Recent telemarketing sanctions in Italy

The Italian Data Protection Authority has heavily sanctioned abusive telemarketing practices, in particular through two very recent measures: one of December 11, 2019 against Eni Gas e Luce (EGL), with a penalty of 11.5 million euros, and the other of January 15, 2020 against TIM S.p.A., with a penalty of 28 million euros.


The sanctions imposed on Eni Gas e Luce (EGL), for a total of 11.5 million euros, concern respectively:


1. unlawful processing of personal data as part of promotional activities (in particular for telemarketing and teleselling activities);
2. activation of unsolicited contracts.
 
The Data Protection Authority has found unlawful conduct regarding the "unlawful processing of personal data in the context of promotional activities", such as:

  • the acquisition of potential customers' data from parties (list providers) that had not obtained consent for the communication of such data: the Data Protection Authority did not consider lawful the transfer of prospect contacts to EGL by C4b S.r.l., which in turn had acquired them from Facile.it (the party that had originally collected the prospects' consent to be contacted by third parties for marketing purposes). The aim of this finding is to prevent a single consent from propagating through an infinite series of transfers. The Authority's approach appears to suggest that from now on a new legal basis will have to be found to justify the transfer from the original data controller to the new data controller, as the latter can no longer rely on the third-party marketing consent originally given by the data subject;
  • delays in updating the status of consents: events of misalignment of the CRM and the blacklist and delays by EGL in handling requests from some data subjects who had expressed their wish not to be contacted;
  • lack of audits of list providers: the personal data in the lists acquired by EGL through the list providers are not subject to checks, even on a sample basis, that prove compliance in the data collection with the provisions relating to the provision of the information notice, the acquisition of consent, and checks against the Public Opposition Register;
  • lack of justification for telephone contacts connected to alleged "caring" activities: the Data Protection Authority has established that such caring activities do not amount to teleselling and telemarketing, but rather apply whenever a customer contact is made to resolve administrative problems, or to update the data of that customer, or if the customer has contacted the call center at least three times in the last five days.

Considering such findings, the Data Protection Authority therefore required EGL:

  • to implement mechanisms of data flow automation from CRM to black-list;
  • to implement procedures and systems (also through access to dedicated areas of the list providers' and publishers' databases or the use of control tools) in order to verify, also through a relevant sample, before the start of the promotional campaign, the status of the consent of the data subjects included in the acquired contact lists.

With Measure no. 7 of 15 January 2020, the Data Protection Authority imposed on TIM S.p.A. a sanction of 28 million euros for numerous instances of unlawful data processing related to marketing activities.


In particular, the following unlawful conduct was detected:

  • commercial contacts made during promotional campaigns aimed at "prospect" parties, without the consent of the parties concerned, despite the registration of telephone users in the Public Opposition Register, or made in the context of service contacts or without promptly incorporating the exercise of the right of opposition into their systems;
  • lack of control by the Company TIM on the work of its partners during the execution of the commercial campaigns: on the one hand, this consists in an inadequate implementation by TIM of shared management procedures, which would allow an adequate control by the Company itself as buyer and also as supplier of contact lists on the overall management of the processing for promotional purposes, and, on the other hand, the related obligation to account for its activities in line with the principle of accountability. In addition, the events in question revealed flaws in the functioning of the automated system of exclusion from the contact lists, confirmed by various anomalies in the systems that did not guarantee a correct and consistent representation of the negative will of the data subjects;
  • incorrect management of the exclusion lists from commercial campaigns (so-called "blacklists"): failure to update the black-lists on the basis of the denials expressed by the data subjects during the commercial telephone contact, which led to gaps in the accuracy and quality of the data in the company's information systems and inconsistencies of the data on TIM's black-lists with those of its partners;
  • promotional telephone calls to phone numbers, not present in the contact lists (so-called outliers), made by business partners without the consent of the data subjects or other appropriate legal basis. TIM has assumed that these "have been independently found by the Partners with the lead and reference mechanism, and therefore used for the purposes of commercial contact on the basis of the consent provided by the data subject itself or the balance of interest existing for the referrals", but has not provided any further information, nor has it documented this assumption, as required by the principle of accountability;
  • cases of storage, in the CRM (Customer Relationship Management) of the Company, of data relating to customers of other Operators, to whom TIM provides the mere network and infrastructure service (OLO-Other Licensed Operator), for a time exceeding the limits set by law (10 years) and with visibility by customer care operators beyond the time limits established by the company policies (5 years). The conduct described, the Data Protection Authority goes on to say, denotes unlawful processing as it is carried out in the absence of appropriate consent by the data subjects as well as against the principles of storage limitation and the obligation to guarantee and prove compliance with data protection regulations in compliance with the principle of accountability.

Moreover, the management of the data breach has proved unsuitable, both with regard to the timeliness of the notification to the Authority and with regard to the measures put in place to reduce the risks to the rights and freedoms of the persons concerned. In particular, the Authority notes:

  • in some cases the Company was late in identifying and correctly managing the episodes of violation that occurred, activating the DPO only a few months after the problem was detected, as well as in making the communications to this Authority required by current legislation;
  • systems that process personal customer data frequently encounter "misalignments", "anomalies" and "wrong associations";
  • in addition, incorrect and non-transparent information on data processing has been provided in the management of some apps and programs aimed at customers, and invalid consent forms have been adopted. In some cases, paper forms were used with a request for a single consent for different purposes, including marketing.

In addition to the sanction, the Authority has imposed 20 corrective measures, including prohibitions and prescriptions, prohibiting TIM from:
  • using, for marketing purposes, the data of those who had expressed to call centers their refusal to receive promotional calls, of those on the blacklist, and of "non-customers" who had not given their consent;
  • using customer data collected through the apps "My Tim", "Tim Personal" and "Tim Smart Kid" for purposes other than the provision of services without a free and specific consent.
 
Among the prescriptions, the Authority ordered TIM to:
  • check the consistency of the blacklists used;
  • promptly acquire the blacklists formed by call centers in order to add them to the blacklist;
  • review the “Tim Party” program and allow customers access to discounts and sweepstakes by eliminating mandatory marketing consent;
  • check the procedure for the activation of all the apps, always specifying, in clear and comprehensible language, the processing carried out with an indication of the purposes pursued and the processing methods used, as well as obtaining valid consent;
  • implement the technical and organisational measures relating to the management of requests to exercise the rights of data subjects and strengthen the measures aimed at ensuring the quality, accuracy and timely updating of personal data processed by the different systems of the company.

In this context, it appears that both ENI and TIM have violated, in several respects, the principle of privacy by design: “taking into account the state of the art and the cost of implementation, as well as the nature, scope, context and purpose of the processing operations, and the risks of varying degrees of probability and gravity to the rights and freedoms of natural persons represented by the processing operations”, neither company appears to have put in place “appropriate technical and organisational measures to incorporate in the processing operations the necessary safeguards in order to meet the requirements of the GDPR and protect the rights of data subjects”. From a different point of view, neither of the two companies appears to have been sufficiently able to account for various fundamental aspects of the processing carried out directly or through third parties. Both thus showed an inadequate ability to prove exact compliance with the relevant regulations and did not comply with the fundamental principle of accountability.

As a result of these first two very severe pronouncements, there are several points of attention for the business, which will therefore have to be taken into account:
  • privacy by design;
  • data breach;
  • technical and organisational measures on systems;
  • app operation;
  • if applicable, validity of prospect consents acquired through list providers (are there chains of consents that the company acquires from prospect list providers? Are the acquired contacts verified correctly with the Public Opposition Register?);
  • if applicable, audit procedure of lists and suppliers: subject matter, frequency, sample, results;
  • if applicable, mechanism of blacklists by call center operators;
  • if applicable, functioning of data subjects rights management process (in particular, in the purchase of lists);
  • if applicable, contact policy, in order to avoid excessive calls.

CONTACT

Nadia Martini

Attorney

Partner

+39 02 6328 841
