From October 1, 2016, the measures called for by the "Code of conduct for the use of personal data carried out for commercial information purposes” will be applicable. The Code of Conduct (available in full at the following link: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4298343) has been promoted by the Italian Data Protection Authority and prepared in cooperation with various associations concerned to the field. 

The new Code is directed to companies that provide information on the commercial reliability of entrepreneurs and managers, and aims at regulating the activities of those entities through a balance between their freedom of economic initiative, on one hand, and the security, individual freedom and dignity of the people whose data are processed, on the other hand. In fact, the data collected and processed by those companies are particularly sensitive, as they refer to the economic and financial position of entrepreneurs. It follows that the incorrect use of databases and invasive analysis tools can cause serious damages to the dignity and privacy of all the people involved.

Here are the most significant rules introduced by the Data Protection Authority in the Code of Conduct: 

  • Scope: the new Code of Conduct will only apply to commercial information relating to individuals. The Code, in fact, takes over the definition of “personal data” provided for by Article. 4 of the Legislative Decree  no. 196/2003 ("Privacy Code"), which refers to "any information concerning a natural person, identified or identifiable". It follows that all the commercial information that do not make reference to individuals are freely usable (point 3 of Preamble);
  • Data traceability: in order to create a business information dossier on a manager or an entrepreneur, only the personal data referring to that person - or to people or entities that have or have had legal and/or economical connections with it – can be used (the mentioned connection exists, for instance, when the data subject owns a company through a direct or indirect control of shares) (Art. 2, par. 3 and 4);
  • Usable data and consent: only the following data can be used: i) data coming from public sources, cognizable by anyone (and thus the information contained in the companies’ register and within balance sheets, real estate deeds, detrimental acts); ii) data extracted from publicly available sources and generally accessible by anyone (such as newspapers, telephone directories, government or control and surveillance agencies’ websites); iii) personal data that the data subject freely decided to communicate to the commercial information provider (art. 3, par. 1 and 2). In the cases refered to in points i) and ii) the data may be processed without the consent of the data subject (art. 5);
  • Data processing arrangements: when they collect and keep personal data, the commercial information providers are required to: i) ensure that the acquired information are correct and pertaining to the pursued purpose; ii) take note of the source of the data; iii) keep the data up-to-date (Art. 3, par. 4);
  • Information to data subjects: for the processing of the above mentioned data the commercial information providers give to the data subject a non-individual information which is released in accordance with simplified modalities compared to than the ordinary ones provided for by art. 13 of Privacy Code. In particular, the information must be released within a portal specifically created by the commercial information providers, in case they have an annual turnover of more than € 300,000.00; within the website of the single commercial information provider, in case its annual turnover is lower than the above mentioned amount (Art. 4);
  • Time-limits for use and keeping of data: the personal data collected for commercial information purposes may only be kept until they remain knowable and/or published in the public sources where they come from (Art. 8). As far as concerns detrimental information (such as bankruptcies, insolvency proceedings, mortgages, etc.), Art. 7, par. 4, introduces stricter deadlines (for instance, the information relating to insolvency proceedings normally cannot be used for more than 10 years from the date of opening of the insolvency proceedings itself);
  • Security: all commercial information providers are required to implement appropriate measures in order to ensure the security, integrity and confidentiality of the collected and processed information (Art. 10);
  • Entry into force: the new Code of Conduct shall enter into force on October 1, 2016. Therefore, from said date, any processing of personal data with commercial information purposes shall be considered as illicit if it is not compliant to the Code.