


Italian Authority strikes again on marketing data retention period


published on 24 April 2024 | reading time approx. 7 minutes


On 22 February 2024, the Italian Data Protection Authority (hereinafter, the “Authority”) fined a well-known regional rail transport company (hereinafter, the “Company”) in the amount of EURO 50,000. Following a report received from a data subject, the Authority conducted a preliminary investigation to ascertain the profiles of non-compliance with Regulation (EU) 2016/679 (hereinafter, the “GDPR”) with reference to the processing of personal data of the Company's customers. 

The measure is interesting insofar as the Authority, among the various profiles touched upon, dwells in particular on the issue related to the retention period of personal data collected for marketing and profiling activities in order to recall the importance and relevance of the indications provided in the measure “Fidelity card e garanzie per i consumatori. Le regole del Garante per i programmi di fidelizzazione” (hereinafter, the “Fidelity guidelines”) of 24th February 2005.

The retention period of 24 months for personal data processed during promotional campaigns and the retention period of 12 months for personal data processed for profiling purposes would still seem to be decisive.

In particular, the Authority's attention focused on the Company’s subscription form provided for subscriptions to the local public transport service. The Company, in fact, allegedly failed to clearly describe the purposes of the processing of data subsequent to the signing of the form – in particular with regard to the identification and distinction of the purposes of the service provided – and also failed to clearly inform the user of the processing activities related to marketing campaigns, customer satisfaction surveys (such as, for example, market research and surveys on the satisfaction of the transport service) and the sending of SMS messages concerning the status of the transport service provided by the Company. Moreover, the privacy notice referred to at the bottom of the aforementioned form did not contain all the elements required by Article 13 of the GDPR.

Starting from the objections made with reference to the processing of personal data for promotional purposes, the Authority contested the Company's lack of transparency concerning the collection of the consent necessary to carry out the processing activities related to marketing, customer satisfaction, and the sending of SMS messages to update the customer on any strikes or particular planned changes to the transport service provided. In fact, according to what emerged from the preliminary investigation conducted, the Company would have indicated, in a misleading and unclear manner, that “failure to consent to the processing of data for the activities indicated in letters b and c of this privacy notice will result in the impossibility for the Company to carry out these activities and therefore the impossibility to access the services indicated above”.

The Authority objected to the fact that the wording relating to the “services referred to above”, which, moreover, turned out to be a definition relating to processing activities linked to customer satisfaction and to the sending of information text messages on the status of any strikes or scheduled changes to the travel itinerary, would have left the data subjects concerned with the impression that giving consent to the processing of personal data was necessary in order to obtain the travel card and subscribe to the transport service. Such an ambiguous expression, in essence, could have led the data subject to believe that consent to the processing was necessary in order to obtain the card and benefit from the transport services, and not – on the contrary – coinciding with the choice to benefit from the promotional and informative activities.

Secondly, the Company had also failed to indicate, both in the contractual form for requesting the travel card and in the attached privacy notice, the right of the data subject to revoke the consent given at any time, without such revocation affecting the lawfulness of the processing based on the consent originally given. Moreover, not even the reference to the data subject's right to object to the processing of his or her personal data for direct marketing purposes was brought to his or her attention in the privacy notice, since the Company merely quoted the text of the now repealed Article 7 of Legislative Decree 196/2003 (better known as the Privacy Code).

Not even the purpose of the processing linked to the possibility for subscribers to receive, on an optional basis, text messages informing them of the existence of possible strikes or planned changes to their travel itinerary had been correctly and exhaustively described in the privacy notice provided: according to the Authority, in the privacy notice the Company failed to indicate in a precise and accurate manner the actual circumstances in which the data subjects could have received such text messages, with the consequent impairment of the possibility for them to understand the purposes of the processing (given, in particular, the highly generic description).

On the personal data retention topic, which probably represents the most interesting passage of the measure, the Authority challenged the Company for having adopted a disproportionate and unjustified term for the retention of personal data necessary for the pursuit of marketing and customer satisfaction activities. The Company, in fact, would have identified a data retention period of 10 years from the collection of the data, which turned out to be the same as that indicated for the retention of the data necessary for the performance of the transport agreement and the relative service.

The Authority has criticised this approach, considering the choice of such a data retention period to be inconsistent with the purpose pursued, and has in particular referred to the Fidelity guidelines: in order to define the retention periods for personal data subject to marketing and profiling activities, the data retention periods of 24 months for data relating to marketing and 12 months for data relating to profiling are still valid. In fact, in the opinion of the Authority, “one certainly cannot come to the conclusion that a data controller, on the basis of this principle (cf. of accountability) – which needs to be balanced with the other fundamental principles provided for by the GDPR – can deviate excessively from the aforementioned provisions, without being able to incur the breach of the principle of limitation of storage of the GDPR”. Even the mere indication of a generic retention period (“until the date of revocation of consent”) cannot be considered compliant with the requirements of the GDPR, since the data subject may never change his or her wishes or keep them unchanged sine die.

On the other hand, with specific reference to the privacy notice provided, the Authority would have ascertained the absence of:
  • the contact details of the designated DPO;
  • the legal bases adopted for each of the stated purposes of processing – with particular reference, as we have seen above, to the distinction between the guarantees of lawfulness inherent in service and promotional purposes;
  • the recipients or categories of recipients of the personal data being processed;
  • the data retention periods in relation to the stated purposes – which, as we have seen, cannot be indicated in a generic manner but must be identified in detail and in a specific form;
  • the data subject's rights under Articles 15 to 22 GDPR and how to exercise them;
  • the right to revoke consent given at any time, including the right to object to direct marketing processing;
  • the right to lodge a complaint with the Authority.

In conclusion, it is key for data controllers to bear in mind the regulatory obligation to adopt a clear and intelligible privacy notice that is particularly transparent with respect to all the purposes pursued. In doing so, and with specific reference to cases of processing related to the performance of promotional activities, it is necessary to make sure that consent is obtained in accordance with the principles established by the GDPR, that the rights of the data subjects are exhaustively described and concretely protected, and that data retention periods are adopted in accordance with the provisions of the Fidelity Guidelines, which the Authority still considers fundamental.

DATA PROTECTION BITES

author


Tommaso Mauri

Lawyer

Associate

+39 02 6328 841


Chiara Benvenuto

Lawyer

Senior Associate

+39 02 6328 841
