The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email:

Personal data for marketing purposes and others -1

In its newsletter of June 28, 2023 (web doc. no. 9903191)  the Italian Supervisory Authority’s mentioned a number of decisions adopted by the Authority that are rich in insights not only in the area of marketing but also as an opportunity to reiterate or specify general rules applicable in several operational contexts 

A reading of these decisions offers multiple evidences of non-compliant behaviors, sometimes even fraudulent, provides recommendations for corrective actions and recommended practices to remedy the shortcomings recorded; in the watermark, one recognizes circumstances or attitudes widespread in everyday reality, which represent clear sensors of violations in progress.

Recognizing their presence in the weaving of an organization’s processes is an essential condition of awareness capable of triggering relevant remedial plans.

Therefore, retracing these contentious cases has the dual purpose of deepening the meaning of the relevant legal prescriptions and treasuring otherserroneous conduct or operational choices.

Decisions of the Italian Supervisory Authority

There are three decisions of the Italian Authority released through the newsletter of June 28, 2023 that are related to each other in some way:

Inspection plan and on-site assessment

The underlying events of the Benetton decision provide insights into the triggers and the execution methods of inspection activities by the Authority. It is not uncommon for the entrepreneur to request information from the consultant regarding the possibility of inspections directed toward the organization. What, in general, are the circumstances for which the company or entity may be subject to inspection; what are the presumed areas of the inspection.
Understandably, the response has no legal basis and aims only to describe to the interlocutor what the main trigger categories of the Authority’s inspection activity are: complaints or alerts, scheduled inspection plans, information acquired in other circumstances and worthy of further investigation (e.g., press reports, data breach notifications, further investigations with third parties).

In this regard, the conduct of the inspections carried out by the Authority in the Benetton case deserves some interest. Initially, the activity fell within the scope of the inspections planned by the Italian Authority and concerned the processing of personal data for marketing and profiling purposes; this first step was carried out first with on-site visits to the company’s premises and, subsequently, with in-depth papers-based investigations. The latter focused in particular on cookie management.

Subsequently, “in order to verify the concrete implementation of some measures envisaged by the Company with the statement of defense (…), as well as for the purpose of an investigation, also of a technical nature, on the corporate systems and databases and more broadly on the processing for marketing and profiling purposes,” the Authority carried out a second on-site investigation at the company’s headquarters. In this circumstance, on the one hand it took “direct knowledge of the measures implemented by the Company, noting the achieved compliance” with regard to the initial charges related to the management of cookies, but on the other hand, “[i]n the basis of the overall examination of the verifications carried out, as well as the clarifications provided by the Company in the same circumstance, however, emerged” new possible violations duly notified to the controller company.
Therefore, the scope of the initial investigation, which focused on the management of tracking cookies, had a favorable outcome for the company, as the Supervisory Authority noted “the corrective intervention -systematic and radical- made by the Company in the review of said processings,” thus, proceeding to the filing of the first objection. Conversely, the second inspection – carried out to further investigate certain aspects found in the previous one – revealed new shortcomings in relation to the processing for marketing purposes carried out by the Company, in relation to which the Supervisory Authority notified the Company of an alleged violation, which subsequently led to the order to impose a fine.