The Italian Data Protection Authority issued regulations introducing new relevant data protection obligations for banks in the processing of customers’ personal data by their employees.  These are aimed at monitoring the transfer of personal data by banks and at tracking the activities performed by bank’s employees on such data.

The regulations were the consequence of a number of complaints by data subjects whose banking-related data had been disclosed by banks’ employees to third parties that subsequently had used them in court proceedings against the data subjects themselves. Following such complaints, the Italian Data Protection Authority performed inspections from 2009 to 2011 and the regulations are the result of such inspections.

However, given the burdensome measures required by the regulations their coming into force was postponed twice up to the 30th of September 2014 when they came into force.

Scope of the data protection regulations

The regulations are applicable to the processing of personal data performed by the employees of not only banks, but also of all the companies belonging to the banks’ group even if they are not banks in case their process financial and accounting data of clients.

This large scope of the regulations in some cases might have a relevant impact on groups that have interests in a number of different sectors as the entire group shall comply with the regulations. However asset management companies (the so called “SGR”) and insurance companies would be excluded from the scope of regulations even if they belong to banking groups since they do not process personal data of banks’ customers.

In particular, the regulations force banking groups to adopt group privacy policies and measures together with trainings – that are already required as part of the security measures prescribed by the Italian Privacy Code – on privacy obligations for employees to ensure a level of consistency in the processing of customers’ personal data within the group and to avoid that potential abuses by employees can expose the entire group to relevant sanctions and negative publicity.

Also, the Italian data protection authority clarified that the regulations apply not only to saving and crediting transactions performed by banks, but also to any other financial activity that they run with an implication also with reference to new products that will be launched in the next years.

Communication of customers’ personal data within a group of banks

Because of the relevant number of abuses in accessing to customers’ databases, banks are now obliged to allow the transfer of customers’ personal data to other banks of the same group only with the prior consent of the relevant customers, unless one of the data protection exceptions apply such as in the case of transfer of a business or a going concern to another entity.

This obligation does not apply also to branches belonging to the bank collecting the customers’ personal data because such branches will act as data processors rather than data controllers and therefore a free transfer of the data between banks and their branches will be allowed.

On the contrary, this might be a relevant issue for groups which include a number of different banks as the customers’ databases shall be separated and, only with the express consent of the customers, employees of one bank will be able to have access to the data of customers of another bank belonging to the same group.

The relevance of such obligation is minimized in case of groups that have a high level of integration where some of the services offered by a bank to its customers are provided by other group’s companies. Indeed in this case it might be possible to argue that the transfer of personal data within the group is necessary for the performance of the agreement with the customer and therefore it is not subject to a prior consent.

Outsourcers

Outsourcers have to be appointed in writing by banks as external data processor (i.e. as entities processing the personal data on behalf of the bank). Such appointment under Italian law is performed through a letter of appointment setting out all the data protection obligations of the outsourcer.

The consequence of such obligation is that banks will be responsible for the data processing performed by the outsourcers. It is crucial that the data processing agreement expressly outline the outsourcer’s obligations also prescribing liability obligations for potential disputes, fines or sanctions that the bank can face because of the breaches performed by the outsourcer.

Tracking of operations

Banks have to implement adequate IT measures to ensure that the operations carried out by the bank employees on the databases are duly tracked in a log file. Log files relating to inquiry operations shall be kept by the bank for a minimum period of 24 months.

This obligation requires some technological investments by banks and indeed some banks took over 6 months to implement this system, but might represent a relevant safeguard for banks themselves in case of disputes.

It is worth to mention that Italian labour and privacy laws prescribe a number of restrictions to the activities that can directly or indirectly trigger a monitoring of employees. Therefore tracking activities shall be performed within the limits prescribed by regulations prohibiting monitoring activities and with the prior approval from trade unions. Also an express policy setting out how and in which circumstances the bank can have access to employees’ data is necessary to avoid that banks in case of disputes are prevented from accessing such data to avoid a data protection breach.

Alerts and internal audit

Banks shall implement alert systems in order to detect anomalous or risky inquiry operations carried out by those employees who have been appointed as persons in charge of the processing. At least annually the data controller shall carry out an internal audit to ensure that the security and organization measures still comply with the applicable law. Such internal audit shall be performed by individuals who do not belong to the same group/department in charge of the relevant processing examined in the audit.

The internal audit activities must be duly documented and a report shall be provided to the management of the bank and sent to the Italian Data Protection Authority if so requested.

Again also in this case alert systems shall comply with restrictions applicable to monitoring of employees’ activity and an adequate privacy policy shall be in place to ensure that in case of suspect activity the bank can access to the employee’s data.

Data breach and cybersecurity

Banks are recommended (even if they are not obliged to do so) to notify with no delay both the relevant customers and the Italian Data Protection Authority of any unlawful data breach (e.g. data destruction, loss, modification and unauthorized access or disclosure). This is to allow data subjects to implement measures aimed at minimising the negative effects of the data breach.

Such recommendation will become an obligation for any entity processing personal data as a consequence of the coming into force of the new EU Privacy Regulation with consequential possible reputational damages and fines up to 5% of the global turnover. Cybersecurity will become exponentially relevant for banks and any other company also because according to the new EU Privacy Regulations the notification to customers of a data breach will not be necessary if the data controller shows to have adopted adequate security measures to avoid the unauthorised access and loss of the data.

The obligations above are already into force and banks that are not compliant shall quickly adopt the necessary measures.