PERSONAL DATA PROTECTION CODE
Legislative Decree no. 196 of 30 June 2003
TITLE II Ė DATA SUBJECTíS RIGHTS
(Right to Access Personal Data and Other Rights)
1. A data subject shall have the right to obtain confirmation as to whether or not personal data
concerning him exist, regardless of their being already recorded, and communication of such data in
2. A data subject shall have the right to be informed
a) of the source of the personal data;
b) of the purposes and methods of the processing;
c) of the logic applied to the processing, if the latter is carried out with the help of electronic
d) of the identification data concerning data controller, data processors and the
representative designated as per Section 5(2);
e) of the entities or categories of entity to whom or which the personal data may be
communicated and who or which may get to know said data in their capacity as designated
representative(s) in the Stateís territory, data processor(s) or person(s) in charge of the processing.
3. A data subject shall have the right to obtain
a) updating, rectification or, where interested therein, integration of the data;
b) erasure, anonymization or blocking of data that have been processed unlawfully,
including data whose retention is unnecessary for the purposes for which they have been collected
or subsequently processed;
c) certification to the effect that the operations as per letters a) and b) have been notified, as
also related to their contents, to the entities to whom or which the data were communicated or
disseminated, unless this requirement proves impossible or involves a manifestly disproportionate
effort compared with the right that is to be protected.
4. A data subject shall have the right to object, in whole or in part,
a) on legitimate grounds, to the processing of personal data concerning him/her, even though
they are relevant to the purpose of the collection;
b) to the processing of personal data concerning him/her, where it is carried out for the
purpose of sending advertising materials or direct selling or else for the performance of market or
commercial communication surveys.
(Exercise of Rights)
1. The rights referred to in Section 7 may be exercised by making a request to the data controller or
processor without formalities, also by the agency of a person in charge of the processing. A suitable
response shall be provided to said request without delay.
2. The rights referred to in Section 7 may not be exercised by making a request to the data controller
or processor, or else by lodging a complaint in pursuance of Section 145, if the personal data are
a) pursuant to the provisions of decree-law no. 143 of 3 May 1991, as converted, with
amendments, into Act no. 197 of 5 July 1991 and subsequently amended, concerning money
b) pursuant to the provisions of decree-law no. 419 of 31 December 1991, as converted, with
amendments, into Act no. 172 of 18 February 1992 and subsequently amended, concerning support
for victims of extortion;
c) by parliamentary Inquiry Committees set up as per Article 82 of the Constitution;
d) by a public body other than a profit-seeking public body, where this is expressly required
by a law for purposes exclusively related to currency and financial policy, the system of payments,
control of brokers and credit and financial markets and protection of their stability;
e) in pursuance of Section 24(1), letter f), as regards the period during which performance
of the investigations by defence counsel or establishment of the legal claim might be actually and
f) by providers of publicly available electronic communications services in respect of
incoming phone calls, unless this may be actually and concretely prejudicial to performance of the
investigations by defence counsel as per Act no. 397 of 7 December 2000;
g) for reasons of justice by judicial authorities at all levels and of all instances as well as by
the Higher Council of the Judiciary or other self-regulatory bodies, or else by the Ministry of
h) in pursuance of Section 53, without prejudice to Act no. 121 of 1 April 1981.
3. In the cases referred to in paragraph 2, letters a), b), d), e) and f), the Garante, also following a
report submitted by the data subject, shall act as per Sections 157, 158 and 159; in the cases referred
to in letters c), g) and h) of said paragraph, the Garante shall act as per Section 160.
4. Exercise of the rights referred to in Section 7 may be permitted with regard to data of nonobjective
character on condition that it does not concern rectification of or additions to personal
evaluation data in connection with judgments, opinions and other types of subjective assessment, or
else the specification of policies to be implemented or decision-making activities by the data
(Mechanisms to Exercise Rights)
1. The request addressed to the data controller or processor may also be conveyed by means of a
registered letter, facsimile or e-mail. The Garante may specify other suitable arrangements with
regard to new technological solutions. If the request is related to exercise of the rights referred to in
Section 7(1) and (2), it may also be made verbally; in this case, it will be written down in summary
fashion by either a person in charge of the processing or the data processor.
2. The data subject may grant, in writing, power of attorney or representation to natural persons,
bodies, associations or organisations in connection with exercise of the rights as per Section 7. The
data subject may also be assisted by a person of his/her choice.
3. The rights as per Section 7, where related to the personal data concerning a deceased, may be
exercised by any entity that is interested therein or else acts to protect a data subject or for familyrelated
reasons deserving protection.
4. The data subjectís identity shall be verified on the basis of suitable information, also by means of
available records or documents or by producing or attaching a copy of an identity document. The
person acting on instructions from the data subject must produce or attach a copy of either the proxy
or the letter of attorney, which shall have been undersigned by the data subject in the presence of a
person in charge of the processing or else shall bear the data subject's signature and be produced
jointly with a copy of an ID document from the data subject, which shall not have to be certified true
pursuant to law. If the data subject is a legal person, a body or association, the relevant request shall
be made by the natural person that is legally authorized thereto based on the relevant regulations or
articles of association.
5. The request referred to in Section 7(1) and (2) may be worded freely without any constraints and
may be renewed at intervals of not less than ninety days, unless there are well-grounded reasons.
(Response to Data Subjects)
1. With a view to effectively exercising the rights referred to in Section 7, data controllers shall
take suitable measures in order to, in particular,
a) facilitate access to personal data by the data subjects, even by means of ad hoc software
allowing accurate retrieval of the data concerning individual identified or identifiable data subjects;
b) simplify the arrangements and reduce the delay for the responses, also with regard to
public relations departments or offices.
2. The data processor or the person(s) in charge of the processing shall be responsible for retrieval
of the data, which may be communicated to the requesting party also verbally, or else displayed by
electronic means - on condition that the data are easily intelligible in such cases also in the light of
the nature and amount of the information. The data shall be reproduced on paper or magnetic media,
or else transmitted via electronic networks, whenever this is requested.
3. The response provided to the data subject shall include all the personal data concerning him/her
that are processed by the data controller, unless the request concerns either a specific processing
operation or specific personal data or categories of personal data. If the request is made to a health
care professional or health care body, Section 84(1) shall apply.
4. If data retrieval is especially difficult, the response to the data subjectís request may also consist
in producing or delivering copy of records and documents containing the personal data at stake.
5. The right to obtain communication of the data in intelligible form does not apply to personal data
concerning third parties, unless breaking down the processed data or eliminating certain items from
the latter prevents the data subjectís personal data from being understandable.
6. Data are communicated in intelligible form also by using legible handwriting. If codes or
abbreviations are communicated, the criteria for understanding the relevant meanings shall be made
available also by the agency of the persons in charge of the processing.
7. Where it is not confirmed that personal data concerning the data subject exist, further to a request
as per Section 7(1) and (2), letters a), b) and c), the data subject may be charged a fee which shall
not be in excess of the costs actually incurred for the inquiries made in the specific case.
8. The fee referred to in paragraph 7 may not be in excess of the amount specified by the Garante in
a generally applicable provision, which may also refer to a lump sum to be paid in case the data are
processed by electronic means and the response is provided verbally. Through said instrument the
Garante may also provide that the fee may be charged if the personal data are contained on special
media whose reproduction is specifically requested, or else if a considerable effort is required by
one or more data controllers on account of the complexity and/or amount of the requests and
existence of data concerning the data subject can be confirmed.
9. The fee referred to in paragraphs 7 and 8 may also be paid by bank or postal draft, or else by
debit or credit card, if possible upon receiving the relevant response and anyhow within fifteen days
of said response.