On September 12, 2019, the Italian Supervisory Authority (“Garante”) approved a code of conduct for consumer credit agencies (the “Code”), pursuant to Art. 40 GDPR (see here in Italian).

The Code already existed prior to the GDPR, but it had to be amended to meet the requirements of the GDPR and be approved by the Garante in accordance with the GDPR procedures. The Code was submitted for approval by the Italian associations AISREC, CTC and ASSILEA on March 19, 2019, after a consultation with representatives of the relevant data subjects and the sector.

The Code regulates the processing of personal data of individuals located in Italy. It can be adhered to by entities located in Italy that professionally manage credit information systems (e.g., banks, financial intermediaries and other entities offering credit services).

The Code’s structure follows the requirements of Art. 40(2) of the GDPR.  The Code installs a monitoring body, composed by three members: a representative of the Italian National Consumer and User Council, a person designated unanimously by the entities adhering to the Code and a person appointed by the two other members, who will also serve as president.

The Code provides that the legal basis for processing the personal data contained in credit information systems for credit scoring purposes is the legitimate interest of the credit agencies, hence it is not necessary to obtain consent.  Nevertheless, data subjects must receive a complete and clear information notice – Annex 3 of the Code contains a template notice.  The Code itself does not serve as a legal basis for international transfers.

The Code’s approval is made conditional on the accreditation of the monitoring body by the Garante which, according to the Garante, is not yet possible because of the lack of uniform criteria for accreditation at EU level. Pending the accreditation, Code members shall “carry out the processing operations of personal data in compliance with the rules and principles governed by it as well as any other applicable legislation”.

Tags: Article 40 GDPR, Code of Conduct, Consumer credit agencies, Credit agencies, Garante, GDPR, Italy, national code of conduct
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Read more about Kristof Van QuathemEmail
Show more Show less
Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

Read more about Anna Oberschelp de MenesesEmail
Show more Show less