The Italian Data Protection Authority issued detailed rules for the processing of personal data by call centers located outside the EU, which operate on behalf of Italian data controllers to provide customer care or for marketing purposes.
According to Directive 95/46/EC the transfer of personal data to third countries not ensuring an adequate level of protection can only take place pursuant to Articles 42-45 Italian Privacy Code (which among other provide for a prior authorization by the Italian Data Protection Authority).
Regulation 444 contains many specific suggestions to ensure data controllers maintain control on the data that are transferred to call centers. For example in case a EU based data controller uses a EU call center service which, in turn, subcontracts to a third party located outside the EU, the Authority suggests that 1) the data controller and the subcontractor should be the two parties executing the standard contractual clauses; 2) the data controller grants the data processor with the power to sign the standard contractual clauses on controller’s behalf; 3) ad hoc agreements are executed between the data controller and the third party providing the same level of safeguard as the standard contractual clauses.
The Italian Authority imposes the following requirements on data controllers (public or private) subject to Italian privacy law which directly or indirectly use a call center in a non-EU country:
“a) at the beginning of the call, specify to the data subject making or receiving the call where the call center operator is located and in case the data subject is making the call, adopt procedures that would allow the data subject to choose to opt for an operator located in the same country of the data subject;
b) inform the Data Authority of the intention to perform the call center activity outside the EU using the specific form published at www.garanteprivacy.it;
c) within 30 days from the publication of this Regulation on the Official Gazette, send the written communication described in letter (b) above, which shall be made also in case a processing of data outside of the EU by a call center is already in process”.
See http://www.garanteprivacy…