27 May Direct Marketing towards legal persons
Which provisions apply?
When it comes to direct marketing, the attention of lawyers and business professionals is generally focused on natural persons, from whom, as a general rule, specific consent must be requested pursuant to Article 6(1)(a) of Regulation (EU) 2016/679 (“GDPR”) and pursuant to Article 130 paragraphs 1 and 2 of Legislative Decree 196/2003 (“Personal Data Protection Code”).
But what are the necessary requirements for marketing activities directed towards subjects that are not natural persons?
Before delving deeper into the matter, a terminological and methodological premise is necessary: for the sole purpose of the present analysis, the expression “legal persons” will be used in a broad and non-technical sense, including all legal persons other than natural persons, regardless of whether or not they are endowed with legal personality; this expression will therefore refer both to recognized entities, such as, for example, joint-stock companies, public bodies and recognized associations, and to other unrecognized entities.
Beyond the protection of personal data: the protection of ‘contractors’
As is well known, the provisions of the GDPR apply only to the personal data of “data subjects”, i.e., information relating to an identified or identifiable natural person, even indirectly (Art. 4(1) of the GDPR), with the exclusion of information attributable to legal persons.
In contrast, the Personal Data Protection Code contains provisions that also apply to information concerning legal persons. In particular, these are provisions directly implementing Directive 2002/58/EC (the “ePrivacy Directive”), which is a lex specialis with respect to the GDPR. Reference is made, in particular, to the provisions contained in Title X – “Electronic Communications” (in particular, Chapter 1), which can be applied, as we shall see, also to information concerning legal persons when they fall within the category of “contractors”.
Pursuant to Article 121, paragraph 1-bis, letter f) of the Personal Data Protection Code, “contractor” is to be understood as any natural person, legal person, body or association which is party to a contract.
Confirming this approach, in 2012 the Italian Data Protection Authority (“Garante” or “Italian DPA”) commented, stressing that Chapter 1 of Title X of the Personal Data Protection Code continues to apply to contractors regardless of whether they are natural persons or legal persons, entities and associations; it seems appropriate to highlight this despite the fact that Article 121 of the Personal Data Protection Code, which introduces the aforementioned Chapter 1 of Title X, explicitly mentions “personal data”.
The scope of application of the provisions at stake should therefore be defined by paying attention to the subjective categories referred to therein from time to time.
Legal persons and direct marketing activities
Among the most relevant provisions in this respect, reference is to be made to Article 130 of the Personal Data Protection Code concerning the sending of direct marketing communications to the categories of both “contractors” and “users”.
Article 130 of the Personal Data Protection Code: is consent of the legal person required for direct marketing activities?
Article 130, paragraphs 1 and 2 of the Personal Data Protection Code provides for the obligation of prior consent for the use of the contact data of “contractors” and “users” for the purpose of sending direct marketing communications, whenever automated tools are used. Since the definition of “contractors” (Art. 121 of the Personal Data Protection Code) includes not only natural persons but also all legal persons other than natural persons, i.e., legal persons in the non-technical and extensive sense specified above, their prior consent must be requested in this case as well.
If, on the other hand, non-automated tools are used for the same direct marketing purposes – essentially, via telephone with an operator and paper mail – reference is to be made to Article 130, paragraph 3 of the Personal Data Protection Code. This latter provision states that in such cases the use of contact data is permitted pursuant to Articles 6 and 7 of the GDPR as well as pursuant to the provisions of Article 130, paragraph 3-bis of the Personal Data Protection Code.
It should be noted that the reference to Articles 6 and 7 of the GDPR, being exclusively applicable to the processing of data relating to natural persons, does not apply to data relating to legal persons; it follows that, where non-automated tools are used, it will not be necessary to request prior consent from legal persons for the purposes of carrying out direct marketing campaigns.
However, Article 130, paragraph 3-bis of the Personal Data Protection Code remains applicable to legal persons. It provides that the use of non-automated tools for direct marketing purposes is allowed only towards those who have not exercised their right to object, in a simplified manner and also by electronic means, by entering their telephone number (currently, only landline and not mobile) and the other data referred to in Article 129, paragraph 1 of the Personal Data Protection Code in the public opt-out register (Registro Pubblico delle Opposizioni).
The consent of legal persons
As far as the notion of consent in relation to legal persons is concerned, Article 2(f) of the ePrivacy Directive is relevant. This provision, in fact, expressly states that the notion of consent “corresponds to the data subject’s consent in Directive 95/46/EC”, regardless of whether the latter is a natural person or a legal person.
Therefore, pursuant to Article 130, paragraphs 1 and 2 of the Personal Data Protection Code, the consent to be requested from “contracting” legal persons shall have the same requirements as the consent expressed by the data subjects concerned pursuant to Article 4(11) GDPR. Hence, the consent must be: informed, specific, freely given, prior, unambiguous, as well as revocable; finally, it must be expressed by a natural person capable of binding the legal will of the entity (and therefore, generally, by the in-office legal representative or, in any event, by a person with powers of signature and representation).
With regard to consent, it should also be borne in mind that the Italian DPA issued relevant indications in its Guidelines on Marketing and against Spam, which introduced the so-called ‘single consent’ for marketing purposes.
As illustrated above, marketing campaigns directed at legal persons are not exempt from Article 130 of the Personal Data Protection Code, which, in paragraphs 1 and 2, requires those who intend to carry out such campaigns to obtain prior consent (also) from legal persons, at least where automated contact tools are used (e.g., SMS, e-mail). By contrast, as provided for by the following paragraph 3, the use of the telephone with an operator, for the same promotional purposes, remains outside the perimeter of applicability of the above-mentioned mandatory provision. However, according to the following paragraph 3-bis, a few restrictions apply. As a matter of fact, telephone and paper mail may be used to contact legal persons whose data are available on public lists, unless they are opposed to receiving such communications and are registered in the public opt-out register (telemarketing operators shall, in fact, periodically consult the register to update their lists every 15 or 30 days to record respectively the telephone or postal opposition).
Please note that pursuant to Article 166 of the Personal Data Protection Code, violations of the provisions of Article 130, paragraphs 1 to 5 of the Personal Data Protection Code are subject to the administrative sanction set out in Article 83, paragraph 5 of the GDPR and, therefore, can reach up to 20 000 000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
 See Articles 1, 2, 3 and 4(1) no.1) GDPR.
 Originally, the definition of “data subject” in the Personal Data Protection Code expressly included legal persons (https://www.gazzettaufficiale.it/atto/serie_generale/caricaDettaglioAtto/originario?atto.dataPubblicazioneGazzetta=2003-07-29&atto.codiceRedazionale=003G0218).
Subsequently, with the reforms introduced by the so-called “Salva Italia” Decree-Law (D.l. 201/2011), legal persons are no longer considered as ‘data subjects’ for the purposes of processing, and ‘personal data’ can only refer to natural persons. These amendments have affected legal persons only in their nature as “passive” subjects of the processing, leaving unchanged the mandatory nature of the privacy obligations provided for when they operate as “active” subjects, i.e., as data controllers or data processors.
 See Provvedimento in ordine all’applicabilità alle persone giuridiche del Codice in materia di protezione dei dati personali a seguito delle modifiche apportate dal d.l. n. 201/2011 – 20 settembre 2012.
 It should be pointed out that the ePrivacy Directive uses the term “subscriber”, which was also transposed into the Personal Data Protection Code. However, in Italy, due to the entry into force of Legislative Decree no. 69/2012, as of 1 June 2012, the term “subscriber” has been replaced by the term “contractor” in the provisions of the Personal Data Protection Code, without, however, altering its meaning and scope. Therefore, when the term “contractor” is used, it will be understood in the same way as the term “subscriber” as identified by the ePrivacy Directive. To further endorse this orientation, as supported by the Garante in its Provvedimento in ordine all’applicabilità alle persone giuridiche del Codice in materia di protezione dei dati personali a seguito delle modifiche apportate dal d.l. n. 201/2011 – 20 settembre 2012, the concept of “subscriber”, and therefore now of “contractor”, is certainly applicable, also on the basis of Community principles, to both natural and legal persons: in this sense, see Recital 12 of the mentioned ePrivacy Directive 2002/58/EC, according to which “[s]ubscribers to a publicly available electronic communications service may be natural or legal persons”.
Among other things, the definition of “subscriber” (now “contractor”), although relevant to the right to data protection, is in fact borrowed from other sectors (first and foremost that of electronic communications), as well as being of obvious, prevalent contractual origin.
Worth mentioning in this regard is Article 1, paragraph 1, letter a) of Legislative Decree 1 August 2003, no. 259 (the so-called Code of electronic communications), which recognizes the relative qualification to the natural or legal person who is party to a contract with the provider of electronic communications services accessible to the public, for the provision of such services.
 With specific reference to the type of contact data, which are moreover those that are primarily involved in the performance of direct marketing activities, it may be interesting to observe the following. Generally speaking, the contact data of a legal person should be considered non-personal data, referring to the entity as a whole and not in any way associated with an identified or identifiable natural person (e.g., info@companyx.it; firstname.lastname@example.org). On the contrary, the contact data of a natural person is the data that can be associated, even indirectly, to an identified or identifiable natural person, even if the same has the nature of a typical business or professional contact (e.g., email@example.com; firstname.lastname@example.org).
 Taking into account the provisions of Article 130 of the Personal Data Protection Code, direct marketing is commonly understood as the sending of advertising or direct sales material or the carrying out of market research or commercial communications.
 Article 130(1) of the Personal Data Protection Code refers to automated calls or call communication systems without the intervention of an operator; the following paragraph of the same article refers to electronic communications made by means of: electronic mail, telefax, MMS (Multimedia Messaging Service) or SMS (Short Message Service) or other types of messages.
 See Public opt-out register
 Pursuant to Article 94(2) GDPR, “References to the repealed Directive shall be construed as references to […] Regulation”.
 See Recital 17 of the ePrivacy Directive.
 See Guidelines on Marketing and against Spam – 4 July 2013.