The Italian Data Protection Authority issued a €3 million GDPR fine against an energy company for violations relating to telemarketing activities.
Breaches of privacy-related obligations through telemarketing practices have been the area in which the highest data protection fines have been issued in Italy.
In this latest decision, the Italian data protection authority reiterated what it had already stated in previous decisions on the same topic. In particular, it held that “the consent, initially given to a data controller also for promotional activities of third parties, if it can be suitable for the communication of the data to the latter, cannot instead extend its effectiveness to subsequent transfers to other data controllers, since the same cannot be said to be supported by the necessary consent, specific and informed of the person concerned”. This position heavily affects so-called data brokers, since GDPR consent to marketing activities must specifically refer to the third party that will be the actual beneficiary of the given consent or its category of ownership.
In its defense, the energy company described the position of the Garante as “innovative” and, in fact, is not aware of a similar position being taken by other European privacy authorities. Moreover, the same Italian data protection authority, in its 2013 guidelines on anti-spam, had allowed third parties to be identified based on the “categories (economic or commodity) to which they belonged”, considering that in that case consent was to be understood as sufficiently specific.
Also relevant is the analysis of the limits within which legitimate interest can be relied upon and the need to prove this legal basis through a balancing test, also known as a legitimate interest assessment. In some cases companies do not perform these tests, although they can be decidedly relevant, especially during investigations or challenges. Indeed, legitimate interest is often abused by companies.
Finally, and unfortunately, in this case too the Italian data protection authority did not provide detailed guidance on the criteria for calculating the GDPR fine. The amount is based on the same percentage applied in the previous fines on telemarketing, but it would be useful to have more detailed calculation criteria, such as those adopted by the German and Dutch privacy authorities.
On a similar topic, you can read the article “€ 114 M GDPR fines issued according to DLA Piper Data Breach Survey 2020”.