Italian DPA publishes first draft of the Code of Conduct for “commercial information activity”
March 30, 2015
On 2 February 2015, the Italian Data Protection Authority (the “DPA”) published the first draft of the Code of Conduct for “commercial information activity”.
The code applies to all entities performing investigations or research or collecting data in the interest of private parties for purposes of providing information on, among others, patrimonial, economic, financial and industrial status of a certain subject (so called “commercial information”).
In principle, those providers process information only on companies. However, the DPA outlined that often information on companies are strictly linked to data of individuals, such as directors or shareholders. This is the reason why the DPA deemed appropriate to intervene.
The draft of the code provides some interesting proposed provisions relating to data processing.
The code will apply to “commercial information” related to individuals. This is contained in public registers or documents accessible to the public. It will also apply to data communicated directly by the data subjects to entities falling within the scope of the code.
The processing of sensitive or judicial data shall, in principle, not be allowed for commercial information purposes. By way of exception, it is possible to process judicial data available from “public sources” (such as public registers, companies register, financial statements of the companies, tax authority registers); while judicial data available from “sources generally accessible by the public” (such as newspapers and websites) may be processed only if made available no more than 6 months before the request of provision of the service.
The service providers shall adopt all appropriate measures in order to ensure the correctness and reliability of the data collected. They shall also update the data and detail the source of information.
The DPA specifies that the service providers are not requested to obtain specific consent by the data subjects. They shall render the privacy statement in a simplified way and on a non-individual basis, by making it available on the websites.
Regarding the retention period, the service providers may keep the information as long as they are available in the public sources, except for data pertaining to bankruptcy proceedings, which can be retained for no more than ten years from the beginning of the proceeding.
After this period, information may be used by the service providers only in specific cases: i.e. when further information about a different bankruptcy proceeding are available, or when a new bankruptcy proceeding regarding the same subject (or another subject having some connection with the former) has been started.
Also in case of mortgage and seizure, the data may be kept for a maximum period of ten years, starting from the date of their registration, save in case of cancellation of mortgage or seizure before the expiration of such period. In such event, the cancellation notice shall be kept for two years.
The draft is currently under the examination of the services providers and any interested party including consumers’ associations. They have the opportunity to provide the DPA with their comments by 26 April 2015.
The results of such consultation will be quite interesting as it shall reflect the different interests involved in the provision of commercial information. On one side, the provision of a correct and complete set of information on certain subjects which is necessary to take conscious decision on making business; on the other side, the protection of the individuals involved in bankruptcy, seizure or mortgage proceedings.