Skip to main content

The Italian Data Protection Authority Limits the Sending of Advertising and Promotional Contents to Fidelity Cards Holders


For the first time, the Italian Data Protection Authority has exercised its power of "warning" provided by the GDPR, through which it has prohibited the unconditional sending of unsolicited advertising contents to fidelity cards holders.

With measure no. 9124420, published in the newsletter no. 456 on 22nd July 2019, the Italian Data Protection Authority (Authority) has determined the unlawfulness of sending advertising and promotional contents to fidelity cards holders, which had not expressed their specific and free consent for the processing of their data for marketing purposes.

The measure was adopted following the alerts reported by some customers of an important electronic store chain (“Company”), who complained about the continuous and unsolicited receipt by e-mail of commercial offers from the Company, after having subscribed to its fidelity card program. Moreover, the data subjects had repeatedly asked the Company, either by telephone or e-mails, to delete their address from the advertising mailing list, without any result.

During the investigation procedure carried out by the Authority with the help of the special privacy unit of “Guardia di Finanza”, the Company justified itself by stating that it had not been able to block the sending of advertising e-mails because of problems related to its databases - containing data of over ten million customers - which, at that time, were subject to a migration procedure to another data processing platform.

The inspection revealed further problems concerning the processing of customer personal data. More specifically, it was found that the consent to data processing for sending commercial communications - acquired through the old forms of subscription to the fidelity program - could not be considered valid, since customers were forced to release it, in order to obtain the services offered by the fidelity card. In fact, it resulted that the consent for the data processing was acquired with a unique flag, including both contractual and advertising purposes (such as: communication to third parties for the purpose of verifying the customer satisfaction and management of awards program).

This implied that the personal data collected by the controller for the supply of certain services, were in fact processed for an additional purpose, namely the sending of promotional messages, in violation, therefore, of the principles of free and specific consent, and lawfulness of data processing.

In addition, the Company's information system was not able to adequately track and manage the requests made by the data subjects to exercise their right to object to data processing for marketing purposes, and to interrupt, as a result, the sending of spam.

It was found, in particular, that the email address contacted by the data subjects in order to exercise their privacy rights, was assigned to an employee whose employment relationship ended in 2014; as a result, the sending of requests to this address, which was found to have been disabled and removed from the computer systems, did not allow the delivery of the object to processing advanced by the data subjects.  

Therefore, the Authority has prescribed measures to comply with the new provisions on the protection of personal data and, exercising for the first time the new corrective powers offered by the GDPR, has "warned" the Company to (i) no longer use, for marketing purposes, the personal data collected through the forms of the fidelity card object of the alerts, and also (ii) to implement adequate organizational and technical measures, in order to guarantee the proper management of the requests submitted by the data subjects.

Through this measure, the Authority has exercised for the first time its powers of "warning" under Article 58, paragraph 2, letter (b) of the GDPR, which provides the possibility for national privacy authorities to "issue reprimands to a controller or a processor where processing operations have infringed provision of the Regulation”. This warning represents a kind of “yellow card” that is preparatory to a possible sanction in case of further violations.


Article provided by: Chiara Agostini (R&P Legal, Italy)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.