New Italian Code of Conduct: the rules for commercial information companies

The Italian Data Protection Authority approved the new Code of Conduct for the processing of personal data in commercial communications, which regulates the processing of personal data of persons coming from registers, lists, deeds or public documents known to anyone or accessible to the public. Based on the rules contained therein, companies that offer information on the commercial reliability of entrepreneurs and managers will be able to process the personal data of the controlled individual without asking for their consent but on the legal basis of legitimate interest. However, they will have to inform them via a privacy notice. What measures will have to be taken to avoid the risk of destruction, loss or modification of the data?

The Italian Data Protection Authority (the Garante) has approved a new Code of Conduct relating to the processing of personal data as part of Commercial Communications submitted by the ANCIC, the National Association of Commercial Information and Credit Management Companies.

The Code regulates the processing of personal data of individuals coming from public registers, lists, deeds or documents known by anyone or publicly accessible (the so-called public sources which include for instance the Internet and newspapers), as well as the processing of personal data provided directly by the interested parties. It applies data are processed to provide information to clients for checks on the economic, financial and asset situation of the parties concerned, as well as on their soundness, solvency, and reliability for the analysis and definition of strategies and policies of a company’s business activities.

For instance they include the identification of the relevant individuals for the setting up of a new business relationships, the establishment and management of relationships, including pre-contractual relationships, the supply of goods, services and services to interested parties and the related payment terms and conditions, the fulfilment of the relevant regulatory obligations, including those relating to money laundering, the prevention and combating of fraud and the protection of the related rights by clients, including in court.

The data processing activity include the elaboration of personal data through statistical processes or automated models, or through analyses and evaluations carried out by experts, also on the basis of pre-defined classifications, in order to formulate an opinion on the soundness, solvency and reliability of the assessed person, possibly expressed in predictive, probabilistic or in the form of alphanumeric indicators, codes or symbols.

The new Code replaces and updates the old Code of Conduct on Commercial Information – which will remain in force until September 19, 2019 – helping companies in the sector to comply with the EU General Data Protection Regulation (GDPR) and the supplementing Italian legislation integrating the GDPR which came into force at the end of 2018.

The Code of Conduct applies the principle of accountability, which is strongly supported by the GDPR and requires trade associations and companies to apply the regulations in an informed, transparent, and effective manner.

Companies that offer information on the commercial reliability of entrepreneurs and managers will be able to process the personal data of the checked individual without asking for their consent but on the legal basis of legitimate interest.

However, they will need to inform them about the data processing activities performed through a privacy information notice that shall be published on the ANCIC website so relying on article 14.5, letter b), of the GDPR. Also, they will need to enable the exercise of the privacy rights provided for by the EU Data Protection Regulation, such as the right to object to the processing of personal data well as the right of rectification and updating of processed data.

There are several innovations. Participating providers will have to operate according to a risk-based approach, adopting technical, procedural, physical and organizational measures to prevent or minimize the risks of destruction, loss, modification, and unauthorized disclosure or access to personal data. Each provider shall also undertake to comply with the guidelines, recommendations and best practices adopted by the European Data Protection Board (EDPB) or other relevant industry authorities, and shall designate a Data Protection Officer (DPO) when required.

Finally, an independent monitoring body (ODM), external to the ANCIC, will be set up, composed of experts chosen according to the criteria of respectability, autonomy, independence and professionalism provided for by the GDPR and detailed in the recently definitively approved Guidelines of the European Data Protection Board on Codes of Conduct. The ODM shall verify the observance of the Code of Conduct by the adherents and manage the resolution of complaints.

Final considerations

The new Code of Conduct is a significant improvement for both Italian and foreign companies operating in Italy. Indeed, even foreign companies will need to rely on the services of providers that subscribed the Code of Conduct rather than their international providers.

Also, for instance, checks on criminal records might be considerably affected. The Code of Conduct allows the processing of data relating to criminal convictions and offenses that originated from public registries. On the contrary, for other public sources such as the Internet or newspaper, only data relating to criminal convictions and offences published during the last six months may be processed, starting from the date of receipt of the request for the service by the customer, and without any possibility for the provider (i) to make changes to the content of such information – except for any updating thereof – and (ii) to use it for the purposes of processing evaluative information.

The Code of Conduct will come into force following the accreditation of the ANCIC according to the procedure still to be finalized by the European Data Protection Board.