01 July 2011
The Data Protection Authority has issued regulations for banks and companies within banking groups on the lawful processing of clients' personal data.
The regulations apply to:
Foreign banks and foreign companies within banking groups that operate in Italy under the right of establishment are subject to the regulations; however, the requirements do not apply to entities that operate under the principle of freedom to provide services.
The regulations govern the circulation of information related to banking clients and the ability to track banking operations (relating to money flow or information) performed by bank employees. The authority has set out the measures that the relevant entities must adopt in order to ensure compliance with the Privacy Code (Legislative Decree 196/2003).
Tracking and logging information
The regulations set out requirements for tracking operations concerning clients' personal data and its retention. In order to monitor each employee's activities involving such data (apart from his or her qualification and scope of operations), appropriate IT solutions must be implemented in order to track activities performed on databases. This information - including the date and time of the operation and identification codes for both the client and the individual who performed the operation - must be retained for a minimum period, which is determined by the nature of the information. For example, information on log tracking enquiry operations must be retained for at least 24 months.
Alert systems must be implemented to detect anomalous behaviour or risks related to enquiry operations.
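As an added illustration (not part of the ILO article or the authority's regulations), the following Python checks a constructed audit trail against the requirements described above: every record must carry the date and time, an operation type and identification codes for both client and employee; enquiry records are retained for 24 months before they become eligible for purging; and a simple alert flags an employee who queries an unusual number of distinct clients in one day. The log format, field names and the alert threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

REQUIRED_FIELDS = ("timestamp", "operation", "client_id", "operator_id")
ENQUIRY_OPS = {"ENQUIRY"}

# Constructed sample audit trail (assumed format): timestamp|operation|client code|employee code.
# The last line is deliberately incomplete to show how a defective record is handled.
SAMPLE_LOG = """\
2011-07-01T09:15:00|ENQUIRY|C1001|E07
2011-07-01T09:16:30|ENQUIRY|C1002|E07
2011-07-01T09:17:10|ENQUIRY|C1003|E07
2011-07-01T09:18:05|ENQUIRY|C1004|E07
2011-07-01T10:02:00|UPDATE|C1001|E12
2009-05-20T14:00:00|ENQUIRY|C0042|E03
2011-07-01T11:00:00|ENQUIRY|C1005
"""

def parse_record(line):
    """Split one pipe-separated line into a dict; reject records missing any required field."""
    parts = line.split("|")
    if len(parts) != len(REQUIRED_FIELDS) or any(p == "" for p in parts):
        raise ValueError(f"incomplete audit record: {line!r}")
    rec = dict(zip(REQUIRED_FIELDS, parts))
    rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
    return rec

def parse_log(text):
    """Return (valid records, rejected lines); rejected lines are reported, not silently dropped."""
    good, bad = [], []
    for line in text.splitlines():
        try:
            good.append(parse_record(line))
        except ValueError:
            bad.append(line)
    return good, bad

def purge_eligible(records, now):
    """Enquiry records older than 24 months may be purged; everything newer must be retained."""
    cutoff = now.replace(year=now.year - 2)  # 24 months back (29 February edge case ignored)
    return [r for r in records if r["operation"] in ENQUIRY_OPS and r["timestamp"] < cutoff]

def anomalous_operators(records, max_clients_per_day=3):
    """Flag employees who query more distinct clients in one day than the assumed threshold."""
    seen = defaultdict(set)
    for r in records:
        if r["operation"] in ENQUIRY_OPS:
            seen[(r["operator_id"], r["timestamp"].date())].add(r["client_id"])
    return sorted({op for (op, _), clients in seen.items() if len(clients) > max_clients_per_day})
```

In practice the threshold would be tuned to each employee's qualification and scope of operations, as the regulations require, rather than fixed globally.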
Internal audits and periodical reports
The management of banking data must be checked at least annually. Such internal auditing activity must be properly documented and must be carried out by a specific unit (or by employees other than those to whom the processing of client banking data is entrusted).
Outsourcing to data processors
If banks entrust the processing of relevant data to third parties, the latter must be appointed as data processors under Article 29 of the Privacy Code.
These measures, which the authority has classified as 'necessary', must be implemented by December 3 2013 (ie, within 30 months of publication of the regulations in the Official Gazette). Failure to do so carries a fine of between €30,000 and €180,000 under Article 162(2)ter. However, these amounts can be increased or reduced for more or less serious violations. In addition, banks and banking group companies will be liable to indemnify third parties for any damage suffered as a result of non-implementation.
In addition, the regulations require the adoption of certain 'suitable' measures. Failure to comply is not punishable by a fine, but entities will be required to indemnify third parties for any damage resulting from non-implementation. The regulations list the following suitable measures: