Garante per la protezione dei dati personali (Italy) - 9921112

From GDPRhub
Garante per la protezione dei dati personali - 9921112
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6 GDPR
Article 7 GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 15 GDPR
Article 17 GDPR
Article 21(2) GDPR
Article 24(1) GDPR
Article 24(2) GDPR
Article 25(1) GDPR
Article 130 of the Codice in Materia di Protezione dei Dati Personali
Type: Complaint
Outcome: Upheld
Started:
Decided: 18.07.2023
Published: 18.07.2023
Fine: 40,000 EUR
Parties: n/a
Compara Facile S.r.l.
National Case Number/Name: 9921112
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Il Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: n/a

The Italian DPA fined €40,000 Compara Facile s.r.l. for having performed marketing phone calls in without collecting informed consent from the data subjects.

English Summary

Facts

On 15 December 2022, the data subject complained with the DPA that, in the absence of his prior informed consent, they received repeated unsolicited phone calls from the controller Compara Facile s.r.l. This occurred regardless of the fact that his user account was registered in the public register of oppositions. The data subject further added that these calls persisted even after they requested the erasure of their data and objected to further processing during the phone calls. They also complained about the lack of response to their request to exercise their rights under Article 15, Article 17 and Article 21 GDPR.

Therefore, the data subject lodged a complaint with the Italian DPA.

During the DPA's investigation, it became clear that the controller acquired the data subject’s personal data from a company based in Moldova. In particular, the data subject, when participating to a lottery, allegedly gave consent to the disclosure of their data to third parties for promotional purposes. The Moldovan company's database was licenced for use by the controller for a period of 90 days in order to duplicate and extract data required to make targeted telephone calls.

Compara Facile s.r.l. claimed to be only processor on behalf of the Moldovan company. In particular, they would have only checked the quality of data collected by the latter, in order to avoid fraud.

Holding

The DPA determined that the controller was an autonomous data controller in terms of the processing of the data obtained from the Moldovan company, because the data extraction and duplication activities were actually aimed at carrying out promotional campaigns for Compara Facile products and services and resulted in the enrichment of its database. Therefore, the controller concretely determined the purpose for which the processing was carried out and their essential means.

Once controllership was ascertained, the DPA found the controller infringed several GDPR provisions:

  • Articles 12, 13 and 14 GDPR, for not having properly informed the data subject on the use of their personal data during the promotional phone call.
  • Article 5(1)(a), Article 6(1)(a) and Article 7 GDPR, for having carried out promotional telephone calls without the informed consent of the data subject concerned, and for having failed to produce appropriate documentation to prove the reception of such consent. As a matter of fact, consent collected by the Moldovan company - a separate controller - did not concern marketing communications.
  • Articles 12(2) and (3), 15, 17 and Article 21(2) GDPR, for failing to reply to the data subject’s request to the exercise of their rights and for failing to promptly register the dara subject's objection to be further contacted.

Therefore, pursuant to Article 58(2)(f) GDPR, the DPA prohibited the controller from processing the personal data collected in the absence of appropriate consent of the data subjects. The DPA also ordered the controller to delete the personal data at issue, without delay. Finally, the DPA ordered the controller to put in place all the necessaty measures to ensure compliance with the provisions of the GDPR, such as the improvement of the privacy policy, including the specification of the legal basis for processing, and the adoption of appropriate procedures to keep track of the processing activities within its data supply chain.

Pursuant to Article 83 GDPR the DPA imposed a €40,000 fine to the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9921112]

Provision of 18 July 2023

Register of measures
n. 322 of 18 July 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter the "Code");

HAVING SEEN the documentation in the documents;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000;

SPEAKER the lawyer. Guido Scorza;

PREMISE

1. THE INVESTIGATORY ACTIVITY

With the complaint dated 15 December 2022, presented to this Authority pursuant to art. 77 of the Regulation, Mr. XX complained about the "almost daily" receipt of unwanted phone calls from Compara Facile S.r.l. (hereinafter also «Company» or «Comparafacile») on your user registered in the Public Registry of Oppositions (so-called «RPO»), in the absence of prior informed consent. The complainant, in representing that the aforementioned contacts would have continued even after the requests for cancellation of data and opposition to further processing made during the telephone calls, complained about the lack of response to the request to exercise the rights referred to in the articles. 15, 17 and 21 of the Regulation, forwarded via e-mail on 9 November 2022 to the addresses indicated in the Company's privacy policy (found at the link https://www.comparafacile.biz/privacy-policy/) and renewed on the dates of 14 November and 7 December 2022. Furthermore, even after this request, the complainant would have received a further unwanted promotional phone call from Comparafacile (see email dated 11/14/2022).

Following an initial response provided on 13 January 2023 to the request for information dated 22 December 2022, the Office - in order to clarify some aspects and acquire useful elements for a complete assessment of the profiles linked to the lawfulness of the processing - formulated a new request for information, pursuant to art. 157 of the Code, to which the Company responded on 18 February 2023 in the following terms, confirming much of the contents expressed previously.

The personal data of the complainant, not subjected by the Company to the necessary verification at the Public Registry of Oppositions for reasons related to obtaining authorizations for consultation, were acquired from a data provider based in Moldova – XX (hereinafter «XX» ) – to which the interested party would have given consent to the communication of the same data to third parties for promotional purposes. The database acquired by the Provider was licensed for use to the Company for a period of 90 days during which it was able to proceed, as data controller, with duplication and extraction activities of data "necessary to make telephone contact [aimed] at providing commercial information" of Comparafacile (see p. 2.4. of the Private agreement between Comparafacile and XX). For the licensing of 40,000 records, the Company agreed upon a fee to XX of 2,600 euros (see p. 5.1. "Payment methods" - Private agreement cited).

Furthermore, in the response in question, the Company underlined that it was relieved by XX from the obligation to verify the validity of the acquired lists, since, in the agreement signed between the parties on 10/27/2022 and produced in support of the response of 18 February 2023, a specific indemnity is provided for Comparafacile "from the analysis of the consent given by the individual contacts included in the database granted for temporary use" (see page 7 of the response of 18 February 2023; p. 3.3. “Obligations and guarantees of the XX” of the Private Agreement cit.). “The users present in the database”, he specified, “are contacted by the Company to verify the correctness of the data and to gather any availability for commercial recontact” (see p. 2.6. of the response dated 18 February 2022). In particular, the contact in question is aimed at "gathering specific consent [...] to receive commercial information relating to the Company's activity [...] and, only in the case of authorization from the person contacted, a text message is sent to the person's mobile phone in which there is a link to a CD. landing page in which the freely selectable consents are listed in a granular manner", resulting in the recording of the personal data thus acquired in the Comparafacile information systems (see pages 2 and 3 of the response dated 30 January 2023; see p. 2.3. of the response dated 18 February 2023).

With reference to the information provided at the time of the first telephone contact, the Company, in producing the call script used for promotional telephone calls, stated that it sends, upon request of the user, if interested, an SMS containing the link to the so-called. “landing page” by accessing which it is possible to consult the privacy information.

2. DISPUTE OF VIOLATIONS

With a note dated 19 April 2023 (prot. no. 65411/23), the Company was informed of the start of the procedure, pursuant to art. 166, paragraph 5, of the Code, for the adoption of any measures referred to in art. 58, par. 2, of the Regulation, and, first of all, Comparafacile's role as independent owner with respect to the processing of the lists acquired by XX was recognized as the data extraction and duplication activities appear aimed at carrying out promotional campaigns of its products and services, with consequent enrichment of the company database. Furthermore, the use of the data provided by XX in the processing in question entailed - as declared by the Company - the "subscription of n. 1686 contracts".

Therefore, Comparafacile was charged with the alleged violations of the following provisions:

2.1. articles 12, 13 and 14 of the Regulation for not having provided the information during promotional contacts, making its viewing subordinate, by sending a text message, to the users' expression of interest in Comparafacile's services;

2.2. articles 5, par. 1, letter. a), 6, par. 1, letter. a), 7 of the Regulation and art. 130 of the Code, for having made promotional telephone calls without the informed consent of the interested parties, having not produced suitable documentation to prove the acquisition both by the XX provider and by itself;

2.3. articles 5, par. 1, letter. a), 6, par. 1, letter. a), 7 of the Regulation for having processed the personal data collected through the so-called “landing page” in the absence of free and specific consent for the different processing purposes. In this regard, the Office observed that, when registering user data to the so-called “landing page”, a generic consent is required (1. “for the purposes expressed in the Privacy Policy”) which does not facilitate the understanding of the processing to which it refers; in fact, while for marketing and communication of data to third parties specific consent is required (2. "for marketing purposes"; 3. "to receive commercial communications from Comparafacile partners, by sharing data with third parties"), for the profiling (referred to in point E of the aforementioned information) no authorization is required for the processing of personal data, therefore being able to believe that the aforementioned generic consent can combine, in a unitary and inseparable formula, the different contractual purpose (provision of services referred to in point A of the privacy information) with the further purpose of profiling, therefore determining a coercion of the will of the interested party. Furthermore, the wording referred to in point 3 (cit. "I consent to receive commercial communications from Comparafacile partners, by sharing data with third parties") does not clarify whether the personal data thus collected are used for promotional activities of third parties (to whom they are communicated) or in the interest of Comparafacile itself (which acquires them). Even in the privacy information, the two distinct processing purposes (communication to third parties and promotional activities of the Company) appear to coexist (see point D of the aforementioned information).

2.4. articles 12, par. 2 and 3, 15, 17 and 21, par. 2, of the Regulation for not having found the request to exercise the rights formulated by the interested party and for not having promptly registered the relevant opposition;

2.5. art. 1, paragraph 11, of law no. 5/2018, in relation to the following paragraph 12 and the art. 130, paragraph 3, of the Code, for having carried out telemarketing activities without having consulted the Register of Oppositions on a monthly basis or in any case before each promotional campaign;

2.6. articles 5, par. 2, 24, par. 1 and 2, and 25 of the Regulation for not having adopted adequate organizational measures aimed at keeping track of processing activities and proving compliance with the rules.

Furthermore, with the same communication dated 19 April 2023, the Company was invited to communicate how many personal details were registered in the company systems following the completion of the aforementioned online registration form on the "landing page".

3. DEFENSIVE OBSERVATIONS AND EVALUATIONS OF THE AUTHORITY

3.1. Defensive memory

The Company, in exercising its right of defence, sent a brief dated 19 May 2023 and was heard by the Authority on 14 June 2023, producing, on that occasion, further supplementary documentation, with which it requested the dismissal of the proceedings initiated against him or, alternatively, the application of the sanction for minor infringement as identified in EDPB guidelines 4/2022. From the defense arguments, of which full reference is made, the following emerged.

3.1.1. The complainant's data was acquired when registering on an online data collection form - https://www.listeprofilate.com/it/tr_iphone/privacy.html - associated with a prize competition attributable to XX, as of the data controller. In the information provided by XX the interested party was expressly informed that his personal data "will be used by the Data Controller for the exclusive purpose of ascertaining the identity of the User [...] thus avoiding possible scams or abuse and contacting [the same user] for service reasons only". In relation to this processing, specific consent was acquired from the complainant, of which evidence was produced, together with the screenshot of the formulations used for this purpose. In addition, the Company specified that XX was authorized to process the data through third parties, whether they are responsible (as in the case of Comparafacile in the data recontact and verification activity) or independent data controllers for their own purposes.

Therefore, Comparafacile has disavowed the role of owner in the processing of data acquired by XX having carried out, as responsible, exclusively "data quality" activities, aimed at a qualitative review of the lists provided and not at the enrichment of the company database, nor at carrying out promotional campaigns for its services. To confirm this, "no marketing campaign was carried out in the context of the first contact and only when the user expressed interest in possible recontact activities was he directed to the Company's landing page".

Having therefore not acted as owner, the Company would not have been entitled to fulfill the obligations inherent to the ex ante information obligations nor to the control of users in the Public Registry of Objections, also due to the indemnity granted to it by the Provider.

In any case, Comparafacile's information was provided at the time of sending the text message containing the link to the "landing page", a link that was sent by the Company following the expression of interest from users in receiving commercial offers from the same for which consent had already been given to XX. It was not possible for Comparafacile to fulfill the information obligation at a time prior to the first contact (given the vast audience of recipients of the contacts) and "the consents collected with the subsequent activity of redirecting the user to the company's landing page enabled this last to carry out de facto treatments".

Finally, the Company announced that it had collected 1,100 records via the online registration form on the "landing page" which generated a small turnover of €79,200.00.

3.1.2. With reference to the dispute referred to in point 2.5 of this provision, the Company, in confirming the difficulties encountered in accessing the public Register of Oppositions before contact with the complainant, represented that the registration of the interested party's user in the aforementioned Registro, only intervened on 15 December 2022, therefore following the contacts made by Comparafacile and complained of in the complaint.

3.1.3. Regarding the failure to respond to the interested party's request to exercise the rights, the Company declared that it acted in good faith and in the absence of malice.

3.1.4. Regarding the processing of data carried out via the website and the consent not correctly requested for profiling, the Company specified that "the only purpose indicated in the information and for which consent was expressly provided in addition to that collected on the landing page was related to the profiling activity that […] the Company does not carry out”.

Furthermore, the Company objected to the point raised by the Authority regarding the acquisition of a consent which tends to combine two distinct purposes (comparafacile promotional activity and communication to third parties), arguing that for such processing two specific authorizations are required (one for marketing activities – consent no. 2 – and the other for communication to third party partners other than the Company – consent no. 3). Furthermore, the Company specified that it has "never communicated and does not communicate the data collected to third parties".

3.2. Legal assessments

With reference to the factual profiles highlighted above, also based on the Company's statements, for which the declarant is responsible pursuant to art. 168 of the Code, the following legal assessments are formulated.

3.2.1. The main argument put forward by the Company in defense of its position through the reference to the exclusive data quality activity carried out as responsible for the processing of data acquired by XX cannot be considered acceptable as it does not correspond to the concrete execution of the conduct.

From the analysis of the information provided by XX upon registration on the online form (https://www.listeprofilate.com/it/tr_iphone/privacy.html), it emerged, first of all, that the activity of contacting the users participating in the prize competition, in order to verify their identity, would not be envisaged by third parties (such as Comparafacile) to whom the data may be communicated, but can be carried out by the owner (Provider) "for the sole service reasons". Furthermore, in point 2 of the aforementioned information, entitled "Further processing purposes: communication of data to the Data Controller's Partners", the person who receives the data from XX to carry out its own marketing activities is clearly indicated as an independent data controller, specifying that "A once the transfer has taken place, it will be the responsibility of the Owner's Partner to provide Users [...] with all the information required by the same art. 14 of the Regulation".

Therefore, the aforementioned data quality activity cannot be invoked by the Company as the records have become available to the latter in exchange for a compensation to the Provider and the telephone contacts are preliminary to the carrying out of Comparafacile(1) promotional campaigns and not instead to verify the accuracy of XX's data for participation in the prize competition, with consequent enrichment of its database (as demonstrated by the above-mentioned 1,686 contracts signed following telephone contacts).

In this context, XX, owner of the database, would have acted as an independent owner, since the activities carried out by the same Provider (collection, storage and transmission of data to third parties) are previous and completely independent from the processing carried out by Comparafacile. It follows that the Company - having concretely determined the purpose for which the processing was carried out (the promotion of its services), the channel used for this purpose, thereby also defining the essential means, and having selected the subject supplier of the lists - is to be considered the data controller, pursuant to art. 4 of the Regulation (see provision dated 26 October 2017, web doc. no. 7320903; provision dated 15 January 2020, web doc no. 9256486; provision dated 25 November 2021, web doc. no. 9736961; provision dated 25 November 2021, web doc. no. 9737185; provision 2 December 2021, web doc. no. 9731682; provision 2 December 2021, web doc. no. 9731664; provision 16 December 2021, web doc. no. 9742704).

Comparafacile is therefore directly attributable to both the obligations imposed by the legislation on the protection of personal data and the responsibility for the alleged violations found, both due to the already highlighted legal role of data controller that the Company has assumed, and because the contractual provision of indemnity clauses which the same Company resorted to in the response dated 18 February 2023 is irrelevant and which has value only with regard to the contractual relationships between the parties and not with respect to the guarantees to be given to the interested party in relation to the processing of your data, nor even with reference to the distribution of responsibilities in the context of the processing.

Having said this, there was no evidence of the Company's obligation to provide information on the occasion of the first contact, pursuant to art. 14 of the Regulation, since having read the privacy information was subject to the users' expression of interest in Comparafacile's services. Furthermore, a mechanism that forces the user to declare an interest in the Company's services in order to acquire all the information required by art. cannot be considered suitable and therefore legitimate. 13 of the Regulation, thus also contravening the requirement of easy usability of the information underlying the art. 12 of the Regulation, in the broader context of the basic principle of transparency (see provision dated 27 May 2021, web doc. no. 9689375; see provisional cit. provision 15 January 2020).

Therefore, it is deemed necessary to confirm what was observed in the document initiating the procedure regarding the existence of the violation of the articles. 12, 13 and 14 of the Regulation for the absence of the release of suitable information during promotional contacts, not only in relation to the case referred to in the complaint but in the overall processing carried out by Comparafacile.

It follows that in the absence of information on the processing even the expression of will of the interested party is irremediably flawed and unsuitable for constituting a condition of lawfulness for the processing itself. Therefore, the consent for promotional purposes requested on the occasion of the first telephone call to the interested party, not being informed, cannot be considered a valid prerequisite for the Company's marketing activity. Nor would it appear that the Company, at the time of contact with the interested party, verified the original consent acquired by XX to the receipt of commercial offers from third parties to whom the data would have been communicated, since the request for recontact for the carrying out marketing activities by Comparafacile would not be justified if there was prior express authorization in this regard. Furthermore, from the examination of the private agreement completed with XX, it emerged that the burden of verifying the validity of the list made available to it and the related consents acquired during the registration phase does not fall on Comparafacile. This would confirm the implementation of the described processing without the Company having ascertained the necessary legal basis for the commercial activity. Also in this case it must be noted that the indemnity clause with which XX intended to exempt Comparafacile from the activity of verifying the correct acquisition of consent is irrelevant. Comparafacile's responsibility for the violation of the articles must therefore be confirmed. 5, par. 1, letter. a), 6, par. 1, letter. a), 7 of the Regulation as well as art. 130 of the Code.

3.2.2. With reference to the registration of the interested party's users in the Public Register of Objections - which the Company claims only took place on 15 December 2022, therefore after the contacts complained of - it is preliminarily stated that, from timely checks carried out by the Office, the numbering of the complainant was registered from 2 August 2022 and renewed several times until 15 December 2022. This duly clarified, even if at the time of the complained contacts the registration of the interested party's user was temporarily suspended, the Company should have submitted the list of personal details now passed into its availability for confirmation from the Public Register of Oppositions and exclude from the list of contactable subjects those who had correctly formulated their opposition.

However, it appears that the response to the RPO was not carried out and the fact that this lack of response was due to technical problems connected to the registration of the Company in the list of operators who are allowed to consult the Register or that the The objection to the processing of the complainant's user was not registered at that time. In fact, registration with the RPO and consultation of the same must be considered as pre-conditions for being able to correctly carry out telemarketing activities and the technical impossibility of accessing the Register can only determine the impossibility of starting any promotional campaign for which it is the use of the telephone is expected.

The existence of the violation of the art. must therefore be confirmed. 1, paragraph 11, of law no. 5/2018, in relation to the following paragraph 12 and the art. 130, paragraph 3, of the Code.

3.2.3. As described in point 1 of this provision, the Company would have carried out telephone activities in an insistent and concentrated manner towards the same user, registered with the RPO, even after the formal warning from the complainant dated 9 November 2022, requested several times (on the dates 14 November and 7 December 2022). Therefore, the Company does not appear to have promptly registered the opposition expressed by the interested party nor to have found the requests to exercise the rights referred to in the articles. 15, 17 and 21 of the Regulation - formulated by the same - within the terms established by the art. 12, par. 3 of the Regulation, nor has it yet provided explanations for the lack of response. Comparafacile processed the requests made only after being requested to do so by the Authority with a note dated 22 December 2022.

What emerges, therefore, is an omissive conduct which is not consistent with the owner's obligation to facilitate, with appropriate measures, the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without delay, the relevant requests, including the right to object which can be advanced "at any time" (see provision no. 431 of 15 December 2022, web doc. no. 9856345). It is therefore believed that it is necessary to confirm the violation of the art. 12 par. 2 and 3, as well as articles. 15, 17 and 21, par. 2, of the Regulation.

3.2.4. Based on what was declared by the Company, in its defence, the profiling and communication activities of data to third parties, although indicated in the privacy policy, have not been concretely carried out. For this reason, there would be no violation relating to the failure to collect specific consent for the aforementioned activities.

In this regard, it must be preliminarily observed that the disconnect between the formal plan - relating to the aforementioned information on the website - and the factual plan of the activities is likely to generate reasonable doubt about the actual processing carried out by Comparafacile.

The Guarantor has repeatedly declined the principle of transparency as easy comprehensibility of the information message, with specific regard to the methods and purposes of the processing corresponding not only with the consent requested but, even before that, with the purposes actually pursued. There is a need for correspondence between information pursuant to art. 13 of the Regulation and effectiveness of the treatments implemented, in order to fully implement the art. 12 of the Regulation, i.e. precisely to the principle of transparency, which presents itself as a fundamental and innovative criterion of legitimacy of the treatments themselves (see provision cit. n. 7 of 15 January 2020; see provision cit. n. 431 of 15 December 2022).

Added to this is that, in any case, the collection of personal data for a specific purpose represents a processing operation even where this purpose has not yet been concretely pursued and, even for mere conservation, it is therefore necessary to acquire a suitable consent.

From the examination of the documents and the defense observations of the party it emerges that the Company has not acquired specific consent for the profiling purpose. Therefore, in light of the above, the existence of the disputed violation of the articles is confirmed. 5, par. 1, letter. a), 6, par. 1, letter. a), 7 of the Regulation, with reference to the processing of personal data aimed at carrying out profiling activities, for which the collection of the data itself was in any case carried out.

4. CONCLUSIONS

For the above, Comparafacile's responsibility for the following violations of the Regulation is deemed to be established:

- art. 5, par. 1, letter. a) and 2

- art. 6

- art. 7

- art. 12

- art. 13

- art. 14

- art. 15

- art. 17

- art. 21, par. 2

- art. 24, par. 1 and 2

- art. 25, par. 1

as well as art. 130 of the Code.

Having ascertained the illicit nature of the Company's conduct described above, it is necessary to:

a) pursuant to art. 58, par. 2, letter. f) of the Regulation, prohibit the processing of personal data collected via the website in the absence of suitable consent of the interested parties in the profiling activity, pursuant to articles. 6, 7 and 12 of the Regulation, as well as 130 of the Code, since this purpose, even if it was not actually pursued by the Company, resulted in the collection of personal data without consent;

b) pursuant to art. 58, par. 2, letter. d) of the Regulation, order Comparafacile to delete said data without delay, without prejudice to that which is necessary to keep for the fulfillment of a legal obligation or for the defense of a right in court as well as for any other purpose that does not require informed, free, specific, documented and unambiguous consent from the interested party;

c) in the event that the Company intends in the future to direct promotional activity towards telephone users provided by third parties, prescribe, pursuant to art. 58, par. 2, letter. d), of the Regulation, to implement all the necessary measures to ensure that they comply with the provisions on the protection of personal data, i.e., among others:

- provide suitable information to interested parties, providing all the elements required by the articles. 12 and 13 of the Regulation;

- identify a suitable legal basis for the processing in question which, at present, appears to be feasible in the acquisition of informed, free, specific, documented and unequivocal consent for each of the purposes concretely pursued (articles 6 and 7 of the Regulation);

- implement all necessary organizational measures in order to facilitate the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without unjustified delay, the relevant requests, including the right of opposition which can be advanced "in any time” by the interested party (art. 21, par. 2, of the Regulation);

- adopt suitable procedures aimed at keeping track of processing activities within the supply chain and proving compliance with the rules on the protection of personal data, with particular reference to those applicable to the sending of commercial communications (articles 6, 7, 13, 14 of the Regulation and 130 of the Code);

d) with regard to the processing already carried out, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to articles. 58, par. 2, letter. i) and 83, pars. 4 and 5 of the Regulation.

5. ORDER INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION

The violations confirmed above require the adoption of an injunction order, pursuant to articles. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Comparafacile of the pecuniary administrative sanction provided for by the art. 83, par. 4 and 5 of the Regulation. However, since various provisions of the Regulation and the Code have been violated in relation to related processing carried out by the Company for marketing purposes, art. 83, par. 3, of the Regulation, according to which, "if, in relation to the same treatment or related treatments, a data controller violates, with intent or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed amount specified for the most serious violation”, thus absorbing the less serious violations. Specifically, the aforementioned violations - also having as their object the exercise of the rights of the interested parties - are to be traced back, pursuant to art. 83, par. 3, of the same Regulation, in the context of the most serious violation, with consequent application of the sanction provided for in the art. 83, par. 5, of the Regulation.

To determine the amount of the sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1), it is necessary to take into account the elements indicated in the art. 83, par. 2, of the Regulation.

Which circumstances to take into consideration in the specific case must be considered, from the point of view of aggravating circumstances:

1. the high number of subjects involved in the contested processing: 40,000 records acquired by XX; 1,686 contracts signed with the aforementioned records communicated by the Provider with respect to which the Company does not appear to have verified the legal conditions that would legitimize the processing; 1,100 details registered on the online form on the "landing page" and which include data for which no specific consent to profiling has been acquired nor, according to the Company, any processing is in progress (art. 83, par. 2 , letter a);

2. the seriousness of the violations detected with particular reference to the absence of random checks of the contact numbers provided by the partner, the inadequate management of the right of opposition of the interested parties, as well as the unsuitability of the information provided on the website and the lack of the same during promotional telephone calls (art. 83, par. 2, letter a);

3. the negligent nature of the conduct given that the Company's presence on the market for many years should have allowed it to acquire a sufficient wealth of experience and competence to adopt fundamental choices that are more in line with the regulatory provisions (art. 83, par. 2 , letter b);

4. the dissimilarity of the Company's conduct with respect to the consistent regulatory activity of the Authority in the field of marketing with particular reference to information and consent (art. 83, par. 2 letter k);

5. the overall assessment of the economic capacity of the Company, taking into consideration the latest available company turnover (art. 83, par. 2 letter k).

As mitigating elements, it is believed that the following should be taken into account:

1. the absence of previous proceedings initiated against the Company (art. 83, par. 2 letter e);

2. the degree of cooperation in interaction with the Supervisory Authority such as to facilitate the carrying out of investigation activities (art. 83, par. 2, letter f).

Based on all the elements indicated above, in application of the aforementioned principles of effectiveness, proportionality and dissuasiveness referred to in art. 83, par. 1 of the Regulation, also taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational, functional and employment needs of the Company, it is believed that it should apply to Comparafacile - also taking into consideration other similar cases - the administrative sanction of payment of a sum of 40,000.00 (forty thousand/00) euros, equal to 0.2% of the statutory maximum.

In the case in question, it is believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art., should also be applied. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the matter under investigation, i.e. the phenomenon of unwanted marketing, with respect to which this Authority has adopted numerous provisions both of a general nature and directed at certain data controllers and on which the attention of the 'user.

Please remember that pursuant to art. 170 of the Code, anyone who, being obliged, does not comply with this provision prohibiting processing is punished with imprisonment from three months to two years and that, in case of non-compliance with the same provision, the sanction referred to in to the art. 83, par. 5, letter. e) of the Regulation.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the notation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, letter. u) of the Regulation.

ALL THE WHEREAS, THE GUARANTOR

pursuant to art. 57, par. 1, letter. f), of the Regulation, declares unlawful, within the terms set out in the justification, the processing carried out by Compara Facile S.r.l., with registered office in Via Tivoli 8, 00156 Rome, VAT number 15474891007, and consequently:

a) pursuant to art. 58, par. 2, letter. f) of the Regulation, prohibits the processing of personal data collected via the website in the absence of suitable consent of the interested parties in the profiling activity, pursuant to articles. 6, 7 and 12 of the Regulation, as well as 130 of the Code, since this purpose, even if it was not actually pursued by the Company, resulted in the collection of personal data without consent;

b) pursuant to art. 58, par. 2, letter. d) of the Regulation, orders Comparafacile to delete said data without delay, without prejudice to that which is necessary to keep for the fulfillment of a legal obligation or for the defense of a right in court as well as for any other purpose that does not require informed, free, specific, documented and unambiguous consent from the interested party;

c) in the event that the Company intends in the future to direct promotional activity towards telephone users provided by third parties, it prescribes, pursuant to art. 58, par. 2, letter. d), of the Regulation, to implement all the necessary measures to ensure that they comply with the provisions on the protection of personal data, i.e., among others:

- provide suitable information to interested parties, providing all the elements required by the articles. 12 and 13 of the Regulation;

- identify a suitable legal basis for the processing in question which, at present, appears to be feasible in the acquisition of informed, free, specific, documented and unequivocal consent for each of the purposes concretely pursued (articles 6 and 7 of the Regulation);

- implement all necessary organizational measures in order to facilitate the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without unjustified delay, the relevant requests, including the right of opposition which can be advanced "in any time” by the interested party (art. 21, par. 2, of the Regulation);

- adopt suitable procedures aimed at keeping track of processing activities within the supply chain and proving compliance with the rules on the protection of personal data, with particular reference to those applicable to the sending of commercial communications (articles 6, 7, 13, 14 of the Regulation and 130 of the Code);

d) pursuant to art. 157 of the Code, orders the Company to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, paragraph 5, of the Regulation.

ORDER

pursuant to art. 58, par. 2, letter. i), of the Regulation, to Compara Facile S.r.l., in the person of its legal representative, to pay the sum of €40,000.00 (forty thousand/00), as a pecuniary administrative sanction for the violations indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €40,000.00 (forty thousand/00) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to the art. 27 of law no. 689/1981;

HAS

as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, the publication of this provision on the Guarantor's website and, pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by the art. 57, par. 1, letter. u) of the Regulation, violations and measures adopted.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles. 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the owner of the personal data processing has his residence, or, alternatively, with the court of the place of residence of the interested party. , within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 18 July 2023

PRESIDENT
Stanzione

THE SPEAKER
Zest

THE GENERAL SECRETARY
Mattei

___

(1) Regarding the telephone contact aimed at registering the contractor's interest or otherwise in the commercial offer, the Guarantor has on several occasions specified that this type of telephone call, aimed at obtaining consent for marketing activities, is to be considered « commercial communication", as established by the jurisprudence of legitimacy (Cass. Civ., Section I, ord. 26 April 2021, n. 11019) which - in confirming the validity of the Authority's provision of 22 June 2016 n. 275 (web doc. 5255159) on the illicit nature of telephone calls for the "recovery of consent" of interested parties - highlighted that "The purpose to which the consent requested for the processing is indispensably linked cannot fail to contribute to qualifying the processing itself, reason why the processing of the data subject's data to request consent for marketing purposes is itself processing for marketing purposes" (see in the same sense, the Guidelines on promotional activities and combating spam - 4 July 2013, web doc. no. 2542348).

[doc. web no. 9921112]

Provision of 18 July 2023

Register of measures
n. 322 of 18 July 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter the "Code");

HAVING SEEN the documentation in the documents;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000;

SPEAKER the lawyer. Guido Scorza;

PREMISE

1. THE INVESTIGATORY ACTIVITY

With the complaint dated 15 December 2022, presented to this Authority pursuant to art. 77 of the Regulation, Mr. XX complained about the "almost daily" receipt of unwanted phone calls from Compara Facile S.r.l. (hereinafter also «Company» or «Comparafacile») on your user registered in the Public Registry of Oppositions (so-called «RPO»), in the absence of prior informed consent. The complainant, in representing that the aforementioned contacts would have continued even after the requests for cancellation of data and opposition to further processing made during the telephone calls, complained about the lack of response to the request to exercise the rights referred to in the articles. 15, 17 and 21 of the Regulation, forwarded via e-mail on 9 November 2022 to the addresses indicated in the Company's privacy policy (found at the link https://www.comparafacile.biz/privacy-policy/) and renewed on the dates of 14 November and 7 December 2022. Furthermore, even after this request, the complainant would have received a further unwanted promotional phone call from Comparafacile (see email dated 11/14/2022).

Following an initial response provided on 13 January 2023 to the request for information dated 22 December 2022, the Office - in order to clarify some aspects and acquire useful elements for a complete assessment of the profiles linked to the lawfulness of the processing - formulated a new request for information, pursuant to art. 157 of the Code, to which the Company responded on 18 February 2023 in the following terms, confirming much of the contents expressed previously.

The personal data of the complainant, not subjected by the Company to the necessary verification at the Public Registry of Oppositions for reasons related to obtaining authorizations for consultation, were acquired from a data provider based in Moldova – XX (hereinafter «XX» ) – to which the interested party would have given consent to the communication of the same data to third parties for promotional purposes. The database acquired by the Provider was licensed for use to the Company for a period of 90 days during which it was able to proceed, as data controller, with duplication and extraction activities of data "necessary to make telephone contact [aimed] at providing commercial information" of Comparafacile (see p. 2.4. of the Private agreement between Comparafacile and XX). For the licensing of 40,000 records, the Company agreed upon a fee to XX of 2,600 euros (see p. 5.1. "Payment methods" - Private agreement cited).

Furthermore, in the response in question, the Company underlined that it was relieved by XX from the obligation to verify the validity of the acquired lists, since, in the agreement signed between the parties on 10/27/2022 and produced in support of the response of 18 February 2023, a specific indemnity is provided for Comparafacile "from the analysis of the consent given by the individual contacts included in the database granted for temporary use" (see page 7 of the response of 18 February 2023; p. 3.3. “Obligations and guarantees of the XX” of the Private Agreement cit.). “The users present in the database”, he specified, “are contacted by the Company to verify the correctness of the data and to gather any availability for commercial recontact” (see p. 2.6. of the response dated 18 February 2022). In particular, the contact in question is aimed at "gathering specific consent [...] to receive commercial information relating to the Company's activity [...] and, only in the case of authorization from the person contacted, a text message is sent to the person's mobile phone in which there is a link to a CD. landing page in which the freely selectable consents are listed in a granular manner", resulting in the recording of the personal data thus acquired in the Comparafacile information systems (see pages 2 and 3 of the response dated 30 January 2023; see p. 2.3. of the response dated 18 February 2023).

With reference to the information provided at the time of the first telephone contact, the Company, in producing the call script used for promotional telephone calls, stated that it sends, upon request of the user, if interested, an SMS containing the link to the so-called. “landing page” by accessing which it is possible to consult the privacy information.

2. DISPUTE OF VIOLATIONS

With a note dated 19 April 2023 (prot. no. 65411/23), the Company was informed of the start of the procedure, pursuant to art. 166, paragraph 5, of the Code, for the adoption of any measures referred to in art. 58, par. 2, of the Regulation, and, first of all, Comparafacile's role as independent owner with respect to the processing of the lists acquired by XX was recognized as the data extraction and duplication activities appear aimed at carrying out promotional campaigns of its products and services, with consequent enrichment of the company database. Furthermore, the use of the data provided by XX in the processing in question entailed - as declared by the Company - the "subscription of n. 1686 contracts".

Therefore, Comparafacile was charged with the alleged violations of the following provisions:

2.1. articles 12, 13 and 14 of the Regulation for not having provided the information during promotional contacts, making its viewing subordinate, by sending a text message, to the users' expression of interest in Comparafacile's services;

2.2. articles 5, par. 1, letter. a), 6, par. 1, letter. a), 7 of the Regulation and art. 130 of the Code, for having made promotional telephone calls without the informed consent of the interested parties, having not produced suitable documentation to prove the acquisition both by the XX provider and by itself;

2.3. articles 5, par. 1, letter. a), 6, par. 1, letter. a), 7 of the Regulation for having processed the personal data collected through the so-called “landing page” in the absence of free and specific consent for the different processing purposes. In this regard, the Office observed that, when registering user data to the so-called “landing page”, a generic consent is required (1. “for the purposes expressed in the Privacy Policy”) which does not facilitate the understanding of the processing to which it refers; in fact, while for marketing and communication of data to third parties specific consent is required (2. "for marketing purposes"; 3. "to receive commercial communications from Comparafacile partners, by sharing data with third parties"), for the profiling (referred to in point E of the aforementioned information) no authorization is required for the processing of personal data, therefore being able to believe that the aforementioned generic consent can combine, in a unitary and inseparable formula, the different contractual purpose (provision of services referred to in point A of the privacy information) with the further purpose of profiling, therefore determining a coercion of the will of the interested party. Furthermore, the wording referred to in point 3 (cit. "I consent to receive commercial communications from Comparafacile partners, by sharing data with third parties") does not clarify whether the personal data thus collected are used for promotional activities of third parties (to whom they are communicated) or in the interest of Comparafacile itself (which acquires them). Even in the privacy information, the two distinct processing purposes (communication to third parties and promotional activities of the Company) appear to coexist (see point D of the aforementioned information).

2.4. articles 12, par. 2 and 3, 15, 17 and 21, par. 2, of the Regulation for not having found the request to exercise the rights formulated by the interested party and for not having promptly registered the relevant opposition;

2.5. art. 1, paragraph 11, of law no. 5/2018, in relation to the following paragraph 12 and the art. 130, paragraph 3, of the Code, for having carried out telemarketing activities without having consulted the Register of Oppositions on a monthly basis or in any case before each promotional campaign;

2.6. articles 5, par. 2, 24, par. 1 and 2, and 25 of the Regulation for not having adopted adequate organizational measures aimed at keeping track of processing activities and proving compliance with the rules.

Furthermore, with the same communication dated 19 April 2023, the Company was invited to communicate how many personal details were registered in the company systems following the completion of the aforementioned online registration form on the "landing page".

3. DEFENSIVE OBSERVATIONS AND EVALUATIONS OF THE AUTHORITY

3.1. Defensive memory

The Company, in exercising its right of defence, sent a brief dated 19 May 2023 and was heard by the Authority on 14 June 2023, producing, on that occasion, further supplementary documentation, with which it requested the dismissal of the proceedings initiated against him or, alternatively, the application of the sanction for minor infringement as identified in EDPB guidelines 4/2022. From the defense arguments, of which full reference is made, the following emerged.

3.1.1. The complainant's data was acquired when registering on an online data collection form - https://www.listeprofilate.com/it/tr_iphone/privacy.html - associated with a prize competition attributable to XX, as of the data controller. In the information provided by XX the interested party was expressly informed that his personal data "will be used by the Data Controller for the exclusive purpose of ascertaining the identity of the User [...] thus avoiding possible scams or abuse and contacting [the same user] for service reasons only". In relation to this processing, specific consent was acquired from the complainant, of which evidence was produced, together with the screenshot of the formulations used for this purpose. In addition, the Company specified that XX was authorized to process the data through third parties, be they responsible (as in the case of Comparafacile in the data recontact and verification activity) or independent data controllers for their own purposes.

Therefore, Comparafacile has disavowed the role of owner in the processing of data acquired by XX having carried out, as responsible, exclusively "data quality" activities, aimed at a qualitative review of the lists provided and not at the enrichment of the company database, nor at carrying out promotional campaigns for its services. To confirm this, "no marketing campaign was carried out in the context of the first contact and only when the user expressed interest in possible recontact activities was he directed to the Company's landing page".

Having therefore not acted as owner, the Company would not have been entitled to fulfill the obligations inherent to the ex ante information obligations nor to the control of users in the Public Registry of Objections, also due to the indemnity granted to it by the Provider.

In any case, Comparafacile's information was provided at the time of sending the text message containing the link to the "landing page", a link that was sent by the Company following the expression of interest from users in receiving commercial offers from the same for which consent had already been given to XX. It was not possible for Comparafacile to fulfill the information obligation at a time prior to the first contact (given the vast audience of recipients of the contacts) and "the consents collected with the subsequent activity of redirecting the user to the company's landing page enabled this last to carry out de facto treatments".

Finally, the Company announced that it had collected 1,100 records via the online registration form on the "landing page" which generated a small turnover of €79,200.00.

3.1.2. With reference to the dispute referred to in point 2.5 of this provision, the Company, in confirming the difficulties encountered in accessing the public Register of Oppositions before contact with the complainant, represented that the registration of the interested party's user in the aforementioned Registro, only intervened on 15 December 2022, therefore following the contacts made by Comparafacile and complained of in the complaint.

3.1.3. Regarding the failure to respond to the interested party's request to exercise the rights, the Company declared that it acted in good faith and in the absence of malice.

3.1.4. Regarding the processing of data carried out via the website and the consent not correctly requested for profiling, the Company specified that "the only purpose indicated in the information and for which consent was expressly provided in addition to that collected on the landing page was related to the profiling activity that […] the Company does not carry out”.

Furthermore, the Company objected to the point raised by the Authority regarding the acquisition of a consent which tends to combine two distinct purposes (comparafacile promotional activity and communication to third parties), arguing that for such processing two specific authorizations are required (one for marketing activities – consent no. 2 – and the other for communication to third party partners other than the Company – consent no. 3). Furthermore, the Company specified that it has "never communicated and does not communicate the data collected to third parties".

3.2. Legal assessments

With reference to the factual profiles highlighted above, also based on the Company's statements, for which the declarant is responsible pursuant to art. 168 of the Code, the following legal assessments are formulated.

3.2.1. The main argument put forward by the Company in defense of its position through the reference to the exclusive data quality activity carried out as responsible for the processing of data acquired by XX cannot be considered acceptable as it does not correspond to the concrete execution of the conduct.

From the analysis of the information provided by XX upon registration on the online form (https://www.listeprofilate.com/it/tr_iphone/privacy.html), it emerged, first of all, that the activity of contacting the users participating in the prize competition, in order to verify their identity, would not be envisaged by third parties (such as Comparafacile) to whom the data may be communicated, but can be carried out by the owner (Provider) "for the sole service reasons". Furthermore, in point 2 of the aforementioned information, entitled "Further processing purposes: communication of data to the Data Controller's Partners", the person who receives the data from XX to carry out its own marketing activities is clearly indicated as an independent data controller, specifying that "A once the transfer has taken place, it will be the responsibility of the Owner's Partner to provide Users [...] with all the information required by the same art. 14 of the Regulation".

Therefore, the aforementioned data quality activity cannot be invoked by the Company as the records have become available to the latter in exchange for a compensation to the Provider and the telephone contacts are preliminary to the carrying out of Comparafacile(1) promotional campaigns and not instead to verify the accuracy of XX's data for participation in the prize competition, with consequent enrichment of its database (as demonstrated by the above-mentioned 1,686 contracts signed following telephone contacts).

In this context, XX, owner of the database, would have acted as an independent owner, since the activities carried out by the same Provider (collection, storage and transmission of data to third parties) are previous and completely independent from the processing carried out by Comparafacile. It follows that the Company - having concretely determined the purpose for which the processing was carried out (the promotion of its services), the channel used for this purpose, thereby also defining the essential means, and having selected the subject supplier of the lists - is to be considered the data controller, pursuant to art. 4 of the Regulation (see provision dated 26 October 2017, web doc. no. 7320903; provision dated 15 January 2020, web doc no. 9256486; provision dated 25 November 2021, web doc. no. 9736961; provision dated 25 November 2021, web doc. no. 9737185; provision 2 December 2021, web doc. no. 9731682; provision 2 December 2021, web doc. no. 9731664; provision 16 December 2021, web doc. no. 9742704).

Comparafacile is therefore directly attributable to both the obligations imposed by the legislation on the protection of personal data and the responsibility for the alleged violations found, both due to the already highlighted legal role of data controller that the Company has assumed, and because the contractual provision of indemnity clauses which the same Company resorted to in the response dated 18 February 2023 is irrelevant and which has value only with regard to the contractual relationships between the parties and not with respect to the guarantees to be given to the interested party in relation to the processing of your data, nor even with reference to the distribution of responsibilities in the context of the processing.

Having said this, there was no evidence of the Company's obligation to provide information on the occasion of the first contact, pursuant to art. 14 of the Regulation, since having read the privacy information was subject to the users' expression of interest in Comparafacile's services. Furthermore, a mechanism that forces the user to declare an interest in the Company's services in order to acquire all the information required by art. cannot be considered suitable and therefore legitimate. 13 of the Regulation, thus also contravening the requirement of easy usability of the information underlying the art. 12 of the Regulation, in the broader context of the basic principle of transparency (see provision dated 27 May 2021, web doc. no. 9689375; see provisional cit. provision 15 January 2020).

Therefore, it is deemed necessary to confirm what was observed in the document initiating the procedure regarding the existence of the violation of the articles. 12, 13 and 14 of the Regulation for the absence of the release of suitable information during promotional contacts, not only in relation to the case referred to in the complaint but in the overall processing carried out by Comparafacile.

It follows that in the absence of information on the processing even the expression of will of the interested party is irremediably flawed and unsuitable for constituting a condition of lawfulness for the processing itself. Therefore, the consent for promotional purposes requested on the occasion of the first telephone call to the interested party, not being informed, cannot be considered a valid prerequisite for the Company's marketing activity. Nor would it appear that the Company, at the time of contact with the interested party, verified the original consent acquired by XX to the receipt of commercial offers from third parties to whom the data would have been communicated, since the request for recontact for the carrying out Comparafacile's marketing activities would not be justified if there was prior express authorization to this effect. Furthermore, from the examination of the private agreement completed with XX, it emerged that the burden of verifying the validity of the list made available to it and the related consents acquired during the registration phase does not fall on Comparafacile. This would confirm the implementation of the described processing without the Company having ascertained the necessary legal basis for the commercial activity. Also in this case it must be noted that the indemnity clause with which XX intended to exempt Comparafacile from the activity of verifying the correct acquisition of consent is irrelevant. Comparafacile's responsibility for the violation of the articles must therefore be confirmed. 5, par. 1, letter. a), 6, par. 1, letter. a), 7 of the Regulation as well as art. 130 of the Code.

3.2.2. With reference to the registration of the interested party's users in the Public Register of Objections - which the Company claims only took place on 15 December 2022, therefore after the contacts complained of - it is preliminarily stated that, from timely checks carried out by the Office, the numbering of the complainant was registered from 2 August 2022 and renewed several times until 15 December 2022. This duly clarified, even if at the time of the complained contacts the registration of the interested party's user was temporarily suspended, the Company should have submitted the list of personal details now passed into its availability for confirmation from the Public Register of Oppositions and exclude from the list of contactable subjects those who had correctly formulated their opposition.

However, it appears that the response to the RPO was not carried out and the fact that this lack of response was due to technical problems connected to the registration of the Company in the list of operators who are allowed to consult the Register or that the The objection to the processing of the complainant's user was not registered at that time. In fact, registration with the RPO and consultation of the same must be considered as pre-conditions for being able to correctly carry out telemarketing activities and the technical impossibility of accessing the Register can only determine the impossibility of starting any promotional campaign for which it is the use of the telephone is expected.

The existence of the violation of the art. must therefore be confirmed. 1, paragraph 11, of law no. 5/2018, in relation to the following paragraph 12 and the art. 130, paragraph 3, of the Code.

3.2.3. As described in point 1 of this provision, the Company would have carried out telephone activities in an insistent and concentrated manner towards the same user, registered with the RPO, even after the formal warning from the complainant dated 9 November 2022, requested several times (on the dates 14 November and 7 December 2022). Therefore, the Company does not appear to have promptly registered the opposition expressed by the interested party nor to have found the requests to exercise the rights referred to in the articles. 15, 17 and 21 of the Regulation - formulated by the same - within the terms established by the art. 12, par. 3 of the Regulation, nor has it yet provided explanations for the lack of response. Comparafacile processed the requests made only after being requested to do so by the Authority with a note dated 22 December 2022.

What emerges, therefore, is an omissive conduct which is not consistent with the owner's obligation to facilitate, with appropriate measures, the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without delay, the relevant requests, including the right to object which can be advanced "at any time" (see provision no. 431 of 15 December 2022, web doc. no. 9856345). It is therefore believed that it is necessary to confirm the violation of the art. 12 par. 2 and 3, as well as articles. 15, 17 and 21, par. 2, of the Regulation.

3.2.4. Based on what was declared by the Company, in its defence, the profiling and communication activities of data to third parties, although indicated in the privacy policy, have not been concretely carried out. For this reason, there would be no violation relating to the failure to collect specific consent for the aforementioned activities.

In this regard, it must be preliminarily observed that the disconnect between the formal plan - relating to the aforementioned information on the website - and the factual plan of the activities is likely to generate reasonable doubt about the actual processing carried out by Comparafacile.

The Guarantor has repeatedly declined the principle of transparency as easy comprehensibility of the information message, with specific regard to the methods and purposes of the processing corresponding not only with the consent requested but, even before that, with the purposes actually pursued. There is a need for correspondence between information pursuant to art. 13 of the Regulation and effectiveness of the treatments implemented, in order to fully implement the art. 12 of the Regulation, i.e. precisely to the principle of transparency, which presents itself as a fundamental and innovative criterion of legitimacy of the treatments themselves (see provision cit. n. 7 of 15 January 2020; see provision cit. n. 431 of 15 December 2022).

Added to this is that, in any case, the collection of personal data for a specific purpose represents a processing operation even where this purpose has not yet been concretely pursued and, even for mere conservation, it is therefore necessary to acquire a suitable consent.

From the examination of the documents and the defense observations of the party it emerges that the Company has not acquired specific consent for the profiling purpose. Therefore, in light of the above, the existence of the disputed violation of the articles is confirmed. 5, par. 1, letter. a), 6, par. 1, letter. a), 7 of the Regulation, with reference to the processing of personal data aimed at carrying out profiling activities, for which the collection of the data itself was in any case carried out.

4. CONCLUSIONS

For the above, Comparafacile's responsibility for the following violations of the Regulation is deemed to be established:

- art. 5, par. 1, letter. a) and 2

- art. 6

- art. 7

- art. 12

- art. 13

- art. 14

- art. 15

- art. 17

- art. 21, par. 2

- art. 24, par. 1 and 2

- art. 25, par. 1

as well as art. 130 of the Code.

Having ascertained the illicit nature of the Company's conduct described above, it is necessary to:

a) pursuant to art. 58, par. 2, letter. f) of the Regulation, prohibit the processing of personal data collected via the website in the absence of suitable consent of the interested parties in the profiling activity, pursuant to articles. 6, 7 and 12 of the Regulation, as well as 130 of the Code, since this purpose, even if it was not actually pursued by the Company, resulted in the collection of personal data without consent;

b) pursuant to art. 58, par. 2, letter. d) of the Regulation, order Comparafacile to delete said data without delay, without prejudice to data that is necessary to keep for the fulfillment of a legal obligation or for the defense of a right in court as well as for any other purpose that does not require informed, free, specific, documented and unambiguous consent from the interested party;

c) in the event that the Company intends in the future to direct promotional activity towards telephone users provided by third parties, prescribe, pursuant to art. 58, par. 2, letter. d), of the Regulation, to implement all the necessary measures to ensure that they comply with the provisions on the protection of personal data, i.e., among others:

- provide suitable information to interested parties, providing all the elements required by the articles. 12 and 13 of the Regulation;

- identify a suitable legal basis for the processing in question which, at present, appears to be feasible in the acquisition of informed, free, specific, documented and unequivocal consent for each of the purposes concretely pursued (articles 6 and 7 of the Regulation);

- implement all necessary organizational measures in order to facilitate the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without unjustified delay, the relevant requests, including the right of opposition which can be advanced "in any time” by the interested party (art. 21, par. 2, of the Regulation);

- adopt suitable procedures aimed at keeping track of processing activities within the supply chain and proving compliance with the rules on the protection of personal data, with particular reference to those applicable to the sending of commercial communications (articles 6, 7, 13, 14 of the Regulation and 130 of the Code);

d) with regard to the processing already carried out, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to articles. 58, par. 2, letter. i) and 83, pars. 4 and 5 of the Regulation.

5. ORDER INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION

The violations confirmed above require the adoption of an injunction order, pursuant to articles. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Comparafacile of the pecuniary administrative sanction provided for by the art. 83, par. 4 and 5 of the Regulation. However, since various provisions of the Regulation and the Code have been violated in relation to related processing carried out by the Company for marketing purposes, art. 83, par. 3, of the Regulation, according to which, "if, in relation to the same treatment or related treatments, a data controller violates, with intent or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed amount specified for the most serious violation”, thus absorbing the less serious violations. Specifically, the aforementioned violations - also having as their object the exercise of the rights of the interested parties - are to be traced back, pursuant to art. 83, par. 3, of the same Regulation, in the context of the most serious violation, with consequent application of the sanction provided for in the art. 83, par. 5, of the Regulation.

To determine the amount of the sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1), it is necessary to take into account the elements indicated in the art. 83, par. 2, of the Regulation.

Which circumstances to take into consideration in the specific case must be considered, from the point of view of aggravating circumstances:

1. the high number of subjects involved in the contested processing: 40,000 records acquired by XX; 1,686 contracts signed with the aforementioned records communicated by the Provider with respect to which the Company does not appear to have verified the legal conditions that would legitimize the processing; 1,100 details registered on the online form on the "landing page" and which include data for which no specific consent to profiling has been acquired nor, according to the Company, any processing is in progress (art. 83, par. 2 , letter a);

2. the seriousness of the violations detected with particular reference to the absence of random checks of the contact numbers provided by the partner, the inadequate management of the right of opposition of the interested parties, as well as the unsuitability of the information provided on the website and the lack of the same during promotional telephone calls (art. 83, par. 2, letter a);

3. the negligent nature of the conduct given that the Company's presence on the market for many years should have allowed it to acquire a sufficient wealth of experience and competence to adopt fundamental choices that are more in line with the regulatory provisions (art. 83, par. 2 , letter b);

4. the dissimilarity of the Company's conduct with respect to the consistent regulatory activity of the Authority in the field of marketing with particular reference to information and consent (art. 83, par. 2 letter k);

5. the overall assessment of the economic capacity of the Company, taking into consideration the latest available company turnover (art. 83, par. 2 letter k).

As mitigating elements, it is believed that the following should be taken into account:

1. the absence of previous proceedings initiated against the Company (art. 83, par. 2 letter e);

2. the degree of cooperation in interaction with the Supervisory Authority such as to facilitate the carrying out of investigation activities (art. 83, par. 2, letter f).

Based on all the elements indicated above, in application of the aforementioned principles of effectiveness, proportionality and dissuasiveness referred to in art. 83, par. 1 of the Regulation, also taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational, functional and employment needs of the Company, it is believed that it should apply to Comparafacile - also taking into consideration other similar cases - the administrative sanction of payment of a sum of 40,000.00 (forty thousand/00) euros, equal to 0.2% of the statutory maximum.

In the case in question, it is believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art., should also be applied. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the matter under investigation, i.e. the phenomenon of unwanted marketing, with respect to which this Authority has adopted numerous provisions both of a general nature and directed at certain data controllers and on which the attention of the 'user.

Please remember that pursuant to art. 170 of the Code, anyone who, being obliged, does not comply with this provision prohibiting processing is punished with imprisonment from three months to two years and that, in case of non-compliance with the same provision, the sanction referred to in to the art. 83, par. 5, letter. e) of the Regulation.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the notation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, letter. u) of the Regulation.

ALL THE WHEREAS, THE GUARANTOR

pursuant to art. 57, par. 1, letter. f), of the Regulation, declares unlawful, within the terms set out in the justification, the processing carried out by Compara Facile S.r.l., with registered office in Via Tivoli 8, 00156 Rome, VAT number 15474891007, and consequently:

a) pursuant to art. 58, par. 2, letter. f) of the Regulation, prohibits the processing of personal data collected via the website in the absence of suitable consent of the interested parties in the profiling activity, pursuant to articles. 6, 7 and 12 of the Regulation, as well as 130 of the Code, since this purpose, even if it was not actually pursued by the Company, resulted in the collection of personal data without consent;

b) pursuant to art. 58, par. 2, letter. d) of the Regulation, orders Comparafacile to delete said data without delay, without prejudice to that which is necessary to keep for the fulfillment of a legal obligation or for the defense of a right in court as well as for any other purpose that does not require informed, free, specific, documented and unambiguous consent from the interested party;

c) in the event that the Company intends in the future to direct promotional activity towards telephone users provided by third parties, it prescribes, pursuant to art. 58, par. 2, letter. d), of the Regulation, to implement all the necessary measures to ensure that they comply with the provisions on the protection of personal data, i.e., among others:

- provide suitable information to interested parties, providing all the elements required by the articles. 12 and 13 of the Regulation;

- identify a suitable legal basis for the processing in question which, at present, appears to be feasible in the acquisition of informed, free, specific, documented and unequivocal consent for each of the purposes concretely pursued (articles 6 and 7 of the Regulation);

- implement all necessary organizational measures in order to facilitate the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without unjustified delay, the relevant requests, including the right of opposition which can be advanced "in any time” by the interested party (art. 21, par. 2, of the Regulation);

- adopt suitable procedures aimed at keeping track of processing activities within the supply chain and proving compliance with the rules on the protection of personal data, with particular reference to those applicable to the sending of commercial communications (articles 6, 7, 13, 14 of the Regulation and 130 of the Code);

d) pursuant to art. 157 of the Code, orders the Company to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, paragraph 5, of the Regulation.

ORDER

pursuant to art. 58, par. 2, letter. i), of the Regulation, to Compara Facile S.r.l., in the person of its legal representative, to pay the sum of €40,000.00 (forty thousand/00), as a pecuniary administrative sanction for the violations indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

to the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €40,000.00 (forty thousand/00) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to the art. 27 of law no. 689/1981;

HAS

as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, the publication of this provision on the Guarantor's website and, pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by the art. 57, par. 1, letter. u) of the Regulation, violations and measures adopted.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles. 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the owner of the personal data processing has his residence, or, alternatively, with the court of the place of residence of the interested party. , within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 18 July 2023

PRESIDENT
Stanzione

THE SPEAKER
Zest

THE GENERAL SECRETARY
Mattei

___

(1) Regarding the telephone contact aimed at registering the contractor's interest or otherwise in the commercial offer, the Guarantor has on several occasions specified that this type of telephone call, aimed at obtaining consent for marketing activities, is to be considered « commercial communication", as established by the jurisprudence of legitimacy (Cass. Civ., Section I, ord. 26 April 2021, n. 11019) which - in confirming the validity of the Authority's provision of 22 June 2016 n. 275 (web doc. 5255159) on the illicit nature of telephone calls for the "recovery of consent" of interested parties - highlighted that "The purpose to which the consent requested for the processing is indispensably linked cannot fail to contribute to qualifying the processing itself, reason why the processing of the data subject's data to request consent for marketing purposes is itself processing for marketing purposes" (see in the same sense, the Guidelines on promotional activities and combating spam - 4 July 2013, web doc. no. 2542348).