On September 12, 2019, the Italian Supervisory Authority (“Garante”) approved a code of conduct for consumer credit agencies (the “Code”), pursuant to Art. 40 GDPR (see here in Italian).

The Code already existed prior to the GDPR, but it had to be amended to meet the requirements of the GDPR and be approved by the Garante in accordance with the GDPR procedures. The Code was submitted for approval by the Italian associations AISREC, CTC and ASSILEA on March 19, 2019, after a consultation with representatives of the relevant data subjects and the sector.

The Code regulates the processing of personal data of individuals located in Italy. It can be adhered to by entities located in Italy that professionally manage credit information systems (e.g., banks, financial intermediaries and other entities offering credit services).

The Code’s structure follows the requirements of Art. 40(2) of the GDPR.  The Code installs a monitoring body, composed by three members: a representative of the Italian National Consumer and User Council, a person designated unanimously by the entities adhering to the Code and a person appointed by the two other members, who will also serve as president.

The Code provides that the legal basis for processing the personal data contained in credit information systems for credit scoring purposes is the legitimate interest of the credit agencies, hence it is not necessary to obtain consent.  Nevertheless, data subjects must receive a complete and clear information notice – Annex 3 of the Code contains a template notice.  The Code itself does not serve as a legal basis for international transfers.

The Code’s approval is made conditional on the accreditation of the monitoring body by the Garante which, according to the Garante, is not yet possible because of the lack of uniform criteria for accreditation at EU level. Pending the accreditation, Code members shall “carry out the processing operations of personal data in compliance with the rules and principles governed by it as well as any other applicable legislation”.

Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of…

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies concerning the lawmaking, to compliance advice on the adopted laws regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.