The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email: segreteria@imperialida.com

Sanction for telemarketing and more

The Italian authority intervened once again regarding telemarketing activities that did not comply with the applicable regulations, imposing one of the largest fines of 26.5 million euros. The measure – which also regarded violations of a different nature – was issued at the end of a detailed investigation launched following numerous complaints and reports from users.

 

Italian “Do not call”

Almost at the same time, the approval process for the new regulation for the Public Register of Oppositions (RPO), the Italian equivalent of the “Do not call” solutions of other countries both European and non-EU, came to an end. The Council of Ministers on January 21 approved the final text that will be adopted by Presidential Decree, replacing Presidential Decree no. 178/2010, as provided for by Law no. 5/2018. The reform work took exactly four years.

The reformed RPO will allow all registered users (with regard to the relevant national fixed or mobile or so-called “reserved” users) to oppose any type of commercial telephone call (whether automated or by an operator) as well as the use of their address published in the telephone directory for sending paper mail for the distribution of advertising material or for direct sales, for carrying out market research or commercial communications. We will focus later on the important innovations contained in the new regulation.

 

Preliminary investigation

The measure did not concern a single event but multiple circumstances that formed the subject, by the Authority, of an overall investigation, adopting an “analytical approach of a systemic and global type to the problem” of telemarketing, with regard to the methods followed by the company concerned. In fact, Regulation 1/2019 of the Garante, allows the authority “to carry out the preliminary investigation precisely in relation to multiple complaints and reports having the same object or relating to the same owner or controller, or to data processing related to each other.”

“Therefore, the activity of the Garante was conducted primarily through unitary investigations and [four separate] requests for information,” during the December 2018 – July 2020 time frame.

The continuation of this phase over a long period of time led the company to believe that the relevant authority files had been archived or that any administrative sanctions were time-barred.

Lesson learned

This case demonstrates that an organization subject to requests for information or even an investigation by the Authority should not limit its attention to what is being requested or investigated from time to time, but should broaden its horizon of analysis to the entire phenomenon of which that single request is possibly an expression. Put differently, for example, if the response to the exercise of a privacy right leads to a complaint or a report, it is not enough to ascertain what, if anything, went wrong in that specific circumstance. It is necessary to go deeper and determine whether the causes are attributable to a defect in the overall internal process (e.g., a poorly drafted or unsupported procedure, untrained or uncoordinated staff, an uncoordinated or unsystematic approach, such as the provision of an email address for privacy notices, which is incorrect or not properly maintained).

The considerable amount of time that has elapsed could lead the organization involved to the mistaken belief that the authority’s initial investigations have not yielded any results and that the case can be considered implicitly archived. Leaving aside the fact that any decision in this regard is notified to the organization under investigation, it should be considered that the time between the request for information and the final accusation can be very long, depending on the complexity of the circumstances of the investigation. According to established case law of the Supreme Court, in fact, the starting date for identifying the deadline for notification of the details of the violation, should not be identified in the specific dates referable to each response provided to the authority, but at the time when the same authority acquires “full knowledge of the illegal conduct, so as to assess the consistency to the effects of the correct formulation of the dispute” (Civil Cassation no. 31635/2018). In other words, for this purpose, it is not possible to proceed to the mere formal counting of the days following the receipt of feedback to the various requests of the authority, but it is necessary to take into account the “time necessary for the evaluation of the data acquired and relating to the elements (objective and subjective) of the infringement”.

 

Charges

The charges raised against the company related to the following violations:

  • Failure to cooperate with the authority
  • Lack of accountability and approach by design
  • Making unsolicited commercial phone calls (without prior consent or despite subscribing the user to the RPO)
  • Improper use of soft-spam for email marketing without legal requirements
  • Invalidity of the consent collected
  • Late response to the exercise of rights
  • Sending of invoices and other personal data to third parties.