With Order No. 184 of April 13, 2023 (“Order”), the Italian Data Protection Authority (“Garante”) sanctioned four companies, Mas s.r.l., Mas s.r.l.s., Sesta Impresa s.r.l., and Arnia Società Cooperativa (jointly the “Companies”), for infringing several provisions of Regulation (EU) 2016/679 (“GDPR”) when processing personal data for telemarketing purposes on behalf of and/or in the interest of third-party companies.
The Order is very interesting. In addition to prohibiting any further processing of personal data, as an ancillary measure for the first time the Garante ordered seizure of databases containing unlawfully collected contact lists.
The roles and activities of each of the Companies in the telemarketing covered under the Order can be described as follows: Mas s.r.l. did marketing work on behalf of Enel Energia (Italian energy company) by using a contact list acquired by Mas s.r.l.s., which, in turn, unlawfully acquired the list from an Italian and Spanish company on Facebook. Then, as a result of the marketing, Mas s.r.l. transferred a large number of contracts executed on behalf of Enel Energia to Sesta Impresa s.r.l., which was in charge of handing over the contracts to Arnia Società Cooperativa. Arnia, which did not have any kind of contractual or data processing relationship with Enel Energia, then uploaded the contracts to Enel Energia’s systems by accessing the systems using credentials assigned to third parties.
In light of this, the Garante sanctioned the Companies for a variety of GDPR infringements, ranging from the absence of a legal basis for processing data subjects’ personal data for marketing purposes (i.e., consent), to failure to comply with transparency obligations and adequately define the data protection roles of the Companies, to failure to keep processing records and implement appropriate security measures.
Notwithstanding the above, the greatest significance of the Order lies in the grounds for the Garante’s ancillary measure ordering seizure of the databases containing the unlawfully collected contact lists.
To justify this unprecedented decision, the Garante relied on two grounds.
Firstly, the Garante noted that from the beginning the Companies’ business activities were formulated in clear disregard of all privacy and data protection principles, thereby amounting to several instances of infringement of the same. This is proof that future processing activities undertaken by the Companies pose significant danger, which warrants the seizure of personal data available to them, at least in part to prevent unlawful use of the personal data by third parties.
Secondly, the Garante stressed that the ancillary measure is adequate to protect the vast array of data subjects who unknowingly “stumble upon the complex unlawful activities” undertaken by the Companies. The Garante noted that at least symbolically this ancillary measure restores for data subjects a sense of adequate protection of their personal data through intervention by a public authority.
The Order is further proof of the Garante’s continued commitment to ensuring that marketing activities are undertaken in compliance with applicable privacy and data protection provisions and opens the door to harsher measures in response to serious infringement of the same.
