Scope of application
The Data Protection Authority has issued regulations for banks and companies within banking groups on the lawful processing of clients' personal data.
The regulations apply to:
- banks, including those belonging to groups, whose activity is governed in general terms by Article 2359 of the Civil Code and specifically by Articles 60 and following of the Banking Act (Legislative Decree 385/1993);
- companies which are not banks but belong to banking groups, in respect of their performance of processing operations that involve their clients' personal data; and
- Poste Italiane SpA, Italy's main postal services operator, in respect of its banking and financial services activities.(1)
Foreign banks and foreign companies within banking groups that operate in Italy under the right of establishment are subject to the regulations; however, the requirements do not apply to entities that operate under the principle of freedom to provide services.
The regulations govern the circulation of information related to banking clients and the ability to track banking operations (relating to money flow or information) performed by bank employees. The authority has set out the measures that the relevant entities must adopt in order to ensure compliance with the Privacy Code (Legislative Decree 196/2003).
Tracking and logging information
The regulations set out requirements for tracking operations concerning clients' personal data and its retention. In order to monitor each employee's activities involving such data (apart from his or her qualification and scope of operations), appropriate IT solutions must be implemented in order to track activities performed on databases. This information - including the date and time of the operation and identification codes for both the client and the individual who performed the operation - must be retained for a minimum period, which is determined by the nature of the information. For example, information on log tracking enquiry operations must be retained for at least 24 months.
Alert systems must be implemented to detect anomalous behaviour or risks related to enquiry operations.
Internal audits and periodical reports
The management of banking data must be checked at least annually. Such internal auditing activity must be properly documented and must be carried out by a specific unit (or by employees other than those to whom the processing of client banking data is entrusted).
Outsourcing to data processors
If banks entrust the processing of relevant data to third parties, the latter must be appointed as data processors under Article 29 of the Privacy Code.
These measures, which the authority has classified as 'necessary', must be implemented by December 3 2013 (ie, within 30 months of publication of the regulations in the Official Gazette). Failure to do so carries a fine of between €30,000 and €180,000 under Article 162(2)ter. However, these amounts can be increased or reduced for more or less serious violations. In addition, banks and banking group companies will be liable to indemnify third parties for any damage suffered as a result of non-implementation.
In addition, the regulations require the adoption of certain 'suitable' measures; Failure to comply is not punishable by a fine, but entities will be required to indemnify third parties for any damage resulting from non-implementation. The regulations list the following suitable measures:
- The information notice that must be communicated to clients under Article 13 of the Privacy Code must mention that personal data belonging to clients may be circulated among the bank's agencies and branches;
- Banks must notify their clients without delay of any illegal operations that pose a security threat to their personal data, so that clients can adopt appropriate measures and, where possible, reduce the risks involved; and
- Banks must inform the authority of any event or circumstance which represents a verified breach of data protection law that is particularly significant in terms of the quality and quantity of the data or the number of clients involved.
For further information on this topic please contact Giorgia Masina at Pavia e Ansaldo by telephone (+39 02 855 81), fax (+39 02 8901 1995) or email ([email protected]).