Categories :

What is the Personal Data Processing Authorization?

The Authorization document for the processing of personal data is used to be able to correctly use the data of a subject. In particular, it is the document with which the interested parties authorize the processing of their personal data and are informed about the purposes and methods of the processing.

In order for the authorization to process to be legitimate, in fact, the interested party must be able to know which data will be processed, with what methods, purposes, and rights attributed to him by the privacy legislation in force. Furthermore, in some cases, the subject must express his explicit consent to authorize certain data processing.

When the processing is based on the consent of the interested party, this must be expressed with a free and informedspecific, and unambiguous declaration. Therefore, it must always be able to demonstrate that the subject has given his authorization for each single processing purpose without having been conditioned in the choice and having first been informed about the use of his data.

The essential conditions of the legitimacy of the processing are regulated, in particular, by the legislative decree 196 of 2003 (Privacy Code) recently updated by the General Data Protection Regulation of the European Union (known as GDPR).

When it is necessary to request consent to the processing of personal data

The rules on privacy protect the only personal information that identifies or can identify natural persons, thus excluding the data of legal persons, entities, or associations.

The interested party must always be informed before the collection of data that can identify him. However, it is not necessary to inform him of the processing concerns:

  • an exclusively personal activity, for example, when you collect the personal data of your domestic worker;
  • a collection of data that is not archived in any way.

Once informed, the subject does not always have to ask for his explicit consent. In fact, it will be sufficient to inform the subject without requesting his explicit authorization if the processing is carried out:

  • exclusively for the execution of a contract with the subject (egg request for the address to deliver a product purchased by the subject);
  • for legal obligation/utilities (eg. the request of billing information);
  • to exercise a legitimate interest (e.g. defending oneself in court, some particular direct marketing activities);
  • in case you want to safeguard the vital interests of the data subject or of another natural person (egg collection of data for a patient).

Our authorization formula for the processing of personal data is suitable for any type of processing carried out and for any purpose pursued (whether it requires consent or not). For example, it can be used by a company that processes its customers’ data (e.g. for registering for an event, video surveillance of the premises, registration in a loyalty program), or that collects data from its employees or collaborators for proper internal management (e.g. data storage for administrative purposes).

Furthermore, this document can be used for the processing of any type of personal data including sensitive data. The sensitive data is data concerning the private life of the person, such as health data, race, political opinions, religious beliefs, genetic data, biometric data, etc. Given their nature, they require treatment that ensures absolute protection and confidentiality.

If the data is processed online through a website or app, however, it is necessary to use a specific document, the privacy policy for websites or apps that has the same legal purpose but which provides for some specific clauses for online use.

The authorization to process personal data in the curriculum vitae

An example of personal data processing is the management of the curriculum vitae of candidates that a company receives.

Although it is now common practice, it is not necessary for the candidate to give consent every time he/she sends a curriculum vita (e.g. with a declaration at the bottom of the document). The new article 111-bis of the Privacy Code, in fact, provides that in case of receipt of curricula for the purpose of establishing an employment relationship, consent to the processing of personal data is not required.

Furthermore, it is clear from the law that the company will not have to send a privacy notice to the interested party when they receive their curriculum vitae. The subject must, on the other hand, receive this information only if he is contacted by the possible employer or in any case at the first useful contract following the sending of the curriculum.

What does the processing authorization form contain?

Our document to obtain authorization for the processing of personal data is updated to comply with the European regulation for privacy and meets all legal requirements and contains all the information required by current legislation on privacy:

  • Types of personal data collected: it is necessary to communicate to the interested parties which data will be collected (contact data, sensitive, fiscal data, etc.);
  • Purpose and legal basis of the processing: the purposes for which the personal data are processed must be listed (e.g. communications with users, statistical purposes, payroll management, etc.) and the legitimacy on which the processing is based;
  • Third-party recipients: the names of any third parties to whom the data will be communicated must be indicated (egg suppliers or partners of the owner);
  • Place: it must be indicated where the data are processed and if they are transferred to a non-EU country;
  • Data retention period: it is necessary to specify how long the data are kept after the termination of the relationship with the interested party;
  • Security measures:  the technical measures that you adopt to secure the data being processed must be indicated;
  • Automated decision-making processes: it must be specified if you take decisions through technological means, without human involvement, with legal effects or other similarly significant effects that affect the user or that significantly affect his person;
  • Identification of the persons making the treatment is necessary to indicate all the data to identify who manages the processing of personal data (egg. The owner or his representative, and if appointed the controller and the DPO;
  • Consent management: we will insert the necessary clauses when the consent of the interested party is requested;
  • English language: the document can also be generated in English. It is mandatory that the authorization form for the processing of personal data is always understandable when the data subjects are foreigners.

At the end of the interview we will guide you step by step in all the subsequent necessary formalities (e.g. the impact assessment, the preparation of security measures, and the preparation of the treatment register) and so that all the related documents are correctly prepared. If you need more help you can also always request our GDPR consultation with an expert lawyer to be followed further on the processing of personal data, you carry out. You can also request a website GDPR adjustment to adapt your website or app.

Information you need

To complete the authorization document for the processing of personal data, all the data of the parties are required.

The document can be modified in all its parts without time limits. Don’t worry so if you don’t have all the information available during the interview, you can always enter it later.

Remember that our interview does not generate a simple facsimile of Authorization for the Processing of Personal Data. Based on your answers, the system automatically draws up a customized contract model for your exact needs, guaranteeing its legal correctness.

Other names

Authorization to process personal data is also known as:

  • Privacy policy (for offline activities)
  • privacy policy GDPR
  • Consent to the processing of personal data
  • Authorization to process personal data cv

Other useful templates and facsimiles

  • Personal Data Processing Register: to collect all information relating to the management of personal data processed
  • Appointment of the personal data processing manager: to appoint an external party who processes the data on behalf of the data controller
  • Photo and Video Release: to be able to publish (even on a website) the images of a person without affecting their privacy
  • Privacy Policy of a Website or an App: to inform the users of a website or an app about the use that will be made of their personal information
  • Cookie Policy: to inform your site visitors of the cookies you will save on their browser