Italy: Data Protection Legislation In Italy - Deadline Of June 30, 2004, Due To Expire Soon!

Last Updated: 23 June 2004
Article by Paola Sangiovanni

On June 22, 2004, the Government enacted a law decree which postpones the deadline for drafting the Security Policy Document to December 31, 2004, and the deadline for complying with the minimum security measures to March 30, 2005.

(a) Data Protection Legislation In Italy. European Directive 95/46/EC on privacy protection was implemented in Italy in 1996 by Law no. 675. This first privacy act was followed by other pieces of legislation, recently consolidated in a single code (Legislative Decree 196 of 2003, hereinafter "Privacy Code"), which came into force on January 1, 2004.

(b) Basic Principles. The purpose of the Privacy Code is to ensure that personal data are processed by respecting the rights, fundamental freedoms and dignity of the data subject (i.e., the person whose data are processed), particularly with regard to confidentiality, personal identity and the right to personal data protection. Personal data undergoing processing must be: processed lawfully and fairly; collected and recorded for specific, explicit and legitimate purposes, and used in further processing operations in a way that is not inconsistent with said purposes; accurate and, when necessary, kept up to date; relevant, complete and not excessive in relation to the purposes for which they are collected or subsequently processed; and kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data were collected or subsequently processed. The Privacy Code also mandates the so-called "principle of data minimization", i.e., the obligation to minimize intrusion into data subjects’ personal data to the extent possible, and to use either anonymous data or suitable arrangements that allow data subjects to be identified only in cases of necessity.

(c) Scope of the Privacy Code. The Privacy Code applies to the processing of personal data, including data held abroad, where the processing is performed by any entity established in Italy. Further, the Privacy Code applies to the processing of personal data by an entity established in the territory of a country outside the European Union, where said entity uses in connection with the processing equipment, whether electronic or otherwise, situated in Italy, unless such equipment is used only for purposes of transit through the territory of the European Union.

(d) Information and Consent. Before personal data are collected and processed, the interested subject providing such data must be fully informed of the purpose and the modalities of the processing, the optional or mandatory nature of the provision of the requested data and the consequence of his/her refusal to provide the requested data, the rights to which he/she is entitled pursuant to the law, the subjects to which the data may be communicated and those who are responsible for the processing. The above described information must be followed by the express consent of the interested subject. Such consent must be expressed in writing if the personal data provided fall within the category of "sensitive data", i.e., personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life.

(e) Notification. When certain specific types of data processing are performed, the data controller must file a notification with the Italian Data Protection Authority. Such notification must describe the kind of personal data processed, as well as the purpose and modalities of the processing. The notification form, which is available on the Authority’s web site, must be filled out, signed with an electronic signature and submitted on-line to the Authority.

(f) Authorization to Process Sensitive Data. If the personal data processed fall within the category of the so-called sensitive data described above, then in addition to the notification procedure, data controllers must also request an authorization from the Italian Data Protection Authority to process them. Such authorization must be obtained in advance of any collection or use of the data. The Italian Data Protection Authority has issued 7 general authorizations, which permit the processing of sensitive data within the limits set forth therein. For example, such authorizations cover, among others, the processing of sensitive data of employees.

(g) The Minimum Security Measures. The Privacy Code imposes an obligation on data processors to preserve personal data in a manner that minimizes the risk that the data may be destroyed, lost, disclosed outside the allowed instances or processed in any unlawful way. Further, the processor is under a duty to use state-of-the-art protective measures. The Privacy Code sets forth the minimum required security measures ("Minimum Security Measures"), which must be adopted by private and public entities to avoid criminal sanctions of up to two years’ incarceration or a monetary penalty of between 10,000 and 50,000 euros. Enclosure B to the Privacy Code specifies in detail the Minimum Security Measures that must be adopted for the processing, electronic or otherwise, of personal data.

(h) The Security Policy Document. Among the Minimum Security Measures required by the Privacy Code is the drafting of a security policy document ("SPD") by any person or entity that processes sensitive or judiciary data electronically. The SPD is a document that sets forth information on the type of processing to which personal data are subject, the risks affecting the data and the security measures protecting the data. The SPD must be kept in the records of the processing entity, and no notification to the Italian Data Protection Authority is required.

(i) Content of SPD. The required content of the SPD may be summarized as follows:

(i) list of types of processing of personal data;

(ii) allocation of duties and responsibilities within the organization of the data-processing entity;

(iii) analysis of risks affecting data;

(iv) measures to be adopted to preserve the integrity and availability of data, protect the areas and premises where data are kept, and safeguard their safety and accessibility;

(v) description of criteria and procedures for data recovery in case of destruction or damage;

(vi) training of the staff appointed to process data (incaricati), aimed at informing them of the risks affecting the data and the measures available to prevent damage to the data, providing basic information about the legal provisions applicable to their activities and their consequent responsibilities, and describing the means adopted by the data processor to keep these employees’ knowledge of the Minimum Security Measures up to date. This training program must be in place from the moment employees start their duties, and must be provided again whenever such duties change, or whenever any relevant change in the processing of data is introduced;

(vii) description of guidelines to guarantee that the Minimum Security Measures are followed if personal data are processed, in conformity with the Privacy Code, outside the organization of the processor;

(viii) for personal data that may reveal health status or information about the individual’s sexual life processed by an entity or professionals operating in the health sector, the processing protocol must identify criteria to encrypt or segregate such data from that individual’s other personal data.

(l) Deadline to Draft the SPD. On March 22, 2004, the Italian Data Protection Authority issued an opinion which, in light of the new provisions introduced by the Privacy Code, provided certain guidance on Minimum Security Measures and extended the deadline for adoption of SPDs from March 31 to June 30, 2004. For this year only, private companies and public bodies will have until the end of June to apply the Minimum Security Measures introduced by the Privacy Code and to draft their SPDs. It appears that the June 30, 2004 deadline will be applied both to entities which are drafting their first SPD, and to entities which are updating an SPD drafted last year. Note that an updated SPD must be drafted every year and, beginning with 2005, the deadline for the annual update of the SPD will be March 31.

(m) Other Minimum Security Measures. As mentioned above, the Privacy Code has strengthened the Minimum Security Measures to protect against the risks of destruction, intrusion and unlawful use of personal data. In addition to the protections already required by the legislation previously in force (identification code, password, antivirus, etc.), the Privacy Code specifies certain further security measures, e.g., passwords of no less than eight digits, electronic authentication, encryption mechanisms and procedures to save data. Companies should carefully evaluate their systems to ensure that they comply with the Minimum Security Measures set forth in Enclosure B to the Privacy Code.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
