The legality of disclosure by transmission of personal data for direct marketing purposes under Italian Data Protection Law


In today’s data driven economy, direct marketing has become increasingly pivotal in companies’ business strategies. This type of marketing includes sending advertising material, commercial communications, direct sales or carrying out customer satisfaction surveys.

Although these marketing practices can prove to be invaluable for a company, their success is highly dependent on whether they comply with the legal requirements incumbent on them. Failure to comply with such requirements generally turns direct marketing into what is commonly known as spam. An example of an unlawful direct marketing practice is when one market player shares the personal data of a data subject with several others not meeting the regulatory requirements.

The following paragraphs have the dual purpose of (i) clarifying what legal conditions need to be met for personal data to be shared with third parties so that they can process them for their autonomous promotional purposes and (ii) understanding how the third party can correctly launch direct marketing activities once they have acquired the personal data (so-called “lead acquisition”).

 

 

The Italian Data Protection Authority’s (“GPDP”) requirements within the current regulatory framework

The main requirements relating to the activity of transferring personal data to third parties and lead acquisition can be found in the Guidelines on Marketing and against Spam (hereinafter, the “Guidelines”), which are to be interpreted in light of the current legal framework as well as of the most recent decisions issued by the GPDP, which have clarified their scope of application[1]. Particular reference must be made to three decisions of the GPDP which have clarified the legality of marketing practices in the context of data protection, namely: the decision against Enel Energia S.p.a.; the decision against Iren Mercato S.p.A.; and, lastly, the Sky Italia decision.

 

Transfer of data to third parties

According to the Guidelines[2], cross-border data transfers to third parties for direct marketing purposes can only be lawful if the transferor:

 

        1. adequately describes such purpose in its privacy notice;
        2. indicates, within its privacy notice, each of the third party data recipients or, alternatively, the economic or product categories to which they belong (e.g., finance, publishing, clothing, etc.);
        3. acquires specific consent, from the respective data subject, for the disclosure by transmission of personal data to third parties for promotional purposes. It is important to note here that consent for the data transfer is separate from the consent required by the data controller to carry out promotional activities alone;
        4. provides evidence of the consent collected for the transfer of the personal data[3].

 

It is worth noting that the wording of “third party”, under (2), is meant to be defined in both a broad sense and with particular reference to cases where the third-party assignee belongs to the same business group as the assigning data controller. In fact, as repeatedly reiterated by the GPDP[4], entities that belong to the same corporate group must be considered – as a rule – as autonomous and distinct data controllers[5]. In this sense, it would not be sufficient to indicate in the privacy notice that the transferee companies also include companies belonging to the same business group as the transferor company; indeed, it is necessary that the company name or, alternatively, the economic or product categories to which they belong, are indicated also for such entities[6].

Furthermore, under (3), it is important to recall the position of the GPDP that a data subject’s consent to a data controller’s processing his/her personal data (for promotional activities) or transferring it to a third party does not extend to subsequent transfers to further data controllers. This is because such secondary transfers would not be based on the necessary, specific and informed consent of the data subject[7].

 

Lead Acquisition

In order to analyse the obligations required for lead acquisition activities, it must be borne in mind that the focus now turns to the entity receiving the personal data from the transferor (i.e., transferee) and the obligations incumbent on them.

 

Information obligations

In order to carry out a lawful lead acquisition activity, the data subjects, previously informed by the transferor – pursuant to Article 13 GDPR – about transferring data to third parties for their autonomous marketing purposes, must also be informed by the transferee about the subsequent processing operations they will carry out on their data. In fact, recipients will only be allowed to send promotional communications to the data subjects after they have issued their own privacy notice pursuant to Article 14 GDPR. This privacy notice must provide an indication as to the source from which the personal data originates so that each data subject can address the data controller who processed and communicated the data in the first place (e.g., to object to the processing)[8].

 

Legal basis

As far as the legal basis on which the transferee’s processing activities rely is concerned, the GPDP has clarified, in light of the legislation currently in force, the possibility for the transferee not to require additional consent for the performance of direct marketing activities. This possibility of not obtaining additional consent only applies in situations where the transferee intends to make use of automated tools to carry out direct marketing campaigns such as e-mail, SMS, MMS, etc. Therefore, the transferee is only obligated to obtain additional consent where they send marketing communications via non-automated contact tools such as telephone or paper mail[9].

 

Accountability: the need for ex post assessments

In parallel to the accountability principle, and to prevent an endless “chain” of liabilities in the context of the data processing[10], the GPDP has emphasised that it is necessary for a data controller to provide evidence of the overall assessments carried out on the characteristics of the processing activities, on the related risks and on the effectiveness and adequacy of the measures adopted on a case-by-case basis. Such effectiveness and adequacy cannot be tested and demonstrated without structured and systematic assessment mechanisms.

The transferee is therefore required to adopt safeguards to prove that personal data and related consents have been collected by the transferor in full compliance with the respective data protection provisions, including safeguards that can witness and monitor over time the proper management of consents[11]. Specifically, the transferee must check that the data subjects have correctly received the privacy notice – in accordance with the procedures described above – and given consent to receive promotional communications from third parties (unless those communications are sent via automated means), and that they have not registered any complaints in the “Registro Pubblico delle Opposizioni”[12] or objected to the processing in question by the data controller. These checks must be carried out by means of special procedures for filtering the contact lists.

Lastly, it is advisable for the transferee to request the sharing of the consents collected by the transferor in order to be able to demonstrate the lawfulness of its processing activities, more specifically, its sending of marketing communications.

 

Conclusion

The interventions of the GPDP referred to in this newsletter allow us to rebuild, in light of the legislation currently in force, the framework of the primary requirements that need to be met in order to share/transfer personal data for direct marketing purposes. Among the most significant measures highlighted by the GPDP, it seems appropriate to single out the following points of attention:

 

      • the transferees may carry out promotional activities without requiring a new consent – in addition to the consent previously obtained from the transferor for the transfer to third parties for their direct marketing purposes – only where they make use of automated tools. Therefore, when carrying out promotional activities via non-automated tools, new consent must be obtained from the data subject;
      • the transferring companies are required to ensure greater transparency about the economic and product categories of the third parties receiving the data, even where these are companies belonging to the same business group.

 

 

 

[1] See in this regard Article 22(4) of Legislative Decree no. 101/2018, whereby as from 25 May 2018, the measures of the GPDP continue to apply, insofar as they are compatible with the Regulation and with the provisions of [the same Legislative Decree 101/2018].

[2] Paragraph 2.4 of the Guidelines.

[3] In decision against Enel Energia S.p.a., the GPDP stated that the principle of accountability – outlined both in a legal perspective (Article 5(2) and Article 24) and in a more modern technological dimension (Article 25) – implies the overcoming of an exclusively formalistic logic of adaptation to the laws, imposing on the data controller to prepare systematic mechanisms of assessment, beforehand and afterwards, of the respect of the regulations in matters of personal data protection by all the subjects involved in the chain of the processing that concern them, which can be ascribable to them or which can bring advantages, also of an economic nature to the controller.

It should also be noted that in Sky Italia decision, the GPDP states that the entire structure of the GDPR is based on the accountability of the data controller. The latter, in view of the circumstance that the personal data of the persons contacted who have subscribed to the promotional offers are destined to be included in corporate databases, should adopt appropriate measures in order to prove that the contracts and activations recorded in its systems originate from contacts made in full compliance with the provisions on the protection of personal data, in particular those of Articles 5, 6 and 7 of the GDPR relating to consent.

[4] In this sense, see by way of example the “Guiding Principles Applying to the Processing of Employees’ Personal Data for the Purpose of Managing Employment Relations in the Private Sector“, the decision on transfer financial information and the decision concerning Controllership of Processing as Vested in the Entities Outsourcing Promotional Activities.

[5] Paragraph 2.6.3 of the Guidelines.

[6] In decision against Enel Energia S.p.a., the GPDP specified that a single consent to the disclosure of data for promotional purposes for use by group companies, parent companies, subsidiaries and affiliates and commercial partners of Enel Energia S.p.a. cannot be considered either specific or free and does not constitute an appropriate legal basis for the above-mentioned processing activities, pursuant to Article 6 of the GDPR. Furthermore, in the absence of a clear identification of the recipients, a consent linked to processing operations that can be referred to an indeterminate number of data subjects cannot be considered suitable.

[7] Thus the GPDP, ex multis, in decision against Iren Mercato S.p.A.

[8] See what is expressed in the Sky Italia decision.

[9] See Sky Italia decision

[10] See decision against Enel Energia S.p.a.

[11] See decision against Wind Tre S.p.A.

[12] The “Registro Pubblico delle Opposizioni” is a service designed for the protection of individuals, whose telephone number is listed in a public telephone directory, who wish not to receive unsolicited direct marketing calls and postal mail any longer; at the same time it is a tool to provide the telemarketing operators with a more competitive, dynamic and transparent market – https://www.registrodelleopposizioni.it/en

ICTLC Italy
italy@ictlegalconsulting.com