


Door-to-door sales and CRM: errors that cost millions nowadays

Published on 25 March 2026 | reading time approx. 4 minutes

In a decision dated February 12, 2026, the Italian Data Protection Authority fined a well-known company in the Italian energy sector EUR 2 million following numerous complaints regarding unsolicited supply contracts entered into using inaccurate or outdated personal data.

The company’s customers, in reporting the unlawful conduct to the Authority, stated that they had only learned of the activation of service after receiving communications from the company confirming the activation or, worse, payment reminders: the relevant documentation contained inaccurate personal data (e.g., email address, billing address, phone number, identification document details, etc.), as well as forged signatures. 

The investigation conducted by the Italian Data Protection Authority identified a series of data protection violations, most of which stemmed from the inadequate procedures governing the activities of the “door-to-door” agents, who had been designated as data processors by the sanctioned company. 

Specifically, the agents collected personal data from potential customers based on instructions provided by the company in the agency contract and, in particular, in the “AE Code of Ethics” and the “Data Processing Agreement” attached thereto. As of the date of the inspections, however, these instructions contained no detailed guidelines on procedures for verifying the customer’s identity. They merely stipulated that the agent was required, upon accepting the contractual proposal in paper form, to “make a copy of the identity document of the account holder” and, upon signing digitally, to “scan the customer’s identity document.” The instructions thus left the agent a wide margin of discretion regarding the tools and methods to be used to obtain a copy of the data subject’s identity document, which is inconsistent with the controller-processor relationship.

On that occasion, the Italian Data Protection Authority also pointed out that such a procedure does not appear to be in line with the principles of integrity and confidentiality set forth in the GDPR, as it is not suitable for ensuring that the documentation acquired by the agent is transmitted solely to the company’s systems and immediately deleted from the agent’s device. 

With regard to the subsequent stages of the contract formation process, it was also noted that the “Welcome Message” was sent to the customer at the email address provided during contract signing without verifying either the address itself or the actual receipt of the message. Such a process does not provide sufficient certainty regarding the quality of the collected data, its correspondence with the actual user of the account, or the user’s identity, resulting in a high risk of acquiring unsolicited contracts containing inaccurate and outdated personal data.

The inspection findings also revealed that, at the time, the company had not implemented a system to detect when agents uploaded recurring phone numbers, email addresses, and IP addresses into the CRM, a check intended to verify the accuracy of the personal data contained in contracts obtained by agencies. Furthermore, the company had not implemented, for these channels, the instant call procedure in place of the OTP measure, which the Italian Data Protection Authority deemed insufficient in any case, as the agent could provide a different contact detail (such as a number at their disposal) to finalize the contract without the knowledge of the customer, who would subsequently dispute the contact detail used for activation.
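The recurrence check described above can be sketched as follows. This is an added example, not code from the decision or from the sanctioned company; the record layout, field names and sample values are constructed, and the `ip` field is assumed to be the address recorded when the contract was uploaded.

```python
import re
from collections import defaultdict

# Constructed sample of CRM uploads. Field names and values are assumptions made
# for this example; "customer" stands for a stable key such as a tax code.
FIELDS = ("contract", "agent", "customer", "phone", "email", "ip")
UPLOADS = [dict(zip(FIELDS, row)) for row in [
    ("C-1001", "A-17", "CUST-01", "+39 333 123 4567", "m.rossi@example.com", "198.51.100.7"),
    ("C-1002", "A-17", "CUST-02", "333 1234567", "l.bianchi@example.com", "198.51.100.7"),
    ("C-1003", "A-17", "CUST-03", "0039 333 1234567", " Agent.Box@example.net", "198.51.100.7"),
    ("C-1004", "A-22", "CUST-04", "347 555 0101", "agent.box@example.net", "203.0.113.40"),
    ("C-1005", "A-22", "CUST-05", "02 5550199", "g.verdi@example.org", "203.0.113.41"),
    ("C-1006", "A-22", "CUST-05", "02 5550199", "g.verdi@example.org", "203.0.113.41"),
]]

def norm_phone(raw):
    """Reduce a phone number to national digits (Italian +39/0039 prefix assumed)."""
    digits = re.sub(r"[^\d+]", "", raw)
    return re.sub(r"^(\+|00)39", "", digits).lstrip("+")

NORMALIZERS = {
    "phone": norm_phone,
    "email": lambda raw: raw.strip().lower(),
    "ip": lambda raw: raw.strip(),
}

def recurring_details(uploads, min_customers=2):
    """Return contact details or IPs that appear under several distinct customers."""
    seen = defaultdict(lambda: {"customers": set(), "agents": set(), "contracts": []})
    for rec in uploads:
        for field, normalize in NORMALIZERS.items():
            value = normalize(rec.get(field) or "")
            if not value:
                continue  # missing detail: nothing to compare
            entry = seen[(field, value)]
            entry["customers"].add(rec["customer"])
            entry["agents"].add(rec["agent"])
            entry["contracts"].append(rec["contract"])
    findings = []
    for (field, value), entry in sorted(seen.items()):
        # Two contracts of one customer are not a recurrence; distinct customers are.
        if len(entry["customers"]) >= min_customers:
            findings.append({"field": field, "value": value, "contracts": entry["contracts"],
                             "customers": sorted(entry["customers"]), "agents": sorted(entry["agents"])})
    return findings

if __name__ == "__main__":
    for f in recurring_details(UPLOADS):
        print(f["field"], f["value"], f["customers"], f["agents"])
```

A shared phone number or IP address can be legitimate (one household, one office network), so each finding is a candidate for review before activation rather than proof of a forged contract.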

Finally, the Italian Data Protection Authority found the company to be in breach of regulations for failing to establish a specific audit plan regarding personal data protection with respect to the “door-to-door” network.

Conclusions

The case examined by the Italian Data Protection Authority clearly demonstrates that, when the collection and processing of personal data are not underpinned by clear procedures, adequate technical checks and effective controls, problems arise immediately. Unverified identities, inaccurate contact details, repeated uploads to the CRM and excessive discretion granted to external data processors are no longer considered mere operational anomalies: they are now classified as direct breaches of the principles of accuracy, integrity and confidentiality under the GDPR.

The measures required by the Italian Data Protection Authority in the ruling — detailed instructions to the data controller; specific procedures for identity verification; checks on the acquisition and receipt of the welcome message; systems for detecting recurring contact details and IP addresses in CRM uploads; the adoption of an ‘instant call’ mechanism to confirm number and identity; a dedicated audit plan for the network of data processors — now represent the minimum standard for ensuring the compliance of ‘door-to-door’ sales networks.

The Authority’s message is therefore very clear: the absence of structured and verifiable procedures is no longer compatible with the GDPR.

In all contexts where customer data is collected via intermediaries, agents or external networks, the lack of preventive and subsequent controls inevitably exposes the company to the same risks that emerged in this case: unsolicited activations, complaints, inspections, disputes and, ultimately, significant fines.

Organisations are therefore called upon to promptly verify whether their processes comply with these conditions: failing to comply today means knowingly taking the risk of replicating a scenario entirely analogous to that sanctioned by the Data Protection Authority.

author

Chiara Benvenuto

Attorney at law (Italy)

Manager
