Lessons from recent Italian Data Protection Authority decisions issued against Eni Gas e Luce and TIM
Laura Liguori
Portolano Cavallo, Rome
lliguori@portolano.it
Giulio Novellini
Portolano Cavallo, Rome
gnovellini@portolano.it
With two decisions issued on 11 December 2019 (and published on 17 January 2020), the Italian Data Protection Authority (Garante per la protezione dei dati personali – the 'Authority') sanctioned the company Eni Gas e Luce SpA, a major player in the energy sector, for the unlawful processing of personal data in the context of telemarketing and tele-selling activities and the conclusion of unsolicited contracts. In another decision, issued on 15 January 2020 (published on 1 February 2020), the Authority also fined the leading Italian telco operator TIM SpA for aggressive telemarketing and multiple breaches of the General Data Protection Regulation (GDPR).
We have examined these decisions closely and believe they offer useful lessons in guiding activities carried out by data controllers, consultants and DPOs offering their services to data controllers and, if appointed, data processors.
More complex and global investigations
The degree of detail and complexity of these types of investigations has certainly increased. The Italian Data Protection Authority undertook both inquiries in response to reports received from data subjects, and the investigations looked into:
• the operators’ internal procedures in their entirety;
• the degree of awareness on internal and external flows of personal data processed by the operators;
• effective control exercised over entities qualified as data processors; and
• the existence of documented organisational and technical measures to prove GDPR compliance.
In short, the data controllers’ accountability was under the microscope.
The importance of privacy by design
Both decisions impose sanctions due to, among other things, violation of the provisions regarding processing principles (Article 5 GDPR) and privacy by design (Article 25 GDPR). This highlights the fact that those provisions, which at a first glance appeared to be rules governing principles or even (according to some) mere policy, are for all intents and purposes regulatory obligations. Indeed, failure to comply with these rules can lead to severe consequences for companies, as breaches are punishable by sanctions.
Business procedures by design
Both decisions confirm that it would be a grave error to look at a company privacy programme as one simply based on documents or standard operating procedures. Instead, internal procedures must be created by design. They are not prescribed by law and are not strictly required by it, but they are policies needed in light of the risks connected to the company's business and in order to avoid sanctions. In light of these rulings, it would be unwise for anyone to continue considering privacy compliance as a routine process or a process which only exists on paper.
Permanent limitation of the processing and implementation of appropriate procedures
The Authority ordered processing to be limited permanently and also ordered certain company procedures to be fully reviewed and/or implemented within a term. Indeed, in addition to financial penalties, the real risk in the case of GDPR infringement is that the ability to process personal data and to use a database that represents an investment on the part of the data controller may be curtailed. Additional effects may stem from the requirement to review and/or implement – under the Authority’s supervision and on the schedule it imposes – company procedures needed to process personal data in accordance with GDPR provisions.
Purchase of personal data lists from third parties
When a company purchases personal data lists from third parties, it is not sufficient simply to provide a contractual guarantee that the third party transferring the data has obtained the data subjects’ consent to have their personal data communicated for marketing purposes. Therefore, it is even clearer now that if personal data lists are not purchased from the data controller who obtained consent but instead from an intermediary, it is necessary to ensure that the latter has obtained additional consent for the data to be communicated to third parties. In other words, consent for the communication of personal data to third parties does not cover all subsequent communication, but only covers the first instance of communication.
The opening of unrequested accounts as unlawful personal data processing
Opening accounts in people’s names without their request can also be relevant from a data protection standpoint. This was traditionally sanctioned as unfair commercial practice by the Italian Competition Authority, or Autorità Garante della Concorrenza e del Mercato. Indeed, where such account openings result from a lack of the technical and organisational measures needed to ensure that processing activities are handled properly and that the quality of the data meets certain standards, the conduct may also be sanctioned by the Italian Data Protection Authority under GDPR provisions.
Joint controllers
According to the Italian Data Protection Authority, when a processor uses personal data under its own initiative, against the instructions of the controller, the relationship between the controller and the processor can be qualified as joint controllership – as far as the relevant data is concerned. This is because the economic activity is largely joint activity and because it is implausible that in such a situation the controller is not aware of the activity undertaken by the processor under its own initiative.
Consent for marketing and prize draws/promotions
Making data subjects’ participation in prize competitions subject to their granting consent to have their personal data processed for marketing purposes represents infringement of both freedom of consent and free-of-charge participation in prize competitions, as enshrined in the regulatory framework on the subject.
Legitimate interest
Using the data controller’s legitimate interest as the legal basis for processing activities must be accompanied by a careful balancing of the data subjects’ rights and expectations regarding the processing of their personal data against the data controller’s own interests. Any such balancing must be adequately documented.
Data breach
Sending personal data such as invoices and phone records to parties other than the owner of a phone line is considered a data breach. The absence of suitable and adequate internal procedures to guarantee that such data is correct and complete shall be sanctioned by the Authority.
Turnover taken into account for the sanctions
The calculation of sanctions took into consideration various aggravating and mitigating circumstances, but it is worth noting that in both cases the maximum sanction was calculated considering the turnover of the company under investigation and without considering the concept of an undertaking, as defined in Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU), provided under Recital 150 of the GDPR. It is worth reiterating that fixed sanction amounts are not provided by the GDPR, which merely provides that the applicable administrative sanction may be up to €20m or, for an undertaking, two to four per cent of total annual worldwide turnover in the preceding financial year, whichever is higher.
The decisions are in line with the investigation plan approved in early 2018, the year in which the Authority’s investigation began. In fact, it was envisaged that the processing of personal data carried out by companies for telemarketing purposes would be subject – among other things – to investigation by the Authority, in light of the numerous reports received. The most recent investigation plan, dated September 2019, cited, among other things, processing carried out by means of whistleblower reporting, loyalty programmes, and the processing of health data carried out by private companies. It will be interesting to see what type of enforcement will follow, especially regarding the amount of sanctions. The absence of guidelines for determining sanction amounts raises doubts and generates uncertainty among operators.