27 Jun Marketing activities in violation of data protection legislation: the sanction in Italy which may be considered “an exemplary punishment”
Background information
On 15 May 2018 a Special Unit of the Italian police (‘Nucleo Speciale della Guardia di Finanza’), following the claims of two data subjects, notified the company named Vincall S.r.l.s. of violations of articles 13, 23, 161, 162 par. 2-bis, and 167 of the Italian Data Protection Code (Legislative Decree no. 196 of 30 June 2003, hereinafter referred to as “Code”), as the company had not complied with the amendments to the Code which got introduced by Legislative Decree no. 101/2018.
In order to understand the decision of the Special Unit of the Italian police, it is important to acknowledge that Vincall’s core business consists of tele-marketing and tele-selling through a call centre. Green Power s.r.l. (sales agents of Edison Energia S.p.A.) hired Vincall to carry out the aforementioned activity, however, Vincall instructed Tele It (another company) to contact potential customers by telephone and have them sign an electricity contract with Edison.
In carrying out this activity, Tele It extracted the potential customers’ contacts from its own marketing lists, without previously verifying and validating the list, e.g., without verifying that the data subjects had previously received a proper information notice and gave their consent to receive marketing communications. According to the Italian Supervisory Authority, all companies involved should have previously verified and validated that a sample of the list of data subjects have received the privacy policy and given their consent to the marketing communications. However, what really affected Vincall was the fact that it had not been appointed as Data Processor under Art. 28 of European Regulation 2016/679, therefore in processing this data it acted as an autonomous Data Controller.
Main issues
Considering the failure to designate themselves as a Data Processor under Art. 28 of GDPR, Vincall’s privacy role triggered the duty of providing the privacy policy to all data subjects and collect their consent to the marketing communication before starting any processing activities (obligations that fall upon the Data Controller), in order to properly carry out the marketing campaign to the potential customers (the so-called “prospects”). However, none of the above obligations was carried out by Vincall. On the contrary, Tele It, after having contacted the prospects by telephone, used the prospects’ willingness to enter into a contract with Edison to directly fill out the contractual documentation, and even adding a sort of ‘signature’ (on behalf of the data subject). Following this, Tele It sent the pre-filled contract form to Vincall, which in turn checked the existence and the relevance of the customer’s will before sending it to Edison.
The activity carried out as described above led the Special Unit of the Italian police to challenge the legitimacy of the data collection for marketing purposes as well as the failure to obtain the consent of the data subjects for the processing of their data for marketing purposes. Please note that the current legislation deems that the modality of advertising products and /or services is not relevant, from a data protection perspective, since the mere involvement of processing of personal data for marketing purposes is enough for the activity to be considered ‘processing’. In fact, the dispute relating to processing would also absorb the violation relating to the collection, since the overall processing also includes the collection.
Practical implications
Considering the severity of the violation, the intentional or negligent nature of the infringement, the eventual measures implemented to mitigate the damage suffered by the data subjects, and presumed previous infringements, the sanction imposed is almost “exemplary”. Nonetheless, the sanction got reduced when the Special Unit found that Vincall had never received previous sanctions and had halted, in accordance with Green Power, the sending of application forms, therefore limiting the effects of the illegal conduct. It follows that, considering the seriousness, with reference to the elements of the extent of the injury or danger, as well as the intensity of the psychological element, the companies’ conduct was carried out with a clear disregard of the overall legislation on protection of personal data and superficial underestimation of the serious implications arising from the manner of acquiring customers, which relied on informality and unilateral simplification of the framework of formal obligations prescribed by the law”. Considering the previous financial reports, the sanction imposed amounted to € 6.000 for each violation (to be read as per data subject against whom the violation had been committed) of Articles 13 and 161 of the Code (which meant that there was an omission of information or inadequate information), resulting to a total of € 468.000. In addition to that, a sanction of € 10.000 was imposed for each violation of Articles 23 and 162, par. 2-bis of the Code before initiating any processing (concerning the violation on the rules of consent), resulting to a total of € 1.550.000. The total amount of the imposed sanctions amounted to € 2.018.000.
Therefore, the recommendation which emerges from this sanction is to be as careful as possible when processing personal data for marketing purposes, and having the utmost diligence in the application of the current regulation, in order to reduce high-sanctioning risks.