Respect for privacy is one of the most sensitive aspects of software development. For the users of a program, the ability to comply with data protection regulations depends largely on choices made at the various stages of the software development lifecycle, such as the design and implementation of privacy by design and by default principles and the fulfilment of data security obligations.
Against this background, the Italian Data Protection Authority (“Garante Privacy”) has finally approved the Code of Conduct for the processing of personal data carried out by companies that develop and produce management software (published in the Official Gazette of 27 November 2024, General Series no. 278).
The detailed guidance provided by the Code will support these operators in the complex, ongoing task of ensuring compliance with the ever-evolving regulatory framework for the protection of personal data.
Among the many aspects addressed, the Code highlights the qualification of, and obligations attached to, the various “privacy roles” (controller, processor, sub-processor and persons authorised to process), as well as the different levels of obligation needed to ensure privacy by design and by default across development, installation, service and maintenance activities.
Development firms that adhere to the Code will find it easier to demonstrate compliance with their accountability obligations, both to supervisory authorities and to their current and potential clients (who are themselves required by law to use only products and services that allow full respect for privacy).