Legislative Decree 30 June 2003, n. 196

"Code regarding the protection of personal data"

published in the Official Gazette no. 174 of 29 July 2003 - Ordinary Supplement n. 123

Holder of the treatment

Pursuant to art. 13 of Legislative Decree 30 June 2003 n. 196, regarding the protection of personal data, we inform you that the data controller of the data you provide is Elettrix Srl, with registered office in Via Milano 70, Napola (TP) 91016

THE PRESIDENT OF THE REPUBLIC

HAVING REGARD to articles 76 and 87 of the Constitution;

HAVING REGARD to article 1 of the law of 24 March 2001, n. 127, delegating the Government to issue a single text on the processing of personal data;

GIVEN Article 26 of Law No. 14 of 3 February 2003, containing provisions for the fulfillment of obligations deriving from Italy's membership of the European Communities (Community Law 2002);

GIVEN the law of 31 December 1996, n. 675, and subsequent modifications;

GIVEN the law of 31 December 1996, n. 676, delegating to the Government for the protection of persons and other subjects regarding the processing of personal data;

HAVING REGARD to the Directive 95/46 / EC of the European Parliament and of the Council, of 24 October 1995, relating to the protection of individuals with regard to the processing of personal data, as well as the free circulation of data;

HAVING REGARD to Directive 2002/58 / EC of the European Parliament and of the Council, of 12 July 2002, relating to the processing of personal data and the protection of private sites in the electronic communications sector;

GIVEN the preliminary resolution of the Council of Ministers, adopted at the meeting of 9 May 2003;

HAVING HEARD the Guarantor for the protection of personal data;

ACQUIRED the opinion of the competent parliamentary committees of the Chamber of Deputies and the Senate of the Republic;

GIVEN the resolution of the Council of Ministers, adopted at the meeting of 27 June 2003;

ON THE PROPOSAL of the President of the Council of Ministers, the Minister for the public function and the Minister for Community policies, in agreement with the Ministers of Justice, Economy and Finance, Foreign Affairs and Communications;

EMANA
the following legislative decree:

PART I.
GENERAL PROVISIONS

Title I.
GENERAL PRINCIPLES

Art. 1
(Right to the protection of personal data)

1. Anyone has the right to the protection of personal data concerning him.

Art. 2
(Purpose)

1. This consolidated act, hereinafter referred to as the "code", guarantees that the processing of personal data is carried out in compliance with the fundamental rights and freedoms, as well as the dignity of the interested party, with particular reference to confidentiality, personal identity and the right to the protection of personal data.

2. The processing of personal data is governed by ensuring a high level of protection of the rights and freedoms referred to in paragraph 1 in compliance with the principles of simplification, harmonization and effectiveness of the methods envisaged for their exercise by the interested parties, as well as for the fulfillment of the obligations by the data controllers.

Art. 3
(Principle of necessity in data processing)

1. The information systems and computer programs are configured by minimizing the use of personal data and identification data, so as to exclude their processing when the purposes pursued in individual cases can be achieved through, respectively, anonymous data or appropriate methods 'that allow the data subject to be identified only in case of need'.

Art. 4
(Definitions)

1. For the purposes of this code, the following definitions apply:
a) "treatment", any operation or set of operations, carried out even without the aid of electronic tools, concerning the collection, registration, organization, storage, consultation, processing, modification, selection, the extraction, comparison, use, interconnection, blocking, communication, dissemination, cancellation and destruction of data, even if not registered in a database;
b) "personal data", any information relating to a natural person, legal person, organization or association, identified or identifiable, even indirectly, by reference to any other information, including a personal identification number;
c) "identification data", personal data that allow the direct identification of the interested party;
d) "sensitive data", personal data suitable for revealing racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious or philosophical nature , political or trade union, as well as personal data suitable for revealing the state of health and sexual life;
e) "judicial data", personal data suitable for disclosing provisions referred to in article 3, paragraph 1, letters from a) to o) and from r) to u), of Presidential Decree 14 November 2002, n. 313, in the matter of criminal records, the registry of administrative sanctions depending on a crime and related pending charges, or the quality of accused or suspected person pursuant to articles 60 and 61 of the criminal procedure code;
f) "owner", the natural person, legal person, public administration and any other body, association or organization which is responsible, even jointly with another owner, for decisions regarding the purposes and methods of processing personal data and the tools used, including the safety profile;
g) "manager", the natural person, legal person, public administration and any other body, association or organization appointed by the owner to process personal data;
h) "persons in charge", the natural persons authorized to carry out processing operations by the owner or manager;
i) "interested party", the natural person, legal person, body or association to which the personal data refer;
l) "communication", the giving knowledge of personal data to one or more specific subjects other than the interested party, the owner's representative in the State, the manager and the persons in charge, in any form, including by making them available o consultation;
m) "dissemination", the disclosure of personal data to undetermined subjects, in any form, including by making them available or consulted;
n) "anonymous data", data that originally, or following processing, cannot be associated with an identified or identifiable data subject;
o) "block", the storage of personal data with temporary suspension of any other processing operation;
p) "data bank", any organized complex of personal data, divided into one or more units located in one or more sites;
q) "Guarantor", the authority referred to in article 153, established by law no. 675,

2. For the purposes of this code, it is also understood that:
a) "electronic communication", any information exchanged or transmitted between a finite number of subjects through an electronic communication service accessible to the public. Information transmitted to the public via an electronic communications network, as part of a broadcasting service, is excluded, unless the same information is linked to an identified or identifiable receiving subscriber or user;
b) "call", the connection established by a telephone service accessible to the public, which allows two-way communication in real time;
(c) "electronic communications networks" means transmission systems, switching or routing equipment and other resources enabling the transmission of signals by cable, radio, optical fiber or other electromagnetic means, including satellite networks , fixed and circuit-switched and packet-switched terrestrial networks, including the Internet, networks used for the circular broadcasting of sound and television programs, systems for the transport of electricity, insofar as they are used to transmit signals , cable television networks, regardless of the type of information carried;
d) "public communications network" means an electronic communications network used wholly or predominantly to provide publicly available electronic communications services;
e) "electronic communications service", services consisting exclusively or mainly in the transmission of signals over electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, within the limits set out in Article 2 , letter c), of Directive 2002/21 / EC of the European Parliament and of the Council of 7 March 2002;
f) "subscriber", any natural person, legal person, entity or association party to a contract with a provider of publicly available electronic communications services for the provision of such services, or in any case recipient of such services through prepaid cards;
g) "user", any natural person who uses an electronic communications service accessible to the public, for private or commercial reasons, without necessarily being a subscriber;
h) "traffic data", any data subjected to processing for the purpose of transmitting a communication over an electronic communications network or the related invoicing;
i) "location data" means any data processed in an electronic communications network that indicates the geographic location of the terminal equipment of the user of a publicly available electronic communications service;
l) "value added service", the service that requires the processing of traffic data or location data other than traffic data, in addition to what is necessary for the transmission of a communication or related billing ;
m) "electronic mail", messages containing texts, voices, sounds or images transmitted through a public communication network, which can be stored on the network or in the receiving terminal equipment, until the recipient has become aware of them.

3. For the purposes of this code, it is also intended by:
a) "minimum measures", the set of technical, IT, organizational, logistic and procedural security measures that configure the minimum level of protection required in relation to the risks envisaged in article 31;
b) "electronic tools", processors, computer programs and any electronic or automated device with which the processing is carried out;
c) "computer authentication", the set of electronic tools and procedures for verifying, even indirectly, identity;
d) "authentication credentials", data and devices, in the possession of a person, known to him or uniquely related to him, used for computer authentication;
e) "keyword", component of an authentication credential associated with a person and this note, consisting of a sequence of characters or other data in electronic form;
f) "authorization profile", the set of information, univocally associated with a person, which makes it possible to identify which data he can access, as well as the treatments permitted to him;
g) "authorization system", the set of tools and procedures that enable access to data and the methods of processing them, according to the authorization profile of the applicant.

4. For the purposes of this code, the following definitions apply:
a) "historical purposes", the purposes of study, investigation, research and documentation of figures, facts and circumstances of the past;
b) "statistical purposes", the purposes of statistical survey or production of statistical results, also by means of statistical information systems;
c) "scientific purposes", the purposes of study and systematic investigation aimed at developing scientific knowledge in a specific sector.

Art. 5
(Object and scope of application)

1. This code governs the processing of personal data, including those held abroad, carried out by anyone established in the territory of the State or in a place subject to the sovereignty of the State.

2. This code also applies to the processing of personal data carried out by anyone who is established in the territory of a country not belonging to the European Union and uses, for the processing, instruments located in the territory of the State also other than electronic ones, unless they are used only for the purpose of transit in the territory of the European Union. In case of application of this code, the data controller designates a representative established in the territory of the State for the purposes of applying the regulations on the processing of personal data.

3. The processing of personal data carried out by natural persons for exclusively personal purposes is subject to the application of this code only if the data are intended for systematic communication or dissemination. In any case, the provisions on responsibility and data security referred to in Articles 1 and 31 apply.

Art. 6
(Discipline of the treatment)

1. The provisions contained in this Part apply to all data processing, except as provided, in relation to some treatments, by the supplementary or amending provisions of Part II.

Title II
RIGHTS OF THE INTERESTED PARTY

Art. 7
(Right to access personal data and other rights)

1. The interested party has the right to obtain confirmation of the existence or not of personal data concerning him, even if not yet recorded, and their communication in an intelligible form.

2. The interested party has the right to obtain the indication:
a) the origin of the personal data;
b) the purposes and methods of the processing;
c) of the logic applied in case of treatment carried out with the aid of electronic instruments;
d) the identity of the owner, manager and the representative appointed under article 5, paragraph 2;
e) the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them as appointed representative in the territory of the State, managers or agents.

3. The interested party has the right to obtain:
a) updating, rectification or, when interested, integration of data;
b) the cancellation, transformation into anonymous form or blocking of data processed in violation of the law, including data which need not be kept for the purposes for which the data were collected or subsequently processed;
c) the attestation that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except in the case in which this fulfillment is proves impossible or involves the use of means that are manifestly disproportionate to the protected right.

4. The interested party has the right to object, in whole or in part:
a) for legitimate reasons to the processing of personal data concerning him, even if pertinent to the purpose of the collection;
b) to the processing of personal data concerning him for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication.

Art. 8
(Exercise of rights)

1. The rights referred to in Article 7 are exercised with a request addressed without formalities to the owner or manager, also through a person in charge, to whom suitable feedback is provided without delay.

2. The rights referred to in Article 7 cannot be exercised with a request to the owner or manager or with an appeal pursuant to Article 145, if the processing of personal data is carried out:
a) based on the provisions of the decree-law of 3 May 1991, no. 143, converted, with modifications, by the law July 1991, n. 197, and subsequent amendments, regarding money laundering;
b) based on the provisions of the decree-law of 31 December 1991, n. 419, converted, with modifications, by the law 18 February 1992, n. 172, and subsequent amendments, regarding support for victims of extortion requests;
c) by parliamentary committees of inquiry established pursuant to article 82 of the Constitution;
d) by a public entity, other than public economic entities, on the basis of an express provision of the law, for exclusive purposes relating to monetary and currency policy, the payment system, the control of intermediaries and credit and financial markets, as well as the protection of their stability;
e) pursuant to article 24, paragraph 1, letter f), limited to the period during which an effective and concrete prejudice could arise for the conduct of defensive investigations or for the exercise of the right in court;
f) by providers of publicly available electronic communications services in relation to incoming telephone communications, unless it may result in an effective and concrete prejudice for the carrying out of the defensive investigations referred to in the law of 7 December 2000, n. 397;
g) for reasons of justice, in judicial offices of all levels or the Higher Council of the Judiciary or other self-governing bodies or the Ministry of Justice;
h) pursuant to article 53, without prejudice to the provisions of law no. 121.

3. The Guarantor, also upon notification of the interested party, in the cases referred to in paragraph 2, letters a), b), d), e) and f), shall act in the manner referred to in articles 157, 158 and 159 and, in cases referred to in letters c), g) and h) of the same paragraph, shall proceed in the manner referred to in Article 160.

4. The exercise of the rights referred to in Article 7, when it does not concern data of an objective nature, may take place unless it concerns the rectification or integration of personal data of an evaluation type, relating to judgments, opinions or others subjective assessments, as well as the indication of conduct to be held or decisions being taken by the data controller.

Art. 9
(Method of exercise)

1. The request addressed to the owner or manager can also be sent by registered letter, fax or e-mail. The Guarantor can identify another suitable system with reference to new technological solutions. When it concerns the exercise of the rights referred to in article 7, paragraphs 1 and 2, the request can also be formulated orally and in this case it is briefly noted by the person in charge or manager.

2. In exercising the rights referred to in Article 7, the interested party may confer, in writing, delegation or proxy to individuals, entities, associations or organizations. The interested party can also be assisted by a trusted person.

3. The rights referred to in Article 7 referring to personal data concerning deceased persons can be exercised by those who have an interest of their own, or act to protect the interested party or for family reasons worthy of protection.

4. The identity of the interested party is verified on the basis of suitable elements of evaluation, also by means of available deeds or documents or by showing or attaching a copy of an identification document. The person acting on behalf of the interested party exhibits or attaches a copy of the power of attorney, or of the proxy signed in the presence of an appointee or signed and presented together with an unauthenticated photocopy of an identification document of the interested party. If the interested party is a legal person, an organization or an association, the request is made by the natural person legitimated on the basis of the respective statutes or regulations.

5. The request referred to in article 7, paragraphs 1 and 2, is formulated freely and without constraints and can be renewed, unless there are justified reasons, after not less than ninety days.

Art. 10
(Feedback to the interested party)

1. To ensure the effective exercise of the rights referred to in Article 7, the data controller is required to adopt suitable measures aimed, in particular:
a) to facilitate access to personal data by the interested party, also through the use of specific computer programs aimed at an accurate selection of data concerning identified or identifiable individual interested parties;
b) to simplify the procedures and to reduce the time required for replying to the applicant, also in the context of offices or services in charge of relations with the public.

2. The data are extracted by the manager or persons in charge and can be communicated to the applicant also orally, or offered for viewing by electronic means, provided that in such cases the understanding of the data is easy, also considering the quality and quantity 'information. If required, the data will be transposed on paper or computer, or their transmission electronically.

3. Unless the request refers to a particular treatment or to specific personal data or categories of personal data, the reply to the interested party includes all personal data concerning the interested party however processed by the owner. If the request is addressed to a health professional or to a health organization, the provision referred to in article 84, paragraph 1 is observed.

4. When the extraction of data is particularly difficult, the response to the request of the interested party can also take place through the exhibition or delivery of copies of deeds and documents containing the personal data requested.

5. The right to obtain the communication of the data in an intelligible form does not concern personal data relating to third parties, unless the breakdown of the data processed or the deprivation of some elements makes the personal data relating to the interested party incomprehensible.

6. The communication of data is carried out in an intelligible form also through the use of an understandable handwriting. In case of communication of codes or abbreviations, the parameters for understanding their meaning are provided, also through the persons in charge.

7. When, following the request referred to in Article 7, paragraphs 1 and 2, letters a), b) and c), the existence of data concerning the interested party is not confirmed, a non-refundable expense contribution may be requested. exceeding the costs actually incurred for the research carried out in the specific case.

8. The contribution referred to in paragraph 7 cannot in any case exceed the amount determined by the Guarantor with a general provision, which can identify it on a flat-rate basis in relation to the case in which the data are processed by electronic means and the answer is provided. orally. With the same provision, the Guarantor can provide that the contribution may be requested when the personal data appear on a special support for which reproduction is specifically requested, or when, with one or more owners, a considerable use of means is determined. in relation to the complexity or entity of the requests and the existence of data concerning the interested party is confirmed.

9. The contribution referred to in paragraphs 7 and 8 is also paid by postal or bank transfer, or by payment or credit card, where possible upon receipt of the reply and in any case no later than fifteen days from such reply.

Title III
GENERAL RULES FOR DATA PROCESSING

CHAPTER I.
RULES FOR ALL TREATMENTS

Art. 11
(Methods of processing and data requirements)

1. The personal data being processed are:
a) processed lawfully and fairly;
b) collected and recorded for specific, explicit and legitimate purposes, and used in other processing operations in terms compatible with these purposes;
c) accurate and, if necessary, updated;
d) pertinent, complete and not excessive in relation to the purposes for which they are collected or subsequently processed;
e) kept in a form that allows the identification of the interested party for a period of time not exceeding that necessary for the purposes for which they were collected or subsequently processed.

2. Personal data processed in violation of the relevant regulations regarding the processing of personal data cannot be used.

Art. 12
(Codes of ethics and good conduct)

1. The Guarantor promotes within the categories concerned, in compliance with the principle of representativeness and taking into account the directive criteria of the recommendations of the Council of Europe on the processing of personal data, the signing of codes of ethics and good conduct for certain sectors, verifies compliance with laws and regulations also by examining the observations of interested parties and contributes to guaranteeing their dissemination and compliance.

2. The codes are published in the Official Gazette of the Italian Republic by the Guarantor and, by decree of the Minister of Justice, are listed in Annex A) of this code.

3. Compliance with the provisions contained in the codes referred to in paragraph 1 is an essential condition for the lawfulness and correctness of the processing of personal data carried out by private and public subjects.

4. The provisions of this article also apply to the code of ethics for the processing of data for journalistic purposes promoted by the Guarantor in the manner referred to in paragraph 1 and in article 139.

Art. 13
(Disclosure)

1. The interested party or the person from whom the personal data are collected are previously informed orally or in writing about:
a) the purposes and methods of the processing for which the data are intended;
b) the mandatory or optional nature of providing the data;
c) the consequences of any refusal to respond;
d) the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them as managers or agents, and the scope of dissemination of the data;
e) the rights referred to in article 7;
f) the identification details of the owner and, if designated, of the representative in the territory of the State pursuant to article 5 and of the person in charge. When the owner has designated more than one responsible, at least one of them is indicated, indicating the site of the communication network or the methods through which the updated list of managers is easily known. When a person in charge has been designated to reply to the interested party in case of exercise of the rights referred to in article 7, this person in charge is indicated.

2. The information referred to in paragraph 1 also contains the elements provided for by specific provisions of this code and may not include the elements already known to the person providing the data or whose knowledge may concretely hinder the completion, by a public entity, of inspection or control functions carried out for purposes of defense or security of the State or for the prevention, detection or repression of crimes.

3. The Guarantor can identify with its own provision simplified procedures for the information provided in particular by telephone assistance and information services to the public.

4. If the personal data are not collected from the interested party, the information referred to in paragraph 1, including the categories of data processed, is given to the interested party at the time of data registration or, when the their communication, no later than the first communication.

5. The provision referred to in paragraph 4 does not apply when:
a) the data are processed on the basis of an obligation established by law, by a regulation or by community legislation;
b) the data are processed for the purpose of carrying out defensive investigations pursuant to law no. 397, or, in any case, to assert or defend a right in court, provided that the data are processed exclusively for these purposes and for the period strictly necessary for their pursuit;
c) the information to the interested party involves the use of means that the Guarantor, prescribing any appropriate measures. declares manifestly disproportionate to the protected right, or proves, in the opinion of the Guarantor, impossible.

Art. 14
(Definition of profiles and personalities of the interested party)

1. No judicial or administrative act or measure that involves an evaluation of human behavior can be based solely on an automated processing of personal data aimed at defining the profile or personality of the interested party.

2. The interested party may oppose any other type of determination adopted on the basis of the treatment referred to in paragraph 1, pursuant to article 7, paragraph 4, letter a), unless the determination was adopted on the occasion of the conclusion o the execution of a contract, in acceptance of a proposal from the interested party or on the basis of adequate guarantees identified by this code or by a provision of the Guarantor pursuant to article 17.

Art. 15
(Damage caused by the treatment)

1. Anyone who causes damage to others as a result of the processing of personal data is required to pay compensation pursuant to article 2050 of the civil code.

2. Non-pecuniary damage is also refundable in case of violation of article 11.

Art. 16
(Termination of processing)

1. In the event of termination, for any reason, of a treatment, the data are:
a) destroyed;
b) transferred to another owner, provided that they are intended for processing in terms compatible with the purposes for which the data are collected;
c) kept for exclusively personal purposes and not intended for systematic communication or dissemination;
d) stored or transferred to another owner, for historical, statistical or scientific purposes, in compliance with the law, regulations, community legislation and codes of ethics and good conduct signed pursuant to article 12.

2. The transfer of data in violation of the provisions of paragraph 1, letter b), or of other relevant provisions regarding the processing of personal data has no effect.

Art. 17
(Treatment presenting specific risks)

1. The processing of data other than sensitive and judicial data which presents specific risks for the fundamental rights and freedoms, as well as for the dignity of the interested party, in relation to the nature of the data or the methods of treatment or the effects that it can determine, is admitted in compliance with measures and precautions to guarantee the interested party, where prescribed.

2. The measures and precautions referred to in paragraph 1 are prescribed by the Guarantor in application of the principles enshrined in this code, as part of a preliminary check at the beginning of the treatment, also carried out in relation to certain categories of data controllers or treatments , also following a ruling by the owner.

CHAPTER II
ADDITIONAL RULES FOR PUBLIC SUBJECTS

Art. 18
(Principles applicable to all processing carried out by public entities)

1. The provisions of this chapter concern all public entities, excluding public economic entities.

2. Any processing of personal data by public entities is permitted only for the performance of institutional functions.

3. In processing data, the public subject observes the conditions and limits established by this code, also in relation to the different nature of the data, as well as by law and regulations.

4. Except as provided in Part II for health professions and public health organizations, public entities must not request the consent of the interested party.

5. The provisions of article 25 on communication and dissemination are observed.

Art. 19
(Principles applicable to the processing of data other than sensitive and judicial data)

1. The treatment by a public subject concerning data other than sensitive and judicial data is allowed, without prejudice to the provisions of article 18, paragraph 2, even in the absence of a law or regulation that expressly provides for it.

2. Communication by a public entity to other public entities is allowed when it is required by a law or regulation. In the absence of this provision, communication is allowed when it is in any case necessary for the performance of institutional functions and can be started if the term referred to in Article 39, paragraph 2 has elapsed and the different determination indicated therein.

3. Communication by a public entity to private individuals or public economic entities and dissemination by a public entity are permitted only when provided for by a law or regulation.

Art. 20
(Principles applicable to the processing of sensitive data)

1. The processing of sensitive data by public entities is permitted only if authorized by an express provision of the law which specifies the types of data that can be processed and the operations that can be performed and the purposes of significant public interest pursued.

2. In cases where a legal provision specifies the purpose of significant public interest, but not the types of sensitive data and operations that can be performed, the processing is permitted only with reference to the types of data and operations identified and made public by the subjects who carry out the treatment, in relation to the specific purposes pursued in individual cases and in compliance with the principles referred to in Article 22, with a regulatory act adopted in accordance with the opinion expressed by the Guarantor pursuant to Article 154, paragraph 1, letter g), also on standard schemes.

3. If the processing is not expressly provided for by a legal provision, public subjects may request the Guarantor to identify the activities, among those delegated to the same subjects by law, which pursue purposes of significant public interest and for which the processing of sensitive data is consequently authorized, pursuant to article 26, paragraph 2. The processing is allowed only if the public entity also identifies and makes public the types of data and operations in the manner referred to in paragraph 2.

4. The identification of the types of data and operations referred to in paragraphs 2 and 3 is periodically updated and supplemented.

Art. 21
(Principles applicable to the processing of judicial data)

1. The processing of judicial data by public entities is permitted only if authorized by an express provision of the law or provision of the Guarantor which specifies the purposes of relevant public interest of the processing, the types of data processed and the operations that can be performed.

2. The provisions of article 20, paragraphs 2 and 4, also apply to the processing of judicial data.

Art. 22
(Principles applicable to the processing of sensitive and judicial data)

1. Public subjects conform the processing of sensitive and judicial data according to methods aimed at preventing violations of the rights, fundamental freedoms and dignity of the interested party.

2. In providing the information referred to in article 13, public subjects make express reference to the legislation that provides for the obligations or tasks on the basis of which the processing of sensitive and judicial data is carried out.

3. Public entities can only process sensitive and judicial data essential for carrying out institutional activities that cannot be fulfilled, case by case, through the processing of anonymous data or personal data of a different nature.

4. Sensitive and judicial data are collected, as a rule, from the interested party.

5. In application of article 11, paragraph 1, letters c), d) and e), public entities periodically verify the accuracy and updating of sensitive and judicial data, as well as their relevance, completeness, not excess and indispensability with respect to the purposes pursued in individual cases, also with reference to the data that the interested party provides on his own initiative. In order to ensure that sensitive and judicial data are indispensable with respect to the obligations and tasks assigned to them, public entities specifically evaluate the relationship between the data and the obligations. The data that, even following the verifications, are excessive or irrelevant or not indispensable cannot be used, except for the possible conservation, according to law, of the deed or document that contains them. Specific attention is paid to verifying the indispensability of sensitive and judicial data referring to subjects other than those to whom the services or obligations directly refer.

6. Sensitive and judicial data contained in lists, registers or databases, kept with the aid of electronic instruments, are processed with encryption techniques or through the use of identification codes or other solutions which, considering the number and the nature of the data processed make them temporarily unintelligible even to those authorized to access them and allow the data subjects to be identified only in case of need.

7. The data suitable for revealing the state of health and sexual life are kept separately from other personal data processed for purposes that do not require their use. The same data are processed in the manner referred to in paragraph 6 even when they are kept in lists, registers or databases without the aid of electronic tools.

8. The data suitable to reveal the state of health cannot be disseminated.

9. With respect to sensitive and judicial data essential pursuant to paragraph 3, public subjects are authorized to carry out only the processing operations essential for the pursuit of the purposes for which the processing is permitted, even when the data are collected in the carrying out supervisory, control or inspection tasks.

10. Sensitive and judicial data cannot be processed in the context of psycho-aptitude tests aimed at defining the profile or personality of the interested party. The comparison operations between sensitive and judicial data, as well as the processing of sensitive and judicial data pursuant to article 14, are carried out only after written annotation of the reasons.

11. In any case, the operations and treatments referred to in paragraph 10, if carried out using data banks of different owners, as well as the dissemination of sensitive and judicial data, are allowed only if provided for by express provision of the law.

12. The provisions of this article contain principles applicable, in accordance with the respective regulations, to the treatments governed by the Presidency of the Republic, the Chamber of Deputies, the Senate of the Republic and the Constitutional Court.

CHAPTER III
ADDITIONAL RULES FOR PRIVATE INDIVIDUALS AND ECONOMIC PUBLIC BODIES

Art. 23
(Consent)

1. The processing of personal data by private individuals or public economic entities is permitted only with the express consent of the interested party.

2. The consent may concern the entire treatment or one or more operations of the same.

3. Consent is validly given only if it is expressed freely and specifically with reference to a clearly identified treatment, if it is documented in writing, and if the information referred to in Article 13 has been provided to the interested party. 4. Consent is expressed in writing when the processing concerns sensitive data.

Art. 24
(Cases in which processing can be carried out without consent)

1. Consent is not required, other than in the cases provided for in Part II, when the processing:
a) it is necessary to fulfill an obligation established by law, by a regulation or by community legislation;
b) it is necessary to perform obligations deriving from a contract of which the interested party is a party or to fulfill, before the conclusion of the contract, specific requests of the interested party;
c) it concerns data coming from public registers, lists, deeds or documents that can be known by anyone, without prejudice to the limits and modalities that the laws, regulations or community legislation establish for the knowledge and publicity of the data;
d) concerns data relating to the performance of economic activities, processed in compliance with current legislation on business and industrial secrecy;
e) it is necessary to safeguard the life or physical safety of a third party. If the same purpose concerns the interested party and the latter cannot give his consent due to physical impossibility, incapacity to act or incapacity to understand or want, the consent is expressed by those who legally exercise the potesta ', or by a close relative, by a family member, by a cohabitant or, in their absence, by the manager of the facility where the person is staying. The provision referred to in article 82, paragraph 2 applies;
f) with the exclusion of dissemination, it is necessary for the purpose of carrying out the defensive investigations referred to in the law of 7 December 2000, n. 397, or, in any case, to assert or defend a right in court, provided that the data are processed exclusively for these purposes and for the period strictly necessary for their pursuit, in compliance with current legislation on business and industrial secrecy. ;
g) with the exclusion of disclosure, it is necessary, in the cases identified by the Guarantor on the basis of the principles established by law, to pursue a legitimate interest of the owner or a third party recipient of the data, also with reference to the activity of banking groups and of subsidiary or associated companies, if the fundamental rights and freedoms, dignity or legitimate interest of the data subject do not prevail;
h) with the exclusion of external communication and dissemination, it is carried out by associations, bodies or non-profit organizations, even if not recognized, in reference to subjects who have regular contacts with them or to adherents, for the pursuit of purposes determined and legitimate identified by the deed of incorporation, by the statute or by the collective agreement, and with methods of use expressly provided for with a determination made known to the interested parties at the time of the disclosure pursuant to article 13;
i) it is necessary, in accordance with the respective codes of ethics referred to in Annex A), for exclusive scientific or statistical purposes, or for exclusive historical purposes in private archives declared of considerable historical interest pursuant to article 6, paragraph 2, of the legislative decree 29 October 1999, n. 490, approving the consolidated act on cultural and environmental heritage or, according to the provisions of the same codes, in other private archives.

Art. 25
(Prohibitions on communication and dissemination)

1. Communication and dissemination are prohibited, as well as in the event of a prohibition ordered by the Guarantor or by the judicial authority:
a) with reference to personal data whose cancellation has been ordered, or when the period of time indicated in article 11, paragraph 1, letter e) has elapsed;
b) for purposes other than those indicated in the notification of the processing, where required.

2. This is without prejudice to the communication or dissemination of data requested, in accordance with the law, by police forces, judicial authorities, information and security organizations or other public entities pursuant to article 58, paragraph 2, for defense or state security purposes or for the prevention, detection or repression of crimes.

Art. 26
(Guarantees for sensitive data)

1. Sensitive data can be processed only with the written consent of the interested party and with the prior authorization of the Guarantor, in compliance with the conditions and limits established by this code, as well as by law and regulations.

2. The Guarantor communicates the decision taken on the request for authorization within forty-five days, after which failure to pronounce is equivalent to rejection. With the authorization provision, or subsequently, also on the basis of any verifications, the Guarantor can prescribe measures and precautions to guarantee the interested party, which the data controller is required to adopt.

3. Paragraph 1 does not apply to the processing:
a) data relating to adherents to religious confessions and to subjects who, with reference to purely religious purposes, have regular contact with the same confessions, carried out by the relevant bodies, or by civilly recognized entities, provided that the data are not disclosed or communicated outside the same confessions. The latter determine suitable guarantees regarding the treatments carried out, in compliance with the principles indicated in this regard with the authorization of the Guarantor;
b) data concerning the membership of trade union or trade associations or organizations to other associations, trade union or category organizations or confederations.

4. Sensitive data can be processed even without consent, subject to the authorization of the Guarantor:
a) when the processing is carried out by associations, bodies or non-profit organizations, even if not recognized, of a political, philosophical, religious or trade union nature, including political parties and movements, for the pursuit of specific and legitimate purposes identified by the 'deed of incorporation, by the statute or by the collective agreement, relating to the personal data of the members or subjects who in relation to these purposes have regular contacts with the association, institution or body, provided that the data are not communicated externally or disseminated and the entity, association or body determines suitable guarantees in relation to the treatments carried out, expressly providing for the methods of use of the data with a determination made known to the interested parties at the time of the disclosure pursuant to article 13;
b) when the processing is necessary to safeguard the life or physical safety of a third party. If the same purpose concerns the interested party and the latter cannot give his consent due to physical impossibility, incapacity to act or incapacity to understand or want, the consent is expressed by those who legally exercise the potesta ', or by a close relative, by a family member, by a cohabitant or, in their absence, by the manager of the facility where the person is staying. The provision referred to in article 82, paragraph 2 applies;
c) when the processing is necessary for the purpose of carrying out the defensive investigations pursuant to the law of 7 December 2000, n. 397, or, in any case, to assert or defend a right in court, provided that the data are processed exclusively for these purposes and for the period strictly necessary for their pursuit. If the data are suitable for revealing the state of health and sexual life, the right must be of a rank equal to that of the interested party, or consisting of a right of the personality or another fundamental and inviolable right or freedom;
d) when it is necessary to fulfill specific obligations or tasks provided for by law, by a regulation or by community legislation for the management of the employment relationship, also in the field of hygiene and safety in the workplace and of the population and social security and assistance, within the limits set by the authorization and without prejudice to the provisions of the code of ethics and good conduct referred to in article 111.

5. The data suitable to reveal the state of health cannot be disseminated.

Art. 27
(Guarantees for judicial data)

1. The processing of judicial data by private individuals or public economic entities is permitted only if authorized by an express provision of the law or provision of the Guarantor which specifies the relevant purposes of public interest of the processing, the types of data processed and operations that can be performed.

TITLE IV
SUBJECTS WHO CARRY OUT THE TREATMENT

Art. 28
(Data Controller)

1. When the processing is carried out by a legal person, a public administration or any other body, association or body, the data controller is the entity as a whole or the unit or peripheral body that exercises a completely autonomous decision-making power on the purposes and methods of processing, including the security profile.

Art. 29
(Responsible for the treatment)

1. The manager is optionally designated by the owner.

2. If designated, the person in charge is identified among subjects who, due to experience, ability and reliability, provide a suitable guarantee of full compliance with the current provisions on processing, including the safety profile.

3. Where necessary for organizational needs, multiple persons responsible can be designated, also by subdivision of tasks.

4. The tasks entrusted to the manager are analytically specified in writing by the owner.

5. The person in charge carries out the treatment by following the instructions given by the owner who, also through periodic checks, monitors the timely observance of the provisions referred to in paragraph 2 and of his own instructions.

Art. 30
(Persons in charge of processing)

1. The processing operations can only be carried out by persons in charge who operate under the direct authority of the owner or manager, following the instructions given.

2. The designation is made in writing and punctually identifies the scope of the permitted processing. The documented preposition of the natural person to a unit is also considered as such for which the scope of the treatment allowed to the employees of the unit itself is identified in writing.

Title V
SECURITY OF DATA AND SYSTEMS

CHAPTER I.
SECURITY MEASURES

Art. 31
(Safety obligations)

1. The personal data being processed are kept and controlled, also in relation to the knowledge acquired on the basis of technical progress, the nature of the data and the specific characteristics of the processing, in order to minimize, through the adoption of suitable and preventive security measures, the risks of destruction or loss, even accidental, of the data itself, of unauthorized access or treatment that is not permitted or does not comply with the purposes of the collection.

Art. 32
(Owners details)

1. The provider of an electronic communications service accessible to the public adopts, pursuant to article 31, suitable technical and organizational measures appropriate to the existing risk, to safeguard the security of its services, the integrity of traffic data, data relating to the location and electronic communications with respect to any form of use or unauthorized knowledge.

2. When the security of the service or personal data also requires the adoption of measures concerning the network, the provider of the publicly available electronic communications service shall adopt these measures jointly with the provider of the public communications network. In case of lack of agreement, at the request of one of the suppliers, the dispute is defined by the Authority for guarantees in communications in accordance with the procedures provided for by current legislation.

3. The provider of a publicly available electronic communications service shall inform subscribers and, where possible, users, if there is a particular risk of breach of network security, indicating when the risk is outside the scope of application of the measures that the supplier is required to adopt pursuant to paragraphs 1 and 2, all possible remedies and the related presumable costs. Similar information is provided to the Guarantor and the Authority for guarantees in communications.

CHAPTER II
MINIMUM SECURITY MEASURES

Art. 33
(Minimum measures)

1. Within the framework of the more general security obligations referred to in article 31, or provided for by special provisions, the data controllers are in any case required to adopt the minimum measures identified in this chapter or pursuant to article 58, paragraph 3 , aimed at ensuring a minimum level of protection of personal data.

Art. 34
(Treatments with electronic tools)

1. The processing of personal data carried out with electronic tools is allowed only if the following minimum measures are adopted, in the manner provided for by the technical specification contained in Annex B):
a) computer authentication;
b) adoption of procedures for managing authentication credentials;
c) use of an authorization system;
d) periodic updating of the identification of the scope of processing allowed to individual persons in charge of managing or maintaining electronic tools;
e) protection of electronic tools and data against illegal data processing, unauthorized access and certain computer programs;
f) adoption of procedures for the custody of safety copies, the restoration of the availability of data and systems;
g) keeping an updated security policy document;
h) adoption of encryption techniques or identification codes for certain data processing suitable for revealing the state of health or sexual life carried out by health organizations.

Art. 35
(Treatments without the aid of electronic tools)

1. The processing of personal data carried out without the aid of electronic tools is permitted only if the following minimum measures are adopted, in the manner provided for by the technical specification contained in Annex B):
a) periodic updating of the identification of the scope of the processing allowed to individual persons in charge or to organizational units;
b) provision of procedures for the proper custody of deeds and documents entrusted to the persons in charge for the performance of their duties;
c) provision of procedures for the conservation of certain documents in selected access archives and regulation of access procedures aimed at identifying the persons in charge.

Art. 36
(Adjustment)

1. The technical specification referred to in annex B), relating to the minimum measures referred to in this chapter, is periodically updated by decree of the Minister of Justice in agreement with the Minister for innovations and technologies, in relation to technical and to the experience gained in the sector.

Title VI
FULFILLMENTS

Art. 37
(Notification of processing)

1. The owner notifies the Guarantor of the processing of personal data which he intends to proceed, only if the treatment concerns:
a) genetic, biometric data or data indicating the geographical location of persons or objects via an electronic communications network;
b) data suitable for revealing the state of health and sexual life, processed for the purposes of assisted procreation, provision of health services by electronic means relating to databases or the supply of goods, epidemiological investigations, detection of mental, infectious and diffusion, seropositivity, organ and tissue transplantation and monitoring of health expenditure;
c) data suitable for revealing sexual life or the psychic sphere processed by associations, bodies or non-profit organizations, even if not recognized, of a political, philosophical, religious or trade union nature;
d) data processed with the aid of electronic tools aimed at defining the profile or personality of the interested party, or to analyze consumption habits or choices, or to monitor the use of electronic communication services with the exclusion of technically indispensable treatments to provide the same services to users;
e) sensitive data recorded in databases for personnel selection purposes on behalf of third parties, as well as sensitive data used for opinion polls, market research and other sample research;
f) data recorded in special databases managed with electronic tools and relating to the risk on economic solvency, the financial situation, the correct fulfillment of obligations, illegal or fraudulent behavior.

2. The Guarantor may identify other treatments likely to prejudice the rights and freedoms of the interested party, by reason of the relative modalities or the nature of the personal data, with its own provision also adopted pursuant to article 17. With a similar provision published in the Official Gazette of the Italian Republic, the Guarantor may also identify, in the context of the treatments referred to in paragraph 1, any treatments not likely to cause said prejudice and therefore exempt from the obligation of notification.

3. Notification is carried out with a single act even when the processing involves the transfer of the data abroad.

4. The Guarantor inserts the notifications received in a treatment register accessible to anyone and determines the modalities for its free consultation electronically, also through agreements with public entities or at its own Office. The news accessible through the consultation of the register can be treated for the exclusive purposes of application of the rules on the protection of personal data.

Art. 38
(Method of notification)

1. The notification of the treatment is presented to the Guarantor before the start of the treatment and only once, regardless of the number of operations and the duration of the treatment to be carried out, and may also concern one or more treatments with related purposes .

2. The notification is validly carried out only if it is transmitted electronically using the model prepared by the Guarantor and observing the prescriptions given by the latter, also as regards the methods of signature with digital signature and confirmation of receipt of the notification.

3. The Guarantor favors the availability of the model electronically and the notification also through agreements stipulated with authorized subjects on the basis of current legislation, including with trade associations and professional orders.

4. A new notification is required only before the termination of the processing or the change of any of the elements to be indicated in the notification itself.

5. The Guarantor can identify another suitable system for notification with reference to new technological solutions provided for by current legislation.

6. The data controller who is not required to notify the Guarantor pursuant to Article 37 shall provide the information contained in the model referred to in paragraph 2 to those who request it, unless the processing concerns public registers, lists, deeds or documents that anyone can know.

Art. 39
(Communication obligations)

1. The data controller is required to communicate the following circumstances to the Guarantor in advance:
a) communication of personal data by a public subject to another public subject not provided for by a law or regulation, carried out in any form, including by agreement;
b) processing of data suitable for revealing the state of health envisaged by the biomedical or health research program referred to in article 110, paragraph 1, first sentence.

2. The treatments subject to communication pursuant to paragraph 1 may be started after forty-five days from receipt of the communication unless otherwise determined, even later, by the Guarantor.

3. The communication referred to in paragraph 1 is sent using the model prepared and made available by the Guarantor, and transmitted to the latter electronically observing the methods of signature with digital signature and confirmation of receipt referred to in Article 38 , paragraph 2, or by fax or registered letter.

Art. 40
(General permissions)

1. The provisions of this code which provide for an authorization from the Guarantor are also applied through the issue of authorizations relating to certain categories of holders or treatments, published in the Official Gazette of the Italian Republic.

Art. 41
(Authorization requests)

1. The data controller who falls within the scope of an authorization issued pursuant to article 40 is not required to submit an authorization request to the Guarantor if the treatment he intends to carry out complies with the relevant provisions.

2. If an authorization request concerns an authorized treatment pursuant to article 40, the Guarantor may in any case provide for the request if the specific methods of treatment justify it.

3. Any request for authorization is formulated exclusively using the form prepared and made available by the Guarantor and transmitted to the latter electronically, observing the procedures for signing and confirming receipt referred to in Article 38, paragraph 2 The same request and authorization can also be sent by fax or registered letter.

4. If the applicant is invited by the Guarantor to provide information or to exhibit documents, the term of forty-five days referred to in article 26, paragraph 2, starts from the expiry date of the term set for the fulfillment requested.

5. In the presence of particular circumstances, the Guarantor may issue a temporary authorization for a fixed period.

TITLE VII
TRANSFER OF DATA ABROAD

Art. 42
(Transfers within the European Union)

1. The provisions of this code may not be applied in such a way as to restrict or prohibit the free circulation of personal data between the Member States of the European Union, without prejudice to the adoption, in accordance with the same code, of any measures in case of data transfers carried out in order to circumvent the same provisions.

Art. 43
(Transfers allowed to third countries)

1. The transfer, even temporary outside the territory of the State, by any form or means, of personal data being processed, if directed to a country not belonging to the European Union, is allowed when:
a) the interested party has given his express consent or, in the case of sensitive data, in writing;
b) it is necessary for the execution of obligations deriving from a contract of which the interested party is a party or to fulfill, before the conclusion of the contract, specific requests of the interested party, or for the conclusion or execution of a contract stipulated in favor of the interested party;
c) it is necessary to safeguard a significant public interest identified by law or regulation or, if the transfer concerns sensitive or judicial data, specified or identified pursuant to articles 20 and 21;
d) it is necessary to safeguard the life or physical safety of a third party. If the same purpose concerns the interested party and the latter cannot give his consent due to physical impossibility, incapacity to act or incapacity to understand or want, the consent is expressed by those who legally exercise the potesta ', or by a close relative, by a family member, by a cohabitant or, in their absence, by the manager of the facility where the person is staying. The provision referred to in article 82, paragraph 2 applies;
e) it is necessary for the purposes of carrying out the defensive investigations pursuant to law no. 397, or, in any case, to assert or defend a right in court, provided that the data are transferred exclusively for these purposes and for the period strictly necessary for their pursuit, in compliance with current legislation on business and industrial secrecy;
f) is carried out in acceptance of a request for access to administrative documents, or a request for information that can be extracted from a public register, list, deed or document that can be known by anyone, in compliance with the rules governing the matter;
g) it is necessary, in accordance with the respective codes of ethics referred to in Annex A), for exclusive scientific or statistical purposes, or for exclusive historical purposes in private archives declared of considerable historical interest pursuant to article 6, paragraph 2, of the legislative decree 29 October 1999, n. 490, of approval of the consolidated act on cultural and environmental heritage or, according to the provisions of the same codes, in other private archives;
h) the processing concerns data concerning legal persons, entities or associations.

Art. 44
(Other transfers allowed)

1. The transfer of personal data being processed, directed to a country that does not belong to the European Union, is also permitted when it is authorized by the Guarantor on the basis of adequate guarantees for the rights of the interested party:
a) identified by the Guarantor also in relation to guarantees given under a contract;
b) identified with the decisions provided for in articles 25, paragraph 6, and 26, paragraph 4, of Directive 95/46 / EC of the European Parliament and of the Council of 24 October 1995, by which the European Commission finds that a country does not belonging to the European Union guarantees an adequate level of protection or that some contractual clauses offer sufficient guarantees.

Art. 45
(Transfers prohibited)

1. Outside the cases referred to in articles 43 and 44, the transfer, even temporary outside the territory of the State, by any form or means, of personal data being processed, directed to a country not belonging to the European Union, is prohibited when the law of the country of destination or transit of data does not ensure an adequate level of protection for individuals. The modalities of the transfer and the foreseen treatments, the relative purposes, the nature of the data and the security measures are also evaluated.

PART II
PROVISIONS RELATING TO SPECIFIC SECTORS

TITLE I.
TREATMENTS IN THE JUDICIAL FIELD

CHAPTER I.
GENERAL PROFILES

Art. 46
(Data controllers)

1. The judicial offices of all levels, the Higher Council of the Judiciary, the other self-governing bodies and the Ministry of Justice are holders of the processing of personal data relating to the respective powers conferred by law or regulation.

2. By decree of the Minister of Justice, the non-occasional treatments referred to in paragraph 1 carried out with electronic tools, relating to central databases or interconnected between several offices or owners, are identified in Annex C) to this code. . The measures with which the High Council of the Judiciary and the other self-governing bodies referred to in paragraph 1 identify the same treatments they carry out are listed in Annex C) by decree of the Minister of Justice.

Art. 47
(Treatments for reasons of justice)

1. In case of processing of personal data carried out at judicial offices of all levels, at the Higher Council of the Judiciary, the other self-governing bodies and the Ministry of Justice, they do not apply, if the processing is carried out for reasons of justice, the following provisions of the code:
a) articles 9, 10, 12, 13 and 16, from 18 to 22, 37, 38, paragraphs from 1 to 5, and from 39 to 45;
b) Articles 145 to 151.

2. For the purposes of this code, the processing of personal data directly related to the judicial treatment of business and disputes, or which, in the matter of legal and economic treatment of judicial staff, have a direct impact on the judicial function, as well as inspective activities on offices judicialt. The same reasons of justice do not apply to the ordinary administrative-managerial activity of personnel, means or structures, when the secrecy of documents directly connected to the aforementioned treatment is not compromised.

Art. 48
(Databases of judicial offices)

1. In cases where the judicial authority of any order and degree can acquire data, information, deeds and documents from public entities in compliance with the current procedural provisions, the acquisition can also be carried out electronically. To this end, the judicial offices can make use of the standard agreements stipulated by the Ministry of Justice with public entities, aimed at facilitating the consultation by the same offices, through electronic communication networks, of public registers, lists, files and databases, in compliance with the relevant provisions and principles referred to in articles 3 and 11 of this code.

Art. 49
(Implementing provisions)

1. By decree of the Minister of Justice, n. 334, the regulatory provisions necessary for the implementation of the principles of this code in criminal and civil matters.

CHAPTER II
MINORS

Art. 50
(News or images relating to minors)

1. The prohibition referred to in article 13 of the decree of the President of the Republic 22 September 1988, n. 448, of publication and dissemination by any means of news or images suitable to allow the identification of a minor is also observed in the case of involvement in any capacity of the minor in judicial proceedings in matters other than criminal.

CHAPTER III
LEGAL COMPUTER SCIENCE

Art. 51
(General principles)

1. Without prejudice to the provisions of the procedural provisions concerning the viewing and issuing of extracts and copies of deeds and documents, the identification data of the issues pending before the judicial authorities of all levels are made accessible to those who have an interest in them. also through electronic communication networks, including the institutional site of the same authority on the Internet.

2. The sentences and other decisions of the judicial authority of every order and degree filed with the registry or secretariat are also made accessible through the information system and the institutional site of the same authority on the Internet, observing the precautions provided for in this chapter. .

Art. 52
(Identification data of the interested parties)

1. Without prejudice to the provisions concerning the drafting and content of judgments and other judicial provisions of the judicial authority of all levels, the interested party may request for legitimate reasons, with a request filed in the registry or secretariat of the 'office that proceeds before the relative grade of judgment is defined, whether it is affixed by the same registry or secretariat, on the original of the sentence or provision, an annotation aimed at precluding, in case of reproduction of the sentence or provision in any form, for the purpose of legal information in legal journals, electronic media or through electronic communication networks, the indication of the generalities and other identification data of the same interested party reported on the sentence or provision.

2. The authority which pronounces the sentence or adopts the provision shall provide at the bottom of the request referred to in paragraph 1 by decree, without further formalities. The same authority may ex officio arrange for the annotation referred to in paragraph 1 to be affixed, to protect the rights or dignity of the interested parties.

3. In the cases referred to in paragraphs 1 and 2, at the time of filing the sentence or provision, the registry or secretariat affixes and signs the following annotation, indicating the details of this article: "In case of diffusion omit the generalities and the other identification data of .... " .

4. In the event of dissemination, also by third parties, of sentences or other provisions bearing the annotation referred to in paragraph 2, or the relative legal maximums, the indication of the generalities and other identification data of the interested party is omitted. .

5. Without prejudice to the provisions of article 734-bis of the criminal code relating to persons offended by acts of sexual violence, anyone who disseminates sentences or other judicial provisions of the judicial authority of any order and degree is required to omit in any case , even in the absence of the annotation referred to in paragraph 2, the generalities, other identification data or other data also relating to third parties from which the identity of minors or of the parties in proceedings relating to relationships can be inferred even indirectly of family and status of people.

6. The provisions of this article also apply in the case of filing of the award pursuant to article 825 of the code of civil procedure. The party may make the request referred to in paragraph 1 to the arbitrators before the award is delivered and the arbitrators affix the annotation referred to in paragraph 3 to the award, also pursuant to paragraph 2. The arbitration panel established at the arbitration chamber for public works pursuant to article 32 of law no. 109, provides in a similar way in the event of a request by a party.

7. Apart from the cases indicated in this article, the diffusion in any form of the content, even integral, of judgments and other judicial measures is permitted.

TITLE II
TREATMENT BY POLICE FORCES

CHAPTER I.
GENERAL PROFILES

Art. 53
(Application scope and data controllers)

1. To the processing of personal data carried out by the Data Processing Center of the Department of Public Security or by the police on the data intended to flow into it according to the law, or by public security bodies or other public entities for the purpose of order protection and public safety, prevention, detection or repression of crimes, carried out on the basis of an express provision of the law that specifically provides for the processing, the following provisions of the code do not apply:
a) articles 9, 10, 12, 13 and 16, from 18 to 22, 37, 38, paragraphs from 1 to 5, and from 39 to 45;
b) Articles 145 to 151.

2. With a decree of the Minister of the Interior, the non-occasional treatments referred to in paragraph 1 carried out with electronic tools are identified, in annex C) to this code, and the related titles art.

Art. 54
(Methods of processing and data flows)

1. In cases where the public security authorities or the police forces can acquire data, information, deeds and documents from other subjects in compliance with the current provisions of law or regulations, the acquisition can also be carried out for via telematics. To this end, the bodies or offices concerned may make use of agreements aimed at facilitating the consultation by the same bodies or offices, through electronic communication networks, of public registers, lists, files and databases, in compliance with the relevant provisions and principles referred to in Articles 3 and 11. The standard agreements are adopted by the Ministry of the Interior, with the consent of the Guarantor, and establish the methods of connections and access also in order to ensure selective access to only the necessary data to the pursuit of the purposes referred to in Article 53.

2. The data processed for the purposes referred to in the same article 53 are kept separately from those recorded for administrative purposes that do not require their use.

3. Without prejudice to the provisions of Article 11, the Data Processing Center referred to in Article 53 ensures the periodic updating and the relevance and non-excess of the personal data processed also through authorized interrogations of the criminal record and the pending criminal record of the Ministry of Justice referred to in the decree of the President of the Republic November 14, 2002, n. 313, or other police force databases, necessary for the purposes referred to in Article 53.

4. The police bodies, offices and commands periodically verify the requirements referred to in Article 11 with reference to the data processed even without the aid of electronic instruments, and update them also on the basis of the procedures adopted by the Data Processing Center for pursuant to paragraph 3, or, for treatments carried out without the aid of electronic tools, through annotations or additions to the documents that contain them.

Art. 55
(Particular technologies)

1. The processing of personal data which involves greater risks of damage to the data subject, with particular regard to genetic or biometric databases, to techniques based on location data, to databases based on particular techniques for processing information and the introduction of particular technologies, is carried out in compliance with the measures and precautions to guarantee the interested party prescribed pursuant to article 17 on the basis of prior communication pursuant to article 39.

Art. 56
(Protection of the interested party)

1. The provisions referred to in article 10, paragraphs 3, 4 and 5, of law no. 121, and subsequent amendments, also apply, in addition to the data destined to flow into the data processing center referred to in article 53, to data processed with the aid of electronic instruments by bodies, police offices or headquarters.

Art. 57
(Implementing provisions)

1. By decree of the President of the Republic, following a resolution of the Council of Ministers, on the proposal of the Minister of the Interior, in agreement with the Minister of Justice, the methods of implementation of the principles of this code relating to the processing of data carried out are identified for the purposes referred to in Article 53 by the Data Processing Center and by police bodies, offices or commands, also to supplement and amend the decree of the President of the Republic May 3, 1982, n. 378, and in implementation of Recommendation R (87) 15 of the Council of Europe of 17 September 1987, and subsequent amendments. The methods are identified with particular regard to:
a) the principle according to which the collection of data is related to the specific purpose pursued, in relation to the prevention of a concrete danger or the repression of crimes, in particular as regards the treatments carried out for the purpose of analysis;
b) the periodic updating of data, also relating to assessments carried out on the basis of the law, the various methods relating to the data processed without the aid of electronic tools and the methods for making updates available to other bodies and offices to whom the data were previously communicated;
c) the conditions for carrying out treatments for temporary needs or connected to particular situations, also for the purpose of verifying the data requirements pursuant to Article 11, the identification of the categories of data subjects and the separate storage from other data that do not require the their use;
d) the identification of specific data retention terms in relation to the nature of the data or the tools used for their treatment, as well as the type of procedures in which they are processed or the measures are adopted;
e) the communication to other subjects, even abroad or for the exercise of a right or a legitimate interest, and their dissemination, where necessary in compliance with the law;
f) the use of particular techniques for processing and searching for information, including through the use of index systems.

TITLE III
DEFENSE AND SECURITY OF THE STATE

CHAPTER I.
GENERAL PROFILES

Art. 58
(Applicable provisions)

1. To the treatments carried out by the bodies referred to in articles 3, 4 and 6 of the law 24 October 1977, n. 801, or on data covered by a state secret pursuant to article 12 of the same law, the provisions of this code apply only to those provided for in articles 1 to 6, 11, 14, 15, 31, 33, 58, 154, 160 and 169.

2. The provisions of this code apply only to those indicated in paragraph 1, as well as to provisions of Articles 37, 38 and 163.

3. The security measures relating to the data processed by the bodies referred to in paragraph 1 are established and periodically updated by decree of the President of the Council of Ministers, in compliance with the rules governing the matter.

4. By decree of the President of the Council of Ministers, the methods of application of the applicable provisions of this code are identified with reference to the types of data, of interested parties, of executable processing operations and of persons in charge, also in relation to updating and storage.

TITLE IV
PUBLIC TREATMENTS

CHAPTER I.
ACCESS TO ADMINISTRATIVE DOCUMENTS

Art. 59
(Access to administrative documents)

1. Without prejudice to the provisions of article 60, the conditions, the modalities, the limits for exercising the right of access to administrative documents containing personal data, and the related judicial protection, remain governed by the law of 7 August 1990, no. . 241, and subsequent amendments and by the other provisions of the law on the subject, as well as by the relative implementation regulations, also for what concerns the types of sensitive and judicial data and the processing operations that can be carried out in execution of an access request. The activities aimed at the application of this discipline are considered to be of significant public interest.

Art. 60
(Data suitable for disclosing the state of health and sexual life)

1. When the processing concerns data suitable for revealing the state of health or sexual life, the processing is allowed if the legally relevant situation that is intended to be protected with the request for access to administrative documents is of a rank at least equal to the rights of the interested party, or consists of a right of personality or another right or freedom fundamental and inviolable.

CHAPTER II
PUBLIC REGISTERS AND PROFESSIONAL REGISTERS

Art. 61
(Use of public data)

1. The Guarantor promotes, pursuant to article 12, the signing of a code of ethics and good conduct for the processing of personal data from archives, registers, lists, deeds or documents held by public entities, also identifying cases in which the source of data acquisition must be indicated and providing appropriate guarantees for the association of data from multiple archives, bearing in mind the provisions of Recommendation no. R (91) 10 of the Council of Europe in relation to Article 11.

2. For the purposes of applying this code, personal data other than sensitive or judicial data, which must be included in a professional register in accordance with the law or a regulation, may be disclosed to public and private or disseminated subjects, to pursuant to article 19, paragraphs 2 and 3, also through electronic communication networks. The existence of provisions which provide for suspension or which affect the exercise of the profession may also be mentioned.

3. The professional association or board may, at the request of the person enrolled in the register who has an interest in it, integrate the data referred to in paragraph 2 with further relevant and not excessive data in relation to the professional activity.

4. At the request of the interested party, the professional body or board may also provide third parties with news or information relating, in particular, to special professional qualifications not mentioned in the register, or to the availability to take on assignments or to receive information material to scientific character also inherent in conferences or seminars.

CHAPTER III
CIVIL STATUS, REGISTRY AND ELECTORAL LISTS

Art. 62
(Sensitive and judicial data)

1. Pursuant to articles 20 and 21, the purposes relating to the keeping of the acts and registers of the civil status, of the registry offices of the population resident in Italy and of Italian citizens residing abroad, and of the electoral lists, as well as the issue of identification documents or the change of personal details.

Art. 63
(Consultation of documents)

1. The records of the civil status kept in the State Archives can be consulted within the limits established by article 107 of the legislative decree of 29 October 1999, n. 490.

CHAPTER IV
PURPOSE OF RELEVANT PUBLIC INTEREST

Art. 64
(Citizenship, immigration and status of the foreigner)

1. The purposes of applying the regulations on citizenship, immigration, asylum, status of foreigners and refugees and on refugee status are considered to be of significant public interest, pursuant to articles 20 and 21.

2. Within the scope of the purposes referred to in paragraph 1, the processing of sensitive and essential judicial data is permitted:
a) issuing and renewing visas, permits, certificates, authorizations and documents, including health documents;
b) the recognition of the right to asylum or refugee status, or the application of temporary protection and other humanitarian institutions or measures, or the implementation of legal obligations regarding migration policies;
c) in relation to the obligations of employers and workers, to reunification, to the application of the regulations in force on education and housing, to participation in public life and social integration.

3. This article does not apply to the processing of sensitive and judicial data carried out in execution of the agreements and conventions referred to in article 154, paragraph 2, letters a) and b), or in any case carried out for purposes of defense or security of the State or the prevention, detection or repression of crimes, based on an express provision of the law that specifically provides for the treatment.

Art. 65
(Political rights and publicity of organ activity)

1. Pursuant to articles 20 and 21, the purposes of applying the regulations on the subject of:
a) active and passive electorate and exercise of other political rights, in compliance with the secrecy of the vote, as well as exercising the mandate of the representative bodies or keeping the lists of popular judges;
b) documentation of the institutional activity of public bodies.

2. The processing of sensitive and judicial data for the purposes referred to in paragraph 1 is allowed to perform specific tasks provided for by laws or regulations including, in particular, those concerning:
a) carrying out electoral consultations and verifying their regularity;
b) the requests for referendums, the relative consultations and the verification of the relative regularities;
c) ascertaining the causes of ineligibility, incompatibility or forfeiture, or removal or suspension from public office, or suspension or dissolution of the bodies;
d) the examination of reports, petitions, appeals and bills of popular initiative, the activity of committees of inquiry, the relationship with political groups;
e) the designation and appointment of representatives in commissions, bodies and offices.

3. For the purposes of this article, the dissemination of sensitive and judicial data is permitted for the purposes referred to in paragraph 1, letter a), in particular with regard to the signing of lists, the presentation of candidacies, positions in organizations o political associations, institutional offices and elected bodies.

4. For the purposes of this article, in particular, the processing of sensitive and essential judicial data is permitted:
a) for the preparation of minutes and reports of the activity of representative assemblies, commissions and other collegial or assembly bodies;
b) for the exclusive performance of a control, political orientation or inspection function and for access to documents recognized by the law and regulations of the bodies concerned for exclusive purposes directly connected to the fulfillment of an elective mandate.

5. Sensitive and judicial data processed for the purposes referred to in paragraph 1 may be communicated and disseminated in the forms provided for by the respective regulations. However, the disclosure of sensitive and judicial data that is not essential to ensure compliance with the publicity principle of institutional activity is not permitted, without prejudice to the prohibition of dissemination of data suitable for revealing the state of health.

Art. 66
(Tax and customs matters)

1. Pursuant to articles 20 and 21, the activities of public entities aimed at the application, also through their concessionaires, of the provisions on taxes, in relation to taxpayers, substitutes and responsible for taxes, as well as for deductions and deductions and for the application of the provisions whose execution is entrusted to customs.

2. In addition, pursuant to articles 20 and 21, activities directed towards the prevention and repression of violations of obligations and the adoption of measures provided for by laws, regulations or community legislation are also considered of significant public interest. , as well as the control and forced execution of the exact fulfillment of these obligations, the making of refunds, the allocation of tax quotas, and those aimed at the management and sale of state properties, the inventing and qualification of the properties and to the conservation of real estate registers

Art. 67
(Control and inspection activities)

1. The purposes of:
a) verification of the legitimacy, the good performance, the impartiality of the administrative activity, as well as the compliance of said activity with the requirements of rationality, economy, efficiency and effectiveness for which they are, however, attributed by the law to public subjects control, feedback and inspection functions in relation to other subjects;
b) verification, within the limits of institutional purposes, with reference to sensitive and judicial data relating to complaints and petitions, or to acts of control or inspection referred to in Article 65, paragraph 4.

Art. 68
(Economic benefits and qualifications)

1. Pursuant to articles 20 and 21, the purposes of applying the rules on the granting, liquidation, modification and revocation of economic benefits, concessions, donations, other emoluments and authorizations are considered to be of significant public interest.

2. The treatments regulated by this article also include those indispensable in relation to:
a) the communications, certifications and information required by the anti-mafia legislation;
b) the donations of contributions provided for by the legislation on usury and victims of extortion requests;
c) the payment of war pensions or the recognition of benefits in favor of politically persecuted and inmates in extermination camps and their relatives;
d) the recognition of benefits related to civil disability;
e) the granting of grants for professional training;
f) the granting of grants, loans, donations and other benefits provided for by law, regulations or community legislation, also in favor of associations, foundations and entities;
g) the recognition of exemptions, concessions or tariff or economic reductions, deductibles, or the issue of concessions, including radio and television concessions, licenses, authorizations, registrations and other qualifications required by law, by a regulation or by community legislation.

3. The treatment may include the diffusion only in the cases in which this is indispensable for the transparency of the activities indicated in this article, in compliance with the laws, and for the purpose of supervision and control consequent to the activities themselves. , without prejudice to the prohibition of disclosure of data suitable for revealing the state of health.

Art. 69
(Honors, rewards and recognitions)

1. The purposes of applying the rules on the conferral of honors and rewards, the recognition of the legal personality of associations, foundations and bodies, including religious ones, are considered to be of significant public interest, pursuant to articles 20 and 21. to ascertain the requisites of integrity and professionalism for the appointments, for the profiles of competence of the public subject, to offices also of worship and to managerial positions of legal persons, companies and non-state educational institutions, as well as of issue and revocation authorizations or qualifications, granting of patronages, patronages and representation awards, adherence to committees of honor and admission to ceremonies and institutional meetings.

Art. 70
(Volunteering and conscientious objection)

1. The purposes of applying the rules on relations between public entities and voluntary organizations are considered to be of significant public interest, pursuant to articles 20 and 21, in particular as regards the provision of targeted contributions to their support, the keeping of general registers of the same organizations and international cooperation.

2. The purposes of application of the law of 8 July 1998, no. 230, and the other provisions of the law on conscientious objection.

Art. 71
(Sanctioning and protection activities)

1. The following purposes are considered to be of significant public interest, pursuant to articles 20 and 21:
a) application of the rules on administrative sanctions and appeals;
b) aimed at asserting the right of defense in administrative or judicial matters, including by a third party, also pursuant to article 391-quater of the criminal procedure code, or directly related to the reparation of a judicial error or in case of violation of the reasonable time limit of the trial or of an unjust restriction of personal freedom.

2. When the processing concerns data suitable for revealing the state of health or sexual life, the processing is permitted if the right to be asserted or defended, referred to in letter b) of paragraph 1, is of a rank at least equal to that of the interested party, or consists in a right of the personality or in another fundamental and inviolable right or freedom.

Art. 72
(Relations with religious bodies)

1. Pursuant to articles 20 and 21, the purposes relating to the carrying out of institutional relations with religious bodies, religious confessions and religious communities are considered to be of significant public interest.

Art. 73
(Other administrative and social purposes)

1. Social-welfare purposes are considered to be of significant public interest, pursuant to articles 20 and 21, in the context of the activities that the law assigns to a public entity, with particular reference to:
a) psycho-social support and training interventions in favor of young people or other subjects in conditions of social, economic or family hardship;
b) interventions also of medical importance in favor of needy or non self-sufficient or incapable subjects, including economic or home assistance services, remote assistance, accompaniment and transport services;
c) assistance towards minors, also in relation to legal matters;
d) psycho-social investigations relating to adoption measures, including international ones;
e) supervisory tasks for temporary assignments;
f) surveillance and support initiatives in relation to the stay of nomads;
g) interventions on architectural barriers.

2. The following purposes are also considered to be of significant public interest, pursuant to articles 20 and 21, in the context of the activities that the law assigns to a public entity:
a) management of nursery schools;
b) concerning the management of school canteens or the supply of subsidies, contributions and teaching material;
c) recreation or promotion of culture and sport, with particular reference to the organization of stays, exhibitions, conferences and sporting events or the use of real estate or the occupation of public land;
d) the assignment of housing for public housing;
e) relating to military conscription;
f) administrative police, including local ones, except for the provisions of article 53, with particular reference to hygiene services, mortuary police and controls relating to the environment, protection of water resources and defense of the soil;
g) the offices for relations with the public;
h) in the matter of civil protection;
i) to support the placement and start-up of work, in particular by local initiative centers for employment and job-desks;
l) regional and local ombudsmen.

CHAPTER V
SPECIAL LABELS

Art. 74
(Marks on vehicles and accesses to historic centers)

1. The badges issued for any reason for the circulation and parking of vehicles serving disabled people, or for transit and parking in limited traffic areas, and which must be displayed on vehicles, contain only the data necessary to identify the authorization issued and without the affixing of symbols or wordings from which the special nature of the authorization can be deduced as a result of the mere vision of the mark.

2. The details and the address of the natural person concerned are shown on the labels in ways that do not allow their direct visibility, except in the case of a request for exhibition or the need for verification.

3. The provision referred to in paragraph 2 also applies in the event of an obligation to display a copy of the vehicle registration document or other document for any reason whatsoever.