The Italian Data Protection Authority issued a new decision on the security measures to be taken for the appropriate processing of biometric data.
The decision named “Sistema per la sottoscrizione in forma elettronica di atti, contratti e altri documenti relativi a prodotti e servizi offerti da una banca” of 12th September 2013 gives much cause for reflection.
It is interesting to note how the Italian D.P.A., when expressly referring to the technical rules relating to electronic signatures, emphasizes the instrumentality of personal data, including biometric data, in generating graphometric signatures as advanced electronic signatures.
Moreover, the Italian D.P.A. highlights how the handling of data can be an effective instrument of proof, in case of dispute.
In fact, the decision reads: “(…) the use of the proposed solution could effectively contribute to lending greater certainty in legal relationships existing with users through the guarantee of authenticity, non-repudiation and integrity of documents signed electronically”.
The decision expressly mentions the provisions of the law requiring the written form for bank contracts and confirms the suitability of the graphometric signature in meeting the requirement of the written form ad substantiam. In addition, the Italian D.P.A. makes an important statement of economic policy of law, arguing that the graphometric signature “complies with society’s legitimate organisational needs”.
Finally, the decision draws attention to the necessary safety precautions to be taken to reduce the risk of unauthorised software installation or of modification of the configuration of the systems used. It is additionally necessary to adopt security policies, especially in cases where the data controller makes use of external parties, and in any case to obtain from the installer a written description of the steps taken, in order to certify their compliance with enforceable regulations.
Some general clarifications should be made, however.
The Italian D.P.A.’s decision on graphometric signatures is not yet the general decision the market expected.
The Italian D.P.A.’s decision is still one of an individual nature (referring to Fineco): that is to say, one concerning a specific request.
The Italian D.P.A.’s general decision cannot, of course, refer to specific solutions.
The importance of this decision is evident, however.
It is the first decision of the Italian D.P.A. on graphometric signatures as advanced electronic signatures for the signing of contracts in the banking sector. In the other two decisions of the Italian D.P.A. dated 31st January last (referring to Unicredit and Cariparma) the graphometric signatures are considered a mechanism of authentication. Identification, of course, remains visual.
It confirms that the “graphometric signatures” can be “advanced electronic signatures”.
It also confirms that this is a very popular procedure in the market and that maximum attention should be focused on the safety of the process. Many indications in this regard can be drawn from this decision.
Finally, it confirms the viability of graphometric signatures in mobility.