The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email:

Duration of the consent to data processing

Two recent decisions of the Italian Data Protection Authority, against Comparafacile (web doc. no. 9921112) and Tiscali (web doc. no. 9920942), offer the cue to resume the systematic analysis of consent as a legal basis for data processing, in general, and for processing for marketing purposes, in particular.

More specifically, today we will focus in detail on the profile of the duration of “marketing consent.”

Marketing consent

The consent of the data subject is, in principle, the legal basis underlying the processing of personal data for marketing and commercial profiling purposes. The other legal basis that can be used for processing for marketing purposes, that of legitimate interest, has residual application in this area.

Consent must be prior to the processing of the data and, consequently, to the promoting company’s commercial contact with the data subject.

Consent may be collected by direct or indirect means:

  • Consent is obtained directly when the data controller has direct contact with the data subject and collects his or her specific consent from him or her, after issuing appropriate privacy notice that specifies the purposes of the processing.
  • Consent is obtained indirectly when the principal of a promotional campaign (data controller) acquires from a provider (list provider) a list of master data relating to individuals who, having been adequately informed, have expressed their consent to be contacted by third parties (identified by category or by name) for their own commercial purposes.

When the acquisition of master data is indirect, it is the responsibility of the acquiring organization to verify that, with regard to the list of contact data, the legal requirements have been properly met; that is:

  • providing the data subject with an adequate privacy notice
  • collection of a valid consent for the communication of data to identified third parties and for the processing of data by them, for their own marketing purposes.

If the identification of the third party is by product category, the purchaser must provide its own individual privacy notice in accordance with Article 14 of the GDPR, within one month or at the first marketing contact.


If the contact data contains phone numbers aimed at telemarketing activities, the data controller will also have to match its list with the “Do-not-call” Register, in order to remove (i.e., not to use for marketing purposes) those phone numbers found to be registered with the Register.
This operation is generally known as “normalization” and must be carried out prior to marketing contact, constituting a condition of lawfulness: failure to tally with the “Do-not-call” Register and/or failure to comply with the requirements of the specific regulations, makes the data processing for telemarketing purposes unlawful.