October 2019
With the introduction of the General Data Protection Regulation UE 2016/679 (https://ec.europa.eu/info/law/law-topic/data-protection/reform_en) and the “Measure containing the provisions relating to the processing of special categories of data” by Italian data protection authority of 5 June 2019, pursuant to art. 21, com. 1 of D. Lgs. 10/8/2018, n. 101, all projects involving the processing of special categories of personal data (1) must ensure
“… appropriate safeguards for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudo-minimisation, provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner” (Art. 89 GDPR).
After an accurate decision process, involving technical and legal experts, we came to the conclusion that at the moment the Controller (2) (Project leader/User) and CINECA are not able to guarantee technical and organisational measures specifically for special categories of personal data HPC processing.
Therefore, we invite you to remove any personal data of special categories from CINECA storage resources as soon as possible. After that, we intended that data belonging to your HPC username do not include any personal data of special categories.
The User indemnifies CINECA from any damage caused to individuals as a result of treatments (processing) that do not comply with the GDPR requirements and the indications given by CINECA.
(1) Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (art. 9, GDPR).
(2) 'Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (art. 4, n. 7, GDPR).