Telemarketing: the Italian Privacy Authority approves the Code of Conduct

By Order No. 70 of March 9, 2023, the Italian Data Protection Authority approved the Code of Conduct for Telemarketing and Teleselling Activities (hence also referred to as the “Code” or the “Conduct Code”).

The Privacy Authority has assessed that the draft of the Code of Conduct, which was submitted by a number of associations of buyers, call centres, telesellers, list providers and consumer associations, provides sufficient guarantees for the protection of the rights and freedoms of data, as required by Article 40(5) of Regulation (EU) 2016/679 (GDPR).

The drafting of the Code of Conduct thus aims to ensure the legitimacy of data processing throughout the telemarketing “chain” and to combat the phenomenon of aggressive telemarketing and teleselling, as well as practices that violate the laws on the protection of personal data and the individual’s right to privacy.

The Code, therefore, aims to promote the adoption by its members of specific measures aimed to ensure that users are properly informed, that the correct legal basis for processing is adopted and that data subjects’ rights are exercised. It also provides that data controllers (as defined in Article 4(1)(7) of the GDPR), should check their lists with the Public Register of Objections (RPO).before launching a telemarketing or tele-sales campaign.

The Code of Conduct therefore sets out a number of obligations for data controllers, in particular with regard to due diligence in the selection of business partners and the adoption of procedures for the pre-qualification of suppliers, the handling of requests to exercise the rights of data subjects and data breaches, as well as staff training plans at least once a year.

In addition, the Code sets out specific obligations for contactors, including the requirement to register with the Register of Communication Operators (ROC), even if telemarketing or teleselling is not their main business activity.

Those to whom the Code of Conduct is addressed are also required to conduct a privacy impact assessment of the processing of personal data, where necessary or otherwise appropriate, in accordance with Article 35 of the GDPR, to take appropriate technical and organisational measures to limit the risk of a breach of data protection law, and to appoint a Data Protection Officer (DPO), where appropriate, in accordance with Article 37 of the GDPR.

The Code places special emphasis on data processing safeguards by prohibiting the processing of personal data relating to criminal convictions and crimes for advertising purposes, while special categories of data, as defined in Article 9 of the GDPR, may only be processed if collected in the context of specific contractual relationships with the data subjects and subject to their specific consent.

In any case, the Code provides that the data subject must be adequately informed about the processing of his personal data at the beginning and during the telephone call, by means of a simplified information note. In addition the operator shall inform the data subject regarding the extended information note, which shall be provided before the execution of any contract.

In conclusion, the Code of Conduct provides for the establishment of a Monitoring Body (ODM), an independent body in charge of verifying, with complete independence and impartiality that members are complying with the Code of Conduct. The ODM will consist of a maximum of nine members, whose term of office will be five years. It will have the power to settle guidelines for the management and resolution of disputes between members or between members and interested parties and will adopt internal rules of procedure.

The Code of Conduct will become effective after the approval of the Monitoring Body and will enter into force fifteen days after its publication in the Official Journal.

Adhering parties will have to take the necessary measures to implement the Code within six months of its entry into force.