Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

posted by Laura Greco on maggio 15, 2017


(No comments)

The Italian Court of Cassation has recently been called on to deal with the issue of whether payment descriptions for bank transfers qualify as sensitive data, in cases in which they specify indemnity payments for illness or disability using the wording “allowance ex L. 210/1992”, (the law which grants allowances to parties who have suffered irreversible complications due to mandatory vaccination and blood transfusions, or in cases of decease, to their families).

The Supreme Court judges have expressed conflicting decisions in several such cases. In all the examined cases, the matter concerned the relations between the Region, which issues the allowance and authorizes the bank transfer, and the ill or disabled party’s bank, which is the recipient of the allowance on behalf of its current account holder.

In the case of the first decision dating from 2014 (judgement n. 10947 of 19th May 2014), the Court considered the payment description, which quoted the above-mentioned legislative references, as sensitive data and thus determined that both the Region and the bank had unlawfully processed personal data since they had not adopted security measures for the transmission and dissemination of said data, such as encryption techniques and non-identifiable codes, as provided for by Art. 22, 6° par. of the Personal Data Protection Code.

In the second decision (judgement n. 10280 of 20th May 2015), which is clearer and better developed than the previous one, the Supreme Court judges overturned their first approach and followed a quite different decision-making process. Firstly, they rejected the concept that payment descriptions for allowances filled out in such a way constituted sensitive data, as the law quoted provided that the recipients of these allowances could either be the parties directly affected or otherwise their families. Since the payment of the allowance did not depend on the illness of the party who actually received it, the judges concluded that the information was not sufficient to reveal the recipient’s state of health and, therefore, did not constitute sensitive data.

Secondly, according to the Supreme Court, it was not a question of the Region rendering the data transferred to the bank public, as this would have implied – in conformity with Art. 4, lett. m) of the Code – disclosure of the data to unspecified parties, whereas in this case the disclosure was only made to the bank of the current account holder who was the beneficiary of the allowance.

Furthermore, the judges considered that references to Art. 22, 6° par. of the Code were groundless, since, as correctly quoted, the adoption of encryption techniques is only required in specific cases where the data originate from directories or registries and the aim is to manage and consult them. Neither could the bank be considered to have the responsibility for adopting these measures for three different reasons: firstly, the provision is only applicable to public bodies; secondly, private entities are only obliged to adopt encryption measures in relation to sensitive data which would reveal a state of health and were processed with electronic systems, both of which conditions are missing in the present case; finally, communicating to a client of the bank’s his/her personal data does not constitute processing of personal data.

Finally, in the opinion of the Court, the role of the bank was that of the current account holder’s representative and it received the payment from the Region on his/her behalf: thus, the payment was to be considered as being directly effected by the debtor (the Region) to the creditor (the recipient of the allowance). Therefore, the Supreme Court considered both the Region’s and the bank’s conduct to be within the law and acknowledged there had been no illegal processing of personal data.

This question has recently once again been deliberated by the 1st Civil Division of the Court of Cassation, which has issued two interlocutory orders (no. 3455 and no. 3456 registered on 9th February 2017) delegating the “Sezioni Unite” (the Joint Divisions), the task of devising a solution to this conflict of case law. On this occasion the Supreme Court has abstained from expressing its own opinion one way or the other with regard to the different interpretations of case law regarding this issue, and has simply commented on the nature of payment descriptions as “sensitive data”. The Court has pointed out that, even if payment can be made both to the family and the ill or disabled party, only the latter would receive payment in instalments (whereas family would receive a lump sum). This particular method of payment would clearly identify the recipient of the payment as the victim of illness or disability and for this reason the indication of a payment in instalments would constitute sensitive data.

We will have to wait to see how the Joint Divisions will solve this conflict of case law we have just described and in particular whether they opt for a broad or restrictive interpretation of the concept of sensitive data.



posted by Giusella Finocchiaro on agosto 12, 2011


(No comments)

The recent publication of the ruling of the Italian Supreme Court (17 February-1 June 2011, No 21839) offers much food for thoughts.

The facts behind the decision seem, in their essence, very simple: one person published on the Internet the mobile phone number of another person without his consent.

Such conduct, according to the decision, falls within the crime of unlawful processing of personal data, governed by art. 167 of the Italian Code for the protection of personal data.

That the elements that constitute this kind of crime are three:

1) the process should be in violation of some specific provisions of the Code

2) there should be a specific intent, such as the will to cause harm or make a profit

3) the damage (harm) should have actually been caused.

Now, from what is stated in the decision, the data process was definitely illegal. The personal information (the phone number) had been processed, more precisely, via Internet, without consent.

This conduct, as it follows, was put in place by the offender in order to cause harm to the person and the damage was actually produced. On this point, it should be noted that the Supreme Court seems to favor the recognition of harm in re ipsa, but we’re not deepening this aspect here.

For such reasons the Supreme Court confirmed the sentence of criminal conviction.

However, while the decision seems to be correct, within the limits of the meager facts reported in the published ruling, there was an error.

Contrary to what the Court stated, the number of mobile phone is certainly not a sensitive personal data.

The two definitions of Art. 4 of the Italian Code for the protection of personal data are very clear and do not give rise to misunderstandings.

The personal data is, in short, an information attributable to an individual: thus the number of users fixed telephone, mobile telephone and the number of users.

However, “sensitive” data are only expressly and exhaustively listed in Article. 4, paragraph 1, lett. d), namely “personal data revealing racial or ethnic, religious, philosophical or other beliefs, political opinions, membership of political parties, unions, associations or organizations of a religious, philosophical, political or trade union, as well as personal data disclosing health and sex life.” Among these there is not the number of mobile phone users.

“Sensitive data” is not, in legal terms, synonymous with “confidential data”. The confidential data does not exist in the Italian law, while sensitive data is only what is listed above.

The number of mobile phone is a personal data but not sensitive one. This is a mistake that is frequently committed by non-experts.

However, this does not mean that the number of mobile phone can be treated and distributed freely by anyone: it is a personal and then for its treatment it is necessary to obtain the consent of the person involved.

If it had been sensitive data, then it would also need the authorization of the Italian Authority for the protection of personal data and the offense would be aggravated.

This error of the Supreme Court shows that the so-called privacy law is still far from being known and that the level of awareness and legal culture regarding this subject is still very low.

  • Recent comments

  • Popular posts

    • None found