THE SCOPE OF MATERIAL APPLICATION: THE LIMITS

By | Wednesday September 30th, 2015

The General Data Protection Regulation (the text of June 2015) defines the scope of material application as provided by the law in force, in observation of section 3:

“This Regulation applies to the processing of personal data, entirely or partly automated and to the processing of personal data not automated contained in a record or destined to be there.”

In particular, the scope of application of the General Data Protection Regulation is the processing of personal data. Recalling the Regulation’s definitions we have, as regards processing:

(3) ‘processing’ means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination (…) restriction, erasure or destruction;

(3a) ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

and, as regards personal data:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly (…), in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

What are the significant factors of change for those obliged to comply with the new Regulation in Italy? To understand this it is necessary to analyse the content of the definitions of the Dlgs 196/03 in force. The formulation used in Dlgs 196/03 is very wide, and a literal interpretation has the consequence of being extremely onerous for the Owners who operate in Italy.

In fact the Dlgs 196/03 considers as personal data:

a) ‘personal data’ shall mean any information relating to natural persons that are or can be identified, even indirectly, by reference to any other information including a personal identification number;

and as processing:

b) ‘processing’ shall mean any operation, or set of operations, carried out with or without the help of electronic or automated means, concerning the collection, recording, organisation, keeping, interrogation, elaboration, modification, selection, retrieval, comparison, utilization, interconnection, blocking, communication, dissemination, erasure and destruction of data, whether the latter are contained or not in a data bank;

At first sight the difference may seem slight, but under the Italian formulation some processing of personal data takes place at every moment of professional or private life, so the regulations could be applied. In fact it is necessary to recall that:

  • even if the regulation protects only persons (except as provided by Title X-Electronic Communications, which protects everybody), in reality it also applies to relations between Alpha firm and Beta firm: the only information not covered by the rules is that specifically related to firm Alpha or to firm Beta. In fact the Alpha firm will have to protect, among others, not only the personal data of its own collaborators but also the personal data of collaborators of the Beta firm, such as phone numbers or e-mail addresses. The same will be required of the Beta firm;
  • the private citizen too always has to respect, at least, section 15 “damages caused on account of the processing” and section 31 “security requirements” of Dlgs 196/03, and it would be safer to respect the entire set of rules if the data are intended for systematic communication or dissemination.

In the scope of material application provided by the new Regulation, the introduction of two different cases is the discriminating factor:

  • processing of personal data wholly or partly by automated means
  • processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

While the first point appears clear enough (presupposing an understanding of what “automated” means), the second is designed to leave wide areas of personal data processing outside protection, and something similar also emerges from whereas number 13:

13) The protection of individuals should be technologically neutral and not depend on the techniques used; otherwise this would create a serious risk of circumvention. The protection of individuals should apply to processing of personal data by automated means as well as to manual processing, if the data are contained or are intended to be contained in a filing system. Files or sets of files as well as their cover pages, which are not structured according to specific criteria, should not fall within the scope of this Regulation.

The definition of filing system contained in section 4 explains the scope of the exclusion better:

(4) ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

I think that the consequences of this limitation of protection can be very significant. We can immediately imagine many possibilities, such as disseminating personal data via street posters written by hand or with a mechanical typewriter (that is, without the use of automated processing): why should this be any different from a bill produced with a word processing program?

The definitions of the new Regulation simplify compliance for Owners who process data in Italy but, at the same time, introduce elements of ambiguity which will cause problems of univocal interpretation. The strictness of the Italian discipline, even with results that are sometimes paradoxical, certainly has the merit of leaving space for interpretation. Therefore for Owners who process data in Italy and have already applied extensive limits for personal data in compliance with current regulation, it is advisable to maintain the protection on all of their processes, regardless of whether or not they are automated.

Category: Legal framework

About Giancarlo Butti

He has dealt with ICT, organization and legislation since the early 80s, covering different roles: security manager, project manager, auditor at banking groups, consultant in security and privacy to companies of different sectors and sizes. He regularly carries out dissemination activity through articles (over 700), books (21 between books and white papers, also used as university texts; 11 collective works within the ABI LAB, Oracle Community for Security and CLUSIT), technical manuals, courses, seminars, conferences… He participates in working groups at ABI LAB on Business Continuity, Risk and GDPR, ISACA-AIEA on GDPR and 263, Oracle Community for Security, UNINFO, ASSOGESTIONI and the Committee of experts for the innovation of OMAT360. He is a member of the faculty of ABI Training. He is a partner and arbiter (proboviro) of ISACA-AIEA and a member of CLUSIT and BCI. He is certified (LA BS7799), (LA ISO IEC 27001:2013), CRISC, ISM, DPO, CBCI, AMBCI.
