1. Governing Texts

1.1. Legislation

• The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). For requirements under the GDPR, please see our EU - Vendor Privacy Contracts Guidance Note, or select 'EU' within the Comparison tool
• Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to General Data Protection Regulation (Regulation (EU) 2016/679) ('the Code')

1.2. Regulatory authority guidance

The European Data Protection Board ('EDPB') has released:

• Opinion 14/2019 on the draft Standard Contractual Clauses submitted by the DK SA (Article 28(8) GDPR) (12 July 2019); and
• Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR (version under public consultation).

The Italian data protection authority ('Garante') has issued the following guidance:

• Guidance on data controllers, processors, and third parties (only available in Italian here);
• Cloud Computing, a Mini-vademecum for Businesses and Public Bodies;
• Authorisation To Use Standard Contractual Clauses - EU Data Controllers to Non-EU Data Processors and Non-EU Data Processors to Non-EU Sub-Processors;
• Standard Contractual Clauses and Cross-Border Data Transfers Via a Data Processor Established in the EU;
• Code of conduct on the processing of personal data for commercial information purposes (only available in Italian here) ('the Code of Conduct on Commercial Information Processing'). Please note that the Code of Conduct identifies adequate guarantees and methods for data controllers and processors in the commercial information and credit management sector;
• Code of conduct on credit risk analysis for private informative systems (only available in Italian here) ('the Code of Conduct on Credit Risk Analysis'); and
• General Prescriptions on the Sharing of Personal Information in the Banking Context and on the Traceability of Banking Transactions (only available in Italian here) ('the Guidelines on Banks'), issued on 12 May 2011 and clarified by guidance issued by the Garante on 18 July 2013 (only available in Italian here).

1.3. Regulatory authority templates

The European Commission has released the following decisions on standard contractual clauses ('SCC') for transfers of personal data to jurisdictions outside of the EU/EEA:

• Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council;
• Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries; and
• Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (2001/497/EC).

The Article 29 Working Party ('WP29') released the following documents, which have been endorsed by the EDPB:

• Recommendation on the Standard Application form for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data | WP 264 rev.01 (18 April 2018);
• Recommendation on the Standard Application form for Approval of Processor Binding Corporate Rules for the Transfer of Personal Data | WP 265 rev.01 (18 April 2018);
• Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules | WP 256 rev.01 (9 February 2018); and
• Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules | WP 257 rev.01 (9 February 2018).

2. Definitions

Data controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (Article 4(7) of the GDPR).

Data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR).

3. Contractual Requirements

3.1. Are there requirements for a contract to be in place between a controller and processor?

Banking sector

When a bank or another subject as specified in Section 1.2 of the Guidelines on Banks outsources the management of the informative system containing personal data of its clients to an external subject, the latter must be considered and appointed as data processor if the bank is the only subject having the following powers (Section 3.2 of the Guidelines on Banks):

• taking decisions in relation to the purpose of the processing;
• providing the outsourcer with instructions and binding indications; and
• supervising and controlling the operations of the outsourcer.

3.2. What content should be included?

There are no national variations.

4. Data Subject Rights Handling & Assistance

4.1. Are processors required to assist controllers with handling of data subject requests?

There are no national variations. For further information see Italy - Data Subject Rights.

For further information on data subject rights under the GDPR see EU-GDPR Data Subjects Rights.

5. Processor Recordkeeping

5.1. Are processors required to keep records of their processing activities?

There are no national variations.

6. Security Measures

6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?

Commercial information and credit management

In relation to the provision of commercial information services, the supplier may make use of a data processor that presents adequate guarantees in accordance with Article 28 of the GDPR. In addition, the supplier must contractually bind the processor to the conditions of the Code of Conduct on Commercial Information Processing itself, where the same is applicable to the processing activities carried out by the processor (Article 11(4) of the Code of Conduct on Commercial Information Processing).

In addition, the supplier and the controller, where existent, identify the designated natural persons acting under their authority in accordance with Article 29 of the GDPR and Section 2-o of the Code, further determining adequate confidentiality obligations and instructions in accordance with the Code of Conduct on Commercial Information Processing (Article 11(5) of the Code of Conduct on Commercial Information Processing).

Credit Risk Analysis

The manager of the credit information system and the participant of the same, as defined in Articles 2(b) and (c) of the Code of Conduct on Credit Risk Analysis, must ensure that their data processors adopt technical and organisational measures adequate to guarantee a security level appropriate to the risk from the beginning of the project and by default. In particular, the above measures include, among others (Article 12(3) of the Code of Conduct on Credit Risk Analysis):

• pseudonymisation and encryption of personal data;
• capacity to ensuring permanently the confidentiality, integrity, availability and resilience of systems and processing services;
• capacity to restore the availability and access of personal data in case of a physical or technical incident; and
• a procedure to test, verify, and assess regularly the efficiency of the technical and organisational measures, in order to guarantee the security of the processing.

In addition, the manager of the credit information system must adopt and must guarantee that his processors adopt adequate security measures in order to ensure the functioning of the credit information system and the control of accesses (Article 12(4) of the Code of Conduct on Credit Risk Analysis).

7. Breach Notification

7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?

There are no national variations. For further information see Italy - Data Breach.

For further information on breach notifications under the GDPR, see: EU – GDPR – Data Breach.

8. Subprocessor

8.1. Are subprocessors regulated? If so, what obligations are imposed?

There are no national variations.

9. Cross-Border Transfers

9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?

There are no national variations. For further information see Italy - Data Transfers.

Following the publication of the CJEU's judgment C-311/18 Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems ('Schrems II') on 16 July 2020, which generally validated the SCCs while invalidating the EU-US Privacy Shield data transfer certification mechanism, the EDPB has released its Recommendations on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data, as well as complementary Recommendations on the European Essential Guarantees for Surveillance Measures, aimed to assist controllers and processors to 'verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.'

For further information on data transfers under the GDPR, see: EU – GDPR – Data Transfers.

10. Regulatory Assistance

10.1. Are processors required to assist controllers with regulatory investigations?

There are no national variations.

11. Processor DPO / Representative

11.1. Are processors required to appoint a DPO / representative?

Data Protection Officer ('DPO')

There are no national variations. For further information see Italy - Data Protection Officer Appointment.

For further information on DPOs under the GDPR, see EU - Data Protection Officer Appointment Guidance Note

Representative

There are no national variations.

12. Supervision & Monitoring

12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?

There are no national variations.

Authored by OneTrust DataGuidance

DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.