CODE OF CONDUCT AND PROFESSIONAL PRACTICE APPLYING TO
INFORMATION SYSTEMS MANAGED BY PRIVATE ENTITIES WITH REGARD TO
CONSUMER CREDIT, RELIABILITY, AND TIMELINESS OF PAYMENTS
Preamble
We, the undersigned private entities, adopt
this Code of conduct and professional practice on the assumption
that:
1) processing of personal data within the
framework of information systems controlled by private entities
that are used for the purposes of consumer credit and/or concern
reliability and timeliness of payments shall have to be
performed by respecting data subjects' rights, fundamental
freedoms, and dignity, with particular regard to the right to
personal data protection, confidentiality, and personal identity;
2) this code sets forth adequate safeguards
and processing mechanisms to protect data subjects' rights,
which shall have to be abided by for the purposes of protecting
credit and limiting the relevant risks in order to also
facilitate access to consumer credit and reduce the risk of
excess indebtedness by data subjects;
3) adoption of this code is encouraged by the
Garante per la protezione dei dati personali within the
framework of representative associations for the relevant
industry sector in pursuance of Sections 12 and 117 of the
Personal Data Protection Code (legislative decree no. 196/2003
of June 30, 2003);
4) whoever uses personal data for the
aforementioned purposes shall have to abide by the rules of
conduct set out herein as a fundamental prerequisite for the
processing to be lawful and fair;
5) industry operators are also required to
comply with the safeguards set out in the data protection Code,
with particular regard to obtaining consent and other lawfulness
preconditions;
6) this code does not apply to the
information systems controlled by public bodies, in particular
it does not apply to the centralised risk service managed by
Banca d'Italia (as per Sections 13, 53(1), letter b), 60(1), 64,
67(1), letter b), 106, 107, 144, and 145 of legislative decree
no. 385 of September 1, 1993, being the Consolidated Statute on
Banking and Credit; the CICR's resolution of March 29, 1994; the
Banca d'Italia's provision of August 10, 1995; and the Banca d'Italia's
circular letter of February 11, 1991 as subsequently updated).
The centralised system for low-level risk assessment set up
under CICR's resolution of May 3, 1999 as published in the
Official Journal no. 158 of July 8, 1999 shall be regulated by
some principles set forth herein concerning the provision of
information to data subjects and exercise of data subjects'
rights insofar as they are compatible with the specifically
applicable provisions (see, in particular, Banca d'Italia
instructions as published in the Official Journal no. 272 of
November 21, 2000).
Article 1.
Definitions
1. For the purposes of this code of conduct and
professional practice, the definitions listed in the Personal
Data Protection Code (hereinafter referred to as the "Code")
shall apply (see Section 4 of legislative decree no. 196/2003).
For the same purposes, moreover,
a) "credit application/relationship"
shall mean any application or relationship concerning the
granting of credit in the exercise of commercial and/or
professional activities, in the form of a payment extension,
a loan, or any other similar financial support as per the
Consolidated Statute on Banking and Credit (legislative
decree no. 385 of September 1, 1995);
b) "remedying of defaults" shall mean to
extinguish the defaults on money obligations due either to
defaults on payments or payment delays without losses and/or
balance receivables also in the form of interests and
charges, as well as to extinguish said obligations by means
other than the relevant performance, in particular following
settlement and/or composition;
c) "credit information system" shall mean
any database concerning credit applications/relationships
that is managed in a centralised fashion by a legal person,
an organisation, an association and/or another private body
and can only be accessed by the entities communicating the
information recorded therein and participating in the
relevant information system. The system may contain, in
particular,
- negative credit information, only concerning credit
relationships affected by defaults;
- positive and negative credit information concerning
credit applications/relationships irrespective of
the existence of defaults as recorded in the system
at the time they occurred;
d) "manager" shall mean any private
entity acting as controller of the processing of the
personal data recorded in a credit information system and
managing said system by setting out the mechanisms applying
to its operation and use;
e) "participant" shall mean any private
entity that acts as a controller of the processing of the
personal data that are collected in connection with credit
applications/relationships, participates in the relevant
credit information system based on an agreement and/or
contract with the manager, and can use the data contained in
the system, being under the obligation to notify the manager
systematically of said personal data as related to credit
applications/relationships within the framework of mutual
data exchanges with other participants. Except for the
entities providing credit-factoring services, a participant
may be
- a bank,
- a financial broker,
- any other private entity that, in the exercise of
commercial and/or professional activities, grants an
extension for the payment related to the supply of
goods and/or services;
f) "consumer" shall mean a natural person
who, in connection with a credit application/relationship,
acts for purposes that cannot be related to his/her
professional and/or business activity, if any;
g) "data retention period" shall mean the
period during which the personal data related to credit
applications/relationships are retained in a credit
information system and can be used by participants for the
purposes referred to in this code;
h) "automated credit scoring techniques
and/or systems" shall mean the mechanisms to organise,
aggregate, compare and/or process personal data related to
credit applications/relationships as consisting in the use
of automated systems based on statistical methods or models
with a view to assessing credit risk, whose results are
expressed in the form of summary judgments, figures and/or a
score that is/are associated with a given data subject and
aim at providing the predictive and/or probability-based
description of said data subject's risk profile, reliability
and/or timeliness of payment.
Article 2.
Purposes of the Processing
1. The personal data contained in a credit
information system may only be processed by the manager and
participants for the purpose of protecting credit and limiting
the relevant risks, and in particular, to assess data subjects'
financial status and creditworthiness or anyhow their
reliability and timeliness of payment.
2. No other purposes may be pursued,
especially in connection with market surveys and/or the
promotion, advertising and/or direct selling of products or
services.
Article 3. Data
Quality and Categories
1. Processing within the framework of a credit
information system may only concern data related to the entity
that either applies for or is a party to a credit relationship
with a participant as well as the data related to any surety,
including a joint surety, whose position is clearly separate
from that of the principal debtor.
2. Processing may not concern sensitive or
judicial data, and shall concern objective personal data that
are closely relevant and not excessive in respect of the
purposes sought and relate to a credit application/relationship
as well as to any event occurring on whatever ground and for
whatever purpose until remedying of the relevant defaults in
compliance with the retention periods set out in Article 6.
3. The following data categories may be
processed in connection with each credit
application/relationship reported to a credit information
system, and said categories shall have to be specified by the
manager in a list that is to be made easily available on the
manager's own website on the communications network as well as
being communicated in detail to any data subject that so
requests:
a) census register data, taxation ID,
and/or VAT register number;
b) data related to the credit
application/relationship concerning, in particular, the type
of contract, the amount of credit, the repayment mechanisms,
and the status of the application and/or contract
performance;
c) accounting data related to payments,
time pattern of payments, indebtedness including residual
debt, and condensed information on accounting status of the
given relationship;
d) data related to credit factoring
and/or litigations, assignment of credit, and/or exceptional
events affecting assets and liabilities and/or status of
corporations, legal persons and/or other entities.
4. Any and all codes and criteria used to
record the data in a credit information system and to facilitate
their processing shall only be aimed at providing the objective,
accurate representation of said data as well as of any events
occurring in connection with the relevant credit relationship.
The aforementioned criteria and codes shall be used in
conjunction with detailed information as to their meaning, to be
provided by the manager, complied with by participants, and made
easily available by both, also at the data subjects' request.
5. The identification data concerning the
participant that has communicated the personal data related to a
credit application/relationship shall be recorded in the credit
information system. Said identification data shall be accessible
to both the manager and the data subjects, whilst they may not
be accessed by other participants.
Article 4. Data
Collection and Recording
1. Subject to the provisions made in paragraph 5, a
manager shall acquire the personal data to be recorded in the
credit information system exclusively from participants.
2. Each participant shall take appropriate
measures to verify and ensure that the data communicated to the
manager may be lawfully used in the system and are accurate and
fair.
3. Upon receiving the data, the manager shall
verify their congruence by means of logic and formal controls;
if the data are found to be incomplete and/or incongruous, the
manager shall send them back to the participant that has
communicated them for the necessary amendments and/or additions
to be made. After performing said controls and such amendments
or additions as may be necessary, the data shall be recorded in
the credit information system and made available to all
participants.
4. Each participant shall carefully verify
the data it processes and comply promptly with any verification
requests made by a manager, also following exercise of a right
by data subjects.
5. Any data recorded in a credit information
system shall be deleted, supplemented and/or amended either
directly by the participant that has communicated said data,
where this is technically feasible, or by the manager at the
request of or else in agreement with the relevant participant,
also following exercise of a right by data subjects, or in
pursuance of an order issued by judicial authorities and/or the
Garante.
6. The data related to the first payment
delay in a credit relationship shall be used and made available
to other participants in compliance with the terms below:
a) in negative credit information
systems, after at least one hundred and twenty days as of
the relevant payment deadline, or in case the debtor
defaulted on at least four monthly instalments and these
were not remedied;
b) in positive and negative credit
information systems,
- if the data subject is a consumer, after sixty days
of the monthly update referred to in paragraph 8, or
in case he/she defaulted on at least two consecutive
monthly instalments, or if the delay has to do with
either the last or the last but one instalment. In
the second case referred to above, the data shall be
made available after the monthly update concerning
the second consecutive default;
- in all other cases, after at least thirty days
following the monthly update referred to in
paragraph 8, or in case the debtor defaults on one
instalment.
7. In case of payment delays, the participant
shall inform the data subject, also at the time reminders or
other notices are sent, that his/her data will be shortly
recorded in one or more credit information systems. The data
concerning the first delay as per paragraph 6 may be made
available to participants after at least fifteen days as of
sending the aforementioned information to the data subject.
8. Subject to the provisions made in
paragraph 6, the data recorded in a credit information system
shall be updated regularly at monthly intervals by the
participant that has communicated them.
Article 5. Information Notice
1. At the time of collecting the personal data
related to credit applications/relationships, a participant
shall inform the data subject pursuant to Section 13 of the Code
also with regard to the processing of personal data that is
performed within the framework of a credit information system.
2. The information referred to in paragraph 1
shall include clear-cut, accurate details concerning, within the
framework of the description of the purposes and mechanisms of
the processing as well as of the other elements referred to in
Section 13 of the Code,
a) identification data concerning both
the credit information systems the personal data are
communicated to and the respective managers;
b) the categories of participant accessing said systems;
c) the data retention periods in the
credit information systems such data are communicated to;
d) arrangements applying to organisation,
comparison and processing of the data and the use, if any,
of automated credit scoring techniques and/or systems;
e) mechanisms for data subjects to
exercise the rights referred to in Section 7 of the Code.
3. The information referred to in paragraph 2
shall be provided to data subjects in writing according to the
model notice that is attached to the decision whereby compliance
of this code with the law is certified. If the information
notice is included in a form used by the participant, it shall
be appropriately highlighted and placed as a separate, unified
item within sections and/or boxes other than those related to
different purposes of the processing carried out by said
participant.
4. The information to be provided on account
of updates and/or changes concerning the data pursuant to
paragraph 2 shall be made available via regular communications
as well as on one or more Internet web sites and/or if a data
subject so requests, also with regard to changes in the
manager's registered office and/or name.
5. More detailed information shall be
provided by the manager via additional dissemination mechanisms,
including the use of electronic networks, to supplement the
information notice provided by participants to the individual
data subjects.
6. If the credit application is not granted,
the participant shall inform the data subject as to whether it
has consulted personal data related to negative credit
information in one or more systems with a view to dealing with
the credit application, and it shall provide said data subject
with the details required to identify both the system used as
the source of the information and the respective manager.
7. The participant shall provide the data
subject with the additional information referred to in Articles
9(1), letter d), and 10(1), letter c).
Article 6. Data Retention and
Updating
1. The personal data related to credit applications
as communicated by participants may be retained in a credit
information system for as long as necessary in order to deal
with said applications and at all events for no longer than one
hundred and eighty days as of the date of submission of the
aforementioned applications. If the credit application is not
granted, or if it is waived, the participant shall inform the
manager thereof in connection with the monthly update referred
to in Article 4(8). In the latter case, the personal data
related to the application that has been waived by the data
subject and/or rejected may be retained in the system for no
longer than thirty days as of their update.
2. Negative credit information related to
payment delays that are subsequently remedied may be retained in
a credit information system
a) for up to twelve months as of the
recording of the data concerning remedying of delays not in
excess of two instalments/two months; or
b) for up to twenty-four months as of the
recording of the data concerning remedying of delays in
excess of two instalments/two months.
3. Upon expiry of the terms referred to in
paragraph 2, the data shall be removed from the credit
information system if no data concerning further delays and/or
defaults is recorded during said terms.
4. Participant and manager shall promptly
update the data concerning remedying of defaults of which they
are aware, where such remedying takes place after the
participant's assignment of its credit to an entity that does
not participate in the relevant system, also if the data subject
so requests by submitting either a statement rendered by the
credit assignee or any other suitable instrument.
5. Negative credit information related to
defaults that are not subsequently remedied may be retained in a
credit information system for no longer than thirty-six months
as of the expiry of the relevant contractual agreement; if other
events occur that are material to the payment, said information
may be retained for no longer than thirty-six months as of the
date on which the information had last to be updated or the
relevant relationship was terminated.
6. Positive credit information related to a
relationship that was concluded by extinguishing all monetary
obligations may be retained in a system for no longer than
twenty-four months as of the date of termination and/or expiry
of the relevant contractual agreement, or else as of the first
update performed in the month following the aforementioned
dates. In light of the requirement whereby the data should be
complete in respect of the purposes to be achieved (see Section
11(1), letter d), of the Code), the aforementioned positive
credit information may be retained further in the system if the
latter contains negative credit information related to delays
and/or defaults that have not been remedied with regard to other
credit relationships concerning the same data subject. In the
latter case, the positive credit information shall be removed
from the system upon expiry of the term set out in paragraph 5
as to retention of the negative information recorded in the
system in respect of any other credit relationships concerning
said data subject.
7. If the consumer concerned notifies a
participant that he/she is withdrawing his/her consent to the
processing of positive information within the framework of a
credit information system, the participant shall inform the
manager thereof in connection with the monthly update referred
to in Article 4(8). In the latter case as well as in case
withdrawal of consent is communicated directly by a data
subject, the manager shall record this news in the system and
remove the information by no later than ninety days as of said
update and/or communication.
8. Prior to removing the data from a credit
information system in accordance with the specifications set out
in the above paragraphs, a manager may transfer the data to
another medium in order to retain them exclusively for as long
as necessary with a view to defending a legal claim, or else in
order to process the data in anonymous format for statistical
purposes.
9. The provisions of this Article shall not
apply to retention by a participant, for internal use, of
contractual and/or accounting records containing the personal
data related to a credit application/relationship.
Article 7. Use of Data
1. A participant may access a credit information
system also by consulting a copy of the respective database with
regard to data that fall justifiably within its scope of
interest and may only concern:
a) consumers that apply for and/or are
parties to a credit relationship with said participant as
well as any surety, including joint sureties,
b) entities acting in the context of
their business and/or professional activities, in respect of
which investigations have been started in order to set up a
credit relationship or undertake a credit risk, as well as
entities that are already parties to a credit relationship
with said participant,
c) entities that are legally related to
those referred to in letter b) above, in particular because
they act as joint sureties or else belong to corporate
groups, providing the personal data to be accessed by the
participant are factually necessary in order to assess
financial status and creditworthiness of the entities
referred to in said letter b).
2. A credit information system may be
accessed by a participant and/or a manager exclusively via a
limited number of data processors and persons in charge of the
processing, to be specified in writing, as well as by having
regard only to such data as are absolutely necessary, relevant
and not excessive in respect of the purposes set out in Article
2, in connection with the specific requirements resulting either
from the investigations performed following a credit application
or from the management of a credit relationship, which must be
verifiable in concrete on the basis of the information available
to said participant(s). The system may also be accessed by banks
and financial brokers that are members of the participant's
banking group in compliance with the aforementioned limitations
and mechanisms, exclusively with a view to dealing with the
investigations required either to set up a credit relationship
with the relevant data subject or anyhow to undertake the
relevant risk.
3. Participants shall access the credit
information system via the mechanisms and tools, including
electronic tools, that have been set out in writing jointly with
the manager in compliance with personal data protection
legislation. The personal data related to credit applications/relationships
recorded in a credit information system may be consulted via
stepwise, selective access mechanisms that shall envisage one or
more consultation levels providing summary and/or condensed
information in respect of the data subject prior to allowing
access to detailed information, which shall also apply to the
data concerning sureties and/or related entities as per
paragraph 1. It shall not be feasible, also from a technical
standpoint, to access the data in a manner allowing bulk queries
and/or acquisition of lists of data regarding credit
applications/relationships in respect of entities other than
those applying for and/or participating in a credit relationship
with the relevant participant.
4. Furthermore, it shall not be allowed for
third parties to access a credit information system except for
the requests made by judicial and police authorities for
purposes of justice, or else by other public institutions,
authorities, administrative agencies and bodies exclusively in
the cases referred to in laws, regulations and/or Community
legislation as well as in compliance with the relevant
provisions.
Article 8. Access and Exercise
of Other Rights by Data Subjects
1. With regard to the personal data recorded in a
credit information system, data subjects shall be entitled to
exercise their rights in accordance with the mechanisms set out
in the Code both in respect of the manager and in respect of the
participants that have communicated said data. The latter
entities shall be responsible for dealing promptly and in full
with the relevant requests, also by taking suitable
organisational and technical measures.
2. In the request made to exercise his/her
rights, a data subject shall also specify, if possible, his/her
taxation ID and/or VAT Register number in order to facilitate
searching the data concerning him/her in the credit information
system.
3. Any third party that is empowered by the
data subject in writing to act as an attorney or delegated
entity in order to exercise the relevant rights may only process
the personal data acquired from a credit information system for
the purpose of protecting the data subject's rights, any other
purpose sought by said third party and/or entities related to
the latter being ruled out.
4. Any participant receiving a request
whereby any of the rights referred to in Section 7 of the Code
is exercised in respect of the credit information recorded in a
system shall answer directly under the terms set out in Section
146(2) and (3) of the Code and shall have the data amended as
required in pursuance of Article 4(5). If the request is lodged
with the manager, the latter shall also answer directly under
the same terms and consult with the participant if necessary.
5. Where it is necessary to carry out
additional and/or specific controls with the participant, the
manager shall inform the data subject thereof within the
fifteen-day term provided for in the Code and set another term
for the relevant answer, which may not be in excess of fifteen
additional days. During the period required to carry out the
additional controls with the participant, the manager:
a) shall keep track of the performance of
the aforementioned controls in the credit information system
throughout the initial fifteen-day term, by means of a
specific code and/or an ad-hoc message to be posted with the
data that are the subject of the request made by the data
subject, and
b) shall suspend display of the data that
are being controlled in the credit information system
throughout the additional fifteen-day term.
6. If the request referred to in paragraph 4
concerns a complaint for non-performance against the
seller/provider of the goods or services that are the subject of
the contract underlying the credit relationship, the manager
shall promptly record a notice to that effect in the credit
information system at the request of either the data subject or
the participant, or else by informing the latter, via a specific
code to be posted with the data related to the credit
relationship in question.
Article 9. Use of Automated
Credit Scoring Techniques and Systems
1. Where the personal data contained in a credit
information system are also processed by means of automated
credit scoring techniques and systems, the manager and
participants shall be responsible for ensuring compliance with
the following principles:
a) the techniques or systems made
available by the manager, or else implemented on the
participants' behalf, may only be used for investigating a
credit application and/or managing the credit relationships
already set up;
b) the data concerning judgments, markers
and/or scoring associated with a given data subject shall be
processed and communicated by the manager only to the
participant that either has received the relevant credit
application from the data subject or previously communicated
data related to the relevant credit application; at all
events, the data may not be retained in the credit
information system pursuant to Article 6 of this code, nor
may they be made available to the other participants;
c) statistical models and/or factors as
well as the algorithms used to calculate judgments, markers
and/or scoring shall be verified regularly at least on an
annual basis and updated as a function of the outcome of
said verification;
d) where a credit application is not
granted, the participant shall inform the data subject as to
whether it has consulted data related to negative judgments,
markers and/or scoring that have been obtained by means of
automated credit scoring techniques and systems, in order to
investigate said credit application; if the data subject so
requests, the participant shall provide him or her with the
data in question and explain both the logic underlying
operation of the systems implemented and the main factors
that have been taken into account in processing the
application.
Article 10. Processing Data
from Public Sources
1. If the manager of a credit information system
processes, whether directly or by the agency of subsidiary
and/or related companies, personal data from public registers,
lists, records or publicly available documents, in whatever
manner, or if it provides participants with services to access
the data from said sources, manager and participants shall be
responsible for ensuring compliance with the principles reported
below subject to the limitations and arrangements set out in the
law as for availability and publicity of the data in question as
well as to the provisions referred to in Section 61(1) of the
Code:
a) the personal data from public
registers, lists, records or publicly available documents,
if recorded, must be contained in personal data banks that
are separate from and not connected with the credit
information system;
b) if a participant accesses personal
data contained both in a credit information system and in
any of the data banks referred to in letter a), the manager
shall take suitable technical and organisational measures to
ensure that the data from the credit information system can
be separated and distinguished from those originating from
other data banks, also by adding appropriate notices, so as
to do away with any and all ambiguities as to the different
nature and sources of the accessed data;
c) if a credit application is not granted,
the participant shall inform the data subject as to whether
it has also consulted negative data contained in the data
banks as per letter a) in order to investigate the credit
application, and it shall specify the public source(s) of
said data at the data subject's request.
Article 11. Data Security
Measures
1. Any personal data that is processed within the
framework of a credit information system shall be confidential
information and may not be disclosed to third parties except for
the cases envisaged both in the Code and in the above articles.
2. The natural persons that have been
appointed by either the manager or the participants as data
processors or persons in charge of the processing may access the
credit information system, shall keep confidential the personal
data acquired, and shall be liable for any breach of
confidentiality resulting from use of the data and/or disclosure
of the data to third parties for purposes other than or
incompatible with those referred to in article 2 hereof, or
anyhow for unlawful purposes.
3. Manager and participants shall take
suitable technical, logical, informational, procedural,
physical, and organisational measures to ensure security,
integrity, and confidentiality of personal data and electronic
communications in line with personal data protection
legislation.
4. The manager shall take adequate security
measures to ensure proper functioning of the credit information
system as well as access control. Accesses shall be recorded and
stored in the information system by the manager as well as by
all participants in the possession of a copy of the relevant
database.
5. As for compliance with the security,
confidentiality, and secrecy obligations referred to herein,
manager and participants shall issue specific instructions in
writing to the respective data processors and persons in charge
of the processing and shall ensure that said instructions are
fully abided by also by means of verifications carried out by
suitable supervisory bodies.
Article 12. Sanctions
1. Without prejudice to such sanctions as are
provided for by the administrative, civil, and criminal laws in
force, managers and participants shall jointly lay down, also by
the agency of the associations underwriting this code, suitable
mechanisms to impose sanctions that are proportionate to the
seriousness of the relevant breaches, in particular as regards
the trade associations underwriting this code as well as the
body referred to in Article 13(7), after informing the Garante
thereof. Such measures shall include an official warning,
suspension or withdrawal of the authorisation to access the
credit information system, and – in the most serious cases –
publication of the news concerning the breach(es) in one or more
dailies or magazines with nationwide circulation at the
offender's expense.
Article 13. Transitional and Final Provisions
1. The measures required to implement this code of
conduct and professional practice shall be adopted by the
entities required to abide by it within and no later than April
30, 2005.
2. Within the term set out in paragraph 1,
the manager of the centralised system for low-level risk
assessment as set up by CICR's resolution of May 3, 1999 (published
in the Official Journal no. 158 of July 8, 1999) as well as the
respective participants shall take the necessary measures to
implement Articles 5 and 8, paragraphs 1, 2, 3, 4, and 5, first
sentence, of this code concerning provision of an information
notice to data subjects and exercise of rights, which shall
supplement the requirements laid down in point 3 of the Banca d'Italia's
instructions (published in the Official Journal no. 272 of
November 21, 2000).
3. Within three months as of the term
referred to in paragraph 1, participants shall provide the
information referred to in Article 5(1) and (2) of this code in
the context of the regular communications sent to customers,
where said information is not included in the information
notices previously made available to any data subject whose
personal data are already recorded in a credit information
system.
4. In the initial implementing phase of the
provisions referred to in Article 6(6), managers shall reduce
the retention period of personal data related to positive credit
information to no longer than thirty-six months, by June 30,
2005. The body referred to in Article 7 shall evaluate, by means
of a reasoned instrument, whether the experience gathered up to
that time and the impact of the measures envisaged in this code
on data subjects' rights are such as to justify the continued
application of the said thirty-six month term. The latter shall
be regarded as applicable further unless the Garante provides
otherwise either at the request of said body or of its own
motion. By January 31, 2006, the Garante shall order publication
in the Official Journal either of its own provision or of a
notice specifying the term to be complied with.
5. In order to allow verifying implementation
of the provisions set out in this code, each manager shall
provide the Garante, by no later than two months as of expiry of
the term referred to in paragraph 1, in accordance with the
arrangements referred to therein,
a) with a general description of the
operation of the credit information system and the
mechanisms for the participants' access thereto, in addition
to its own identification data and contact details, so as to
allow assessing adequacy of the measures, including
technical and organisational measures, that have been taken
to implement this code;
b) with the model contracts, agreements,
conventions, regulations and/or instructions applying to
participants' participation in and access to the credit
information system, as regards the components that are
relevant to personal data protection and the implementation
of this code, as well as with the documentation concerning
the measures that have been taken regarding data security,
confidentiality, and secrecy;
c) with the documents referred to in
Articles 3(3) and (4), 5(4) and (5), and in paragraph 7
below.
6. The communications referred to in
paragraph 4 shall be sent to the Garante, also after expiry of
the aforementioned term, by any data controller acting in the
capacity as manager of a credit information system where said
data controller intends to proceed with the processing of
personal data falling under the scope of application of this
code. Managers shall notify the Garante of any changes in
previously sent communications and documents by no later than
the end of the year in which said changes took place.
7. The manager shall regularly verify, at
least at yearly intervals, that the processing is lawful and
fair by checking that the data related to a suitable number of
credit applications/relationships selected on a sample basis are
accurate and complete. Said controls shall be carried out by a
body including at least a representative from the manager, a
representative from the participants to be appointed on a
rotational basis, and a representative from consumer
associations to be appointed by the National Consumers' and
Users' Council. The minutes of the aforementioned controls shall
be transmitted to the Garante.
8. In order to supervise compliance with
the provisions set out herein, subject to the powers provided
for by the Code concerning investigations and controls, the
Garante may agree with the manager on performance of additional
regular verifications at the premises where the personal data
are processed, including accesses – also on a sample basis – to
the credit information system. The Garante may carry out similar
verifications to be agreed upon jointly in respect of the
accesses by participants.
9. The trade associations undersigning this
code as well as the managers shall start co-operation
initiatives with consumer associations and the Garante in order
to devise both operational solutions to foster compliance with
this code and alternative mechanisms to solve any disputes
resulting from the application of this code.
10. The Garante shall encourage regular
reviews and upgrades of this code in the light of technological
developments, the experience gathered in its application, and
regulatory changes, also if so requested by the trade
associations undersigning this code.
Article 14. Entry into Force
1. This code shall apply as
of January 1, 2005.
(Information from: http://www.garanteprivacy.it)