Simplifying the application of the minimum security measures for personal data protection has been under discussion for a long time.
Finally, through Parliament Act n. 133 dated August 6th 2009, a new subparagraph has been added to article 34 of the Personal Data Protection Code (D. Lgs. 196/2003). Under it, an entity that processes only non-sensitive personal data, or processes sensitive data consisting only of the health or disease status of its employees and collaborators (with no reference to the respective diagnosis), or of their membership of trade union organizations, can replace the security policy document (DPS) with a self-executing affidavit signed by the data controller pursuant to section 47 of Presidential Decree n. 445 dated December 28th 2000. The affidavit certifies that the data controller processes only the above-mentioned data, in compliance with the other security measures provided by the Code.
This amendment will bring significant relief to most companies, which, as the Italian Privacy Authority has also observed, considered the security policy document a redundant bureaucratic requirement.
For these processing operations, the Privacy Authority shall determine simplified arrangements for small companies, professionals and artisans to implement the minimum security measures.
