Sensitive data in Italian data protection law

Substantial public interest

Article 2-sexies(2)(a-z) of the Italian Data Protection Code specifies what constitutes the reasons of “substantial public interest” under Article 9(2)(g) GDPR. These are, for example, access to administrative documents and civic access; citizenship, immigration, asylum, condition of the foreigner and refugee, state of refugee, monitoring of trials, pharmacovigilance, marketing authorization and importation of medicinal products and other health-related products.

Genetic, biometric and health data

Article 2-septies of the Italian Data Protection Code provides how the Italian Data Protection Authority (Garante) should adopt the safeguard measures on the processing of genetic, biometric and health data, which must be issued at minimum every 2 years. They will include security measures such as encryption and pseudonymization techniques, minimization measures, access control and other measures necessary to ensure data subjects’ rights.

Data regarding criminal convictions and offenses

Article 2-octies of the Italian Data Protection Code specifies the principles regarding the processing of data regarding criminal convictions and offenses. In principle, such data may be processed only if it is authorized by law. This provision lists also the examples when criminal data can be processed: the fulfillment of obligations and the exercise of rights under labor law; fulfillment of the obligations regarding mediation aimed at reconciling civil and commercial disputes; and the assessment, exercise or defense of a right in court.