Treatment of personal data for the purpose: the end of the protection

By | Wednesday March 2nd, 2016

In my courses on privacy I’m fond of saying that the Italian regulation protects against gossip. It is a friendly way of highlighting something that is not well known: the Privacy Code must be respected by all citizens, who are not only protected persons but must themselves respect the privacy policy.

In fact, Legislative Decree (d.lgs.) 196/03 states in Section 5 (Subject-Matter and Scope of Application):

  1. This Code shall only apply to the processing of personal data carried out by natural persons for exclusively personal purposes if the data are intended for systematic communication or dissemination. The provisions concerning liability and security referred to in Sections 15 and 31 shall apply in any case.

So anyone processing personal data, even the ordinary citizen, is required to adopt appropriate security measures to protect them and is civilly liable, under Article 15, for damage resulting from the processing of personal data.

However, the most important aspect, and the real protection, is the fact that no one, not even your spouse, can publish your photos on a website or talk about you in public without your consent. This is because both cases are dissemination of personal data, to which the entire Privacy Code is fully applicable, even for private citizens.

So before anyone can talk about you in public or publish your photo, they must give you an information notice and ask your permission (at least in theory). Otherwise they are liable, on the one hand, to the administrative and criminal sanctions of the Code and, on the other, to possible compensation for damage resulting from their behavior. This is therefore a very strong protection, though perhaps little known and rarely used. This protection has been guaranteed by the new EU Regulation.

In fact, Article 2 (Material scope) of the Regulation states:

2. This Regulation does not apply to the processing of personal data:

(d) by a natural person in the course of a purely personal or household activity;

What does all this mean? Can anyone publish your photos or talk about you as long as they do it on their profile on a social network or on their own website? Recital number 15 seems to go in this direction.

(15) This Regulation should not apply to processing of personal data by a natural person in the course of a purely personal or household activity and thus without a connection with a professional or commercial activity. Personal and household activities could include correspondence and the holding of addresses, or social networking and on-line activity undertaken within the context of such personal and household activities. However, this Regulation should apply to controllers or processors which provide the means for processing personal data for such personal or household activities.

Certainly, compared with the clear wording of the above-mentioned article of the Italian Privacy Code, the new EU Regulation leaves too much scope for interpretation, here as on many other points.

The EU Regulation has put special emphasis on the introduction of safeguards such as the right to erasure (“right to be forgotten”), but little has been said about the protections that, compared to the current Italian Privacy Code, will be more difficult to implement.

Category: Legal framework

About Giancarlo Butti

He has dealt with ICT, organization and legislation since the early 80s, covering different roles: security manager, project manager, auditor at banking groups, and consultant in security and privacy to companies of different sectors and sizes. He regularly carries out dissemination activity through articles (over 700), books (21 between books and white papers, also used as university texts; 11 collective works within the ABI LAB, Oracle Community for Security and CLUSIT), technical manuals, courses, seminars, conferences… He participates in working groups at ABI LAB on Business Continuity, Risk and GDPR, ISACA-AIEA on GDPR and 263, Oracle Community for Security, UNINFO, ASSOGESTIONI and the Committee of experts for the innovation of OMAT360. He is a member of the faculty of ABI Training. He is a partner and proboviro of ISACA-AIEA and a member of CLUSIT and BCI. He is certified (LA BS7799), (LA ISO IEC 27001:2013), CRISC, ISM, DPO, CBCI, AMBCI.
