list of contributors - GALA
list of contributors - GALA
list of contributors - GALA
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
When: March 2005<br />
Where: Italy<br />
What Happened: The local independent Authority (i.e. the Privacy Commissioner), competent<br />
on supervising proper domestic enforcement <strong>of</strong> the general principles<br />
established by the EU-Directives on protection <strong>of</strong> personal data, recently has<br />
come to focus its attention on two ‘hot topics’.<br />
(i) The Authority felt necessary to deal with issues and problems linked to<br />
Radio Frequency Identification – RFID technology and particularly to socalled<br />
‘intelligent labels/packaging’.<br />
Specific guidelines have been issued in order to grant sufficient protection to<br />
personal data handled with the process <strong>of</strong> application <strong>of</strong> such technology.<br />
The basic principles set by the Commissioner’s guidelines require that<br />
processing <strong>of</strong> personal data through RFID technology involves:<br />
- adequate information to subjects who’s data are handled,<br />
- possibility for those subjects to express specific consent for the processing <strong>of</strong><br />
their data,<br />
- possibility to disable the chips allowing such processing.<br />
In detail the guidelines establish that:<br />
- the public has to be made clearly aware <strong>of</strong> the fact that RFID technology is<br />
applied and that devices able to track “intelligent labels/packaging” are in<br />
place (such alert must be provided on products’ packaging as well as in<br />
locations – e.g. shops – where such technology is in use),<br />
- private subjects may apply RFID technology only after obtaining specific<br />
and explicit consent from the targeted public and such consent may not be<br />
achieved through improper pressure or conditioning,<br />
- ‘intelligent labels’ have to be placed in a way that allows customers to<br />
disable them easily after the product’s purchase (basically RFID chips should<br />
not remain active after the cashier barrier; finally such chips may not be<br />
placed in a way that they interact with the product’s functionality)<br />
- RFID technology applied to control access to restricted areas has to consider<br />
and respect employee’s rights and liberties,<br />
- subcutaneous chips (to be previously approved by the competent authority<br />
as to their technical function) may be placed only in exceptional cases and for<br />
justified purposes <strong>of</strong> health care/protection (the implantation <strong>of</strong> such devices<br />
has to be kept strictly confidential and the interested subjects may ask for<br />
removal at any time),<br />
- the use <strong>of</strong> RFID technology has to be proportionate to the purposes aimed<br />
at and the data collected may be stored only for a reasonable period <strong>of</strong> time,<br />
- whoever applies such technology, has to grant proper safety measures in<br />
order to reduce the risks <strong>of</strong> destruction or loss <strong>of</strong> the collected data as well as<br />
<strong>of</strong> undue access to or mishandling <strong>of</strong> them,<br />
- the collection <strong>of</strong> data, performed through means <strong>of</strong> electronic<br />
communication, allowing to locate a person/product geographically or<br />
aimed at data subject’s ‘pr<strong>of</strong>iling’, have to be notified to the Privacy<br />
Commissioner prior to the start <strong>of</strong> such procedure.<br />
(ii) Acknowledging the widespread use <strong>of</strong> so-called ‘fidelity cards’ in areas<br />
such as retail, transportation, financial, phone and publishing services, the<br />
local Privacy Commissioner also considered it necessary to set some basic<br />
principles for the processing <strong>of</strong> personal data (sometimes even <strong>of</strong> sensitive<br />
data) performed in this particular context.