December 1, 2014 -
With the Internet of Things technologies and specifically biometric wearables significantly relying on the processing of biometric data, the Garante has introduced the new rules to aid companies in developing these technologies.
First, the provision to the data subject of a privacy information notice must now list key information, including all the information prescribed by Italian law, whether there are alternative technologies available to collecting biometric data, and specific instructions on how to use the device, along with any signs or warnings where biometric data is being collected to access specific areas.
The data protection authority (DPA) must be notified prior to the data processing with the exception of cases where the processing is being performed by medical practitioners.
There must be strict security measures in place for deleting the raw data collected during the biometric capture, using encryption technologies for their storage and transfer and using mobile device auditing technologies.
Data can be stored for no longer than the required term which varies based on the type of processed biometric data.
In the event of a data breach, the DPA must be notified via email within 24 hours of its occurrence.
The DPA must approve in advance the detailed application measures to be implemented in the data processing.
Prior consent from the individuals must also be given, except in specific scenarios where the Italian DPA has identified the processing of biometric data to face a lower risk and therefore does not require prior consent.
These cases include the biometric fingerprint or issue voice of a person to access databases and information systems, accessing sensitive areas or using dangerous machines where the data processing can also likely occur without the individual’s consent, confirming the content of electronic documents through advanced electronic signature, and scanning fingerprints and the topography of the palm of the hand to gain access to either public or private areas.