On September 12, 2019, the Italian Supervisory Authority (“Garante”) approved a code of conduct for consumer credit agencies (the “Code”), pursuant to Art. 40 GDPR (see here in Italian).

The Code already existed prior to the GDPR, but it had to be amended to meet the requirements of the GDPR and be approved by the Garante in accordance with the GDPR procedures. The Code was submitted for approval by the Italian associations AISREC, CTC and ASSILEA on March 19, 2019, after a consultation with representatives of the relevant data subjects and the sector.

The Code regulates the processing of personal data of individuals located in Italy. It can be adhered to by entities located in Italy that professionally manage credit information systems (e.g., banks, financial intermediaries and other entities offering credit services).

The Code’s structure follows the requirements of Art. 40(2) of the GDPR.  The Code installs a monitoring body, composed by three members: a representative of the Italian National Consumer and User Council, a person designated unanimously by the entities adhering to the Code and a person appointed by the two other members, who will also serve as president.

The Code provides that the legal basis for processing the personal data contained in credit information systems for credit scoring purposes is the legitimate interest of the credit agencies, hence it is not necessary to obtain consent.  Nevertheless, data subjects must receive a complete and clear information notice – Annex 3 of the Code contains a template notice.  The Code itself does not serve as a legal basis for international transfers.

The Code’s approval is made conditional on the accreditation of the monitoring body by the Garante which, according to the Garante, is not yet possible because of the lack of uniform criteria for accreditation at EU level. Pending the accreditation, Code members shall “carry out the processing operations of personal data in compliance with the rules and principles governed by it as well as any other applicable legislation”.