PROCESSING OF SPECIAL CATEGORIES OF DATA

Article 22
(Sensitive data)

1. Personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade-unions, associations or organizations of a religious, philosophical, political or trade-unionistic character, as well as of health conditions and sex life may be processed only if the data subject gives his consent in writing, subject to authorization by the Garante.

2. The Garante shall communicate its decision concerning the request for authorization within thirty days; in default of such communication at the expiry of said term, the request shall be regarded as dismissed. Along with the authorization or thereafter, based also on appropriate checks, the Garante may provide for measures and precautions in order to safeguard the data subject, which the controller shall be bound to apply.

3. Processing of the data as per paragraph 1 by public bodies, apart from profit-seeking public entities, shall be allowed only where expressly authorised by a law specifying the data that may be processed, the operations that may be performed and the particularly important instance of public interest served by the processing. Failing an express authorization provided for by law, and apart from the cases referred to in the legislative decrees amending and supplementing this Act in pursuance of Act no. 676 of 31.12.96, public entities may request the Garante to determine, until this is specified by law, the activities that serve particularly important instances of public interest among those they are required to carry out under the law. Processing of the data referred to in paragraph 1 shall be authorized with regard to said activities in pursuance of paragraph 2 above.

4. Personal data allowing the disclosure of health conditions and sex life may be processed upon authorization by the Garante if processing is necessary for carrying out the investigations referred to in article 38 of the implementing, coordination and transitional provisions of the Criminal Procedure Code as approved by legislative decree no. 271 of 28 July 1989, subsequently amended, or else for exercising or defending a right of a level equal to the data subject's one before a judicial authority, provided that the data are processed exclusively for said purposes and for no longer than is necessary therefor. The Garante shall lay down the measures and safeguards referred to in paragraph 2 and promote the adoption of a code of conduct in pursuance of para. 1, subheading h), of article 31. Article 43(2) shall further apply.

Article 23
(Medical data)

1. Health professionals and public health institutions may, even without being authorised by the Garante, process personal data disclosing health exclusively with regard to the data and operations required in order to safeguard the data subject's bodily integrity and health. Where the selfsame purposes concern a third party or the public as a whole and the data subject fails to give his consent, the data may be processed upon authorization by the Garante.

2. Personal data disclosing health may be communicated to the data subject or else to the entities referred to in paragraph 1-ter only by a physician who must have been designated either by the data subject or by the controller.

3. The authorization as per paragraph 1 shall be granted, except in cases of special urgency, after consulting the Higher Council for Health Care [Consiglio Superiore di Sanità]. It shall be prohibited to communicate data obtained in breach of the limitations laid down in said authorization.

4. Dissemination of data disclosing health shall be prohibited, except where it is necessary for the prevention, detection or control of offences, subject to compliance with the provisions applying to this sector.

Article 24
(Data concerning the measures as per article 686
of the Criminal Procedure Code)

1. Processing of personal data allowing the disclosure of measures as per para. 1, subheadings a) and d), 2 and 3 of article 686 of the Criminal Procedure Code shall be permitted only where expressly authorized by a law or an order of the Garante specifying the reasons of substantial public interest underlying such processing, the data to be processed and the operations that may be performed.

Article 25
(Processing of specific data within the scope of the journalistic profession)

1. The provisions concerning data subject's consent and authorization by the Garante as well as the limitations laid down in article 24 shall not apply if the processing of the data as per articles 22 and 24 is carried out within the scope of the journalistic profession and for the sole purposes related thereto. Journalists shall comply with the limitations imposed on freedom of the press, particularly as regards the material character of the information as related to facts of public interest, without prejudice to the possibility of processing the data concerning circumstances or events that have been made known either directly by the data subject or on account of the latter's public conduct.

2. The Garante shall encourage, in accordance with the arrangements laid down in para. 1, subheading h), of article 31, the adoption of a specific code of conduct by the National Council of the Press Association as regards processing of the data as per paragraph 1 of this article within the scope of the journalistic profession; such code shall include measures and provisions to safeguard data subjects as appropriate in respect of the nature of the data, particularly as regards those disclosing health and sex life. In the course of drawing up said code, or thereafter, the Garante in cooperation with the Council shall lay down measures and provisions to safeguard the data subjects, which the Council shall have to adopt. The Garante shall be responsible for having the code published in the Official Journal; the code shall enter into force fifteen days after its publication.

3. Where the code of conduct as per paragraph 2 is not adopted by the National Council of the Press Association within six months of the proposal submitted by the Garante, it shall be adopted in its stead by the Garante and be effective until a different code is adopted as required by paragraph 2. Upon infringement of the provisions laid down in the code of conduct, the Garante may prohibit the processing under para. 1, subheading l), of article 31.

4. The code referred to in para. 2 and 3 shall also include provisions relating to personal data other than those mentioned in articles 22 and 24. The code may lay down simplified arrangements for providing the information pursuant to article 10.

4-bis. The provisions of this Act concerning the exercise of the journalistic profession shall also apply to the processing carried out by persons included in the list of free-lance journalists or in the roll of trainee journalists as per articles 26 and 33 of Act no. 69 of 03.02.63, and to any temporary processing carried out exclusively for the purposes of publication or occasional circulation of articles, essays and other intellectual works.

Article 26
(Data relating to legal persons)

1. Processing and discontinuation of the processing of data relating to legal persons, bodies or associations shall not be subject to notification.

2. Article 28 shall not apply to data relating to legal persons, bodies or associations.

CHAPTER V

PROCESSING SUBJECT TO SPECIFIC PROVISIONS

Article 27
(Processing by public bodies)

1. Except as provided for in paragraph 2, processing of personal data by public entities other than profit-seeking public bodies shall be permitted exclusively for carrying out the functions conferred by law on such bodies, in compliance with the limitations set forth by laws and regulations.

2. Communication and dissemination of processed data to public entities other than profit-seeking public bodies shall be permitted if this is envisaged by laws or regulations or is anyhow necessary for carrying out the functions conferred by law on such bodies. In the latter case, the Garante must be preliminarly informed as required by para. 2 and 3 of article 7 and may prohibit, by means of a grounded provision, communication or dissemination in breach of this Act.

3. Communication and dissemination of personal data by public entities to private individuals or profit-seeking public bodies shall be only permitted in compliance with laws or regulations.

4. The organizational criteria applying to public administration as per article 5 of legislative decree no. 29 of 3 February 1993 shall be implemented in compliance with the provisions of this Act.

Article 28
(Transfer of personal data across national borders)

1. Cross-border transfer of personal data undergoing processing, temporarily or not, in any form and by any means whatsoever, shall have to be notified in advance to the Garante if the country of destination is not a Member State of the European Union or the transfer concerns the data as per articles 22 and 24.

2. Said transfer may be carried out no earlier than fifteen days after the date of notification; the term shall be of twenty days where the transfer concerns any of the data as per articles 22 and 24.

3. The transfer shall be prohibited where the laws of the country of destination or transit do not ensure an adequate level of protection of individuals or, in respect of the data as per articles 22 and 24, a protection level which is equal to that provided by Italian laws. Account shall also be taken of the methods used for the data transfer and the proposed processing, of the purposes thereof, the nature of the data and the relevant security measures.

4. Transfer shall be anyhow permitted:

a) if the data subject has given his consent either expressly or, where the transfer concerns the data as per articles 22 and 24, in writing;

b) if it is necessary for the performance of obligations resulting from a contract to which the data subject is a party, or for gathering information at the data subject's request prior to entering into a contract, or for the conclusion or performance of a contract made in the interest of the data subject;

c) if it is necessary for safeguarding a specially important public interest as defined by laws or regulations or else specified in pursuance of articles 22(3) and 24, where the transfer concerns any of the data mentioned therein;

d) if it is necessary for carrying out the investigations referred to in article 38 of the implementing, coordination and transitional provisions of the Criminal Procedure Code as approved by legislative decree no. 271 of 28 July 1989, subsequently amended, or else for the exercise or defence of a legal claim, provided that the data are transferred exclusively for said purposes and for no longer than is necessary therefor;

e) if it is necessary to safeguard life or bodily integrity either of the data subject or of a third party, and the data subject cannot give his consent because of physical or legal incapacity or mental disorder;

f) if it is carried out in response to a request for access to administrative documents or for information included in a public register, list, act or document which are publicly available, in compliance with the provisions applying to this subject-matter;

g) if it is authorized by the Garante on the basis of adequate guarantees for the data subject's rights, as also resulting from contractual clauses;

5. The prohibition as per paragraph 3 above may be challenged pursuant to paragraphs 6 and 7 of article 29.

6. This article shall not apply to the transfer of personal data carried out within the scope of the journalistic profession and for the sole purposes related thereto.

7. The notification as per paragraph 1 of this article shall be given pursuant to article 7 and entered in the relevant section of the register as per paragraph 1, subheading a), of article 31. This notification may be given together with the one referred to in article 7.

CHAPTER VI

ADMINISTRATIVE AND JUDICIAL REMEDIES

Article 29
(Remedies)

1. The rights as per paragraph 1 of article 13 may be enforced by referring the case either to a judicial authority or to the Garante. Referral of the case to the Garante shall not be permitted if an action regarding the same matter and between the same parties has already been brought before a judicial authority.

2. Except where the running of time would cause imminent and irreparable harm to a person, referral to the Garante shall be permitted only after five days from the date on which an application was filed with the processor regarding the same matter. Referral to the Garante shall prevent an action from being brought by the same parties and for the same matter before a judicial authority.

3. If the case is referred to the Garante, data controller, processor and data subject shall have the right of being heard, personally or through a special agent, and of submitting pleadings or documents. The Garante may order, even ex officio, that a technical assessment be carried out.

4. Having gathered the necessary information, the Garante shall order by a decision with a statement of reasons, if the complaint is found to be grounded, that the controller and the processor abstain from the unlawful behaviour, also designating the remedies to enforce the data subject's rights and fixing a term for their implementation. The order shall be communicated without delay to the parties concerned by the authority"s Office. If no decision is rendered within thirty days of the date of referral, the complaint shall have to be regarded as dismissed.

5. If so required by the specific case, the Garante may provisionally order the partial or total blocking of some of the data, or the immediate interruption of one or more processing operations. Such order shall cease to be effective if the decision mentioned under paragraph 4 is not rendered within the ensuing twenty days and may be challenged together with said decision.

6. The controller or data subject may challenge the order or the dismissal referred to in paragraph 4 before the Court of the controller's place of residence, within thirty days of the date of communication of the order or dismissal. Challenging shall not suspend enforcement.

7. The Court shall deal with the case as provided for by articles 737 and subsequent ones of the Civil Procedure Code, even by derogating from the prohibition as per article 4 of Act no. 2248 of 20 March 1865, annex E), and may suspend, on application, enforcement of the measures. The order issued by the Court may be challenged solely before the Court of Cassation.

8. Ordinary judicial authorities shall be competent to decide on all disputes, including those which concern granting of the authorization as per paragraph 1 of article 22 or the enforcement of this Act.

9. Non-pecuniary damage shall entitle to compensation even upon infringement of article 9.

CHAPTER VII

GARANTE
FOR THE PROTECTION OF PERSONAL DATA

Article 30
(Garante)

1. The Garante for the protection of personal data is hereby set up.

2. The Garante shall be empowered to act autonomously and independently in its decisions and assessments.

3. The Garante shall be a body composed of four members, of whom two shall be elected by the Chamber of Deputies and two by the Senate through a specific voting procedure. The members thus elected shall appoint their chairman, who shall have the casting vote in the case where votes are equal. The members shall be persons ensuring independence and with proven experience in the field of law or computer science; experts from both sectors shall have to be included.

4. Chairman and members shall hold office for four years; their appointment shall not be renewable more than once. For the entire term of their office, chairman and members shall not be allowed - under penalty of losing office - to carry out professional or advisory activities, or to act as managers or be employees of public or private bodies or hold elective offices.

5. Once chairman and members have accepted their appointment, if they are employees in the public administration or judges/prosecutors not yet retired, they shall be assigned to the temporary staff; if they are professors at an University, they shall be put on leave of absence with no allowances as per article 13 of Presidential decree no. 382 of 11 July 1980 as subsequently amended. Staff members who have been assigned to the temporary staff or put on leave of absence may not be replaced.

6. The chairman shall be entitled to an allowance not exceeding the one paid to the judge presiding over the Court of Cassation (Corte di Cassazione). The members shall be entitled to an allowance not exceeding two-thirds of that to which the chairman is entitled. The aforementioned allowances shall be determined pursuant to the regulations as per article 33(3) in such a way as to be included in the ordinary budget.

Article 31
(Duties of the Garante)

1. The duties of the Garante shall be:

a) setting up and keeping a general register of processing operations based on the notifications received;

b) verifying whether data processing is carried out in compliance with laws and regulations in force as well as with said notification;

c) informing controllers or processors as to the changes which are necessary for the processing to comply with the provisions in force;

d) receiving reports and complaints lodged either by data subjects or by associations representing the latter, in respect of the infringement of laws or regulations, and taking steps as appropriate with regard to the complaints lodged pursuant to article 29;

e) taking the measures provided for by laws or regulations;

f) checking on all cases of termination of a processing, regardless of the cause;

g) reporting any acts, amounting to offences to be prosecuted ex officio, with which it has become acquainted in the performance of its duties or by reason thereof;

h) encouraging, within the categories concerned and in conformity with the principle of representation, the drawing up of codes of ethics and conduct for specific sectors, checking on their compliance with laws and regulations by also taking account of the considerations made by the subjects concerned, and contributing to the adoption of and compliance with such codes;

i) disseminating information among the public as to the laws governing this subject-matter and the purposes thereof as well as regarding the data security measures referred to in article 15;

l) prohibiting the processing of data, in whole or in part, or blocking such processing if there is an actual risk that it may adversely affect one or more of the data subjects, having regard to the nature of the data or the arrangements applying to the processing or the effects thereof;

m) informing the Government of the need for introducing legislative measures as required by the developments in this sector;

n) drawing up a yearly report on the activity performed and the implementation of this Act, which shall be submitted to Parliament and the Government by the 30th of April of the year following that to which the report refers;

o) as designated authority for the purposes of international cooperation, pursuant to article 13 of Convention no. 108 on the protection of individuals with regard to the automated processing of personal data, adopted in Strasbourg on 28 January 1981 and enforced in Italy by Act no. 98 of 21 February 1989, carrying out the assistance activity mentioned under Chapter IV of aforesaid Convention;

p) supervising the processing as per Article 4 and checking, also in response to the data subject's request, on its compliance with the laws or regulations in force.

2. The Chairman of the Council of Ministers and each Minister shall consult the Garante when drawing up regulations and administrative measures which may concern the sectors to which this Act applies.

3. The register referred to in paragraph 1, subheading a), of this article shall be kept as provided for in paragraph 5 of article 33. Within one year of its setting up, the Garante shall make suitable agreements with provinces and, possibly, other public bodies in order to allow searching the data contained in the aforesaid register by means of at least a computer terminal to be located in each province - preferably within the premises of the public relations department referred to in Article 12 of legislative decree no. 29 of 3 February 1993, as subsequently amended.

4. The prohibition as per subheading l) of paragraph 1 may be challenged pursuant to paragraphs 6 and 7 of article 29.

5. The Garante and the Authority for information technology in public administration shall cooperate in the performance of the relevant duties; to that end, each shall invite the chairman of the other one, or a member delegated by the latter, to take part in its meetings and contribute to the analysis of issues of common interest included in the agenda. Each may further request the cooperation of specialized staff working with the other authority.

6. Paragraph 5 shall also apply to the relationships between the Garante and the authorities competent to supervise crediting, insurance, broadcasting and publishing activities.

Article 32
(Checking and investigation)

1. In the performance of its duties, the Garante may request the processor, the controller, the data subject or a third party to provide such information and documents as may be necessary.

2. The Garante may order - availing itself, if necessary, of the cooperation of other public authorities - accesses to the data banks or other investigations and controls in the places where the processing is carried out or where information is to be gathered for supervisory purposes, whenever this is necessary to check on compliance with the provisions relating to the processing of personal data.

3. The investigations as per paragraph 2 shall be ordered upon authorization by the presiding judge of the Court having territorial competence on the place of investigation; said judge shall promptly take steps as regards the request of the Garante by issuing an order with a statement of reasons. The relevant performance modalities shall be set forth in the regulations referred to in article 33(3).

4. Those who are involved in the said investigations shall have to allow their being carried out.

5. This article shall be without prejudice to article 220 of the implementing, coordination and transitional provisions of the Criminal Procedure Code, as approved by legislative decree no. 271 of 28 July 1989.

6. With regard to the processing as per Article 4 and Article 14(1), the investigations shall be carried out by the agency of a member designated by the Garante. Should the processing fail to comply with the laws or regulations in force, the Garante shall point out the appropriate changes and additions to the processor or controller and verify that they are implemented. Where the request for the investigations was made by the data subject, the latter shall be informed of its outcome unless this is contrary either to the provisions of paragraph 4 of article 10 of Act no. 121 of 1 April 1981, as replaced by para. 1 of article 42 of this Act, or to reasons concerning the State defense or security.

7. The investigations as per paragraph 6 may not be committed to a third person. Where necessary on account of the specific nature of the checking, the member designated as above may be assisted by specialized staff who shall be subject to professional secrecy rules as per Article 33(6). All acts and documents, once acquired, shall be kept in such a way as to ensure their confidentiality and may be disclosed to the chairman and members of the Garante as well as,where necessary for the performance of the duties of such authority, to a limited number of employees in the relevant department, to be designated by the Garante pursuant to criteria laid down in the regulations as per Article 33(3). With regard to investigations into the bodies and data as per Article 4(1), subheading b), the designated member shall inspect the relevant acts and documents and report on them orally during the meetings of the Garante.

Article 33
(Office of the Garante)

1. The Garante shall be the head of an office including, in the initial implementing stage of this Act, State employees and employees of other public administrations; said employees shall be appointed to a temporary position on the conditions of the respective jurisdictions, while their functions at the office of the Garante shall be regarded for all legal purposes as equal to those performed in their respective administrations of origin. The staff shall include no more than forty-five employees, as designated, on proposal of the Garante, by decree of the Chairman of the Council of Ministers in agreement with the Ministers of the Treasury and of the Civil Service within ninety days of the date of election of the Garante. The Secretary General may be a member of the ordinary or administrative judiciary.

1-bis. An establishment table for the staff of the Garante is hereby set up. The Garante shall determine by its own regulations: a) career patterns and recruitment arrangements in pursuance of the procedure laid down in Article 36 of legislative decree no. 29 of 03.02.93, as subsequently amended; b) arrangements for inclusion into said establishment table of the staff already employed on the date of entry into force of above regulations; c) staff regulations and salaries by having regard to the provisions laid down in Act no. 249 of 31.07.97 and, in respect of managerial staff, in Article 19(6) of said legislative decree no. 29 as replaced by Article 13 of legislative decree no. 80 of 31.03.98, also taking account of specific functional and organisational requirements. The regulations shall be published in the Official Journal. Pending the general harmonisation of the salary conditions applying to independent administrative authorities, the staff of the Garante shall be granted eighty per cent of the salary paid to the staff employed by the Authority for safeguards in telecommunications. With regard to the period from the 8th of May 1997 up to the date of entry into force of said regulations, the allowance referred to in Article 41 of Presidential Decree no. 231 of 10.07.91 and granted to the staff already employed shall be left unprejudiced. The difference between the new salary and that already applying to staff, including said functional allowance, shall also be paid with regard to the period from the 1st of January 1998 up to the date of entry into force of said regulations.

2. The operational expenses for the office of the Garante shall be borne by a fund set up for this purpose in the national budget and included as a specific item in the budget of the Ministry of the Treasury. The statement of expenses shall undergo the control of the State Auditors" Department (Corte dei Conti).

3. In the initial implementing stage of this Act, the rules regarding organization and functioning of the office as well as collection of office charges and management of expenses, even by departing from the provisions applying to national income accounting, shall be adopted by a Presidential decree to be issued within three months of the date of entry into force of this Act, following a resolution of the Council of Ministers, after having heard the Council of State, on proposal of the Chairman of the Council of Ministers in agreement with the Ministers of the Treasury, of Justice and for Home Affairs, and with the consent of the Garante. Said decree shall lay down the allowance referred to in Article 30(6) and also include the provisions governing the proceeding before the Garante as per paragraphs 1 to 5 of article 29, in such a way as to ensure both an expeditious proceeding and full compliance with adversarial rules. The above decree shall further include the provisions governing the exercise of the rights referred to in article 13 and the notification as per article 7 via computerised or magnetic media, or through registered letter with notice of receipt or any other suitable means. The Council of State shall deliver its opinion concerning the draft regulations within thirty days of the receipt of the relevant application, after which date the regulations shall be adopted in any case.

4. Where necessary because of the technical or sensitive nature of the subject-matter, the Garante may be assisted by consultants, who shall be paid in accordance with current professional fees or else hired on a temporary basis for a period not in excess of two years, the hiring contract being renewable twice only.

5. In the performance of its duties, the office of the Garante may use computer processing systems and telematic equipment either of its own or, without prejudice to the safeguards provided for in this Act, belonging to the Authority for information technology in the public administration or, where not available otherwise, to public bodies in accordance with specific agreements.

6. Staff and consultants working for the office of the Garante shall be subject to secrecy rules as regards the information to which they have access, in the performance of their duties, regarding data banks and processing operations.

CHAPTER VIII

PENALTIES

Article 34
(Failure to notify or incorrect notification)

1. Whoever fails to comply with the notifications as per articles 7 and 28, or provides incomplete or incorrect information through such notifications, shall be punished by imprisonment for between three months and two years. If the act concerns the notification as per paragraph 1 of article 16, the punishment shall be imprisonment for up to one year.

Article 35
(Unlawful processing of personal data)

1. Any person who, with a view to gain for himself or another or with intent to cause loss to another, processes personal data in breach of articles 11, 20 and 27, shall be punished by imprisonment for up to two years or, if the fact consists in the communication or dissemination of data, by imprisonment for between three months and two years, unless the offence is more serious.

2. Any person who, with a view to gain for himself or another or with intent to cause loss to another, communicates or disseminates personal data in breach of articles 21, 22, 23 or 24, or of the prohibition as per article 28(3), shall be punished by imprisonment for between three months and two years, unless the offence is more serious.

3. Should the facts referred to in paragraphs 1 and 2 cause damage to another, the punishment shall be imprisonment for between one and three years.

Article 36
(Failure to adopt measures required for data security)

1. Whoever fails to adopt the measures he is required to adopt in order to ensure security of personal data, in breach of the regulations as per paragraphs 2 and 3 of article 15, shall be punished by imprisonment for up to one year. If the fact causes damage to another, the punishment shall be imprisonment for between two months and two years.

2. If the fact referred to in paragraph 1 was committed unintentionally, the punishment shall be imprisonment for up to one year.

Article 37
(Failure to comply with measures taken by the Garante)

1. Whoever fails to comply with measures taken by the Garante pursuant to paragraph 2 of article 22, or to paragraphs 4 and 5 of article 29, shall be punished by imprisonment for between three months and two years.

Article 38
(Collateral punishment)

1. Conviction for any of the offences as per this Act shall entail the collateral punishment of having the relevant judgment published in the press.

Article 39
(Administrative sanctions)

1. Whoever fails to provide the information or to produce the documents requested by the Garante pursuant to article 29(4) and article 32(1) shall be punished by an administrative sanction consisting in the payment of a sum of between Lit one million and Lit six million.

2. Failure to comply with the provisions of article 10 and article 23(2) shall be punished by an administrative sanction consisting in the payment of a sum of between Lit five hundred thousand and Lit three million.

3. The Garante shall be competent for receiving the report and imposing the sanctions referred to in this article. Act no. 689 of 24 November 1981, as subsequently amended, shall apply as appropriate. Fifty percent of the annual proceeds shall be paid into the fund referred to in Article 33(2) and shall only be used for performing the functions referred to in Article 31(1), litt. i), and in Article 32.

CHAPTER IX

TRANSITIONAL AND FINAL PROVISIONS
REPEALED PROVISIONS

Article 40
(Communications to the Garante)

1. A copy of any measure taken by judicial authorities with regard to this Act and Act no. 547 of 23 December 1993 shall be transmitted to the Garante by the court clerk"s office.

Article 41
(Transitional provisions)

1. Without prejudice to the exercise of the rights as per articles 13 and 29, the provisions of this Act concerning the data subject's consent shall not apply to personal data either collected before the date of entry into force of this Act or the processing of which began before the aforementioned date. This article shall be without prejudice to the implementation of the provisions concerning communication and dissemination of data as per this Act.

3. The minimum security standards as per article 15(2) shall be adopted within six months of the date of entry into force of the regulations mentioned therein. Before the expiry of such term, all personal data shall have to be kept in such a way as to avoid increasing the risks referred to in article 15(1).

4. The measures as per article 15(3) shall be adopted within six months of the date of entry into force of the regulations mentioned therein.

5. During the twenty-four months following the date of entry into force of this Act, processing by public entities, other than profit-seeking public bodies, of the data referred to in article 22(3) and in article 24 may continue even in the absence of the provisions referred to in said articles, subject to communication to the Garante.

6. The chairman of the Authority for information technology in the public administration shall act as supervisory authority during the initial implementing stage of this Act, until the Garante for data protection is elected pursuant to article 30, except as regards hearing the complaints referred to in article 29.

7. The provisions of this Act concerning the granting of an authorization by the Garante shall apply, as regards said authorization and except for article 28(4), subheading g), as from 30 November 1997. The aforesaid provisions may also be applied by the Garante by granting authorizations relating to specific categories of controllers or processing.

Article 42
(Amendments to laws in force)

1. For article 10 in Act no. 121 of 1 April 1981 there shall be substituted the following:

"Article 10. - (Controls) - 1. Controls on the data processing centre shall be carried out by the Garante for the protection of personal data pursuant to laws and regulations in force.

2. The data and information stored in the archives of the aforementioned centre may be used in judicial or administrative proceedings only upon acquisition of the original sources mentioned in article 7(1), without prejudice to the provisions of article 240 of the Criminal Procedure Code. If, during a judicial or administrative proceeding, the aforesaid data or information are found to be incorrect or incomplete or to have been processed unlawfully, the authority in charge of said proceeding shall inform the Garante for the protection of personal data.

3. Any data subject may request the office referred to under subheading a) of article 5(1) to confirm the existence of personal data relating to him, to communicate such data in an intelligible form and, where said data are found to have been processed in breach of laws or regulations in force, to have them erased or made anonymous.

4. Having carried out the necessary investigations, the office shall inform the applicant, no later than twenty days after the date of the application, as to the decision given. The office may omit to respond if this may adversely affect actions or interventions for the protection of public security and order or for preventing and prosecuting criminal offences, and shall inform thereof the Garante for the protection of personal data.

5. Any person who becomes acquainted with the existence of personal data relating to him which have been processed, even without automated means, in breach of laws or provisions in force, may request the court of the controller"s place of residence to carry out the necessary investigations and to order correction, completion, erasure or transformation into an anonymous form of the aforementioned data. The court shall comply with the above request as per articles 737 and subsequent ones of the Civil Procedure Code."

2. For paragraph 1 of article 4 of legislative decree no. 39 of 12 February 1993 there shall be substituted the following:

"1. An Authority for information technology in the public administration [Autorità per l"informatica nella pubblica amministrazione], referred to as "Authority" for the purposes of this decree, is hereby set up; the aforesaid Authority shall be fully autonomous in its operation and independent as to its judgments and evaluations."

3. For paragraph 1 of article 5 of legislative decree no. 39 of 12 February 1993 there shall be substituted the following:

"1. Any provisions concerning organization and operation of the Authority, establishment of the staff regulations, legal status and wages, career patterns and management of the expenses as provided for in this decree, even by derogating from the provisions governing the State accounting system, shall be adopted by Presidential decree, subject to aresolution by the Council of Ministers and after consulting the Council of State, upon the Prime Minister's proposal in agreement with the Minister of the Treasury and with the consent of said Authority. The opinion of the Council of State on the draft regulation shall be delivered within thirty days of the receipt of the relevant request, after which date the regulation shall be issued in any case. Salaries shall be determined as provided for regarding the staff of the supervisory authority for publishing and radiobroadcasting activities, or the staff of the body committed with the relevant functions, if any, without prejudice to the maximum total amount being put at one-hundred and fifty units. This article shall also be without prejudice to the appropriations referred to in paragraph 2 as determined for 1995, taking account of the increase limits laid down for category IV in the 1996 to 1998 period."

4. For the words "Garante for data protection" in article 9(2) and article 10(2) of Act no. 388 of 30 September 1993 there shall be substituted the following: "Garante for the protection of personal data".

Article 43
(Repealed provisions)

1. Laws and regulations which are incompatible with this Act, in particular article 8(4) and article 9(4) of Act no. 121 of 1 April 1981, are hereby repealed. Within six months of the date of issue of the decree as per article 33(1), the Minister for Home Affairs shall transmit to the office of the Garante the information collected up to that date pursuant to said article 8 of Act no. 121 of 1981.

2. This Act shall be without prejudice to Act no. 300 of 20 May 1970, as subsequently amended, Act no. 135 of 5 June 1990, as subsequently amended, legislative decree no. 322 of 6 September 1989 and the regulations in force with respect to access to administrative documents and national archives. The laws providing for further limitations or prohibitions as regards the processing of certain personal data shall further apply.

3. With regard to the processing operations as per paragraph 1, subheading e), of article 4 of this Act, the obligation to provide data and information as per paragraph 1, subheading a), of article 6 of Act no. 121 of 1 April 1981 shall further apply.

CHAPTER X

FUNDING AND ENTRY INTO FORCE

Article 44
(Funding)

1. The costs resulting from the implementation of this Act, put at Lit 8,029 million for 1997 and Lit 12,045 million from 1998, shall be borne by reducing accordingly the appropriation in the 1997-1999 budget under item 6856 of the budget of the Ministry of the Treasury for 1997. To that end, the appropriation pertaining to the Ministry for Foreign Affairs and that pertaining to the Office of the Chairman of the Council of Ministers shall be utilized at to Lit. 4,553 million and Lit. 3,476 million, respectively, for 1997; as to 1998 and 1999, the estimated appropriation for these years concerning the Ministry for Foreign Affairs and the Office of the Chairman of the Council of Ministers shall be utilized up to Lit. 6,830 million and Lit. 5,215 million, respectively.

2. The Ministry of the Treasury shall be authorized to introduce the necessary changes in its budget by decree.

Article 45
(Entry into force)

1. This Act shall enter into force one-hundred and twenty days after its publication in the Official Journal [Gazzetta Ufficiale]. With regard to the processing without electronic or automated means of data other than those referred to in articles 22 and 24, this Act shall apply as of 1 January 1998. Without prejudice to article 9(2) of Act no. 388 of 30 September 1993, this Act shall enter into force on the day following that of its publication in the Official Journal as regards both the processing of data which is carried out pursuant to the agreement as per para. 1, subheading a), of article 4 and the appointment of the Garante.