excess of the amount specified by the Garante in

a generally applicable provision, which may also refer to a lump sum to be paid in case the data are

processed by electronic means and the response is provided verbally. Through said instrument the

Garante may also provide that the fee may be charged if the personal data are contained on special

media whose reproduction is specifically requested, or else if a considerable effort is required by

one or more data controllers on account of the complexity and/or amount of the requests and

existence of data concerning the data subject can be confirmed.

9. The fee referred to in paragraphs 7 and 8 may also be paid by bank or postal draft, or else by

debit or credit card, if possible upon receiving the relevant response and anyhow within fifteen days

of said response.