Simplification Law 2025: tightening on the legal bases for judicial data.

The Simplification Law 2025 (Law 182/2025) intervenes on the regulation of the processing of data relating to criminal convictions and offences in the Privacy Code, restricting the scope for integration through secondary sources.

Article 72, letter g) repeals paragraphs 2, 4 and 6 of Article 2-octies, i.e. those provisions that allowed the Ministry of Justice to adopt supplementary decrees to authorise or regulate the processing of data relating to criminal convictions and offences. The effect of the choice is immediate and systemic: the processing once again requires a primary regulatory basis defined directly by law, without the possibility of "completion" through a secondary source. The intervention, therefore, does not make the discipline more permissive; on the contrary, it makes it more bound to the law and reduces the space for regulatory integration, in a sector in which the relationship between law, regulations and ministerial powers has been the subject of interpretative reconstructions that are not always unambiguous.

In detail, the repeal of paragraph 2 eliminates the possibility for the Ministry of Justice to authorise, in the presence of a regulatory vacuum or an insufficiently detailed basis, specific processing of judicial data by decree, subject to the opinion of the Guarantor. The consequence is clear: today, if there is no legal provision expressly authorizing the processing, the processing cannot take place. The primary source becomes the only legitimizing garrison.

The same approach is reflected in the repeal of paragraph 4, which allowed the introduction, again by ministerial decree, of the "appropriate guarantees" when the law authorized the processing without fully defining conditions and precautions. With the removal of this option, the message is clear: the enabling law must be "complete" from the outset, including the guarantees required by the GDPR without deferring to subsequent measures.

An immediate operational impact also concerns anti-mafia protocols and organized crime prevention activities. Paragraph 6 provided for decrees of the Ministry of Justice (in collaboration with the Ministry of the Interior) to define which data could be processed, in what ways and with what guarantees. With the repeal, this tool is no longer usable: to process data relating to crimes in these contexts, a clear and complete primary rule is needed; The protocols, in themselves, are no longer sufficient and it is no longer possible to use ministerial decrees with a supplementary or "substitute" function.

On the application level, the consequences are significant. For companies and professionals, there is a growing need for rigorous verification of the existence of an adequate primary legal basis: in the absence of a clear and complete rule, the processing remains precluded and there are no suitable regulatory instruments to fill any gaps. For the Guarantor Authority, on the other hand, involvement in the preventive phase is reduced (with the absence of mandatory opinions on decrees), but the ex post role of control and supervision is strengthened, becoming a central safeguard with respect to processing based on unsuitable legal bases or on excessively extensive interpretations of existing rules.