Although the news has not attracted particular media response, the draft of the so-called Development Decree which has been circulating in the last few days would also have an impact on the protection of personal data.
Among other things art. 94 of the decree provides for nothing less than a change in the concept of personal data, adding a significant limitation on legal persons. In fact personal data would now come to mean “any information concerning a natural person and only regarding the electronic communications sector, any information concerning a legal person, body or association subscribing to an electronic communications service available to the public, provided that those persons can be identified or are identifiable even indirectly, by reference to any other information, including a personal identification number. “
Therefore the concept of interested party would also be changed. It would identify the natural person and the legal person, body or association subscribing to an electronic communications service available to the public, limited to the processing of personal data in the field of electronic communications.
Besides the debatable wording of the rule, which raises doubts about its interpretation, the theoretical framework and consequently the practical concept of personal data has been radically changed.
The innovations do not stop here, although the following are less significant.
In fact, there are also new provisions for digital prescriptions and electronic health records (Articles 129 and 130), and from 1 January 2013 school reports and certificates will be issued in an electronic format and made available on the web, by email or other digital formats (Art. 132) Leave certificates for employees whose children are off school ill will also be online (art. 131). As for transport, tickets for buses, trams or other local forms of transportation will be issued in an electronic format (Art. 137).
Finally, the draft decree contains regulations for the increase in the use of Certified email (Article 134), which must be adopted by all companies, not just those constituted in a corporate form. With regard to professionals already affected by this obligation, professional registers are also expected to publish “in any and every case” the certified email addresses of their members.
These predictions are not in fact final and we will follow their procedures and practical implications, which do however, arouse immediate interest and will soon be the subject of lively debate.
The Law Decree regarding “Prime disposizioni urgenti per l’economia” (Urgent First measures for the Economy), also called “Decreto-Sviluppo” (Development Decree), which was published in the Official Journal on May 13 and which led to much discussion of provisions concerning beach concessions, also contains several relevant amendments to the Privacy Code.
This Law Decree must be approved by parliament within 60 days of publication in the Official Gazzette, before it can be changed.
The following is a brief summary of the main changes:
Data regarding public and private bodies
The new art. 3-bis states that the processing of data regarding public and private bodies
in communications between such bodies and for administration and accountancy purposes is no longer subject to the application of the Privacy Code. So, this exemption will not include all data regarding private or public bodies but only data that matches all of the following criteria:
1) data concerning private or public bodies.
2) data used for communications between these bodies
3) data used for administrative and accountancy purposes
Therefore, as an example, invoicing data shared by companies for administrative purposes.
We would like to underline that EU Directive 46/95/EC applies only to data regarding individual persons and that in 1996 the Italian legislator made a different choice.
CVs of job seekers
CVs sent of their own free will by job seekers would no longer need to be given the information by data controllers. The information even in an unwritten form will only be required on the occasion of a first contact after CVs have been sent. In such cases, the consent of CVs senders would be no longer necessary, even if the CVs contained sensitive data.
Consent in relationships between companies
The consent to data communications between companies (in specific areas) for administrative and accountancy purposes will no longer be necessary.
Data controllers who handle as sensitive and judiciary data only that regarding their employees and collaborators and their partners and relatives will no longer be obliged to compile the document which is a particular security measure provided for by Italian law. Instead, they can present self-certification.
However we must bear in mind that self-certification also involves relevant consequences regarding responsibility according to the Criminal Code.
The Italian Privacy Authority could further simplify matters on the issue of security.
Administrative accountancy aims are precisely defined in new art. 34, sub. 1 ter.
Unwanted marketing communications
In the same way as for marketing calls, consent will no longer be necessary and the opt-out system with its register of opposition will also be extended to ordinary mail communications.