In its newsletter of June 28, 2023 (web doc. no. 9903191) the Italian Supervisory Authority’s mentioned a number of decisions adopted by the Authority that are rich in insights not only in the area of marketing but also as an opportunity to reiterate or specify general rules applicable in several operational contexts.
A reading of these decisions offers multiple evidences of non-compliant behaviors, sometimes even fraudulent, provides recommendations for corrective actions and recommended practices to remedy the shortcomings recorded; in the watermark, one recognizes circumstances or attitudes widespread in everyday reality, which represent clear sensors of violations in progress.
Recognizing their presence in the weaving of an organization’s processes is an essential condition of awareness capable of triggering relevant remedial plans.
Therefore, retracing these contentious cases has the dual purpose of deepening the meaning of the relevant legal prescriptions and treasuring others‘ erroneous conduct or operational choices.
Decisions of the Italian Supervisory Authority
There are three decisions of the Italian Authority released through the newsletter of June 28, 2023 that are related to each other in some way:
- Decision of April 27, 2023 (web doc no. 9902472) (Benetton) on timing of breach notification, consent, withdrawal and retention of data for marketing purposes, cookies, adequacy of security measures
- Decision of May 17, 2023 (web doc no. 9899880) (Grizzaffi Management) regarding data sources for marketing purposes, e-mail marketing, legal value of unsubscribe link
- Decision of May 17, 2023 (web doc. no. 9903067) (Trovanumeri.com) with reference to controller’s anonymity, non-functioning erasure form and ways to make it easy to exercise rights, creation of an online telephone directory, entry of personal data to be published on the web without identity verification, web scraping.
Inspection plan and on-site assessment
In this regard, the conduct of the inspections carried out by the Authority in the Benetton case deserves some interest. Initially, the activity fell within the scope of the inspections planned by the Italian Authority and concerned the processing of personal data for marketing and profiling purposes; this first step was carried out first with on-site visits to the company’s premises and, subsequently, with in-depth papers-based investigations. The latter focused in particular on cookie management.