Unlawful telemarketing activities: the Italian Authority strikes another blow

published on 28 November 2023 | reading time approx. 7 minutes


On 12 October 2023, as a result of a preliminary investigation procedure conducted as a direct consequence of a number of complaints presented during the year 2022, the Italian Data Protection Authority (hereinafter, "Authority") sanctioned a company engaged in the production of coffee (hereinafter, "Company") for a total amount of 70,000 Euro.  

With reference to the provisions of Regulation (EU) 2016/679 (hereinafter, "GDPR"), the Authority declared unlawful the processing of personal data conducted by the Company in the context of its telemarketing activity. In this context, the Company allegedly promoted and advertised its own coffee brand through unsolicited telephone calls addressed, in particular, to users registered in the Public Register of Oppositions (hereinafter, "RPO").

Let’s review together the main aspects to provide some operational hints on the proper management of telemarketing activities.

In the light of the complaints received, the Authority made two preliminary requests for information to the Company, namely on 22 November 2022 and 24 February 2023. As a result, it was found that:
  • the Company had allegedly contacted the data subjects on the basis of a mere “random typing error”, declaring that it did not hold the personal data in its database;
  • the telemarketing activity was allegedly carried out manually towards contacts collected by word of mouth from customers and through sponsored links, as well as by means of lead generation processes (i.e. the activity by which a company, in order to promote its products, acquires lists of personal data from third parties for marketing purposes);
  • among the channels for collecting the contact data of the interested parties, the Company allegedly also used its own advertisers and so-called list providers, i.e. third parties who, in advertising the coffee brand through advertisements on their websites, collect the personal data of users and transmit it to the Company, in exchange for a fee, for its promotional campaign;
  • the telemarketing activity was allegedly carried out through caller numbers in the Company's name and, at the same time, through users who were not duly registered in the Register of Communication Operators (hereinafter, "RCO"), allegedly created ad hoc through telephone spoofing techniques. 

With reference to the collection of personal data from data subjects contacted for promotional purposes, the Authority pointed out that, in compliance with the provisions of the GDPR and the principles of privacy legislation, the data controller is always required to provide the privacy policy and to obtain the prior consent of the data subject receiving the promotional contact, leaving aside the application of the aforementioned RPO.

On the basis of this premise, and with reference to the data collection channels declared by the Company, the Authority ruled that:
  • word-of-mouth is not a valid and lawful way of acquiring personal data, since the person who provides it is not (as a rule) entitled to provide valid consent on behalf of the recipient of the promotional communication;
  • the purchase order form filled in by the telephone operator in the context of the inbound channel, through which the data subject contacts the Company in order to purchase one of its products, cannot constitute evidence of express consent to the processing of data for promotional purposes. This form, in fact, is only valid in the contractual sales relationship established between the parties and can never represent a guarantee in terms of the lawfulness of the processing of the data subjects’ personal data;
  • no documentation was requested or verified concerning the origin of the data and the lawfulness of the legal basis used for marketing purposes, with reference to the personal data acquired from the list providers, in respect of which the Company merely relied on the contractual guarantees provided for and the good relations of collaboration in place. Moreover, subsequent to the acquisition, the Company did not even "match" the list of personal data against those registered with the RPO, failing to verify the tracking of the oppositions made by the data subjects to marketing contacts. In this regard, the Company unsuccessfully attempted to justify itself by pointing out to the Authority certain technical problems connected with the RPO that allegedly prevented the Company's proper registration. However, the Authority stated that registration in the list of operators authorized to consult the RPO is a pre-condition for the lawfulness of personal data processing for telemarketing purposes.

With regard to the accountability profiles, the Company allegedly did not respond adequately to the requests of some data subjects, with particular reference to the requests for opposition relating to telemarketing contacts. In particular, the Company merely ascribed the unlawfulness of its conduct to the random dialing of the telephone numbers, verbally assuring the data subjects that their respective contact details would be included in a “wrong list” as evidence of the opposition made. However, as pointed out by the Authority, the Company did not provide a copy of this "wrong list" or of the "black list" mentioned during the hearing; for these reasons, the Authority was not able to verify the correct tracing of the manner and timing of the acquisition, as well as the revocation, of the consents given, and therefore had to confirm the violation of Articles 12, 15 and 21 of the GDPR.

Nor does the Company appear to have implemented appropriate technical and organizational measures with regard to so-called "chain controls". This is the conclusion reached by the Authority with respect to some telephone contacts made through telephone utilities registered in the Company's name which, according to its statements, were unduly carried out by one of its former partners who, after the collaboration had ended, allegedly took the personal data from the Company’s database unlawfully.

According to the Authority, the Company should have implemented adequate security measures to protect its name from being misused by abusive third parties. Instead, the Company merely limited itself to warning the former partner not to use personal data coming from its database, without taking any further initiatives (among which the Authority recommends, for example, the filing of a formal complaint with the competent Authorities).

Taking into account all the analyzed elements and in line with the guidelines of the Authority, it is possible to recommend certain measures and fulfilments that companies should take into consideration in order to make their telemarketing activities lawful. In particular:
  • the telemarketing activity must always be preceded by the acquisition of consent to receive the call and by the provision of an appropriate privacy policy, which should include telemarketing purposes; in the case of marketing processing carried out within inbound channels, the order form filled out by the telephone operator is, in itself, valid only and exclusively to conclude the contract with the customer and never represents consent for telemarketing purposes;
  • "word of mouth" is not a valid channel for the collection of personal data. The "random dialing" of numbers is not an activity that exempts the data controller from complying with the GDPR;
  • it is the responsibility of the data controller to provide evidence regarding: (i) the consent acquired, (ii) the date on which the consent was acquired, (iii) the identity of the data subject. This documentation activity should take place through evidence of the relevant logs and through a so-called double opt-in process, whereby, by sending a confirmation email to the data subject once consent has been acquired, the data controller is able to document the actual willingness to receive promotional calls;
  • the telephone operator should be instructed as to the proper way to carry out the telemarketing activity, which cannot disregard the preparation of an adequate call script containing appropriate information (to be rendered to the data subject before proceeding with the promotional activity);
  • in the event of the acquisition of personal data to be used for telephone contact from so-called list providers, the data controller should verify, prior to the acquisition, (i) the origin of the data, (ii) the legal basis underlying the processing of the data for marketing purposes, (iii) the proper provision, by the list provider, of a privacy policy containing the purpose of the transfer of personal data for marketing purposes, (iv) the proper acquisition of the consent of the data subject to the transfer of the data by the list provider to a third company. Once the data have been acquired, it is then necessary to check them against the Public Register of Oppositions in order to avoid promotional contacts to those data subjects who have correctly formulated their opposition;
  • the exercise of rights by data subjects must always be managed in accordance with Articles 15-22 of the GDPR and the "telemarketing chain" must be constantly monitored in order to avoid "abusive" operations, in compliance with the GDPR principle of accountability. In this regard, it is recommended to adopt internal procedures to keep track of the processing activity carried out by the supply chain in order to avoid promotional contacts that are not supported by an adequate legal basis.

DATA PROTECTION BITES

author

Tommaso Mauri

Attorney

Associate

Martina Ortillo

Attorney

Manager
