Recent regulatory interventions to the Privacy Code (Legislative Decree no. 196/2003)

The protection of the taxpayer's privacy seems to suffer a serious setback due to the recent amendments made by Law Decree no. 139/2021 (the so-called "Capienze Decree"), to Legislative Decree no. 196/2003 (the so-called "Privacy Code"), aimed at implementing the powers of the Tax Authorities in relation to the processing of taxpayers' personal data and, consequently, at reducing the preventive controls of the Guarantor for the personal data protection (hereinafter, "Guarantor").

Article 9 of the Capienze Decree adds a new paragraph 1-bis to Article 2-ter of the Privacy Code, according to which "the processing of personal data by a public administration [...] is also allowed if necessary for the performance of a task carried out in the public interest or for the exercise of public powers vested in it. To ensure that such exercise cannot cause actual and concrete prejudice to the protection of the rights and freedoms of data subjects, the provisions referred to in this paragraph shall be exercised in accordance with Article 6 of the GDPR".

Therefore, the provision in comment extends the public administration’s (1) powers to process the personal data, giving it wider discretion in the identification of the purposes of the processing special categories of personal data, such as, for example, the sensitive data (economic-patrimonial) of the taxpayers.

In particular, under Article 9 above, tax authorities may process (2) the personal data (3) of taxpayers for purposes of public interest (i.e., the fight against tax evasion) or to exercise public powers, even in the absence of a legitimizing regulatory provision. This provision is in express contradiction with the first paragraph of Article 2 ter of the Privacy Code, which identifies the legal basis for the data processing, exclusively in a law or, in cases provided for by law, in a regulation; with the consequence that, in the absence of a specific provision of law, it will be the same financial administration to identify, by its own administrative act, the purpose of the processing.

In other words, the Financial Administration can process the personal data of taxpayers, as long as it identifies and communicates the relative purposes; in this way, it would be the same P.A. to legitimize ex post its own processing of sensitive data, in the absence of a normative provision which expressly allows it (for example, if the Financial Administration held it necessary to process some data, to "cross-check" the income data of the citizens, in the absence of a regulation which provides for it, it could, with an administrative act, indicate for what reason it holds it necessary to process the data, thus justifying it).

In this regulatory panorama, pursuant to the Art. 9 above, the Guarantor cannot intervene, on a preventive basis, on the processing of data, carried out by the P.A., relative to reforms, measures and projects of the National Plan of Recovery and Resilience (4), of the National Plan for Complementary Investments (5), as well as of the National Integrated Plan for Energy and Climate 2030, but may provide its opinion, optional and ex post, within the non-extendable term of thirty days from the request, after which it will proceed independently of the acquisition of such opinion.

The aforementioned novelties, on the subject of privacy, give rise to perplexity: an extension of the discretionary power of the P.A. in the mentioned terms risks facilitating abuses to the detriment of the concerned parties, who could see their personal data (including economic and financial data) processed by virtue of a mere evaluation of interests, autonomously and discretionally carried out by the Tax Agencies, in absence of an ex-ante regulatory basis legitimizing the processing.

The importance of personal data protection, also in fiscal matters, would impose, in the opinion of the writer, the adoption of greater limits to the acquisition, the utilization and the conservation of the aforesaid data by the Financial Administration, in the perspective of balancing the need to combat tax evasion with the need to protect personal data of the concerned subjects, both at a national and supranational level.

These limits are only partially provided for by the Art. 9, which requires the Public Administration, when processing the personal data of the data subjects, only to (i) not cause actual and concrete prejudice to the protection of the rights of the parties concerned; (ii) guarantee the legitimacy of the processing under art. 9 of GDPR.

These limitations are necessary but not sufficient to ensure the full protection of the interests and rights of taxpayers in terms of privacy and data protection. A corrective action, bringing significant modifications to the original text, with the purpose of guaranteeing a greater dialogue between the P.A. and the Guarantor and, also, to safeguard the interest of the taxpayer to the protection and non-disclosure of the data, except within the strictly necessary limits, is to be hoped for. However, should this not be the case, the taxpayer, should he consider that his rights have been violated by the P.A., is entitled to lodge a complaint with the Guarantor or, alternatively, to appeal before the judicial authorities, also in relation to the specific motivations adopted by the P.A. to justify its conduct.

Pubblished by: Avv. Olga Aldinio

Ph: designed by Rawpixel
-----

(1) Including the independent authorities, the administrations included in the ISTAT list, such as the fiscal agencies (cf. Article 1, para 3, Law no. 196/2009), as well as the companies under public State control (cf. article 16, Legislative Decree no. 175/2016) and the bodies of public law.

(2) "Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction" (Art. 4 no. 2) of Regulation (EU) 2016/679, hereinafter "GDPR").

(3) "Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Art. 4 no. 1) of GDPR).

(4) Cf. Regulation (EU) no. 241/2021 of the European Parliament and Council

(5) Cf. Law Decree no. 59/2021