After July 21, 2022, the final draft of the code of conduct for telemarketing and teleselling activities was submitted for public consultation and then to the Italian Data Protection Authority (Garante), which approved it with Order No. 70 of March 9, 2023 (Web Doc. No. 9868813). The code will enter into force only once the Garante has accredited the Monitoring Body and, thereafter, 15 days have passed from the publication of the code in the Official Gazette.
The code addresses the critical topic of telephone advertising and systematically brings together the rules set out in the Authority’s pronouncements in recent years, issued as part of its commitment to fight the various and persistent non-compliant activities of subjects operating in this industry, at different levels.
Codes of conduct
Codes of conduct (“cdc”) are regulated by Articles 40 and 41 of the GDPR and are one of the voluntary discipline and accountability tools covered by the regulation.
Through such codes, representatives and industry associations, who know the specificities of their environments, can establish specific data protection rules for data controllers and processors in compliance with the GDPR. They thus have the opportunity to define the most appropriate behaviors, both legal and ethical, for the industry concerned.
Purposes of the codes of conduct
Codes of conduct provide an opportunity for specific sectors to address common issues with regard to data processing and to accept more practical and operational data protection rules tailored to the relevant framework that meet the needs of the sector and the requirements of the GDPR. In this way, the codes can help create greater harmonization in sectoral areas and close harmonization gaps that may exist between member states in the application of data protection regulations.
Codes of conduct can also be a kind of safeguard for personal data flows to non-EU countries that lack a protection system deemed comparable to that of the EU, as provided for in Article 40(3) of the GDPR.
National and European codes of conduct
“National” codes of conduct are those that concern the processing activities of data controllers and/or processors which take place within a single member state.
Conversely, a code of conduct is “transnational” when it is adopted by a national association in one member state but concerns processing activities by its members with effects in several member states, without necessarily involving a cross-border flow of personal data within the Union.
Relevance of the codes of conduct
Adherence to a code does not in itself guarantee compliance with the GDPR, nor does it give controllers or processors immunity from the fines or liabilities under the GDPR.
Unlike the ethics rules introduced by the revised Italian Privacy Code (Article 2-quater), the requirements of GDPR codes of conduct are not conditions for lawful processing. Nevertheless, compliance with them affects, in various ways, the compliance assessment of the operations of controllers or processors who adhere to them: compliance with an approved code of conduct will be a factor taken into account by supervisory authorities when
- assessing security aspects [Art. 32(3)]
- assessing the impact of processing in the course of a DPIA [Art. 35(8)]
- determining the amount of an administrative fine [Art. 83(2)(j)].