By Rocco Panetta
As a general principle, Italy’s Data Protection Authority (Garante) has established that a bank cannot process personal data for debt collection purposes by means of pre-recorded telephone messages unless the bank is able to ensure that the communications in question are available only to the data subject or to persons duly authorized by the data subject. The Garante has ruled in favor of a citizen, the holder of a loan agreement with a bank, who had received pre-recorded telephone calls from the bank as payment reminders that could have been heard by other persons who did not have the right to know information about the loan.
The DPA has verified that the system used by the bank for debt collection was not able to ensure the correct identification of the person who answers the phone. Therefore, it has forbidden such unlawful data processing, establishing that whoever processes personal data for debt collection purposes shall not “disclose information concerning the data subject's default to third parties; e.g., family members, cohabiters, colleagues, neighbors, without any justification.”
In order to lawfully process personal data for the purposes in question, the Garante has ordered the bank to implement more stringent security measures, such as the use of a specific code known only to the data subject.
Rocco Panetta is an Italian lawyer and partner of Panetta & Associati Studio Legale in Rome. He is the former head of legal at the Italian Data Protection Authority and a member of the IAPP Europe Advisory Board.