The Italian privacy authority (DPA) issued a decision introducing more stringent obligations for the transfer of data to call centers located in countries outside of the European Union, such as India or the US, but also Albania, which is very close to Italy and is a popular location for call centers of Italian companies.
The decision is quite interesting since it regulates the frequent scenario where an Italian company outsources the call center service to a company located in the European Union, which in turn relies on services provided by entities located outside the European Union.
In such circumstances, the Italian DPA identified 3 possible scenarios allowing the transfer of data to companies located in non-EU countries, all of which apply only with the prior consent of the data controller:
- either the data controller (i.e. the company outsourcing the call center service) enters into the Standard Contractual Clauses for transfer of data to processors directly with the non-EU entity;
- or the data controller grants a power of attorney (PoA) to the outsourcee for the execution of the Standard Contractual Clauses with the non-EU entity, but in such a case it will be necessary to enter into the Standard Contractual Clauses for each contract entered into by the outsourcee, and it will not be possible to rely on a framework agreement;
- or the data controller and the non-EU entity enter into an ad hoc agreement ensuring the same guarantees as the Standard Contractual Clauses, which, however, must be approved in advance by the Italian DPA.
Moreover, the privacy authority obliged data controllers established in Italy to train the call centers' personnel and to carry out periodic checks on their compliance with the instructions provided. Additionally, the data processing shall comply with the security measures required by the Italian Privacy Code. In particular, adequate technological measures shall be adopted to prevent call center personnel from performing activities on the processed data that go beyond the scope of the work requested of them.
Finally, the Italian DPA obliged any entity running call center activities, directly or indirectly, in countries located outside of the EU to:
- disclose to their customers the location of the call center operator if located outside of the EU, allowing them to opt for an operator located in Italy in the case of inbound calls;
- notify the Italian DPA in advance of the transfer of data to call centers located outside of the EU; and
- notify the Italian DPA of transfers that have already occurred within 30 days from the issue of the DPA's decision.
Such provisions will make life tougher for companies relying on call centers located abroad, and it will be interesting to see how companies react.
Also, this decision is interesting since it once again clarifies the position of the Italian DPA on the use of the Standard Contractual Clauses in any sector: it is not possible to rely on them in the case of data transfers within the EU with sub-processors located outside the EU.
On a similar topic, you may find this interesting: "Call centers require immediate action in Italy".