Communication of personal data within a banking group
Outsourcing
Tracking of operations
Alerts and internal auditing
Data breaches
The Data Protection Authority recently published a new decision on banks and data protection in the Official Gazette. The authority has dealt with several issues. This update summarises the main points.
Communication of personal data within a banking group
Banks can communicate customers' personal data to other banks belonging to the same group only with the prior and informed consent of the data subjects, unless one of the exceptions provided for by the applicable data protection law applies (eg, if the communication is necessary to perform an agreement with the data subject).
Outsourcing
As a general rule, outsourcers shall be appointed in writing by banks as external data processors.
Tracking of operations
Banks must implement adequate IT measures to ensure that database operations carried out by bank employees are duly tracked in a log file. Log files relating to inquiry operations must be kept by the bank for a minimum period of two years.
Alerts and internal auditing
Banks must implement alert systems in order to detect anomalous or risky inquiry operations carried out by those employees who are in charge of processing. Furthermore, the data controller must carry out an internal audit at least once a year to ensure that security and organisation measures continue to comply with the applicable law. The internal audit must be carried out by individuals who do not belong to the same group or department in charge of the relevant processing examined in the audit. Internal audit activities must be duly documented and a report must be:
- provided to the management of the bank;
- incorporated into the data protection security policy document; and
- given to the authority, if so requested.
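The tracking and alerting requirements above say what a bank must achieve (log inquiry operations, keep those logs for at least two years, raise alerts on anomalous inquiries) without prescribing how. The following is an added illustration, not code from the authority's decision or from DLA Piper: it runs over a few constructed log lines in an assumed format (ISO timestamp, employee id, operation, customer id), selects only the inquiry records that are old enough to be purged under the two-year rule, and flags two simple anomaly patterns (inquiries outside business hours, and an employee looking up more distinct customers in a day than an assumed threshold). The field layout, the business-hours window, the volume threshold and the sample records are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format):
# <ISO timestamp> <employee id> <operation> <customer id>
SAMPLE_LOG = """\
2021-01-15T10:02:11 emp001 INQUIRY cust0001
2024-03-04T09:12:01 emp001 INQUIRY cust1001
2024-03-04T09:13:44 emp001 INQUIRY cust1002
2024-03-04T09:15:10 emp002 INQUIRY cust2001
2024-03-04T09:16:33 emp002 INQUIRY cust2002
2024-03-04T09:17:05 emp002 INQUIRY cust2003
2024-03-04T09:18:21 emp002 INQUIRY cust2004
2024-03-04T09:19:40 emp002 INQUIRY cust2005
2024-03-04T09:20:02 emp002 INQUIRY cust2006
2024-03-04T22:40:03 emp003 INQUIRY cust3001
2024-03-04T11:05:00 emp001 UPDATE cust1001
"""

BUSINESS_HOURS = range(8, 19)           # assumed window: 08:00 to 18:59 local time
MAX_DISTINCT_CUSTOMERS_PER_DAY = 5      # assumed threshold for a "high volume" alert
MIN_RETENTION = timedelta(days=2 * 366)  # conservative "two years" (covers leap years)


def parse_log(text):
    """Turn the assumed four-field log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, employee, operation, customer = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "employee": employee,
            "operation": operation,
            "customer": customer,
        })
    return records


def purgeable(records, now):
    """Return only the inquiry records old enough to be deleted under the
    two-year minimum retention. Anything younger must be kept; non-inquiry
    records are left to whatever other policy governs them."""
    return [
        r for r in records
        if r["operation"] == "INQUIRY" and now - r["ts"] >= MIN_RETENTION
    ]


def anomalous_inquiries(records):
    """Flag (a) inquiries outside business hours and (b) employees who look up
    more distinct customers in one day than the assumed threshold allows.
    Each alert is a (kind, employee, when) tuple."""
    alerts = []
    per_day = defaultdict(set)  # (employee, date) -> distinct customers inquired
    for r in records:
        if r["operation"] != "INQUIRY":
            continue
        if r["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("OUT_OF_HOURS", r["employee"], r["ts"].isoformat()))
        per_day[(r["employee"], r["ts"].date())].add(r["customer"])
    for (employee, day), customers in sorted(per_day.items()):
        if len(customers) > MAX_DISTINCT_CUSTOMERS_PER_DAY:
            alerts.append(("HIGH_VOLUME", employee, day.isoformat()))
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    now = datetime(2024, 3, 5)
    print("purgeable:", [r["ts"].isoformat() for r in purgeable(recs, now)])
    for alert in anomalous_inquiries(recs):
        print("ALERT", *alert)
```

In the sample, only the 2021 inquiry is old enough to purge; the 2024 records must stay. The out-of-hours lookup by emp003 and the six distinct customers queried by emp002 in one morning each produce one alert, which is the kind of output the annual internal audit described above would expect to see documented alongside the retained logs.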
Data breaches
Banks are recommended to notify, without delay, both the relevant data subjects and the authority of any accidental or illicit personal data breach (eg, data destruction, loss, modification and unauthorised access or disclosure).
The outsourcing, tracking of operations and auditing measures must be implemented within 30 months of June 3 2011.
For further information on this topic please contact Marco Leone at DLA Piper Italy by telephone (+39 02 80 61 81), fax (+39 02 80 61 82 01) or email ([email protected]).