The general conditions for the processing of personal data are given in Decree 196/03, in particular in section 3
(Data Minimisation Principle)
- Information systems and software shall be configured by minimising the use of personal data and identification data, in such a way as to rule out their processing if the purposes sought in the individual cases can be achieved by using either anonymous data or suitable arrangements to allow identifying data subjects only in cases of necessity, respectively.
which anticipates the data-protection-by-default concept of section 23 of the GDPR, and in section 11
(Processing Arrangements and Data Quality)
- Personal data undergoing processing shall be:
a) processed lawfully and fairly;
b) collected and recorded for specific, explicit and legitimate purposes and used in further processing operations in a way that is not inconsistent with said purposes;
c) accurate and, when necessary, kept up to date;
d) relevant, complete and not excessive in relation to the purposes for which they are collected or subsequently processed;
e) kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data were collected or subsequently processed.
Any personal data that is processed in breach of the relevant provisions concerning the processing of personal data may not be used.
which anticipates to a large extent the content of Article 5 of the GDPR
Principles relating to personal data processing
- Personal data must be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes shall, in accordance with Article 83(1), not be considered incompatible with the initial purposes; (“purpose limitation”);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 83(1) subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
(eb) processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”);
A major difference between the current and the new legislation is the impact that violating these requirements has on those who carry out the processing.
Under the current legislation, failure to comply with section 3 or section 11 does not appear to be sanctionable, although in practice compliance with section 3 is generally an essential condition for processing sensitive or judicial data, since the Information Commissioner’s Office always expressly refers to it in its general authorisations (and ignoring those is sanctionable).
The GDPR instead attaches fundamental importance to compliance with section 5 and with section 23, sanctioning both violations: the first is subject to administrative fines of up to 20 000 000 EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher;
and the second is subject to administrative fines of up to 10 000 000 EUR or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
It follows, for example, that the mere presence of incorrect data in a database is sanctionable. The party processing personal data should therefore refer each case to established standards and reference models, rather than inventing from scratch solutions designed to meet the regulatory requirements.
As regards keeping data accurate, the party carrying out the processing can draw on data governance solutions and data quality policies that are already imposed by law in some sectors, such as banking. The existence of sectors that have already had to meet these requirements can be an invaluable aid in identifying solutions that, with appropriate adaptations, can also be applied in other contexts.