The adoption of measures no. 232 of 11 December 2019 and no. 7 of 15 January 2020, against Eni Gas e Luce and Tim respectively, imposing fines of 8 million euros and 27.8 million euros, is in line with the inspection plan of the Italian DPA approved at the beginning of 2018, the period in which the Authority's investigation activities began. The Italian DPA's decision to focus its investigation on data processing for telemarketing activities was prompted by several reports received from data subjects complaining of unsolicited marketing calls.
As noted above, the main object of the sanctioning measures is the telemarketing activity carried out by both companies in breach of the GDPR's provisions on the data subject's consent, which is the proper legal basis for this type of processing.
In particular, the investigation carried out by the Italian DPA found that these companies, also through data processors to whom the service had been outsourced, made telephone calls for marketing purposes:
1. to data subjects who had not given, or had withdrawn, their consent to this kind of processing; or
2. to users who had entered their telephone number in the Opt-out register (ROC), whose function is to allow registered persons to remove their telephone numbers from the contact lists used by companies for telemarketing purposes, so as not to be contacted again,
in breach of articles 6 and 7 of the GDPR, concerning consent and the possibility of withdrawing it.
According to the Italian DPA, this unlawful processing was essentially due to the inadequacy of the technical security measures implemented by the data controllers to keep their contact lists, and those used by their data processors, constantly updated with
1. the withdrawals of consent made by data subjects, or
2. the enrolment in the ROC of contacts present in their contact lists,
in violation of the principle of privacy by design provided by art. 25 of the GDPR.
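The control the decisions found missing, shown as an added example that is not code from the decisions or from either company: a gate that checks every number on a dialling list against the current consent records and the ROC before it reaches the dialler, and records why each excluded number was dropped. The names, function signatures and sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple
import re


@dataclass
class ConsentRecord:
    given_at: Optional[datetime]      # when marketing consent was recorded
    withdrawn_at: Optional[datetime]  # when the data subject withdrew it, if ever


def normalize_number(raw: str, default_cc: str = "+39") -> str:
    """Canonical E.164-style form so consent and ROC lookups are not defeated by formatting."""
    n = re.sub(r"[^\d+]", "", raw)
    if n.startswith("00"):
        n = "+" + n[2:]
    elif not n.startswith("+"):
        n = default_cc + n
    return n


def has_current_consent(rec: Optional[ConsentRecord]) -> bool:
    """Consent counts only if it was given and not withdrawn afterwards (arts. 6 and 7 GDPR)."""
    if rec is None or rec.given_at is None:
        return False
    return rec.withdrawn_at is None or rec.withdrawn_at < rec.given_at


def build_callable_list(contacts: List[str], consents: Dict[str, ConsentRecord],
                        roc: Set[str]) -> Tuple[List[str], Dict[str, str]]:
    """Split a dialling list into callable numbers and excluded ones with a reason.

    contacts: raw numbers from the (possibly outsourced) contact list
    consents: normalized number -> ConsentRecord, from the controller's consent store
    roc:      normalized numbers enrolled in the opt-out register
    The excluded map is the audit trail a controller needs to show accountability.
    """
    callable_, excluded = [], {}
    for raw in contacts:
        num = normalize_number(raw)
        if num in roc:                                   # ROC enrolment wins outright
            excluded[num] = "enrolled in opt-out register"
        elif not has_current_consent(consents.get(num)):
            excluded[num] = "no valid marketing consent"
        else:
            callable_.append(num)
    return callable_, excluded


# Constructed sample data: one valid consent, one withdrawn, one never given, one in the ROC
SAMPLE_CONTACTS = ["+39 333 123 4567", "0039 333 765 4321", "3331112222", "333 999 8888"]
SAMPLE_CONSENTS = {
    "+393331234567": ConsentRecord(datetime(2019, 3, 1), None),
    "+393337654321": ConsentRecord(datetime(2019, 3, 1), datetime(2019, 9, 1)),
    "+393339998888": ConsentRecord(datetime(2019, 3, 1), None),
}
SAMPLE_ROC = {"+393339998888"}
```

Running the gate on the sample list leaves only the first number callable; the other three are dropped with a recorded reason, which is what a contact list kept in sync with withdrawals and the ROC should produce.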
A further principle breached by the data controllers was accountability: art. 24 of the GDPR requires that, when implementing appropriate technical and organizational measures, data controllers take into account the nature, scope, context and purposes of the processing, whereas the privacy policies adopted by these controllers were not effective for their specific business reality.
It follows that data controllers must implement privacy policies that not only comply with the general provisions of the GDPR but are also tailored to the specific business reality in which they are applied and to the different needs arising from the types of processing activities they carry out.
In conclusion, in order to process personal data in compliance with the GDPR, companies need to adopt a dynamic approach aimed at the continuous improvement of their internal privacy management system, which must be tailored and effective with respect to the individual processing activities carried out by the data controller.
Article provided by: Chiara Agostini (R&P Legal, Italy)