Guidelines for the Processing of Customers' Data in the Banking Sector - 25 ottobre 2007 
[doc. web n. 1478096]
IL GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
Guidelines for the Processing of Customers' Data in the Banking Sector
25 October 2007 – As published in Italy's Official Journal no. 273 dated 23 November 2007
2. Compliance with Personal Data Protection Principles
2.1. Lawfulness, Relevance, Transparency
2.2. Relevant, Non-Excessive Data: Customer Identifying Information
2.3. Relevant, Non-Excessive Data: Phone-Based Services and Recorded Calls
2.4. Data Quality: Payments Performed via Direct Debiting (RID)
3. Communicating Personal DataData Protection Rules and Banking Secrecy
3.1. Data Protection Rules and Banking Secrecy
3.2. Unauthorised Communication
3.3. Required and/or Authorised Communications
3.4. Communicating Personal Data to the "Centrale d'allarme interbancaria" [Bank Alert System]
3.5. Cheque Clearance
3.6. Communicating Customers' Data and Sale of Banking Offices: Exemption from Information Obligations
a) Meeting the preconditions for the processing of data: Balancing of Interests
b) Exemption from the obligation to provide information notices
c) Appropriate measures
4. Safeguarding the Bank's Interests
5. Exercise of the Rights Set out in Section 7 of the DP Code (Access, Rectification, etc.)
5.1. Access to Data
5.2. Access to One's Personal Data under Section 7 of the DP Code vs. Access to Banking Documents under Section 119 of the Consolidated Banking Statute
5.3. Access to the Data Related to A Deceased Person (Section 9 of the DP Code)
5.4. Access to Personal Data under Section 7 of the DP Code and Bankruptcy Proceedings
1.1. Purpose. These guidelines have been drafted by taking account of the reports, complaints and questions lodged with the Garante as well as of previous decisions made by the Garante; they are subject to review and upgrade and are aimed at providing general guidance on the processing of customers' personal data performed by banks in order to ensure compliance with data protection principles under Italy's data protection Code (decree no. 196 dated 30 June 2003).
1.2. Scope. These guidelines also apply, insofar they are compatible with specific sector-related features, to the corresponding activities carried out by post offices pursuant to the law within the framework of banking and financial services.
2.1. Lawfulness, Relevance, Transparency. Providing they are relevant and not excessive, personal data may only be processed by a bank for lawful purposes – e.g., to fulfil contractual obligations or meet legal requirements – in compliance with all the provisions set out in the legislation in force concerning personal data protection.
In particular, the data protection Code requires the data to be processed:
- only by the persons in charge of the processing (and/or the data processors, where appointed) within the framework of the authority conferred on them;
- in compliance with data minimization and data quality principles as regards data accuracy and updating (sections 3 and 11);
- by informing data subjects appropriately beforehand;
- by only requesting the data subjects' consent if no other precondition for the processing can be fulfilled by having also regard to the nature of the data (sections 23, 24, 26, and 43);
- in compliance with the requirements laid down in the (general) authorisations issued by the Garante as for sensitive or judicial data (sections 26 and 27);
- by taking suitable security measures in order to prevent certain events (in particular, unauthorised accesses and/or use of the data), for which a bank might be regarded as liable under both civil and criminal law (sections 15, 31 et seq., 167, and 169).
2.2. Relevant, Non-Excessive Data: Customer Identifying Information. The principle whereby personal data should be relevant also applies to the processing of information aimed at identifying customers when establishing a contractual relationship and/or performing certain banking operations (e.g., crediting of accounts, performing payments or other operations requested by customers, cashing of bank cheques and/or postal orders).
Customers are usually identified via ID documents, which in some cases are photocopied (this is especially so in respect of customers who do not patronise a bank and/or are unknown to the staff); such identification is an obligation imposed on banks pursuant to several items of legislation, in particular the laws on money laundering and the requirement whereby "banks, Poste Italiane S.p.A., financial brokers, investment companies, unit trusts, savings management companies, and any other financial operators are required – subject to the provisions applying (…) to non-residents – to collect and have at their disposal the identification data (including the Tax ID) of all entities having whatever relationships with them and/or performing whatever operations of a financial nature, whether on their own or on third parties' behalf, except for the operations performed via postal orders where the individual amounts are not in excess of Euro 1,500."
Banks and credit institutions are required to identify their customers also in order to cash cheques; in the latter case they may rely on appropriate items of information (e.g. personal knowledge, or documents already acquired for instance when a customer first applied to the bank) as well as on the customers' personal data as contained in an ID document. They may request customers to produce such document(s), whilst the information may be recorded either on the cheque or on the internal papers related to the specific operation.
There is no need for obtaining the customers' consent in order to perform the above processing operations, whilst it is necessary to inform them (at least once and for all), since the data are processed pursuant to legal requirements and/or to fulfil contractual obligations and/or comply with specific requests made by the customers (section 24(1), letters a. and b.).
2.3. Relevant, Non-Excessive Data: Phone-Based Services and Recorded Calls. A bank may record the contents of the phone calls made with regard to certain orders and instructions by customers, because the recording may be used to provide proof of and defend a judicial claim. This is in line with specific sector-related regulations, in particular those applying to stock exchange orders.
Apart from the specific situations mentioned above, the recording may be also justified on account of concrete requirements such as those related to, for instance, telephone banking services.
In all the cases at issue, the data subject must be informed about the recording in accordance with section 13 of the DP Code either when stipulating the relevant contract or at the onset of the first phone call.
The recordings and such personal data as are related thereto, where stored, are to be secured via measures aimed at preventing them from being accessed, modified or used by unauthorised entities; the contents of conversations, which may be accessed by data subjects in pursuance of section 7 of the DP Code (see 5.1 below), may not be stored for longer than is necessary to achieve the purposes of the recording.
2.4. Data Quality: Payments Performed via Direct Debiting (RID). When carrying out direct debit instructions as requested by their customers, the debtor's/interested party's bank (i.e. the payer's bank) is to check that the processed data are complete and accurate.
Whilst the information required to perform this operation – with particular regard to bank details and the account to be debited – may also be collected from the payer directly by the payee (e.g. by a service provider) and sent thereafter to the payer's bank via the payee's bank, errors or omissions might take place at this stage.
Therefore, it is necessary that appropriate controls are carried out beforehand by the payer's bank and/or in co-operation with the creditor if the forwarded data are found to be mismatched or inaccurate; where necessary, the customer should be contacted before the direct debit instruction is performed in order to ensure that the data are accurate and prevent debiting an account that is not the one specified by the payer.
3.1. Data Protection Rules and Banking Secrecy. Communicating a customer's personal data to third parties is allowed either with the customer's consent (section 23 of the DP Code) or if any of the conditions for processing the data without consent are fulfilled (section 24 of the DP Code).
Except where the data are communicated because this is instrumental to the activities requested and/or the services provided – in which case the data subjects' consent is unnecessary under section 24(1)b. of the DP Code – banks and the staff in charge of performing banking operations must keep confidential all the data at issue.
3.2. Unauthorised Communication. Communicating data to third parties without authorisation – which can have serious consequences also in terms of civil and criminal liability under sections 15 and 167 of the DP Code – may result from a number of reasons. Taking account of the reports and complaints lodged with the Garante, this may occur for instance in the following cases:
- because no measures have been deployed to prevent third parties from getting apprised of personal information, including appropriate waiting lines in the areas intended for the performance of banking operations;
- because the instructions given to the persons in charge of the processing have not been complied with, for instance because phone calls or interviews have been conducted in an inappropriately loud voice in the presence of third parties;
- because banking information has been communicated to third parties that had not been authorised by the data subject to carry out operations on their behalf or else be informed about their contractual relationship with the bank. This may concern for instance the following entities:
- a spouse to whom bank documents are delivered without his/her being concerned by the documents in question;
- family members who may receive phone calls intended for a given customer, thereby becoming apprised of information they are not entitled to know;
- professionals and/or other entities having contacts with the data subject on account of employment relationships;
- third parties receiving written communications containing bank information (e.g. statements of accounts) by mistake, e.g. because of mailing and/or enveloping errors;
- because banking information has been communicated to unauthorised addresses, so that third parties have been able to become apprised of information related to the data subject (e.g. in case of facsimile communications);
- more generally, on account of the failure to comply with security measures.
3.3. Required and/or Authorised Communications. In many cases it is permitted to communicate customer data without infringing the relevant data protection provisions; in fact, certain communications are mandatory under the law. Reference can be made for instance to the following:
- communications of personal data in pursuance of anti-money laundering legislation. In this connection, it should be pointed out that the bank may be required to process not only information related to individual banking operations, but also a wider gamut of personal data insofar they are necessary to detect abnormal/unusual operations by having regard to the individual customer;
- communications for the purpose of countering terrorism by financial means and/or the marketing of child pornography items, which at present must be addressed to Ufficio Italiano dei Cambi (Italian Foreign Exchange Office);
- communications of personal data to detect and counter taxation offences insofar they are provided for by the law. This may include specific circumstances such as those mentioned:
- in the final portion of the said section 7(6) of Presidential decree no. 605/1973, whereby "the existence and nature of such relationships are communicated to the taxation register and stored in an ad-hoc section including the holders' identification data and the respective tax IDs";
- in section 32(7) of Presidential decree no. 600/1973 setting out the common rules for calculating the income tax;
- in the legislation applying to communications intended for the so-called "register of current and deposit accounts";
- communications of information to the credit bureau managed by Banca d'Italia, the centralised service for detecting low-level risks (CRIC), and the Inter-bank alert system in pursuance of the relevant legislation (see also 3.4 below);
- communications to judicial authorities in pursuance of the law and/or to creditors in connection with enforcement proceedings (in compliance with the legislation in force regulating garnishment: section 543 et seq. of the Civil procedure code as amended by Act no. 52/2006);
- communications performed following requests for access to bank documents in pursuance of section 119 of the consolidated banking Act (385/1993; see 5.2 below).
Additionally, the "negative" personal information required to carry out processing operations in pursuance of the "Code of practice applying to information systems managed by private entities in respect of consumer credit, creditworthiness and timeliness in payments" may be communicated to the managers of "private" credit reference agencies (aka credit information systems in Italy) in accordance with the Garante's resolution no. 9 dated 16 November 2004 – providing the required advance notice is given (article 4(7) of the said Code of practice).
Finally, it is lawful to communicate certain personal information concerning the obligee (debtor) to the obligor (surety) insofar as that information is relevant to the suretyship agreement in place.
3.4. Communicating Personal Data to the "Centrale d'allarme interbancaria" [Bank Alert System]. A legislative decree (no. 507/1999) provided for setting up a computerised register of bank cheques and postal orders as well as of debit cards (Bank Alert System, BAS); this register is regulated more specifically by other pieces of legislation.
Based on the cases addressed by the Garante, it appears that the entities reporting information to the BAS should take special care in establishing whether the personal data at issue are accurate and complete, in particular with a view to preventing inclusion in the BAS of data related to identity theft victims; at all events, the data should be rectified and/or deleted timely, also following exercise of the data subjects' rights of access. The same applies to the individuals correctly reporting theft and/or loss of cheques, who at times are the subject of alerts entered because those cheques have been used unlawfully (e.g. in the case of bounced cheques, or cheques issued without authorisation, etc.)
The entities entering alerts in the BAS should process the data lawfully, i.e. in compliance with the sector-specific legislation applying to the register, as well as fairly (pursuant to section 11(1).a of the DP Code).
It should be pointed out that alerts may also be entered lawfully if a cheque is "withdrawn" by the negotiating bank, since the offence is committed at the time the cheque is issued if the cheque was issued without authorisation, whilst it is committed at the time the cheque is presented for payment in the case of cheque bouncing.
As regards bounced cheques, it should be recalled that no alerts may be entered in the BAS if the debtor timely complies with the requirements listed in section 8 of the relevant Act (386/1990). Additionally, an alert concerning the drawer/maker may not be entered if the bank preferring the information failed to send out a withdrawal notice beforehand, given that an alert may only be entered after at least ten days from the receipt of the said notice.
3.5. Cheque Clearance. Cheque clearance practices consist in communications between banks that there are sufficient funds available to debit the amount of a cheque to the drawer's account. The relevant information may be provided by banks in compliance with the general principles applying under the DP law to processing operations performed by banks as well as in pursuance of the information notices made available to customers – which should refer to this type of communication.
Still, there are some safeguards to be implemented. In particular, the information in question may only be provided to the entities authorised to handle negotiation and/or cashing-in of the cheques; additionally, the information provided by a bank following such requests must be accurate, updated and not excessive by having regard to the specific purpose - i.e. providing information on whether the drawer's account holds enough money to honour the cheque.
3.6. Communicating Customers' Data and Sale of Banking Offices: Exemption from Information Obligations. Specific consideration should be given to data communication and the provision of information notices in connection with the sale of banking offices – which usually entails transfer of the whole portfolio of assets and liabilities as well as of all the existing contractual relationships to the assignee bank.
The circumstances in question (see below) are such as to justify an exemption from the obligation for the assignee bank to provide information notices to the customers concerned; therefore, the bank may avail itself of simpler arrangements to inform customers on the processing of personal data related to the sale of certain banking offices:
a. Meeting the preconditions for the processing of data: Balancing of Interests. The sale of banking offices actually results into the communication of personal data – relating, e.g., to customers, suppliers and/or the bank employees – by the assignor bank to the assignee bank, which entails the application of DP Code provisions.
The assignor bank (which is the data controller) does not obtain, as a rule, the data subjects' consent; therefore, it is necessary to establish what other precondition may be relied upon with a view to communicating the data in question.
The sale of banking offices is regulated by a specific section (58) in the Consolidated Banking Statute, and this is to be taken into account in order to clarify data protection issues.
The said piece of legislation provides for facilitating this type of bulk transfer to reduce the attending costs and safeguard the legitimate interests of the entities concerned by the transfer.
The facilitated mechanisms envisaged by the law in respect of the bulk transfer of banking offices cannot but impact on the arrangements applying to the communication of the personal data related to such transfer. In the light of the specific provisions contained in the Consolidated Banking Statute and by having regard to the nature of the data at issue (mostly personal identification data and/or economic transactions), the rights and legitimate interests vested in the individuals whose data are transferred in accordance with the mechanisms described above cannot be considered to override the assignor bank's legitimate interest in communicating the data in question – partly because the purposes for which the data being transferred are intended do not change.
This means that the condition mentioned in section 24(1)g. of the DP Code is fulfilled, whereby the communication of personal data arising out of the transfer (or sale) of banking offices is lawful for the purposes related to the said transfer (or sale) also without the data subjects' consent – except for sensitive data.
b. Exemption from the obligation to provide information notices. The assignee bank is required to inform customers about the processing of their data at the time of recording those data – on account of its having collected the data in question from a third party, i.e. the assignor bank (see section 13(4) of the DP Code).
However, providing information to the individual customers in pursuance of the timeframe envisaged in the DP Code might prove impossible and anyhow requires clearly disproportionate costs and processing resources compared to the right to be protected – partly because of the high number of data subjects to be contacted in a limited time span.
Based on the above considerations, the Garante finds hereby that the efforts required to provide information notices to the individual data subjects concerned by the sale of banking offices is disproportionate compared to the interest safeguarded by the provisions laid down in section 13(4) of the DP Code.
Therefore, the information in question may be provided in accordance with the [simplified] arrangements set out in section 58 of the Consolidated Banking Statute.
c. Appropriate measures. Nevertheless, it is necessary to ensure that data subjects are informed adequately. This means that appropriate measures will have to be taken by any banks selling their banking offices.
To that end, it will be necessary to publish an information notice including the items mentioned in section 13(1) and (2) of the DP Code in the Official Journal of the Italian Republic, jointly with the publication of the notice that is provided for in section 58 of the Consolidated Banking Statute.
Pursuant to the simplification principle laid down in section 2 of the DP Code, data controllers are not required to lodge a request with the Garante for being exempted from the obligation to provide information. Nevertheless, to afford the highest standard of protection to data subjects as per section 2 above, it will be necessary to take the additional measure described hereinafter: the assignor bank will have to provide data subjects with the items of information mentioned in section 13(1) and (2) of the DP Code on the first available occasion after the bulk transfer/sale has taken place – e.g., when sending the monthly bank statement. This is aimed at raising awareness among customers that their data were collected by the assignee bank from third parties.
A bank may use information related to its relationships with customers in order to defend and/or establish a judicial claim involving such customers; the confidentiality obligations undertaken by a bank in connection with its services do not hinder this type of processing, as the obligations in question should not turn into so tight a constraint as to affect the bank's legitimate interests and limit her rights of defence (see section 24(1)f. of the DP Code).
Indeed, customers may not expect the bank to behave in such a manner as to jeopardise the bank's legal interests and rights of defence.
However, only such data as are relevant in order to establish or defend the bank's claim may be used in a judicial proceeding. This means that, for instance, it is unnecessary to produce whole bank statements containing personal data (relating e.g. to third parties) that are irrelevant for the purpose of defending the claim in question.
5.1. Access to Data. Under section 7 of the DP Code, the bank (being the data controller) is required to comply as appropriate with the access requests lodged by data subjects with regard to their personal data.
This includes any personal information related to the bank transactions carried out by the data subjects and/or the recorded phone calls concerning orders issued by them as well as any personal information that is collected by a bank in performing investment orders issued by customers whenever such information can disclose the customers' objectives and risk propensity.
A request for access lodged under sections 7 and 8 of the DP Code entails the obligation for the bank to extract the requested personal data as related to the specific data subject from its own databases and documents, and to communicate those data intelligibly in accordance with section 10 of the DP Code. If necessary, the criteria and standards required to understand the meaning and import of the codes associated with the information concerning a given data subject will have to be also disclosed (see section 10(6) of the DP Code).
If extracting the data at issue proves especially difficult, a bank may comply with the data subject's request by "showing and/or providing a copy of instruments and documents containing the requested personal data" (section 10(4) of the DP code); however, there is no obligation under the law for a data controller to show and/or provide a copy of every single document containing the data subject's personal data.
The right to obtain an intelligible communication of one's personal data does not apply to the personal data related to third parties, which accordingly must be blanked if a copy of the documents containing such data is provided.
The rights set out in section 7 of the DP Code may be exercised free of charge, subject to the provisions of section 10(7) and (8) – whereby the data subject may be charged a fee if "an especially considerable effort is required on account of the complexity and/or scope of the request".
5.2. Access to One's Personal Data under Section 7 of the DP Code vs. Access to Banking Documents under Section 119 of the Consolidated Banking Statute. A distinction should be drawn between the right to access one's personal data under section 7 of the DP code and the right to access banking documents under section 119 of the Consolidated Banking Statute.
Unlike section 7 of the DP Code, the CBS grants every customer, the customer's assigns and/or anyone managing the customer's estate the right to obtain a copy of banking documents and instruments regardless of whether they contain personal data related to the data subject.
The right in question envisages no restrictions on the disclosure of the information contained in the requested documents – including personal data relating to third parties – nor is even a partial blanking of that information provided for. Customers are charged a fee for the exercise of this right.
5.3. Access to the Data Related to A Deceased Person (Section 9 of the DP Code). Under Italy's DP legislation, the right to access the data related to a deceased person may be exercised "by anyone with a vested interest therein, or else acting to protect the data subject, or else on account of family-related reasons deserving to be upheld." (section 9(3) of the DP Code) Therefore, any entity fulfilling any of the above conditions is entitled to exercise the access right to personal data related to a deceased person – including banking and financial information.
This means that a bank is required to provide intelligible information to the entities mentioned in section 9(3) of the DP Code on a deceased person's assets, bank transactions, bearer deposits (including accounts closed by third parties after the person passed away), the date on which closure of an account was ordered and/or the date on which the balance of the relevant account was transferred to another account.
Conversely, any information that is personal data related to third parties (not to the data subject) may not be disclosed (see sections 7 and 9(3) of the DP Code). For instance, it is not allowed to communicate the name of the payee of the balance of the deceased person's account because this information does not relate to the deceased customer, but to a third party – of course, this does not apply if the account was held jointly by the applicant for access and the deceased person. By the same token, it is not permitted to grant a request for access to the personal data relating to a deceased person if the request is aimed at becoming apprised specifically of the name of the person the deceased had entrusted with performing certain banking transactions.
5.4. Access to Personal Data under Section 7 of the DP Code and Bankruptcy Proceedings. The right of access under section 7 of the DP Code may be exercised by a bankrupt where the latter has been disqualified – on account of the bankruptcy declaration – from managing his/her estate. Management of the bankrupt's estate as committed to the receiver does not include personal rights, which may be exercised without the receiver's authorisation and/or interposition.