Background Information

All Italian lawyers are obligated by current professional legislation (Art. 11 of Law n. 247 of 31 December 2012) to take part in compulsory trainings (online or through offline trainings such congresses) which award professional credits.

On 26 July 2017, the Italian Data Protection Authority (“Garante”) authorised the use of an IT system that can verify the identity of Lawyers when they take part in online professional courses. The aim of this IT system is to avoid fraudulent behaviour to obtain professional credits by means of distance learning. Accordingly, the IT system does not involve the use of biometric data for identity verification.           

Main issues

With its decision the Garante clarified how the IT system will work: during the training streamed online, a picture of each participant will be taken through their web-cams at random intervals. At the end of this process, the pictures taken throughout the training session will be part of the personal card of every participant, showing if the participant attended. An operator will then compare the pictures with the identity card of the participants who have subscribed to the training session. The Garante confirms that automated verifications of digital images are not possible. In fact, the Garante has specifically forbidden facial recognition as defined by Article 29 Working Party as “the automatic processing of digital images which contain the faces of individuals for the purpose of identification, authentication/verification or categorisation1 of those individuals”. Finally, the processing by means of the IT system will be lawful only subject to a prior informed consent for the processing of images. In addition, a detailed privacy notice is necessary and it will explain the purposes, means, and the period of retention.

Practical implications

In order to comply with these indications, online training companies adopting a similar IT system shall:

  • provide a prior information notice explaining the processing of the IT system which shall be fair, lawful, transparent, ensuring the exercise of the rights by data subjects, respect the principle of confidentiality and collect a specific informed consent with regard to the processing of the range of pictures;
  • permit access to professionals’ personal data only to data processors or to persons acting under the authority of the data controller or of the data processor;
  • adopt adequate security measures in order to guarantee the right of privacy of data subjects.