DATA PROCESSING IN ITALY. Ten Simple Practices to Improve Business

Transcription

1 DATA PROCESSING IN ITALY Ten Simple Practices to Improve Business

2 CONTENTS Preface The Value of Data Taking on Responsibility Business Transparency and Fairness Resumés and Curricula Vitae Risky Data Processing New Technologies Defending Data Controlling the Controller Exporting Data Personal Data Customer Care

3 Preface In an effort at helping companies comply with data privacy rules and obligations, the Italian Data Protection Authority ( IDPA ) published guidelines called Ten Simple Practices to Improve Business. The guide is intended to promote the idea that compliance with data privacy is not a burden for a company but rather a way to better business. By adopting a few simple expedients, a company can improve its organization and make its business more efficient with beneficial effects in terms of competitiveness. The guidelines give ten suggestions on how to enhance the conduct of business and indicate best practices that can also improve the company s reputation. These ten best practices are outlined below. 1. The Value of Data It is important to bear in mind the importance of a business s data. A company s data is made up of precious commercial, financial and technical information capable of increasing the company s value. The data s potential depends largely on the owner s capability to make proper use of it and this potential will certainly increase through the correct use and processing of same. In this regard the IDPA noted that the data s actual potential is conditioned upon its lawful use. It is hence necessary to know the difference between various types of data (i.e., sensitive, judicial, genetic, etc.) and the use that may be made of same.

4 2. Taking on Responsibility A business is organized in such a way that tasks and responsibilities are clearly assigned. The same type of organization is required when it comes to data processing. The chief role in data processing is played by the data controller. The data controller is not randomly selected within a company s organization but is the party that exercises control over the data and its use. In turn, and depending on the size and organization of the business, the data controller will appoint the data processor(s) and will be responsible for monitoring over their performance. The choice of data processors should depend on capacity and experience and the selection may fall upon parties that are not a part of the company s internal organization. The persons in charge of processing are the persons that materially perform data processing activities. They must act under the data controller s direct responsibility. Persons in charge of processing must be appointed in writing, however the IDPA has clarified that it is sufficient for it to appear that a person has been inserted in a specific unit that is authorized to process certain data (for example, commercial or marketing). 3. Business Transparency and Fairness It is good practice to inform a data subject that his/her data will be processed and to ask permission to do so. In addition to being a good practice, obtaining the data subject s prior consent and authorization is also an obligation 4

5 under the data privacy code; it is also an obligation to inform the data subject on the intended use of his/her data by providing him/her with an information notice. With a view at simplifying compliance with this obligation, the guidelines specify that a company must provide data subjects with a clear and comprehensive information notice on data processing. The IDPA further highlights that the information notice must be concise and understandable; the use of symbols and icons is thus welcomed. Moreover, depending on the circumstances, the information notice may be given verbally or by using signs (for example, by hanging a sign with a video camera). In addition to informing data subjects, a data controller must also obtain the data subjects consent to processing and, in order for processing to be lawful, consent must be freely given and in writing. The IDPA notes that if a data bank is purchased from a third party, the new owner should verify that consent was given to process the personal data contained therein. The guidelines also highlights that certain processing does not require the data subject s consent. By way of example, consent is not required when data is processed for compliance with the law or for the performance of a contract. Further, a company is not required to obtain customers consent for promotional or marketing activities. Likewise consent is not needed to process data that is available through public registers; nevertheless, the data must be utilized for purposes similar to those of the register where the data was first recorded. Finally, consent is not required for legal defense activities. 5

6 Written consent must always be given to process sensitive data. Moreover, the data controller is required to obtain the IDPA s authorization to process sensitive data. However, the data controller may operate under a general authorization issued by the IDPA for a specific category of sensitive data or of business activities, thus waiving the need to apply for an ad hoc authorization 4. Resumés and Curricula Vitae Throughout its ordinary course of business, a company may find itself dealing with a significant number of CVs and resumés submitted by persons interested in an employment opportunity. If a CV is spontaneously submitted, the company is not required to either request the data subject s consent or to provide an informative notice on processing. The rules change however if the company opens a personnel selection process. In this case the prospective employer is required to ask the data subject s consent and inform him/her on data processing. 5. Risky Data Processing The processing of sensitive data must be duly authorized and the specific nature of the processing or of the data may require an express authorization by the IDPA. Should the processing as authorized change in any way whatsoever, the IDPA must be informed and the authorization modified accordingly. With a view at facilitating compliance, the IDPA has made it possible to file notifications and applications online. Further, the IDPA has exonerated certain categories of data controllers 6

7 (such as medical doctors and lawyers) from certain notification and filing obligations. 6. New Technologies The use of new technologies is often boarder-line with an employee s rights and data protection rules. The IDPA recommends that the company should carefully assess the means and the purposes for processing data by using technological instruments in order to prevent discriminatory and unlawful processing. Moreover, the use of technology at the workplace for surveillance purposes must comply with both the stringent rules set by labor law as well as with the provisions on data processing. The IDPA does not prohibit the utilization of technological systems however a preliminary verification by the IDPA will be necessary to ensure that employees dignity and rights will not be negatively affected by the utilization of surveillance or distant control systems. In general terms, the IDPA allows the utilization of new technologies as long as they do not interfere with individual rights. 7. Defending Data A company s data banks (list of client, contacts, intellectual property information, etc.) are an asset considering the economic potential that they represent. It follows that a company will adopt the most appropriate means to protect these data banks. While the protecting a data bank may represent a good business practice, it becomes an obligation whenever the data bank contains personal data that fall under the scope of the data protection code. 7

8 If personal data are stored electronically, the data controller should adopt appropriate measures to protect them. However, the selected measures may not be sufficient and therefore the IDPA may independently indicate additional measures in order to ensure that processing meets privacy requirements. The IDPA recommends special care when disposing of IT hardware. No matter how obsolete, it is possible to recover data from old machines. Therefore, the IDPA suggests deleting all data before dispose of the hardware. The IDPA has acknowledged that more and more frequently data is processed and stored in the cloud. While recommending the implementation of reliable protection measures, the IDPA has published a set of guidelines to facilitate cloud computing in compliance with the ruled on data protection. In particular, when storing data in the cloud, the guidelines recommend to: Verify the reliability of the provider Prefer services that allow data portability Verify the possibility of retrieving data Select the data to store in the cloud Always keep an eye on the data Ask where the data are physically stored Read the contract clauses carefully Check the terms and conditions on data storage Demand for appropriate safety measures Train personnel 8

9 8. Controlling the Controller All IT systems are controlled by a system administrator who has indiscriminated access to all data. In light of the system administrator s broad access to data, the IDPA provides that the system administrator should operate under the data processor s control. Moreover, the IDPA recommends selecting the system administrator based on experience, capability and reliability. Moreover, in order to be able to monitor over the system administrator, the company should adopt systems that allow traceability of the administrator s access to electronic archives and data elaboration systems and more generally allow periodic verifications (at least once a year) of the system administrator s activities. 9. Exporting Data Exporting data from Italy to another country is allowed provided that the receiving country has enforced laws that ensure an adequate standard of protection. Data can be freely exported within the European Union and to countries that offer the same if not higher standards of protection as the EU. With a view at simplifying the exportation of data outside of the EU, the IDPA has published on its website a list of non-eu states that are considered reliable for data protection purposes. If the country of destination is not included in this list, the transfer of data is permitted if the receiving country offers other adequate guarantees of protection. By way of example, the EU and USA have entered into the Safe Harbor 9

10 Act whereby the United States sets forth shared rules on data protection. There are some exemptions to the prohibition of exporting to data non-eu member States. For example, the exportation of data in other countries is allowed upon the data subject s consent or when the export of data is required for the performance of a contract the data subject is a party to. 10. Personal Data Customer Care A competitive company is a company that provides efficient customer care. The IDPA holds that modern companies must also offer data processing and data protection customer care service. Data subjects are entitled to a wide range of rights, from receiving information on the type of data held by a company to receiving information on how the company intends to process this data or requesting a company to cease processing. The IDPA considers companies capable of giving a prompt and through reply to these questions as especially efficient and transparent and therefore worthy of consumer trust. Similarly, a company should promptly inform data subjects of any problems arising from or related to the processing of their data and should take all necessary action to prevent any events capable of jeopardizing a person s personal data, such as, for example, the loss of identity. 10

11 *** We will be pleased to provide further information on the above and assistance on data processing compliance matters. Gianfranco Puopolo Partner E.: OFFICES Milan Rome Via Sant Andrea, 3 Via Lisbona, Milan Rome T T F F Also in Naples and Genoa Angela Rinaldi Partner E.: rinaldi@pglegal.it Please follow us on Twitter Facebook LinkedIn 11