The Italian Data Protection Authority decides against “social spam”


Background information/Scenario

On 29 November 2017, the Italian Data Protection Authority (the “Garante”) once again decided against the malpractice of so-called “social spam”. In its last newsletter, the Garante clarified that email addresses available on a social networks cannot be used for marketing activities in absence of an explicit and specific consent of the data subject for the mentioned commercial purpose.


Main issues

The decision, dated 21 September, arises from the report of a financial advisory company which denounced the reception by some of its promoters (physical persons) of several marketing emails in absence of their prior consent.

From the investigations carried out by the Garante it emerged that in the last two years around 100,000 advertising emails were sent and that the email addresses of the recipients had been collected mostly on Linkedin, Facebook and other social networks.

The Garante once again underlined that the fact that an email address is available on social networks, and generally online, does not mean that it can be freely used for whichever purpose. In fact, according to the Garante, the thesis supported by the defendant company, according to which the registration to a social network implied a sort of implicit consent to the use of personal data for marketing activities, had no legal basis.

For these reasons in the case at stake, the Garante considered the processing of e-mail addresses to be unlawful, pursuant to “Guidelines on Marketing and against Spam” and underlined that marketing purposes are not compatible with the functions of social networks, whose only aim is to share information and help users develop professional contacts and as a result a prior specific consent is undoubtedly required.


Practical actions/implications

Companies that collect data on social networks for marketing activities have to take into consideration that the processing shall be deemed unlawful unless the sender can provide evidence of the recipient’s prior, specific, and free consent, pursuant to Section 130(1) and (2) of the Italian Data Protection Code.

In particular, companies which intend to send commercial proposals shall:

  • provide a prior information notice in which the processing of personal data for marketing purposes is clearly specified;
  • require a specific, free and prior consent;
  • guarantee the data subjects the right to object to such processing.
, ,