The rules related to data privacy legislation are born with the directive 95/46/CE of the European Parliament and Council, of the 24th of October 1995, concerning the "safeguard of individuals" and the treatment of the personal and confidential data, as well as the free circulation of such data.

The directive 2002/58/CE of the European Parliament and Council, of the 12th of July 2002 instead, is further considering carefully the private individual life and the electronic communications.

The primary goalof the privacy legislation is to grant that the treatment of the personal data is carried out in respect of the essential rights, freedom and dignity of the individual, with particular reference to confidentiality, to personal identity and to the right of protection of the personal data.

The national laws do discipline further in detail the treatment of the personal data.

As "treatment" it is intended whatever operation or the whole operations made, even without the help of any electronic instruments concerning the collection, the registration, the organization, the retention/preservation, the cancellation and the distribution of the data, even though these have not been registered in a data bank.

In order to respect the privacy law it is usually required in the different local legislations (Italy could be considered an example of a procedure which has reached an advanced level of evolution):

A. to process an organizational chart before the activity start, parallel to the company operative one, including assigned roles for data privacy management.

B. identification and nomination in written and related acceptance of the following actors usually foreseen from the current local legislation.

• owner of the data treatment process (the company legal representative or with a proper attorney)
• responsible of the data treatment (person to whom operators in charge and system administrator are responding to)
• operators in charge for the data treatment (internal or external employees/ self employees in charge for specific activities)
• operators assigned to data treatment, employees/ self employees managing the data during their own internal activities
• system administrator, person who supports through technical knowledge the technical coordination of the process.

The treatment of the information is usually then allowed, only if data are treated in compliance with the foreseen rules, and respecting the minimum measures, like for example the following ones:

1. Authentication through some information technology safe procedure
2. Credentials of the authentication to manage the data treatment procedure
3. Use of an authorization procedure and system (an organization chart is suggested)
4. Periodical update of the identification codes for operators in charge and assigned to data management through electronic instruments
5. Protection of the electronic instruments and of their data in relation with the illegal treatment of the same, with not allowed access and of specific protection software and hardware (antivirus, firewall, access hardware keys);
6. Use of procedures in order to preserve/ protect backup/ security copies, and allow the data recovery;

Annual processing and update of a written plan for confidential data security.

Transfer of the data abroad, inside or outside the European Union: according to the applicable principles, new rules can be applied concerning limits and obligations to forbid the free circulation of the confidential data among the Member States of the European Union, with the exception of data transfer in order to avoid current rules application.

Out of the European Union: The transfer of the data is allowed only when:

1. the person concerned has expressed his own consent, or in case of sensible data, in written;
2. It is necessary that the execution of obligations, deriving from a contract, of which one part is interested to or to fulfil (before the conclusion of the contract, with specific requests of the interested part), or for the conclusion of execution of a contract agreed in favour of the interested part;
3. the treatment of the data is concerning legal entities, institutions or associations;
4. it is authorized from the Guarantor authority.

A 'general measures procedure' regarding video surveillance: the installation of a video surveillance system implies, shortly, the introduction of limits and conditions, for the worker considered, making essential the respect of some fundamental principles.

In order to obtain more information concerning the world-wide legislation and rules, the main reference web sites are the following:

HTLC Network is supplying a full service administrative kit or as alternative simply an 'on demand' assistance for single pieces of services (integrating legal advise and administrative / information technology assistance) , customized to the client's needs, according to what has been or will be done internally or outsourced.