Skip to main content

Italian data protection authority against the unlawful data processing through telemarketing activities


The Italian Data protection Authority (Italian DPA) issued two fines against Tim and Eni Gas e Luce, for a total amount of almost 36 million euros, due to data processing for telemarketing purposes carried out without the data subjects’ consent.

The adoption of the measures no. 232 of 11 December 2019 and no. 7 of 15 January 2020, against Eni Gas e Luce and Tim, amounting, respectively, to 8 million euros and 27.8 million euros, is in line with the inspection plan of the Italian DPA approved at the beginning of 2018 (period in which began the investigation activities of the Authority). The decision of the Italian DPA to focus his investigation on data processing for telemarketing activities was due to several reports received by the Authority from data subjects complaining unsolicited calls for marketing purposes.

As above said, the main object of the sanctioning measures is the telemarketing activity carried out by both companies in violation of the prescriptions provided by the GDPR regarding the consent of the data subject that represents the proper legal basis for this type of data processing.

During the investigation carried out by the Italian DPA, particularly, it emerged that these companies made, also through data processors to whom the service had been outsourced, telephone calls for marketing purposes:

1. to data subjects who had not given or had revoked their consent for this kind of processing; or
2. to users who had entered their telephone number in the Opt-out register (ROC), whose function is to give the chance to registered people to remove their telephone numbers from the contact-lists used by companies for telemarketing purposes, in order to not be contacted again

in breach with the provisions of articles 6 and 7 of GDPR, concerning consent and the possibility of withdrawing it.

According to the Italian DPA, this unlawful data processing was essentially linked to the inadequacy of the technical security measures implemented by data controllers for ensuring the constant updating of their contact lists or the ones used by their data processors, with


  • the withdrawals of consent made by data subjects or

  • the enrolment of the contacts registered in their contact lists in the ROC,

thus in violation of the principle of privacy by design provided by art. 25 of GDPR.

A further principle being abused by the data controllers was the one regarding the accountability, as art. 24 of GDPR states that, for the right implementation of appropriate technical and organizational measures, data controllers must take into account the nature, scope, context and purposes of processing, while the privacy policies adopted by the data controllers were not effective for their specific business reality.

It follows that data controllers must implement privacy policies that are not only in compliance with the general provisions of the GDPR but that are also customized to the specific business reality in which they are applied and to the different needs arising from the types of data processing activities carried out by data controllers.

In order to process personal data in compliance with GDPR, in conclusion, companies need to adopt a dynamic approach, aimed at continuous improvement of the company's internal privacy management system, that must be customized and effective on the basis of the single data processing activities carried out by the data controller.

Article provided by: Chiara Agostini (R&P Legal, Italy)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.