Article 45 of Law-Decree no. 5 dated February 9, 2012 containing Urgent simplification and development measures has formally eliminated from Italian law the obligation to draft Data Security Documentd in all those cases provided for under Legislative Decree 196/2003.
The wording of article 45 leaves, in fact, very little space for doubt: Letter g) of paragraph 1 of article 34 is suppressed and paragraph 1-bis is repealed […], as regards the technical regulations on minimum safety measures contained in Annexe B, paragraphs 19 to 19.8 and 26 are hereby suppressed.
It follows therefrom that the obligation to draft the Data Security Document – even as regards minimum safety measures – has been suppressed in its entirety.
It must be pointed out – in relation thereto – that, under the previous version of the Italian Data Protection Code, personal data processed with electronic instruments was permitted only at the condition that – without prejudice to the other minimum security measures provided for thereunder – an updated data security was also drawn up, whose contents were set out in detail in point 19 of Annex B of the Data Protection Code.
The failure to draft the Data Security Document left the Data Controller vulnerable to the risk of being subjected to administrative fines and more specifically to fines ranging from 10,000 to 120,000 Euros (article 162, paragraph 2-bis), as well as to two years’ imprisonment (article 169, paragraph 1).
After the coming into force of the aforementioned Law-Decree, the failure to draw up a Data Security Document no longer entails the application of the aforementioned administrative and criminal sanctions.
Moreover, in light of consolidated criminal law principles, the abolition of the criminal provision previously contained in Legislative Decree 19672003 means, moreover, that whoever failed to draw up a Data Security Document prior to the entry into force of the aforementioned Law-Decree cannot be convicted.
