The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email: segreteria@imperialida.com

Marketing takeaways from the Douglas measure

On October 20, 2022, the Italian supervisory authority issued a 1.4 million euro fine for personal data processing for marketing purposes that did not comply with the GDPR regulation in multiple respects.

This articulated measure provides some useful operational rules for the industry that are summarized below.

Decision of October 20, 2022

The Italian authority’s measure is accessible in its original language on the authority’s website (Web doc. No. 9825667). It concerns the management for marketing purposes of personal data of customers and potential customers of a perfume and cosmetic company, an Italian subsidiary of a German parent company. A large amount of personal data that had been collected for the same purposes by three different companies, later merged by incorporation into the Italian subsidiary, had also flowed into the company’s CRM, along with data from the company’s direct collection. The company’s policy on the protection of personal data appeared to be influenced by the German parent company, reducing the margins of decision-making power of the Italian subsidiary, which, on certain profiles, was obliged to wait for the implementation of centralized improvement projects governed directly by the parent company.

Takeaways

The most significant lessons that can be drawn from this decision are summarized below.

  1. The incorporating company must be able to demonstrate the lawfulness of the acquired companies’ processing
  2. The retention, even if inactive, of personal data from acquired companies must be supported by information and adequate legal basis
  3. If the original notice and consent are no longer up-to-date, the acquiring company informs the data subjects (on the website or via e-mail if it has an e-mail address) of the possibility of renewing consent (after adequate notice) within a time frame (e.g., 6 months), specifying that, if they fail to do so, the personal data held will be deleted (this case involved customer and potential customer registries for loyalty program membership)
  4. Data from acquired companies retained for longer than 10 years should be deleted; data retained for up to a maximum of 10 years may alternatively be pseudonymized, but still subject to the communication and effects mentioned in the previous point
  5. For marketing purposes, it is incorrect to indicate the withdrawal of the consent given and/or the objection to the processing as a criterion for determining the retention time; instead, the data controller must apply a limited and selective retention regardless of withdrawal or objection (the 2005 guidelines of the Garante indicate a retention time of 24 months for marketing purposes and 12 months for commercial profiling)
  6. The company’s notice must cover only the actual processing and the purposes pursued (excluding discontinued processing or prospective purposes)
  7. Any mismatch between what is stated in the notice and operational practice makes the notice unsuitable and, as a result, exposes the controller to a charge of violating Articles 13 or 14 of the GDPR (e.g., data retained for shorter periods or according to different criteria than those stated in the notice, Art. 13.2(a))
  8. Text message telemarketing and telephone telemarketing require two separate consents from the data subject: the sporadic nature of the activity and the lack of objections from data subjects in this regard do not prevent the relevant violation from being charged
  9. Online data collection (including via apps) must be transparent, distinguishing between privacy policy, cookie policy, and general terms and conditions; consent for cookies must clearly refer to cookies and not be collected by resorting to unclear or ambiguous expressions (e.g., “ok, I understand and agree”)
  10. The general privacy policy of the website, linked with links to online data collection forms not mentioned therein, does not fulfill the obligation of transparency and invalidates the consent collected: the anticipated decommissioning of the web area where the forms are located and the failure to use the personal data thus collected does not exempt from liability
  11. Proper and timely handling of requests for the exercise of data subjects’ rights can shelter the controller from fines in the event of an episodic unsatisfied or partial response
  12. The lack of corrective prescriptions by the authority, e.g., because of the sporadic nature of the cases in violation and/or because the transgressions have since ceased, does not prevent the imposition of possible fines
  13. The following factors do not represent, by themselves, charges or exonerations, but are elements of evaluation in determining the level of the fine, falling among the residual scenarios of Article 83.2(k): among the aggravating factors, the large number of data subjects involved, the considerable duration of the infringements, and the economic relevance of the infringer; among the mitigating factors, the sporadic nature of the activities from which the infringement originated, the decision-making conditioning by the parent company, and the financial losses suffered in the previous year.