Luca Davini
Avvocato in Milan and Turin

Developed by the Italian National Association of Commercial Information and Credit Management Companies (ANCIC), the Code of Conduct on Commercial Information is the first to be adopted in the private sphere under the General Data Protection Regulation (GDPR).

The Code thus outlined will be applied on the Italian territory and will concern the commercial information service, that is “the execution of research activities, collection, registration, organization, analysis, evaluation, processing and communication of information from public sources generally accessible by anyone, or otherwise provided directly by the interested party, suitable for providing additional knowledge to third party clients“(Article 2, letter d of the Code).

Drafted in 2019 and recently approved by the Privacy Authority, this Code represents an effective method of accountability of companies, as it allows to demonstrate the compliance of data processing with the provisions and principles of the GDPR.

With the Code, in fact, all companies that provide information on the commercial reliability of entrepreneurs and managers will be able to process the personal data of the interested parties without their necessary consent, but always having regard to the guarantee of sufficient protection of these subjects and their personal data.

In other words, in providing commercial information, the company may lawfully process the personal data of the interested parties, without prior consent, on the basis of the legitimate interest of the suppliers providing the commercial information services, or of the customers who request them, or the common interest in the fairness of commercial transactions and the proper functioning of the market.

However, by virtue of the absence of explicit consent from the interested party, the Code provides for the necessary adoption of a specific, explicit and clear information in order to better protect the interested party.

The objective is, on the one hand, to allow operators in the sector to operate more easily (not requiring the express consent of the interested party each time) and, on the other, to equally protect the interested party, by guaranteeing the knowledge about personal data that are processed, the purpose of this processing and the categories of data processed, as well as ensuring the right to rectify, delete or limit the data processed.

Another relevant element concerns the provision of a monitoring body, that is an intermediate subject between ANCIC and the Privacy Authority, assigned to a supervisory function on the subjects adhering to the Code and verifying compliance with the relative provisions.

If properly used, the self-regulation code thus developed will therefore guarantee certainty and transparency in commercial relations, as well as adequate knowledge and circulation of commercial and economic information, also marking a step forward as regards the protection of the processing of personal data.

#personaldataprotection #commercialinformation #personaldataprocessing #commercialinformationprocessing #Privacycode #GeneralDataProtectionRegulation #GDPR #commercialinformationCode #PrivacyAuthority #monitoringboby #privacyprotection #GDPRcompliance