Update on the latest data protection news in Italy

18 March 2008

Debora Stella, Giulia Mozzato

In the past few months the Italian Data Protection Authority has issued a number of guidance documents and press communications aimed at providing more information about the application of Italian data protection legislation in certain sectors

Proposals to accept Binding Corporate Rules

Multinational corporations need new mechanisms by which intra-group transfers of data to group members in non-EU countries will be permitted. The various means of transferring personal data set out in the Data Protection Directive, such as the use of standard contractual clauses, have been criticised in Italy when used in intra-group transfers. Consequently the Data Protection Authority strongly supports adoption of legislation that will allow Binding Corporate Rules to be used in Italy.

The Italian Data Protection Authority submitted a formal request to the Italian Parliament and Government requesting that it changes the law to allow Binding Corporate Rules. This would mean that the Italian Data Protection Authority could authorise companies to transfer personal data using Binding Corporate Rules to members of its Group outside the EEA. Under Italian civil law these Binding Corporate Rules would bind companies within and outside the group.

Clinical trials

The Italian Data Protection Authority has adopted Guidelines on processing data as part of clinical trials. It has started a public consultation with the intention of collecting comments from members of the pharmaceutical industry and other organisations in the clinical sector by 15 February 2008.

The Guidelines set out the measures that should be taken to ensure that patients’ personal and sensitive data are processed legally during clinical trials. This is especially important as the personal data from such trials are accessible to sponsor companies also, who can be members of the same group but established in other countries.

The Guidelines standardise legislation that is currently in force; Legislative Decree No. 196/2003 and, more specifically, Annex 4 to the decree on “Processing of personal data for statistical and scientific purposes”. The Guidelines set out in detail the main principles of data processing, and in particular the methods and procedures (e.g. notice, patient’s consent, retention period, security measures) that have to be followed. The Guidelines also provides practical advice on the possible roles of various groups involved in the processing (e.g. pharmaceutical companies, clinical study monitors, patients, etc.) as autonomous data controllers or data processors.

Simplification of customer care procedure

On 10 December 2007 the Italian Data Protection Authority issued general guidance concerning activities relating to calls received by companies responsible for customer care, after-sales assistance and telephone banking. The Authority stated that these companies should always inform customers that their personal data may be processed, unless the customer has already been informed, (e.g. at subscription, or during the call). A proper notice that is clear, immediately comprehensible and concise, should always be given by call centre operators (or through a recorded message) when the company intends to use the data for a different purpose, such as marketing activity.

The Authority also invited companies operating in the telephony sector to ensure professionalism and proper security of the data when it is processed. In particular, the guidance underlined the importance exercising caution when the same call centremanages different databases for different data controllers.

Processing customers' data in the Banking sector

In October 2007, the Italian Data Protection Authority provided guidance to banks on how to process customers’ personal data, in compliance with the Italian Data Protection Code (Legislative Decree No. 196/2003). The Authority requires banks to provide updated information to customers, to ask for identity documents only if strictly necessary, and to adopt proper security measures. These guidelines also apply, insofar as they are compatible with specific sector-related features, to similar activities carried out by post offices in providing banking and financial services.

Deletion of web navigation information

At the end of January 2008, the Italian Data Protection Authority required certain telephone and internet operators (i.e. Telecom, Vodafone IT, H3G, Wind) to delete all traffic data that can reveal the content of the communication (i.e. web pages visited or destination IP addresses) as these could potentially disclose users’ sensitive data,(e.g. data concerning personal relationships, religious beliefs, political opinions, health and sex life). All this data must be deleted within two months of the adoption of the provision. Telephone and internet operators are only allowed to retain data that is required to provide the services and send invoices.

The provision also prevents operators from using any proxy servers that are not necessary for routing the communication or invoicing the services. This is because these servers sit between the users and the website and are able to collect a large amount of data related to sites visited by the user during the web session.

New Regulation on security for telephone and internet traffic data

On 1 February 2008 the Italian Data Protection Authority published new regulations. This covered security measures to be implemented by electronic communication providers when processing telephone and internet traffic data (for the purposes of justice, and invoicing payments and marketing).

Under this new regulation electronic communication providers are required to implement strong security measures, listed in the regulation, by 31 October 2008 and to notify the Italian Data Protection Authority when they have complied with the new provisions.