Garante per la protezione dei dati personali (Italy) - 10086536
| Garante per la protezione dei dati personali - 10086536 | |
|---|---|
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5 GDPR, Article 5(2) GDPR, Article 6 GDPR, Article 7 GDPR, Article 24 GDPR, Article 28 GDPR, Article 32 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 13.11.2024 |
| Published: | |
| Fine: | 678,897 EUR |
| Parties: | Illumia |
| National Case Number/Name: | 10086536 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Italian |
| Original Source: | Garante (in IT) |
| Initial Contributor: | elu |
The DPA fined Illumia, an energy provider, €678,897 for aggressive telemarketing operations that lacked a valid legal basis. Moreover, Illumia had fully outsourced the activity to processors without having processing agreements in place.
English Summary
Facts
Two data subjects lodged complaints against the energy supply company Illumia, the controller.
The first data subject claimed to have been contacted for telemarketing purposes on his telephone number without a valid legal basis, even though he was listed in the “Opposition Register” (in Italian, “Registro delle Opposizioni”), a register in which consumers can record that they do not wish to be contacted for telemarketing purposes.
The second data subject, who was already a client of the controller, claimed that she was called on her son's number (the contact number given for communications about her energy supplies) by an operator from the controller's commercial office. During the conversation, the operator said that the controller was aware of the data subject's intention to switch to another supplier for energy and gas. The operator also stated that the switch requested by the data subject would not go through and that she would therefore need to conclude a new contract with the controller.
The DPA opened an investigation into the matter and sent the controller two requests for information, asking it to demonstrate that its telemarketing activities complied with data protection rules.
The controller replied that all agencies in its sales network were required to check the numbers they intended to contact before making any calls. The controller stated that neither the calling number used by the alleged operator nor the data subjects' numbers appeared in its records. The controller also submitted that it had already filed a complaint against unknown persons with the Postal Police over these events.
Holding
The DPA concluded its investigation and found the following violations.
Violation of Articles 5, 6 and 7 of the GDPR
The DPA started its analysis by stating that, in relation to the second complaint, the operator was clearly aware of personal information which, taken together, could only have come from the controller, and the data subject had not consented to being contacted.
Thus, the DPA found a violation of Article 5, Article 6 and Article 7 GDPR.
Violation of Articles 5(2), 24, and 28 of the GDPR
The DPA continued its analysis by stating that the controller's obligations under Article 24 and Article 28 GDPR had not been fully complied with. In particular, the controller's decision to fully outsource its telemarketing activities was not accompanied by any additional safeguards, which the DPA found particularly problematic.
The controller selected the firms to which it outsourced telemarketing on the basis of its “Disciplinare tecnico Acquisizione Agenzie” policy. This policy contained no privacy checklist at all and considered only the size and economic reliability of the firms.
A privacy checklist was introduced only on 1 January 2024, and only six of the seventeen agencies were contracted in 2024, meaning that the “older” agencies continued to process personal data without complying with Article 28 GDPR.
The DPA then turned to the accountability principle laid down in Article 5(2) GDPR. According to the DPA, this principle gives the controller wide freedom in how it implements its data protection governance, but that freedom is matched by a correspondingly demanding duty to demonstrate compliance.
The obligations to which the controller is subject under Article 28 GDPR cannot be considered fulfilled by imposing a privacy checklist after the fact (ex post).
Thus, the DPA found a violation of Article 5(2), Article 24 and Article 28 GDPR.
Violation of Articles 5, 25 and 32 of the GDPR
The DPA further found a violation of Article 5, Article 25 and Article 32 GDPR, as the principle of integrity, the principle of data protection by design and by default, and the security of processing were not respected. More specifically, the controller provided no evidence that it had adopted measures to prevent the conclusion of contracts stemming from unlawful contacts. The DPA considered that, since Illumia is able to trace each contract back to the operator who entered it into the company's database, it should have been able to implement measures restricting access to the contact information in the first place, and it failed to do so.
Imposition of the fine
Given the number of violations found, the DPA considered it appropriate to impose a fine of €678,897.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[web doc. n. 10086536]

Provision of 13 November 2024

Register of provisions n. 672 of 13 November 2024

GUARANTEE FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

HAVING SEEN the Personal Data Protection Code (Legislative Decree no. 196 of 30 June 2003), as amended by Legislative Decree no. 101 of 10 August 2018, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the “Code”);

HAVING SEEN the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000, adopted with resolution of 28 June 2000;

REPORTER Prof. Pasquale Stanzione;

1. THE INVESTIGATIVE ACTIVITY CARRIED OUT

1.1. Introduction

With deed no. 54793 of 6 May 2024 (notified on the same date by certified electronic mail), which must be considered fully referred to here, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a proceeding for the adoption of the measures referred to in art. 58, paragraph 2, of the Regulation against Illumia S.p.A., (hereinafter “Illumia” or the “Company” or the “Data Controller”), in the person of its legal representative pro-tempore, with registered office in Bologna (BO), Via de Carracci n. 69/2, VAT number 02356770988.
The proceeding originates from an investigation initiated by the Authority following the receipt of two separate complaints lodged against the Company regarding the processing of personal data for telemarketing purposes. More specifically, with complaint n. 345203 the interested party complained of having been contacted, in the name and on behalf of Illumia, for promotional purposes on his mobile number, in the absence of an appropriate legal basis and in the course of registration in the Public Register of Oppositions (hereinafter also “RPO”). With complaint no. 352673, however, the interested party claimed to have been contacted on her son’s mobile number, usually provided as a reference contact for managing supplies for her home, by an operator who had described himself as the “contact person for the commercial office” of Illumia. During the telephone conversation, it emerged that the interlocutor was already aware of the request for the so-called switch to XX (hereinafter also “XX”) actually signed by the complainant in relation to her electricity and gas utilities. On the same occasion, the telephone operator also informed the complainant that the activations stipulated with XX could not be successful and that therefore it was necessary to conclude a new contract with Illumia. In both cases at issue, the calling number was not registered in the Register of Communication Operators (hereinafter “ROC”).

1.2. Requests for information formulated by the Authority

The Office, having examined both complaints, with two different requests for information formulated pursuant to art. 157 of the Code, invited Illumia to provide its observations on the incident and to illustrate the measures adopted in order to ensure that the telemarketing and teleselling activities carried out in the name and on behalf of the Company were carried out in compliance with the legislation in force on the protection of personal data (see Prot. nos. 33832 and 33842 of 18 March 2024).
With two feedback notes sent on 5 April 2024 (see Prot. nos. 43333 and 43317 of 8 April 2024), Illumia preliminarily pointed out that all agencies belonging to its sales network, before the start of each commercial campaign, are contractually obliged to submit the numbers they intend to contact to the Fondazione Ugo Bordoni (hereinafter also “FUB”) for verification. With specific reference to the complaints reported in the complaint documents, the Company stated that the names of the complainants were not present in the company information systems and that the calling numbers indicated were not among those used by its commercial partners, nor had they been the subject of other reports. Furthermore, following specific requests sent via certified email to its agencies, no elements emerged that could connect the contacts reported in the complaints to Illumia. For these reasons, the Company had filed a complaint against unknown persons with the Postal Police. With regard to teleselling activities, Illumia clarified that it uses agencies operating via telephone and web channels. The agency selection process is formalized in a "Technical Specification", divided into the following three phases:

- preventive analysis using a specific checklist;
- signing of the contract with the provision of a six-month trial period, aimed at monitoring the agency's productivity;
- mapping of the agency and the numbers used to carry out telemarketing activities on company systems, including operators dedicated to the Illumia order and any sub-agencies.

In addition, from 1 January 2024, agencies are also given a “GDPR Checklist”, in order to verify the adoption of adequate safeguards in terms of personal data protection. In the event that the aforementioned verification reveals discrepancies, the agency is granted a period until the end of the trial period to demonstrate any remediation actions undertaken.
Illumia has also declared that it periodically organizes webinars and training sessions on personal data protection and teleselling aimed at its commercial partners. With the conclusion of the contract, the agencies are also appointed as Data Processors pursuant to art. 28 of the Regulation, which expressly provides for prior communication of any sub-processors in order to provide for their identification and mapping. In this latter case, the Processor is also required to enter into a specific contract with the sub-processor, with the effect of making the same obligations assumed by the Processor towards the Data Controller fall on the latter party. The agency contract includes an express termination clause that allows Illumia to terminate the contract in the event of violation of the legislation on the protection of personal data. The agency contract also includes the “Procedures for controlling the personal data sources used for marketing campaigns”, the “Declaration of lawfulness of the personal data lists” and the “Operating instructions for the correct use of the personal data used during teleselling campaigns”. The process of contractualizing customers through the teleselling channel requires that the Agencies contact the users who have given their consent and that, in the event of interest in concluding the contract, the vocal order is recorded. Subsequently, the customer receives the contractual documentation and a check call for verification and confirmation via ordinary or electronic mail. The supply is not activated if the customer does not confirm during the check call that he/she wishes to enter into the contract or if he/she is unavailable after five unsuccessful contact attempts. For Agencies operating through the web channel and for a single agency operating through the telephone channel, the Company has adopted a contractualization process that involves the use of a One Time Password (OTP) received via SMS. 
After the agencies have entered the contracts on the Illumia platform, they are subjected to the following checks: automatic pre-check check on the consistency of the tax data and supply data present on the Integrated Information System (SII), check of the customer's creditworthiness, re-listening to the Vocal Order and detection of recurring numbers and email addresses (implemented from January 2024). With reference to the system of supervision of the agencies' operations, Illumia stated that it carries out bimonthly monitoring of disavowals, on-site visits when a predetermined threshold of reports is exceeded, compatibility checks between the disavowal rate and a predetermined threshold of criticality. Furthermore, in the event of disavowal of a contract due to fraudulent conduct by third parties and following the acceptance of the complaint, the Company segregates the relevant customer data, eliminates any previous consent to the processing of personal data for marketing purposes and inserts the customer into the internal blacklist. Illumia also carries out internal audits and random checks of contact lists, which may lead to the detection of "Observations" and "Non-conformities". Finally, the Company stated that currently "some feasibility assessments are underway regarding the following organizational and security measures: tracking of access to the portal (...) for the insertion of contracts; increase in on-site audits; extension of the check call to all contracts acquired by WEB Agencies».

1.3. Joint handling of complaints.

Considering that the complaints in files nos. 345203 and 352673 are addressed to the same owner and concern issues of the same nature, in order to promote their organic examination and implement the principles of economy and speed referred to in art. 9 of internal regulation no. 1/2019 (in www.gpdp.it, web doc. no. 9107633), it was deemed appropriate to handle the complaints jointly pursuant to and for the purposes of the subsequent art. 10 of the same regulation. In this specific case, furthermore, joint proceedings appeared more suitable to guarantee the right of defense and the need not to aggravate the proceedings, also in terms of the lower expenditure of time and resources that it entails for the data controller.

1.4. Contestation of violations

The Office, following the investigation, adopted the aforementioned contestation act no. 54793/24 in which, first of all, it was observed that all the circumstances represented by Illumia in the response notes were undoubtedly of a documentary nature and that, however, the Company had not intended to produce any proof of such documentation, with the exception of two reports-complaints dating back to a date subsequent to the receipt of the requests for information from this Authority. Likewise, the clarifications regarding the chain of controls and measures implemented with respect to its commercial partners appeared generic and contradictory, such as not to provide a complete and coherent picture of corporate governance in terms of data protection. In the opinion of the Office, these elements were sufficient to integrate the extremes of the violation of the principle of accountability established by Articles 5, par. 2 and 24 of the Regulation, in the part in which they provide that the burden of demonstrating that the personal data processing operations are conducted in compliance with the legislation in force on the matter falls on the owner. For the same reasons, the Office believed that the documentation in the proceedings seemed to confirm the violation of Articles 5, 6 and 7 of the Regulation and of Article 130 of the Code, as complained through the complaints brought to the attention of the Authority in relation to the receipt of promotional calls, made in the name and on behalf of Illumia, in the absence of an appropriate legal basis and using numbers not registered in the Register of Communication Operators (ROC).
With the same complaint, the Office also noted numerous critical issues in relation to the selection and monitoring process of the agencies responsible for carrying out teleselling activities in the name and on behalf of the Company with specific reference to the obligations placed on the data controller pursuant to art. 28 of the Regulation (so-called culpa in eligendo and culpa in vigilando). More specifically, the circumstance that the Company proceeded with the contractualization of the agencies, even in the presence of any misalignments with the legislation on the protection of personal data, granting time until the end of the trial period to implement any remediation actions, did not appear to be entirely consistent with the regulatory provisions. Moreover, according to the statements made by Illumia, specific controls on the protection of personal data had been implemented only starting from January 2024 and therefore with a significant delay compared to the date of entry into force of the Regulation. The practice just illustrated, in the opinion of the Office, was not acceptable for two reasons, given that art. 28 of the Regulation requires the data controller to use only data processors who present sufficient guarantees to implement adequate technical and organizational measures so that the processing satisfies, from the outset, the requirements of the Regulation and guarantees the protection of the rights of the data subject. Furthermore, the termination of the contract for failure to pass the test did not prevent telephone contacts from being made in the meantime in the absence of an appropriate legal basis and the collection of the emoluments for any activations that may have resulted from them. On the other hand, even the operating instructions on the use of the personal data allegedly given to the agencies did not seem to be entirely in line with the provisions contained in the Presidential Decree no. 26/2022 on the establishment of the Public Register of Oppositions (RPO).

The Company, in fact, had declared that it used agencies operating through the web and telephone channels, however it required partners to consult «monthly, and in any case before the start of each promotional campaign, the Public Register of Oppositions». This indication seemed to conflict with the letter of art. 8 of the aforementioned decree in the part in which it provides that «The consultation of the register by each operator is effective for fifteen days for data processing for the purposes of sending advertising or direct sales material or for carrying out market research or commercial communication, through the use of the telephone, with or without an operator, and for thirty days for data processing for the same purposes through the use of paper mail». Again with reference to the control and monitoring activities carried out by the Company with respect to the agencies and the contact lists, the absence of any documentary or probative index, in the opinion of the Office, led to doubts as to the actual performance of audits or on-site visits and the suitability of the criteria used to identify the agencies to be audited. Furthermore, the findings provided showed that the Company had failed to implement suitable measures to prevent the activation of contracts uploaded to the company systems following illicit contacts and to inform the interested party. Finally, the notice of dispute also highlighted further critical issues in relation to the principles of integrity, security and confidentiality established by Articles 5, 25 and 32 of the Regulation, given that the Company had declared that some feasibility assessments were underway regarding the implementation of a system for tracking access to the portal for entering contracts.
The failure to implement this basic and indispensable safeguard, in fact, led to the belief, on the one hand, that the processing operations were not carried out in such a way as to guarantee adequate security of personal data, including protection from unauthorized or unlawful processing and adequate security from accidental loss, destruction or damage. On the other hand, this serious gap denoted the absence of safeguards aimed at averting the risk that contracts deriving from wild telemarketing activities could enter the systems, thus fueling the induced effect of the so-called "undergrowth" of telemarketing. The Office, therefore, contested Illumia for the violation of Articles 5, 6, 7, 24, 25, 28 and 32 of the Regulation, as well as Article 130 of the Code, for having carried out the above-described processing of personal data of users and contractors in the energy sector in conflict with the principles of lawfulness and accountability, in the absence of an appropriate legal basis and by implementing inadequate technical and organizational measures to ensure, from the design stage, and to be able to demonstrate, that the processing is carried out in accordance with the Regulation.

2. THE DEFENSE OF THE DATA CONTROLLER

2.1 The preliminary requests for defense

With a request dated 21 May 2024 (see Prot. no. 61857 of 22 May 2024), Illumia requested an extension of thirty days of the deadline granted for the purposes of transmitting the defensive briefs referred to in art. 166, paragraph 6 of the Code, representing the need for this «(…) on the basis of the particular complexity of the issues underlying the Proceedings, as well as the numerous legal assessments formulated (…)». The Company also highlighted that granting an extension was also appropriate in consideration of Illumia's operational and dimensional characteristics "(...) in order to allow the undersigned Company to provide this Authority with a complete, detailed and exhaustive information and documentation framework in relation to the findings formulated (...) Illumia, together with the holding company Tremagi Energia S.r.l., has approximately 200 employees, operating in various departments, as well as a network of over 20 agencies for teleselling and telemarketing services that operate throughout the national territory". With a subsequent request dated 24 May 2024 (see Prot. no. 63829 of 27 May 2024), the Company requested to view and extract a copy of the reports received by the Authority, to which the Office had merely referred in the body of the dispute pursuant to art. 166, paragraph 5, of the Code. With a note dated 29 May 2024 (see Prot. no. 65145/24) the Office responded to the aforementioned request for extension and, in recalling the provisions contained in articles 166, paragraph 6, of the Code and in articles 12 and 13 of internal regulation no. 1/2019, noted that « (…) the investigation is purely documentary in nature and focuses on objectively limited issues (i.e. processing of personal data carried out in the field of telemarketing and tele-selling), therefore the granting of an extension of 30 days does not appear to meet the aforementioned proportionality criteria. Therefore, considering the aforementioned regulatory framework and the practice consistently followed by the Office in entirely similar proceedings as well as the needs of cost-effectiveness and reasonable duration of the proceedings, an extension of 15 days is granted (…)». With a subsequent note dated 11 June 2024 (see Prot. no. 70643/24), taking into account that «the reports brought to the attention of the Authority against Illumia S.p.A. are not the subject of the joint investigation on files nos. 345203-352673 referred to in the communication of initiation of the proceeding of 6 May 2024 (see Prot. no. 54793/24) and that therefore the company is not called upon to submit observations in relation to these complaints», the Office rejected the request for access «due to the lack of direct, concrete and current interest related to the documentation requested to be disclosed». In the field of telemarketing, in relation to which the Authority receives thousands of complaints every year, the existence of reports received against a data controller, as occurred in the case in question, proves to be a useful indicator for distinguishing cases of isolated complaints and therefore attributable to physiological phenomena, from those symptomatic of a widespread and pathological phenomenon. In the case in question, taking into account that pursuant to art. 19 of internal regulation no. 1/2019 «(…) the Authority may use the information indicated in any reports that come from an unidentified subject, if it deems it necessary to initiate checks on cases in which it identifies the risk of serious harm or retaliation against subjects affected by the processing, or in any case there is a case of particular gravity. The report may be examined by the Authority, but does not entail the necessary adoption of a measure (…)», also considering the homogeneity of the issues that are the subject of the complaint and that the investigation of the individual reports would not have allowed compliance with the deadlines for the conclusion of the procedure for the complaints that had originally been investigated individually, it was deemed appropriate to proceed with the specific investigation of the complaints only.

2.2 The exercise of the right of defense pursuant to art. 166, paragraph 6 of the Code

With defense briefs transmitted on 20 June 2024 pursuant to art. 166, paragraph 6 of the Code, Illumia preliminarily highlighted that it had «(…) interpreted the communications of this Authority as a simple request for information, a case that art. 157 of the Privacy Code distinguishes from the request for the production of documents» and therefore to provide for the filing of all documentation useful for demonstrating what was stated. The Company then declared that it employs over 200 employees and a commercial network composed of agencies operating throughout the national territory and that for the management of this network of agencies, it has implemented a complex procedural system based on the so-called Technical Disciplinary. Furthermore, from 1 July 2024, the Company was awarded the Gradual Protection Service for Non-Vulnerable Domestic Customers provided by Arera and therefore deemed it appropriate to avoid expanding its network of Agencies, also in order to consolidate the control and monitoring procedures for the partners already contracted.

With specific reference to complaint no. 345203, the Company, in reiterating the observations previously put forward through the note of response to the request for information pursuant to art. 157 of the Code, to be considered fully recalled (see par. 1.2 of this provision), highlighted that following further investigation it emerged that the complainant was registered with the RPO on 7 February 2024, i.e. the day before receiving the unwanted communication that is the subject of the complaint. In the opinion of the Company «it is therefore clear that, even if the call had been made on behalf of Illumia, the short period of time between the call and the registration with the RPO would not have led to a violation of Presidential Decree no. 26/2022, given that pursuant to art. 8 “(..) the consultation of the Register by each operator is effective for fifteen days for data processing for the purposes of sending advertising material and direct sales (…)”».

As for file no. 352673, the Company preliminarily raised the irregularity of the complaint, since the telephone number to which the unwanted promotional contact was made belongs to the complainant's son and that consequently the complaint appears to have been presented by a person other than the interested party. Illumia then observed that the complainant's statements regarding her habit of using her son's telephone number in the context of contractual relationships relating to electricity and gas utilities highlight a "(...) macroscopic misalignment between the owner of the mobile phone number and the actual contractor (...)" and that the circumstance that the complainant's son works for a company in the Energy sector does not exclude a priori the possibility that the complainant's data were provided by her son, or that the call was actually addressed to the latter. Then, in reiterating the deductions already provided previously, the Company further highlighted that following additional investigations it emerged that the telephone number used by the complainant was registered with the RPO on 15 March 2024 and therefore dates back to a time after the receipt of the telephone contact that is the subject of the complaint. In addition, the circumstance that both complainants did not provide any reply in relation to what was represented in the notes of 5 April 2024, in the opinion of the Company, is worth demonstrating the correct management of the facts that were reported. With regard to the complaints against unknown persons filed by the Company with the competent Police authorities, Illumia observed that the Guardia di Finanza deemed it appropriate to hear the internal lawyer as a person informed of the facts and that this “unusual approach” taken by the Authorities is worth proving that the Company represents the injured party with respect to the contested conduct.
With reference to telemarketing and teleselling activities, Illumia declared that it uses ten agencies and sub-agencies for the telephone channel and seventeen agencies and sub-agencies operating in the web channel. In order to ensure that its sales network operates in compliance with the legislation on the protection of personal data, the Company first prepared a Technical Regulation for Agency Acquisition that identifies the minimum requirements to be respected during the recruiting, acquisition and coding phase of a new agency. This regulation, in force since 2018, has also been subjected to two audits by independent bodies that concluded with positive results. Illumia then clarified that it carries out a series of preliminary checks - both from a contractual and regulatory perspective - preliminary to the signing of the agreement for the performance of teleselling activities. More specifically, the Technical Regulations (see chapter 4) provide that with the involvement of the Company's top structures, a series of information and documentation are first acquired, including the registration in the Register of Communication Operators and then the compilation of a checklist is requested. Through this checklist, preliminary information is collected regarding the methods of acquisition of the lists and their suppliers, the assets and IT tools used and the level of training of the staff. Furthermore, starting from 1 January 2024, Illumia has implemented an additional control checklist regarding the protection of personal data. In support of the briefs pursuant to art. 166, paragraph 6 of the Code, Illumia has also produced a sample of contracts signed with certain agencies containing detailed clauses on the obligations regarding data protection and the attached forms. 
In relation to the trial period provided for in the aforementioned contracts, the Company declared that the purpose of this clause «(…) is not so much to reserve a tool to terminate the contractual relationship in the event of non-compliance with the provisions regarding tele-selling and data protection (situations for which, instead, an express termination clause formulated ad hoc is provided), but rather to provide the parties with a tool to “verify the mutual convenience of making stable or terminating the contractual bond (…)». Illumia then illustrated the characteristics of the IT systems used for the management of the sales force, in particular those for mapping the personal data of agencies, sub-agencies and operators and for calculating commissions and described the system used for uploading contracts by agencies and sub-agencies, subject to authorization both at the level of the legal person and the individual operator. A special password-protected account is created for each operator. The company systems also map the numbers used by partners to carry out telemarketing activities. Furthermore, following a provision issued by the Guarantor against another operator in the same sector, the Company has also implemented a system for "verifying any anomalies connected to the insertion of recurring telephone numbers and emails for contracts uploaded to the agency portal". The Company then reiterated that at least every six months the Legal Affairs Department organizes mandatory training sessions aimed at the sales force. With regard to checks on the contact lists used by commercial partners, Illumia has declared that it carries out checks on a quarterly basis before the start of a new campaign, during and at the end of the same. More specifically, these checks are carried out on a sample basis against an agency chosen on the basis of a risk-based approach, using the number of contracts finalized and any disavowals received as a reference index. 
Following these checks, a summary report is drawn up. Following the control activities, Illumia may raise Observations and Non-Conformities, or indicate to the agency remedial actions to be taken. In the latter case, the Company also carries out subsequent audits aimed at verifying compliance. The Company has declared that it also carries out monitoring activities on contracts acquired through the agency. On this point, the Technical Regulations and company procedures provide that the verification activity is divided into two phases: formal verification of the contracts and confirmation call. The latter is carried out on all contracts acquired via the telephone channel, using a predefined script and in the event of a negative outcome, the supply is not activated. Compared to contracts concluded via the web channel, however, the confirmation call is currently carried out on a sample basis, but it is the Company's intention to extend it to all agreements. Illumia has set up a special section of the site that allows users to check whether the calling number is among those used by its sales network, which may also involve the application of the Procedure for complaints of non-clear numbers. With regard to monitoring activities on the sales network, the data controller has highlighted that it has set up a Sales Quality Monitoring Committee, composed of top company figures, with the function of "monitoring the quality of the Illumia sales network and compliance with sector regulations of the contractualization processes and related documentation" and with the task of "analyzing the sales processes of the outbound networks, verifying the defectiveness of the contracts and the number and seriousness of the complaints received". This committee also has "the power to order audits at the agencies and initiate sanctioning proceedings against the less virtuous commercial partners which may end, in the most serious cases, with the termination of the agency contracts". 
To manage reports from interested parties, the Company has made various channels available to users and implemented a specific procedure (Procedure for the management of the exercise of rights regarding the protection of personal data). In the event that an interested party complains about receiving an unwanted call for promotional purposes, the relevant contact details are included in a black list, then shared with the Agencies on a weekly basis. If the negative results of the confirmation call and the reports from users reach a predetermined critical threshold, the Company is entitled to take certain measures ranging from a simple warning, to an on-site visit and even to the termination of the contract. Furthermore, the numbers reported are subject to further control, so that if they are among those in use by the sales network, they lead to the implementation of the ex post sales monitoring procedure just described, otherwise the Company proceeds to file a complaint with the Postal Police. Illumia has declared that it also carries out on-site audits on selected Agencies based on the risk-based principle, which considers the number of contracts concluded and the results of the monitoring activities. The audits, conducted using a specific checklist, are intended to verify the state of compliance of the agencies with the legislation on the protection of personal data. Finally, the Company stated that it had undertaken a project to obtain ISO 9001 certification and to adhere to the Code of Conduct on telemarketing and teleselling. The owner did not submit a request for a hearing before the Authority pursuant to Articles 166, paragraph 6, of the Code and Article 13 of Internal Regulation No. 1/2019. 3. ASSESSMENTS BY THE AUTHORITY It should be noted first of all that, contrary to what the Company claimed, the requests for information formulated by the Authority did not leave any room for interpretation regarding the content of the feedback requested. 
Those requests were made under art. 157 of the Code, and that legal reference appeared both in the subject line and in the body of the communication. Moreover, given that both the heading and the wording of art. 157 of the Code expressly refer to the production of documents, and that under the combined provisions of arts. 5(2) and 24 of the Regulation the principle of accountability places on the controller the burden of demonstrating that processing complies with the applicable law, it is not plausible that the Company could have fallen into any misunderstanding or excusable error of interpretation. Secondly, the objections raised specifically against the complaints at issue cannot be accepted either. As regards complaint no. 345203, the Company observed that the data subject had registered with the RPO only on 7 February 2024, i.e. the day before receiving the unwanted communication. However, since the documentation produced by Illumia does not show whether this was a first registration or a renewal, and since the data subject himself stated in the complaint, on his own responsibility, that he had registered with the RPO "on 27/7, then at the beginning of January, and subsequently yesterday 7/02/2024", this objection cannot be upheld. Illumia then contested the regularity of complaint no. 352673 for breach of art. 77 of the Regulation, arguing that the complaint should have been lodged directly by the complainant's son, as the holder of the line that received the unwanted call, and that it cannot be excluded a priori that the contact was meant for him.
On this point, it should be stressed that the complainant's grievance was that the telephone operator knew of the switch request she had actually made for the electricity and gas utilities of her home, and even of the supplier she had chosen. Therefore, given the content of the call and the data subject's statement that she habitually uses her son's number as her reference contact, there is no doubt that the call was addressed specifically to the complainant, and that for the caller that telephone number was information useful to uniquely identify the data subject, regardless of who actually holds the line. The concept of personal data under the Regulation does not hinge solely on the nature of the data, but rather on its identifying power, understood as the actual possibility of uniquely revealing the identity of the data subject. Indeed, art. 4(1) of the Regulation defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person", and recital 26 clarifies that "It is desirable to apply the principles of data protection to all information relating to an identified or identifiable natural person. Pseudonymised personal data which could be attributed to a natural person through the use of additional information should be considered as information on an identifiable natural person.
In order to establish the identifiability of a natural person, account should be taken of all the means, such as singling out, reasonably likely to be used by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments (…)". Applying these principles to the present case, it is abundantly clear that, on the basis of the statements in the complaint, the operator possessed a set of information (address, telephone number, switch request, chosen supplier) which, taken together, was attributable exclusively to the complainant; it follows that the complaint meets all the formal and substantive requirements of art. 77 of the Regulation. It should be added that the person protected in processing for telemarketing purposes is not only the "contractor" of a telephone service but also the "user", understood as "any natural person who uses an electronic communication service accessible to the public, for private or commercial reasons, without necessarily being a subscriber", as specified by art. 121, paragraph 1-bis, letter g) of the Code. As regards complaint no. 352673, then, the Company's observations about registration with the RPO are entirely irrelevant, since the complainant did not complain of receiving a promotional call on a registered number, but of receiving a promotional call without a suitable legal basis, made by an operator who was unlawfully in possession of a set of information referable to her.
Nor can the controller's view be shared that the complainants' failure to submit observations suffices to demonstrate "the correct management of the incident": submitting observations is a mere faculty granted to the data subjects, and not exercising it certainly amounts neither to a withdrawal of the complaint nor to acquiescence in the Company's reply. With regard to the controller's obligations under art. 28 of the Regulation and the security measures implemented by the Company, the documentation and submissions examined as a whole reveal a privacy governance framework that is not fully compliant with, or updated to, the current legislation. This finding is all the more serious given that, by the Company's own admission, teleselling is entirely outsourced to a large group of agencies and sub-agencies. This is certainly not to say that outsourcing, or the number of partners, is in itself an indication of a violation, but rather that the choice to entrust a branch of one's business to a series of external parties must be accompanied by adequate measures to avert the risk of unlawful activities. For teleselling, the Company's data protection compliance rests on the Technical Regulations for Agency Acquisition, last updated on 3 April 2020. Examination of those regulations and the related procedures fully confirms the culpa in eligendo and the objections raised about the supplier selection process.
Apart from the acquisition of documentation proving registration with the ROC and an isolated reference to the purchase of "faked" lists, until December 2023 the only requirements that the Company assessed when recruiting an agency, under the specifications and through the Agency Acquisition Checklist, concerned merely the agency's size and economic reliability. Indeed, by Illumia's own admission, a specific Privacy Checklist was introduced only from 1 January 2024. Moreover, only some of the current agencies (six out of seventeen) were contracted in 2024, so the remaining ones were selected, and continue to process personal data, without the prior and careful assessment required by art. 28 of the Regulation. Nor can this omission be compensated for by the trial period and the express termination clauses for breaches of data protection law. The wording and content of the trial-period clause in the contract forms (art. 10.2 of the agency contract: "In order to verify the mutual convenience of making stable or terminating this contractual obligation, the Parties agree to agree on a trial period of six months. This period will start from the first month following the transmission by the Agent of 50 ILLUMIA contracts and, during this period and from the date of signing this contract, each of the parties may, at any time, withdraw from the relationship ad nutum without any obligation to give notice or compensation in lieu. In the event of expiry of the trial period in the last quarter of the year, the expiry of the trial period is automatically extended to 15 January of the following year") clearly and exclusively refer to a notion of economic convenience.
But even on a broader reading, such a clause could in no way discharge the controller's obligation to use only parties qualified in data protection, since it is plainly unsuitable to avert the risk that, in the meantime, processing carried out in the name and on behalf of Illumia is performed by parties lacking adequate skills and suitable security measures. Likewise, the fact that in 2023 alone the clause led to the termination of five contracts is a telling indicator of the inadequacy of the supplier selection and evaluation process. With specific reference to the charges concerning the obligation to supervise and monitor the work of the data processors (so-called culpa in vigilando), the Company described the contractual obligations imposed on the agencies and declared that it carries out random on-site audits and documentary checks. But for the reasons discussed in detail below, those measures, though commendably adopted, appear neither fully compliant with the current regulatory framework nor sufficient in relation to the risks to the rights and freedoms of data subjects. First of all, the merely formal provision of operating instructions, obligations and indemnity clauses cannot be regarded as fulfilment of the controller's obligations unless it is accompanied by periodic and effective supervision and verification. Furthermore, carrying out monitoring on criteria that identify an excessively small number of subjects, or that are triggered only by the occurrence of anomalies and reports, is not acceptable.
With the entry into force of the Regulation, the concept of accountability was introduced into the Italian legal system: a principle with many implications, in many ways disruptive. This principle, clearly influenced by common law, is wholly innovative. Under Italian legislation citizens are used to knowing exactly the scope of the obligations and prohibitions imposed by law; the principle of accountability, by contrast, gives the controller wide freedom of choice in implementing its own data protection governance, to which a complex notion of responsibility is closely tied. Proof of this new vision is the very formulation of the security rules, which no longer list minimum measures to be adopted but require the controller to assess and identify the appropriate measures in relation to the context, the state of the art and the risks. Within this new conception of the controller's role, the principle of accountability must be regarded as a common thread informing the interpretation and application of all the rules and principles of the Regulation, and therefore as an essential hermeneutic canon. Consequently, the controller's obligations under art. 28 of the Regulation, read in light of the accountability principle, cannot be regarded as effectively fulfilled by boilerplate clauses or by interventions made only ex post when an anomaly occurs; they require a quid pluris, namely effective control over the processing chain and the periodic updating of the technical and organisational measures adopted to achieve it. Moreover, without prejudice to the validity of a risk-based approach, in this case the criteria used to select the sample of subjects to be scrutinised are objectionable.
Given that only a small proportion of data subjects are usually inclined to file reports, and that a data subject may not even realise that a contract was concluded on the basis of an unlawful contact, the criteria used by Illumia prove ineffective and misleading, since they identify an excessively small number of subjects to scrutinise. Nor is Illumia's choice to act only when a predetermined threshold of anomalies is reached entirely acceptable: the controller's obligations and responsibilities described above require action even in the presence of a single anomalous episode or an isolated report. On the other hand, the obligations and instructions given to the processors also reveal an incomplete assimilation of the obligations imposed by current legislation, and that certain teleselling activities are carried out without an appropriate legal basis and without the conditions provided for by law. The instructions attached to the agency contract, where they provide that «(…) The Agent has the obligation to consult the Register of Oppositions on a monthly basis, and in any case before the start of each promotional campaign, and to update its lists, verifying that the personal data to be contacted have not entered their telephone contact(s) in the same, established with the Presidential Decree no. 178 of 2010, and also extended to mobile numbers with Law no. 5/2018, in order to avoid making offers to anyone who is present in the Register itself; The Agent acknowledges and accepts that the consultation of the Register of Oppositions referred to above is effective for fifteen days (…)», are contradictory and in any case disregard the different periods of validity that the law attaches to RPO consultations depending on the channel used for the marketing activity (telephone, e-mail, paper mail, etc.).
Likewise, the Procedures for controlling the sources of personal data used for marketing campaigns have the stated purpose of "ensuring that each telephone number present in the contact list purchased by the Agent refers to a person who has validly consented to the communication of their contact details and their subsequent use for commercial and marketing purposes", yet on the one hand they draw no distinction between prospects, customers and former customers and, on the other, they do not address data coming from public registers (see arts. 129 and 130 of the Code and art. 1 of Law no. 5/2018). Finally, the documentation and information acquired as a whole also make clear that the principles of integrity, security and confidentiality laid down in arts. 5, 25 and 32 of the Regulation have been violated. While the procedure for uploading contracts through personalised, password-protected profiles managed by individual operators is praiseworthy, the Company has provided no suitable evidence that it adopted measures to avert the risk of activating contracts originating from an unlawful contact. More specifically, while Illumia does appear able to trace a contract back to the operator who entered it into the company systems, it has failed to implement measures and precautions that prevent such entry at the source (e.g. instructions on password management, measures preventing the simultaneous use of an account by several persons, measures capable of revealing anomalous access by time, volume or geographical area, etc.). On this point, the Company itself stated that feasibility assessments are under way for a system tracking access to the contract-entry portal.
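The safeguards the Garante finds missing here (detecting simultaneous use of one operator account, anomalous access by time, volume or geographical area) and the recurring telephone number and e-mail check on uploaded contracts that the Company describes earlier are all controls that can be run over the portal's own upload log. The following is an added example written for this page, not Illumia's code and not part of the Garante's decision; the event fields, thresholds, business-hours window and log entries are constructed assumptions for the illustration.

```python
"""Anomaly checks over an agency contract-upload portal log.

Added example for this page: not Illumia's code and not part of the decision.
Field names, thresholds, the business-hours window and the log entries below
are assumptions constructed for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one entry per contract uploaded through the portal.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:00", "account": "op_017", "src_ip": "203.0.113.10", "geo": "IT-BO",
     "contract_id": "C-1001", "phone": "+393331110001", "email": "a@example.com"},
    {"ts": "2024-03-04T09:15:00", "account": "op_017", "src_ip": "198.51.100.7", "geo": "IT-NA",
     "contract_id": "C-1002", "phone": "+393331110002", "email": "b@example.com"},
    {"ts": "2024-03-04T23:40:00", "account": "op_022", "src_ip": "192.0.2.55", "geo": "IT-RM",
     "contract_id": "C-1003", "phone": "+393331110003", "email": "c@example.com"},
    {"ts": "2024-03-05T10:00:00", "account": "op_031", "src_ip": "192.0.2.90", "geo": "IT-MI",
     "contract_id": "C-1004", "phone": "+393331110001", "email": "d@example.com"},
    {"ts": "2024-03-05T10:05:00", "account": "op_031", "src_ip": "192.0.2.90", "geo": "IT-MI",
     "contract_id": "C-1005", "phone": "+393331110005", "email": "d@example.com"},
    {"ts": "2024-03-05T10:06:00", "account": "op_031", "src_ip": "192.0.2.90", "geo": "IT-MI",
     "contract_id": "C-1006", "phone": "+393331110006", "email": "f@example.com"},
    {"ts": "2024-03-05T10:07:00", "account": "op_031", "src_ip": "192.0.2.90", "geo": "IT-MI",
     "contract_id": "C-1007", "phone": "+393331110007", "email": "g@example.com"},
]

# Assumed thresholds; a real deployment would tune them per agency and campaign.
BUSINESS_HOURS = (8, 21)                      # uploads expected between 08:00 and 20:59
SHARED_ACCOUNT_WINDOW = timedelta(minutes=30)  # two locations inside this window = shared login
VOLUME_WINDOW = timedelta(hours=1)
VOLUME_LIMIT = 3                              # more than 3 uploads per account per hour


def _parse(events):
    """Copy events with parsed timestamps, sorted chronologically."""
    return sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                  key=lambda e: e["ts"])


def shared_account_findings(events, window=SHARED_ACCOUNT_WINDOW):
    """Same operator account used from two different source IPs or locations within `window`."""
    by_account = defaultdict(list)
    for e in _parse(events):
        by_account[e["account"]].append(e)
    findings = []
    for account, evs in by_account.items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # evs are sorted, so later events are further apart
                if a["src_ip"] != b["src_ip"] or a["geo"] != b["geo"]:
                    findings.append({"check": "shared_account", "account": account,
                                     "contracts": (a["contract_id"], b["contract_id"])})
    return findings


def off_hours_findings(events, hours=BUSINESS_HOURS):
    """Uploads made outside the expected business-hours window."""
    start, end = hours
    return [{"check": "off_hours", "account": e["account"],
             "contract": e["contract_id"], "hour": e["ts"].hour}
            for e in _parse(events) if not start <= e["ts"].hour < end]


def volume_findings(events, window=VOLUME_WINDOW, limit=VOLUME_LIMIT):
    """More than `limit` uploads by one account inside any interval of length `window`."""
    by_account = defaultdict(list)
    for e in _parse(events):
        by_account[e["account"]].append(e["ts"])
    findings = []
    for account, stamps in by_account.items():
        peak, lo = 0, 0
        for hi, t in enumerate(stamps):          # sliding window over sorted timestamps
            while t - stamps[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > limit:
            findings.append({"check": "volume", "account": account, "peak": peak})
    return findings


def recurring_contact_findings(events):
    """The same phone number or e-mail address attached to more than one contract."""
    seen = {"phone": defaultdict(set), "email": defaultdict(set)}
    for e in events:
        for field in seen:
            seen[field][e[field]].add(e["contract_id"])
    return [{"check": "recurring_contact", "field": field, "value": value,
             "contracts": tuple(sorted(ids))}
            for field, table in seen.items() for value, ids in table.items() if len(ids) > 1]


def run_all(events=SAMPLE_EVENTS):
    """Every finding from all four checks; each one is worth acting on individually."""
    return (shared_account_findings(events) + off_hours_findings(events)
            + volume_findings(events) + recurring_contact_findings(events))


if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```

Run as a script it prints one line per finding on the constructed log: one shared-account hit (op_017 uploading from two different IPs and locations three minutes apart), one off-hours upload, one account exceeding the hourly limit and two recurring contact details. Each check reports the contract identifiers involved, so that the ex post monitoring described earlier can start from a single anomalous episode rather than from a threshold of complaints.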
But taking into account the particular features of Illumia's sales chain, the current historical and social context, the state of the art and the principles consistently established in the Garante's decisions, the failure to implement this basic and indispensable safeguard confirms that the processing is not carried out in a way that ensures adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. For the reasons set out at length above, Illumia's liability must therefore be confirmed for the violations charged in the notice initiating the proceedings under art. 166, paragraph 5, of the Code.

4. CONCLUSIONS

In light of the above, Illumia is held liable for the following violations:
a) arts. 5(2) and 24 of the Regulation, for not having fully discharged, during the investigation in these proceedings, the burden of demonstrating that its processing complies with data protection law;
b) arts. 5, 6 and 7 of the Regulation and art. 130 of the Code, for having made the promotional contacts complained of without an appropriate legal basis;
d) arts. 5(2), 24 and 28 of the Regulation, for failure to implement suitable measures and procedures to ensure that, where processing is outsourced, only parties are selected that provide sufficient guarantees to implement appropriate technical and organisational measures such that the processing meets the requirements of the Regulation and protects the rights of the data subject (so-called culpa in eligendo);
e) arts. 5(2), 24 and 28 of the Regulation, for failure to implement instructions, measures and procedures that fully comply with the applicable rules and are suitable to ensure effective supervision of the work of the processors (so-called culpa in vigilando);
f) arts. 5, 25 and 32 of the Regulation, for failure to implement suitable technical and organisational security measures to prevent the risk of activating contracts originating from an unlawful contact, and of access to company systems by unauthorised persons.
Having also established the unlawfulness of the Company's conduct with reference to the processing examined, it is necessary to:
- issue a warning to Illumia under art. 58(2)(b) of the Regulation for not having fully discharged, during the investigation in these proceedings, the burden of demonstrating that its processing complies with data protection law;
- impose on Illumia, under art. 58(2)(f) of the Regulation, a ban on any further processing of the complainants' data;
- order Illumia, under art. 58(2)(d) of the Regulation, to adopt suitable technical and organisational measures to ensure full compliance with the controller's obligations under art. 28 of the Regulation;
- order Illumia, under art. 58(2)(d) of the Regulation, to adopt technical and organisational measures suitable to avert the risk of activating contracts originating from an unlawful contact and of access to company systems by unauthorised persons;
- adopt an injunction order, under art. 166, paragraph 7, of the Code and art. 18 of Law no. 689/1981, applying to Illumia the administrative fine provided for by art. 83(3) and (5) of the Regulation.

5. INJUNCTION ORDER FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION

The violations indicated above require the adoption of an injunction order, under art. 166, paragraph 7, of the Code and art. 18 of Law no. 689/1981, applying to Illumia the administrative fine provided for by art. 83(3) and (5) of the Regulation (payment of a sum of up to EUR 20,000,000.00 or, for undertakings, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher). To determine the maximum fine, reference must therefore be made to Illumia's turnover as shown in the latest available financial statements (March 2023), consistently with the Authority's previous decisions; the maximum amount is thus set, in this case, at EUR 27,155,872.00. To determine the amount of the fine, the elements listed in art. 83(2) of the Regulation must be taken into account. In this case the following are relevant:
1) the seriousness of the violations (art. 83(2)(a) of the Regulation), considering the object and purposes of the processing, which falls within the overall phenomenon of telemarketing, on which the Authority has adopted numerous decisions, particularly in the last three years, that have thoroughly examined its many critical aspects and given controllers numerous indications for bringing processing into line with the law and mitigating the impact of nuisance calls on data subjects;
2) as a mitigating factor, under art. 83(2)(d), the technical and organisational measures already implemented by the controller under arts. 25 and 32 of the Regulation, such as the use since 1 January 2024 of a specific privacy checklist for selecting agencies, the system of random checks on the lists used and on the contracts, and the creation of personal, password-protected accounts for access to the systems by third parties.
Based on all of the above, on the principles of effectiveness, proportionality and dissuasiveness in art. 83(1) of the Regulation, and on the necessary balance between the rights of data subjects and freedom of enterprise, also in order to limit the economic impact of the fine on the Company's organisational and functional needs, it is considered that an administrative fine of EUR 678,897.00, equal to 2.5% of the maximum, should be imposed on Illumia. In this case it is also considered that the ancillary sanction of publication of this decision on the Garante's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Garante's Regulation no. 1/2019, should be applied, given the nature of the processing and of the Company's conduct and the risks to the rights and freedoms of data subjects. In application of the principles of art. 83 of the Regulation, this ancillary sanction appears reasonable and proportionate to the seriousness and particular disvalue of the conduct criticised, with specific reference to the duration of the violations and the number of persons involved. Introducing a supplier selection procedure that covers personal data protection only with considerable delay after the adoption of the Regulation, which moreover granted controllers two additional years to achieve compliance, reveals a culpable and persistent insensitivity to the matter.
Furthermore, given the duration of the violations, the large number of agencies used by the Company to carry out telemarketing activities, as well as their widespread distribution throughout the national territory, the range of subjects involved in various capacities in the violation appears particularly large. Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met. CONSIDERING ALL THE ABOVE, THE GUARANTOR a) addresses Illumia a warning pursuant to art. 58, par. 2, letter b) for not having fully fulfilled, in the preliminary investigation of these proceedings, the burden of demonstrating that the processing operations are conducted in compliance with the legislation on the protection of personal data; b) imposes on Illumia, pursuant to art. 58, par. 2, letter f) of the Regulation, the prohibition of any further processing of the data belonging to the complainants; c) orders Illumia, pursuant to art. 58, par. 2, letter d) of the Regulation, to adopt suitable technical and organizational measures to ensure full compliance with the obligations incumbent on the data controller pursuant to art. 28 of the Regulation; d) orders Illumia, pursuant to art. 58, par. 2, letter d) of the Regulation, to adopt suitable technical and organizational measures to prevent the risk of the activation of contracts originating from an illicit contact and access to company systems by unauthorized persons; e) orders Illumia, pursuant to art. 157 of the Code, to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the measure imposed; any failure to comply with the provisions of this point may result in the application of the administrative pecuniary sanction provided for by art. 
83, paragraph 5, of the Regulation;
ORDERS Illumia S.p.A., in the person of its legal representative pro-tempore, with registered office in Bologna (BO), Via de Carracci 69/2, VAT number 02356770988, to pay the sum of Euro 678,897.00 (six hundred and seventy-eight thousand eight hundred and ninety-seven/00) as an administrative pecuniary sanction for the violations indicated in the justification, representing that the offender, pursuant to art. 166, paragraph 8, of the Code, has the power to settle the dispute, with the fulfillment of the instructions given and the payment, within thirty days, of an amount equal to half of the penalty imposed.
ORDERS the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 678,897.00 (six hundred and seventy-eight thousand eight hundred and ninety-seven ... 166, paragraph 7 of the Code and 16 of the Regulation of the Guarantor no. 1/2019, and the annotation of the same in the internal register of the Authority - provided for by art. 57, par. 1, letter u), of the Regulation, as well as by art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor - relating to the violations and measures adopted in compliance with art. 58, par. 2, of the Regulation itself.
The publication of this provision pursuant to Articles 154-bis of the Code and 37 of the aforementioned Regulation no. 1/2019.
Pursuant to Articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an objection to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller has its registered office, within thirty days of the date of communication of the provision itself.
Rome, 13 November 2024
THE PRESIDENT Stanzione
THE REPORTER Stanzione
THE GENERAL SECRETARY Mattei
[web doc. no. 10086536]
Provision of 13 November 2024
Register of provisions no. 672 of 13 November 2024
GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
In today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;
HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "Regulation");
HAVING SEEN the Personal Data Protection Code (Legislative Decree no. 196 of 30 June 2003), as amended by Legislative Decree no. 101 of 10 August 2018, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the “Code”);
HAVING SEEN the documentation in the files;
HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000, adopted with resolution of 28 June 2000;
REPORTER Prof. Pasquale Stanzione;
1. THE INVESTIGATIVE ACTIVITY CARRIED OUT
1.1. Introduction
With deed no. 54793 of 6 May 2024 (notified on the same date by certified electronic mail), which must be considered fully referred to here, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a proceeding for the adoption of the measures referred to in art. 58, paragraph 2, of the Regulation against Illumia S.p.A. (hereinafter “Illumia” or the “Company” or the “Data Controller”), in the person of its legal representative pro-tempore, with registered office in Bologna (BO), Via de Carracci n. 69/2, VAT number 02356770988.
The proceeding originates from an investigation initiated by the Authority following the receipt of two separate complaints lodged against the Company regarding the processing of personal data for telemarketing purposes. More specifically, with complaint no. 345203 the interested party complained of having been contacted, in the name and on behalf of Illumia, for promotional purposes on his mobile number, in the absence of an appropriate legal basis and while registered in the Public Register of Oppositions (hereinafter also “RPO”). With complaint no. 352673, on the other hand, the interested party claimed to have been contacted on her son’s mobile number, usually provided as a reference contact for managing supplies for her home, by an operator who had described himself as the “contact person for the commercial office” of Illumia. During the telephone conversation, it emerged that the interlocutor was already aware of the request for the so-called switch to XX (hereinafter also “XX”) actually signed by the complainant in relation to her electricity and gas utilities. On the same occasion, the telephone operator also informed the complainant that the activations stipulated with XX could not be successful and that therefore it was necessary to conclude a new contract with Illumia. In both cases at issue, the calling number was not registered in the Register of Communication Operators (hereinafter “ROC”).
1.2. Requests for information formulated by the Authority
The Office, having examined both complaint documents, with two different requests for information formulated pursuant to art. 157 of the Code, invited Illumia to provide its observations on the incident and to illustrate the measures adopted in order to ensure that the telemarketing and teleselling activities carried out in the name and on behalf of the Company were carried out in compliance with the legislation in force on the protection of personal data (see Prot. nos. 33832 and 33842 of 18 March 2024).
With two feedback notes sent on 5 April 2024 (see Prot. nos. 43333 and 43317 of 8 April 2024), Illumia preliminarily pointed out that all agencies belonging to its sales network, before the start of each commercial campaign, are contractually obliged to submit the numbers they intend to contact to the Fondazione Ugo Bordoni (hereinafter also “FUB”) for verification. With specific reference to the complaints reported in the complaint documents, the Company stated that the names of the complainants were not present in the company information systems and that the calling numbers indicated were not among those used by its commercial partners, nor had they been the subject of other reports. Furthermore, following specific requests sent via certified email to its agencies, no elements emerged that could connect the contacts reported in the complaints to Illumia. For these reasons, the Company had filed a complaint against unknown persons with the Postal Police. With regard to teleselling activities, Illumia clarified that it uses agencies operating via telephone and web channels. The agency selection process is formalized in a "Technical Specification", divided into the following three phases:
- preventive analysis using a specific checklist;
- signing of the contract with the provision of a six-month trial period, aimed at monitoring the agency's productivity;
- mapping of the agency and the numbers used to carry out telemarketing activities on company systems, including operators dedicated to the Illumia order and any sub-agencies.
In addition, from 1 January 2024, agencies are also given a “GDPR Checklist”, in order to verify the adoption of adequate safeguards in terms of personal data protection. In the event that the aforementioned verification reveals discrepancies, the agency is granted a period until the end of the trial period to demonstrate any remediation actions undertaken.
Illumia has also declared that it periodically organizes webinars and training sessions on personal data protection and teleselling aimed at its commercial partners. With the conclusion of the contract, the agencies are also appointed as Data Processors pursuant to art. 28 of the Regulation, which expressly provides for prior communication of any sub-processors in order to provide for their identification and mapping. In this latter case, the Processor is also required to enter into a specific contract with the sub-processor, with the effect of making the same obligations assumed by the Processor towards the Data Controller fall on the latter party. The agency contract includes an express termination clause that allows Illumia to terminate the contract in the event of violation of the legislation on the protection of personal data. The agency contract also includes the “Procedures for controlling the personal data sources used for marketing campaigns”, the “Declaration of lawfulness of the personal data lists” and the “Operating instructions for the correct use of the personal data used during teleselling campaigns”. The process of contractualizing customers through the teleselling channel requires that the Agencies contact the users who have given their consent and that, in the event of interest in concluding the contract, the vocal order is recorded. Subsequently, the customer receives the contractual documentation and a check call for verification and confirmation via ordinary or electronic mail. The supply is not activated if the customer does not confirm during the check call that he/she wishes to enter into the contract or if he/she is unavailable after five unsuccessful contact attempts. For Agencies operating through the web channel and for a single agency operating through the telephone channel, the Company has adopted a contractualization process that involves the use of a One Time Password (OTP) received via SMS. 
After the agencies have entered the contracts on the Illumia platform, they are subjected to the following checks: automatic pre-check on the consistency of the tax data and supply data present on the Integrated Information System (SII), check of the customer's creditworthiness, re-listening to the Vocal Order and detection of recurring numbers and email addresses (implemented from January 2024). With reference to the system of supervision of the agencies' operations, Illumia stated that it carries out bimonthly monitoring of disavowals, on-site visits when a predetermined threshold of reports is exceeded, and compatibility checks between the disavowal rate and a predetermined threshold of criticality. Furthermore, in the event of disavowal of a contract due to fraudulent conduct by third parties and following acceptance of the complaint, the Company segregates the relevant customer data, eliminates any previous consent to the processing of personal data for marketing purposes and includes the person in the internal blacklist. Illumia also carries out internal audits and random checks of contact lists, which may lead to the detection of “Observations” and “Non-conformities”. Finally, the Company stated that “some feasibility assessments are currently underway regarding the following organizational and security measures: tracking of access to the portal (…) for entering contracts; increase in on-site audits; extension of the check call to all contracts acquired by WEB Agencies”.
1.3. Joint handling of complaints
Considering that the complaints referred to in files no. 345203 and 352673 are addressed to the same data controller and concern issues of the same nature, in order to promote their organic examination and implement the principles of economy and speed referred to in art. 9 of internal regulation no. 1/2019 (in www.gpdp.it, web doc. no. 9107633), it was deemed appropriate to jointly handle the complaints pursuant to and for the purposes of the subsequent art.
10 of the same regulation. In this case, moreover, joint handling appeared more suitable to guarantee the right of defense and the need not to aggravate the proceedings, also in terms of the lower expenditure of time and resources that it entails for the data controller.
1.4. Contestation of violations
The Office, following the investigation, adopted the aforementioned contestation notice no. 54793/24 in which, first of all, it was observed that all the circumstances represented by Illumia in the feedback notes were undoubtedly of a documentary nature and that, however, the Company had not intended to produce any proof of such documentation, with the exception of two reports-complaints dating back to a date subsequent to the receipt of the requests for information from this Authority. Likewise, the clarifications relating to the chain of controls and measures implemented against its commercial partners appeared generic and contradictory, such as not to provide a complete and coherent picture of corporate governance in terms of data protection. In the opinion of the Office, these elements were sufficient to constitute a violation of the principle of accountability established by Articles 5, paragraph 2 and 24 of the Regulation, in the part in which they provide that the burden of demonstrating that the personal data processing operations are conducted in compliance with the legislation in force on the matter falls on the data controller. For the same reasons, the Office considered that the documentation in the proceedings seemed to confirm the violation of Articles 5, 6 and 7 of the Regulation and Article 130 of the Code, as reported in the complaints brought to the attention of the Authority in relation to the receipt of promotional calls, made in the name and on behalf of Illumia, in the absence of an appropriate legal basis and using numbers not registered in the Register of Communication Operators (ROC).
With the same objection, the Office also noted numerous critical issues in relation to the selection and monitoring process of the agencies responsible for carrying out teleselling activities in the name and on behalf of the Company with specific reference to the obligations placed on the data controller pursuant to Article 28 of the Regulation (so-called culpa in eligendo and culpa in vigilando). More specifically, the circumstance that the Company proceeded with the contractualization of the agencies, even in the presence of any misalignments with the legislation on the protection of personal data, granting time until the end of the trial period to implement any remediation actions, did not appear to be entirely consistent with the regulatory provision. Moreover, according to the statements made by Illumia, specific controls on the protection of personal data had been implemented only starting from January 2024 and therefore with a significant delay compared to the date of entry into force of the Regulation. The practice just illustrated, in the opinion of the Office, was not acceptable for two reasons, given that art. 28 of the Regulation requires the data controller to use only data processors who present sufficient guarantees to implement appropriate technical and organizational measures in such a way that the processing meets, from the outset, the requirements of the Regulation and guarantees the protection of the rights of the data subject. Furthermore, the termination of the contract for failure to pass the test did not prevent telephone contacts from being made in the meantime in the absence of an appropriate legal basis and the collection of the emoluments for any activations that may have resulted from them. On the other hand, even the operating instructions on the use of the personal data allegedly given to the agencies did not seem to be entirely in line with the provisions contained in the Presidential Decree no. 
26/2022 on the establishment of the Public Register of Oppositions (RPO). The Company, in fact, had declared that it used agencies operating through the web and the telephone channel, however it required partners to consult «monthly, and in any case before the start of each promotional campaign, the Public Register of Oppositions». This indication seemed to conflict with the letter of art. 8 of the aforementioned decree in the part where it provides that «Consultation of the register by each operator is effective for fifteen days for data processing for the purpose of sending advertising material or direct sales or for carrying out market research or commercial communication, through the use of the telephone, with or without an operator, and for thirty days for data processing for the same purposes through the use of paper mail». Also with reference to the control and monitoring activities carried out by the Company with respect to the agencies and on the contact lists, the absence of any documentary or probative index, in the opinion of the Office, led to doubts as to the actual performance of audits or on-site visits and the suitability of the criteria used to identify the agencies to be audited. Furthermore, from the findings provided, it emerged that the Company had failed to implement suitable measures to prevent the activation of contracts uploaded to the company systems following illicit contacts and to inform the interested party. Finally, the notice of dispute also highlighted further critical issues in relation to the principles of integrity, security and confidentiality established by Articles 5, 25 and 32 of the Regulation, given that the Company had declared that some feasibility assessments were underway regarding the implementation of a system for tracking access to the portal for entering contracts. 
The failure to implement this basic and indispensable safeguard, in fact, led to the belief on the one hand that the processing operations were not carried out in such a way as to guarantee adequate security of personal data, including protection from unauthorized or illicit processing and adequate security from accidental loss, destruction or damage. On the other hand, this serious gap denoted the absence of safeguards aimed at averting the risk that contracts deriving from wild telemarketing activities could enter the systems, thus fueling the induced effect of the so-called "undergrowth" of telemarketing. The Office, therefore, contested Illumia’s violation of Articles 5, 6, 7, 24, 25, 28 and 32 of the Regulation, as well as Article 130 of the Code, for having carried out the above-described processing of personal data of users and contractors in the energy sector in conflict with the principles of lawfulness and accountability, in the absence of an appropriate legal basis and by implementing inadequate technical and organizational measures to guarantee, from the design stage, and to be able to demonstrate, that the processing is carried out in accordance with the Regulation.
2. THE DEFENSE OF THE DATA CONTROLLER
2.1 The preliminary requests for the defense
With a request dated 21 May 2024 (see Prot. no. 61857 of 22 May 2024), Illumia requested an extension of thirty days of the deadline granted for the purposes of transmitting the defensive briefs referred to in art. 166, paragraph 6 of the Code, representing the need for it «(…) on the basis of the particular complexity of the issues underlying the Proceedings, as well as the numerous legal assessments formulated (…)».
The Company also highlighted that granting an extension was also appropriate in consideration of the operational and dimensional characteristics of Illumia «(…) in order to allow the undersigned Company to provide this Authority with a complete, detailed and exhaustive information and documentation framework in relation to the observations formulated (…) Illumia, together with the holding company Tremagi Energia S.r.l., has approximately 200 employees, operating in various departments, as well as a network of over 20 agencies for teleselling and telemarketing services that operate throughout the national territory». With a subsequent request dated 24 May 2024 (see Prot. no. 63829 of 27 May 2024), the Company requested to view and extract a copy of the reports received by the Authority, to which the Office had merely referred in the body of the complaint pursuant to art. 166, paragraph 5, of the Code. With a note dated 29 May 2024 (see Prot. no. 65145/24) the Office provided feedback to the aforementioned request for extension and in recalling the provisions contained in art. 166, paragraph 6, of the Code and in art. 12 and 13 of internal regulation no. 1/2019, noted that « (…) the investigation is of a purely documentary nature and focuses on objectively limited issues (i.e. processing of personal data carried out in the field of telemarketing and tele-selling), therefore the granting of an extension of 30 days does not appear to meet the aforementioned proportionality criteria. Therefore, considering the aforementioned regulatory framework and the practice consistently followed by the Office in entirely similar proceedings as well as the needs of cost-effectiveness and reasonable duration of the proceedings, an extension of 15 days is granted (…)». With a subsequent note dated 11 June 2024 (see Prot. no. 70643/24), taking into account that «the reports brought to the attention of the Authority against Illumia S.p.A. 
are not the subject of the joint investigation on files nos. 345203-352673 referred to in the communication of initiation of the proceeding of 6 May 2024 (see Prot. no. 54793/24) and that therefore the company is not called upon to submit observations in relation to these complaints», the Office rejected the request for access «due to the lack of direct, concrete and current interest related to the documentation requested to be exhibited». In the field of telemarketing, in relation to which the Authority receives thousands of complaints every year, the existence of reports received against a data controller, as occurred in the case in question, proves to be a useful indicator for distinguishing cases of isolated complaints, and therefore attributable to physiological phenomena, from those symptomatic of a widespread and pathological phenomenon. In the case in question, taking into account that pursuant to art. 19 of internal regulation no. 1/2019 «(…) the Authority may use the information indicated in any reports that come from an unidentified subject, if it deems it necessary to initiate checks on cases in which it identifies the risk of serious harm or retaliation against subjects affected by the processing, or in any case there is a case of particular gravity. The report may be examined by the Authority, but does not entail the necessary adoption of a measure (…)», also considering the homogeneity of the issues that are the subject of the complaint and that the investigation of the individual reports would not have allowed compliance with the deadlines for the conclusion of the procedure for the complaints that had originally been investigated individually, it was deemed appropriate to proceed with the specific investigation of the complaints only.
2.2 The exercise of the right of defense pursuant to art. 166, paragraph 6 of the Code
With defense briefs transmitted on 20 June 2024 pursuant to art.
166, paragraph 6 of the Code, Illumia preliminarily highlighted that it had «(…) interpreted the communications of this Authority as a simple request for information, a case that art. 157 of the Privacy Code distinguishes from the request for the exhibition of documents» and that it was therefore now filing all documentation useful for demonstrating what had been stated. The Company then declared that it employs over 200 employees and a commercial network composed of agencies operating throughout the national territory and that, for the management of this network of agencies, it has implemented a complex procedural system based on the so-called Technical Disciplinary. Furthermore, from 1 July 2024 the Company was awarded the Gradual Protection Service for Non-Vulnerable Domestic Customers provided by Arera and therefore deemed it appropriate to avoid expanding its network of Agencies, also in order to consolidate the control and monitoring procedures for the partners already contracted. With specific reference to complaint no. 345203, the Company, in reiterating the observations previously put forward through the note of response to the request for information pursuant to art. 157 of the Code, to be considered fully recalled (see par. 1.2 of this provision), highlighted that following further investigation it emerged that the complainant was registered with the RPO on 7 February 2024, i.e. the day before receiving the unwanted communication that is the subject of the complaint. In the opinion of the Company «it is therefore clear that, even if the call had been made on behalf of Illumia, the short period of time between the call and the registration with the RPO would not have led to a violation of Presidential Decree no. 26/2022, given that pursuant to art. 8 “(..) the consultation of the Register by each operator is effective for fifteen days for data processing for the purposes of sending advertising material and direct sales (…)”». As for file no.
352673, the Company preliminarily raised the irregularity of the complaint, since the telephone number to which the unwanted promotional contact was made belongs to the complainant's son and consequently the complaint appears to have been presented by a person other than the interested party. Illumia then observed that the complainant's statements regarding her habit of using her son's telephone number in the context of contractual relationships relating to electricity and gas utilities highlight a "(...) macroscopic misalignment between the owner of the mobile phone number and the actual contractor (...)" and that the circumstance that the complainant's son works for a company in the Energy sector does not exclude a priori the possibility that the complainant's data were provided by her son, or that the call was actually addressed to the latter. Then, in reiterating the deductions already provided previously, the Company further highlighted that following additional investigations it emerged that the telephone number used by the complainant was registered with the RPO on 15 March 2024, and therefore at a time subsequent to the receipt of the telephone contact that is the subject of the complaint. In addition, the circumstance that neither complainant provided any reply in relation to what was represented in the notes of 5 April 2024, in the opinion of the Company, serves to demonstrate the correct management of the facts that were reported. With regard to the complaints against unknown persons filed by the Company with the competent Police authorities, Illumia observed that the Guardia di Finanza deemed it appropriate to hear the internal lawyer as a person informed of the facts and that this “unusual approach” taken by the Authorities serves to prove that the Company represents the injured party with respect to the contested conduct.
With reference to telemarketing and teleselling activities, Illumia declared that it uses ten agencies and sub-agencies for the telephone channel and seventeen agencies and sub-agencies operating in the web channel. In order to ensure that its sales network operates in compliance with the legislation on the protection of personal data, the Company first prepared a Technical Regulation for Agency Acquisition that identifies the minimum requirements to be respected during the recruiting, acquisition and coding phase of a new agency. This regulation, in force since 2018, has also been subjected to two audits by independent bodies that concluded with positive results. Illumia then clarified that it carries out a series of preliminary checks - both from a contractual and regulatory perspective - preliminary to the signing of the agreement for the performance of teleselling activities. More specifically, the Technical Regulations (see chapter 4) provide that with the involvement of the Company's top structures, a series of information and documentation are first acquired, including the registration in the Register of Communication Operators and then the compilation of a checklist is requested. Through this checklist, preliminary information is collected regarding the methods of acquisition of the lists and their suppliers, the assets and IT tools used and the level of training of the staff. Furthermore, starting from 1 January 2024, Illumia has implemented an additional control checklist regarding the protection of personal data. In support of the briefs pursuant to art. 166, paragraph 6 of the Code, Illumia has also produced a sample of contracts signed with certain agencies containing detailed clauses on the obligations regarding data protection and the attached forms. 
In relation to the trial period provided for in the aforementioned contracts, the Company declared that the purpose of this clause «(…) is not so much to reserve a tool to terminate the contractual relationship in the event of non-compliance with the provisions regarding tele-selling and data protection (situations for which, instead, an express termination clause formulated ad hoc is provided), but rather to provide the parties with a tool to “verify the mutual convenience of making stable or terminating the contractual bond (…)». Illumia then illustrated the characteristics of the IT systems used for the management of the sales force, in particular those for mapping the personal data of agencies, sub-agencies and operators and for calculating commissions and described the system used for uploading contracts by agencies and sub-agencies, subject to authorization both at the level of the legal person and the individual operator. A special password-protected account is created for each operator. The company systems also map the numbers used by partners to carry out telemarketing activities. Furthermore, following a provision issued by the Guarantor against another operator in the same sector, the Company has also implemented a system for "verifying any anomalies connected to the insertion of recurring telephone numbers and emails for contracts uploaded to the agency portal". The Company then reiterated that at least every six months the Legal Affairs Department organizes mandatory training sessions aimed at the sales force. With regard to checks on the contact lists used by commercial partners, Illumia has declared that it carries out checks on a quarterly basis before the start of a new campaign, during and at the end of the same. More specifically, these checks are carried out on a sample basis against an agency chosen on the basis of a risk-based approach, using the number of contracts finalized and any disavowals received as a reference index. 
Following these checks, a summary report is drawn up. Following the control activities, Illumia may raise Observations and Non-Conformities, or indicate to the agency remedial actions to be taken. In the latter case, the Company also carries out subsequent audits aimed at verifying compliance. The Company has declared that it also carries out monitoring activities on contracts acquired through the agency. On this point, the Technical Regulations and company procedures provide that the verification activity is divided into two phases: formal verification of the contracts and confirmation call. The latter is carried out on all contracts acquired through the telephone channel, using a predefined script and in the event of a negative outcome, the supply is not activated. Compared to contracts concluded through the web channel, however, the confirmation call is currently carried out on a sample basis, but it is the Company's intention to extend it to all agreements. Illumia has set up a special section of the site that allows users to check whether the calling number is among those used by its sales network, which may also involve the application of the Procedure for complaints of non-clear numbers. With regard to monitoring activities on the sales network, the data controller has highlighted that it has set up a Sales Quality Monitoring Committee, composed of top company figures, with the function of "monitoring the quality of the Illumia sales network and compliance with sector regulations of the contractualization processes and related documentation" and with the task of "analyzing the sales processes of the outbound networks, verifying the defectiveness of the contracts and the number and seriousness of the complaints received". This committee also has "the power to order audits at the agencies and initiate sanctioning proceedings against the less virtuous commercial partners which may end, in the most serious cases, with the termination of the agency contracts". 
To manage reports from interested parties, the Company has made various channels available to users and implemented a specific procedure (Procedure for the management of the exercise of rights regarding the protection of personal data). In the event that an interested party complains about receiving an unwanted call for promotional purposes, the relevant contact details are included in a black list, which is then shared with the Agencies on a weekly basis. If the negative results of the confirmation call and the reports from users reach a predetermined critical threshold, the Company is entitled to take certain measures ranging from a simple warning, to an on-site visit and even to the termination of the contract. Furthermore, the numbers reported are subject to further control, so that if they are among those in use by the sales network, they lead to the implementation of the ex post sales monitoring Procedure just described, otherwise the Company proceeds to file a complaint with the Postal Police. Illumia stated that it also carries out on-site audits on selected Agencies based on the risk-based principle, which considers the number of contracts concluded and the results of monitoring activities. The audits, conducted using a specific checklist, are intended to verify the compliance status of the agencies with the legislation on personal data protection. Finally, the Company stated that it has undertaken a project to obtain ISO 9001 certification and to adhere to the Code of Conduct on telemarketing and teleselling. The controller has not submitted a request for a hearing before the Authority pursuant to Article 166, paragraph 6, of the Code and Article 13 of Internal Regulation No. 1/2019.
3. ASSESSMENTS BY THE AUTHORITY
It should be noted first of all that, contrary to what the Company claimed, the requests for information formulated by the Authority did not leave any room for interpretation regarding the content of the requested feedback.
The aforementioned requests, in fact, were formulated pursuant to art. 157 of the Code and this regulatory reference was contained both in the subject and in the body of the communication. Furthermore, taking into account that the same heading and the letter of art. 157 of the Code also make textual reference to the exhibition of documents and that on the basis of the combined provisions of art. 5, par. 2 and 24 of the Regulation, due to the principle of accountability, the burden of demonstrating that the personal data processing operations are conducted in compliance with the legislation in force on the matter falls on the controller, it does not appear likely that the Company could have incurred any misunderstanding or blameless error of interpretation. Secondly, the exceptions advanced with specific reference to the complaints that are the subject of the proceedings cannot be accepted either. In relation to complaint no. 345203, the Company observed that the interested party would have registered with the RPO only on 7 February 2024, i.e. the day before receiving the unwanted communication. However, given that it is not possible to ascertain from the documentation produced by Illumia whether this is a first registration or a renewal and that the interested party himself declared in the complaint, under his own responsibility, to have joined the RPO "on 27/7, then at the beginning of January, and subsequently yesterday 7/02/2024", this exception cannot be accepted. Illumia then contested the regularity of complaint no. 352673 for violation of art. 77 of the Regulation, arguing that the complaint should have been presented directly by the complainant's son in his capacity as the owner of the user receiving the unwanted call and that it cannot be excluded a priori that the contact was intended to reach the latter.
On this point, it is worth highlighting that the complainant complained that the telephone operator was aware of the switch request actually made by the same for the electricity and gas utilities of her home and even of the chosen operator. Therefore, considering the content of the phone call and that the interested party declared that she habitually uses her son's number as a reference contact, there is no doubt that the phone call was addressed specifically to the complainant and that for the caller that telephone number constituted useful information to uniquely identify the interested party, regardless of the actual ownership of the telephone user. The concept of personal data, in fact, as established by the Regulation, does not so much and only hinge on the nature of the data itself, but rather on its identifying power, understood as the actual possibility of uniquely revealing the identity of the interested party. So much so that art. 4 point 1) of the Regulation defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" and that recital no. 26 clarifies that "It is desirable to apply the principles of data protection to all information relating to an identified or identifiable natural person. Pseudonymised personal data which could be attributed to a natural person through the use of additional information should be considered as information on an identifiable natural person. 
In order to establish the identifiability of a natural person, it is appropriate to consider all means, such as identification, which the controller or a third party might reasonably use to identify that natural person directly or indirectly. In order to determine whether the means to identify the natural person are reasonably likely to be used, all objective factors should be taken into account, including the costs and time required for identification, taking into account both the technologies available at the time of processing and technological developments (…)». Applying these principles to the case in question, it is extremely clear that, based on the statements made in the complaint, the operator was in possession of a series of information (address, telephone number, switch request, chosen operator) which, used together, were exclusively attributable to the complainant; it follows that the complaint appears to contain all the formal and substantive requirements set out in Article 77 of the Regulation. It should be added that the recipient of protection in data processing for telemarketing purposes is not only the "contractor" of a telephone service supply relationship, but also the "user", understood as "any natural person who uses an electronic communication service accessible to the public, for private or commercial reasons, without necessarily being a subscriber", as specified by art. 121, paragraph 1-bis, letter g) of the Code. In relation to complaint no. 352673, then, the observations made by the Company regarding the registration to the RPO appear completely irrelevant, since the complainant did not complain about receiving a promotional call to a registered number, but about having received a promotional phone call in the absence of a suitable legal basis made by an operator illegitimately in possession of a series of information referable to her person.
Nor can the controller's belief be shared regarding the circumstance that the failure to submit observations by the complainants is sufficient to demonstrate "the correct management of the incident", since this is merely a faculty granted to the interested parties, the failure to exercise which certainly does not amount to a waiver of the request, nor to acquiescence with respect to the findings provided by the Company. With reference to the obligations imposed on the data controller pursuant to art. 28 of the Regulation and the security measures implemented by the Company, the examination of the documentation and the attachments transmitted as a whole reveals a picture of privacy governance that is not completely compliant and updated with respect to the current legislation. Moreover, this finding takes on particular gravity if considered in light of the circumstance that the teleselling activity, by the Company's own admission, is entirely outsourced to a large group of agencies and sub-agencies. This is certainly not to imply that outsourcing or the number of partners constitute in themselves an indication of violation, but rather that the choice to entrust a branch of one's business to a series of external parties should also be accompanied by the implementation of adequate measures to avoid the risk of illegitimate activities. With respect to teleselling activities, corporate compliance in terms of personal data protection is based on the Technical Regulations for Agency Acquisition, which were last updated on 3 April 2020. The examination of this regulation and the related procedures fully confirm the culpa in eligendo and the objections raised in relation to the supplier selection process.
With the exception of the acquisition of documentation proving registration with the ROC and an isolated reference to the purchase of “faked” lists, until December 2023 the only requirements assessed by the Company in the agency recruiting phase in application of the regulation and through the use of the Agency Acquisition Checklist, in fact concerned merely dimensional characteristics and the economic reliability of the Company. In fact, by Illumia's own admission, a specific Privacy Checklist was also implemented only from 1 January 2024. Moreover, only some of the current agencies – six agencies out of seventeen – were contracted in 2024, so that the remaining ones were selected and continue to process personal data in the absence of a prior and careful assessment pursuant to art. 28 of the Regulation. Moreover, this omission cannot even be compensated for by the provision of a trial period and express termination clauses in the event of violations of the legislation on the protection of personal data. The letter and the content of the clause inserted in the contractual forms on the trial period (see art. 10.2 of the agency contract "In order to verify the mutual convenience of making stable or terminating this contractual obligation, the Parties agree to agree on a trial period of six months. This period will start from the first month following the transmission by the Agent of 50 ILLUMIA contracts and, during this period and from the date of signing this contract, each of the parties may, at any time, withdraw from the relationship ad nutum without any obligation to give notice or compensation in lieu. In the event of expiry of the trial period in the last quarter of the year, the expiry of the trial period is automatically extended to 15 January of the following year"), clearly and exclusively refer to a concept of economic convenience. 
But even if we wanted to accept a broader interpretation, such a clause could in no way be used to fulfill the obligation on the controller to use only qualified subjects in the privacy field, since it is clearly unsuitable to avoid the risk that personal data processing carried out in the name and on behalf of Illumia is carried out in the meantime by subjects who do not possess adequate skills and who have not implemented suitable security measures. Likewise, the fact that in 2023 alone the application of the aforementioned clause led to the termination of five contracts is a symptomatic indicator of the inadequacy of the supplier selection and evaluation process. With specific reference to the disputes relating to the obligation to supervise and monitor the work of data processors (so-called culpa in vigilando), the Company illustrated the contractual obligations imposed on the agencies and declared that it will carry out random on-site audits and documentary checks. But for the reasons that will be discussed in detail below, the measures, although meritoriously adopted, do not appear to be fully compliant with the current regulatory framework, nor sufficient in relation to the risks to the rights and freedoms of the interested parties. First of all, on this topic it is necessary to observe that the mere formal provision of operating instructions, obligations and indemnity clauses cannot be considered as fulfillment of the obligations incumbent on the data controller, when it is not accompanied by periodic and effective supervisory and verification initiatives. Furthermore, the choice to carry out monitoring activities using criteria that result in the identification of an excessively limited number of subjects or related to the mere occurrence of anomalies and reports does not appear to be acceptable.
With the entry into force of the European Regulation, the concept of accountability was introduced into the Italian legal system, a principle with multiple implications and in many ways disruptive. This principle, which is undoubtedly influenced by common law, is completely innovative. Under Italian legislation, in fact, citizens are used to knowing exactly the scope of the obligations and prohibitions imposed by law. On the contrary, the principle of accountability gives the data controller a wide freedom of choice with respect to the implementation of their own governance in terms of data protection, to which a complex concept of responsibility is closely related. Proof of this innovative vision of the matter is the very formulation of the rules on security, which no longer list the minimum measures to be adopted, but require the data controller to evaluate and identify the appropriate measures in relation to the context, the state of the art and the risks. In the context of this new conception of the role of the data controller itself, the principle of accountability must necessarily be considered as a common thread that informs the interpretation and application of all the rules and principles contained within the Regulation and therefore an essential hermeneutic canon. As a result, the obligations incumbent on the data controller pursuant to art. 28 of the Regulation, if interpreted in light of the principle of accountability, cannot be considered effectively fulfilled by the mere provision of style clauses or by interventions carried out only ex post when an anomaly occurs, but require a quid pluris, namely the effective governability of the processing chain and the periodic updating of the same technical and organizational measures implemented to achieve it. Moreover, without prejudice to the validity of the use of a risk-based approach, in this case the criteria used to identify the sample of subjects to be subjected to scrutiny appear reprehensible.
Considering that only a small portion of the interested parties are usually inclined to send reports and that the interested party may not realize that they have entered into a contract based on an illicit contact, in fact the criteria used by Illumia prove ineffective and misleading, since they lead to identifying an excessively limited number of subjects to be subjected to scrutiny. Even Illumia's choice to take action only when a predetermined threshold of anomalies is reached is not entirely acceptable. The illustrated obligations and responsibilities of the data controller require, in fact, to take action even in the presence of a single anomalous episode or an isolated report. On the other hand, the obligations and instructions given to the data processors also confirm an incomplete assimilation of the obligations imposed by current legislation and that certain teleselling activities are carried out in the absence of an appropriate legal basis and the conditions provided for by law. The instructions attached to the agency contract in the part where they provide that «(…) The Agent has the obligation to consult the Register of Oppositions on a monthly basis, and in any case before the start of each promotional campaign, and to update its lists, verifying that the personal data to be contacted have not entered their telephone contact(s) in the same, established with the Presidential Decree no. 178 of 2010, and also extended to mobile numbers with Law no. 5/2018, in order to avoid making offers to anyone who is present in the Register itself; The Agent acknowledges and accepts that the consultation of the Register of Oppositions referred to above is effective for fifteen days (…)», are contradictory and in any case do not take into account the different temporal value of the consultations at the RPO provided for by law depending on the means used to carry out the marketing activities (i.e. telephone, email, paper mail, etc.).
Likewise, the Procedures for controlling the sources of personal data used for marketing campaigns have the declared purpose of "ensuring that each telephone number present in the contact list purchased by the Agent refers to a person who has validly consented to the communication of his/her contact data and its subsequent use for commercial and marketing purposes" and, on the one hand, do not make any distinction between prospects, customers and former customers and, on the other, do not contemplate the case of data coming from public registers (see articles 129 and 130 of the Code and art. 1 of Law no. 5/2018). From the documentation and information acquired overall, it also appears clear that the principles of integrity, security and confidentiality established in Articles 5, 25 and 32 of the Regulation have been violated. Although the proceduralization of a system for uploading contracts based on the creation of personalized profiles managed by individual operators and protected by passwords is worthy of praise, the Company has not provided any suitable element to prove the adoption of measures aimed at avoiding the risk of activating contracts originating from an illicit contact. More specifically, while it is true that Illumia appears to be able to trace the contract back to the operator who entered it into the company systems, at the same time it has failed to implement measures and precautions that prevent its entry from the outset (e.g. instructions on password management, measures to prevent the simultaneous use of the account by multiple individuals, measures suitable for revealing anomalous accesses by time, number or geographical area, etc.). In this regard, the Company itself has declared that some feasibility assessments are underway regarding the implementation of a system for tracking access to the portal for entering contracts.
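As an added illustration (not part of the decision and not Illumia's own code), the following Python script runs the kind of checks the Authority found missing on the contract-upload portal over a constructed access log: one operator account used from two addresses within minutes, uploads outside campaign hours, uploads from a region other than the agency's declared one, and the same customer number recurring across uploaded contracts. Account ids, agency names, regions, IP addresses and phone numbers are all assumed placeholders.

```python
"""Anomaly checks over a constructed contract-upload portal log (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class PortalEvent:
    """One contract upload on the agency portal (assumed schema)."""
    ts: datetime
    operator: str   # personal, password-protected operator account
    agency: str
    src_ip: str
    region: str     # region geolocated from src_ip (assumed pre-enriched)
    phone: str      # customer phone number written on the contract


# Declared place of business per agency: assumed values, used as the geographic baseline.
AGENCY_REGION = {"agency-A": "Emilia-Romagna", "agency-B": "Lombardia"}

# Constructed sample log: RFC 5737 documentation addresses and placeholder numbers.
T0 = datetime(2024, 3, 4, 10, 0)
EVENTS = [
    PortalEvent(T0, "op-0101", "agency-A", "203.0.113.10", "Emilia-Romagna", "+39 333 000 0001"),
    # same account five minutes later from another address and region
    PortalEvent(T0 + timedelta(minutes=5), "op-0101", "agency-A", "198.51.100.7", "Lazio", "+39 333 000 0002"),
    PortalEvent(T0 + timedelta(hours=1), "op-0202", "agency-B", "192.0.2.44", "Lombardia", "+39 333 000 0003"),
    PortalEvent(T0 + timedelta(hours=1, minutes=20), "op-0202", "agency-B", "192.0.2.44", "Lombardia", "+39 333 000 0003"),
    PortalEvent(T0 + timedelta(hours=2), "op-0303", "agency-B", "192.0.2.45", "Lombardia", "+39 333 000 0003"),
    # upload at 23:30, outside campaign hours
    PortalEvent(datetime(2024, 3, 4, 23, 30), "op-0202", "agency-B", "192.0.2.44", "Lombardia", "+39 333 000 0004"),
]


def concurrent_use(events, window=timedelta(minutes=15)):
    """Flag an operator account used from two source addresses within `window`
    (the account being shared by several individuals is the likely cause)."""
    by_op = defaultdict(list)
    for e in events:
        by_op[e.operator].append(e)
    findings = []
    for op, evs in by_op.items():
        evs.sort(key=lambda e: e.ts)
        for a, b in zip(evs, evs[1:]):
            if b.ts - a.ts <= window and a.src_ip != b.src_ip:
                findings.append((op, a.src_ip, b.src_ip))
    return findings


def off_hours(events, start=time(9, 0), end=time(20, 0)):
    """Flag uploads outside the campaign hours [start, end) (assumed window)."""
    return [e for e in events if not (start <= e.ts.time() < end)]


def out_of_region(events, baseline=AGENCY_REGION):
    """Flag uploads whose source region differs from the agency's declared region."""
    findings = []
    for e in events:
        declared = baseline.get(e.agency)
        if declared is not None and declared != e.region:
            findings.append(e)
    return findings


def recurring_phones(events, min_contracts=2):
    """Flag customer numbers that recur across uploaded contracts, with the
    operator/agency pair behind each upload."""
    counts = Counter(e.phone for e in events)
    return {
        phone: [(e.operator, e.agency) for e in events if e.phone == phone]
        for phone, n in counts.items() if n >= min_contracts
    }


def run_checks(events):
    """Run every check; a single hit is reported, no aggregate threshold is applied."""
    return {
        "concurrent_use": concurrent_use(events),
        "off_hours": off_hours(events),
        "out_of_region": out_of_region(events),
        "recurring_phones": recurring_phones(events),
    }


if __name__ == "__main__":
    for check, hits in run_checks(EVENTS).items():
        print(f"{check}: {hits}")
```

Each finding carries the operator account and agency, so it can feed the per-agency audit and sanction process the decision describes rather than waiting for a user complaint.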
But taking into account the peculiarities of Illumia's sales chain and in light of the current historical-social context, the state of the art and the principles constantly established through the provisions approved by the Guarantor, the failure to implement this basic and indispensable safeguard confirms that the processing operations are not carried out in such a way as to guarantee adequate security of personal data, including protection from unauthorized or illicit processing, accidental loss, destruction or damage. For the reasons widely illustrated, ultimately, Illumia's liability must be confirmed with regard to the violations contested through the communication of the initiation of the procedure pursuant to art. 166, paragraph 5 of the Code.
4. CONCLUSIONS
For the above reasons, Illumia's liability is deemed to be established with regard to the following violations:
a) art. 5, par. 2 and 24 of the Regulation for not having fully fulfilled, in the preliminary investigation of this proceeding, the burden of demonstrating that the processing operations are conducted in compliance with the legislation on the protection of personal data;
b) arts. 5, 6 and 7 of the Regulation, as well as 130 of the Code, for having carried out the promotional contacts that are the subject of the complaint in the absence of an appropriate legal basis;
d) arts. 5, par. 2, 24 and 28 of the Regulation for the failure to implement suitable measures and procedures to ensure that, in the event of outsourcing of processing, only subjects are selected who present sufficient guarantees to implement adequate technical and organizational measures in such a way that the processing meets the requirements of this Regulation and guarantees the protection of the rights of the data subject (so-called culpa in eligendo);
e) arts. 5, par. 2, 24 and 28 of the Regulation for failure to implement instructions, measures and procedures that are fully compliant with the applicable legislation and suitable to ensure effective supervision of the work of the Data Processors (so-called culpa in vigilando);
f) articles 5, 25 and 32 of the Regulation for failure to implement technical and organizational security measures suitable for preventing the risk of activating contracts originating from an illicit contact, as well as access to company systems by unauthorized persons.
Having also ascertained the unlawfulness of the Company's conduct with reference to the processing under examination, it is necessary to:
- send Illumia a warning pursuant to art. 58, par. 2, letter b) for not having fully fulfilled, in the preliminary investigation of these proceedings, the burden of demonstrating that the processing operations are conducted in compliance with the legislation on the protection of personal data;
- impose on Illumia, pursuant to art. 58, par. 2, letter f) of the Regulation, the prohibition of any further processing of the data belonging to the complainants;
- order Illumia, pursuant to art. 58, par. 2, letter d) of the Regulation, to adopt suitable technical and organizational measures to ensure full compliance with the obligations incumbent on the data controller pursuant to art. 28 of the Regulation;
- order Illumia, pursuant to art. 58, par. 2, letter d) of the Regulation, to adopt suitable technical and organizational measures to prevent the risk of the activation of contracts originating from an illicit contact and access to company systems by unauthorized persons;
- adopt an injunction order, pursuant to art. 166, paragraph 7, of the Code and 18 of Law no. 689/1981, for the application to Illumia of the administrative pecuniary sanction provided for by art. 83, paragraphs 3 and 5, of the Regulation.
5. ORDER-INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION
The violations indicated above require the adoption of an injunction order, pursuant to art. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application to Illumia of the administrative pecuniary sanction provided for by art. 83, paragraphs 3 and 5, of the Regulation (payment of a sum of up to € 20,000,000.00 or, for companies, up to 4% of the annual worldwide turnover of the previous financial year, if higher). To determine the maximum amount of the pecuniary sanction, it is therefore necessary to refer to Illumia's turnover, as obtained from the latest available financial statement (March 2023) in accordance with the previous provisions adopted by the Authority, and therefore this maximum amount is determined, in the case in question, at €27,155,872.00. To determine the amount of the sanction, it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation. In the case in question, the following are relevant:
1) the seriousness of the violations (art. 83, par. 2, letter a) of the Regulation), taking into account the object and purposes of the data processed, attributable to the overall phenomenon of telemarketing, in relation to which the Authority has adopted, in particular in the last three years, numerous provisions that have fully examined the multiple critical elements, providing the data controllers with numerous indications to adapt the processing to the legislation in force and to mitigate the impact of nuisance calls on the data subjects;
2) as a mitigating factor, pursuant to art. 83, par. 2, letter d), the technical and organizational measures already implemented by the data controller pursuant to art.
25 and 32 of the Regulation, such as, for example, the use from 1 January 2024 of a specific privacy checklist for the selection of agencies, the implementation of a system of random checks on the lists used and on the contracts, the creation of personal and password-protected accounts for access to the systems by third parties. Based on the set of elements indicated above, and on the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1, of the Regulation, and taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational and functional needs of the Company, it is believed that the administrative sanction of the payment of a sum of €678,897.00, equal to 2.5% of the maximum sanction, should be applied to Illumia. In the case in question, it is believed that the accessory sanction of publication on the website of the Guarantor of this provision should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019, taking into account the nature of the processing and conduct of the Company, as well as the elements of risk for the rights and freedoms of the interested parties. In implementation of the principles set out in art. 83 of the Regulation, the imposition of this accessory sanction appears reasonable and proportionate in relation to the seriousness and particular disvalue of the conduct subject to criticism with specific reference to the duration of the violations ascertained and the number of subjects involved. The implementation of a supplier selection procedure that also includes the issue of personal data protection with a significant delay compared to the issuance of the Regulation, which also granted two additional years to the owners for the purposes of compliance, reveals a culpable and persistent insensitivity to the matter. 
Furthermore, given the duration of the violations, the large number of agencies used by the Company to carry out telemarketing activities, as well as their widespread distribution throughout the national territory, the range of subjects involved in various capacities in the violation appears particularly large. Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.
CONSIDERING ALL THE ABOVE, THE GUARANTOR
a) addresses Illumia a warning pursuant to art. 58, par. 2, letter b) for not having fully fulfilled, in the preliminary investigation of these proceedings, the burden of demonstrating that the processing operations are conducted in compliance with the legislation on the protection of personal data;
b) imposes on Illumia, pursuant to art. 58, par. 2, letter f) of the Regulation, the prohibition of any further processing of the data belonging to the complainants;
c) orders Illumia, pursuant to art. 58, par. 2, letter d) of the Regulation, to adopt suitable technical and organizational measures to ensure full compliance with the obligations incumbent on the data controller pursuant to art. 28 of the Regulation;
d) orders Illumia, pursuant to art. 58, par. 2, letter d) of the Regulation, to adopt suitable technical and organizational measures to prevent the risk of the activation of contracts originating from an illicit contact and access to company systems by unauthorized persons;
e) orders Illumia, pursuant to art. 157 of the Code, to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the measure imposed; any failure to comply with the provisions of this point may result in the application of the administrative pecuniary sanction provided for by art. 83, paragraph 5, of the Regulation;
ORDERS
Illumia S.p.A., in the person of its legal representative pro-tempore, with registered office in Bologna (BO), Via de Carracci 69/2, VAT number 02356770988, to pay the sum of Euro 678,897.00 (six hundred seventy-eight thousand eight hundred ninety-seven/00) as an administrative pecuniary sanction for the violations indicated in the justification, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the power to settle the dispute by complying with the instructions given and paying, within thirty days, an amount equal to half of the fine imposed.
ORDERS
the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 678,897.00 (six hundred seventy-eight thousand eight hundred ninety-seven/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981.
ORDERS
the application of the accessory sanction of the publication on the website of the Guarantor of the injunction order pursuant to art. 166, paragraph 7 of the Code and 16 of the Guarantor Regulation no. 1/2019, and the annotation of the same in the internal register of the Authority - provided for by art. 57, paragraph 1, letter u), of the Regulation, as well as by art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor - relating to violations and measures adopted in accordance with art. 58, par. 2, of the Regulation itself.
The publication of this provision pursuant to art. 154-bis of the Code and 37 of the aforementioned Regulation no. 1/2019.
Pursuant to art. 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller has its registered office, within thirty days of the date of communication of the provision itself.
Rome, 13 November 2024
THE PRESIDENT
Stanzione
THE RAPPORTEUR
Stanzione
THE SECRETARY GENERAL
Mattei