Privacy Advisor

ITALY—Customer Care outside the EU, new rules coming from the Italian DPA

November 7, 2013

By Rocco Panetta

Following the growth of the outsourcing of call center services outside the EU, the Italian Data Protection Authority, the Garante, provides its general rules to protect the privacy of Italian citizens.

At the end of a complex investigation, the Garante stressed the rules to be applied to both companies and government agencies, whose customer care or call centers are located outside the EU. The DPA recalls the general rules to be observed for data transfers; i.e., authorization by the Garante, adoption of Binding Corporate Rules, Standard Contractual Clauses, but introduces new important provisions: The data controllers will be obliged to give users specific information, at the time of contact, by specifying the nation from which they call or respond.

Therefore, all the data controllers that intend to transfer the processing of personal data to non-EU member countries will have to notify the Italian DPA, by means of a model that will be made available on the authority’s website. The company having their call centers already operating outside the EU, on the other side, will have to inform the Garante within 30 days of publication of the provision in the Official Gazette.

Rocco Panetta is an Italian lawyer and partner of Panetta & Associati Studio Legale in Rome. He is the former head of legal at the Italian Data Protection Authority and a member of the IAPP Europe Advisory Board.