Garante per la protezione dei dati personali (Italy) - 10040382

From GDPRhub
Revision as of 14:12, 13 August 2024 by Fb (talk | contribs)
Garante per la protezione dei dati personali - 10040382
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 12(1) GDPR
Article 12(3) GDPR
Article 13 GDPR
Art. 1(5) legge 5/2018
Art. 1(6) legge 5/2018
Art. 130(3-bis) d.lgs. 196/2003
Art. 130(4) d.lgs. 196/2003
Type: Complaint
Outcome: Upheld
Started:
Decided: 20.06.2024
Published:
Fine: 1,000,000 EUR
Parties: Fastweb S.p.A.
National Case Number/Name: 10040382
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: fb

The DPA fined a telecommunication provider €1,000,000 after it contacted data subjects for marketing purposes without valid consent. The DPA held that a controller cannot rely on legitimate interest to perform marketing phone calls to its clients.

English Summary

Facts

The DPA received several complaints and informal reports about unsolicited phone calls made by Fastweb, a telecommunication provider, to data subjects.

Moreover, an investigation carried out by the DPA showed that 7.75% of the phone calls were made to data subjects who had signed up for the Italian opt-out registry (Registro Pubblico delle Opposizioni – RPO). The RPO is an Italian registry extended to all national phone numbers, which allows citizens to opt out of unwanted telemarketing calls. According to Article 1(5) of Law 5/2018, when a data subject signs up for the RPO, this has the effect of revoking their previous consent given for marketing purposes. However, pursuant to the same article, consent is deemed valid if it was given in the context of a contract which is still in place.

The controller classified its phone calls in 3 categories:

  • “inbound” calls, made by the data subject to the controller’s customer service;
  • “websales” calls, made by the controller to the data subject after acquiring their specific consent through a comparison website or after the data subject entered their phone number because they wanted to be called back. If the data subject had signed up to the RPO, this consent would nevertheless be valid, since it was given after the registration, pursuant to Article 1(6) of Law 5/2018;
  • “outbound” calls, made by the controller (or its processor) to the data subject. As for this type, the controller pointed out that if the call is directed to a non-client, it always relies on consent acquired in a legitimate way. On the other hand, if it is directed to a client, the legal basis is the legitimate interest to propose better offers to the data subject.


Finally, data subjects complained that they were provided with a form that had pre-ticked consent boxes for the retention of data up to 24 months after the termination of the contract.

The controller argued that it did not need to implement an “opt-in” mechanism since the legal basis for this retention was the legitimate interest to send commercial communication even after the termination of the contract. The controller stressed the fact that Article 130(4) of the Italian Data Protection Code states that consent is not necessary to send marketing emails to clients.

Holding

First, the DPA noted that it had already issued several decisions against the controller in the previous years.

Secondly, the DPA analysed the lawfulness of the marketing calls. As for the so-called “inbound calls”, the DPA found no violation. It held that, by calling the controller themselves, these data subjects expressed their consent. The DPA recalled that Article 1(6) of Law 5/2018 provides that consent given after registration with the RPO is not affected by that registration.

On the other hand, as for the “websales” calls, the DPA noted that there is a period of time (lasting from some hours to some days) between the moment in which the data subject inserts their number in the website and the moment in which they are called back. Therefore, the controller needs to check whether, in the meantime, the data subject has signed up in the RPO. If this is the case, the consent is deemed to be revoked. The DPA held that the controller has not proved to have implemented measures to verify this. Therefore, the DPA found a violation of Article 130 of the Italian Data Protection Code.

As for the “outbound” calls, the DPA noted that the controller made marketing calls also to 9 data subjects who did not give their consent for marketing purposes. The DPA did not uphold the controller’s argument about the fact that, in this case, consent would not be necessary. On the contrary, it recalled that, for marketing calls, consent is always necessary.

Also, the DPA noted that the privacy policy was not clearly differentiating between the legal basis regarding clients and the one regarding non-clients, even if the controller relied on such a differentiation. Therefore, the DPA found a violation of Article 12(1) GDPR in combination with Article 13 GDPR.

The DPA also noted that the controller failed to promptly act on rectification requests under Article 17 GDPR and on objections under Article 21 GDPR. Therefore, the DPA found a violation of Article 12(3) GDPR.

On these grounds, the DPA fined the controller €1,000,000 and imposed a ban on the processing of phone numbers acquired with the “websales” mechanism.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. no. 10040382]

Provision of 20 June 2024

Register of provisions
no. 401 of 20 June 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

SEEN the Personal Data Protection Code (Legislative Decree 30 June 2003, no. 196), as amended by Legislative Decree 10 August 2018, no. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter “Code”);

SEEN the documentation in the files;

SEEN the observations formulated by the Secretary General pursuant to art. 15 of the regulation of the Guarantor no. 1/2000, adopted with resolution of 28 June 2000;

REPORTER Prof. Pasquale Stanzione;

1) THE INVESTIGATIVE ACTIVITY CARRIED OUT

Introduction.

With notes no. 139761/133009 of 12 October 2023 and no. 25538/133009 of 29 February 2024 (notified on the same dates of adoption by certified email), which must be considered fully referenced and reproduced here, the Office has initiated, pursuant to art. 166, paragraph 5 of the Code, two proceedings for the adoption of the provisions referred to in art. 58, paragraph 2 and the administrative pecuniary sanctions referred to in art. 83, paragraphs 4 and 5 of the Regulation against Fastweb S.p.A., (hereinafter “Fastweb” or “the Company”), in the person of its legal representative pro-tempore, with registered office in Milan, Piazza Adriano Olivetti n. 1, C.F. 12878470157.

These proceedings were initiated following the receipt, by the Office, of multiple reports and complaints.

In particular, the first of the two proceedings, n. 139761/133009, concerns several promotional telephone contacts made by Fastweb and its sales network to acquire new subscriptions to fixed-line, mobile and internet services. It also contains hypotheses of violations relating to possible shortcomings in the management of former customers' data, in terms of the security of the collection and storage systems, and the failure to respond to requests for access, cancellation, rectification and exercise of other rights of the interested party.

The second contested act no. 25538/133009 also stems from reports of the latter type described, i.e. incomplete processing of requests for information on the exercise of rights, which the Office received after 12 October 2023, the date of notification of the first act initiating the procedure.

The latter also includes hypotheses of violations arising from two reports (nos. 316604 and 331661) relating to the retention of customer contact data for the sending of promotional communications, even after termination of the contract and for a further 24 months.

1.1.1) Proceeding no. 0139761/133009. The request for information of 2 December 2022 and the response provided by Fastweb.

As mentioned, following 58 reports and complaints, the Authority, with note ref. prot. 75428 of 2 December 2022, sent Fastweb a cumulative request for information for several files relating to the period from 1 October 2021 to 31 October 2022, relating to the area of unwanted phone calls (49 files), as well as additional profiles regarding: communications sent by mistake to subjects other than customers (2 files); insufficient response to requests to exercise the rights of interested parties (1 file); poor management of customer data in terms of security (6 files).

With a note dated 20 January 2023, the Company provided an analytical response from which it emerges that:

- approximately 80% of the reports relating to unwanted contacts would be attributable to calls made from numbers not registered in the Register of Communication Operators (ROC) or in any case not belonging to the Company's official sales network;

- in this regard, the Company highlighted that it had reported such abusive conduct by third parties to the Postal Police of Milan;

- for other cases (5 files), it stated, in a documented manner, that the calling numbers were correctly registered in the ROC by some authorised partners such as Supermoney S.p.A. or Accueil s.r.l., which allegedly collected the contact details of the whistleblowers during their own initiatives conveyed via the web, in which the interested parties had given their specific consent to the processing of personal data for marketing purposes;

- in one case, the promotional call occurred following a request for recontact by the whistleblower.

With regard to the exercise of the rights of the interested parties pursuant to articles 15-22 of Regulation (EU) 2016/679, the Company represented, in the only case that led to the start of an investigation, that "unlike what was indicated in the report, during the period indicated, the [whistleblower, editor's note] had interactions with the Fastweb customer service which then led to the closure of the case in June 2022 with the reimbursement of the amount due" and that, therefore, "no shortcomings were found in the exercise of the rights of the interested parties".

With regard to the reported critical issues in the security of the personal data of the interested parties receiving promotional calls for XX products and/or services, the Company first specified that the whistleblowers had been – or were, at the time of the checks – Fastweb customers, for example on ADSL_WS technology. This type of technology requires that the telecommunications company providing the service, in the case in question Fastweb, uses the physical infrastructure owned – or managed – by another telecommunications operator for the customer's users. Therefore, any intervention on the network, for activation or support (selection of faults or requests for assistance), requires the necessary involvement of the entity managing or owning the network. Consequently, it is necessary that, in such situations, the data of the user on whom the intervention is necessary be communicated to the owner or manager of the network. This sharing is carried out via the portal made available by the operator, whose security standards have been the subject of specific interventions at the request of AGCOM (see files nos. 175615; 1795557; 183763); in the context of these operations, the interested parties complain of having received promotional communications not only from the network operator but also from other companies. Furthermore, from in-depth investigations conducted by Fastweb on the personal data of other whistleblowers, it emerged that these had been accessed and viewed by its own employees other than the personnel assigned to this purpose. Fastweb therefore proceeded with disciplinary action against the personnel whose responsibilities it ascertained.

Furthermore, the Company added (producing the relevant documentation) that the facts in question were reported to the Judicial Authority, so that the latter could ascertain the possible involvement of outsiders also in other cases, hypothetically, more serious than those dealt with internally (see e.g. file nos. 175615; 1795557; 183763).

1.1.2) The subsequent request for documents of 31 March 2023 and Fastweb's response of 30 April 2023.

In light of the above, the Office with subsequent note prot. no. 1492653 of 31 March 2023 focused the investigation on the contacts made by four partner agencies that acquire personal data lists from their own list providers, inviting the owner, pursuant to art. 157 of the Code, to clarify, specifically:

- the methods of acquisition, by the partner agencies, of consent for commercial purposes as well as the methods of communication to third parties of the personal data thus collected;

- whether in collecting the consents they acted as owners or as data controllers;

- what checks the Company carries out on the personal data lists thus acquired from its partners;

- in particular whether the version of the personal data lists, once transmitted to Fastweb, is the definitive one, or whether even after transmission the partner agency can continue to modify it.

In addition, a request was made for the list of promotional contacts made in the period between 1 October 2021 and 31 October 2022 using the lists thus acquired, as well as the number of contracts and activations carried out following the aforementioned contracts.

Finally, the Authority requested information:

- on the "order blocking" system, requesting to quantify the contacts blocked in the thirteen months selected and to specify the reason for each block (numbering out of the list, outgoing numbering not registered with the ROC or not authorized), also illustrating what measures the operator would have faced.

- on the status of decommissioning of the agency outbound call channel, as per the project shared with the Authority during the investigation of the previous provision no. 112 of 2021 (in www.gpdp.it. web doc. no. 9570997);

- to produce a list of purchase proposals (PDA) from its sales network that led to the activation of electronic communication services in the period from 6 March 2023 to 13 March 2023 inclusive (hereinafter also “sample week”), divided between “consumer” and “business”, in order to verify the correctness of the promotional contact.

The Company provided feedback with a note dated 30 April 2023 (ref. prot. 0070466/23) – for the truthfulness of which it is responsible pursuant to art. 168 of the Privacy Code – producing, upon request (accepted) for an extension of the terms, the list of PDAs perfected in the sample week and also representing that:

- some partners of the sales network who carry out outbound contacts in various capacities (and in particular, those remaining following the divestment activity started during the proceedings culminating with the injunction order no. 112 of 2021) have received authorization from the Company to collect contact data through their own portals or social initiatives, or to purchase personal data lists relating to business customers, for promotional processing exclusively attributable to Fastweb and in compliance with the instructions given by the same Company. This last faculty is reserved for those particular so-called Business Partner Agencies that deal with the promotion of Fastweb services towards business customers only. The lists that can be purchased in this way are in any case only those containing contacts whose source is the General Telephone Directory (ETG);

- on the contrary, "with a view to guaranteeing the best standards regarding/controls carried out on outbound contacts and the legitimacy with respect to the processing of personal data", Fastweb partners are not authorised in any case to directly purchase contact lists relating to residential customers.

And in fact, as represented following provision no. 112/2021, this last activity is carried out in a centralized manner exclusively by Fastweb alone. The lead collection activities, i.e. the so-called "Initiatives", in any case, must be previously authorized by the Company, and said authorizations are based on the presence of all compliance factors with current legislation;

- in cases where a Fastweb partner has been authorized to collect and use leads through its own web portal rather than a social initiative or its own lists of business customers, these are subject to verification by Fastweb both prior and subsequent.

The process with which the so-called "Initiatives" or the own lists of business customers are managed requires that, before the contacts are made, Fastweb is made aware of the details in order to carry out the appropriate checks and authorize the collection and use of the lists. Only if these are successful can the partner start collecting leads, which are then brought to the attention of Fastweb by uploading them to the dedicated XX portal. At this point, it is possible to start contact activities on the numbers in the uploaded list, on which, it should be noted, control activities are also carried out (so-called mystery calls);

- the aforementioned contact details are uploaded to the XX portal, through which the following are carried out:

i. deduplication activities with respect to Fastweb blacklists;

ii. overlap management to prevent the same contact details from being assigned to multiple partners during the same planning, which makes the controls carried out more effective;

iii. assignment to the partner to carry out the outbound contact; with reference to the innovations introduced with regard to the Public Register of Oppositions (hereinafter also “RPO”), the Company represents that the contacts made on the same day in which the contact details are collected are to all intents and purposes lawful even in the absence of prior verification at the RPO. Otherwise, when the contact occurs after the consent collection date, it is always preceded by the verification of the same at the RPO, which is a condition of legitimacy of the processing.

- As a further measure, the company has then provided that the compensation for the sale made is paid to the partner with the constraint that the number used to subscribe to the same belongs to assigned lists. For further control, Fastweb carries out, through the third-party company XX, the so-called "PDA Validation" activity, according to which the number assigned to the partner is contacted via the XX platform, on which a sale has been declared, and it is verified that the call is answered precisely by the contract holder uploaded in the Order Entry system, as well as that the sales experience has followed the correct course.

- At the state of the art, over 50% of the contracts entered are verified and, of these, 100% confirm the subscription and the contract holder.

- The adoption of the so-called “order blocking” system allows you to prevent the insertion and consequently the activation of contracts that do not comply with the policies adopted by Fastweb for the protection of personal data. The Order Entry platform checks before entering personal data that: i) the telephone number called has been assigned by XX to that partner before the contact; ii) the partner has entered a sales declaration on XX with the CF/P.IVA of the contact called. If these conditions occur, the Agency can enter the contract; alternatively, the system generates a “KO” and the contract cannot be entered.

Everything is further verified also by cross-referencing by the Tool Log on which the LOGs of the outbound contacts carried out by the partners are loaded. That said, in the period from 1 October 2021 to 31 October 2022 this order blocking system generated 3324 KOs relating to attempts to enter contracts resulting from outbound contacts.

- Where the system blocks an order entered, Fastweb first requests the necessary clarifications from the Agency that attempted to enter it in contempt of one of the imposed rules. If such clarifications are not sufficient and it is therefore a case outside the list or outside the range or the use of an unregistered calling number, the matter is brought to the attention of the Sales Privacy Committee, the independent corporate body responsible for this.

- As regards the customer, the latter is informed of the incident in order to collect in a traceable manner the intention to continue with the activation.

1.1.3) Verification with the register of objections managed by the Ugo Bordoni Foundation.

In order to carry out the necessary checks on the correctness of the aforementioned telemarketing activities, on 28 September 2023 the Office sent to the Ugo Bordoni Foundation, manager of the Public Register of Oppositions, a list of 6,592 telephone numbers taken from the approximately thirty thousand PDAs brought into activation in the sample period 6-13 March 2023.

In this context, information was requested, pursuant to art. 157 of the Code, on which customer telephone numbers, as of 31 January 2023, had been registered in the RPO, requesting to also include in the results the registrations prior to the entry into force of the Presidential Decree of 27 January 2022, no. 26 establishing the new register, and in particular 27 July 2022, the date on which the registrations on the old register were transferred to the new one (art. 7, co. 11 ibidem).

On 2 October 2023, the aforementioned Foundation sent its response, the analysis of which revealed that 511 telephone users were registered in the Public Register of Oppositions at the time of the promotional calls made by the aforementioned Company, equal to approximately 7.75% of the total number of users contacted in the sample period.

1.1.4) Contestation of the violations and defenses of the Company.

The Office, in light of all the elements and documents acquired overall, adopted the aforementioned act of initiation of the proceeding no. 139761 of 12 October 2023 in which, in summary, it considered the conduct of the company in possible conflict with the regulations on personal data under two aspects:

- access by company personnel unrelated to the management of open cases for the resolution of technical problems - and therefore not "authorized" pursuant to art. 29 of the Regulation - requires assessing the possible violation of art. 5, par. 1, letter a); f) and 32, par. 1. letter b), of the Regulation;

- having contacted 511 telephone users in the context of telemarketing activities carried out in the sample period from 6 to 13 March 2023, while the same users were registered with the RPO - with the consequent obligation of non-contactability - entails the identification of the conditions for the violation of art. 130, paragraphs 3 and 3-bis of the Code, regarding electronic communications, as well as, more generally, of art. 6, par. 1 letter a) of the Regulation, with regard to the lack of the necessary legal basis of consent to legitimise the processing of the data in question for promotional purposes.

In response to the initiation of the proceedings, the Company submitted its own defense briefs on 14 November 2023 (ref. prot. 153235/23), with which, together with the hearing held at the Authority's headquarters on 5 December 2023 (ref. internal prot. 0162150/23), it requested the archiving of the proceedings on the basis of the following reasons.

First of all, with regard to the alleged access of unauthorized personnel to the management of the technical problems underlying the alleged violation of Articles 5, paragraph 1 and 32, paragraph 1, letter b) of the GDPR, it would be necessary, in the Company's opinion, to make distinctions.

In fact, the processing of telephone data in the cases referred to in two of the three disputed files, Nos. 175615 and 179555, carried out by a self-styled third-party network operator, in this case XX, on the basis of interconnection agreements for the provision of termination services on fixed and mobile networks, would be one thing.

In particular, according to these agreements, the virtual operator, in the case in question Fastweb, uses the physical infrastructure owned – or managed – by another telecommunications operator, in the case de quo XX, for any intervention on the network, activation or support (selection of faults or requests for assistance).

With the latter, in compliance with the provisions of AGCOM, Fastweb shares information necessary for the execution of service contracts, such as user data. This occurs through IT systems whose operation and compliance with security standards is the sole responsibility of the host operator who owns the network, in the capacity of independent data controller, i.e. always XX.

On this point, Fastweb also recalls what was already illustrated during the investigation that led to the previous provision no. 112 of 25 March 2021.

In fact, already in the defensive documents of that proceeding, the Party complained, also with complaints submitted to this Authority, that the illicit processing of telephone data of its customers could be traced back to illegal accesses to databases held by XX, as also attested by proceedings initiated by other Supervisory Authorities, for the profiles of their competence, in relation to the same facts.

With regard to the competitive environment, in particular, the Company during the hearing reiterated the need for the owner of the line to adopt standardized conditions, also in light of the legislative and regulatory provisions that govern the sector, such as, respectively, the Electronic Communications Code (Legislative Decree 1 August 2003 no. 259) and the AGCOM resolutions regulating interconnection services.

A completely different story, however, concerns the other of the three disputed files, no. 175615, deriving from episodes of harassment and threats for having refused commercial offers, received from a Fastweb customer and coming from unknown persons.

Following well-founded suspicions about a call center operator, the Company carried out targeted checks and identified, criminally reported and sanctioned the person responsible for such offences.

This highlighted how the sending of offensive and threatening text messages, later traced back to the employee in question, is a serious fact but not attributable to the Company through its duty to prove the adoption of adequate models for the prevention of the violation of personal data in its internal organization. This is because the author of the facts had the right to process, among other things, that data, according to the system of distribution of tasks and duties within the company, and even if limited to the promotional purposes that characterized the role of the operator in question.

However, the Company could have done nothing if the employee authorized to process personal data for a certain purpose had decided to use it, as it then was, to send inappropriate content: the fact does not fall within the type of risks from which the company is normally required, in general, to protect itself by identifying security measures.

For this purpose, those already prepared in compliance with the previous corrective and sanctioning provision no. 112 of 2021 (to which the party refers) and which ordered "the adaptation of the security measures for access to its databases in order to eliminate or in any case significantly reduce the risk of unauthorized access and processing not compliant with the purposes of the collection."

As for the dispute referred to in point no. 2), from the total of 511 numbers considered in the sample period, 285 should be preliminarily excluded since, although they belong to subjects registered in the Public Register of Oppositions since before the day of contact, they were not used by the owner for promotional or recontact purposes, since they were customers who purchased Fastweb services in person, or at a store or at a point of sale, and not through tele-selling.

The Office's investigation should therefore be limited to the numbers in the sample period actually contacted for the remote purchase of Fastweb services, corresponding to 226 numbers, or approximately 3.43% of the total of 6592 sample numbers.

In this context, it would be necessary to further distinguish between calls on the one hand (i) inbound and (ii) websales (the latter in turn divisible between call me-back and comparators), made by virtue of the interested party's consent after the date of registration in the Register and therefore legitimate pursuant to art. 1, co 6 of Law no. 5 of 11 January 2018.

On the other hand, outbound calls (iii) would require separate treatment. In fact, where these are made to numbers of non-customers, deriving from lists acquired in compliance with the principles imparted by the owner, they would presuppose the acquisition of the interested party's consent in a legitimate manner.

Furthermore, the number is always checked in the Register of Oppositions every time a "cold" promotional call is planned, i.e. on a day following the day of acquisition of consent.

As for calls to its customers' numbers, these, according to Fastweb, would in themselves be legitimate even in the absence of marketing consent, as they are the result of a legitimate corporate interest in offering its customers improved services or in any case linked to those already purchased.

1.2.1) The second procedure: the request for information of 28 November 2023 and the response from Fastweb S.p.A. of 19 December 2023.

With a subsequent request for information dated 28 November 2023, ref. prot. 0158998/23, the Office submitted to Fastweb S.p.A. the report ref. prot. 167397/23 concerning the alleged illegitimacy of the web form for modifying consents that the same had sent via email to customers on the occasion of the changes to the information on data processing.

In fact, the report revealed that when the new information was inserted into the privacy policy regarding the retention of customers' personal data for promotional purposes, including telephone numbers, for up to 24 months after the termination of the contract, customers were submitted a pre-filled consent form such that, in the absence of any selection by the interested party, the retention of data (including telephone numbers) for promotional purposes was considered permitted.

Conversely, the procedure for making any changes to consents appeared to lack the saving function, which in any case made the right to object to the processing unexercisable.

The company, with a response note dated 19 December 2023 (ref. prot. 167397/23), explained, first of all, that the option to save changes was regularly recognised by the specific function located at the bottom of the consent modification page.

Secondly, the company denied the violation of the opt-in principle as it was not applicable in the case in question: on the contrary, the legal basis for the retention of contact data of former customers for promotional purposes would be the mere legitimate corporate interest in sending commercial communications even after the contracts have ended, for 24 months and until they object.

1.2.2) The contestation of the violations and the company's defences.

The Office, in light of all the elements and documents acquired overall, adopted a new act to initiate proceedings no. 25538 of 29 February 2024 in which, in summary, it considered the company's conduct to be in possible conflict with the regulations on personal data under the following additional profiles:

- the processing of the data of customers, both current and terminated less than 24 months ago, for promotional purposes, declaredly carried out on the basis of legitimate interest not opposed, would be in violation of Articles 6 of Regulation (EU) no. 679/2016 and 130 of the Privacy Code, which instead identify the prior and unambiguous consent given for each contact data (including telephone number) as the only legal basis for sending promotional electronic communications, even for services connected or linked to those already purchased (with the sole exception of Article 130 paragraph 4 of the Code, which cannot be invoked in the case in question, as discussed in detail below);

- without prejudice to the unsuitability of the legal basis of legitimate interest for the processing in question, as regards the need to cultivate a qualified relationship with its ceased customers, in order to bring it back to the legal basis of legitimate interest, it does not seem justifiable in any case that it continues indiscriminately for all contact data known to the company for a period as long as 24 months from cessation, with possible prejudice to the rights and freedoms of the interested parties based on the provisions of Articles 5, paragraph 1, letter c), e) and 2 of the Regulation respectively in terms of data minimization, storage limitation and accountability;

- the privacy policy does not comply with the principles of clarity, transparency and ease of understanding pursuant to Article 12, paragraph 1 of the Regulation. The processing in the context of the execution of the contract and that for advertising purposes, to which the respective legal bases are linked, are described incompletely. In fact, it turned out that only some promotional processing is expressly linked to the legal basis of consent: others, such as the one disputed (specifically the update of the offer and promotions that allow discounts or advantages on services already activated), despite having the same legal nature, are considered to be forms of data processing for contractual purposes;

- Fastweb failed to promptly and exhaustively respond to various requests for the exercise of rights by customers, which they complained of having been violated for various reasons.

The company, after obtaining a deferral of the deadline for submitting the written defense referred to in art. 166, paragraph 6 of the Code (which the Authority granted in accordance with art. 13 of Regulation no. 1 of 2019 of the Office of the Guarantor concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, in www.gpdp.it, web doc. no. 9107633, also “Regulation no. 1/2019”), observed first of all, with a memorandum dated 15 April 2024 (ref. prot. 47417/24), that file no. 133009 is the same as that of the procedure that led to provision no. 112 of 25 March 2021, as well as that of the present procedure initiated with an act of 12 October 2023 (ref. prot. 139761/23) and continued with an act of 29 February 2024 (25538/23).

As for the new processing of personal data announced with the update of the information sent to the Customer Base and consisting in the sending of information about the goods and/or services offered by Fastweb for 24 months from the termination of the contractual relationship and subject to any opposition by the interested party, which constitutes the main object of this dispute, the company has offered some clarifications.

First of all, both the planning of the campaign and the carrying out of individual contacts towards customers and former customers would be validly supported by the legitimate corporate interest in bringing the initiatives in question to their attention, regardless of their consent.

In any case, no promotional material, not even the one in question, was sent without sending the updated information, demonstrating the utmost attention to the protection of customer data in the exercise of business activities.

The company, in carrying out an in-depth assessment of the interests at stake, in order to fairly balance the corporate interest with the protection of the rights of interested former customers, has identified precise limits in the performance of the promotion in question, including for example a suitable period of time to object to the processing and the reminder of the right to object which, if exercised, entails exclusion from the contact lists.

In particular, Fastweb considered the procedure as highlighted above to be legitimate based on what is established by recital 47 of the Regulation on direct marketing, and the internal discipline would be a confirmation of this: art. 130, co. 1 of the Code, which implements art. 13 of Directive 2002/58/EC, should be interpreted as a rule that, exceptionally, legitimises electronic communications for promotional purposes on the basis of the data subject’s consent alone when these are carried out using automated systems or without the intervention of an operator (a rule that the following paragraph extends to e-mail, messages and other types of automated communications). Conversely, telephone calls with an operator referred to in paragraph 3 of the same article would fall under the general regulation, in application of Articles 6 and 7 of the Regulation.

In this context, the fourth paragraph on the so-called soft spam, in legitimising the use, in the absence of consent, of customers’ e-mail addresses for direct marketing purposes limited to services or products of the owner similar to those that were the subject of a previous sale, would be the expression of a general principle, applicable, albeit only in the context of relationships with the Customer Base, also to contact data other than e-mail, for example the telephone number.

In this sense, the company referred to a passage from the previous provision no. 112 of 25 March 2021 where it is not excluded that "contacts based on legitimate interest may concern commercial proposals linked to services already offered to the customer", as well as to a general provision of the Spanish Supervisory Authority, no. 1 of 26 June 2023, which reiterates the suitability of legitimate interest as a legal basis, in general, of communications for advertising purposes.

With reference to the method of opposition and management of consents (point A.2 of the briefs), the company considered the web form under examination compliant with the current regulatory framework, as the legal basis indicated to justify all the contested treatments, i.e. legitimate interest, would be unique for all contact data processed for promotional purposes: therefore, it would not be necessary to highlight any distinction within it since the interested party can exercise his/her opposition to the aforementioned treatments both with reference to the overall purpose and by opting for specific contact channels (email, telephone, sms).

As for communications with terminated customers (point A.3 of the briefs), Fastweb has decided not to limit the retention for the purpose of sending promotional content to the channel considered the least invasive, i.e. email, firstly because art. 130 of the Code, in the interpretation offered by the party, would consider contact by telephone to be less invasive and therefore preferable to the email address (the former would in fact retain margins of use even in the absence of consent, the latter instead is assimilated to automated systems and can only be used with prior consent). Secondly, also with a view to the effectiveness of the promotional message, the company believes that a message conveyed by voice, as it is more “human,” can overcome a written one, which is colder and more asynchronous, especially in the case in question where the offer is formulated in the prevailing interest of the recipient and usually focuses on updating the infrastructure.

Even in terms of data retention, Fastweb represented that the retention of personal data of terminated customers for a period of 24 months would be legitimate, reiterating that the qualified relationship between the owner and the manager does not end with the conclusion of the contract and therefore the retention period identified seems appropriate to the purposes, also with a view to ensuring the best infrastructural technology on the market and in light of the case law of the Guarantor on customer loyalty programs (provision of 24 February 2005, in www.gpdp.it, web doc. no. 1103045).

In any case, consistently with the fact that, according to the owner, the legal basis for the processing of both types of data is identical (i.e., once again, legitimate interest), the retention period should also be the same (moreover, a differentiation would lead to the development of unsustainable business processes, as the proposal or offer of the service would not be abstractly categorizable based on its effectiveness of transmission via email rather than through the use of the telephone number).

Having reiterated the need, as regards the retention period for promotional purposes, to align all contact data on a common threshold, the company has recognized that the retention limit of 24 months may be subject to changes.

With reference, then, to point B), relating to the violation of the principles of correctness and transparency of the information, already the subject, for other reasons, of the previous sanctioning provision no. 221 of 25 March 2021, Fastweb reiterated the correctness of its actions: the sending of communications for the purpose of "updating the offer", even if attributable, in the opinion of the Company, to the management of the contractual relationship, was instead linked to the different legal basis of legitimate interest, due to the promotional characteristics of the communications themselves.

More precisely, the company did not consider this formulation misleading since, considering it correct to base this latter type of processing (where also carried out via telephone contact) on legitimate interest, it did not consider it necessary to separate the treatment or to place it in paragraph no. 6 dedicated to processing based on consent.

Then, with regard to point C), regarding the lack of, incomplete or late response to requests to exercise the rights of interested parties pursuant to articles 15-22 of the Regulation, it would be necessary to distinguish:

- file no. 323331 – the applicant reported the change, which he claimed was unsolicited, of the marketing consents to the telephone contact. However, it was the applicant himself who requested the revocation of the marketing consent precisely on the occasion of an unwanted contact. The confirmation occurred with the subsequent communications from the company “no-reply” mailbox of the owner, of which the applicant confirmed receipt;

- files nos. 325741 and 317883 – following the termination of the contract, the complainant requested the company to delete his data; within 30 days of the request, Fastweb presented a generic impediment consisting of the malfunctioning of the system for closing the customer’s position. Following numerous reminders, the interested party, once the terms for responding to the request had expired, filed a complaint with the Authority. Following the opening of the file and during the dialogue now underway with the Office (in the case of file no. 325741, also with a request for information and a simultaneous invitation to join with respect to the company pursuant to art. 157 of the Code of 8 January 2024, ref. prot. 1915/24), the company, albeit late with respect to the original request (and, in the case of file 325741, in compliance with the requests of the Office), proceeded to delete the personal data of the interested party;

- file no. 292562 – a customer, following the termination of the contract for the fixed network service, complained that the data reported on the waybill for the return of the modem were transcribed incorrectly, above all his postal address. The company responded to the request for rectification with a delay of over five months, stating that the address reported in the letter (in both the recipient and sender fields) was that of the carrier appointed by Fastweb to receive the delivery of the modem, the processing of which was authorized for contractual reasons. Therefore, in the case in question, there had been no error but a simple operational indication for the correct dispatch of the package;

- file no. 316719 – the reporting party complained of several fraudulent telephone calls from so-called Fastweb operators with the purpose of migrating to another operator. The telephone numbers cannot be traced in any way to the Company, which in fact immediately reported them to the Public Prosecutor's Office following the report. On the assumption that the processing had been carried out on behalf of or with the participation of Fastweb, the reporting party exercised its rights pursuant to Articles 15-22 of the Regulation, and the Company provided feedback directly through the call center operator contacted;

- file no. 331661 – the complainant, faced with some unwanted promotional contacts from the company in question, filed a request for compensation via PEC, intending at the same time to revoke the marketing consent given at the time of the conclusion of the contract with Fastweb. The company, more than a month after receiving the request, positively acknowledged the interested party's request.

2)  AUTHORITY’S EVALUATIONS

It should be noted that this provision deals with the overall phenomenon of unwanted marketing and telemarketing, for which the Company has been the recipient of numerous provisions from the Authority over the years.

These include, in particular, provisions nos. 300 of 18 October 2012 (in www.gpdp.it, web doc. no. 2368171), 235 of 18 April 2018 (in www.gpdp.it, web doc. no. 9358243), 441 of 26 July 2018 (in www.gpdp.it, web doc. no. 9040267) and 112 of 25 March 2021 (in www.gpdp.it, web doc. no. 9570997), which imposed prescriptions, processing bans and administrative sanctions in relation to millions of contacts via telephone and text messages, which Fastweb and its sales network implemented without obtaining suitable consent from the subjects contacted.

The last provision, no. 112 of 25 March 2021, in particular, following an in-depth investigation, culminated with the injunction of multiple measures, including the provisions pursuant to art. 58, par. 2, letter d) of the Regulation to:

- adapt the processing in the field of telemarketing in order to foresee and prove that the activation of offers and services and the registration of contracts occurs only following promotional contacts made by the Company's sales network through telephone numbers registered in the ROC - Register of Communication Operators;

- reformulate the information relating to the "Call me back" service, specifically indicating the methods of recontact by Fastweb S.p.A. and, always in relation to the aforementioned service, to provide an automated method of deactivating the service;

- adapt the security measures for access to its databases in order to eliminate or in any case significantly reduce the risk of unauthorized access and processing that does not comply with the purposes of the collection.

More generally, in the field of telemarketing and tele-selling, the Authority has adopted numerous provisions that have outlined the regulatory framework, also for other companies operating in the national territory (including provisions no. 143 of 9 July 2020, in www.gpdp.it, web doc. no. 9435753; 224 of 12 November 2020, in www.gpdp.it, web doc. no. 9485681; 183 of 13 April 2023; 81 of 8 February 2024, in www.gpdp.it, web doc. no. 9988710).

2.1) On the consolidation of the proceedings

The two proceedings initiated separately deserve to be consolidated pursuant to the aforementioned Regulation of the Guarantor no. 1/2019.

They concern, on the one hand, identical issues, namely the programming and sending of electronic communications in the absence of an appropriate legal basis, contested in both the first and second act initiating the proceedings.

On the other hand, the additional charges that characterize the second proceeding concern the same controller, albeit for different processing of personal data (art. 10, co 4 of Regulation no. 1/2019).

Conversely, it is important to note that the separate handling of the proceedings and their definition independently of each other would give rise, in addition to a duplication of provisions on closely related issues, to the possible valorization, to the detriment of the controller, of one as a previous violation of the other, relevant as an aggravating circumstance pursuant to art. 83, par. 2, letter e) of the Regulation.

2.2) With reference to the first proceeding

With reference to the first of the two disputes (point D1), Fastweb's defenses appear to be well-founded. In particular, the ECJ recently reiterated in the ruling of the Third Section, 25 January 2024 (case C-687/21, BL v MediaMarktSaturn Hagen-Iserlohn GmbH) that the technical and organizational measures implemented by the controller require an assessment of adequacy in concrete terms: in that case, the fact that an employee of the controller, through isolated conduct, would have mistakenly delivered to an unauthorized third party a document containing confidential data does not in itself appear sufficient to deem the preventive measures adopted by the controller unsuitable.

This is even more true in the case of the Fastweb employee in question, who addressed offensive communications to a stranger that were not related to the work context, and did so not by mere mistake but on purpose.

With reference to the violations covered by the D2 dispute in the field of telemarketing, some distinctions must be made.

First of all, it must be noted, also following the defensive observations, that the numbers in the sample period actually contacted for the remote purchase of Fastweb services amount to 226 and not 511: the Company has in fact clarified that the remaining numbers refer to “in person” sales within Fastweb stores.

Among these 226, the contacts must be divided into three categories:

- 34 are inbound contacts and constitute the telephone activity received on the toll-free number.

- 139 are websales contacts, i.e. telephone recontact activities following a request formulated via the web on the company's website. This is a very widespread phenomenon among telephone companies, which Fastweb has already had to correct following the aforementioned provision no. 226 of 25 March 2021 (even for profiles other than those in question), according to which the Company initially receives an expression of interest in a generic recontact, if applicable, also for promotional purposes, registering it via a dedicated web portal and with the times and methods set out in the privacy policy, and then proceeding to recontact at a later time.

- 53 are outbound contacts, outgoing telephone contact activities only on numbers for which consent is acquired initially.

As for the first category, the consents expressed through requests for recontact to the toll-free number (inbound telesales) appear suitable to legitimise subsequent contacts made after 31 January 2023, the date taken as a reference by this Authority to verify the registration of the numbers contacted in the RPO.

In fact, art. 1, co 6 of law no. 5 of 11 January 2018, containing new provisions on the registration and operation of the register of objections and the establishment of national prefixes for telephone calls for statistical, promotional and market research purposes, states that registration in the RPO cancels only the consents previously given: those in question, however, as they are subsequent, are not subject to the effect of registration and therefore serve to legitimise subsequent recontacts for promotional purposes.

This is sufficient to justify inbound contacts, for which the expression of consent occurs at the same time as the telephone contact: since there is no interval between the two moments, it cannot even be assumed that any request for registration in the RPO occurs in the intermediate period.

Conversely, in the case of the 82 websales contacts acquired through the specific “Call me back” function on comparison sites, although it is true that these consents are also subsequent to the date of registration in the RPO, there is still a time gap between the insertion of the telephone number and the recontact, which can begin on the same day but usually lasts for several days.

In this time frame, it may happen that the interested party, due to a change of heart, renews his/her registration in the RPO with the effect of sweeping away, among the new marketing consents, also the one given via websales.

In fact, on the one hand it is specified that the marketing consent is completely optional: if the relevant box is not checked, it is still possible to successfully send the request to recontact the number for pre-contractual purposes only.

Furthermore, pursuant to art. 6, co 1 lett. a) of the Code of Conduct for telemarketing and tele-selling activities (provision of the Guarantor no. 70 of 9 March 2023, published in the Official Journal no. 73 of 27 March 2024 and which can be invoked as best practice regardless of its direct applicability to the case in question), a procedure should be provided of which there is no trace on the web page of the service in question: the so-called double opt-in, according to which the consent acquired online is confirmed by the interested party in response to an automatic verification message sent immediately after the transmission of the telephone number. This allows verification that the person being contacted is actually someone interested in the offer, and not an unrelated third party.

Finally, given that the RPO registration procedure is completed within one working day, if the recontact is scheduled and occurs on a day after the acquisition of marketing consent in the manner described (which is quite possible as reported by the information overall on the site and summarized here), the company has not demonstrated that it adopts, for the intermediate period in question, procedures for verifying RPO registrations.

It should also be noted that, with regard to the 82 recontacts that occurred in this manner by the so-called comparators (websites that allow the interested party to compare different operators based on the service requested, e.g. XX), the company in the supplementary notes of the hearing of 5 December 2023 (ref. incoming prot. no. 168558/23, page 2), states that the period of time between the expression of interest and the signing of the contract is usually a few days.

It should be noted that the criterion stated above, according to which if the contact occurs some time after the acquisition of consent it is necessary to proceed with a check of the numbering with the Register of Oppositions, is ordinarily followed by Fastweb in the case of outbound calls by telesellers (page 4 of the same supplementary notes), so there is no reason why the same criterion should not also be applied to the “Call me back” procedures.

It is true that a similar check (and its negative outcome) was reported in the defense briefs; however, these were one-off checks specifically carried out after the communication of the start of the procedure in question: there is no trace of ex ante checks.

This omission is in conflict with articles 5 et seq. of Presidential Decree 27 January 2022, no. 26 (Regulation containing provisions on the establishment and functioning of the public register of contractors who object to the use of their personal data and telephone number for sales or commercial promotions, pursuant to article 1, paragraph 15, of law 11 January 2018, no. 5) which establish the obligation to consult the RPO prior to telephone contact; this latter obligation is instrumental to the applicability of art. 130 of the Code, on commercial electronic communications based on consent.

Finally, as for the 53 outbound calls, consents are collected by the teleseller on the same day that the customers are contacted. In the event that the contact occurs later, a consultation procedure of the RPO is also carried out at the FUB to allow the processing of the telephone number for which the promotional consent is collected for a longer period.

However, with particular reference to the calls made to propose the purchase of services and products similar to those purchased, i.e. 9 out of 53, these are considered by the company to be lawful even in the absence of marketing consent if made to current customers (or, as explained in the previous paragraph, even former customers who ceased less than 24 months ago), with non-opposition to the legitimate interest of the company being considered sufficient in their case.

In fact, promotional calls were made using these methods to 9 of the 53 contested outbound contacts: of these, only registration with the RPO on 31 January 2023 is documented. No marketing consent after that date has been proven.

Nor, in this regard, does the thesis that commercial communications to one's customers (both current and terminated) do not require consent deserve acceptance; this conflicts with art. 130 of the Code.

Art. 130 constitutes in fact the transposition of art. 13 of Directive 2002/58/EC, which in turn regulates, in the European context, unwanted communications via electronic instruments.

The supranational law establishes a dual principle.

On the one hand, it is established, to guarantee the interested party, that the only legal basis permitted for the sending of advertising material via electronic instruments is the consent of the latter (opt-in rule), thereby excluding all the others provided for by art. 6 et seq. of the Regulation.

This rule applies to the aforementioned art. 130, paragraph 1 of the Code, which thus regulates telephone calls without the intervention of an operator.

Para. 2 of the same article then extends the same discipline to other types of electronic communications such as email and SMS.

On the other hand, for contacts made with different means, including the traditional telephone channel/with operator, the aforementioned Directive left the Member States the option of choosing whether to maintain the legal basis of consent (opt-in) or justify the advertising activity of the owner only on the basis of the data subject's failure to refuse (opt-out), which can be exercised, in Italy, by registering the user in the Public Register of Oppositions.

The opt-out rule is considered a point of balance between business activity, marketing and the data subject's right to object, therefore it is adopted by the European legislator as the only alternative for less invasive communications, such as non-automated/with operator.

In implementing the supranational legislation examined, Article 130 of the Code therefore adopts the opt-in as a general rule, implementing the opt-out only in paragraph 3-bis with reference to the use of the telephone (obviously only with an operator, because automated telephone calls, as mentioned, are bound to the opt-in based on the first paragraph) and paper mail.

The provision applies only to the numbers and postal addresses published in the lists of contractors referred to in Articles 129 et seq. of the Code.

With reference, however, to reserved postal addresses and reserved numbers, since the Italian legislator has not expressly provided anything, the general rule of electronic communications for advertising purposes, i.e. the opt-in, applies.

Confirmation of this can also be found in the specific regulation of the aforementioned RPO.

In fact, Law 5/2018 - which has substantially changed the regulatory framework conferred by the Presidential Decree 7 September 2010 n. 178 and which regulates the establishment and functioning of the RPO - refers exclusively to processing based on previously expressed consents which, with the registration in the said Register, are revoked, "without prejudice to the consents given in the context of specific contractual relationships in existence, or ceased no more than thirty days ago" (see art. 1, paragraph 5, of the aforementioned Law 5/2018). From this it can be deduced that:

- a controller who has a contractual relationship with an interested party can make promotional telephone communications to the latter only if he can document the possession of an appropriate consent.

In fact, if this remains valid despite the registration of the number in the RPO, it is even more valid to justify the processing in the absence of any opposition.

- Registration in the RPO does not serve to revoke the customer's consent, for whom, due to their particularly qualified position, other forms of revocation are provided.

This shows that the processing of customer data for advertising purposes is always supported by their consent, even if differently revocable than those who, not being customers, use the RPO to oppose it.

2.3) With reference to the second proceeding

In the second proceeding too, the main violation that emerged consisted in having required customers to take action to refuse processing that by law should always be prohibited by default.

First of all, on the defensive observation relating to the identity of the number of today's proceeding with the one that determined the adoption of the aforementioned provision no. 112 of 25 March 2021, it is highlighted that the file number is a mere container, which does not uniquely identify a single proceeding but is used by the Office to classify the documents, being attributable also to distinct proceedings, some concluded and others in progress.

With regard, then, to point A.1 of the parties' briefs, the following is noted.

The aforementioned recital no. 47, which does not have the force of law, does not refer to electronic communications, which are instead governed by the aforementioned art. 130 of the Code and with which the described system of corporate consents is in direct conflict.

The discipline applicable to the case illustrated requires, as examined in the previous paragraph, consent as the sole legal basis for the processing of telephone data for promotional purposes, regardless of whether the subjects are already customers.

Legitimate interest cannot be invoked as the legal basis for marketing activities, as the Company did in its response, since, apart from art. 130, paragraph 4, of the Code, which governs the cases of so-called soft spam by admitting, under specific conditions, the sending of promotional communications without the consent of the interested party exclusively through the e-mail channel, any other promotional communication carried out outside of these conditions and using a different channel falls under the more general discipline of art. 130 of the Code, which provides as a legal basis only the consent of the interested party.

As illustrated in the previous paragraph, in fact, art. 1, paragraph 5, last sentence of law no. 5 of 11 January 2018, in establishing that for contractual relationships in existence (or terminated less than thirty days ago) registration with the RPO does not affect the revocation of consent to processing for marketing purposes, postulates precisely such consent as the legal basis for processing for promotional purposes even when these are referred to its customers.

Fastweb commits the interpretative error of considering the provisions of art. 130, paragraph 4 of the Code as exceptional only with respect to the first two paragraphs of the article in question, which establish consent as the only legal basis for automated telephone calls. By not recognizing, however, that the rule also has special scope with respect to paragraph 3 (which concerns telephone calls with an operator to public numbers), it erroneously considers it, like the latter, a provision further declaring articles 6 and 7 of the Regulation, susceptible to application by analogy to all relationships, for promotional purposes, with the customer base, regardless of the choice of contact method, which would be left to the discretionary assessment of the owner rather than bound by the legislator to e-mail only.

By virtue of this interpretation, the company considers itself authorized to adopt legitimate interest as a legal basis for promotional activity tout court towards its customers, not only via e-mail but also through the traditional channel.

This interpretation is in obvious contrast with the law in question.

Article 130, paragraph 4 not only does not refer to the general discipline of articles 6 and 7 of the Regulation, but rather establishes a derogating discipline with reference to both this and the specific one regarding electronic communications for commercial purposes (articles 130, paragraphs 1-3-bis of the Code).

In fact, the provision does not identify a different legal basis for the so-called “soft-spam” towards its customers; it simply does not consider any legal basis necessary when the two conditions provided for therein occur: one subjective regarding the audience of recipients, i.e. the customers; the other, objective, regarding the means of contact, i.e. the email address and the content of the promotional message, which must be similar to the service purchased previously, so as to presume interest.

Only in the presence of these conditions does the rationale for privileging the qualified relationship already established as a result of the conclusion of a contract exist, being able to disregard consent.

Precisely because of the certainly exceptional scope of the provision in question, any form of analogy legis must be rejected, which is why any promotional communication carried out, even to its customers, with means other than email, such as in this case the telephone number, makes it necessary to choose a specific legal basis, thus falling within the more general discipline of art. 130 of the Code and, in particular, the opt-in principle.

Moreover, the passage of the provision of the Guarantor no. 112 of 25 March 2021 referred to in the parties' briefs is taken from the argumentative process in support, in that provision, of the judgment of ascertainment of the violation consisting in the performance of marketing activities on the sole basis of the legitimate interest regarding services not originating from the owner but from third parties, towards which the interested party is completely extraneous and does not boast that qualified relationship that he has only with the owner and which would lead to the presumption of his interest in receiving the offers.

Instead, in this second proceeding, the legitimate interest is invoked not with regard to the content or origin of the message, but rather to the means of electronic communication used to convey it, given that this cannot be represented by the telephone number of the customers, but only by the email address.

Therefore, the violation, which in this provision is contested with regard to the channel chosen for the transmission of the promotional content, i.e. the performance of marketing activities to its customers in the absence of consent, is the same that in the previous provision had been charged with reference to the origin of the message from a third-party company.

For all the reasons set out, the system of promotional communications by Fastweb via electronic means of communication towards its customers is to be considered illegitimate for violation of arts. 6, par. 1, letter a), and 7 of the Regulation and art. 130 of the Code, as it is based on the opt-out and on the undue non-opposition to the legitimate interest, rather than on the opt-in.

In this sense, the methods of opposition and management of consents also appear to be in conflict with the regulatory framework in question (point A.2 of the briefs).

In fact, since the legal basis for data processing for telemarketing purposes is different depending on the tool used for the promotion (by telephone with an operator, by telephone without an operator or with other automated messages, by email or, finally, by paper mail), it must be justified differently for each of them: the processing for the purposes referred to in art. 130 of the Code of telephone data of customers/former customers can never be based on assessments tout court about the legitimate interest of the owner, but consent is required as the only condition of legitimacy and, to this end, the consent collection form must also reproduce this regulation.

On the contrary, the Company's consent management form allows the interested party, on the one hand, only to object tout court to the receipt of promotional communications and on the other, in the event of failure to object, to formulate preferences on the contact channel.

Consequently, the described model conflicts with art. 130 of the Code both because it configures the receipt of promotional electronic communications as an opposition rather than a prior consent to the processing and because, for electronic communications via telephone only, it does not expressly link consent as the only legal basis provided for by art. 130 of the Code, thereby distinguishing them from those that occur through other channels.

With specific regard to communications to terminated customers (A.3 of the briefs), the choice of a legal basis other than that provided for by law is, in itself, sufficient to demonstrate the illegitimacy of the processing in question.

In addition, with regard to the application of the principle of minimization, according to which in the opinion of Fastweb and contrary to what the Office claims, the data to be retained would be the telephone number, as it is less invasive than the customer's email credentials, the following is noted.

Not the Authority, but Article 130 of the Code in question considers email credentials as less invasive data when it connects them to greater possibilities of processing, which in fact is lawful even without consent (see soft-spam); instead, by telephone no advertising communication is ever legitimate in the absence of prior regular consent to processing, as widely illustrated.

Moreover, even in arguing, absurdly and to the contrary, that the storage of only customers' telephone numbers is more appropriate and pertinent, the company has not argued why, in this case, it has not consequently excluded other data deemed superfluous from storage.

In fact, it is true that in the context of minimization, the company is called upon to adapt the processing to the specific purpose it pursues, however the moment of evaluation must culminate, in practice, in the self-limitation of certain treatments, deemed unsatisfactory from the point of view of the invasiveness/effectiveness ratio and therefore avoided.

Fastweb does not review this conclusion, reserving the right to retain data deemed less useful, i.e. emails, even if only as a subsidiary, which constitutes a further violation of the principle of minimization.

Even with regard to the fact that the choice of the preferred channel would always be left to the interested party, because he is only asked to oppose each of these channels, this is not a well-founded statement: in fact, it is reiterated that, even in the absence of any choice, Fastweb considers it lawful to send advertising, indifferently, through each means of contact, including the telephone number, which is again in conflict with the aforementioned discipline.

For completeness, and without prejudice to the critical issues highlighted above, it must be pointed out that, with regard to the retention period of former customers' data, the aforementioned provision of the Guarantor no. 24 February 2005 on loyalty programs in art. 8 entitled “retention periods” identifies, in abstract, a maximum term of 12 months for profiling activities and 24 months for marketing activities within which, for these purposes, customer data can be stored and otherwise processed. It should be noted, however, that these are abstract terms, to be implemented according to the principles of accountability, minimization and limitation of purposes (see also the injunction order no. 20 October 2022 (www.gpdp.it, web doc. 9825667)) and that in any case they cannot be applied to processing hypotheses supported by legal bases other than the consent of the interested party.

Moreover, precisely because of the rapid obsolescence of technologies (which, according to the company on page 22 of its briefs, is also the reason why it is not possible to classify offers based on the effectiveness of transmission, in order to identify a single means for their communication), an excessively long retention period may lead to an ever-increasing number of unwanted promotions.

Sub-point B), regarding clarity and transparency of the information pursuant to art. 13 of the Regulation, in the previous provision of 2021 this had been found to be lacking for the aforementioned profiles connected to the origin of the offers from third parties rather than from the owner, who could not justify the processing of customer data on the basis of legitimate interest.

On the contrary, today's dispute refers to Fastweb's own processing, not third parties', and is considered unfounded on the basis of the fact that, in its opinion, not consent but legitimate interest was considered suitable to justify telemarketing activities, which justifies the treatment of these operations separately from the paragraph dedicated to the legal basis of consent.

The conclusion cannot be shared, for the same reasons as above.

As for the fact (which the party raises) that point 1 of the information notice, in which this activity can be placed, is explicit in referring to not only contractual but also advertising treatments, it must be noted that the information notice, in wanting to expressly refer to both, is also ambiguous in not equally clearly connecting the legal bases provided by law, which it is reiterated are different: in the case of advertising treatments by means of electronic communications (excluding emails) it is consent and not legitimate interest.

Although the company's thesis is shared according to which the more objectively advantageous a proposal is, the more easily it will be presumed that the interested party will consent to it being advanced by means of electronic communication (even traditional or by telephone), it, for the sole fact of having as its object a contract different from the one in force, still falls within the common discipline of art. 130 of the Code, according to which telephone promotion presupposes consent.

In other words, the fact that they are treated in the same paragraph, but distinguished in the provision of the service and the update of the offer, does not take away the fact that the treatments in question needed to be distinguished also with regard to the legal basis of the treatment, which for telephone contacts cannot be legitimate interest.

As regards the dispute under point C, regarding the failure to respond to requests to exercise the rights of interested parties pursuant to Articles 15-22 of the Regulation, the defenses referred to file no. 323331, whose report lacked the prior request (removed by the interested party when submitting it to the Authority) to modify the consents towards the owner, and no. 316719, where the reporting party was able to verify, through verbal confrontation, that the illicit contact came from persons external to the company, obviously not authorized to process the data on its behalf, appear to be well-founded.

With reference, instead, to files nos. 325741, 317883, 292562 and 331661, all have in common that the company's response to the requests for exercising the rights of the interested parties (concerning respectively the erasure of data pursuant to art. 17 in the first two cases, the rectification of data pursuant to art. 16 and the opposition to the processing pursuant to art. 21 of the Regulation in the other two cases) arrived late, that is, after the deadline that art. 12, paragraph 3 of the Regulation assigns to the owner to provide feedback had expired.

In fact, in the case referred to in file no. 325741, the company responded to the interested party's request submitted on 21 August 2023 only on 8 January 2024 (furthermore, after the interested party had lodged a complaint in the meantime and the Office's subsequent invitation to comply with it).

The merely interlocutory response received on 21 September 2023, whose content referring to generic system malfunctions does not equate to an appropriate response, should not be considered.

The latter, although timely, is illegitimate as it is not based on any of the reasons set out in art. 17, paragraph 2 of the Regulation.

In the case referred to in file no. 317883, the company responded to the request for deletion of the interested party's personal data of 2 October 2023 only on 19 January 2024, with a delay of over three months.

In the case referred to in file no. 292562, the company responded to the request for rectification of the personal data on the consignment note for returning the modem at the end of the contract submitted on 19 July 2023, only on 27 November 2023, over four months later, without justifying the delay. The request in question, in fact, although unfounded on the merits because it is the result of confusion by the interested party between the address of his home and the delivery address, still requires processing and verification within the aforementioned legal deadlines (even more so if one considers the ease with which it could have been resolved).

Finally, file no. 331661 also includes a request for opposition to the processing presented on 4 December 2023 and only responded to on 9 January 2024.

In fact, even if the request was unfounded to the extent that the marketing consent, contrary to what was stated by the applicant, had indeed been given at the time of the conclusion of the contract (albeit in the form of a failure to object, therefore in an irregular manner, as amply illustrated in the previous paragraph), it could immediately be classified as a revocation of that consent and as such could be promptly responded to within the legal deadline starting from its presentation.

For the reasons amply illustrated, the liability of Fastweb S.p.A. must therefore be confirmed in relation to the violations contested through the communications of initiation of proceedings pursuant to art. 166, paragraph 5, of the Code of 12 October 2023 and 29 February 2024.

3) CONCLUSIONS

For the above reasons, Fastweb's liability is deemed to be ascertained in relation to the following violations:

a) art. 130 of the Code (in relation to art. 5 of Presidential Decree no. 26 of 2022), and arts. 5, par. 2, 24, par. 1 of the Regulation for having failed to consult the Public Register of Oppositions, in relation to 82 numbers contacted after the day of acquisition of consent to the sending of communications for promotional purposes using the websales method;

b) arts. 4, no. 11), 5, par. 2, 6, 7, 24 and 25 of the Regulation and art. 130 of the Code for having provided for the sending of commercial communications to the telephone number of its customers during the contractual relationship and up to 24 months after termination, on the basis of mere legitimate interest rather than consent;

d) art. 5, par. 1, lett. a), lett. c) and lett. e); art. 5, par. 2; art. 6; art. 21, par. 2; art. 24, par. 1; art. 25 of the Regulation and art. 130 of the Code, all for having carried out the above-described processing of personal data of its customers in conflict with the principles of lawfulness, correctness and transparency of processing, with reference to data minimization, purpose limitation, accountability, in the absence of an appropriate legal basis, by implementing inadequate technical and organizational measures to guarantee, from the design stage, and to be able to demonstrate, that the processing is carried out, in all its aspects and at any stage and/or level, in accordance with the Regulation;

e) art. 12, paragraph 1, and 13 of the Regulation for having provided information lacking in terms of clarity, transparency and suitability with reference to the legal bases of the processing of customer contact data for promotional purposes;

f) art. 12, par. 3; 15-22 of the Regulation for not having responded within the terms of the request of the interested parties referred to in files 325741, 317883, 292562 and 331661.

Having also ascertained the unlawfulness of the Company's conduct with reference to the processing under examination, it is necessary to:

- order Fastweb S.p.A., pursuant to art. 58, par. 2, letter f) of the Regulation, to prohibit the processing of all numbers whose marketing consent is acquired through websales methods;

- order Fastweb S.p.A., pursuant to art. 58, par. 2, letter e) of the Regulation to massively inform all holders of numbers acquired through these methods of the violation perpetrated through their recontacting on the basis of uninformed, non-specific and non-unequivocal marketing consent;

- order Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation, to adopt a procedure for consulting the Public Register of Oppositions with references to the telephone numbers recontacted starting from the day after the one in which the websales marketing consents are acquired, monitoring compliance also with reference to the data controllers;

- order Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation, to use a double opt-in system, according to which the consent acquired online is always confirmed by the interested party in response to an automatic verification message sent immediately after the transmission of the telephone number;

- order Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation to reformulate the information with reference to the processing that makes up the “offer update”, treating it separately from the chapter on the provision of the service and basing it on as many legal bases as those provided for by law for the contact channels chosen for the promotional activity, specifying that, for telemarketing to reserved numbers, the only permitted legal basis is that of consent;

- order Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation, to adapt the “consents and contact preferences” form so that, in cases where consent is the only legal basis, such as that of marketing calls to reserved numbers, the interested party is put in a position to express it in the forms provided for by law, in particular so that the consent: is given prior to any processing operation, including storage; is given in an express form, and not through failure to refuse or non-opposition; is specifically referred to the type of electronic communication to be adopted, be it SMS, automated phone call or operator-assisted phone call; is formulated in such a way as to allow the interested party to consent to or deny a specific activity, and not simply to prefer it or not to prefer it;

- order Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation to inform the applicants referred to in the four files no. 325741, 317883, 292562 and 331661 that it responded to them with unjustified delay and that it has therefore been the recipient of this provision;

- order Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation to conclude the examination of the requests regarding the exercise of the rights of the interested parties within the deadline established by law, with an express and reasoned provision;

- adopt an injunction order, pursuant to Articles 166, paragraph 7, of the Code and 18 of Law no. 689/1981, for the application to Fastweb of the administrative pecuniary sanction provided for by Article 83, paragraphs 3 and 5, of the Regulation;

4) INJUNCTION ORDER FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to Articles 166, paragraph 7, of the Code and 18 of Law no. 689/1981, for the application to Fastweb of the administrative pecuniary sanction provided for by Article 83, paragraphs 3 and 5, of the Regulation (payment of a sum of up to € 20,000,000.00 or, for companies, up to 4% of the annual worldwide turnover of the previous financial year, if higher);

To determine the maximum statutory fine of the pecuniary sanction, it is therefore necessary to refer to the turnover of Fastweb, as obtained from the latest available financial statement (31 December 2023) in accordance with the previous provisions adopted by the Authority, and therefore this maximum statutory fine is determined, in the case in question, at € 106,444,795.00 equal to 4% of the turnover indicated in the ordinary financial statement relating to the year 2023.

To determine the amount of the fine, it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation;

In the case in question, the following are relevant:

1) the seriousness of the violations (art. 83, par. 2, letter a) of the Regulation), taking into account the object and purposes of the data processed, attributable to the overall phenomenon of unwanted telemarketing, in relation to which the Authority has adopted, in particular in the last four years, numerous provisions that have fully examined the multiple critical elements, providing the owners with numerous indications to adapt the processing to the legislation in force and to mitigate the impact of nuisance calls on the interested parties, most recently the Code of Conduct on telemarketing and tele-selling published in the Official Journal on 27 March 2024;

2) the circumstance that, in the previous sanctioning provision adopted by the Guarantor (no. 112 of 25 March 2021), Fastweb settled the dispute with a reduced payment, which determines, pursuant to art. 8-bis, paragraph 5, of Law no. 681/1989, the non-applicability of the aggravating circumstance referred to in art. 83, paragraph 2, letter e), of the Regulation;

3) as a mitigating factor, the degree and quality of cooperation shown with the Supervisory Authority in order to remedy the violation and mitigate its possible negative effects (art. 83, paragraph 2, letter f) of the Regulation);

4) as a mitigating factor, compliance with the previous provision of the Guarantor no. 221 of 25 March 2021 issued against Fastweb (art. 83, paragraph 2, letter i) of the Regulation);

Based on the set of elements indicated above, and on the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1, of the Regulation, it is believed that the administrative sanction of the payment of a sum of €1,000,000.00 equal to 0.93% of the maximum statutory sanction and 0.03% of the annual turnover should be applied to Fastweb.

In the case in question, it is believed that the accessory sanction of the publication of this provision on the website of the Guarantor should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019, taking into account the nature of the processing and conduct of the Company, as well as the elements of risk for the rights and freedoms of the interested parties.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 are met, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

CONSIDERING ALL THE ABOVE, THE GUARANTOR

- orders Fastweb S.p.A., pursuant to art. 58, par. 2, letter f) of the Regulation, to prohibit the processing of all numbers whose marketing consent is acquired through websales methods;

- orders Fastweb S.p.A., pursuant to art. 58, par. 2, letter e) of the Regulation, to massively inform all holders of numbers acquired through these methods of the violation perpetrated through their recontact based on uninformed, non-specific and non-unequivocal marketing consent;

- orders Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation to adopt a procedure for consulting the Public Register of Oppositions with references to the telephone numbers recontacted starting from the day after the day on which the websales marketing consents are acquired, monitoring compliance also with reference to the data controllers;

- orders Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation to use a double opt-in system, according to which the consent acquired online is always confirmed by the interested party in response to an automatic verification message sent immediately after the transmission of the telephone number;

- orders Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation to reformulate the information with reference to the processing that makes up the “offer update”, treating it separately from the chapter on the provision of the service and basing it on as many legal bases as those provided for by law for the contact channels chosen for the promotional activity, specifying that, for telemarketing to reserved numbers, the only legal basis permitted is that of consent;

- orders Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation to adapt the “consents and contact preferences” form so that, in cases where consent is the only legal basis, such as that of marketing calls to reserved numbers, the interested party is put in a position to express it in the forms provided for by law, in particular so that the consent: is given prior to any processing operation, including storage; is given in an express form, and not through failure to refuse or non-opposition; is specifically referred to the type of electronic communication to be adopted, be it SMS, automated phone call or phone call with an operator; is formulated in such a way as to allow the interested party to consent to or deny a specific activity, and not simply to prefer it or not to prefer it;

- orders Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation to inform the applicants referred to in the four files no. 325741, 317883, 292562 and 331661 that it responded to them with unjustified delay and that it has therefore been the recipient of this provision;

- orders Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation to conclude the examination of the requests regarding the exercise of the rights of the interested parties within the deadline provided by law, with an express and reasoned provision;

- orders Fastweb S.p.A., pursuant to art. 157 of the Code, to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the administrative pecuniary sanction provided for by art. 83, paragraph 5, of the Regulation;

ORDERS

Fastweb S.p.A., in the person of its legal representative pro-tempore, with registered office in Piazza Adriano Olivetti n. 1 Milan, C.F. and VAT no. 12878470157 to pay the sum of Euro 1,000,000.00 (one million/00) as an administrative pecuniary sanction for the violations indicated in the justification, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the power to settle the dispute, with the fulfillment of the instructions given and the payment, within thirty days, of an amount equal to half of the sanction imposed.

ORDERS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 1,000,000.00 (one million/00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981.

ORDERS

The application of the accessory sanction of publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and 16 of the Guarantor Regulation no. 1/2019, and the annotation of the same in the internal register of the Authority - provided for by art. 57, par. 1, letter u), of the Regulation, as well as by art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor - relating to the violations and measures adopted in accordance with art. 58, par. 2, of the Regulation itself.

Pursuant to art. 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller has its registered office, within thirty days of the date of communication of the provision itself.

Rome, 20 June 2024

THE PRESIDENT
Stanzione

THE REPORTER
Stanzione

THE GENERAL SECRETARY
Mattei

[web doc. no. 10040382]

Measure of 20 June 2024

Register of measures
no. 401 of 20 June 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members and Councillor Fabio Mattei, general secretary;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

HAVING SEEN the Personal Data Protection Code (Legislative Decree no. 196 of 30 June 2003), as amended by Legislative Decree no. 101 of 10 August 2018, containing provisions for the adaptation of national legislation to the aforementioned Regulation (hereinafter “Code”);

HAVING SEEN the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000, adopted with resolution of 28 June 2000;

REPORTER Prof. Pasquale Stanzione;

1) THE INVESTIGATIVE ACTIVITY CARRIED OUT

Introduction.

With notes no. 139761/133009 of 12 October 2023 and no. 25538/133009 of 29 February 2024 (notified on the same dates of adoption by certified email), which must be considered fully recalled and reproduced here, the Office initiated, pursuant to art. 166, paragraph 5 of the Code, two proceedings for the adoption of the provisions referred to in art. 58, paragraph 2 and the administrative pecuniary sanctions referred to in art. 83, paragraphs 4 and 5 of the Regulation against Fastweb S.p.A. (hereinafter “Fastweb” or “the Company”), in the person of its legal representative pro-tempore, with registered office in Milan, Piazza Adriano Olivetti n. 1, C.F. 12878470157.

These are proceedings initiated following the receipt, by the Office, of multiple reports and complaints.

In particular, the first of the two proceedings, no. 139761/133009, concerns several promotional telephone contacts made by Fastweb and its sales network to acquire new subscriptions to fixed-line, mobile and internet services. It also contains hypotheses of violations relating to possible shortcomings in the management of former customers' data, in terms of the security of the collection and storage systems, and the failure to respond to requests for access, cancellation, rectification and exercise of other rights of the interested party.

The second act of contestation no. 25538/133009 also arises from reports of the latter type described, i.e. incomplete processing of requests for information on the exercise of rights, which the Office received after 12 October 2023, the date of notification of the first act initiating the proceeding.

The latter also includes hypotheses of violations arising from two reports (nos. 316604 and 331661) relating to the retention of customer contact data for the sending of promotional communications, even after termination of the contract and for a further 24 months.

1.1.1) Proceeding no. 0139761/133009. The request for information of 2 December 2022 and the response provided by Fastweb.

As mentioned, following 58 reports and complaints, the Authority, with note ref. prot. 75428 of 2 December 2022, sent Fastweb a cumulative request for information for several files relating to the period from 1 October 2021 to 31 October 2022, relating to the area of unwanted phone calls (49 files), as well as additional profiles regarding: communications sent by mistake to subjects other than customers (2 files); insufficient response to requests to exercise the rights of interested parties (1 file); poor management of customer data in terms of security (6 files).

With a note dated 20 January 2023, the Company provided an analytical response from which it emerges that:

- approximately 80% of the reports relating to unwanted contacts would be attributable to calls made from numbers not registered in the Register of Communication Operators (ROC) or in any case not belonging to the Company's official sales network;

- in this regard, the Company highlighted that it had reported such abusive conduct by third parties to the Postal Police of Milan;

- for other cases (5 files), it stated, in a documented manner, that the calling numbers were correctly registered in the ROC by some authorised partners such as Supermoney S.p.A. or Accueil s.r.l., which allegedly collected the contact details of the whistleblowers during their own initiatives conveyed via the web, in which the interested parties had given their specific consent to the processing of personal data for marketing purposes;

- in one case, the promotional call occurred following a request for recontact by the whistleblower.

With regard to the exercise of the rights of the interested parties pursuant to articles 15-22 of Regulation (EU) 2016/679, the Company represented, in the only case that led to the start of an investigation, that "unlike what was indicated in the report, during the period indicated, the [whistleblower, editor's note] had interactions with the Fastweb customer service which then led to the closure of the case in June 2022 with the reimbursement of the amount due" and that, therefore, "no shortcomings were found in the exercise of the rights of the interested parties".

With regard to the reported critical issues in the security of the personal data of the interested parties receiving promotional calls for XX products and/or services, the Company first specified that the whistleblowers had been – or were, at the time of the checks – Fastweb customers, for example on ADSL_WS technology. This type of technology requires that the telecommunications company providing the service, in the case in question Fastweb, uses the physical infrastructure owned – or managed – by another telecommunications operator for the customer's users. Therefore, any intervention on the network, for activation or support (selection of faults or requests for assistance), requires the necessary involvement of the entity managing or owning the network. Consequently, it is necessary that, in such situations, the data of the user on whom the intervention is necessary be communicated to the owner or manager of the network. This sharing is carried out via the portal made available by the operator, whose security standards have been the subject of specific interventions at the request of AGCOM (see files nos. 175615; 1795557; 183763); in the context of these operations, the interested parties complain of having received promotional communications not only from the network operator but also from other companies. Furthermore, from in-depth investigations conducted by Fastweb on the personal data of other whistleblowers, it emerged that these had been accessed and viewed by its own employees other than the personnel assigned to this purpose. Fastweb therefore proceeded with disciplinary action against the personnel whose responsibilities it ascertained.

Furthermore, the Company added (producing the relevant documentation) that the facts in question were reported to the Judicial Authority, so that the latter could ascertain the possible involvement of outsiders also in other cases, hypothetically, more serious than those dealt with internally (see e.g. file nos. 175615; 1795557; 183763).

1.1.2) The subsequent request for documents of 31 March 2023 and Fastweb's response of 30 April 2023.

In light of the above, the Office with subsequent note prot. no. 1492653 of 31 March 2023 focused the investigation on the contacts made by four partner agencies that acquire personal data lists from their own list providers, inviting the owner, pursuant to art. 157 of the Code, to clarify, specifically:

- the methods of acquisition, by the partner agencies, of consent for commercial purposes as well as the methods of communication to third parties of the personal data thus collected;

- whether in collecting the consents they acted as data controllers or as data processors;

- what checks the Company carries out on the personal data lists thus acquired from its partners;

- in particular whether the version of the personal data lists, once transmitted to Fastweb, is the definitive one, or whether even after transmission the partner agency can continue to modify it.

In addition, a request was made for the list of promotional contacts made in the period between 1 October 2021 and 31 October 2022 using the lists thus acquired, as well as the number of contracts and activations carried out following the aforementioned contracts.

Finally, the Authority requested information:

- on the "order blocking" system, asking the Company to quantify the contacts blocked in the thirteen months selected and to specify the reason for each block (numbering out of the list, outgoing numbering not registered with the ROC or not authorized), also illustrating what measures the operator would have faced;

- on the status of decommissioning of the agency outbound call channel, as per the project shared with the Authority during the investigation of the previous provision no. 112 of 2021 (in www.gpdp.it. web doc. no. 9570997);

- to produce a list of purchase proposals (PDA) from its sales network that led to the activation of electronic communication services in the period from 6 March 2023 to 13 March 2023 inclusive (hereinafter also “sample week”), divided between “consumer” and “business”, in order to verify the correctness of the promotional contact.

The Company provided feedback with a note dated 30 April 2023 (ref. prot. 0070466/23) – for the truthfulness of which it is responsible pursuant to art. 168 of the Privacy Code – producing, upon request (accepted) for an extension of the terms, the list of PDAs perfected in the sample week and also representing that:

- some partners of the sales network who carry out outbound contacts in various capacities (and in particular, those remaining following the divestment activity started during the proceedings culminating with the injunction order no. 112 of 2021) have received authorization from the Company to collect contact data through their own portals or social initiatives, or to purchase personal data lists relating to business customers, for promotional processing exclusively attributable to Fastweb and in compliance with the instructions given by the same Company. This last faculty is reserved for those particular so-called Business Partner Agencies that deal with the promotion of Fastweb services towards business customers only. The lists that can be purchased in this way are in any case only those containing contacts whose source is the General Telephone Directory (ETG);

- on the contrary, "with a view to ensuring the best standards regarding/controls carried out on contacts/outbound and the legitimacy with respect to the processing of personal data", Fastweb partners are not authorized in any case to directly purchase contact lists relating to residential customers.

And in fact, as represented following provision no. 112/2021, this latter activity is carried out in a centralized manner exclusively by Fastweb alone. The lead collection activities, i.e. the so-called "Initiatives", in any case, must be previously authorized by the Company, and said authorizations are based on the presence of all compliance factors with current legislation;

- in cases where a Fastweb partner has been authorized to collect and use leads through its own web portal rather than a social initiative or its own lists of business customers, the same are subject to verification by Fastweb both prior and subsequent.

The process by which the so-called “Initiatives” or business customer lists are managed requires that, before the contacts are made, Fastweb is made aware of the details in order to carry out the appropriate checks and authorize the collection and use of the lists. Only after these have been successfully completed can the partner start collecting leads, which are then brought to the attention of Fastweb by previously uploading them to the XX portal dedicated to this purpose. At this point, it is possible to start contact activities on the numbers present in the uploaded list, on which, it should be remembered, control activities are also carried out (so-called mystery calls);

- the aforementioned master data are uploaded to the XX portal, through which the following are carried out:

i. deduplication activities with respect to Fastweb blacklists;

ii. management of overlapping to prevent the same master data from being assigned to multiple partners during the same planning, which makes the controls carried out more effective;

iii. assignment to the partner to carry out the outbound contact;

- with reference to the innovations introduced with regard to the Public Register of Oppositions (hereinafter also “RPO”), the Company represents that the contacts made on the same day on which the personal data are collected are in all respects lawful even in the absence of prior verification at the RPO. Conversely, when the contact occurs on a date subsequent to the date of collection of the consent, it is always preceded by a check of the number against the RPO, which is a condition of legitimacy of the processing.

- As a further measure, the company has then provided that the compensation for the sale made is paid to the partner with the constraint that the numbering used for the subscription of the same belongs to assigned lists. For further control, Fastweb carries out, through the third-party company XX, activities of so-called “PDA Validation”, whereby the number assigned to the partner via the XX platform is contacted, on which a sale has been declared, and it is verified that the call is answered precisely by the contract holder uploaded in the Order Entry system, as well as that the sales experience has followed the correct course.

- At the state of the art, over 50% of the contracts entered are verified and, of these, 100% confirm the subscription and the contract holder.

- The adoption of the so-called “order block” system prevents the insertion and consequently the activation of contracts that do not comply with the policies adopted by Fastweb for the protection of personal data. Before entering personal data, the Order Entry platform verifies that: i) the telephone number called was assigned by XX to that partner before contact; ii) the partner has entered a sales declaration on XX with the CF/P.IVA of the contact called. If these conditions are met, the Agency can enter the contract; alternatively, the system generates a “KO” and the contract cannot be entered.

Everything is further verified also with the cross-referencing by the Tool Log on which the LOGs of the outbound contacts carried out by the partners are loaded. That said, in the period from 1 October 2021 to 31 October 2022 this order blocking system generated 3324 KOs relating to attempts to enter contracts resulting from outbound contacts.

- Where the system blocks an entered order, Fastweb first requests the necessary clarifications from the Agency that attempted to enter it in breach of one of the imposed rules. If these clarifications are not sufficient and it is therefore a case outside the list or out of range or the use of an unregistered calling number, the matter is brought to the attention of the Sales Privacy Committee, the independent corporate body responsible for this.

- As regards the customer, the latter is informed of the incident in order to collect in a traceable manner the intention to continue with the activation.
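The order-block checks described by the Company above (assignment of the number before contact, sales declaration matching the CF/P.IVA, cross-check against the outbound call logs, RPO verification for contacts after the consent date) can be expressed as a single gate. This is an added illustration, not part of the decision and not Fastweb's code: the data model, all names, the sample records and the `NO_LOGGED_CONTACT` reason are assumptions, and the same-day RPO exemption is modelled only as the Company represented it.

```python
from dataclasses import dataclass
from datetime import date, datetime
from enum import Enum
from typing import Optional


class KO(Enum):
    OUT_OF_LIST = "number not assigned to this partner before the contact"
    NO_SALES_DECLARATION = "no sales declaration for this CF/P.IVA"
    CALLER_NOT_IN_ROC = "calling number not registered in the ROC"
    RPO_NOT_VERIFIED = "contact after the consent date without a prior RPO check"
    NO_LOGGED_CONTACT = "no outbound call found in the partner's logs"  # assumed reason


@dataclass(frozen=True)
class Assignment:
    assigned_at: datetime                  # when the portal assigned the number
    consent_date: date                     # when the lead's consent was collected
    rpo_checked_on: Optional[date] = None  # last check against the RPO, if any


@dataclass(frozen=True)
class Call:
    partner: str
    caller: str    # outgoing number used by the partner
    callee: str
    at: datetime


@dataclass(frozen=True)
class Order:
    partner: str
    number: str
    tax_id: str    # CF/P.IVA given in the contract


def check_order(order, assignments, declarations, call_log, roc_numbers):
    """Return the KO reasons for an order; an empty list means it may be entered."""
    calls = sorted(
        (c for c in call_log
         if c.partner == order.partner and c.callee == order.number),
        key=lambda c: c.at,
    )
    if not calls:
        return [KO.NO_LOGGED_CONTACT]
    first = calls[0]
    reasons = []

    # i) the number must have been assigned to this partner before the contact
    assignment = assignments.get((order.partner, order.number))
    if assignment is None or assignment.assigned_at > first.at:
        reasons.append(KO.OUT_OF_LIST)
    # ii) a sales declaration must exist for the same CF/P.IVA
    if (order.partner, order.number, order.tax_id) not in declarations:
        reasons.append(KO.NO_SALES_DECLARATION)
    # log cross-check: every logged call must come from a ROC-registered number
    if any(c.caller not in roc_numbers for c in calls):
        reasons.append(KO.CALLER_NOT_IN_ROC)
    # RPO: a contact on a day after consent collection needs a prior RPO check
    if assignment is not None and first.at.date() > assignment.consent_date:
        checked = assignment.rpo_checked_on
        if checked is None or checked > first.at.date():
            reasons.append(KO.RPO_NOT_VERIFIED)
    return reasons


# Constructed sample data (fictitious numbers, partners and tax ids).
ROC = {"0200000001"}
ASSIGNMENTS = {
    ("agency-a", "3330000001"): Assignment(datetime(2023, 3, 6, 9), date(2023, 3, 6)),
    ("agency-a", "3330000002"): Assignment(datetime(2023, 3, 6, 9), date(2023, 3, 1),
                                           rpo_checked_on=date(2023, 3, 5)),
    ("agency-a", "3330000003"): Assignment(datetime(2023, 3, 6, 9), date(2023, 3, 1)),
    ("agency-b", "3330000004"): Assignment(datetime(2023, 3, 7, 15), date(2023, 3, 7)),
}
DECLARATIONS = {
    ("agency-a", "3330000001", "TAXID-0001"),
    ("agency-a", "3330000002", "TAXID-0002"),
    ("agency-a", "3330000003", "TAXID-0003"),
    ("agency-b", "3330000004", "TAXID-9999"),
}
CALL_LOG = [
    Call("agency-a", "0200000001", "3330000001", datetime(2023, 3, 6, 10)),
    Call("agency-a", "0200000001", "3330000002", datetime(2023, 3, 7, 10)),
    Call("agency-a", "0200000001", "3330000003", datetime(2023, 3, 7, 11)),
    Call("agency-b", "0200000099", "3330000004", datetime(2023, 3, 7, 12)),
]
ORDERS = [
    Order("agency-a", "3330000001", "TAXID-0001"),
    Order("agency-a", "3330000002", "TAXID-0002"),
    Order("agency-a", "3330000003", "TAXID-0003"),
    Order("agency-b", "3330000004", "TAXID-0004"),
    Order("agency-a", "3330000005", "TAXID-0005"),
]


def run_sample():
    """Evaluate every constructed order and map its number to the KO reasons."""
    return {o.number: check_order(o, ASSIGNMENTS, DECLARATIONS, CALL_LOG, ROC)
            for o in ORDERS}


if __name__ == "__main__":
    for number, reasons in run_sample().items():
        print(number, "OK" if not reasons else [r.name for r in reasons])
```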

1.1.3) Verification of the opposition register managed by the Ugo Bordoni Foundation.

In order to carry out the necessary checks regarding the correctness of the aforementioned telemarketing activities, on 28 September 2023 the Office sent the Ugo Bordoni Foundation, manager of the Public Register of Opposition, a list of 6,592 telephone numbers taken from the approximately thirty thousand PDAs activated in the sample period 6-13 March 2023.

In this context, information was requested, pursuant to art. 157 of the Code, on which customer telephone numbers, as of 31 January 2023, had been registered in the RPO, requesting that the results also include registrations prior to the entry into force of Presidential Decree 27 January 2022, n. 26 of establishment of the new register, and in particular to 27 July 2022, the date on which the registrations in the old register were transferred to the new one (art. 7, co. 11 ibidem).

On 2 October 2023, the aforementioned Foundation sent its response, from the analysis of which it was found that 511 telephone users were registered in the Public Register of Oppositions at the time of the promotional calls made by this Company, equal to approximately 7.75% of the total number of users contacted in the sample period.

1.1.4) Contestation of the violations and defenses of the Company.

The Office, in light of all the elements and documents acquired overall, adopted the aforementioned act of initiation of the proceeding no. 139761 of 12 October 2023 in which, in summary, it considered the company's conduct to be in possible conflict with the regulations on personal data under two aspects:

- the access of company personnel unrelated to the management of open cases for the resolution of technical problems - and therefore not "authorized" pursuant to art. 29 of the Regulation - requires assessing the possible violation of art. 5, par. 1, letter f) and 32, par. 1. letter b), of the Regulation;

- having contacted 511 telephone users in the context of telemarketing activities carried out in the sample period from 6 to 13 March 2023, while the same users were registered with the RPO - with the consequent restriction of non-contactability - entails the identification of the conditions for the violation of art. 130, paragraphs 3 and 3-bis of the Code, concerning electronic communications, as well as, more generally, art. 6, paragraph 1, letter a) of the Regulation, with regard to the lack of the necessary legal basis of consent to legitimise the processing of the data in question for promotional purposes.

Following the initiation of the proceedings, the Company submitted its own defence briefs on 14 November 2023 (ref. prot. 153235/23), with which, together with the hearing held at the Authority's headquarters on 5 December 2023 (ref. internal prot. 0162150/23), it requested the archiving of the proceedings on the basis of the following reasons.

First of all, with regard to the alleged access of unauthorised personnel to the management of the technical problems underlying the alleged violation of art. 5, paragraph 1 and 32, paragraph 1, letter b) GDPR, it would be necessary, in the opinion of the Company, to make some distinctions.

One thing would be, in fact, the processing of telephone data in the cases referred to in two of the three contested files, nos. 175615 and 179555, carried out, in these cases, by a self-styled third-party network operator, in this case XX, on the basis of interconnection agreements for the provision of termination services on fixed and mobile networks.

In particular, according to these agreements, the virtual operator, in the case in question Fastweb, uses the physical infrastructure owned – or managed – by another telecommunications operator, in the case in question XX, for any intervention on the network, activation or support (selection of faults or requests for assistance).

With the latter, in compliance with the provisions of AGCOM, Fastweb shares information necessary for the execution of service contracts, such as user data. This occurs through IT systems whose operation and compliance with security standards is the sole responsibility of the host operator owner of the network, in the capacity of independent data controller, i.e. always XX.

On this point, Fastweb also recalls what was already illustrated during the investigation that led to the previous provision no. 112 of 25 March 2021.

In fact, already in the defensive documents of that proceeding, the Party complained, also with complaints presented to this Authority, that the illicit processing of telephone data of its customers could be traced back to illegal accesses to databases held by XX, as also attested by proceedings initiated by other Supervisory Authorities, for the profiles of their competence, in relation to the same facts.

With regard to the competitive sphere, in particular, the Company during the hearing reiterated the need for the owner of the line to adopt standardized conditions, also in light of the legislative and regulatory provisions that govern the sector, such as, respectively, the Electronic Communications Code (Legislative Decree 1 August 2003 no. 259) and the AGCOM resolutions regulating interconnection services.

A completely different story, however, concerns the other of the three disputed files, no. 175615, arising from episodes of harassment and threats for having refused commercial offers, received from a Fastweb customer and coming from unknown persons.

Following well-founded suspicions about a call center operator, the Company carried out targeted checks and identified, criminally reported and sanctioned the person responsible for such offences.

This highlighted how the sending of offensive and threatening text messages, later traced back to the employee in question, is a serious fact but not attributable to the Company through its duty to prove the adoption of adequate models for the prevention of the violation of personal data in its internal organization. This is because the perpetrator of the facts had the right to process, among other things, that data, according to the system of distribution of tasks and duties within the company, and even if limited to the promotional purposes that characterized the role of the operator in question.

However, the Company could have done nothing if the employee authorised to process personal data for a certain purpose had decided to use it, as it then was, to send inappropriate content: the fact does not fall within the type of risks from which the company is normally required, in general, to protect itself by identifying security measures.

For this purpose, those already prepared in compliance with the previous corrective and sanctioning provision no. 112 of 2021 (to which the party refers) and which ordered "the adaptation of the security measures for access to its databases in order to eliminate or in any case significantly reduce the risk of unauthorised access and processing not in accordance with the purposes of the collection." 

As for the dispute referred to in point no. 2), from the total of 511 numbers considered in the sample period, 285 should be preliminarily excluded since, although they belong to subjects registered in the Public Register of Oppositions since before the day of contact, they were not used by the owner for promotional or recontact purposes, since they were customers who purchased Fastweb services in person, or at a store or at a point of sale, and not through tele-selling.

The Office's investigation should therefore be limited to the numbers in the sample period actually contacted for the remote purchase of Fastweb services, corresponding to 226 numbers, or approximately 3.43% of the total of 6592 sample numbers.

In this context, it would be necessary to further distinguish between, on the one hand, (i) inbound calls and (ii) websales calls (the latter in turn divisible between call-me-back and comparators), made by virtue of the interested party's consent after the date of registration in the Register and therefore legitimate pursuant to art. 1, co. 6 of Law no. 5 of 11 January 2018.

On the other hand, outbound calls (iii) would require separate treatment. In fact, where these are made to numbers of non-customers, deriving from lists acquired in compliance with the principles imparted by the owner, they would presuppose the acquisition of the interested party's consent in a legitimate manner.

Furthermore, the number is always checked in the Register of Oppositions every time a "cold" promotional call is planned, i.e. on a day following the day of acquisition of consent.

As for calls to its customers' numbers, these, according to Fastweb, would in themselves be legitimate even in the absence of marketing consent, as they are the result of a legitimate corporate interest in offering its customers improved services or in any case linked to those already purchased.

1.2.1) The second procedure: the request for information of 28 November 2023 and the response from Fastweb S.p.A. of 19 December 2023.

With a subsequent request for information dated 28 November 2023, ref. prot. 0158998/23, the Office submitted to Fastweb S.p.A. the report ref. prot. 167397/23 concerning the alleged illegitimacy of the web form for modifying consents that the same had sent via email to customers on the occasion of the changes to the information on data processing.

In fact, the report revealed that when the new information was inserted into the privacy policy regarding the retention of customers' personal data for promotional purposes, including telephone numbers, for up to 24 months after the termination of the contract, customers were submitted a pre-filled consent form such that, in the absence of any selection by the interested party, the retention of data (including telephone numbers) for promotional purposes was considered permitted.

Conversely, the procedure for making any changes to consents appeared to lack the saving function, which in any case made the right to object to the processing unexercisable.

The company, with a response note dated 19 December 2023 (ref. prot. 167397/23), explained, first of all, that the option to save changes was regularly recognised by the specific function located at the bottom of the consent modification page.

Secondly, the company denied the violation of the opt-in principle as it was not applicable in the case in question: on the contrary, the legal basis for the retention of contact data of former customers for promotional purposes would be the mere legitimate corporate interest in sending commercial communications even after the contracts have ended, for 24 months and until they object.

1.2.2) The contestation of the violations and the company's defences.

The Office, in light of all the elements and documents acquired overall, adopted a new act to initiate proceedings no. 25538 of 29 February 2024 in which, in summary, it considered the company's conduct to be in possible conflict with the regulations on personal data under the following additional profiles:

- the processing of customer data, ongoing and terminated less than 24 months ago, for promotional purposes, declaredly carried out on the basis of legitimate interest not opposed, would be in violation of Articles 6 of Regulation (EU) no. 679/2016 and 130 of the Privacy Code which instead identify the prior and unambiguous consent given, for each contact data (including telephone number) as the only legal basis for sending promotional electronic communications, even for services connected or linked to those already purchased (with the sole exception of Article 130 paragraph 4 of the Code, which cannot be invoked in the case in question, as discussed in detail below);

- without prejudice to the unsuitability of the legal basis of legitimate interest for the processing in question, as regards the need to cultivate a qualified relationship with its ceased customers, in order to bring it back to the legal basis of legitimate interest, it does not seem justifiable in any case that it continues indiscriminately for all contact data known to the company for a period as long as 24 months from cessation, with possible prejudice to the rights and freedoms of the interested parties based on the provisions of Articles 5, paragraph 1, letter c), e) and 2 of the Regulation respectively in terms of data minimization, storage limitation and accountability;

- the privacy policy does not comply with the principles of clarity, transparency and ease of understanding pursuant to Article 12, paragraph 1 of the Regulation. The processing operations carried out in the context of the execution of the contract and those for advertising purposes, to which the respective legal bases are linked, are dealt with incompletely. In fact, it turned out that only some promotional processing is expressly linked to the legal basis of consent: others, such as the one disputed (specifically the update of the offer and promotions that allow discounts or advantages on services already activated), despite having the same legal nature, are considered to be forms of data processing for contractual purposes.

- Fastweb failed to promptly and exhaustively respond to various requests for the exercise of rights by customers, which they complained of having been violated for various reasons.

The company, after deferring the deadline for submitting the written defense referred to in art. 166, paragraph 6 of the Code, which the Authority recognized in accordance with the regulatory provision referred to in art. 13 of Regulation no. 1 of 2019 of the Office of the Guarantor concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data (in www.gpdp.it, web doc. no. 9107633, also “Regulation no. 1/2019”), with a memorandum dated 15 April 2024 (ref. prot. 47417/24) first of all observed that file no. 133009 is the same as the procedure that led to provision no. 112 of 25 March 2021, as well as the present procedure initiated with an act of 12 October 2023 (ref. prot. 139761/23) and continued with an act of 29 February 2024 (25538/23).

As for the new processing of personal data announced with the update of the information sent to the Customer Base and consisting in the sending of information about the goods and/or services offered by Fastweb for 24 months from the termination of the contractual relationship and subject to any opposition by the interested party, which constitutes the main object of this dispute, the company has offered some clarifications.

First of all, both the planning of the campaign and the carrying out of individual contacts towards customers and former customers would be validly supported by the legitimate corporate interest in bringing the initiatives in question to their attention, regardless of their consent.

In any case, no sending of promotional material, not even the one in question, was carried out without sending the updated information, as proof of the utmost attention to the protection of customer data in the exercise of business activity.

The company, in carrying out an in-depth assessment of the interests at stake, in order to fairly balance the corporate interest with the protection of the rights of the interested former customers, has identified specific limits in the performance of the promotion in question, including for example a suitable period of time to object to the processing and the reminder of the right to object which, if exercised, entails exclusion from the contact lists.

In particular, Fastweb considered the procedure as highlighted above to be legitimate by virtue of what is established by recital 47 of the Regulation on direct marketing, and the internal discipline would be a confirmation of this: art. 130, paragraph 1 of the Code, which implements art. 13 of Directive 2002/58/EC, should be interpreted as a rule that, exceptionally, legitimises electronic communications for promotional purposes on the basis of the consent of the interested party only when these are carried out through the use of automated systems or without the intervention of an operator (a rule that the following paragraph extends to electronic mail, messages and other types of automated communications). Conversely, the telephone calls with an operator referred to in paragraph 3 of the same article would fall within the general discipline, in application of articles 6 and 7 of the Regulation.

In this context, the fourth paragraph on the so-called soft spam, in legitimizing the use, in the absence of consent, of customers' email coordinates for direct marketing purposes limited to services or products of the owner similar to those subject to a previous sale, would be the expression of a general principle, applicable, albeit only in the context of relationships with the Customer Base, also to contact data other than email, for example the telephone number. 

In this sense, a passage from the previous provision no. 112 of 25 March 2021 is also recalled where it is not excluded that "contacts based on legitimate interest may concern commercial proposals linked to services already offered to the customer", as well as a general provision of the Spanish Supervisory Authority, no. 1 of 26 June 2023, which reiterates the suitability of legitimate interest as a legal basis, in general, of communications for advertising purposes. 

With reference to the method of opposition and management of consents (point A.2 of the briefs), the company considered the web form under examination to be compliant with the current regulatory framework, since the legal basis indicated to justify all the contested processing, i.e. legitimate interest, would be unique for all contact data processed for promotional purposes: therefore, there would be no need to highlight any distinction within it since the interested party can exercise his/her opposition to the aforementioned processing both with reference to the overall purpose and by opting for specific contact channels (email, telephone, text message).

As for communications with terminated customers (point A.3 of the briefs), Fastweb has decided not to limit the storage aimed at sending promotional content to the only channel considered less invasive, i.e. email, firstly because art. 130 of the Code, in the interpretation offered by the party, would consider contact via telephone less invasive and therefore preferable to the e-mail address (the former in fact would retain margins of use even in the absence of consent, the latter instead is assimilated to automated systems and can only be used with prior consent). Secondly, also in terms of the effectiveness of the promotional message, the company believes that a message conveyed by voice, as it is more "human," can overcome the written one, which is colder and more asynchronous, especially in the case in question where the offer is formulated in the prevailing interest of the recipient and usually focuses on the updating of the infrastructures.

Even in terms of data retention, Fastweb represented that the retention of personal data of terminated customers for a period of 24 months would be legitimate, reiterating that the qualified relationship between the owner and the manager does not end with the conclusion of the contract and therefore the retention period identified seems appropriate to the purposes, also with a view to ensuring the best infrastructural technology on the market and in light of the case law of the Guarantor on customer loyalty programs (provision of 24 February 2005, in www.gpdp.it, web doc. no. 1103045).

In any case, consistently with the fact that, according to the owner, the legal basis for the processing of both types of data is identical (i.e., once again, legitimate interest), the retention period should also be the same (moreover, a differentiation would lead to the development of unsustainable business processes, as the proposal or offer of the service would not be abstractly categorizable based on its effectiveness of transmission via email rather than through the use of the telephone number).

Having reiterated the need, as regards the retention period for promotional purposes, to align all contact data on a common threshold, the company has recognized that the retention limit of 24 months may be subject to changes.

With reference, then, to point B), relating to the violation of the principles of correctness and transparency of the information, already the subject, for other reasons, of the previous sanctioning provision no. 221 of 25 March 2021, Fastweb reiterated the correctness of its actions: the sending of communications for the purpose of "updating the offer", even if attributable, in the opinion of the Company, to the management of the contractual relationship, was instead linked to the different legal basis of legitimate interest, due to the promotional characteristics of the communications themselves.

More precisely, the company did not consider this formulation misleading since, considering it correct to base this latter type of processing (where also carried out via telephone contact) on legitimate interest, it did not consider it necessary to separate the treatment or to place it in paragraph no. 6 dedicated to processing based on consent.

Then, with regard to point C), regarding the lack of, incomplete or late response to requests to exercise the rights of interested parties pursuant to articles 15-22 of the Regulation, it would be necessary to distinguish:

- file no. 323331 – the applicant reported the change, which he claimed was unsolicited, of the marketing consents to telephone contact. However, it was the applicant himself who requested the revocation of the marketing consent precisely on the occasion of an unwanted contact. Confirmation was given in the subsequent communications from the company's “no-reply” mailbox, of which the applicant confirmed receipt;

- files nos. 325741 and 317883 – following the termination of the contract, the complainant requested the company to delete his data; within 30 days of the request, Fastweb presented a generic impediment consisting of the malfunctioning of the system for closing the customer’s position. Following numerous reminders, the interested party, once the terms for responding to the request had expired, filed a complaint with the Authority. Following the opening of the file and during the dialogue now underway with the Office (in the case of file no. 325741, also with a request for information and a simultaneous invitation to join with respect to the company pursuant to art. 157 of the Code of 8 January 2024, ref. prot. 1915/24), the company, albeit late with respect to the original request (and, in the case of file 325741, in compliance with the requests of the Office), proceeded to delete the personal data of the interested party;

- file no. 292562 – a customer, following the termination of the contract for the fixed network service, complained that the data reported on the waybill for the return of the modem were transcribed incorrectly, above all his postal address. The company responded to the request for rectification with a delay of over five months, stating that the address reported in the letter (in both the recipient and sender fields) was that of the carrier appointed by Fastweb to receive the delivery of the modem, the processing of which was authorized for contractual reasons. Therefore, in the case in question, there had been no error but a simple operational indication for the correct dispatch of the package;

- file no. 316719 – the reporting party complained of several fraudulent telephone calls from so-called Fastweb operators with the purpose of migrating to another operator. The telephone numbers cannot be traced in any way to the Company, which in fact immediately reported them to the Public Prosecutor's Office following the report. On the assumption that the processing had been carried out on behalf of or with the participation of Fastweb, the reporting party exercised its rights pursuant to Articles 15-22 of the Regulation, and the Company provided feedback directly through the call center operator contacted;

- file no. 331661 – the complainant, faced with some unwanted promotional contacts from the company in question, filed a request for compensation for damages via PEC, intending at the same time to revoke the marketing consent given at the time of the conclusion of the contract with Fastweb. The company, more than a month after receiving the request, responded positively to the interested party's request.

2) EVALUATIONS BY THE AUTHORITY

It must be stated that this provision deals with the overall phenomenon of unwanted marketing and telemarketing, for which the Company has been the recipient of numerous provisions from the Authority over the years.

In particular, reference is made to provisions nos. 300 of 18 October 2012 (in www.gpdp.it, web doc. no. 2368171), 235 of 18 April 2018 (in www.gpdp.it, web doc. no. 9358243), 441 of 26 July 2018 (in www.gpdp.it, web doc. no. 9040267) and 112 of 25 March 2021 (in www.gpdp.it, web doc. no. 9570997), which imposed prescriptions, processing bans and administrative sanctions in relation to millions of contacts via telephone and text messages, which Fastweb and its sales network implemented without obtaining suitable consent from the subjects contacted.

The last provision, no. 112 of 25 March 2021, in particular, following an in-depth investigation, culminated with the injunction of multiple measures, including the provisions pursuant to art. 58, par. 2, letter d) of the Regulation to:

- adapt the treatments in the field of telemarketing in order to foresee and prove that the activation of offers and services and the registration of contracts occurs only following promotional contacts made by the Company's sales network through telephone numbers listed and registered in the ROC - Register of Communication Operators;

- reformulate the information relating to the "Call me back" service, specifically indicating the methods of recontact by Fastweb S.p.A. and, always in relation to the aforementioned service, to provide an automated method of deactivating the service;

- adapt the security measures for access to its databases in order to eliminate or in any case significantly reduce the risk of unauthorized access and treatments that do not comply with the purposes of the collection.

More generally, in the field of telemarketing and tele-selling, the Authority has adopted numerous provisions that have outlined the regulatory framework, including for other companies operating in the national territory (provisions nos. 143 of 9 July 2020, in www.gpdp.it, web doc. no. 9435753; 224 of 12 November 2020, in www.gpdp.it, web doc. no. 9485681; 183 of 13 April 2023; 81 of 8 February 2024, in www.gpdp.it, web doc. no. 9988710).

2.1) On the joining of the proceedings

The two proceedings initiated separately deserve to be joined pursuant to the aforementioned Regulation of the Guarantor no. 1/2019.

On the one hand, they concern identical issues, namely the programming and sending of electronic communications in the absence of an appropriate legal basis, contested in both the first and second act of initiation of the proceedings.

On the other hand, the additional charges that characterize the second proceeding concern the same controller, albeit for different processing of personal data (art. 10, co 4 of Regulation no. 1/2019).

Conversely, it is important to note that the separate handling of the proceedings and their definition independently of each other would give rise, in addition to a duplication of measures on closely related issues, to the possible valorization, to the detriment of the controller, of one as a previous violation of the other, relevant as an aggravating circumstance pursuant to art. 83, par. 2, letter e) of the Regulation.

2.2) With reference to the first proceeding

With reference to the first of the two disputes (point D1), Fastweb's defenses appear to be well-founded. In particular, the ECJ, in the judgment of its Third Chamber of 25 January 2024 (case C-687/21, BL v MediaMarktSaturn Hagen-Iserlohn GmbH), recently reiterated that the technical and organizational measures implemented by the controller require an assessment of adequacy in concrete terms: in that case, the fact that an employee of the controller, through isolated conduct, mistakenly delivered to an unauthorized third party a document containing confidential data does not in itself appear sufficient to deem the prevention measures adopted by the controller unsuitable.

This is even more true in the case of the Fastweb employee in question, who addressed offensive communications to a stranger that were not related to the work context, and did so not by mere mistake but on purpose.

With reference to the violations covered by the D2 dispute in the field of telemarketing, some distinctions must be made.

First of all, it must be noted, also following the defensive observations, that the numbers in the sample period actually contacted for the remote purchase of Fastweb services amount to 226 and not 511: the Company has in fact clarified that the remaining numbers refer to "in person" sales within Fastweb stores.

Among these 226, the contacts must be divided into three categories:

- 34 are inbound contacts and constitute the telephone activity received on the toll-free number.

- 139 are websales contacts, i.e. telephone recontact activities following a request made via the web on the company's website. This is a very widespread phenomenon among telephone companies, which Fastweb has already had to correct following the aforementioned provision no. 226 of 25 March 2021 (even for profiles other than those in question), according to which the Company initially receives an expression of interest in a generic recontact, if applicable, also for promotional purposes, registering it via a dedicated web portal and with the times and methods set out in the privacy policy, and then proceeding to recontact at a later time.

- 53 are outbound contacts, outgoing telephone contact activities only on numbers for which consent is acquired initially.

As for the first category, the consents expressed through requests for recontact to the toll-free number (inbound telesales) appear suitable to legitimise subsequent contacts made after 31 January 2023, the date taken as a reference by this Authority to verify the registration of the numbers contacted in the RPO.

In fact, art. 1, co 6 of law no. 5 of 11 January 2018, containing new provisions on the registration and operation of the register of objections and the establishment of national prefixes for telephone calls for statistical, promotional and market research purposes, states that registration in the RPO cancels only the consents previously given: those in question, however, as they are subsequent, are not subject to the effect of registration and therefore serve to legitimise subsequent recontacts for promotional purposes.

This is sufficient to justify inbound contacts, for which the expression of consent occurs at the same time as the telephone contact: since there is no interval between the two moments, it cannot even be assumed that any request for registration in the RPO occurs in the intermediate period.

Conversely, in the case of the 82 websales contacts acquired through the specific call-me-back function on comparison sites, although it is true that these consents are also subsequent to the date of registration in the RPO, there is still a time gap between the insertion of the telephone number and the recontact, which can begin on the same day but usually lasts for several days.

In this time frame, it may happen that the interested party, due to a change of heart, renews his/her registration in the RPO, with the effect of overriding, among the new marketing consents, also the one given via websales.

In fact, on the one hand it is specified that the marketing consent is completely optional: if the relevant box is not checked, it is still possible to successfully send the request to recontact the number for pre-contractual purposes only.

Furthermore, pursuant to art. 6, co 1 lett. a) of the Code of Conduct for telemarketing and tele-selling activities (provision of the Guarantor no. 70 of 9 March 2023, published in the Official Journal no. 73 of 27 March 2024 and which can be invoked as best practice regardless of its direct applicability to the case in question) a procedure should be provided for which there is no trace on the web page of the service in question, i.e. the so-called double opt-in, according to which the consent acquired online is confirmed by the interested party in response to an automatic verification message sent immediately after the transmission of the telephone number. This allows verification that the person being contacted is actually someone interested in the offer, and not an unrelated third party.

Finally, given that the RPO registration procedure is completed within one working day, if the recontact is scheduled and occurs on a day after the acquisition of marketing consent in the manner described (which is quite possible as reported by the information overall on the site and summarized here), the company has not demonstrated that it adopts, for the intermediate period in question, procedures for verifying RPO registrations.

It should also be noted that, with regard to the 82 recontacts that occurred in this manner by the so-called comparators (websites that allow the interested party to compare different operators based on the service requested, e.g. XX), the company in the supplementary notes of the hearing of 5 December 2023 (ref. incoming prot. no. 168558/23, page 2), states that the period of time between the expression of interest and the signing of the contract is usually a few days.

It should be noted that the criterion stated above, according to which if the contact occurs some time after the acquisition of consent it is necessary to proceed with a check of the numbering with the Register of Oppositions, is ordinarily followed by Fastweb in the case of outbound calls by telesellers (page 4 of the same supplementary notes), so there is no reason why the same criterion should not also be applied to the “Call me back” procedures.

It is true that the defense briefs give an account of an analogous check (and its negative outcome); however, these were one-off checks specifically carried out after the communication of the start of the procedure in question, and there is no trace of ex ante checks.

This omission is in conflict with articles 5 et seq. of the Presidential Decree of 27 January 2022, n. 26 (Regulation containing provisions on the establishment and operation of the public register of contractors who object to the use of their personal data and telephone number for sales or commercial promotions, pursuant to Article 1, paragraph 15, of Law 11 January 2018, no. 5) which establish the obligation to consult the RPO prior to telephone contact; this obligation is instrumental to the applicability of Article 130 of the Code, on the subject of commercial electronic communications based on consent.

Finally, as regards the 53 outbound calls, the consents are collected by the teleseller on the same day that the customers are contacted. In the event that the contact occurs later, a consultation procedure of the RPO is also carried out at the FUB to allow the processing of the telephone number for which the promotional consent is collected for a longer period.

However, with particular reference to calls made to propose the purchase of services and products similar to those purchased, i.e. 9 out of 53, these are considered lawful even in the absence of marketing consent when made to current customers (or, as set out in the previous paragraph, even former customers who ceased less than 24 months ago), with non-opposition to the legitimate interest of the company being considered sufficient in their case.

In fact, promotional calls were made using these methods to 9 of the 53 contested outbound contacts: of these, only registration with the RPO on 31 January 2023 is documented. No marketing consent after that date has been proven.

Nor, in this regard, does the thesis that commercial communications to one's customers (both current and ceased) do not require consent deserve acceptance; this conflicts with art. 130 of the Code.

In fact, art. 130 constitutes the transposition of art. 13 of Directive 2002/58/EC, which in turn regulates, at European level, unwanted communications via electronic instruments.

The supranational law establishes a dual principle.

On the one hand, it is established, to guarantee the interested party, that the only legal basis permitted for sending advertising material via electronic means is the consent of the latter (opt-in rule), thereby excluding all the others provided for by Articles 6 et seq. of the Regulation.

This rule applies to the aforementioned Article 130, paragraph 1 of the Code, which thus regulates telephone calls without the intervention of an operator.

Paragraph 2 of the same article then extends the same regulation to other types of electronic communications such as email and SMS.

On the other hand, for contacts made with different means, including traditional telephone channels/with an operator, the aforementioned Directive left Member States the option of choosing whether to maintain the legal basis of consent (opt-in) or to justify the advertising activity of the owner only on the basis of the data subject's failure to refuse (opt-out), which can be exercised, in Italy, by registering the user in the Public Register of Oppositions.

The opt-out rule is considered a point of balance between business activity, marketing and the data subject's right to object, therefore it is adopted by the European legislator as the only alternative for less invasive communications, such as non-automated/operator-based ones.

In implementing the supranational legislation examined, art. 130 of the Code therefore adopts the opt-in as a general rule, implementing the opt-out only in paragraph 3-bis with reference to the use of the telephone (obviously only with an operator, because automated telephone calls, as mentioned, are subject to opt-in under the first paragraph) and paper mail.

The provision applies only to numbers and postal addresses published in the lists of contractors referred to in articles 129 et seq. of the Code.

With reference, however, to reserved postal addresses and reserved numbers, since the Italian legislator has not expressly provided anything, the general rule of electronic communications for advertising purposes, i.e. opt-in, applies.

Confirmation of this can also be found in the specific regulation of the aforementioned RPO.

In fact, Law 5/2018 - which has substantially changed the regulatory framework established by Presidential Decree no. 178 of 7 September 2010 and which regulates the establishment and functioning of the RPO - refers exclusively to processing based on previously expressed consents which, with the registration in the said Register, are revoked, "without prejudice to the consents given in the context of specific contractual relationships in existence, or ceased no more than thirty days ago" (see art. 1, paragraph 5, of the aforementioned Law 5/2018). From this it can be deduced that:

- a data controller who has a contractual relationship with an interested party can make promotional telephone communications to the latter only if he can document the possession of an appropriate consent.

In fact, if this remains valid despite the registration of the number in the RPO, it is even more valid to justify the processing in the absence of any opposition.

- Registration in the RPO does not serve to revoke the customer's consent, for whom, due to their particularly qualified position, other forms of revocation are provided.

This shows that the processing of customer data for advertising purposes is always supported by their consent, even if differently revocable than those who, not being customers, use the RPO to oppose it.

2.3) With reference to the second proceeding

In the second proceeding too, the main violation that emerged consists in having required customers to take action to refuse treatments that by law should always be prohibited by default.

First of all, on the defensive observation relating to the identity of the number of today's proceeding with the one that determined the adoption of the aforementioned provision no. 112 of 25 March 2021, it is highlighted that the file number is a mere container, which does not uniquely identify a single proceeding but is used by the Office to classify the documents, being attributable also to distinct proceedings, some concluded and others in progress.

With regard, then, to point A.1 of the parties' briefs, the following is noted.

The cited Recital no. 47, which does not have the force of law, does not refer to electronic communications, which are instead governed by the aforementioned art. 130 of the Code and with which the described system of corporate consents is in direct conflict.

The discipline applicable to the case illustrated requires, as examined in the previous paragraph, consent as the sole legal basis for the processing of telephone data for promotional purposes, regardless of whether the subjects are already customers.

Legitimate interest cannot be invoked as the legal basis for marketing activities, as declared by the Company in its response, since, in derogation of art. 130, paragraph 4, of the Code which governs the cases of so-called soft spam by admitting, under specific conditions, the sending of promotional communications without the consent of the interested party exclusively through the e-mail channel, any other promotional communication carried out outside of these conditions and using a different channel falls under the more general discipline of art. 130 of the Code, which provides as a legal basis only the consent of the interested party.

As illustrated in the previous paragraph, in fact, art. 1, paragraph 5, last sentence of law no. 5 of 11 January 2018, in establishing that for contractual relationships in existence (or terminated less than thirty days ago) registration with the RPO does not affect the revocation of consent to processing for marketing purposes, postulates precisely such consent as the legal basis for processing for promotional purposes even when these are referred to its customers.

Fastweb commits the interpretative error of considering the provisions of art. 130, paragraph 4 of the Code as exceptional only with respect to the first two paragraphs of the article in question, which establish consent as the only legal basis for automated telephone calls. By not recognizing, however, that the rule also has special scope with respect to paragraph 3 (which concerns telephone calls with an operator to public numbers), it erroneously considers it, like the latter, a provision further declaratory of Articles 6 and 7 of the Regulation, susceptible to application by analogy to all relationships, for promotional purposes, with the customer base, regardless of the choice of contact method, which would be left to the discretionary assessment of the owner rather than bound by the legislator to e-mail only.

By virtue of this interpretation, the company considers itself authorized to adopt legitimate interest as a legal basis for promotional activity tout court towards its customers, not only via e-mail but also through the traditional channel.

This interpretation is in obvious contrast with the law in question.

Article 130, paragraph 4 not only does not refer to the general discipline of articles 6 and 7 of the Regulation, but rather establishes a derogating discipline with reference to both this and the specific one regarding electronic communications for commercial purposes (articles 130, paragraphs 1-3-bis of the Code).

In fact, the provision does not identify a different legal basis for the so-called “soft-spam” towards its customers, but simply limits itself to not considering any of them necessary when the two conditions provided for therein apply: one subjective, regarding the audience of recipients, i.e. customers; the other objective, regarding the means of contact, i.e. the email address, and the content of the promotional message, which must be similar to the service purchased previously, so as to presume interest.

Only in the presence of these conditions does the rationale for privileging the qualified relationship already established as a result of the conclusion of a contract exist, being able to disregard consent.

Precisely because of the certainly exceptional scope of the provision in question, any form of analogy legis must be rejected, which is why any promotional communication carried out, even to its customers, with means other than email, such as in this case the telephone number, requires the choice of a specific legal basis, thus falling within the more general discipline of art. 130 of the Code and, in particular, the opt-in principle.

Moreover, the passage of the provision of the Guarantor no. 112 of 25 March 2021 referred to in the parties' briefs is taken from the argumentative process in support, in that provision, of the judgment of ascertainment of the violation consisting in the performance of marketing activities on the sole basis of the legitimate interest regarding services not originating from the owner but from third parties, towards which the interested party is completely extraneous and does not boast that qualified relationship that he has only with the owner and which would lead to the presumption of his interest in receiving the offers.

In this second proceeding, however, the legitimate interest is invoked not with regard to the content or origin of the message, but rather to the means of electronic communication used to convey it, given that this cannot be represented by the telephone number of the customers, but only by the email address.

Therefore, the violation, which in this provision is contested with regard to the channel chosen for the transmission of the promotional content, i.e. the performance of marketing activities to its customers in the absence of consent, is the same that in the previous provision had been charged with reference to the origin of the message from a third-party company.

For all the reasons set out, the system of promotional communications by Fastweb via electronic means of communication towards its customers is to be considered illegitimate for violation of arts. 6, par. 1, letter a), and 7 of the Regulation and art. 130 of the Code, as it is based on the opt-out and on the undue non-opposition to the legitimate interest, rather than on the opt-in.

In this sense, the methods of opposition and management of consents are also in conflict with the regulatory framework under examination (point A.2 of the briefs).

In fact, since the legal basis for the processing of data for telemarketing purposes is different depending on the tool with which the promotion takes place (by telephone with an operator, by telephone without an operator or with other automated messages, by e-mail or, finally, by paper mail), it must be justified differently for each of them: the processing for the purposes referred to in art. 130 of the Code of telephone data of customers/former customers can never be based on assessments tout court regarding the legitimate interest of the owner, but consent is required as the only condition of legitimacy and, to this end, the consent collection form must also reproduce this regulation.

On the contrary, the Company's consent management form allows the interested party, on the one hand, only to object tout court to the receipt of promotional communications and on the other, in the event of failure to object, to formulate preferences on the contact channel.

Consequently, the described model conflicts with art. 130 of the Code both because it configures the receipt of promotional electronic communications as an objection rather than a prior consent to the processing and because, for electronic communications via telephone only, it does not expressly link consent as the only legal basis provided for by art. 130 of the Code, thereby distinguishing them from those that occur with other channels.

With specific regard to communications to ceased customers (A.3 of the briefs), the choice of a legal basis other than that provided for by law is, in itself, sufficient to demonstrate the illegitimacy of the processing in question.

In addition, with regard to the application of the principle of minimization, according to which, in Fastweb's opinion and contrary to what the Office claims, the data to be retained would be the telephone number, as it is less invasive than the customer's email credentials, the following is noted.

Not the Authority, but Article 130 of the Code in question considers email credentials as less invasive data when it links them to greater possibilities of processing, which in fact is lawful even without consent (see soft-spam); instead, by telephone no advertising communication is ever legitimate in the absence of prior regular consent to processing, as widely illustrated.

Moreover, even arguing ad absurdum, and contrary to what is stated above, that the retention of only the customers' telephone numbers is more appropriate and pertinent, the company did not explain why, in this case, it did not consequently exclude other data deemed superfluous from retention.

In fact, it is true that in the context of minimization, the company is required to adapt the processing to the specific purpose it pursues, however the moment of evaluation must culminate, in practice, in the self-limitation of certain treatments, deemed unsatisfactory from the point of view of the invasiveness/effectiveness ratio and therefore avoided.

Fastweb does not review this conclusion, reserving however the right to retain data deemed less useful, i.e. e-mails, albeit in a subsidiary manner, which constitutes a further violation of the principle of minimization.

Even as regards the fact that the choice of the preferred channel would always be left to the interested party, because he is only asked to oppose each of these channels, this is not a well-founded statement: in fact, it is reiterated that, even in the absence of any choice, Fastweb considers it lawful to send advertising, indifferently, through each means of contact, including the telephone number, which again conflicts with the discipline referred to.

For the sake of completeness, and without prejudice to the critical issues highlighted above, it must be pointed out that, as regards the retention period of former customers' data, the aforementioned provision of the Guarantor of 24 February 2005 on loyalty programs, in art. 8 entitled "retention periods", identifies, in theory, a maximum term of 12 months for profiling activities and 24 months for marketing activities within which, for such purposes, customer data can be retained and otherwise processed. It should be noted, however, that these are abstract terms, to be implemented according to the principles of accountability, minimization and limitation of purposes (see also the injunction order of 20 October 2022, www.gpdp.it, web doc. 9825667) and that in any case they cannot be applied to processing hypotheses supported by legal bases other than the consent of the interested party.

Moreover, precisely because of the rapid obsolescence of technologies (which, according to the company on page 22 of its briefs, is also the reason why it is not possible to classify offers based on the effectiveness of transmission, in order to identify a single means for their communication), an excessively long retention period may lead to an ever-increasing number of unwanted promotions.

Sub-point B), regarding clarity and transparency of the information pursuant to art. 13 of the Regulation, in the previous provision of 2021 this had been found to be lacking for the aforementioned profiles connected to the origin of the offers from third parties rather than from the owner, who could not justify the processing of customer data on the basis of legitimate interest.

On the contrary, today's dispute refers to Fastweb's own processing, not third parties', and is considered unfounded on the basis of the fact that, in its opinion, not consent but legitimate interest was considered suitable to justify telemarketing activities, which justifies the treatment of these operations separately from the paragraph dedicated to the legal basis of consent.

The conclusion cannot be shared, for the same reasons as above.

As for the fact (which the party raises) that point 1 of the information notice, in which this activity can be placed, is explicit in referring to not only contractual but also advertising treatments, it must be noted that the information notice, in wanting to expressly refer to both, is also ambiguous in not equally clearly connecting the legal bases provided by law, which it is reiterated are different: in the case of advertising treatments by means of electronic communications (excluding emails) it is consent and not legitimate interest.

Although the company's thesis is shared according to which the more objectively advantageous a proposal is, the more easily it will be presumed that the interested party will consent to it being advanced by means of electronic communication (even traditional or by telephone), it, for the sole fact of having as its object a contract different from the one in force, still falls within the common discipline of art. 130 of the Code, according to which telephone promotion presupposes consent.

In other words, the fact that they are treated in the same paragraph, but distinct in the provision of the service and update of the offer, does not detract from the fact that the treatments in question needed to be distinguished also with regard to the legal basis of the treatment, which for telephone contacts cannot be legitimate interest.

As for the dispute under point C, regarding the failure to respond to requests to exercise the rights of interested parties pursuant to Articles 15-22 of the Regulation, the defenses appear to be well-founded as regards file no. 323331, whose report lacked the prior request (removed by the interested party when submitting it to the Authority) to modify the consents towards the owner, and file no. 316719, where the reporting party was able to verify, through verbal comparison, that the illicit contact came from subjects external to the company, obviously not authorized to process the data on its behalf.

With reference, instead, to files no. 325741, 317883, 292562 and 331661, all have in common that the company's response to the requests for exercising the rights of the interested parties (concerning respectively the erasure of data pursuant to art. 17 in the first two cases, the rectification of data pursuant to art. 16 and the opposition to the processing pursuant to art. 21 of the Regulation in the other two cases) arrived late, that is, after the deadline that art. 12, paragraph 3 of the Regulation assigns to the owner to provide feedback had expired.

In fact, in the case referred to in file no. 325741, the company responded to the interested party's request submitted on 21 August 2023 only on 8 January 2024 (furthermore, after the interested party had lodged a complaint in the meantime and the Office's subsequent invitation to comply with it).

The merely interlocutory response received on 21 September 2023, whose content referring to generic system malfunctions does not equate to an appropriate response, should not be considered.

The latter, although timely, is illegitimate as it is not based on any of the reasons set out in art. 17, paragraph 2 of the Regulation.

In the case referred to in file no. 317883, the company responded to the request for deletion of the interested party's personal data of 2 October 2023 only on 19 January 2024, with a delay of over three months.

In the case referred to in file no. 292562, the company responded to the request for rectification of the personal data on the consignment note for returning the modem at the end of the contract submitted on 19 July 2023, only on 27 November 2023, over four months later, without justifying the delay. The request in question, in fact, although unfounded in merit because it is the result of confusion by the interested party between the address of his home and the delivery address, still requires processing and verification within the aforementioned legal terms (even more so if one considers the ease with which it could have been resolved).

Finally, file no. 331661 also concerns a request for opposition to the processing submitted on 4 December 2023 and answered only on 9 January 2024.

In fact, even if the request was unfounded to the extent that the marketing consent, contrary to what was stated by the applicant, had indeed been given at the time of the conclusion of the contract (albeit in the form of a failure to object, therefore in an irregular manner, as widely illustrated in the previous paragraph), it could immediately be classified as a revocation of that consent and as such could have been promptly answered within the legal deadline starting from its submission.

For the reasons widely illustrated, the liability of Fastweb S.p.A. must therefore be confirmed with regard to the violations contested through the communications of initiation of proceedings pursuant to art. 166, paragraph 5, of the Code of 12 October 2023 and 29 February 2024.

3) CONCLUSIONS

For the above reasons, Fastweb is deemed to be liable for the following violations:

a) art. 130 of the Code (in relation to art. 5 of Presidential Decree no. 26 of 2022), and art. 5, par. 2, 24, par. 1 of the Regulation for having failed to consult the Public Register of Oppositions, in relation to 82 numbers contacted after the day of acquisition of consent to the sending of promotional communications using the websales method;

b) art. 4 no. 11), 5, par. 2, 6, 7, 24 and 25 of the Regulation and 130 of the Code for having provided for the sending of commercial communications to the telephone number of its customers during the contractual relationship and up to 24 months after termination, on the basis of mere legitimate interest rather than consent;

d) art. 5, par. 1 lett. a), lett. c) and lett. e); art. 5 par. 2; art. 6; art. 21, par. 2; art. 24, par. 1; art. 25 of the Regulation and 130 of the Code, all for having carried out the above-described processing of personal data of its customers in conflict with the principles of lawfulness, correctness and transparency of processing, with reference to data minimization, purpose limitation, accountability, in the absence of an appropriate legal basis, by implementing inadequate technical and organizational measures to guarantee, from the design stage, and to be able to demonstrate, that the processing is carried out, in all its aspects and at any stage and/or level, in accordance with the Regulation;

e) art. 12, paragraph 1, and 13 of the Regulation for having provided information lacking in terms of clarity, transparency and suitability with reference to the legal bases of the processing of customer contact data for promotional purposes;

f) art. 12, par. 3; 15-22 of the Regulation for not having responded within the time limits to the requests of the interested parties referred to in files 325741, 317883, 292562 and 331661.

Having also ascertained the unlawfulness of the Company's conduct with reference to the processing under examination, it is necessary to:

- order Fastweb S.p.A., pursuant to art. 58, par. 2, letter f) of the Regulation, to prohibit the processing of all numbers whose marketing consent is acquired through websales methods;

- order Fastweb S.p.A., pursuant to art. 58, par. 2, letter e) of the Regulation to massively inform all holders of numbers acquired through these methods of the violation perpetrated through their recontacting on the basis of uninformed, non-specific and non-unequivocal marketing consent;

- order Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation, to adopt a procedure for consulting the Public Register of Oppositions with references to the telephone numbers recontacted starting from the day after the one in which the websales marketing consents are acquired, monitoring compliance also with reference to the data controllers;

- order Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation, to use a double opt-in system, according to which the consent acquired online is always confirmed by the interested party in response to an automatic verification message sent immediately after the transmission of the telephone number;

- order Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation to reformulate the information with reference to the processing that makes up the “offer update”, treating it separately from the chapter on the provision of the service and basing it on as many legal bases as those provided for by law for the contact channels chosen for the promotional activity, specifying that, for telemarketing to reserved numbers, the only permitted legal basis is that of consent;

- order Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation, to adapt the “consents and contact preferences” form so that, in cases where consent is the only legal basis, such as that of marketing calls to reserved numbers, the interested party is put in a position to express it in the forms provided for by law, in particular so that consent: is given prior to any processing operation, including storage; is given in an express form, and not through failure to refuse or non-opposition; specifically refers to the type of electronic communication to be adopted, be it SMS, automated phone call or operator-assisted phone call; is formulated in such a way as to allow the interested party to consent to or deny a specific activity, and not simply to prefer it or not to prefer it;

- order Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation to inform the applicants referred to in the four files no. 325741, 317883, 292562 and 331661 that it responded to them with unjustified delay and that it has therefore been the recipient of this provision;

- order Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation to conclude the examination of the requests regarding the exercise of the rights of the interested parties within the deadline established by law, with an express and reasoned provision;

- adopt an injunction order, pursuant to Articles 166, paragraph 7, of the Code and 18 of Law no. 689/1981, for the application to Fastweb of the administrative pecuniary sanction provided for by Article 83, paragraphs 3 and 5, of the Regulation;

4) INJUNCTION ORDER FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to Articles 166, paragraph 7, of the Code and 18 of Law no. 689/1981, for the application to Fastweb of the administrative pecuniary sanction provided for by Article 83, paragraphs 3 and 5, of the Regulation (payment of a sum of up to € 20,000,000.00 or, for companies, up to 4% of the annual global turnover of the previous financial year, if higher).

To determine the maximum fine, it is therefore necessary to refer to the turnover of Fastweb, as obtained from the latest available financial statement (31 December 2023) in accordance with the previous provisions adopted by the Authority, and therefore this maximum fine is determined, in the case in question, at € 106,444,795.00 equal to 4% of the turnover indicated in the ordinary financial statement relating to the year 2023.

To determine the amount of the fine, it is necessary to take into account the elements indicated in art. 83, par. 2 of the Regulation;

In the case in question, the following are relevant:

1) the seriousness of the violations (Article 83, paragraph 2, letter a) of the Regulation), taking into account the object and purposes of the data processed, attributable to the overall phenomenon of unwanted telemarketing, in relation to which the Authority has adopted, in particular in the last four years, numerous provisions that have fully examined the multiple critical elements by providing the owners with numerous indications to adapt the processing to the legislation in force and to mitigate the impact of nuisance calls on the interested parties, most recently the Code of Conduct on telemarketing and tele-selling published in the Official Journal on 27 March 2024;

2) the circumstance that, in the previous sanctioning provision adopted by the Guarantor (No. 112 of 25 March 2021), Fastweb settled the dispute with the payment in a reduced amount, which determines, pursuant to Article 8-bis, paragraph 5, of Law No. 681/1989, the non-applicability of the aggravating circumstance referred to in art. 83, par. 2, letter e, of the Regulation;

3) as a mitigating factor, the degree and quality of cooperation shown with the Supervisory Authority in order to remedy the violation and mitigate its possible negative effects (art. 83, par. 2, letter f) of the Regulation);

4) as a mitigating factor, compliance with the previous provision of the Guarantor no. 221 of 25 March 2021 issued against Fastweb (art. 83, par. 2, letter i) of the Regulation);

Based on the set of elements indicated above, and on the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1, of the Regulation, it is believed that the administrative sanction of the payment of a sum of €1,000,000.00 equal to 0.93% of the maximum statutory sanction and 0.03% of the annual turnover should be applied to Fastweb.

In the case in question, it is believed that the accessory sanction of the publication of this provision on the website of the Guarantor should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019, taking into account the nature of the processing and conduct of the Company, as well as the elements of risk for the rights and freedoms of the interested parties.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 are met, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

GIVEN ALL THE ABOVE, THE GUARANTOR

- orders Fastweb S.p.A., pursuant to art. 58, par. 2, letter f) of the Regulation, the prohibition on processing all numbers whose marketing consent is acquired through websales methods;

- orders Fastweb S.p.A., pursuant to art. 58, par. 2, letter e) of the Regulation, to massively inform all holders of numbers acquired through these methods of the violation perpetrated through their recontacting based on uninformed, non-specific and non-unequivocal marketing consent;

- orders Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation, to adopt a procedure for consulting the Public Register of Oppositions with references to the telephone numbers recontacted starting from the day following the day on which the websales marketing consents are acquired, monitoring compliance also with reference to the data controllers;

- orders Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation to use a double opt-in system, according to which the consent acquired online is always confirmed by the interested party in response to an automatic verification message sent immediately after the transmission of the telephone number;

- orders Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation to reformulate the information with reference to the processing that makes up the "update of the offer", treating it separately from the chapter on the provision of the service and basing it on as many legal bases as those provided by law for the contact channels chosen for the promotional activity, specifying that, for telemarketing to reserved numbers, the only legal basis permitted is that of consent;

- orders Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation to adapt the “consents and contact preferences” form so that, in cases where consent is the only legal basis, such as that of marketing calls to reserved numbers, the interested party is put in a position to express it in the forms provided for by law, in particular so that consent: is given prior to any processing operation, including storage; is given in an express form, and not through failure to refuse or non-opposition; specifically refers to the type of electronic communication to be adopted, be it SMS, automated phone call or with an operator; is formulated in a way that allows the interested party to consent to or deny a specific activity, and not simply to prefer it or not to prefer it;

- orders Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation to inform the applicants referred to in the four files no. 325741, 317883, 292562 and 331661 that it responded to them with unjustified delay and was therefore the recipient of this provision;

- orders Fastweb S.p.A., pursuant to art. 58, par. 2, letter d) of the Regulation to conclude the examination of the requests for information on the exercise of the rights of the interested parties within the deadline established by law, with an express and reasoned provision;

- orders Fastweb S.p.A., pursuant to art. 157 of the Code, to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the administrative pecuniary sanction provided for by art. 83, paragraph 5, of the Regulation;

ORDER

to Fastweb S.p.A., in the person of its legal representative pro-tempore, with registered office in Piazza Adriano Olivetti n. 1 Milan, Tax Code and VAT no. 12878470157 to pay the sum of Euro 1,000,000.00 (one million/00) as an administrative pecuniary sanction for the violations indicated in the reasons, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, by complying with the provisions given and paying, within thirty days, an amount equal to half of the sanction imposed.

ORDERS

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 1,000,000.00 (one million/00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981.

ORDERS

The application of the accessory sanction of publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and 16 of the Guarantor Regulation no. 1/2019, and the annotation of the same in the internal register of the Authority - provided for by art. 57, paragraph 1, letter u), of the Regulation, as well as by art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor - relating to violations and measures adopted in accordance with art. 58, par. 2, of the Regulation itself.

Pursuant to art. 152 of the Code and 10 of Legislative Decree no. 150/2011, this provision may be contested by the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is based, within thirty days of the date of communication of the provision itself.

Rome, 20 June 2024

THE PRESIDENT
Stanzione

THE REPORTER
Stanzione

THE GENERAL SECRETARY
Mattei