New legal requirements have been introduced as part of the Italian Data Protection Authority (IDPA) guidelines on the processing of personal data by call centers based outside the European Union.
One of the most significant changes is that companies wishing to operate their customer care services via call centres based outside the European Union will now be required to notify the IDPA in advance.
The new guidelines have been put in place in order to establish specific rules to manage the use of call centers, which have become increasingly popular with companies in the past few years, primarily because of their perceived efficiency and cost-savings advantages.
Many companies have adopted the call center approach for their customer service operations, which necessitates the transfer, processing and storage of personal data. When the call centre is based, and its operations are carried out, outside the European Union, there is an increased risk to the security of this data.
For this reason, the guidelines require that the Data Controller, i.e., the company based in Italy that is operating its customer services through a call centre outside Italy,
- Adopts at least one of the mandatory approaches to legally transferring personal data outside the European Union, e.g., Safe Harbor, Standard EU Commission Clauses or binding corporate rules
- Implements specific security measures to prevent the risk of loss, theft or unlawful processing of personal data.
The guidelines outline specific structures and features for customer services management systems and provide detailed precautions to be applied to communications equipment used by call centre personnel.
Once the guidelines have been published in the Italian Official Gazette, any company wishing to locate its customer care or call centre services outside Italy will be required to file a notification with the IDPA. The IDPA might prescribe specific requirements with which the company will have to comply in order to obtain permission, or give recommendations aimed at ensuring ongoing compliance. There will be a specific procedure and paperwork for applying for permission and complying with the IDPA’s requirements.
Companies that already operate customer services through call centres based outside the European Union will be required to notify the IDPA within 30 days of the publication of the guidelines in the Italian Official Gazette.