On February 19, 2015 (decision no. 96) the Italian Data Protection Authority (“DPA”) opened for comments a draft of a code of conduct for companies processing personal data for business information purpose.
Based on the definition given in the draft, the covered companies are those that provide information and evaluation services that may involve the research, collection, processing, analysis and supplying of business information (i.e. patrimonial, economic, financial, and industrial information), which can be used to check someone’s solvency.
The code also applies to business information available on public registries and sources – included newspapers and court documents – as well as those made available by data subjects themselves.
The code sets forth several privacy measures applying to those companies. Some important points:
– In order to simplify the procedure, informed consent of data subject is not required and companies providing these services can notify data subjects of the processing through notices posted on their website.
– The retention period of data is limited: all information regarding bankruptcy and other insolvency procedures cannot be retained for more than 10 years from the commencement date.
– The commercial data relating to legal proceedings can be processed only if published within the previous six months from the moment in which the request for information was received and shall not be modified nor utilized to provide evaluations.
Comments on the draft are possible for 40 days from the publication in the Italian Official Gazette and, once the final text will be approved, it will enter into force within one year.
The draft of a code of conduct on the processing of personal data for commercial information purpose is available (in Italian) at http://www.garanteprivacy… Open Pdf
The press released on March 16, 2015, is available (in Italian) at http://www.garanteprivacy…