PRESIDENTIAL DECREE no. 178 dated 7 September 2010 ' Regulations on setting up and management of the public register of subscribers opting out of ...
[doc. web n. 1788873]
PRESIDENTIAL DECREE no. 178 dated 7 September 2010 – Regulations on setting up and management of the public register of subscribers opting out of the use of their phone numbers for the purposes of commercial selling and/or promotions
(as published in Italy's Official Journal no. 256 dated 2 November 2010)
THE PRESIDENT OF THE REPUBLIC
Having regard to Article 87 of the Constitution;
Having regard to Article 17(2) of Act no. 400 dated 23 August 1988;
Having regard to Section 130(3-bis) of the Personal data protection Code as per legislative decree no. 196 dated 30 June 2003, including subsequent amendments thereof;
Having regard to Section 20-bis of the decree no. 135 dated 25 September 2009 as converted, with amendments, into Act no. 166 dated 20 November 2009;
Having regard to Section 55 of the Electronic Communications Code as per legislative decree no. 259 dated 1 August 2003, including subsequent amendments thereof;
Having regard to the preliminary resolution adopted by the Council of Ministers in the course of its meeting of 16 April 2010;
Having obtained the opinion by the Authority for Communications Safeguards;
Having consulted with the Italian data protection authority pursuant to Section 154(4) of legislative decree no. 196 dated 30 June 2003;
Having heard the opinion rendered by the Council of State – Consultative Division for Regulatory Instruments in the course of the sitting held on 17 May 2010;
Considering that he cannot endorse the opinions rendered by the competent Parliamentary Committees insofar as they envisage application of an interim regime, whereas the mechanisms currently in force in Italy are the only ones that may be enforced pending implementation of the new regulatory framework as well as being the only ones in line with European legislation;
Having regard to the resolution adopted by the Council of Ministers in the course of its meeting of 9 July 2010;
Acting on the proposal submitted by the Prime Minister, being the interim Minister for Economic Development, jointly with the Minister for Public Administration and Innovation;
The following Regulations:
1. For the purposes of these Regulations,
a. "Code" shall mean the personal data protection Code as approved by legislative decree no. 196 dated 30 June 2003, including subsequent amendments thereof;
b. "subscriber" shall mean any natural or legal person, body or association that is party to a contract with the provider of publicly available telephone services for the supply of such services, or is anyhow the recipient of such services also by means of pre-paid cards, and whose number is contained in the directories mentioned in Section 129 of the Code;
c. "operator" shall mean any natural or legal person that plans to process the data mentioned in Section 129(1) of the Code in its capacity as data controller under the terms of Section 4(1)f. of the Code for the purpose of sending advertising and/or direct selling materials, or for the performance of market surveys and/or commercial communications, by using telephones;
d. "register" shall mean the public opt-out register referred to in Section 130(3-bis) of the Code;
e. "subscriber directories" shall mean the directories referred to in Section 129 of the Code;
f. "Ministry for Economic Development" shall mean the Communications Department at the Ministry for Economic Development;
g. "registrar" shall mean the Ministry for Economic Development or any third party that may be tasked with implementing and managing the service.
1. These Regulations shall apply to the opt-out register referred to in Section 130(3-bis) of the Code.
2. These Regulations shall only apply to the phone numbers contained in subscriber directories as per Section 129 of the Code.
3. These Regulations shall not apply to processing operations performed for the purposes referred to in Section 7(4)b. of the Code in respect of data that is not taken from publicly available subscriber directories and has been lawfully collected by data controllers from either data subjects or third parties in compliance with the right to object mentioned in Section 7(4)b. and Sections 13, 23, and 24 of the Code.
Creation of the Register
1. The Ministry for Economic Development shall set up a public opt-out register in pursuance of Section 130(3-bis) of the Code as well as in compliance with the provisions set forth in Article 4 hereof.
2. Without prejudice to their right to object to processing operations performed by individual entities under the terms of Section 7(4)b. of the Code, any data subject whose phone number is contained in the subscriber directories mentioned in Article 2(2) hereof may object to processing of the said phone number as performed by using telephones for the purposes of sending advertising and/or direct selling materials or else for the performance of market surveys and/or commercial communications.
Implementation and Management of the Register
1. The Ministry for Economic Development shall undertake to implement and manage the register also by committing such implementation and management to third parties, which shall bear any and all financial and organizational costs, by way of a contract for the provision of services in accordance with the Code for Public Contracts Relating to Works, Services and Supplies as contained in legislative decree no. 163 dated 12 April 2006. If implementation and management of the register are committed to third parties, the said contract shall lay down the following in compliance with both the Code and these Regulations, after hearing the Italian data protection authority with regard to such matters as fall within the relevant scope of competence and by also taking account of the supervisory and control functions referred to in Article 12(1) hereof:
a. The general terms applying to effective and efficient performance of the service, duration of the contractual relationship, and the obligations vested in the contractor;
b. The parameters for calculating the consideration due, subject to any measures falling under the Ministry's scope of competence, which shall take account of the actual costs for operating and keeping the register;
c. Duration of the contract, grounds for withdrawal from, suspension and termination of contract, the guarantees to be provided and the liability vested in the contractor along with any penalties for non-performance;
d. The obligation for the contractor to ensure service continuity and transfer of all the data in case and until a new contractor takes over;
e. The obligation to allow supervisory and control activities by the Ministry for Economic Development regarding compliance with the contract for the provision of services.
2. Implementation and operation of the register shall have to be ensured factually within ninety days as from publication of these Regulations, also in case they are committed to third parties. To that end, the Ministry for Economic Development or the contractor, as the case may be, shall
a. Hear and consult with the main operators within thirty days of the said initial deadline;
b. Arrange for and implement the technical and operational mechanisms applying to functioning of the register and access by the operators within sixty days of the said initial deadline, partly following the outcome of the consultation procedure mentioned under a.;
c. Arrange for and implement the technical and operational mechanisms for subscribers to sign up to the register within ninety days of the said initial deadline.
3. Under Section 20-bis(2) of decree no. 135 dated 25 September 2009 as converted, with amendments, into Act no. 166 dated 20 November 2009, the Register shall be set up once all the steps in the procedure described in paragraph 2 have been completed.
Entities Obliged to Access the Register and Mechanisms for Signing up
1. In order to process data for sending advertising and/or direct selling materials or else for the performance of market surveys and/or commercial communications by means of the telephone, each operator shall lodge an application with the registrar including
a. Documents certifying the operator's identity; where the latter is a natural person, a valid ID shall be enclosed, whilst an ID of the interim legal representative along with the relevant articles and memorandum of association shall be submitted by legal persons and bodies whether incorporated or not;
b. A statement to the effect that the calling line identification system mentioned in Article 9 hereof has been implemented; alternatively, the information identifying every entity that will be in charge of getting in touch with subscribers shall be included if third parties are entrusted with making the phone calls and/or sending materials;
c. The updated, publicly available subscriber directory/-ies making up the source(s) of the personal data to be processed by the given operator.
2. Within fifteen days of receiving the said application, the registrar shall allocate authentication credentials and authorization profiles to the operator and publish the operator's identifying information – including the relevant contact details – in an ad-hoc list that shall be available on the public register's website for no longer than twelve months as from the date the register was last accessed by the operator. The operator shall notify the registrar without delay of any changes in the data communicated at the time the access application was lodged. Validity of the registration shall expire after twelve months from the date the register was last accessed.
1. The operators required to access the register shall pay the registrar the relevant access fees at yearly intervals or else for such shorter periods as may be necessary to the individual operator subject to the limitations set forth by the registrar. Where the registrar is other than the Ministry for Economic Development, it shall draft a yearly plan of operational and management costs for the register including a proposal on the fees to be applied in the subsequent year; the said plan shall be notified to the Ministry for Economic Development by the 30th of November and approved by the Ministry via the decree mentioned in Section 130(3-ter)b. of the Code.
Any and all revenues from the register access fees shall only be relied upon with a view to management of the register; they may not be increased by the registrar for purposes of gain. The Ministry for Economic Development shall autonomously lay down the yearly plan of costs along with the applicable fees in connection with the first implementation and starting up of the register – including such items as may be prove to be necessary for the purpose of the information campaign referred to in article 11 hereof – and shall verify the yearly plan drafted subsequently by the registrar.
2. If the register is managed directly by the Ministry for Economic Development, the revenues from payment of the access fees shall be paid into the State balance and then re-allocated to the corresponding chapters of expenditure of the Ministry for Economic Development. The Ministry for Economic Development shall undertake to manage the register by relying on such human and material resources as are available pursuant to the legislation in force.
Mechanisms and Timeframe for Subscribers to Sign up to the Public Register
1. Each subscriber may request the registrar to include the respective phone number – as contained in the directories referred to in Article 2(2) hereof – in the register, free of charge, according to at least the following mechanisms:
a. By filling in an ad-hoc electronic form on the registrar's website; in this case, the subscriber shall provide identification information including his/her Tax ID along with an e-mail address, and the number to be included in the register;
b. By calling the toll-free number made available for this purpose by the registrar from the telephone line whose number corresponds to the one that is to be included in the register, in which case the same information as per letter a. above shall have to be provided; this system will have to operate via automated call response, however it must be possible for the subscriber to obtain non-automated telephone assistance in case of sign-up difficulties and/or problems or if the information is to be modified or erased;
c. By sending a registered letter or a fax to the registrar's address and enclosing a copy of a valid ID; in the latter case, the date on which the letter or fax is actually received by the registrar shall be taken into account for the purposes of Article 8 hereof;
d. By sending an email.
2. Where several phone numbers have been allocated to the same subscriber, all of them may be included in the register providing any of the mechanisms described under letters a., b., c. and d. above is used. Confirmation of registration shall always be provided to the subscriber.
3. Where a subscriber has signed up to the register, no processing of his/her data shall be allowed for the purposes of sending advertising or direct selling materials and/or for the performance of market surveys or commercial communications by means of the telephone, irrespective of the industry sector or commodity concerned. The fact that a subscriber has signed up to the register shall not prevent processing of that subscriber's data for the said purposes by any entity that has collected or is collecting the data in question from sources other than the directories mentioned in Article 2(2) hereof – providing this was or is done in compliance with Sections 7(4)b. , 13, 23 and 24 of the Code.
4. Each data subject may update or modify the respective data or sign out of the register according to the same mechanisms followed for signing up. Each subscriber may sign up to or out of the register, or sign up again to the register, without any limitations whatsoever.
5. Any subscriber that has signed up to the register shall be included therein for an indefinite amount of time unless he/she signs out or is struck off the register in pursuance of paragraph 6 below. A subscriber may only record his/her preference in the public register for the phone number(s) specified by and allocated to him/her; no preference may be recorded in respect of numbers allocated to other subscribers.
6. The preference recorded with the register shall be struck off automatically whenever the given number is allocated to a different subscriber or is no longer active; to that end, the register shall have to be updated automatically at least at 10-day intervals on the basis of the information contained in the unified subscriber database referred to in resolution no. 36/02/CONS by the Authority for Communications Safeguards as published in Italy's Official Journal no. 72 dated 26 March 2002.
To that end, the registrar shall become a party to the framework agreements mentioned in resolution no. 36/02/CONS by the Authority for Communications Safeguards, which regulate provision of the services referred to in Section 55 of legislative decree no. 259 dated 1 August 2003, or else acquire the data contained in the said unified subscriber database, and shall regularly update the information it holds.
7. Subscribers may sign up to the public register at any time, including holidays, at least with regard to the automated sign-up mechanisms. The registrar shall keep the logs of the accesses to the sign-up, update and sign-out systems along with logs of the sign-up, update and sign-out operations performed by subscribers for twelve months as from the date of their generation - including the sending of any correspondence and the respective attachments – by ensuring their completeness, integrity, non-modifiability and verifiability. The said logs shall be protected by the registrar against unauthorized access so as to allow them to be only accessed for inspection by the Italian data protection authority and/or judicial authorities.
Technical Mechanisms Applying to Operation of the Register and Access by Operators
1. Each operator shall adapt its own technological infrastructure intended to interface with the public register to the technological and operational standards set forth by the registrar upon consultation with the main telephone operators. Operators may only access the register in order to fulfill the obligations arising from paragraphs 3-bis, 3-ter, and 3-quater of Section 130 of the Code.
2. The registrar shall record the subscriber's preferences and strike such record off the register, as the case may be, as expeditiously as possible and anyhow by the workday following the day on which the subscriber's application was received. No operator shall be required to access the register at intervals of fewer than 15 days.
3. Consultation of the register shall not allow transferring the personal data contained therein. Automated systems must be in place to enable the registrar to receive the operator's electronic list, match it with the data contained in the register, update it as necessary, and return it to the operator in an ad-hoc section of the website; alternatively, the updated list may be emailed to the operator without the latter in any way being in a position to extract the data contained in the register. The registrar shall enable the individual operators' queries within 24 hours.
4. The registrar shall determine the electronic format for transmitting the lists lawfully held by operators with a view to matching them with the public register and updating them as appropriate; to that end, account shall also be taken of technological developments.
5. Logs of access, updating, and operator disconnection events shall be kept by the registrar for twenty-four months as from their generation in respect of each operation performed by the operators in accessing the system and updating the lists based on the data contained in the public register; completeness, integrity, inalterability and verifiability standards shall be complied with in this regard. The said logs shall be protected by the registrar against unauthorized access so as to allow them to be only inspected either by the Italian data protection authority for personal data protection purposes or by judicial authorities.
Calling Line Identification Presentation Requirements
1. Any operator processing data in pursuance of these Regulations shall be required to ensure presentation of calling line identification whenever they call subscribers, without in any way modifying this feature.
1. Regardless of a specific request made by the data subject, the operators and/or the respective data processors or persons in charge of the processing shall accurately inform data subjects, at the time of calling them, that their personal data were taken from subscribers' directories; they shall also provide them with the details required in order for them to record their preferences in the opt-out register. Simplified mechanisms may be implemented to provide the said information.
Information Campaign for Consumers
1. Under section 4 of legislative decree no. 206 dated 6 September 2005 and within the framework of the resources available for the relevant purposes as per the Fund referred to in section 148 of Act no. 388 dated 23 December 2000, the Ministry for Economic Development and the Prime Minister's Office shall implement and foster, in co-operation with the National Consumers' and Users' Council, an information campaign targeted at subscribers, which shall have to be put in place within the initial six months of operation of the register as from the date on which the latter is actually implemented. The said campaign shall be such as to foster full awareness of consumers' rights along with the mechanisms to object to the processing of their data for the purposes of sending advertising materials and/or direct selling and/or for the performance of market surveys or commercial communications by means of the telephone. For the aforementioned purposes, all the operators authorized to provide publicly available telephone services shall make available similar awareness-raising tools to their subscribers with regard to their right to opt-out; to that end, they may also include specific information notices in billing records/documents.
Supervision by the Italian Data Protection Authority and Penalties
1. The registrar shall ensure that the register may be accessed by the Italian data protection authority to perform checks on organization and operation of the register as well as to perform any other checks or inspections that are found to be necessary in pursuance of the Code.
2. The penalty set forth in Section 162(2-quater) of the Code shall be imposed in case of breach of the right to opt-out under the terms laid down in these Regulations.
Protection of Subscribers
1. The remedies available in Part III of the Code shall be relied upon by subscribers in case of breach of any provisions contained in these Regulations.
1. Should the 90-day period referred to in Article 4(2) hereof expire to no avail, and pending implementation of the register, any data subject whose personal data is contained in the subscriber directories mentioned in Section 129 of the Code may exercise their right to object via the operator they have entered into a contract with for the provision of telephone services; to that end, the subscriber's objection to processing of the data for the purposes referred to in section 7(4)b. of the Code shall be recorded in an ad-hoc textual field linked to the number that is allocated to the said subscriber in the current unified database – pursuant to the resolutions no. 36/02/CONS and 180/02/CONS by the Authority for Communications Safeguards.
2. For the purposes of paragraph 1 above, the rules set forth in Articles 5, 7, 8 and 10 hereof shall apply as related to security measures, access to and consultation of the data, information obligations vested in operators, simplified, free-of-charge recording of subscribers' preferences and keeping of records and access logs. The Italian data protection authority shall be allowed to access the unified database in order to perform such checks and controls as may be found necessary in pursuance of the Code. Operators shall be enabled to look up the preferences recorded by data subjects, under non-discriminatory conditions, also following an update of publicly available online subscriber directories; such update shall be performed by adding a notice to the said directories and/or to a section thereof where the subscriber's objection shall be recorded.
This decree, bearing the State's official seal, shall be added to the Official Collection of Regulatory Instruments of the Italian Republic. Everyone shall have to abide by it and ensure that it is abided by.