The Italian Data Protection Authority (the Garante) has introduced new data protection obligations for banks.
Banks subject to Italian data protection law must, among other things, comply with the following:
1. Communication of personal data within a group of banks
Banks may transfer customers’ personal data to other banks of the same group only with the prior consent of the customers concerned, unless one of the data protection exceptions applies (e.g. the communication is necessary to perform an agreement with the data subject).
2. Outsourcers
Outsourcers must be appointed in writing by the bank as external data processors (i.e. entities processing personal data on behalf of the bank). Under Italian law such appointment is made through a letter of appointment setting out all the data protection obligations of the outsourcer.
3. Tracking of operations
Banks must implement adequate IT measures to ensure that the operations carried out by bank employees on the databases are tracked in a log file. Log files relating to inquiry operations (read-only access to customer data) must be kept by the bank for a minimum period of 24 months.
4. Alerts and internal audit
Banks must implement alert systems to detect anomalous or risky inquiry operations carried out by employees appointed as persons in charge of the processing. Furthermore, at least annually the data controller must carry out an internal audit to verify that the security and organizational measures still comply with the applicable law. The internal audit must be carried out by individuals who do not belong to the same group/department in charge of the processing examined in the audit. The audit activities must be documented, and a report must be (i) provided to the management of the bank, (ii) incorporated in the so-called privacy security document (“documento programmatico per la sicurezza”) and (iii) sent to the Garante on request.
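Points 3 and 4 are the only technical obligations on this list: every employee inquiry must leave a log record, those records must be kept for at least 24 months, and an alert system must flag anomalous inquiries. The script below is an added example of what a minimal implementation looks like; it is not code from the original post and does not reproduce the log format or alert criteria of the Garante’s decision. The record layout, the two detection rules (night-time lookups and an operator reading more than 50 distinct customers in a day), the business-hours window and the sample log are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Added example: the log layout, thresholds and sample data below are assumptions
# for illustration only; they are not the format or criteria prescribed by the Garante.

BUSINESS_HOURS = (7, 20)             # assumed: inquiries expected between 07:00 and 19:59
MAX_DISTINCT_CUSTOMERS_PER_DAY = 50  # assumed per-operator daily threshold
RETENTION_MONTHS = 24                # minimum retention for inquiry logs stated in the article


@dataclass(frozen=True)
class InquiryRecord:
    timestamp: datetime
    operator_id: str   # the employee (person in charge of the processing)
    workstation: str
    customer_id: str
    operation: str     # "inquiry" = read-only access to customer data


def parse_log(text: str) -> list[InquiryRecord]:
    """Parse pipe-separated lines: time|operator|workstation|customer|operation."""
    records = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, op, ws, cust, kind = line.split("|")
        records.append(InquiryRecord(datetime.fromisoformat(ts), op, ws, cust, kind))
    return records


def detect_anomalies(records: list[InquiryRecord]) -> list[tuple[str, str, str]]:
    """Return (rule, operator_id, detail) tuples for inquiries that merit an alert."""
    alerts = []
    per_day = defaultdict(set)  # (operator, date) -> distinct customers looked up that day
    start, end = BUSINESS_HOURS
    for r in records:
        if r.operation != "inquiry":
            continue  # only read-only lookups are covered by the inquiry rules here
        if not (start <= r.timestamp.hour < end):
            alerts.append(("off_hours", r.operator_id,
                           f"{r.customer_id} at {r.timestamp.isoformat()} from {r.workstation}"))
        per_day[(r.operator_id, r.timestamp.date())].add(r.customer_id)
    for (op, day), customers in per_day.items():
        if len(customers) > MAX_DISTINCT_CUSTOMERS_PER_DAY:
            alerts.append(("high_volume", op, f"{len(customers)} distinct customers on {day}"))
    return alerts


def retention_deadline(ts: datetime) -> datetime:
    """Earliest moment an inquiry record may be deleted: RETENTION_MONTHS after it was written.

    RETENTION_MONTHS is a whole number of years here, so only the year is shifted.
    """
    year = ts.year + RETENTION_MONTHS // 12
    try:
        return ts.replace(year=year)
    except ValueError:  # 29 February with no leap day in the target year
        return ts.replace(year=year, month=3, day=1)


def must_retain(record: InquiryRecord, now: datetime) -> bool:
    """True while the record is still inside the minimum retention period."""
    return now < retention_deadline(record.timestamp)


# Constructed sample log (not real data): a normal session, one update that is not an
# inquiry, one night-time lookup, and one operator sweeping 60 customer records in a day.
SAMPLE_LOG = "\n".join(
    [
        "2012-11-05T09:14:02|op123|WS-0417|C000100|inquiry",
        "2012-11-05T09:15:30|op123|WS-0417|C000101|inquiry",
        "2012-11-05T09:20:11|op123|WS-0417|C000100|update",
        "2012-11-05T23:41:10|op987|WS-0022|C004500|inquiry",
    ]
    + [f"2012-11-06T{10 + i // 6}:{(i % 6) * 10:02d}:00|op555|WS-0101|C00{5000 + i}|inquiry"
       for i in range(60)]
)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for alert in detect_anomalies(recs):
        print(alert)
    print("first record may be deleted after", retention_deadline(recs[0].timestamp).isoformat())
```

In a real deployment the log would be written by the banking application itself, append-only and outside the reach of the operators being monitored, and the alert rules would be tuned to the bank’s own access patterns; the thresholds above are placeholders.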
5. Data breach
Banks are recommended to notify without delay both the customers concerned and the Data Protection Authority of any accidental or unlawful personal data breach (e.g. data destruction, loss, alteration, unauthorized access or disclosure).
As appears from the above, a number of new obligations have been placed on banks. They are all the more pressing because, under the decision of the Italian Data Protection Authority, the measures under points 2, 3 and 4 must be implemented by 3 December 2012.
Do you want to discuss the above? Do you want more information on the Garante’s decision? Feel free to contact me, Giulio Coraggio.