Tag Archives: personal data

Personal Data of Deceased People: Clear Indications by the Italian Data Protection Authority

Access to personal data concerning deceased people may represent an issue and a necessity, especially for their heirs. How is such kind of access to personal data currently regulated under the Italian Law (Legislative Decree n. 196/2003), as amended after GDPR?

The Italian Data Protection Authority, in its efforts to combine data protection legislation and clarity, recently issued an outline of article 2-terdecies of the Legislative Decree n. 196/2003.

  • Who is entitled to such right to access? Whoever (i) has a vested interest; (ii) acts in the interest of the deceased person (who is the “interested party” pursuant to data protection laws); (iii) acts as mandatary; or (iv) acts for worthwhile reasons of family protection.
  • To whom should the request to access data be addressed? The request should be addressed to the relevant Data Controller (i.e., the natural or legal person, public authority, agency or other body, either private or public, which determines the purposes and means of the processing of personal data), also through the Data Processor (i.e., the natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller), where appointed.
  • Which information may be requested? (i) Access to personal data of the deceased person; (ii) the purpose of processing data; (iii) which data have been communicated and the related addressees; (iv) the retention period; (v) the origin of such data and (vi) whether data are subject to an automatic decisional processing (Sections 15-22 of GDPR).
  • Do you have to pay to access data? No, it is free (unless the request is manifestly unfounded or excessive).
  • Are there any exceptions or limits? Yes, it is not possible to access data in the event it is forbidden (i) by the law or (ii) by the interested party, who released an express and unequivocal declaration addressed to the Data Controller. However, even in the latter hypothesis, third parties exercising their patrimonial rights originating from the death of the interested party cannot be prejudiced in their rights.
  • Do you have to motivate your request? No.
  • How long does it take to get a feedback on your request? Maximum one monthsince your request, except in some particular cases, as provided by GDPR.
  • What can you do if your request is refused or in lack of any feedback? You may address the Italian Data Protection Authority or the relevant court.

Access to data concerning deceased people seems to be quite easy in theory. However, balancing patrimonial rights of heirs and assessing “express and unequivocal” declarations of the deceased may prove to be more complex in practice.

Italian Data Protection Authority Authorizes the “Privacy Shield”

The Italian Data Protection Authority has authorized the transfer of personal data to the United States on the basis of the new “Privacy Shield” program, designed by the European Commission and the U.S. Department of Commerce to provide companies with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. On July 12, 2016 the European Commission deemed that the “Privacy Shield” offered adequate protection and could enable data transfers under EU legislation.

The Italian Data Protection Authority has now issued a general authorization for the processing and transfer of personal data in accordance with the “Privacy Shield” program and with the European Commission adequacy decision. The general authorization will be published today on the Official Gazette. Italian companies and multinational corporations active in Italy will therefore be able to transfer personal data to United States entities adhering to the “Privacy Shield”.

This latest decision comes after the expiration of the previous general authorization allowing the transfer of personal data to the United States pursuant to the “Safe Harbor” framework, held invalid by the Court of Justice of the European Union on October 22, 2015.

The European Commission plans to implement a continuous monitoring of the “Privacy Shield”, while at the moment it remains unclear how many business entities will seize this opportunity and join in the new program.