On October 10, 2013, the Italian Data Protection Authority issued a new resolution related to the processing of personal data carried out through the use of call centers established in the territory of a country outside the European Union.
This new resolution introduced new binding rules, which apply to subjects, public administrative agency or private entity, which can be considered data controllers, under the Italian Personal Data Protection Code, that carry on data processing either directly or in outsourcing, through call centers, established in third country outside the European Union, regardless of the number of employees engaged.
The aim of the resolution is the protection of Italian citizens and their personal data because it sets out measures that limit the increased phenomenon of data transfer to call centers, sited in third country, which do not comply with the European and Italian law and regulation on privacy and data protection.
Under the resolution, end users’ rights should be guaranteed by more protection and transparency.
However, the measures adopted by the Italian Data Protection Authority should have a direct impact on the business strategies of the Italian undertakings because they potentially constraint the outsourcing of personal data to data processors (call centers) located in third country, which does not guarantee the protection of personal data under the EU standards.
Under the resolution, a data controller, which wants to outsource the processing of personal data to call center, established in third country, shall have to adopt procedures that allow preliminary end users, who are making a call to call centers, (or are receiving a call from call centers) to know which is the location of the operator, and to choose eventually the operator, located in the national territory.
Substantially, in case of data transfer to call centers established to third country, the resolution binds data controllers to guarantee the engagement of call center operators even in the national territory.
We recommend to data controllers to comply with the measures mentioned above because the Italian Data Protection Authority will perform the required inspections, also submitting the special notice required by the resolution to the Italian Authority, before the personal data transfer (or the outsourcing of the processing of personal data) to call centers, sited outside the European Union.
Finally, we think it is important to highlight that the measures apply even to data controllers, which are already processing personal data by means of call center outside the European Union. They are required to inform the Italian Data Protection Authority within 30 days from the publication of the resolution in the Official Journal.
The Italian data protection Authority is deeply committed to figure out how many personal data are transferred in third country, in order to take the required actions in case of breach and violation of the Italian personal data protection Code.