Abstract
This chapter outlines the experiences of attempting to exercise one’s right of access in Italy. Using rich, ethnographic examples, this chapter tests how easy or difficult it is for a data subject based in Italy to obtain their personal data, firstly by locating the required information about organisations and their data controllers and secondly by submitting subject access requests to these organisations. The chapter reflects on the differences (if any) between public and private sector organisations in the process of responding to access requests as well as the role of the national Data Protection Authority in Italy.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
D.L.gs. 30 June 2003 n. 196, in G.U. 29 July 2003 n. 174 – Supplemento Ordinario n. 123.
- 2.
Art. 15, Italian Constitution.
- 3.
Art. 22, Italian Constitution.
- 4.
Art. 4, lett. (b), (c), (d), (e), D. Lgs 30 June 2003 n. 196.
- 5.
Art. 2, lett. (a), European Parliament and the Council, Directive 95/46/EC of 24.10.1995, in OJ L 281/31-39, 23.11.95.
- 6.
Art. 4, lett. (f), (g), D. Lgs 30 June 2003 n. 196.
- 7.
The data protection legislation does not provide a clear definition or any guidance on what the term ‘legitimate motive’ means. Instead, this is subject to interpretation on a case by case basis.
- 8.
Art. 13, D.L. 18.10.2012, n. 179, in G.U. 19.10.2012 n. 194/L – Supplemento Ordinario n. 245 – Serie Generale.
- 9.
Specifically, the issue concerns the electronic protection in order to avoid easy online access to “sensitive data” (as defined by the Art. 4, let. d), L. n. 196/2003 -DP Code-) or the possibility that any hacking/cracking activity on the internet could violate the software and lead to the misuse of personal data of an individual, specifically regarding the health condition of the person.
- 10.
TAR: Tribuanle Amministrativo Regionale (Administrative Regional Tribunal). It is the first instance of the administrative justice in the Italian judicial system.
- 11.
In fact, besides the salary earned by these employees and their job position described in the contract, the documents also contained an historical description of the career and private life of these people, i.e. sick-leave, leave of absence, etc.
- 12.
See Consiglio di Stato, sez. V, 17 September 2010, Sent. n. 6953; Consiglio di Stato, Sez. V, 7 September 2004, Sent. n. 5873; Consiglio di Stato, Sez. VI, 22 October 2002, Sent. n. 5814.
- 13.
The right of data protection in this context should be taken to mean the right of access to information.
- 14.
Indeed, a priori the plaintiff always declared she was not interested in those aspects of the documents for which she required access. TAR Firenze, Sez. I, 12.05.2011, Sent. n. 80, in www.giustizia-amministrativa.it/DocumentiGA/Firenze/Sezione%202/2011/201101050/Provvedimenti/201300220_01.XML (last accessed 15 June 2013).
- 15.
TAR: Tribuanle Amministrativo Regionale (Administrative Regional Tribunal). It is the first instance of the administrative justice in the Italian judicial system.
- 16.
Cass. Civile, Sez. I, 09.01.2013, Sent. n. 349, in www.ilsole24ore.com/pdf2010/SoleOnLine5/Oggetti_correlati/Documenti/Norme%20e%20Tributi/2013/01/corte-cassazione-sentenza-349-2013.pdf
- 17.
TAR: Tribunale Amministrativo Regionale (Administrative Regional Tribunal). It is the first instance of the administrative justice in the Italian judicial system.
- 18.
In the hierarchy of the Italian legal sources the Italian Constitution and its fundamental rights is part of the “primary legislation”.
- 19.
TAR Sardegna, Sez. II, 02.08.2011, Sent. n. 865, in www.giustizia-amministrativa.it/DocumentiGA/Cagliari/Sezione%202/2011//201100270/Provvedimenti/20110865_01.XML (last accessed 15 June 2013).
- 20.
Consiglio di Stato: it is the last instance (Supreme Court) of the administrative judicial system.
- 21.
In fact, the association required a list of documents, including the temporary adoption certificates of dogs to third parties (namely, individuals), definitive adoption certificates of dogs, certificates attesting the restitution of the animal to the legitimate owners, data referring to the adoption of dogs by third parties, etc.
- 22.
Regarding the fact that the censure (“omissis”) of sensitive data (identities of third parties) hampered the investigation of the association, the Consiglio di Stato explained that the suspicious activities run by the public kennels would be the subject of an ad hoc criminal proceeding, through an ex officio procedure, automatically transmitting the judicial documents, as the judges of the criminal court would be legitimate in also having access to the sensitive data for investigative and judicial reasons. Consiglio di Stato, Sez. V, 28.09.2007, Sent. n. 4999, in www.altalex.com/index.php?idnot=38736 (last accessed 15 June 2013).
- 23.
D.L.gs 30 June 2003 n. 196, in G.U. 29 July 2003 n. 174 – Supplemento Ordinario n. 123, implementation of the EU Directive 95/46/EC.
- 24.
The right of defence implies that the lawyer or the accused person can access the data referred to incoming telephone communications when they are fundamental evidences for an effective defensive strategy during a trial.
- 25.
Ced – Centro Elaborazione Dati Interforze (i.e. interforce data elaboration centre): it is a central database managed by the Minister of Interior, aimed at gathering data shared among the several security forces (i.e. national police, carabinieri, guardia di finanza, judicial police). The collected data refer to people involved in judicial police investigations and/or criminal proceedings, http://www.interno.gov.it/mininterno/export/sites/default/it/sezioni/ministero/dipartimenti/dip_pubblica_sicurezza/direzione_centrale_della_polizia_criminale/scheda_16059.html
- 26.
Testo Unico sulla Privacy (T.U. Privacy)
- 27.
Art. 30, L. 31 December 1996 n. 675, in G.U. 8 January 1997 n. 5 – Supplemento Oridnario n. 3
- 28.
Section 3.5, Provision on Video Surveillance
- 29.
Italian Personal Data Protection Code, Part III, Title I, III (Non-Judicial Remedies): http://www.privacy.it/privacycode-en.html#sect147 (last accessed 15 June 2013).
- 30.
It is worth noting that the role of the DPA changed widely from 2001 to 2010 due to the implementation of the DP Code in 2003. Additionally, the word “complaint” here refers to part III, Title I, sections 145–151 of the DP Code, namely “Administrative Remedies” and “Non-Judicial Remedies”.
- 31.
These were credit card records; banking records; mobile phone carrier records; Microsoft; Google
- 32.
However, it should be noted, that the language setting of our account is English. This may partly explain why we received files written in English and not in our mother tongue.
- 33.
References
Legislation and Case Law
Consiglio di Stato, Sez. V, 28.09.2007, Sent. n. 4999, in www.altalex.com/index.php?idnot=38736 (last accessed 15 June 2013).
Corte di Cassazione, Sez. III Pen., Sent. 01.06.2011, n. 21839, www.penale.it/page.asp?idpag=960; www.cortedicassazione.it/Documenti/21839_06_11.pdf (last accessed 15 June 2013).
D.L.gs. 30 June 2003 n. 196, in G.U. 29 July 2003 n. 174 – Supplemento Ordinario n. 123.
European Parliament and the Council, Directive 2006/24/EC of 15.03.2006 on the retention of data generated or processed in connection with the provision of public available electronic communications services or of public communication networks and amending Directive 2002/58/EC, in OJ L 105/54-63, 13.04 2006.
European Parliament and the Council, Directive 95/46/EC of 24.10.1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, in OJ L 281/31-39, 23.11.95.
TAR Firenze, Sez. I, 12.05.2011, Sent. n. 80, in www.giustizia-amministrativa.it/DocumentiGA/Firenze/Sezione%202/2011/201101050/Provvedimenti/201300220_01.XML (last accessed 15 June 2013).
TAR Sardegna, Sez. II, 02.08.2011, Sent. n. 865, in www.giustizia-amministrativa.it/DocumentiGA/Cagliari/Sezione%202/2011//201100270/Provvedimenti/20110865_01.XML (last accessed 15 June 2013).
Tribunale di Milano, Sent. 04.02.2009 and Corte d’Appello di Milano, Sent. 11.05.2010.
www.garanteprivacy.it (last accessed 15 June 2013).
Articles and Reports
Banca d’Italia (2013) http://www.bancaditalia.it/statistiche/racc_datser/intermediari/centrarisk (last accessed 15 June 2013)
Ferrucci A. (2005) Diritto di accesso e riservatezza. Osservazioni sulle modifiche alla L. 241/1990, in www.giustamm.it/new_2005/ART_2005.html (last accessed 15 June 2013).
Garante per la protezione dei dati personali (2014a) Protection Code – Legislative Decree n. 196/2003, http://www.garanteprivacy.it/web/guest/home_en/Italian-legislation#1 (last accessed 15 June 2014).
Garante per la protezione dei dati personali (2014b), Cosa è il diritto alla protezione dei dati personali?, www.garanteprivacy.it/web/guest/home/diritti/cosa-e-il-diritto-alla-protezione-dei-dati-personali (last accessed 15 June 2014).
Garante per la protezione dei dati personali (2014c), Limitazione all’esercizio dei diritti (articolo 8 del Codice), http://www.garanteprivacy.it/web/guest/home/diritti/cosa-e-il-diritto-alla-protezione-dei-dati-personali (last accessed 15 June 2014).
Garante per la protezione dei dati personali, (2014d) http://www.garanteprivacy.it/ (last accessed 15 June 2014)
Garante per la protezione dei dati personali, (2014e) Modello esercizio diritti in materia di protezione dati personali http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1089924 (last accessed 15 June 2014)
Garante per la protezione dei dati personali (2014f) How can you protect your personal data? http://www.garanteprivacy.it/home_en/rights#how (last accessed 15 June 2013 (last accessed 15 June 2014)
Garante per la protezione dei dati personali (2014g) Relazione Annuali, http://www.garanteprivacy.it/web/guest/home/attivita-e-documenti/documenti/relazioni-annuali (last accessed 15 June 2014)
Garante per la protezione dei dati personali (2014h) Personal Data Protection Code http://www.garanteprivacy.it/documents/10160/2012405/DataProtectionCode-2003.pdf (last accessed 15 June 2014)
Garante per la protezione dei dati personali (2011) Relazione 2011, http://www.garanteprivacy.it/home/attivita-e-documenti/documenti/relazioni-annuali (last accessed 15 June 2013)
Garante per la protezione dei dati personali (2010) Video Surveillance decision dated 8 April 2010: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1734653 (last accessed 15 June 2013).
Garante per la protezione dei dati personali (2005) Code of conduct and professional practice applying to information systems managed by private entities with regard to consumer credit, reliability, and timeliness of payments http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1079077 (last accessed 15 June 2013).
Garante per la protezione dei dati personali (1999), Accordo di Schengen. Audizione parlamentare del Presidente del Garante – 12 luglio 1999, http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/48005 (last accessed 15 June 2013).
Garante per la protezione dei dati personali (2003) Relazione 2003, http://www.garanteprivacy.it/home/attivita-e-documenti/documenti/relazioni-annuali (last accessed 15 June 2013)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this chapter
Cite this chapter
Fonio, C., Ceresa, A. (2017). Exercising Access Rights in Italy. In: Norris, C., de Hert, P., L'Hoiry, X., Galetta, A. (eds) The Unaccountable State of Surveillance. Law, Governance and Technology Series(), vol 34. Springer, Cham. https://doi.org/10.1007/978-3-319-47573-8_8
Download citation
DOI: https://doi.org/10.1007/978-3-319-47573-8_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-47571-4
Online ISBN: 978-3-319-47573-8
eBook Packages: Law and CriminologyLaw and Criminology (R0)