Almost two years after the full applicability of the GDPR, the Italian Data Protection Authority has sanctioned two operators, Eni Gas e Luce and TIM. The fines were imposed in connection with the absence or inadequacy of business operating procedures concerning the processing of clients’ data for marketing purposes.
The wait is over. More than a year after the General Data Protection Regulation (GDPR) went into effect, the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) has finally issued the first significant sanctions. The sanctions were levied against two utility companies: Eni Gas e Luce (energy) and TIM (telco).
We’ve looked closely at these two decisions, and we believe they offer lessons useful in guiding the activities carried out by data controllers, consultants, and DPOs offering their services to data controllers (and, if appointed, data processors):
The degree of detail and complexity of these types of investigations has certainly increased. The Italian Data Protection Authority undertook both inquiries in response to reports received from data subjects, and the investigations looked into: (i) the operators’ internal procedures in their entirety, (ii) the degree of awareness of internal and external flows of the personal data processed by the operators, (iii) effective control exercised over entities qualified as data processors, and (iv) the existence of documented organizational and technical measures proving GDPR compliance. In short, the accountability of the data controllers was under the microscope.
Both decisions levy sanctions due to, among other things, violation of the provisions regarding processing principles (Article 5 GDPR) and privacy by design (Article 25 GDPR). This highlights the fact that those provisions, which at first glance appeared to be rules governing principles or even (according to some) mere policy, are for all intents and purposes regulatory obligations. Indeed, failure to comply with said rules can lead to extremely severe consequences for companies, since they are supported by sanctions.
Both decisions confirm that it would be a grave error to look at a company privacy program as simply a program based on documents or standard operating procedures. Instead, internal procedures must be created by design: they are not provided by law, they are not strictly required by law, but they are policies needed in relation to the risks connected to the business run by the company and in order to avoid sanctions. In light of these rulings, it would be unwise for anyone to continue to consider privacy compliance a rote process or a process that exists only on paper.
The authority ordered processing to be limited permanently and also ordered that certain company procedures be fully reviewed and/or implemented within a set term. Indeed, in addition to financial penalties, the real risk in the case of GDPR infringement is that the ability to process personal data and to use a database that represents an investment on the part of the data controller may be curtailed. Additional impact may stem from the obligation to review and/or implement (under the authority’s oversight and on the schedule it imposes) company procedures needed to process personal data in accordance with the provisions of the GDPR.
When a company purchases personal data lists from third parties, it is not sufficient simply to provide a contractual guarantee that the third party transferring the data has obtained the data subjects’ consent to have their personal data communicated to third parties for marketing purposes. Therefore, it is even clearer now that if personal data lists are not purchased from the data controller that obtained consent but instead from an intermediary, it is necessary to ensure that the latter has obtained additional consent for the data to be communicated to third parties. In other words, consent for the communication of personal data to third parties does not cover all subsequent communication, but instead covers only the first instance of communication.
Opening accounts in people’s names without their request (traditionally sanctioned as unfair commercial practice by the Italian Competition Authority, or Autorità Garante della Concorrenza e del Mercato) can also be relevant from a data protection standpoint. Indeed, if that occurs due to a lack of technical and organizational measures to ensure that processing activities are handled properly and the quality of the data meets certain standards, the conduct may also be sanctioned by the Italian Data Protection Authority under GDPR provisions.
According to the Italian Data Protection Authority, when a processor uses personal data on its own initiative and against the instructions of the controller, the relationship between the controller and the processor can be qualified as joint controllership, as far as the relevant data is concerned. This is because the economic activity is largely joint activity, and because it is implausible that in such a situation the controller is not aware of the activity undertaken by the processor on its own initiative.
Making data subjects’ participation in prize competitions subject to their granting consent to have their personal data processed for marketing purposes represents an infringement of both freedom of consent and free-of-charge participation in prize competitions (as enshrined in the regulatory framework on the subject).
Using the data controller’s legitimate interest as the legal basis for processing activities must be accompanied by careful balancing of the data subjects’ rights and expectations regarding the processing of their personal data with the data controller’s personal interests; this balancing must be adequately documented.
Sending personal data (such as invoices and phone records) to parties other than the owner of a telephone line is considered a data breach: the absence of suitable and adequate internal procedures to guarantee that such data is correct and complete shall be sanctioned by the Italian authority.
The calculation of the sanctions took into consideration the various aggravating and mitigating circumstances. It is worth noting, however, that in both cases the maximum sanction was calculated considering the turnover of the company under investigation and without considering the concept of an undertaking, as defined in Articles 101 and 102 of the TFEU, provided under Recital 150 of the GDPR. To reiterate, that maximum sanction is not provided by the GDPR, which merely provides that the applicable administrative sanction is up to €20 million or, for an undertaking, 2% to 4% of total annual worldwide turnover in the preceding financial year, whichever is higher.
The decisions are in line with the investigation plan approved in early 2018 (when the authority’s investigation began): in fact, it was envisaged that the processing of personal data carried out by companies for telemarketing purposes would be subject—among other things—to investigation by the Italian authority, in light of the numerous reports received. The most recent investigation plan, dated September 2019, cited, among other things, processing carried out by means of whistleblower reporting, loyalty programs, and the processing of health data carried out by private companies. It will be interesting to see what kind of enforcement comes next, especially regarding the amount of the sanctions. The absence of guidelines for determining sanction amounts is raising doubts and generating uncertainty among operators.