Istat – Violation Found (Italy, 2020)

Violation Found
Garante per la protezione dei dati personali | 23 January 2020 | Italy
final
ePrivacy

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Italy's data protection authority found that Istat did not properly handle data processing authorization related to pseudonymisation. This is important because it shows that organizations must follow strict rules when processing personal data. Although no fines were imposed, the authority emphasized the need for compliance with data protection standards.

What happened

Istat was found to have issues with data processing authorization and pseudonymisation techniques.

Who was affected

Individuals whose data was processed by Istat.

What the authority found

The authority identified shortcomings in Istat's data processing practices, although no specific violations were classified.

Why this matters

This finding serves as a reminder for organizations to ensure they have proper authorization and techniques in place when handling personal data, reinforcing the importance of compliance with data protection laws.

GDPR Articles Cited

Art. 83(5) GDPR

National Law Articles

AI-identified

Art. 2-quinquiesdecies Codice Privacy
Source verified 9 April 2026
articles corrected
national law identified
Full Legal Summary
Detailed

With provision No. 10 of 23 January 2020, the Italian Data Protection Authority assessed Istat's request for authorization to process data, pursuant to article 2-quinquiesdecies of the Privacy Code (Legislative Decree 196/2003). The Authority:

* informed Istat that, from a methodological point of view, the data controller is required to implement adequate technical and organizational measures to guarantee and demonstrate that the processing carried out complies with the applicable rules;
* prescribed the adoption of suitable pseudonymisation techniques to guarantee the effectiveness of the principles of data minimization and storage limitation;
* prescribed that the general census plan be supplemented with an indication of the methods for returning to the municipalities, in aggregate form, the information collected during the census;
* prescribed that the data protection impact assessment for the statistical works related to the creation of the permanent census be supplemented with an indication, through specific metrics, of the probability of re-identification of the data subjects;
* required Istat to communicate, within 120 days from the notification of this provision, what initiatives it has undertaken or intends to undertake to implement the prescriptions indicated in this provision, especially regarding the techniques of pseudonymisation, and in any case to provide adequately documented feedback; any lack of feedback may result in the application of the administrative fine pursuant to art. 83, par. 5 of the Regulation.

The Authority authorized Istat to carry out the processing of personal data necessary for the creation of the permanent census, highlighting the persistence of problems and giving explicit warnings and prescriptions. The Data Protection Authority indicates to Istat (national census body) that, in order to carry out the permanent census, it must adopt adequate pseudonymisation techniques within 4 months to avoid ide

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Related Enforcement Actions (0)

No other enforcement actions found for Istat in IT

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

23 January 2020

Authority

Garante per la protezione dei dati personali

GDPRhub ID

gdprhub-2084

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Istat - Italy (2020). Retrieved from cookiefines.eu
