Court of Cassation: INPS software does not infringe thee data protection rules.

The ruling originates from the opposition to the order-injunction for the payment of an administrative penalty imposed by the Italian Data Protection Authority on the Nationa Social Security Agency (INPS,) with regard to the alleged violations of Articles 13, 20 and 27 of Legislative Decree No. 196/2003 (The Italian Data Protection Code, applicable ratione temporis) in the use of the 'data mining Savio' software.

In the opinion of the Italian Data Protection Authority, by using that system - which automatically attributes a conventional score to the medical certificates produced by workers, so as to target the system of medico-legal inspections in a targeted and more efficient manner - the Social Security Institution had: i) processed sensitive data without having issued the appropriate information; ii) in the absence of the necessary prerequisites, unlawfully processed personal data, including data disclosing health status; iii) carried out profiling activities using workers' personal data, without having notified the Authority of such processing in advance.

The Italian Data Protection Authority's measure was challenged by INPS, but the Court rejected the appeal. The social security institute then appealed to the Court of Cassation, claiming the unlawfulness of the decision on the merits on the basis of five grounds.

In particular, the institute pointed out that the control activity carried out, being directly based on the law, did not entail the obligation to provide the persons concerned with the required information.

With regard to the censured profiling activity, the appellant noted how the computerised procedure used did not identify a specific person and the same was not included in certain categories or profiles, taking into consideration only the application for sickness benefits submitted by the worker.

The appeal was upheld by the Supreme Court under these two specific profiles.