Italian data protection regulator: factual role performed by the parties as a key factor in data controllership assessment

The Garante received a complaint from a telephone subscriber who, despite being on the register for telemarketing (which entered into force on January 31, 2011 and lists the details of telephone subscribers who do not want their numbers to be used for telemarketing purposes), received unsolicited phone calls for marketing purposes.

The company who made the unsolicited phone calls argued that the subscriber’s personal data have been purchased from another company (“Supplier”) by virtue of a supply agreement, which expressly qualified the Supplier as data controller for the data processing carried out by the company for its own marketing purposes.

Moreover, the company maintained that the subscriber’s consent for processing his data for marketing purposes has been obtained by the Supplier at the moment of collection of the subscriber’s personal data by means of an online survey via the Motorola’s website.

Firstly, the Garante found controllership on the Supplier. In the Garante’s view, the Supplier has carried out an unlawful data processing, since:

• it has not provided the subscriber with a proper information notice pursuant to Section 13 of the Data Protection Code (Legislative Decree no. 196/2003), and
•  has not obtained a valid consent from the subscriber.

In particular, the Garante held that the check-box for the subscriber’s consent to communication of his data to third parties was characterized by a too generic wording, since it referred to “communication of data” without any further specification, neither such specification was laid down into the information notice, which invited the subscriber to find the parties to whom data could be communicated at the Supplier’s premises.

Then, with reference to the company’s role in the processing of the subscriber’s data, the Garante found that, despite the contractual terms agreed between the parties qualified only the Supplier as data controller and provided the Supplier’s duty to appoint the company’s telesellers as data processors, the company met the criteria to qualify as data controller, as, among others:

• it was perceived by the subscriber as the data controller;
•  it determined in details the means and modality of the data processing (i.e., the telemarketing activity);
• it provided the technological platform to allow the Supplier the communication to the telesellers of the relevant data;
•  it acknowledged that it promptly erased the subscriber’s data from its databases upon receipt of request of information from the Garante (thus confirming that the company has processed the relevant personal data and had control on the same).

Further, the Garante gave relevance to the fact that the supply agreement provided that the company could not assume any liability with respect to the processing of data provided by the Supplier. In the Garante’s view, this provision implied that the company was fully aware of the possibility to be found liable in connection with processing of the aforementioned data for telemarketing purposes.

In light of the above significant factors, the Garante considered irrelevant the attribution of the controllership solely to the Supplier, and found also the company liable for breaches of the Data Protection Code, and, in particular, of the failure to check and verify if the subscriber’s consent for the telemarketing activities was validly provided.

Indeed, as clarified in the Garante’s guidelines on how to lawfully email advertising messages (Resolution of May 29, 2003), companies who purchase databases from third parties should assure that each data subject has given his/her consent to the communication of his/her email address and to its further use for marketing purposes. In the Garante’s view the same principle must apply in case of marketing activities carried out by the use of phone calls.

Therefore, the Garante:

• declared unlawful and prohibited the processing by the Supplier of the subscriber’s data, as well as of the data of any other data subject who filed the same online questionnaire via the Motorola’s website;
•  declared unlawful the company’s data processing for purposes of telemarketing without the subscriber’s valid consent.

The Garante’s resolution follows a resolution issued on June 15, 2011 on controllership for companies that use agents for promotional and marketing activities, which clarified the concepts of “data controller” and “data processor”.

The Garante’s resolution under comment shows that the factual role performed by the parties weighs heavily in favor of a finding of data controllership, despite of any contractual qualification.