Positive opinion of the Italian Data Protection Authority on the National Information System for unaccompanied foreign minors
The Italian Data Protection Authority issued a positive opinion to the Ministry of Labour and Social Policies on the compliance of the draft Presidential Decree on the National Information System for Unaccompanied Foreign
Minors (SIM) with the personal data protection legislation. This is a System that makes it possible to monitor the presence of unaccompanied foreign minors, to track their movements on the national territory and to manage their registry, status and placement data.
However, given the qualitative and quantitative relevance of the information processed, the Authority asked the Ministry to carry out a Data Protection Impact Assessment (DPIA).
The Data Protection Authority had already commented in an opinion on the purpose of the processing of which the Ministry is the Data Controller dating back to 2019. In the new text of the decreee, these observations have been incorporated almost in their entirety. In addition, the modalities and guarantees with which to legitimize the dissemination of data have been specified. The draft of the decree also specifies the categories of data and operations that can be performed and the methods of access to the SIM information.
The Italian Data Protection Authority requests the integration of the Electronic Identity Card (CIE)
The Italian Data Protection Authority issued an opinion to the Ministry of the Interior on the draft decree regulating the organizational and technical procedures for issuing the Electronic Identity Card (CIE) to Italian citizens living abroad.
In the measure, the Authority pointed out that the use of only the terms ‘father’ and ‘mother’ to identify persons exercising parental responsibility is not in line with the Opinion already expressed on 25 March 2021 (web doc. no. 9677947). In that opinion, in fact, the Authority had asked the Ministry to add on the CIE of citizens resident in Italy the notion of “parent” in the composition “father/parent” or “mother/parent”.
The Authority affirmed that the correct representation of the role played by the subject requesting the issuance of the CIE for the minor is functional to the compliance with the principle of the data accuracy of the European Regulation 2016/679, in relation to the cases in which the subjects exercising parental responsibility are not exactly traceable to the paternal or maternal figure.
On the other hand with regard to the entire procedure, which is based on the infrastructure and technical solutions already validly used for the ordinary issuance of the CIE, the Authority did not consider it necessary to indicate further measures.
A database to fight AML: a significant information asset
The Italian Data Protection Authority recently gave a favorable opinion on a rule aimed at setting up a centralized database with the purpose of preventing the use of the financial system for laundering the proceeds of criminal activities and financing terrorism.
The database, fed by the acts sent by professionals (accountants, lawyers, notaries, labor consultants) in the exercise of their activities, represents for the Authority “a significant information asset” for the analysis and investigation activities of the competent authorities.
The database would be implemented with automated systems capable of alerting operators, in the case of potentially risky transactions, ensuring greater uniformity, on the part of professionals, in the way they fulfill the anti-money laundering obligations imposed by the legislation. With regard to the latter aspect, the Authority asked the Ministry to delegate to a rule at least of a regulatory nature the description of how the alert will be processed and the provision of the related guarantees for those concerned. In fact, the alert could imply a personal data processing, potentially also belonging to special categories or related to criminal convictions or offenses, with a highly profiling content.
Cybersecurity certification: national framework defined
Recently, Legislative Decree No. 123/2022 was issued and published in the Gazzetta Ufficiale. It regulates rules for adapting national legislation to the provisions of Title III “Cybersecurity Certification Framework” of Regulation (EU) 2019/881 on ENISA Certification for Information and Communication Technologies.
The Title III establishes a common European cybersecurity system to certify that ICT products, services and processes evaluated under them comply with certain security requirements. The aim is to protect the availability, authenticity, integrity or confidentiality of data stored, transmitted or processed or the functions or services offered by or accessed through such products, services and processes throughout their life cycle. As a result, any national cybersecurity certification systems are canceled and cease to have effect from entry into force of that European system (Art. 57).
More specifically, the measure defines certification procedures, penalties, controls and judicial remedies related to violations.