The provision to the data subject of a privacy information notice must now list key information, including all the information prescribed by Italian law, whether there are alternative technologies available to collecting biometric data, and specific instructions on how to use the device, along with any signs or warnings where biometric data is being collected to access specific areas.
The data protection authority (DPA) must be notified prior to the data processing with the exception of cases where the processing is being performed by medical practitioners. Data can be stored for no longer than the required term. In the event of a data breach, the DPA must be notified via e-mail within 24 hours of its occurrence. The DPA must approve in advance the detailed application measures to be implemented in the data processing.
Prior consent from the individuals must also be given, except in specific scenarios where the Italian DPA has identified the processing of biometric data to face a lower risk. These cases include the biometric fingerprint or issue voice of a person to access databases and information systems, accessing sensitive areas or using dangerous machines where the data processing can also likely occur without the individual’s consent, confirming the content of electronic documents through advanced electronic signature, and scanning fingerprints and the topography of the palm of the hand to gain access to either public or private areas.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now