The new Italian privacy rules on commercial information remove considerable restrictions on access by companies to such data, granting the opportunity to exploit new categories of data.
The Italian Privacy Authority (the Garante) approved a new code of conduct relating to the processing of personal data concerning commercial information submitted by the ANCIC, the National Association of Commercial Information and Credit Management Companies.
What is the Italian privacy code on commercial information about?
The Code regulates the processing of personal data of individuals coming from public registers, lists, deeds or documents knowable by anyone or publicly accessible (the so-called public sources, which include for instance the Internet and newspapers), as well as the processing of personal data provided directly by the interested parties. It applies when such data are processed with the purpose of providing information to clients for checks on the economic, financial and asset situation of the parties concerned, as well as on their soundness, solvency and reliability, for the analysis and definition of the strategies and policies of a company’s business activities.
For instance, these purposes include the identification of the relevant individuals for the setting up of a new business relationship, the establishment and management of relationships, including pre-contractual relationships, the supply of goods and services to interested parties and the related payment terms and conditions, the fulfilment of the related regulatory obligations, including those relating to money laundering, the prevention and combating of fraud, and the protection of the related rights by clients, including in court.
The data processing activities include the elaboration of personal data through statistical processes or automated models, or through analyses and evaluations carried out by experts, also on the basis of pre-defined classifications, in order to formulate a report on the soundness, solvency and reliability of the assessed person, possibly expressed in predictive or probabilistic terms, or in the form of alphanumeric indicators, codes or symbols.
Why is the new code better than the one before?
The new privacy code replaces and updates the old code of conduct on commercial information – which will remain in force until 19 September 2019 – helping companies operating in the sector to comply with the EU General Data Protection Regulation (GDPR) and the supplementing Italian legislation integrating the GDPR which came into force at the end of 2018 (Read on the topic Italian privacy law integrating the GDPR approved, with big questions!).
The code of conduct applies the principle of accountability, which is strongly supported by the GDPR and requires trade associations and companies to apply the regulations in an informed, transparent and effective manner.
Companies that offer information on the commercial reliability of entrepreneurs and managers will be able to process the personal data of the checked individuals without asking for their consent, relying instead on the legal basis of legitimate interest. However, they will need to inform them about the data processing activities performed by means of a privacy information notice that shall be published on the ANCIC website, thus relying on article 14.5, letter b), of the GDPR. Also, they will need to enable the exercise of the privacy rights provided for by the EU Data Protection Regulation, such as the right to object to the processing of personal data as well as the right of rectification and updating of the processed data.
The major innovations of the new privacy code on commercial information
Several innovations have been introduced. Participating providers will have to operate according to a risk-based approach, adopting technical, procedural, physical and organizational measures to prevent or minimize the risks of destruction, loss, modification, and unauthorized disclosure or access to personal data. Each provider shall also undertake to comply with the guidelines, recommendations and best practices adopted by the European Data Protection Board (EDPB) or other relevant industry authorities, and shall designate a Data Protection Officer (DPO) when required.
Finally, an independent monitoring body (ODM), external to the ANCIC, will be set up, composed of experts chosen according to the criteria of respectability, autonomy, independence and professionalism provided for by the GDPR and detailed in the Guidelines on Codes of Conduct recently approved in their final version by the European Data Protection Board. The ODM will have to verify the observance of the code of conduct by the adherents and manage the resolution of complaints.
The new Italian privacy code of conduct on commercial information is a major improvement for both Italian and foreign companies operating in Italy. Indeed, even foreign companies will need to rely on the services of providers that have subscribed to the code of conduct rather than on their international providers.
For instance, checks on criminal records might be considerably affected. The code of conduct allows the processing of data relating to criminal convictions and offences originating from public registers. On the contrary, for other public sources such as the Internet or newspapers, only data relating to criminal convictions and offences published during the last six months may be processed, counting back from the date of receipt of the customer’s request for the service, and without any possibility for the provider (i) to make changes to the content of such information – except for any updating thereof – and (ii) to use it for the purposes of processing evaluative information (Read on the topic How data on criminal convictions of employees become a privacy risk).
On a similar topic, you may find interesting The new draft ePrivacy Regulation changes on digital marketing.