The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email:

Personal data for marketing purposes and others -2

We resume and complete the analysis of the Italian Data Protection Authorithy’s decisions announced in the June 28, 2023 newsletter (web doc no. 9903191) full of insights not only in the marketing field but also as an opportunity to reiterate or clarify general rules applicable in several operational contexts.

In the previous article of July 6, 2023, the methods of the authority’s supervisory intervention were examined, from on-site inspection to documentary verification, the waiting time between investigation and notification of the details of the alleged violation, and the collection of data, which is not very respectful of the principle of minimization.

On this occasion, we will address the following issues: 

  • inconsistency of the content of documents issued by the controller in relation to the GDPR compliance system  
  • scope of application of the withdrawal of the marketing consent  
  • detailed regulation of automated marketing communications
  • issue of sources of data acquisition for marketing processing.

Measures of the Italian Authority

There are three decisions of the Italian Authority released through the newsletter of June 28, 2023 that are related to each other in some way:

Inconsistency between documents and facts

The frequent absence of a centralized document system to respond to GDPR compliance and requirements or the lack of an adequate management of its contents causes inconsistencies between the representations contained in these documents.

In the Benetton decision, for example, the Authority notes that “contrary to what is indicated in the processing log and in the privacy notice issued to the customer for joining loyalty programs (according to which the data retention time indicated would be limited to 2 years in relation to both marketing and profiling), in the management systems used by the company, personal data of customers, holders of the fidelity card, were found to be present along with information on purchases as of the year 2015.”

Documents for GDPR compliance must be the subject of an appropriate document system. This documentation is heterogeneous, encompassing contracts, notices and consent-gathering forms, records, operating procedures, attestations, risk assessments, adequacy assessments, designations and instructions, task assignments, lists and lists, and more.

The system, in order to be defined as such and to be reliable, requires a proper structural setup, the identification of one or more individuals responsible for its maintenance, the monitoring of its contents in terms of consistency and updating, and the definition of management rules to be disseminated within the organization.

The document system that meets these requirements will provide adequate guarantees of comprehensiveness and evidentiary reliability of corporate compliance.