The code of conduct (“cdc”) for telemarketing and teleselling approved by the Italian Data Protection Authority with Decision No. 70 of March 9, 2023 (Web Doc. No. 9868813) awaits, for its entry into force, the accreditation of the Monitoring Body by the authority and, thereafter, the lapse of 15 days from the publication of the code in the Official Gazette.
We are coming back to this topic, which we initially addressed in the April 6, 2023 Bulletin, to examine the obligations prescribed by this code that bind those who will adhere to it. In any case, what is stated therein constitutes a reference point of best practices to be implemented by all actors involved in telemarketing and teleselling operations.
Obligations
Section II of the Code, headed “Obligations of the Parties,” distinguishes between:
- Obligations of the controller (Art. 5)
- Obligations that apply to relations between clients and list providers (Art. 6)
- Obligations that apply specifically to contact providers (e.g., call centers; Art. 7)
- Obligations common to all parties (art. 8).
Obligations of the controller
It was seen above that the client of a promotional campaign conducted through the telephone is a data controller of personal data characterized by telemarketing and teleselling operations [Art. 2(2)(f), cdc]. In addition, the “list provider” or “publisher” who acquires, for the purpose of communicating them to third parties, personal data for promotional telephone contacts [Art. 2(2)(g), cdc] is also a data controller.
The obligations under the cdc with respect to controllers of processing for telemarketing and teleselling purposes are contained in several parts of the document.
Article 5 of the cdc sets out a number of obligations distinguishing them between:
- Obligations on anyone who is the controller (i.e., principal or list provider)
- Specific obligations on the client
- Specific obligations on the list provider.
Article 6, following, outlines the obligations of these controllers ( client and list provider) in the context of the relations between them.
Article 8 highlights other obligations that are common to all cdc adherents, thus, also for data controllers.
Finally, Section III (” Safeguards in processing”) and Section IV (“Measures to ensure the proper processing of the “supply chain”) contain additional obligations on data controllers. Section III addresses the issues of:
- Processing of special categories of data (art. 9)
- Script availability and determination of contact methods (Art. 10)
- Privacy notice and consent (arts. 11 and 12)
- Transmission of data to third parties (art. 13).
Section IV, on the other hand, addresses issues related to safeguards for the proper functioning of the constituent parts of the telemarketing and teleselling supply chain, specifically:
- data quality verification operations (Art. 15)
- the control of the origin of the contract (art. 16)
- the management of multi-firm suppliers (Art. 17).