Garante per la protezione dei dati personali (Italy) - 9971433
Garante per la protezione dei dati personali - 9971433 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 5(1)(a) GDPR Article 6(1)(a) GDPR Article 7 GDPR Article 12 GDPR Article 13 GDPR Article 14 GDPR Article 15 GDPR Article 31 GDPR Article 130 Codice Privacy Article 157 Codice Privacy |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 30.11.2023 |
Published: | |
Fine: | 60,000 EUR |
Parties: | Limit Call S.r.l.s. |
National Case Number/Name: | 9971433 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Italian |
Original Source: | GARANTE PER LA PROTEZIONE DEI DATI PERSONALI (in IT) |
Initial Contributor: | Luca Brocca |
Following an on-site inspection, the Italian DPA fined Limit Call €60,000. The controller was found to have conducted promotional calls without the informed consent of the data subjects, breaching Article 5(1)(a) GDPR, Article 6(1)(a) GDPR, Article 7 GDPR, and without informing the data subjects of all the essential information required by Article 13 GDPR and Article 14 GDPR.
English Summary
Facts
Limit Call S.r.l.s. (the controller) came under the scrutiny of the Italian DPA following a complaint alleging the reception of unsolicited telephone calls without the necessary consent of a complainant.
In a previous decision, the DPA had already imposed an administrative fine of €10,000 on the controller for a breach of Article 157 of the Italian privacy code, as the controller failed to cooperate with the DPA in the context of the same facts.
To investigate further, the DPA conducted an on-site inspection at the controller's registered office on 23 and 24 May 2023. The primary objectives were to determine the origin of the complainants' personal data and evaluate the legal basis for the contested telephone calls.
The controller, operating as a call center in the teleselling sector for electricity contracts, asserted that it obtained the complainants' contacts from a list provider in Moldova, from which it obtained a total of 100,000 contacts. Notably, no specific contract was signed with this list provider, prompting questions about the legitimacy of data acquisition.
Holding
Following the investigation, the Italian DPA found the controller liable for multiple GDPR violations.
Firstly, the call script used by the controller during promotional contacts lacked all the essential information required by Article 13 GDPR and Article 14 GDPR, violating data subjects’ rights.
The DPA further found that the controller conducted these promotional contacts without the informed consent of the data subjects. Indeed, the controller failed to provide suitable documentation demonstrating the lawfulness of the acquisition of registry lists from the third party. Therefore, the controller breached Article 5(1)(a) GDPR, Article 6(1)(a) GDPR, Article 7 GDPR, and Article 130 of the Italian privacy code, since the controller neglected to exercise proper control over the acquired lists, and failed to ensure compliance with legal processing requirements.
Additionally, the DPA found that the certified email address provided by the controller for processing rights requests was inactive, hindering data subjects' rights and control over their information and, therefore, violating Article 12(2) GDPR, Article 12(3) GDPR, and Article 15 GDPR.
Therefore, due to the lack of a legal basis for the processing, not only concerning the specific complaint but in the overall processing conducted by the controller, the Italian DPA fined the controller €60,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
SEE ALSO Newsletter of 19 January 2024 [doc. web no. 9971433] Provision of 30 November 2023 Register of measures n. 561 of 30 November 2023 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei, general secretary; HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter “Regulation”); HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter "Code"); HAVING SEEN the documentation in the documents; GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000; SPEAKER Prof. Pasquale Stanzione; PREMISE 1. THE INVESTIGATORY ACTIVITY On 20 October 2022, provision no. was adopted. 350 with which Limit Call S.r.l.s. was imposed. (hereinafter «Limit Call» and «Company») the administrative fine of €10,000.00 for the violation of the art. 157 of the Code (in www.gpdp.it, web doc. n. 9832544), as the Company did not provide a response to the request for information dated 10 February 2022 (prot. ref. n. 9268/22) in relation to a proposed complaint to the Authority relating to the reception of unwanted telephone calls in the absence of the interested party's consent. Therefore, in order to acquire a complete picture of information regarding the processing carried out by the Company, the Office, on the dates of 23 and 24 May 2023, carried out an inspection at the registered office of Limit Call aimed at verifying, in particular , the origin of the complainant's personal data, as well as the legal basis that would have legitimized the complained phone calls. As a result of this investigation, the following emerged. Limit Call, a call center active in the teleselling sector for electricity contracts, claimed to have acquired the complainant's contact from a list provider - XX - based in Moldova (hereinafter "XX" and "supplier"). From this supplier, 3 registry lists were acquired "for a total of 100,000 contacts" from which 32,651 phone calls would have resulted which produced 294 contracts (see dissolution of reservations of 12 June 2023). No specific contract was signed with this list provider but the commercial relationship with the latter was certified by an accounting document, produced during the inspection, which indicates "the payment methods and summary characteristics of the list provided" together with an annex, called "Terms and conditions", which contains an indication of the "privacy roles [...] and [the] operational instructions on the use of the personal data". The Company also declared that it had not had relations with XX indicated by the list provider "as the person who would have originally acquired the complainant's contact data" and then transferred it to XX who, in turn, would have provided it to Limit Call. The Company represented that it was not able to provide further information regarding the processing of the complainant's personal data, having not carried out checks regarding the fulfillment of the information (presuming that it was issued by the list provider) and consent. Furthermore, "in response to numerous requests from limitcall, the list provider interrupted all relationships and made himself unavailable". The only checks implemented by the Company concerned the matching of the users provided by the list provider in the Public Register of Oppositions (so-called RPO), with use of the same data for 15 days (see minutes of 23 May 2023 page 3). Finally, with reference to the requests to exercise the rights made by the interested parties, Limit Call claimed to have made available, for their processing, the company certified email address (limitcallsrls@legalmail.it) which, however, following the checks carried out in site of inspection, was no longer active. 2. DISPUTE OF VIOLATIONS On 7 September 2023, the Company was notified of the start of the procedure, pursuant to art. 166, paragraph 5, of the Code, for the adoption of any measures referred to in art. 58, par. 2, of the Regulation. With this communication (prot. n. 125354/23) the alleged violations of the following provisions were attributed to Limit Call: articles 12, 13 and 14 of the Regulation, for not having provided the information during promotional contacts; articles 5, par. 1, letter. a), 6, par. 1, letter. a), 7 of the Regulation and art. 130 of the Code, for having made promotional telephone calls without the informed consent of the interested parties; articles 12, par. 2 and 3, 15 et seq. of the Regulation, for not having adopted adequate measures to allow the requests to exercise the rights of the interested parties to be responded to, as the email channel responsible for the relevant processing is not functioning; art. 1, paragraph 11, of law no. 5/2018, in relation to the following paragraph 12 and the art. 130, paragraph 3, of the Code, for having carried out telemarketing activities without having consulted the Public Register of Oppositions before the promotional campaign; art. 31 of the Regulation (Cooperation with the Supervisory Authority), for having offered insufficient collaboration to the Supervisory Authority, since it was necessary to carry out an inspection at the Company's registered office to obtain the information originally requested regarding the processing of the personal data of interested parties. 3. LEGAL ASSESSMENTS The Company did not present defense briefs nor did it request to be heard by the Authority. Therefore, with reference to the factual profiles highlighted above, also on the basis of the statements made during the inspection, for which the declarant is responsible pursuant to art. 168 of the Code, the violations referred to in point 2 of this provision are confirmed and, consequently, the following legal assessments are formulated. Limit Call did not provide suitable documentation to demonstrate the lawfulness of the acquisition of the registry lists from third parties (in this specific case from the list provider - XX). Nonetheless, the documents that would prove the commercial relationship with the list provider, produced during the inspection (see Attachment 1 to the minutes of 24 May 2023, p. 1), are nothing other than the invoices issued in favor of two different companies attributable to the "XX" brand - XX and XX - thus not allowing the Office to clearly understand the actual ownership of the database transferred to Limit Call. This duly noted, beyond the ownership of the database, it is represented that the Company did not exercise a power of control over the acquired lists that went beyond the functional discussions of the commercial agreement. In fact, it does not appear that Limit Call has requested from its commercial partner the documentation proving the existence of the requirements of lawfulness of the processing, such as the origin of the data, the information provided and the consents acquired from the interested parties receiving the promotional campaign, nor that it has carried out such checks in another way (see minutes of 23 May 2023, p. 3). Added to this is the fact that there was no confirmation in the documents of the complainant's user account in the RPO already during the first contact, therefore confirming the violation of the art. 1, paragraph 11, of law no. 5/2018, in relation to the following paragraph 12 and the art. 130, paragraph 3 of the Code. Furthermore, from the examination of the document signed with the list provider, under the heading "Terms and conditions", the Company is clearly indicated as the independent data controller of the data acquired from the list provider (see p. 2 "Terms and conditions"), with consequent enrichment of the company database to be used in the exclusive interest of Limit Call (see p. 3). The Company, according to the agreement, "undertakes not to disclose", to transfer and to make available to third parties, the personal data thus acquired (see p. 4). Regardless of the formal data - from the role played by the Company in the processing of personal data provided by the list provider (independent owner in the acquisition of registry lists from third parties or responsible in cases of use of the same on behalf of clients) - liability cannot be excluded Limit Call is responsible for verifying the legality of the data collected; this is because the collection and storage of data acquired from third parties pertains to a phase of processing prior to and independent of any promotion of services and products of clients and consisting of an activity carried out by the Company in full autonomy. Having said this, there is no evidence of the information requirement for Limit Call pursuant to the articles. 13 and 14 of the Regulation. The call script used during promotional contacts, produced before the inspection assessment in the conversation with the complainant (see e-mail of 10/12/2021) and proposed again during the inspection together with the audio files acquired in format digital on computer support, was found to be devoid of all the information required by the art. 13 of the Regulation; the same script, in fact, concerns exclusively the request to the user for a recontact if interested in the Company's "energy consultancy services" which is not even mentioned during the phone calls. Furthermore, Limit Call has not verified and, therefore, proven, the release of the list provider's information to interested parties, pursuant to art. 14 of the Regulation; so, moreover, it was not possible to ascertain whether the same information provided for the communication of personal data to third parties. Similarly, specific consent for communication to third parties (including Limit Call) for marketing purposes has not been proven. Therefore, it is deemed necessary to confirm the violation of the articles. 12, 13 and 14 of the Regulation, emerging from the above findings is the absence of information to be provided during promotional contacts. In addition, the violation of the articles must be considered integrated. 5, par. 1, letter. a), 6, par. 1, letter. a), 7 of the Regulation and art. 130 of the Code, since the processing described gave rise to the making of promotional telephone calls without the informed consent of the interested parties as the Company did not produce any evidential evidence capable of documenting the acquisition. Ultimately, the processing in question appears to have been carried out in the absence of the conditions of legitimacy of the promotional activity, not only in relation to the case referred to in the complaint, but in the overall processing carried out by Limit Call. With reference to the circumstance described in the introduction concerning the failure of the PEC address responsible for processing the requests of the interested parties to function, it is noted that this impediment is in conflict with the owner's obligation to facilitate, with appropriate measures, the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without delay, the relevant requests; furthermore, this would not have allowed the same interested parties full control of their data and the processing connected to them, thus violating the art. 12 par. 2 and 3, as well as articles. 15 et seq. of the Regulation. Finally, there was insufficient collaboration with the Authority since the Company's inertia (in the face of a specific request from the Office which entails the application of administrative sanctions if not found, and even after the adoption of the sanctioning measure) has led to a burden of the investigation and a slowdown of the administrative action, deeming it necessary to carry out the inspection at the registered office and acquire all the elements useful for an assessment of merit. Therefore, the violation of the art is considered complete. 31 of the Regulation. 4. CONCLUSIONS For the above, Limit Call's liability for the following violations of the Regulations is deemed to be established: - art. 5 par. 1, letter. to); - art. 6 par. 1, letter. to); - art. 7; - art. 12; - art. 13; - art. 14; - art. 15; - art. 31; as well as art. 130 of the Code. Having ascertained the illicit nature of the Company's conduct described above, it is necessary to: a) prohibit the processing of personal data for which the provision of adequate information to the interested parties has not been proven and consent free from defects has been acquired (pursuant to articles 6, 7, 12 and 14 of the Regulation, as well as 130 of the Code ); b) order the deletion of said data without delay, without prejudice to that which is necessary to retain for the fulfillment of legal obligations or for any contractual reasons; c) order, in the event that the Company intends in the future to direct promotional activity towards telephone users provided by third parties: - to provide transparent and suitable information to interested parties, pursuant to articles. 12 and 13 of the Regulation; - to adopt suitable procedures aimed at constantly verifying, also through adequate random checks, that personal data are processed in full compliance with the relevant provisions (prior acquisition of free, specific, unequivocal, documented, as well as informed consent from the interested parties for sending commercial communications, as well as replying to telephone numbers in the RPO), pursuant to articles. 6, 7, 12, 13 and 14 of the Regulation as well as art. 130 of the Code; - to guarantee the exercise of the rights of the interested parties through the correct monitoring of the communication channels and, in particular, of the certified e-mail address responsible for the relevant processing, pursuant to the articles. 12 and 15 of the Regulation; - to adopt adequate procedures aimed at keeping track of processing activities also within the supply chain and proving compliance with the rules on the protection of personal data (articles 5, paragraph 2, and 24 of the Regulation); d) with regard to the processing already carried out, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to articles. 58, par. 2, letter. i) and 83, pars. 4 and 5 of the Regulation, to be applied in addition to that 5. ORDER INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION Based on the above, various provisions of the Regulation and the Code have been violated in relation to related processing carried out by Limit Call, for which the art. 83, par. 3, of the Regulation, according to which "if, in relation to the same treatment or related treatments, a data controller violates, with intent or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation", with consequent application of only the sanction provided for by the art. 83, par. 5, of the Regulation. To determine the amount of the sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1, of the Regulation), it is necessary to take into account the elements indicated in the art. 83, par. 2, of the Regulation. Which circumstances to take into consideration in the specific case must be considered, from the point of view of aggravating circumstances: 1. the seriousness of the violations detected, since the processing, although not supported by the necessary guarantees, involved very numerous telephone users (100,000 contacts from which 32,651 telephone calls would have resulted which produced 294 contracts) (art. 83, par. 2 , letter a, of the Regulation); 2. the at least seriously negligent nature of the conduct, since the rules for the protection of personal data were completely ignored and were not taken into consideration even after the intervention of the Guarantor (art. 83, par. 2, letter b, of the Regulation); 3. the total absence of measures aimed at mitigating the damage for the interested parties, despite the objections raised by the Authority and even after the sanctioning provision of 20 October 2022 (art. 83, par. 2, letter c, of the Regulation); 4. the discrepancy in the Company's conduct with respect to the consistent regulatory activity of the Authority regarding marketing, with particular reference to information and consent (art. 83, par. 2, letter k, of the Regulation). Taking into account the fine of 10,000 euros already imposed with the provision of 20 October 2022, the only mitigating element to be taken into consideration is the overall assessment of the economic capacity of the Company, taking into account the latest available corporate turnover (667,613 euros, as resulting from the 2022 VAT return relating to the tax period for the year 2021) (art. 83, par. 2, letter k, of the Regulation). Therefore, it is believed that the administrative sanction of the payment of a sum equal to 60,000.00 euros (sixty thousand/00) should be applied to Limit Call, equal to 0.3% of the statutory maximum of 20 million euros and, due to the aggravating elements detected, the additional sanction of the entire publication of this provision on the Guarantor's website as required by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor's regulation no. 1/2019. Please remember that, pursuant to art. 170 of the Code, anyone who, being obliged, does not comply with this provision prohibiting processing is punished with imprisonment from three months to two years and that, in case of non-compliance with the same provision, the sanction referred to in to the art. 83, par. 5, letter. e) of the Regulation. Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, letter. u) of the Regulation. ALL THE WHEREAS, THE GUARANTOR pursuant to art. 57, par. 1, letter. f) of the Regulation, declares unlawful, within the terms set out in the justification, the processing carried out by Limit Call S.r.l.s., with registered office in Via Tertulliano, 70 – 20137 Milan, VAT number 11508000962, and consequently: a) pursuant to art. 58, par. 2, letter. f) of the Regulation, prohibits the processing of personal data for which the provision of adequate information to the interested parties has not been proven and consent free from defects has been acquired (pursuant to articles 6, 7, 12 and 14 of the Regulation, as well as 130 of the Code); b) pursuant to art. 58, par. 2, letter. d) of the Regulation, orders the deletion of said data without delay, without prejudice to that which is necessary to retain for the fulfillment of legal obligations or for any contractual reasons; c) pursuant to art. 58, par. 2, letter. d) of the Regulation, orders, in the event that the Company intends in the future to direct promotional activity towards telephone users provided by third parties: - to provide transparent and suitable information to interested parties, pursuant to articles. 12 and 13 of the Regulation; - to adopt suitable procedures aimed at constantly verifying, also through adequate random checks, that personal data are processed in full compliance with the relevant provisions (prior acquisition of free, specific, unequivocal, documented, as well as informed consent from the interested parties for sending commercial communications, as well as replying to telephone numbers in the RPO), pursuant to articles. 6, 7, 12, 13 and 14 of the Regulation as well as art. 130 of the Code; - to guarantee the exercise of the rights of the interested parties through the correct monitoring of the communication channels and, in particular, of the certified e-mail address responsible for the relevant processing, pursuant to the articles. 12 and 15 of the Regulation; - to adopt adequate procedures aimed at keeping track of processing activities also within the supply chain and proving compliance with the rules on the protection of personal data (articles 5, paragraph 2, and 24 of the Regulation); d) pursuant to art. 157 of the Code, orders the Company to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, par. 5, of the Regulation. ORDER pursuant to art. 58, par. 2, letter. i) of the Regulation, to Limit Call S.r.l.s., in the person of its legal representative, to pay the sum of €60,000.00 (sixty thousand/00), as a pecuniary administrative sanction for the violations indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed; ORDERS to the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €60,000.00 (sixty thousand/00) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to the art. 27 of law no. 689/1981; HAS such as accessory sanctions, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, the publication of this provision on the Guarantor's website as well as, pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by the art. 57, par. 1, letter. u) of the Regulation, violations and measures adopted. Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles. 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the owner of the personal data processing has his residence, or, alternatively, with the court of the place of residence of the interested party. , within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad. Rome, 30 November 2023 PRESIDENT Stantion THE SPEAKER Stantion THE GENERAL SECRETARY Mattei SEE ALSO Newsletter of 19 January 2024 [doc. web no. 9971433] Provision of 30 November 2023 Register of measures n. 561 of 30 November 2023 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei, general secretary; HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter “Regulation”); HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter "Code"); HAVING SEEN the documentation in the documents; GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000; SPEAKER Prof. Pasquale Stanzione; PREMISE 1. THE INVESTIGATORY ACTIVITY On 20 October 2022, provision no. was adopted. 350 with which Limit Call S.r.l.s. was imposed. (hereinafter «Limit Call» and «Company») the administrative fine of €10,000.00 for the violation of the art. 157 of the Code (in www.gpdp.it, web doc. n. 9832544), as the Company did not provide a response to the request for information dated 10 February 2022 (prot. ref. n. 9268/22) in relation to a proposed complaint to the Authority relating to the reception of unwanted telephone calls in the absence of the interested party's consent. Therefore, in order to acquire a complete picture of information regarding the processing carried out by the Company, the Office, on the dates of 23 and 24 May 2023, carried out an inspection at the registered office of Limit Call aimed at verifying, in particular , the origin of the complainant's personal data, as well as the legal basis that would have legitimized the complained phone calls. As a result of this investigation, the following emerged. Limit Call, a call center active in the teleselling sector for electricity contracts, claimed to have acquired the complainant's contact from a list provider - XX - based in Moldova (hereinafter "XX" and "supplier"). From this supplier, 3 registry lists were acquired "for a total of 100,000 contacts" from which 32,651 phone calls would have resulted which produced 294 contracts (see dissolution of reservations of 12 June 2023). No specific contract was signed with this list provider but the commercial relationship with the latter was certified by an accounting document, produced during the inspection, which indicates "the payment methods and summary characteristics of the list provided" together with an annex, called "Terms and conditions", which contains an indication of the "privacy roles [...] and [the] operational instructions on the use of the personal data". The Company also declared that it had not had relations with XX indicated by the list provider "as the person who would have originally acquired the complainant's contact data" and then transferred it to XX who, in turn, would have provided it to Limit Call. The Company represented that it was not able to provide further information regarding the processing of the complainant's personal data, having not carried out checks regarding the fulfillment of the information (presuming that it was issued by the list provider) and consent. Furthermore, "in response to numerous requests from limitcall, the list provider interrupted all relationships and made himself unavailable". The only checks implemented by the Company concerned the matching of the users provided by the list provider in the Public Register of Oppositions (so-called RPO), with use of the same data for 15 days (see minutes of 23 May 2023 page 3). Finally, with reference to the requests to exercise the rights made by the interested parties, Limit Call claimed to have made available, for their processing, the company certified email address (limitcallsrls@legalmail.it) which, however, following the checks carried out in site of inspection, was no longer active. 2. DISPUTE OF VIOLATIONS On 7 September 2023, the Company was notified of the start of the procedure, pursuant to art. 166, paragraph 5, of the Code, for the adoption of any measures referred to in art. 58, par. 2, of the Regulation. With this communication (prot. n. 125354/23) the alleged violations of the following provisions were attributed to Limit Call: articles 12, 13 and 14 of the Regulation, for not having provided the information during promotional contacts; articles 5, par. 1, letter. a), 6, par. 1, letter. a), 7 of the Regulation and art. 130 of the Code, for having made promotional telephone calls without the informed consent of the interested parties; articles 12, par. 2 and 3, 15 et seq. of the Regulation, for not having adopted adequate measures to allow the requests to exercise the rights of the interested parties to be responded to, as the email channel responsible for the relevant processing is not functioning; art. 1, paragraph 11, of law no. 5/2018, in relation to the following paragraph 12 and the art. 130, paragraph 3, of the Code, for having carried out telemarketing activities without having consulted the Public Register of Oppositions before the promotional campaign; art. 31 of the Regulation (Cooperation with the Supervisory Authority), for having offered insufficient collaboration to the Supervisory Authority, since it was necessary to carry out an inspection at the Company's registered office to obtain the information originally requested regarding the processing of the personal data of interested parties. 3. LEGAL ASSESSMENTS The Company did not present defense briefs nor did it request to be heard by the Authority. Therefore, with reference to the factual profiles highlighted above, also on the basis of the statements made during the inspection, for which the declarant is responsible pursuant to art. 168 of the Code, the violations referred to in point 2 of this provision are confirmed and, consequently, the following legal assessments are formulated. Limit Call did not provide suitable documentation to demonstrate the lawfulness of the acquisition of the registry lists from third parties (in this specific case from the list provider - XX). Nonetheless, the documents that would prove the commercial relationship with the list provider, produced during the inspection (see Attachment 1 to the minutes of 24 May 2023, p. 1), are nothing other than the invoices issued in favor of two different companies attributable to the "XX" brand - XX and XX - thus not allowing the Office to clearly understand the actual ownership of the database transferred to Limit Call. This duly noted, beyond the ownership of the database, it is represented that the Company did not exercise a power of control over the acquired lists that went beyond the functional discussions of the commercial agreement. In fact, it does not appear that Limit Call has requested from its commercial partner the documentation proving the existence of the requirements of lawfulness of the processing, such as the origin of the data, the information provided and the consents acquired from the interested parties receiving the promotional campaign, nor that it has carried out such checks in another way (see minutes of 23 May 2023, p. 3). Added to this is the fact that there was no confirmation in the documents of the complainant's user in the RPO already at the first contact, therefore confirming the violation of the art. 1, paragraph 11, of law no. 5/2018, in relation to the following paragraph 12 and the art. 130, paragraph 3 of the Code. Furthermore, from the examination of the document signed with the list provider, under the heading "Terms and conditions", the Company is clearly indicated as the independent data controller of the data acquired from the list provider (see p. 2 "Terms and conditions"), with consequent enrichment of the company database to be used in the exclusive interest of Limit Call (see p. 3). The Company, according to the agreement, "undertakes not to disclose", to transfer and to make available to third parties, the personal data thus acquired (see p. 4). Regardless of the formal data - from the role played by the Company in the processing of personal data provided by the list provider (independent owner in the acquisition of registry lists from third parties or responsible in cases of use of the same on behalf of clients) - liability cannot be excluded Limit Call is responsible for verifying the legality of the data collected; this is because the collection and storage of data acquired from third parties pertains to a phase of processing prior to and independent of any promotion of services and products of clients and consisting of an activity carried out by the Company in full autonomy. Having said this, there is no evidence of the information requirement for Limit Call pursuant to the articles. 13 and 14 of the Regulation. The call script used during promotional contacts, produced before the inspection assessment in the conversation with the complainant (see e-mail of 10/12/2021) and proposed again during the inspection together with the audio files acquired in format digital on computer support, was found to be devoid of all the information required by the art. 13 of the Regulation; the same script, in fact, concerns exclusively the request to the user for a recontact if interested in the Company's "energy consultancy services" which is not even mentioned during the phone calls. Furthermore, Limit Call has not verified and, therefore, proven, the release of the list provider's information to interested parties, pursuant to art. 14 of the Regulation; so, moreover, it was not possible to ascertain whether the same information provided for the communication of personal data to third parties. Similarly, specific consent for communication to third parties (including Limit Call) for marketing purposes has not been proven. Therefore, it is deemed necessary to confirm the violation of the articles. 12, 13 and 14 of the Regulation, emerging from the above findings is the absence of information to be provided during promotional contacts. In addition, the violation of the articles must be considered integrated. 5, par. 1, letter. a), 6, par. 1, letter. a), 7 of the Regulation and art. 130 of the Code, since the processing described gave rise to the making of promotional telephone calls without the informed consent of the interested parties as the Company did not produce any evidential evidence capable of documenting the acquisition. Ultimately, the processing in question appears to have been carried out in the absence of the conditions of legitimacy of the promotional activity, not only in relation to the case referred to in the complaint, but in the overall processing carried out by Limit Call. With reference to the circumstance described in the introduction concerning the failure of the PEC address responsible for processing the requests of the interested parties to function, it is noted that this impediment is in conflict with the owner's obligation to facilitate, with appropriate measures, the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without delay, the relevant requests; furthermore, this would not have allowed the same interested parties full control of their data and the processing connected to them, thus violating the art. 12 par. 2 and 3, as well as articles. 15 et seq. of the Regulation. Finally, there was insufficient collaboration with the Authority since the Company's inertia (in the face of a specific request from the Office which entails the application of administrative sanctions if not found, and even after the adoption of the sanctioning measure) has led to a burden of the investigation and a slowdown of the administrative action, deeming it necessary to carry out the inspection at the registered office and acquire all the elements useful for an assessment of merit. Therefore, the violation of the art is considered complete. 31 of the Regulation. 4. CONCLUSIONS For the above, Limit Call's liability for the following violations of the Regulations is deemed to be established: - art. 5 par. 1, letter. to); - art. 6 par. 1, letter. to); - art. 7; - art. 12; - art. 13; - art. 14; - art. 15; - art. 31; as well as art. 130 of the Code. Having ascertained the illicit nature of the Company's conduct described above, it is necessary to: a) prohibit the processing of personal data for which the provision of adequate information to the interested parties has not been proven and consent free from defects has been acquired (pursuant to articles 6, 7, 12 and 14 of the Regulation, as well as 130 of the Code ); b) order the deletion of said data without delay, without prejudice to that which is necessary to retain for the fulfillment of legal obligations or for any contractual reasons; c) order, in the event that the Company intends in the future to direct promotional activity towards telephone users provided by third parties: - to provide transparent and suitable information to interested parties, pursuant to articles. 12 and 13 of the Regulation; - to adopt suitable procedures aimed at constantly verifying, also through adequate random checks, that personal data are processed in full compliance with the relevant provisions (prior acquisition of free, specific, unequivocal, documented, as well as informed consent from the interested parties for sending commercial communications, as well as replying to telephone numbers in the RPO), pursuant to articles. 6, 7, 12, 13 and 14 of the Regulation as well as art. 130 of the Code; - to guarantee the exercise of the rights of the interested parties through the correct monitoring of the communication channels and, in particular, of the certified e-mail address responsible for the relevant processing, pursuant to the articles. 12 and 15 of the Regulation; - to adopt adequate procedures aimed at keeping track of processing activities also within the supply chain and proving compliance with the rules on the protection of personal data (articles 5, paragraph 2, and 24 of the Regulation); d) with regard to the processing already carried out, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to articles. 58, par. 2, letter. i) and 83, pars. 4 and 5 of the Regulation, to be applied in addition to that 5. ORDER INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION Based on the above, various provisions of the Regulation and the Code have been violated in relation to related processing carried out by Limit Call, for which the art. 83, par. 3, of the Regulation, according to which "if, in relation to the same treatment or related treatments, a data controller violates, with intent or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation", with consequent application of only the sanction provided for by the art. 83, par. 5, of the Regulation. To determine the amount of the sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1, of the Regulation), it is necessary to take into account the elements indicated in the art. 83, par. 2, of the Regulation. Which circumstances to take into consideration in the specific case must be considered, from the point of view of aggravating circumstances: 1. the seriousness of the violations detected, since the processing, despite not being supported by the necessary guarantees, involved numerous telephone users (100,000 contacts from which 32,651 telephone calls would have resulted which produced 294 contracts) (art. 83, par. 2 , letter a, of the Regulation); 2. the at least seriously negligent nature of the conduct, since the rules for the protection of personal data were completely ignored and were not taken into consideration even after the intervention of the Guarantor (art. 83, par. 2, letter b, of the Regulation); 3. the total absence of measures aimed at mitigating the damage for the interested parties, despite the objections raised by the Authority and even after the sanctioning provision of 20 October 2022 (art. 83, par. 2, letter c, of the Regulation); 4. the discrepancy in the Company's conduct with respect to the consistent regulatory activity of the Authority regarding marketing, with particular reference to information and consent (art. 83, par. 2, letter k, of the Regulation). Taking into account the fine of 10,000 euros already imposed with the provision of 20 October 2022, the only mitigating element to be taken into consideration is the overall assessment of the economic capacity of the Company, taking into account the latest available corporate turnover (667,613 euros, as resulting from the 2022 VAT return relating to the tax period of 2021) (art. 83, par. 2, letter k, of the Regulation). Therefore, it is believed that the administrative sanction of the payment of a sum equal to 60,000.00 euros (sixty thousand/00) should be applied to Limit Call, equal to 0.3% of the statutory maximum of 20 million euros and, due to the aggravating elements detected, the additional sanction of the entire publication of this provision on the Guarantor's website as required by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor's regulation no. 1/2019. Please remember that, pursuant to art. 170 of the Code, anyone who, being obliged, does not comply with this provision prohibiting processing is punished with imprisonment from three months to two years and that, in case of non-compliance with the same provision, the sanction referred to in to the art. 83, par. 5, letter. e) of the Regulation. Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, letter. u) of the Regulation. ALL THE WHEREAS, THE GUARANTOR pursuant to art. 57, par. 1, letter. f) of the Regulation, declares unlawful, within the terms set out in the justification, the processing carried out by Limit Call S.r.l.s., with registered office in Via Tertulliano, 70 – 20137 Milan, VAT number 11508000962, and consequently: a) pursuant to art. 58, par. 2, letter. f) of the Regulation, prohibits the processing of personal data for which the provision of adequate information to the interested parties has not been proven and consent free from defects has been acquired (pursuant to articles 6, 7, 12 and 14 of the Regulation, as well as 130 of the Code); b) pursuant to art. 58, par. 2, letter. d) of the Regulation, orders the deletion of said data without delay, without prejudice to that which is necessary to retain for the fulfillment of legal obligations or for any contractual reasons; c) pursuant to art. 58, par. 2, letter. d) of the Regulation, orders, in the event that the Company intends in the future to direct promotional activity towards telephone users provided by third parties: - to provide transparent and suitable information to interested parties, pursuant to articles. 12 and 13 of the Regulation; - to adopt suitable procedures aimed at constantly verifying, also through adequate random checks, that personal data are processed in full compliance with the relevant provisions (prior acquisition of free, specific, unequivocal, documented, as well as informed consent from the interested parties for sending commercial communications, as well as replying to telephone numbers in the RPO), pursuant to articles. 6, 7, 12, 13 and 14 of the Regulation as well as art. 130 of the Code; - to guarantee the exercise of the rights of the interested parties through the correct monitoring of the communication channels and, in particular, of the certified e-mail address responsible for the relevant processing, pursuant to the articles. 12 and 15 of the Regulation; - to adopt adequate procedures aimed at keeping track of processing activities also within the supply chain and proving compliance with the rules on the protection of personal data (articles 5, paragraph 2, and 24 of the Regulation); d) pursuant to art. 157 of the Code, orders the Company to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, par. 5, of the Regulation. ORDER pursuant to art. 58, par. 2, letter. i) of the Regulation, to Limit Call S.r.l.s., in the person of its legal representative, to pay the sum of €60,000.00 (sixty thousand/00), as a pecuniary administrative sanction for the violations indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed; ORDERS to the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €60,000.00 (sixty thousand/00) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to the art. 27 of law no. 689/1981; HAS such as accessory sanctions, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, the publication of this provision on the Guarantor's website as well as, pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by the art. 57, par. 1, letter. u) of the Regulation, violations and measures adopted. Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles. 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the owner of the personal data processing has his residence, or, alternatively, with the court of the place of residence of the interested party. , within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad. Rome, 30 November 2023 PRESIDENT Stantion THE SPEAKER Stantion THE GENERAL SECRETARY Mattei