The Italian Data Protection Authority continues the enforce a wrong interpretation of ? the Data Protection Code to affirm back ? its jurisdiction over the legal person.
On Feb. 7, 2014 an Italian company active in the ICT VAS received a decision issued by the Italian Data Protection Authority that challenged the handling of legal person data on the basis that, no matter what the recent amendment of the Data Protection Act says, the legal person data are still under the IDPA jurisdiction.
While the appeal against this decision is still to be (filed and) decided, it is important to understand the background of the IDPA assumptions. The EU Directive 95/46/CE clearly states that the its realm of application is limited to a “natural person” only, therefore the “legal person” are not subjected to the Data Protection Code and – a fortiori -to the jurisdiction of the DP Commissioner. Contrary to what the Directive said, Italy passed a “modified” DP Act extending its reach up to legal person. This lead to a waste of time and (huge quantity of) money to comply with something that the EU never asked for.
Only on Dec. 24, 2011 (better late than never) the Law n. 214 fixed this appalling mistake but the Data Protection Authority didn’t agree with the Parliament and issued an order where with a byzantine and convolute syllogism tries to get the notion of legal person back under its reach.
As the Italian Courts often show, the IDPA is not always right in its interpretation of the DP Act and in this specific case it will be interesting to see on which basis the Authority will affirm the superiority of the DP Act over another Law that, by coming later, has the power to limit or provide means of interpretation – even implicitly – an older one. To put it short, the Data Protection Act is not a Constitutional Law and can be interpreted and modified by later-issued law, as in this case.