The new UE Regulation on privacy introduced some rights for data subjects, such as oblivion, which have caused at the same time praise and concern (either for the effort required to Holders to guarantee them or for fear that important information can be lost, for example for the assessment of the reliability of a creditor).
In fact, already in the current legislation people have a substantial number of rights that are specified in the Dlgs 196/03 (articles 7, 8, 9 and 10).
In particular article 7 lists the rights that the parties concerned have (and only they, being excluded from the protection provided by the standard for other parties such as contractors).
The following articles 8, 9 and 10 specify:
• how people may exercise their rights
• the circumstances in which these rights cannot be exercised
• the forms in which the Holder has to give responses to the requests made by the interested parties.
The formulation of the rights of subjects is expressed in law in a not particularly clear form, but fortunately the Garante has “translated” into an intelligible form these rights, by listing them in the specific document available on its website:
These rights include:
• data access (confirmation of the existence and / or communication of the same in an intelligible form)
• knowledge of some news regarding the processing (those provided in the privacy statement written pursuant to article 13)
• Updating, correctional and integration actions on the data
• Action on data as a consequence of law violations (deletion, anonymization, blocking)
• Objection to the processing, both for legitimate reasons and for advertising purposes
• the attestation that an intervention requested on the data has been made known, also regarding its content, to those to whom the data were communicated or diffused.
The rights of interested subjects are therefore particularly wide.
Some formulations are clear in themselves, such as the right to object to the processing for advertising purposes.
More subjective is the definition of what may be legitimate reasons for which we can be opposed to a data processing; in this regard it is also useful to refer to the pronunciations that the Garante has issued over the past few years.
Possible violations of law include, for example, a data processing without the release of adequate information or without an expression of consent,
In this regard it is important to remember that these cases don’t necessarily relate to a total lack of information and consent, as just a single data processing.
The form of the Garante helps to identify specifically: the personal data, the categories of data or processing referred.
It is useful to recall that, according to what is stated in the first paragraph of Articles 8 and 9 of Decree 196/03 the exercising of rights can be executed without formalities and as far as the request for information or access to data, the request may also be made orally.
Therefore the Holder must be suitably trained to be able to answer requests to exercise the rights and must have appropriate procedures and have trained his staff.
It mustn’t be forgotten that the activities put in place to respond to requests of an interested party itself engenders an action of processing the personal data.
Paradoxically, in the case of a request by an interested party previously unknown to the Data Owner, the demand itself engenders a data processing activity.