On March 11, 2015 the Italian Data Protection Authority (Garante per la protezione dei dati personali) initiated a public consultation on the draft Code of Conduct concerning the processing of personal data for the purposes of business information. The draft aims at providing a first set of rules for companies which provide information-related services on the economic and financial position of companies and their shareholders, directors and main officers  (hereinafter, “business information“).

In a nutshell, the key features of the draft Code are the following:

  1. The companies providing business information services shall collect data either from the surveyed data subject or through public sources (e.g. business register, balance sheets, cadastral registers, etc.) as well as sources which are publicly and generally accessible by anyone or by subjects authorized for disseminating such information by the applicable laws (e.g. traditional and online newspapers, phone books, professional associations’ websites, etc.).
  2. The personal data collected and processed for the purpose of providing business information services may refer both to the data subject and to individuals or legal entities connected to the data subject due to a legal and/or economic relationship (e.g. individuals holding a position with effective management/control powers).
  3. The processing of personal data is subject to a prior information notice which, due to the number of individuals involved and the peculiar nature of the data to be processed, may be provided on a general basis through simplified procedures (in particular, through the provider’s website). In any case, the information notice shall include (i) the information on the data processor and any possible sub-processor; (ii) the references to the websites or other sources where to access a detailed information notice; and (iii) details on how to exercise the data subject’s rights listed under Section 7 of the Legislative Decree 30 June 2003, n. 196 (Codice in materia di protezione dei dati personali, the “Italian Data Protection Code“).
  4. In accordance with Section 24.1 lett. c) and d) of the Italian Data Protection Code, the data subjects’ consent is not required for the processing of personal data for the purposes of business information , while specific rules are set in relation to the usage and the storage of such business information.
  5. Sensitive and judicial data may not be processed, with the exception for judicial data collected through public sources or sources which are publicly and generally accessible by anyone (within the limits set by the applicable law in relation to their accessibility and usability).
  6. Providers of business information shall adopt adequate technical measures to ensure the security, integrity and confidentiality of the business information processed.
  7. Professional associations shall verify the compliance with the Code by the associated business information’s providers. Failure to comply with the provisions of the Code may result in sanctions applied also by the professional associations.

The consultation will continue for a period of 40 days starting from March 11.