Digital business in Italy: overview
A Q&A guide to digital business in Italy.
The Q&A gives a high-level overview of matters relating to regulations and regulatory bodies for doing business online, setting up an online business, electronic contracts and signatures, data retention requirements, security of online transactions and personal data, licensing of domain names, jurisdiction and governing law, advertising, tax, liability for content online, insurance, and proposals for reform.
This Q&A is part of the global guide to digital business law. For a full list of jurisdictional Q&As visit www.practicallaw.com/digital-business-guide.
Digital business in Italy is regulated by Legislative Decree (LD) No. 70/2003 implementing the Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Electronic Commerce Directive).
LD 70/2003 refers to both business-to-business (B2B) and business-to-consumer (B2C) transactions. The regulation of B2C transactions is also set out by LD No. 206/2005 (Consumer Code).
Further regulations, along with the sections of the Italian Civil Code (CC) on agreements in general, are:
Industrial Property Code (IPC) (LD No. 30/2005) and Law No. 633/1941 on copyright (Copyright Law).
Digital Administration Code (CAD) (LD No. 82/2005).
Data Privacy Code (DPC) (LD No. 196/2003).
LD No. 114/1998 on commercial activities.
Some authors also distinguish a third kind of relationship, B2b, which is a relationship between two entrepreneurs, one of which is in a weaker position than the other one. The current legislative framework does not regulate this kind of relationship. While an additional protection to that provided under the CC is provided for the weak party under Law 192/1998, it applies only if the weak party is in a situation of economic dependence on the other party.
Legislation may be passed by either the Italian Parliament or the government.
The Ministry of Economic Development is directly responsible for digital business.
The following authorities supervise the correct enforcement of the relevant regulations:
Digital Italy Agency, which guarantees the achievement of the objectives of the Digital Agenda for Italy in line with the Digital Agenda for Europe.
Competition Authority (Autorità Garante della Concorrenza e del Mercato), which oversees the enforcement of consumer rights and acts against unfair or misleading commercial activities.
Data Protection Authority (DPA) (Autorità Garante per la protezione dei dati personali).
Communications Regulatory Authority (AGCOM) (Autorità per le Garanzie nelle Comunicazioni) which supervises the protection of copyright on electronic communication networks.
Setting up a business online
The common steps are:
Incorporation of a company and setting up before the notary.
Registration at the Companies' Register.
Filing of the certificate to start activity (Segnalazione Certificata Inizio Attività) (SCIA) at the municipality, if the operator has its premises in Italy.
Communication to the Tax Agency.
Registration at VAT Information Exchange System (VIES) if the business is engaged in sales to another EU country.
Setting up the e-platform, directly or through contractors.
Domain name registering.
No further authorisation is required unless there are professional requirements for the conduct of specific activities (for example, in case of a jewellery business, the seller must obtain a public security licence).
To develop and distribute an app the following steps should be followed:
Software development agreement. If the developer/distributor is not able to develop an app on its own, it should enter into a software development agreement with a company developing the software.
Technology licence agreement. If the developer/distributor is able to develop an app on its own, it may be necessary to enter into a licence agreement where the app uses licensed technology.
Agreement of supply of services. If the app uses services of third parties (web services), it will be necessary to enter into an agreement of supply of services with the supplier.
Online platform. The developer/distributor must choose a platform where the app will be sold (for example, App Store, Google Play Store, Amazon, Salesforce) and accept the relevant terms and conditions.
Running a business online
Contracts can be formed online. Under the general principles of the Civil Code (CC) on free form of contracts, the form used must make it possible to demonstrate the existence of an agreement and its object.
For B2C contracts, the operator must provide to the customer/consumer the following minimum information (Article 7, LD No. 70/2003):
Before the conclusion of the contract:
operator's name and legal form;
operator's contact details;
companies' Registry, registration number;
tax code and VAT number;
supervisory authority, if any;
clear indication of price and other charges highlighting taxes, delivery costs and further elements;
date by which goods/services will be delivered/performed;
withdrawal conditions and relevant costs;
legal warranty for goods and conditions of post-sale assistance, if any;
technical procedure for contract conclusion;
modality of contract filing and how it can be consulted;
technical means to check data entry and correct errors before order confirmation;
applicable codes of conduct, if any, and how they can be electronically consulted;
languages available for the conclusion of the contract in addition to Italian; and
means for disputes resolution.
After the conclusion of the contract, the operator must acknowledge receipt (on a durable medium) of the order including:
a summary of the general and specific conditions applicable;
the main features;
details concerning price, payment methods, withdrawal, delivery costs and taxes.
In case of B2B contracts, the parties can agree different information.
In B2C contracts, the button or the link used for order confirmation must clearly indicate that the order involves a payment obligation. Otherwise, the order will not be binding on the consumer.
The consumer can withdraw from the contract within 14 days. The period starts from the contract conclusion in case of services and supply of digital contents, and from the delivery date in case of supply of goods. The 14-day term is extended to one year and 14 days if the operator does not provide information on the right to withdraw.
Unfair clauses under the CC (such as limitation of liability, jurisdiction, tacit renewal and limitation period) must be specifically accepted in writing (that is, a double signature is needed). According to some case law, this requires the use of written form or another form that has the same validity (for example, digital signature).
For B2C agreements, the Consumer Code provides for a list of unfair clauses, which will be null and void, even if accepted by the consumer.
The retention of personal data collected and processed via electronic contracting must comply with Italian data privacy law including principles set out by the Privacy Code for data processing (see Question 14), such as lawfulness, fairness, proportionality and necessity of data processing.
Consumers' personal data, related to electronic contracting, can be retained for the time strictly necessary to perform the contractual obligations or to comply with relevant applicable laws.
Specific provisions related to data retention are provided by the Italian Data Protection Authority in relation to some particular business areas (for example, in case of mobile payments).
In general, Articles 1218 and 1453 of the Italian Civil Code deal with breach of contract, including provisions on termination, contract performance and damages.
Concerning B2C contracts, in case of defects in products bought online, a consumer has the right to have the product repaired or replaced. If a reparation or replacement is neither possible nor carried out by the seller, the consumer can ask for a reduction in price or a termination of the agreement. Moreover, Article 140-bis of the Consumer Code sets out the rules on class actions that apply also to electronic contracts.
Moreover, if the consumer considers that the provider has also committed an unfair commercial practice, the consumer/association of consumers can also file a claim with the Competition Authority, which can apply an administrative fine from EUR5,000 to EUR500,000 (Article 27, Consumer Code).
Italian law recognises e-signatures as legally effective.
E-signatures are required in any transactions with public bodies, while they are used in very few transactions with consumers or other businesses.
E-signatures are regulated in the Digital Administration Code (CAD) (Legislative Decree No. 82/2005) and in Regulation (EU) No. 910/2014 (eIDAS Regulation).
Definition of e-signatures
The CAD lists the following types of e-signatures:
Advanced electronic signature.
Qualified electronic signature.
The CAD only defines the "digital signature" as a particular kind of qualified signature based on a system of interrelated cryptographic keys, which allow the holder and the recipient to elicit evidence of, and to verify, the origin and the integrity of an electronic document.
eIDAS Regulation provides the following definitions:
Electronic signature is data in electronic form which is attached to or logically associated with other electronic data and which is used by the signatory to sign.
Advanced electronic signature is an electronic signature which meets the requirements set out in Article 26 of eIDAS Regulation.
Qualified electronic signature is an advanced electronic signature that is created by a qualified electronic signature device, and based on a qualified certificate for electronic signatures.
Format of e-signatures
Under Article 1 of Commission Implementing Decision (EU) 2015/1506, member states acknowledge advanced signatures in XML, CMS or PDF. Such e-signatures must comply with one of the following ETSI technical specifications:
Base profile XAdES: ETSI TS 103171 v. 2.1.1.
Base profile CAdES: ETSI TS 103173 v. 2.2.1.
Base profile PAdES: ETSI TS 103172 v. 2.2.2.
There are no limitations on the use of e-signatures, and the new Article 21 of CAD (as amended by Article 18 of Legislative Decree 179/2016) expressly gives the value of a simple written signature to the document signed by an electronic signature. However, digital signatures and qualified electronic signatures are required in case of contracts subject to written form under penalty of nullity (see Question 8).
Implications of running a business online
Cyber security/privacy protection/data protection
Privacy Code regulates collection and use of personal data.
The legislative framework will change in the next two years as the reform of EU data protection rules will enter into force (Regulation (EU) 2016/679, Directive (EU) 2016/680). The Regulation entered into force on 24 May 2016 and will be applicable from 25 May 2018 (companies have two years to comply), while Directive 2016/680 entered into force on 5 May 2016 and EU member states must implement it by 6 May 2018.
The Privacy Code (DPC) applies to any processing activity of personal data (as defined in Article 4a). The processing is defined as any operation, or set of operations, carried out with or without the help of electronic or automated means, concerning the collection, recording, organisation, keeping, interrogation, elaboration, modification, selection, retrieval, comparison, utilisation, interconnection, blocking, communication, dissemination, erasure and destruction of data, whether or not the data is contained in a data bank.
Information related to a legal entity is no longer considered personal data (Law No. 214 of 22 December 2011).
The following types of personal data are regulated:
Identification data: data allowing a data subject to be identified directly (Article 4 c, DPC).
Sensitive data: data including information on racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organisations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life (Article 4 d, DPC).
Judicial data: personal data disclosing measures relating to criminal proceedings (Article 4 e, DPC).
The following rules must be complied with in terms of personal data:
The processor of personal data must first provide the data subject with specific information concerning the relevant data processing.
Private entities and profit-seeking public entities may only process personal data with the prior data subject's consent, of which proof must be available in writing.
The data subject's consent shall only be deemed to be effective if it is given freely and specifically with regard to a clearly identified processing operation, if it is documented in writing, and if the data subject has been provided with the information above. Specific exemptions are provided by the Privacy Code (DPC) or defined in Italian Data Protection Authority (DPA) decisions.
The data controllers must implement appropriate technical and organisational measures to ensure an appropriate level of security to minimise the risk of data destruction or loss, whether by accident or not, of unauthorised access to the data or of processing operations that are either unlawful or inconsistent with the purposes for which the data have been collected.
Cloud services involved must comply with specific requirements for data protection and the storage of data, such as:
Appointment of the service provider as a data processor, regulating in detail the relevant obligations.
Implementation of adequate security measures in compliance with the highest Italian and European standards.
The data subject must be aware of the location of data centres in which the service provider processes data and of the nationality of the sub-contractors (if appointed). Moreover, if cloud storage systems are located outside the European Union, the security measures must be adopted by the providers under DPC.
In particular, the DPA requested that the data processor provide two-level information to users. The information must be displayed on the following:
A suitably-sized banner on screen immediately when the user accesses the home page or any other page of a website.
Another page providing extended information, in which the user can refuse to consent to the installation of cookies.
Consent is not necessary for technical cookies and, in some cases, for analytics. However, it must be obtained for other kinds of cookies, such as marketing and profiling cookies. For those cookies it is also necessary to file a notification with the DPA.
Internet providers must take into consideration technological innovations and adopt appropriate technical and organisational measures to ensure an adequate level of security (see Question 16).
The Italian Data Protection Authority (DPA) in its decision of 4 April 2013 suggested the following measures:
To immediately render the data unavailable for further processing as soon as the activities for which that data is required are over, and to erase or anonymise that data within a time range technically compatible with the relevant IT procedures. This applies to the databases and processing systems used for the specific processing as well as to backup and disaster recovery systems and media, also by relying on encryption and/or anonymisation technology.
Special care must be taken in respect of portable devices. Specific security measures must be introduced to mitigate the risks related to device portability and to ensure that such devices operate under similar security arrangements compared to other IT devices.
Whenever security of service or personal data makes it necessary to also take measures applying to the network, the provider of a publicly available electronic communications service must adopt those measures jointly with the provider of the public communications network.
If there is a significant risk of a breach of network security, the provider of a publicly available electronic communications service must inform contracting parties and, if possible, users of the risk and the measures to be taken by the provider.
Under Article 15 of the Personal Data Protection Code (Legislative Decree No. 196 of 30 June 2003), whoever causes damage to another as a consequence of the processing of personal data will be liable to pay damages under Section 2050 of the Civil Code. Therefore, the provider is liable to pay damages unless it can prove that it has taken all appropriate measures to avoid the damage.
The use of encryption is considered by the Privacy Code (DPC) and the Italian Data Protection Authority (DPA) as a suitable security measure.
In addition, the DPA refers to encryption as a suitable security measure in specific regulated sectors of data processing (for example, mobile remote payment, telephone and Internet traffic data for justice-related purposes and data processing during criminal investigations).
Government bodies and in particular judicial authorities can ask for access to personal data held by a data controller. There are specific procedures to be followed and the inquiry must usually be in the form of an official and specific request.
Under the Privacy Code (DPC), the processing of personal data, carried out by judicial authorities at all levels for the purposes of justice or policing, is not subject to the usual data processing requirements such as:
The duty to inform the data subject as well as any entity from whom personal data is collected (Article 13, DPC).
The necessity of data processing to discharge institutional tasks (for example, Article 19, DPC).
The necessity to meet specific legal authorisations (for example, Article 20, DPC).
Electronic payments are regulated by Legislative Decrees No. 11/2010 and No. 45/2012 (implementing EU Directives 2007/64/CE and 2009/110/CE).
Moreover, the Data Protection Authority (DPA) issued Decision No. 258 of 22 May 2014 on Mobile Payments, which states, in particular, that:
During electronic payment transactions, various personal data could be processed, potentially including sensitive data.
The payment provider must inform the data subject under section 13 of the Privacy Code, specifying the reasons for which the data is processed. In particular, the information must specify if the data is processed for the purposes of marketing, market research, profiling of the data subject, transfer or communication to third parties.
The consent of the data subject for data processing for the purpose of a mobile payment is not necessary under the exemption in section 24 b of the Privacy Code.
The consent for data processing for a different purpose than mobile payment must be collected before the data processing.
In addition to security measures under section 31 of the Privacy Code and the technical specifications regarding the minimum security measures (Annex B, section 31), the data processor must provide some additional measures:
data masking, for example by applying a cryptographic mechanism with decryption keys available exclusively to the data processor's employees, used only for customer care operations;
token-based authentication process and nominal account, for the specific profile "customer care operator" (so-called strong authentication);
"rotation mechanisms" that allow different codification keys to be applied, intended to mask the relevant data within the different systems dedicated to profiling activities.
Processed data must be kept for a limited period of time, which is proportionate to the aim of the process. This period includes the process that leads to the purchase of digital content, as well as the management of related activities such as billing, administrative and accounting tasks. The maximum period of storage of personal data is six months.
Children's privacy is a topic of strong interest and it is evolving towards strengthening of the protection of children.
In September 2015, the Data Protection Agency made public the results of the survey conducted by the Global Privacy Enforcement Network (GPEN), from which several critical issues emerged, in particular:
Serious oversights in relation to the identification of children.
Lack of transparency in the collection and use of personal data.
Possibility of the redirection of children out of the site or application in use.
Opportunity for the child to proceed directly to the purchase of products or services, and the presence of banner ads.
Children rarely receive adequate information and websites rarely implement tools (such as parental controls) aimed at stopping children from disclosing and communicating personal data, even by accident.
Finally, the new EU privacy regulation seeks to strengthen the protection of data subjects affected by the processing of personal data, especially minors (under section 8 of EU Regulation 679/2016 regarding the direct provision of information society services to minors, the processing of personal data is permitted if the child is at least 16 years old. Where the child is under 16 years old, data processing is allowed only if and to the extent to which consent is given by the child's guardian).
Sites or apps targeted at children cannot contain direct prompts to children to buy or to persuade an adult to buy something for them (Article 26, Consumer Code).
The practice of linking, as well as other practices involving the sharing of content via websites such as framing, caching, spidering and the use of metatags, are restricted in order to safeguard copyright and related rights.
The approach in Italian case law has been restrictive. The Italian courts have held liable a provider who published material covered under copyright law through links to other websites without the permission of the copyright owner, for breaching the copyright (for example, Court of Rome, 5 May 2016; Court of Catania, 29 June 2004).
The most recent approach of the European Court of Justice has been different. Under the decisions in BestWater (C-348/13) and Svensson (C-466/12), the Internet Service Provider (ISP) can link to or embed copyright material on third party websites as long as the material is freely accessible on those websites without infringing any copyright.
In these decisions the European Court of Justice has stated that the communication of a copyright work to the public without the copyright owner's consent is an infringement of copyright only when:
The public reached by the ISP is new (that is, different from the one reached by the copyright owner).
The content has been communicated by specific technical means which are different from the ones used by the copyright owner.
In 2016, the EU Court of Justice stated that the posting on a website of a hyperlink to works protected by copyright and published without the author's consent on another website does not constitute a "communication to the public" when the poster does not seek financial gain and acts without knowledge that those works have been published illegally (C-160/15, decision of 9 August 2016).
Moreover, regarding caching and spidering, the European Court of Justice, in Public Relations Consultants Associations Ltd v The Newspaper Licensing Agency Ltd and others (C-360/13), held that on-screen and cached copies of websites generated by end-users in the course of browsing can be made without the authorisation of copyright holders.
Under Article 22 of the Industrial Property Code, domain names have the same protection as the other distinctive signs (see Question 23). With reference to passing off, domain names are protected under Article 2598 of the Civil Code, which prohibits acts of unfair competition, for example:
The use of names or distinctive signs which can create confusion with names or distinctive signs legitimately used by other competitors.
Broadcasting of information and evaluations of competitors' products and activities that can bring them into disrepute.
A direct or indirect use of any other means that does not comply with the principles of professional fairness and can damage competitor's reputation and/or position.
The use of a business name as a distinctive sign is regulated by Article 22 of the Italian Industrial Property Code. The name is assigned to the company on request of the entrepreneur which can be made once the company has been registered with the Companies' Register.
The following domain names are reserved and can only be assigned to certain entities:
Names corresponding to Italian regions, provinces and municipalities (for example, Lombardia.it).
Names corresponding to certain network services or resources (such as internet.it).
Names corresponding to "unsponsored" ICANN gTLDs (for example, .com, .net, .info, .name).
Such names can only be used by Italian local government bodies, Italian government agencies, the Registry and so on.
Domains that identify Italy as a nation can only be assigned to Italian government agencies.
Domain names that correspond to the gTLDs "sponsored" by ICANN (for example, .edu, .gov) can only be assigned as second level domains (for example, gov.it) for entities that are recognised by the Italian Registration Authority as "competent authorities of the state".
The registration of a domain name is governed by the Regulation on Assignment and Management of Domain Names with the ccTLD.it (Regulation No. 7.1 of November 2014) and the related Technical Guidelines and Legal Guidelines.
A Domain Registrar is a service provider that operates under contract with the Registration Authority that is responsible for the assignment and management of the domain names within the ccTLD.it. Registrars offer a variety of services from simple registrations of domain names to the creation of websites, the provision of internet connectivity, and the supply of highly specialised services. Registrars are free to set the prices they charge for registering and maintaining an .it domain (Regulation No. 7.1 on Assignment and Management of the Domain Names within the ccTLD.it).
Jurisdiction and governing law
The regulations that determine the jurisdiction in international e-commerce transactions are:
Regulation (EU) No. 1215/2012 (Brussels I-bis), on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters.
Law No. 218/1995.
The general criterion in case of disputes concerning e-commerce is the domicile of the defendant and the location of the registered office in case of legal entities.
Further, under Article 7.1 of Regulation No. 1215/2012, a person domiciled in a member state can be sued in another member state in matters related to a contract, in the courts for the place of performance of the obligation. This means that, unless the parties agree otherwise, the relevant court is the court of the place where:
Goods have been or ought to have been delivered.
Services have been or ought to have been provided.
In case of B2C contracts, a consumer can bring proceedings against the other party to a contract either in the courts of the member state where (Article 18, Regulation No. 1215/2012):
That party is domiciled.
The consumer is domiciled.
Proceedings against a consumer can be brought only in the courts of the member state where the consumer is domiciled.
Jurisdiction can also be agreed by the parties.
Under Article 26 of Regulation 1215/2012 a court of a member state before which a defendant enters an appearance has jurisdiction.
Article 57 of Law No. 218/1995 refers to the Convention on the law applicable to contractual obligations. Therefore, Regulation (EU) No. 593/2008 (so-called "Rome I"), on the law applicable to contractual obligations, applies.
The main criterion to determine the governing law is the will of the parties. In the absence of an agreement, governing law is identified on the basis of the criteria provided under Regulation No. 593/2008 (Rome I) (Article 3 and following).
Where the consumer agreement is regulated by the law of another EU member state, the consumers who are resident in Italy can enforce the rights granted by the Consumer Code (Article 66-ter).
In the Italian legal system there are various out-of-court settlement procedures.
Regulation (EU) No. 524/2013, on online dispute resolution, introduced an online platform for disputes arising between consumers and professionals who entered into an online agreement. This system was implemented on 15 February 2016 (www.webgate.ec.europa.eu/odr).
The Consumer Code provides for a voluntary procedure for out-of-court settlement of domestic and cross-border disputes between consumers and professionals residing and established in the EU (Article 141, paragraph 4). Under this procedure, an alternative dispute resolution body offers a solution or brings the parties together to facilitate an amicable settlement.
Legislative Decree No. 28/2010 covers mandatory mediation in disputes related to, among other things:
Family law agreements.
Wills and inheritance.
Compensation in personal injury and medical liability matters.
Banking and finance.
Arbitration is regulated by the Italian Civil Procedure Code and cannot be started in the absence of an agreement between the parties.
The following legislation applies to advertising goods/services online:
Legislative Decree No. 145/2007 on misleading advertising.
Legislative Decree No. 70/2003 on e-commerce.
The Code for the Self-regulation of Commercial Communications (61st edition, effective from 22 March 2016) issued by the Italian Advertising Standards Association.
Under the Consumer Code, commercial communications must:
Be made in a clear and comprehensive manner.
Be clearly identifiable as commercial communications and identify the sender (Article 22).
Clearly identify any promotional offers and ensure that any applicable conditions to qualify for the offer are easily accessible, and presented clearly and unambiguously (Article 23).
Under Legislative Decree No. 145/2007, advertising must be clear, truthful and fair (Article 1) and any subliminal advertising is prohibited (Article 5).
Under Legislative Decree No. 70/2003 commercial communications must contain specific information and clearly and unequivocally highlight (Article 8):
That it is a commercial communication.
The natural or legal person on whose behalf the commercial communication is made.
That it is a promotional offer and stating the conditions of obtaining any discounts, prizes, or gifts.
That, if applicable, it is a promotional offer or a game, and the conditions to participate.
Italian legislation provides for certain restrictions applicable to the advertisement/sale of certain types of products and services which include restrictions to the sale online.
For example, the promotion of medicines and medical devices in Italy is regulated by the Legislative Decree No. 219/2006 (which implemented European Directive 2001/83/EC) and subsequent amendments, which list specific rules concerning the content of the advertising.
Moreover, specific regulations are provided for the advertising of the following products:
Financial services (LD No. 58/1998 and the Regulation No. 16190/2007 of the authority for the regulation of the Italian financial markets (CONSOB)).
Food (Regulation (EU) 1169/2011 on the provision of food information to the consumers).
Food supplements (LD No. 169/2004 which implemented the European Directive 2002/46/CE).
Alcoholic beverages (Law No. 125/2001).
Cosmetic products (Regulation (EU) No. 1123/2009).
Another example of specific rules for advertising is the Code for the Self-regulation of Commercial Communications (61st edition, effective from 22 March 2016) issued by the Italian Advertising Standards Association, which also contains specific rules on advertising of different kinds of products such as:
Alcoholic drinks (Article 22).
Cosmetic products, medicinal treatments and personal hygiene (Article 23).
Food supplements and health foods (Article 23bis).
Medicinal products and curative treatments (Article 25).
The Code for the Self-Regulation of Commercial Communications is binding for agencies, consultants, media, sales houses and others that accept the Code by entering into an agreement or by signing a contract for advertising.
The entities that adhere to the Code typically include an acceptance clause in their contracts or those of their associates asking users to follow the Code and self-regulatory policies. Therefore, the majority of Italian commercial communications are bound by the Code.
Article 130 of the Privacy Code includes the opt-in rule for online commercial communication and advertising. This means that online communications for the purposes of direct marketing can only be made with the recipient's prior consent. However, if a data controller processes, for the purposes of direct sales of its products or services, the e-mail address provided by the data subject concerned in the context of the sale of a product or service, they do not need to collect the prior consent of the data subject for sending further e-mails concerning the same product or service.
Language requirements are established by:
The Consumer Code (Article 5 and following), which provides that:
the information intended for consumers and users must be given in Italian;
information about the safety, composition and quality of products and services is an essential part of the disclosure requirements;
consumer information must be appropriate to the means of communication used and expressed in a clear and understandable manner such as to ensure consumer awareness. The Code also indicates the minimum content of information on consumer products and how to display such information.
Legislative Decree No. 70/2003, which provides:
specific information required for commercial communications (Article 8);
that unsolicited commercial communications (spam) in e-mail must be clearly and unequivocally identifiable from the moment of receipt by the recipient and must indicate that the recipient of the message can refuse receipt in future (Article 9).
Specific language rules also apply for advertising certain goods (such as medicines and financial services).
In principle, online sales made by a foreign company are not subject to taxation in Italy, unless the sales are made through a permanent establishment (PE) in Italy.
Under the Italian Income Tax Code (Article 162, paragraph 5), computers and systems enabling collection and transmission of data and information to sell goods and services do not constitute a PE. Article 5 of the OECD Model Convention states that a PE of a foreign company in Italy exists if the company has a physical presence in the country that is a fixed place of business through which the business of the company is wholly or partially carried on.
The OECD clarified the distinction between "website" and "server" and the situations in which the use of computer equipment in a country could constitute a PE.
A website alone as a combination of software and electronic data cannot be considered a PE as it has no physical location that can constitute a "place of business". A website which is hosted on the server of an Internet Service Provider (ISP) does not constitute a PE.
The server on which the website is stored and through which it is accessible, and which consists of computer equipment that has a physical location, can constitute a fixed place of business of the company that operates that server. The server must be located at a certain place for a sufficient period of time to constitute a fixed place of business.
In principle online sales (that is, supplies of goods and services by electronic means) made by a foreign company to Italian customers are subject to VAT in Italy.
To identify whether companies supplying goods and services in Italy are subject to VAT, it is necessary to distinguish between:
Direct e-commerce (online sales). Online sales cover all situations where a commercial transaction (transfer and delivery) takes place only by electronic means, through the sales of virtual and intangible products. From 1 January 2015, online sales are subject to VAT in Italy through the principle of applying VAT-taxation in the state of the customer (customer's place of establishment rule). The liability for VAT for online sales depends on whether the sale is made as:
Business-to-business (B2B). B2B sales are subject to VAT in Italy. The foreign seller is not required to register for VAT purposes in Italy and has no VAT obligations. VAT is settled by the Italian customer (that is, a taxable entity or taxable person) through the reverse-charge mechanism;
Business-to-consumer (B2C). B2C sales are subject to VAT in Italy (or another state where the customer has a permanent address or his habitual residence). Foreign sellers are liable for settling Italian VAT and therefore they must register for VAT purposes in Italy to comply with the Italian VAT obligations.
To allow EU and non-EU sellers to avoid multiple VAT registrations in the different EU countries where goods and services are sold, a simplified and optional regime (Mini One Stop Shop (MOSS)) has been introduced from 1 January 2015. EU and non-EU sellers can opt in to MOSS, which enables them to have all the formal VAT requirements and VAT payments dealt with in the EU state where they decide to be registered for this purpose, and so avoid needing a VAT registration in each EU state in which online sales are carried on.
Indirect e-commerce (offline sales). Offline sales consist of sales of tangible goods made by electronic means delivered through traditional channels (for example, postal service, courier, and so on). The liability for VAT for offline sales depends on whether the sale is made as:
B2B. Such sales are subject to VAT in Italy. The foreign seller is not required to register for VAT purposes in Italy and it has no VAT obligations. For goods that are transported from an EU state to Italy, VAT is settled by the Italian customer (that is, a taxable entity or taxable person) through the reverse-charge mechanism (intra-community transactions). For goods that come from a non-EU state, VAT is levied by the customs office together with customs duties (import transactions);
B2C. Sales of goods made to Italian consumers are subject to VAT in Italy only if the total amount of the sales made in a year exceeds the threshold of EUR35,000. In such case, the EU seller must appoint a VAT representative or apply for an Italian VAT registration to fulfil the VAT obligations. If the seller does not exceed the threshold, the EU seller can apply for VAT registration in his state of residence.
Protecting an online business
Liability for content online
The liability of internet service providers is regulated by Legislative Decree No. 70/2003.
The Consumer Code includes specific provisions related to unfair commercial practices. Website operators can be punished for carrying out misleading commercial practices (that is, providing untrue information that misleads consumers) and aggressive practices (that is, practices that induce consumers to make choices that they would not otherwise make).
Moreover, the legislative framework will change to implement the changes currently under discussion at the EU level (such as EU Commission proposal for a directive on certain aspects concerning contracts for the online and other distance sales of goods, of 9 December 2015 (Com (2015) 635)).
Under Article 7 of the Legislative Decree No. 70/2003, a service provider must render the following information easily, directly and permanently accessible to the recipients of its services and competent authorities:
Name and legal form of the company.
Location of the registered office.
Company's contact details.
The Companies' Registry where the company is registered and the relevant registration number.
Company's tax code and VAT number.
Where the service provider refers to prices, it must display them clearly and unambiguously and it must indicate whether they are inclusive of tax and delivery costs.
The relevant information must be updated when necessary.
The additional requirements for B2C contracts are regulated under Article 49 of Consumer Code.
These requirements include:
The main characteristics of the goods.
The total price of the goods inclusive of taxes.
Payment, delivery, and performance arrangements, the time by which the trader undertakes to deliver the goods and, where applicable, the trader's complaints handling policy.
Where a 14-day right of withdrawal exists, the conditions, time limit and procedures for exercising that right of withdrawal, as well as the model withdrawal form attached to the Consumer Rights Directive.
Where applicable, that the consumer will have to bear the cost of returning the goods in case of withdrawal and if the goods, by their nature cannot normally be returned by post, the cost of returning the goods.
Information that a right of withdrawal is not provided by law, where applicable, or the circumstances under which the consumer loses his right of withdrawal (for example, for bespoke or altered items).
Information on the existence of a legal guarantee of conformity of goods.
Where applicable, information on the existence and the conditions of after-sale customer assistance, after-sales services and commercial guarantees.
The duration of the agreement, where applicable, or the conditions for withdrawal if the contract is open-ended or automatically renewable.
The minimum duration of the consumer's obligations under the contract, where applicable.
Where applicable, the possibility of an out-of-court complaint and redress mechanism to which the trader is subject.
Under Article 17 of Legislative Decree No. 70/2003, service providers do not have a general obligation to monitor all the information which they store, or a general obligation to investigate facts or circumstances indicating illegal activity. However, under Article 16 the service provider is not considered liable for the information stored at the request of the recipient as long as:
The provider does not have actual knowledge of the illegal activity or information, and is not aware of facts or circumstances which make clear the illegality of the activity or information.
As soon as it becomes aware of these facts, the provider immediately removes or disables access to the information.
However, the service provider must:
Inform the judicial or administrative authority immediately, as soon as it becomes aware of an alleged illegal activity or information regarding one of its recipients.
Give, as soon as it receives notice from the competent authority, information that makes it possible to identify the recipient of the service.
The service provider bears civil liability for the content of services, when, requested by the judicial authority or the administrative authority, it did not act promptly to block access to the content, or despite being aware of the illegality of the content, did not inform the competent authority.
Legislative Decree No. 70/2003 does not explicitly impose an obligation on internet service providers to undertake preventive monitoring of the information and content that users upload to platforms, because they would have to filter all the content and information uploaded. When requested by the judicial authority or the administrative authority (the Italian Communications Authority (Autorità per le garanzie nelle comunicazioni) (AGCOM)), internet service providers must remove illegal content or information.
Moreover, internet service providers must remove the unlawful information or disable relevant access, when it is requested by:
A competent authority.
Any interested private party.
In accordance with recent Italian case law (Court of Rome, 27 April 2016), to assess the responsibility of the internet service providers regarding the information or content transmitted, it is necessary to consider the activities exercised by the ISP to determine when it takes a purely technical role (passive role) or an active role in the transmission and content selection activities. This follows the opinion of the Advocate General of the European Court of Justice that the competent authority or the interested private party must always specify the concrete measures to be taken by the ISP, to balance the fundamental rights of interested parties. The measures must be appropriate to achieve the aim pursued and cannot be disproportionate. It is not sufficient to request a general injunction.
Liability for products / services supplied online
A set of special liability rules for e-commerce is provided by LD No. 70/2003. For example:
Mere conduit. Under Article 14, the service provider is not liable for the information transmitted, on condition that the provider does not:
initiate the transmission;
select the receiver of the transmission;
select or modify the information contained in the transmission.
Caching. Caching is defined as the transmission in a communication network of information provided by a recipient of the service. Under Article 15, the service provider is not liable for the automatic, intermediate and temporary storage of information, performed for the sole purpose of increasing the efficiency of the information's onward transmission to other recipients of the service on their request, if the provider:
does not modify the information;
complies with conditions on access to the information;
complies with the rules regarding the updating of the information, specified in a manner widely recognised and used in the industry;
does not interfere with the lawful use of technology, widely recognised and used in the industry, to obtain data on the use of the information;
acts expeditiously to remove or to disable access to the information it has stored on obtaining actual knowledge of the fact that the information at the initial source of the transmission has been removed from the network, or access to it has been disabled, or that a court or an administrative authority has ordered the removal or disablement.
Hosting. Hosting is defined as storing information provided by a recipient of the service. Under Article 16, the service provider is not liable for the information stored at the request of a recipient of the service, if:
the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent;
the provider, once it has obtained knowledge or awareness of the illegal activity, on communication from the competent authority, acts expeditiously to remove or to disable access to the information.
Each business online is different and therefore the insurance policy should be tailored specifically to the requirements of the relevant business.
However, the following areas must be addressed by a standard insurance policy for online business:
Business interruption insurance.
On 26 August 2016, the Government approved LD No. 179/2016, amending the Digital Administration Code, which should ensure development of the digital sector. Moreover, there are changes currently under discussion at Community level (see Question 36) that will surely also entail changes in our jurisdiction.
Description. This is a database of the Italian legislation in force maintained by the Istituto Poligrafico e Zecca dello Stato (Institute which publishes the Italian Official Gazette). The legislation is in Italian only.
Agency for Digital Italy (Agenzia per l'Italia Digitale)
Description. Website of the Agency for Digital Italy. The documents available are in Italian only.
Italian Anti-trust Authority (Autorità Garante della Concorrenza e del Mercato)
Description. Website of the Italian Antitrust Authority. It includes some sections in English including legislation (not official translation).
Rucellai & Raffaelli
Professional qualifications. Italy, 1995
Areas of practice. Corporate; commercial; M&A; outsourcing; energy; IT; new technology.
Languages. Italian, English, French
Rucellai & Raffaelli
Professional qualifications. Italy, 2001
Areas of practice. Commercial litigation; domestic and international arbitration; privacy law; copyright law; intellectual property; advertising law.
Languages. Italian, English, German
*The authors would like to thank Paolo Belli for co-ordination activities, and Giorgio Tomasicchio for advice on tax matters.