Garante per la protezione dei dati personali (Italy) - 10134791
Garante per la protezione dei dati personali - 10134791 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 5(1)(a) GDPR; Article 6(1)(a) GDPR; Article 7 GDPR; Article 13 GDPR; Article 14 GDPR; Art. 130 c. 3-bis; Art. 130 c.3 d. lgs. 196/2003 |
Type: | Complaint |
Outcome: | Upheld |
Started: | 15.01.2024 |
Decided: | 29.04.2025 |
Published: | |
Fine: | 40,000 EUR |
Parties: | MA Immobiliare S.r.l.s. |
National Case Number/Name: | 10134791 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Italian |
Original Source: | GPDP (in IT) |
Initial Contributor: | cci |
The DPA fined a real estate agency €40,000 for unlawfully processing personal data for direct marketing and for failing to adequately respond to an access request.
English Summary
Facts
A data subject received unwanted marketing calls from real estate agency MA Immobiliare S.r.l.s. (the controller). In October 2023 the data subject filed an access request with the controller. In its response, the controller told the data subject that it received its contact information from data broker Realmaps S.r.l. The controller provided no other information and referred the data subject to Realmaps for the rest of his request, including the documentation of his consent to the initial collection of his contact data.
In January 2024 the data subject filed a complaint against the controller. During the procedure, the controller only offered scant information to the DPA and did not submit a defense or request to be heard.
Holding
The DPA first clarified that MA Immobiliare was a controller for the processing of the subject’s data. So, it could not “offload” its GDPR obligations to Realmaps. Rather, the controller had to respond to the data subject’s request and provide him with information about the processing of his data. Likewise, the controller had to track consent along the value chain and demonstrate the data subject’s consent to the original collection of personal data from Realmaps.
The DPA held that the controller failed to do so, in violation of Articles 5(1)(a), 6(1)(a), 7, 13 and 14 GDPR as well as Articles 130 paragraph 3 and 3-bis of the Italian data protection code[1]. The DPA clarified that the violations involved a large number of data subjects besides the complainant.
On these grounds, the DPA fined the controller €40,000. The DPA also ordered the controller to bring the processing of personal data into compliance by verifying consent along the data processing chain, by providing data subjects with the information required under Article 14, by implementing procedures to handle data subject requests correctly, and by erasing the data it acquired unlawfully.
Comment
The DPA fined other companies for unlawfully acquiring personal data from Realmaps and processing it for direct marketing. The DPA also fined Realmaps itself €100,000 for collecting personal data unlawfully and for other GDPR violations (a summary of the decision can be found here).
The operative part of the decision does not list Article 15 GDPR (right of access) among the violations. This might be an oversight, as the DPA noted in the motivation that the controller failed to properly reply to the data subject’s access request.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[web doc. no. 10134791]

Provision of 29 April 2025

Register of provisions no. 278 of 29 April 2025

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Dr. Claudio Filippi, Acting Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

HAVING SEEN the Personal Data Protection Code (Legislative Decree 30 June 2003, no. 196), as amended by Legislative Decree 10 August 2018 no. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the “Code”);

HAVING SEEN the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor’s regulation no. 1/2000;

REPORTER Dr. Agostino Ghiglia;

WHEREAS

1. THE INVESTIGATIVE ACTIVITY CARRIED OUT

With the complaint received by the Authority on 15 January 2024, Mr. XX complained about receiving unwanted telephone calls from MA Immobiliare S.r.l.s. (hereinafter «MA Immobiliare» and «Company») which, in response to the request made by the interested party on 24 October 2023, represented that it had acquired the contact details from Realmaps S.r.l. (hereinafter also «Realmaps» and «supplier») of which the email address to contact to obtain information on the processing of personal data was indicated, including "tracking" of any consent given for commercial purposes.

The Realmaps company was the subject of a separate investigation, conducted in April 2024, which allowed the Authority to ascertain several critical issues in the processing of personal data intended for real estate agencies for marketing purposes (provision no. 11 of 16 January 2025, available at www.gpdp.it [web doc. no. 10110241]).

Considering, from what has emerged in the documents, that the Company is included among the Real Estate Agencies to which Realmaps would have provided data for promotional purposes, on 21 May 2024 the Office formulated a request for information (ref. prot. no. 61527/24), pursuant to art. 157 of the Code, aimed primarily at clarifying the relationships with the aforementioned supplier and to know the obligations regarding the protection of personal data that MA Immobiliare has implemented in relation to the lists acquired, with particular reference to:

- the verification of an original informed consent that authorized their use for commercial purposes;
- the information provided during the telephone calls as well as the call script used;
- the verification in the Public Register of Oppositions of the users contacted;
- the management of the requests for opposition submitted by the interested parties.

With a communication dated 12 June 2024, the Company responded to the aforementioned request of the Office by attaching the contractual documentation signed with the supplier and stating that it was not “aware of how the company Realmaps S.r.l. operates and how it obtains the relevant consents”; it also claimed to have contacted “about a hundred people” among those indicated in the lists acquired from the aforementioned supplier. With regard to the obligations regarding information and management of requests for opposition made by interested parties, the Company declared that it was not “able to give a certain answer” and that it did not consult the Public Register of Oppositions.

2. THE DISPUTE OF VIOLATIONS

With a note dated 2 July 2024 (prot. no. 0081217/24), the Company was informed of the initiation of the procedure, pursuant to art. 166, paragraph 5, of the Code, for the adoption of any measures referred to in art. 58, par. 2, of the Regulation, recognizing MA Immobiliare's liability for the alleged violation of the following provisions of the Regulation:

- art. 5, par. 1, letter a), 6, par. 1, letter a), 7, 13, 14 of the Regulation and art. 130, paragraphs 3 and 3 bis, of the Code for not having verified, nor documented, the conditions of lawfulness of the data acquired by the supplier (information and consent) and for not having carried out the check in the Public Register of Oppositions of the users contacted;
- art. 12 and 15 of the Regulation since the response to the requests of the interested parties regarding the processing of their personal data is subject to the necessary comparison with Realmaps which holds such information, determining a potential delay in the processing of the aforementioned requests and a non-complete satisfaction on the part of the applicant;
- art. 5, par. 2, 24 and 25 of the Regulation for not having demonstrated the fulfilled obligations in terms of personal data protection.

3. LEGAL ASSESSMENTS OF THE AUTHORITY

The Company did not submit defensive briefs, nor did it ask to be heard by the Authority but simply sent, on 18 July 2024, a copy of the 2023 financial statements.

Based on the factual profiles highlighted above and the statements made by MA Immobiliare during the response, for which the declarant is responsible pursuant to art. 168 of the Code, it is believed that the violations identified in the notice of contestation should be confirmed.

MA Immobiliare is to be considered the owner, pursuant to art. 4 of the Regulation, having specifically determined the purpose for which the processing was carried out (promotion of its services) and the telephone channel used for this purpose.
The same Company is therefore directly responsible for both the obligations imposed by the legislation on the protection of personal data and the responsibility for the violations detected.

From the answers, albeit brief, that the Company provided to the Authority with the communication of 12 June 2024, a total lack of checks of the lists acquired by Realmaps emerges, to which, from what can be understood, all requests for the exercise of rights advanced by interested parties who intend to have information on the processing of their personal data are addressed. In fact, already in the pre-investigation phase, there is evidence of this operating method since the interested party was immediately invited to contact Realmaps to obtain proof of the alleged consent given to communication to third parties for commercial purposes (see e-mail of 26 October 2023). This redirection, in the reconstruction made by the Company, would shift the responsibility exclusively to Realmaps and, above all, would relieve MA Immobiliare from any obligation to provide information and control over the processing carried out in its interest, completely abdicating its role as owner.

That said, it does not appear that MA Immobiliare, the data controller, has produced documentation proving the existence of the requirements for the lawfulness of the personal data acquired by Realmaps. In particular, the Company has not verified, and therefore proven, the release of the information to the interested parties by the original owner who acquired the data; similarly, any alleged consent to communication to third parties (including MA Immobiliare) for marketing purposes that the interested parties would have given has not been proven, nor, therefore, has it been verified whether such authorization complied with the requirements of freedom and specificity (pursuant to art. 4, point 11, of the Regulation), with inevitable repercussions on the legitimacy of the Company's promotional activity as well.

It should also be noted that the Company did not produce, during the verification, the call script used for promotional contacts nor, from the documentation in the files, does it appear to have provided the interested parties, on the occasion of unwanted phone calls, with the necessary information, pursuant to art. 13 of the Regulation, with which to make known the most relevant aspects of the processing of personal data (nature, origin of the data, legal basis) and the rights pursuant to arts. 15 - 22 of the same Regulation. Partial information (exclusively on the origin of the data) was provided to the interested party only following a formal request, demonstrating that the telephone contact occurred in violation of the principles of lawfulness and transparency.

Added to this is the fact that MA Immobiliare represented not to verify in the Public Register of Oppositions (so-called RPO) the registration of the users receiving the promotional contacts. In this regard, it should be noted that the verification in the aforementioned Register must be considered a precondition for being able to correctly carry out telemarketing activities and failure to consult it can only determine the impossibility of starting any promotional campaign for which the use of the telephone is foreseen.

Ultimately, the described processing gave rise to the making of promotional telephone calls in the absence of informed consent from the interested parties, since the Company did not produce evidence to document their acquisition, and without having verified the registration in the RPO of the users contacted.

Therefore, the violation of Articles 5, paragraph 1, letter a), 6, paragraph 1, letter a), 7, 13, 14 of the Regulation and Article 130, paragraphs 3 and 3 bis, of the Code, not only in relation to the case referred to in the complaint, but in the complex of the treatments carried out by MA Immobiliare and related to the personal data acquired by Realmaps.

From what is represented in point 1 of this provision, it emerges that the response to the interested party regarding the processing of his/her personal data inevitably passes through the requests that the latter is required to address to Realmaps. This method of redirection determines a potential delay in the processing of the interested party's requests and conflicts with the owner's obligation to provide timely response "without unjustified delay", integrating the violation of articles 12 and 15 of the Regulation.

The processing described above provides a picture of inadequate control and failure to comply with the rules on personal data protection. The Company has not provided elements to prove the lawfulness of the processing, with particular regard to the fulfillment of the information and consent. In the absence of adequate controls on the entire processing chain (from collection to the implementation of the promotional campaign), the marketing activity violates Articles 5, paragraph 2, and 24 of the Regulation, which frame the controller's responsibilities in a perspective of necessary enhancement of the principle of accountability aimed at proving the fulfillment of the obligations carried out in terms of personal data protection, also taking into account the principle of privacy by design (Article 25 of the Regulation).

It should be noted that already with the validity of the previous state legislation, but even more so today with the introduction of the aforementioned principles in the context of the unitary legislation, in no way can the provision of a contractual indemnity clause exempt the owner from carrying out the necessary activities in order to prove that the processing has been carried out in compliance with the principles of lawfulness, transparency and correctness from which the provisions on the legal basis and information derive.

4. CONCLUSIONS

In light of the arguments referred to in point 3 of this provision, the contested violations are considered confirmed and it is necessary:

- pursuant to art. 58, par. 2, letter f) of the Regulation, prohibit any further processing for promotional and commercial purposes carried out through lists acquired by Realmaps for which the Company does not have free, specific and informed consent from the interested parties (articles 6 and 7 of the Regulation, as well as 130 of the Code);
- pursuant to art. 58, par. 2, letter d), of the Regulation, order the deletion of such data without delay, except for those that are necessary to retain for the fulfillment of a legal obligation or for the defense of a right in court as well as for any other purpose that does not require informed, free, specific, documented and unequivocal consent of the interested party;
- pursuant to art. 58, par. 2, letter d) of the Regulation, order the Company, if it intends in the future to direct promotional activity towards telephone numbers provided by third parties, to adopt suitable procedures aimed at constantly verifying, also through adequate sample checks, that personal data are processed in full compliance with the provisions in force (prior acquisition of free, specific, unequivocal, documented, as well as informed, consent of the interested parties for the sending of commercial communications) (articles 6, 7 and 14 of the Regulation);
- pursuant to art. 58, par. 2, letter d), of the Regulation, order to proceed without delay to the deletion of said data, except for those that are necessary to retain for the fulfillment of a legal obligation or for the defense of a right in court as well as for any other purpose that does not require informed, free, specific, documented and unequivocal consent of the interested party;
- pursuant to art. 58, par. 2, letter d) of the Regulation, order, for the purposes of the information obligation referred to in art.
13 of the Regulation, to provide the interested parties with all the information provided for therein;
- pursuant to art. 58, par. 2, letter d) of the Regulation, order MA Immobiliare to adopt adequate technical and organizational measures to facilitate the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without unjustified delay, the related requests, including the right to object that can be advanced "at any time" by the interested party.

Finally, with regard to the processing already carried out and in consideration of the violations identified above, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to Articles 58, paragraph 2, letter i) and 83 of the Regulation.

5. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

Based on the above, various provisions of the Regulation and the Code have been violated in relation to connected processing carried out by MA Immobiliare, for which reason it is necessary to apply Article 83, paragraph 3, of the Regulation, according to which, if, in relation to the same processing or connected processing, a data controller violates, with intent or negligence, various provisions of the Regulation, the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation with consequent application of only the sanction provided for by Article 83, paragraph 5, of the Regulation.

For the purposes of quantifying the administrative sanction, the aforementioned art. 83, par. 5, in setting the maximum amount of 20 million euros or, for companies, 4% of the annual worldwide turnover of the previous financial year if higher, specifies the methods of quantifying the aforementioned sanction which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par.
1, of the Regulation), identifying, to this end, a series of elements, listed in par. 2, to be assessed when quantifying the relative amount.

In this case, the following circumstances must be considered, in terms of aggravating circumstances:

1. the seriousness of the violations detected, with particular reference to the lack of random checks of the contact numbers acquired by the supplier, the inadequate management of requests to exercise the rights of the interested parties, as well as the lack of information during promotional telephone calls (art. 83, par. 2, letter a of the Regulation);
2. the negligent nature of the conduct, since the rules for the protection of personal data were ignored by the owner until the intervention of the Guarantor (Article 83, paragraph 2, letter b of the Regulation);
3. the non-compliance of the Company's conduct with the consistent disciplinary activity of the Authority in the field of marketing, with particular reference to the obligations of information and consent (Article 83, paragraph 2, letter k of the Regulation);
4. the poor cooperation with the Supervisory Authority since the Company, in responding to the request for information from the Office, prepared synthetic standard responses that revealed total disregard for the duties of the Guarantor and, more generally, for the discipline regarding the protection of personal data and the related responsibilities to which the data controller is called (Article 83, paragraph 2, letter f of the Regulation).

As mitigating factors, it is believed that the following can be taken into account:

1. the absence of previous proceedings initiated against the Company (Article 83, paragraph 2, letter e of the Regulation);
2. the nature of the data processed, consisting of common personal and contact data (Article 83, paragraph 2, letter g of the Regulation);
3. the overall assessment of the economic capacity of MA Immobiliare, with particular reference to the latest financial statements for the 2023 tax period (Article 83, paragraph 2, letter k of the Regulation).

In an overall perspective of necessary balance between the rights of the interested parties and freedom of enterprise, it is necessary to prudently evaluate the aforementioned criteria, also in order to limit the economic impact of the sanction.

Therefore, it is believed that - based on the set of elements indicated above - the administrative sanction of the payment of a sum of €40,000.00 (forty thousand/00) equal to 0.2% of the maximum statutory sanction of €20 million should be applied to MA Immobiliare.

In the case in question, it is believed that the accessory sanction of the publication of this provision on the website of the Guarantor should also be applied, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation no. 1/2019. In implementation of the principles set out in art. 83 of the Regulation, the imposition of this accessory sanction appears proportionate in relation to the seriousness and the particular disvalue of the conduct subject to censure, with particular reference to the absence of adequate controls on the lists acquired from third parties and on the related fulfillment of the information and consent of the interested parties to the processing of data for promotional purposes; furthermore, the brief and evasive answers provided to the Authority reveal a total disregard for the duties of collaboration identified by art. 31 of the Regulation, which results in an assessment of significant disvalue of the conduct itself.

It is recalled that, pursuant to art.
170 of the Code, anyone who, being required to do so, does not comply with this provision prohibiting processing is punished with imprisonment from three months to two years and that, in the event of non-compliance with the same provision, the sanction referred to in art. 83, paragraph 5, letter e) of the Regulation is also applied in an administrative capacity.

Finally, the conditions referred to in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations detected herein in the internal register of the Authority, provided for by art. 57, paragraph 1, letter u) of the Regulation, are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, par. 1, letter f), of the Regulation, declares the processing described in the terms of the motivation carried out by MA Immobiliare S.r.l.s., with registered office in Via Goffredo Mameli 10, 37126 Verona (VR), VAT number 04949990230, to be unlawful; consequently:

a) pursuant to art. 58, par. 2, letter f) of the Regulation, prohibits any further processing for promotional and commercial purposes carried out using the lists acquired from Realmaps for which the Company does not have free, specific and informed consent from the interested parties (articles 6 and 7 of the Regulation, as well as 130 of the Code);

b) pursuant to art. 58, par. 2, letter d), of the Regulation, orders to proceed without delay to the cancellation of said data, except for those that are necessary to retain for the fulfillment of a legal obligation or for the defense of a right in court as well as for any other purpose that does not require informed, free, specific, documented and unequivocal consent of the interested party;

c) pursuant to art. 58, par.
2, letter d) of the Regulation, orders the Company, if it intends in the future to direct promotional activity towards telephone numbers provided by third parties, to adopt suitable procedures aimed at constantly verifying, including through adequate sample checks, that personal data are processed in full compliance with the provisions in this area (prior acquisition of free, specific, unequivocal, documented, as well as informed, consent of the interested parties for the sending of commercial communications) (articles 6, 7 and 14 of the Regulation);

d) pursuant to art. 58, par. 2, letter d) of the Regulation, orders, for the purposes of the information obligation referred to in art. 13 of the Regulation, to provide the interested parties with all the information provided for therein;

e) pursuant to art. 58, par. 2, letter d) of the Regulation, orders to adopt adequate technical and organizational measures to facilitate the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without unjustified delay, the related requests, including the right to object that can be advanced "at any time" by the interested party;

f) pursuant to art. 157 of the Code, orders MA Immobiliare to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the measure imposed; any failure to comply with the provisions of this point may result in the application of the administrative pecuniary sanction provided for by art. 83, par. 5, of the Regulation.

ORDERS

pursuant to art. 58, par. 2, lett. i), of the Regulation, to MA Immobiliare S.r.l.s., in the person of its legal representative, to pay the sum of Euro 40,000.00 (forty thousand.00) as an administrative pecuniary sanction for the violations indicated in the reasons; it is represented that the offender, pursuant to art.
166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed. ORDERS the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 40,000.00 (forty thousand.00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981; ORDERS a) pursuant to articles 154-bis of the Code and 37 of Regulation no. 1/2019, the publication of this provision and, pursuant to art. 166, paragraph 7, of the Code, the publication of this injunction order on the website of the Guarantor; b) pursuant to art. 17 of the Guarantor Regulation no. 1/2019, orders the annotation in the internal register of the Authority, provided for by art. 57, paragraph 1, letter u) of the Regulation, of the violations and the measures adopted. Pursuant to art. 78 of Regulation (EU) 2016/679, as well as arts. 152 of the Code and 10 of Legislative Decree no. 1 September 2011, 150, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is resident, or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad. Rome, 29 April 2025 THE PRESIDENT Stanzione THE REPORTER Ghiglia THE ACTING SECRETARY GENERAL Filippi [web doc. no. 10134791] Provision of 29 April 2025 Register of provisions no. 278 of 29 April 2025 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN TODAY'S meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, Members, and Dr. 
Claudio Filippi, Acting Secretary General; SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”); SEEN the Personal Data Protection Code (Legislative Decree no. 196 of 30 June 2003), as amended by Legislative Decree no. 101 of 10 August 2018, containing provisions for the adaptation of national legislation to the aforementioned Regulation (hereinafter “Code”); SEEN the documentation in the files; HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's regulation no. 1/2000; REPORTER Dr. Agostino Ghiglia; WHEREAS 1. THE INVESTIGATIVE ACTIVITY CARRIED OUT With the complaint received by the Authority on 15 January 2024, Mr. XX complained about receiving unwanted phone calls from MA Immobiliare S.r.l.s. (hereinafter "MA Immobiliare" and "Company") which, in response to the request formulated by the interested party on 24 October 2023, represented that it had acquired the contact details from Realmaps S.r.l. (hereinafter also "Realmaps" and "supplier") of which the email address to contact to obtain information on the processing of personal data has been indicated, including "tracking" of any consent given for commercial purposes. The company Realmaps was the subject of a separate investigation, conducted in April 2024, which allowed the Authority to ascertain several critical issues in the processing of personal data intended for real estate agencies for marketing purposes (provision no. 11 of 16 January 2025, available at www.gpdp.it [web doc. no. 10110241]). 
Considering, from what emerged in the documents, that the Company is included among the real estate agencies to which Realmaps would have provided data for promotional purposes, on 21 May 2024 the Office made a request for information (ref. prot. no. 61527/24), pursuant to art. 157 of the Code, aimed primarily at clarifying the relationship with the aforementioned supplier and at ascertaining the data protection obligations that MA Immobiliare has fulfilled in relation to the lists acquired, with particular reference to:

- the verification of an original informed consent that authorized their use for commercial purposes;
- the information provided during the telephone calls as well as the call script used;
- the verification in the Public Register of Oppositions of the users contacted;
- the management of the objection requests submitted by the interested parties.

With a communication dated 12 June 2024, the Company responded to the aforementioned request of the Office by attaching the contractual documentation signed with the supplier and stating that it was not "aware of how the company Realmaps S.r.l. operates and how it obtains the relevant consents"; it also claimed to have contacted "about a hundred people" among those indicated in the lists acquired from the aforementioned supplier. With regard to the obligations regarding information and the management of objection requests submitted by interested parties, the Company stated that it was not “able to give a certain answer” and that it did not consult the Public Register of Oppositions.

2. DISPUTE OF VIOLATIONS

With a note dated 2 July 2024 (prot. no. 0081217/24), the Company was informed of the initiation of the procedure, pursuant to art. 166, paragraph 5, of the Code, for the adoption of any measures pursuant to art. 58, paragraph 2, of the Regulation, recognizing MA Immobiliare’s responsibility for the alleged violation of the following provisions of the Regulation:

- art. 5, paragraph 1, letter a), 6, paragraph 1, letter a), 7, 13, 14 of the Regulation and art. 130, paragraphs 3 and 3 bis, of the Code for not having verified, nor documented, the conditions of lawfulness of the data acquired from the supplier (information and consent) and for not having carried out the check in the Public Register of Oppositions of the users contacted;
- articles 12 and 15 of the Regulation, as the response to the requests of the interested parties regarding the processing of their personal data depends on a necessary exchange with Realmaps, which holds such information, causing a potential delay in the handling of those requests and an incomplete response to the applicant;
- articles 5, paragraph 2, 24 and 25 of the Regulation for not having demonstrated the fulfillment of its personal data protection obligations.

3. LEGAL ASSESSMENTS BY THE AUTHORITY

The Company did not submit any defense briefs, nor did it ask to be heard by the Authority, but simply sent, on 18 July 2024, a copy of the 2023 financial statements.

Based on the factual profiles highlighted above and the statements made by MA Immobiliare in its response, for which the declarant is responsible pursuant to art. 168 of the Code, it is believed that the violations identified in the notice of contestation should be confirmed.

MA Immobiliare is to be considered the data controller, pursuant to art. 4 of the Regulation, having specifically determined the purpose for which the processing was carried out (promotion of its services) and the telephone channel used for this purpose. Therefore, both the obligations imposed by the legislation on the protection of personal data and the responsibility for the violations detected can be directly attributed to the Company itself.
From the answers, albeit brief, that the Company provided to the Authority with the communication of 12 June 2024, a total lack of checks on the lists acquired from Realmaps emerges; from what can be understood, all requests to exercise rights submitted by interested parties seeking information on the processing of their personal data are referred to Realmaps. Already in the pre-investigation phase, in fact, there is evidence of this operating method, since the interested party was immediately invited to contact Realmaps to obtain proof of the alleged consent given to communication to third parties for commercial purposes (see e-mail of 26 October 2023). This redirection, in the reconstruction made by the Company, would shift the responsibility exclusively to Realmaps and, above all, would relieve MA Immobiliare of any obligation to inform and to control the processing carried out in its interest, entirely abdicating the role of data controller.

That said, it does not appear that MA Immobiliare, the data controller, has produced documentation proving the existence of the requirements for the lawfulness of the personal data acquired from Realmaps. In particular, the Company has not verified, and therefore has not proven, that the information notice was provided to the interested parties by the original controller that allegedly acquired the data; similarly, any alleged consent to communication to third parties (including MA Immobiliare) for marketing purposes that the interested parties allegedly gave has not been proven, nor, therefore, has it been verified whether such authorization complied with the requirements of freedom and specificity (pursuant to art. 4, point 11, of the Regulation), with inevitable repercussions on the legitimacy of the Company's promotional activity as well.
It should also be noted that the Company has not produced, during the verification, the call script used for promotional contacts nor, from the documentation in the files, does it appear to have provided the interested parties, on the occasion of unwanted phone calls, with the necessary information, pursuant to art. 13 of the Regulation, making known the most relevant aspects of the processing of personal data (nature, origin of the data, legal basis) and the rights referred to in Articles 15 - 22 of the same Regulation. Partial information (exclusively on the origin of the data) was provided to the interested party only following a formal request, demonstrating that the telephone contact occurred in violation of the principles of lawfulness and transparency.

Added to this is the fact that MA Immobiliare stated that it does not verify in the Public Register of Oppositions (so-called RPO) the registration of the users receiving promotional contacts. In this regard, it must be noted that verification in the aforementioned Register must be considered a pre-condition for being able to correctly carry out telemarketing activities, and failure to consult it can only mean that no promotional campaign using the telephone channel can be started.

Ultimately, the processing described gave rise to promotional phone calls being made without the informed consent of the interested parties, since the Company did not produce evidence to document its acquisition, and without having verified the registration of the contacted users in the RPO. Therefore, the violation of Articles 5, paragraph 1, letter a), 6, paragraph 1, letter a), 7, 13, 14 of the Regulation and Article 130, paragraphs 3 and 3 bis, of the Code must be considered established, not only in relation to the case referred to in the complaint, but in respect of the processing carried out by MA Immobiliare as a whole relating to the personal data acquired from Realmaps.
From what is set out in point 1 of this provision, it emerges that the response to the interested party regarding the processing of his/her personal data inevitably passes through the requests that the latter is required to address to Realmaps. This redirection method causes a potential delay in processing the interested party's requests and conflicts with the controller's obligation to provide timely feedback "without unjustified delay", thus violating Articles 12 and 15 of the Regulation.

The processing described above provides a framework of inadequate control and non-compliance with the rules on personal data protection. The Company has not provided elements to prove the lawfulness of the processing, with particular regard to the fulfillment of the information and consent requirements. In the absence of adequate controls on the entire processing chain (from collection to the implementation of the promotional campaign), the marketing activity violates Articles 5, par. 2, and 24 of the Regulation, which frame the controller's powers with a view to the necessary enhancement of the principle of accountability, aimed at proving the fulfillment of personal data protection obligations, also taking into account the principle of privacy by design (art. 25 of the Regulation).

It should be noted that already under the previous state legislation, but even more so today with the introduction of the aforementioned principles in the context of the unitary legislation, in no way can the provision of a contractual indemnity clause exempt the controller from carrying out the activities necessary to prove that the processing has been carried out in compliance with the principles of lawfulness, transparency and correctness from which the provisions on the legal basis and information derive.

4. CONCLUSIONS

In light of the arguments referred to in point 3 of this provision, the contested violations are considered confirmed and it is necessary to:

- pursuant to art. 58, par. 2, letter f) of the Regulation, prohibit any further processing for promotional and commercial purposes carried out through lists acquired from Realmaps for which the Company does not have free, specific and informed consent from the interested parties (articles 6 and 7 of the Regulation, as well as 130 of the Code);
- pursuant to art. 58, par. 2, letter d), of the Regulation, order the deletion of said data without delay, except for those that are necessary to retain for the fulfillment of a legal obligation or for the defense of a right in court as well as for any other purpose that does not require informed, free, specific, documented and unequivocal consent from the interested party;
- pursuant to art. 58, par. 2, letter d) of the Regulation, order the Company, if it intends in the future to direct promotional activity towards telephone numbers provided by third parties, to adopt suitable procedures aimed at constantly verifying, including through adequate sample checks, that personal data are processed in full compliance with the provisions in this area (prior acquisition of free, specific, unequivocal, documented, as well as informed, consent of the interested parties for the sending of commercial communications) (articles 6, 7 and 14 of the Regulation);
- pursuant to art. 58, par. 2, letter d) of the Regulation, order the Company, for the purposes of the information obligation referred to in art. 13 of the Regulation, to provide the interested parties with all the information provided for therein;
- pursuant to art. 58, par. 2, letter d) of the Regulation, order MA Immobiliare to adopt adequate technical and organizational measures to facilitate the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without unjustified delay, the related requests, including the right to object that can be exercised "at any time" by the interested party.

Finally, with regard to the processing already carried out and in consideration of the violations identified above, it is believed that the conditions exist for the application of an administrative pecuniary sanction pursuant to art. 58, par. 2, letter i) and 83 of the Regulation.

5. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

Based on the above, various provisions of the Regulation and the Code have been violated in relation to connected processing carried out by MA Immobiliare; it is therefore necessary to apply art. 83, par. 3, of the Regulation, according to which, if, in relation to the same processing or connected processing, a data controller violates, with intent or negligence, various provisions of the Regulation, the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation, with consequent application of the sanction provided for by art. 83, par. 5, of the Regulation.
For the purposes of quantifying the administrative sanction, the aforementioned art. 83, par. 5, in setting the maximum fine at 20 million euros or, for companies, 4% of the annual global turnover of the previous financial year if higher, specifies the methods of quantifying the aforementioned sanction, which must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1, of the Regulation), identifying, to this end, a series of elements, listed in paragraph 2, to be assessed when quantifying the relative amount.

In this case, the following circumstances must be considered as aggravating circumstances:

1. the seriousness of the violations detected, with particular reference to the lack of random checks of the contact numbers acquired from the supplier, the inadequate management of requests to exercise the rights of the interested parties, as well as the lack of information during promotional telephone calls (Article 83, paragraph 2, letter a of the Regulation);
2. the negligent nature of the conduct, since the rules for the protection of personal data were ignored by the data controller until the intervention of the Guarantor (Article 83, paragraph 2, letter b of the Regulation);
3. the non-compliance of the Company's conduct with the consistent disciplinary activity of the Authority in the field of marketing, with particular reference to the obligations of information and consent (Article 83, paragraph 2, letter k of the Regulation);
4. the poor cooperation with the Supervisory Authority, since the Company, in responding to the request for information from the Office, prepared brief standard responses that revealed total disregard for the duties of the Guarantor and, more generally, for the rules on the protection of personal data and the related responsibilities that fall on the data controller (Article 83, paragraph 2, letter f of the Regulation).
As mitigating factors, it is believed that the following can be taken into account:

1. the absence of previous proceedings initiated against the Company (Article 83, paragraph 2, letter e of the Regulation);
2. the nature of the data processed, consisting of common personal and contact data (Article 83, paragraph 2, letter g of the Regulation);
3. the overall assessment of the economic capacity of MA Immobiliare, with particular reference to the latest financial statements for the 2023 tax period (Article 83, paragraph 2, letter k of the Regulation).

In an overall perspective of necessary balance between the rights of the interested parties and freedom of enterprise, it is necessary to prudently evaluate the aforementioned criteria, also in order to limit the economic impact of the sanction.

Therefore, it is believed that - based on the set of elements indicated above - the administrative sanction of the payment of a sum of €40,000.00 (forty thousand/00), equal to 0.2% of the maximum statutory sanction of €20 million, should be applied to MA Immobiliare.

In the case in question, it is believed that the accessory sanction of the publication of this provision on the website of the Guarantor, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation no. 1/2019, should also be applied.

In implementation of the principles set out in art. 83 of the Regulation, the imposition of this accessory sanction appears proportionate in relation to the seriousness and the particular reprehensibility of the conduct under censure, with particular reference to the absence of adequate controls on the lists acquired from third parties and on the related fulfillment of the information and consent requirements for the processing of data for promotional purposes; furthermore, the brief and evasive answers provided to the Authority reveal a total disregard for the duties of collaboration identified by art.
31 of the Regulation, which results in an assessment of significant reprehensibility of the conduct itself.

It is recalled that, pursuant to art. 170 of the Code, anyone who, being required to do so, does not comply with this provision prohibiting processing is punished with imprisonment from three months to two years and that, in the event of non-compliance with the same provision, the sanction referred to in art. 83, paragraph 5, letter e) of the Regulation is also applied in an administrative capacity.

Finally, the conditions referred to in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations detected herein in the internal register of the Authority, provided for by art. 57, paragraph 1, letter u) of the Regulation, are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, par. 1, letter f), of the Regulation, declares unlawful the processing, described in the terms set out in the reasoning, carried out by MA Immobiliare S.r.l.s., with registered office in Via Goffredo Mameli 10, 37126 Verona (VR), VAT number 04949990230; consequently:

a) pursuant to art. 58, par. 2, letter f) of the Regulation, prohibits any further processing for promotional and commercial purposes carried out through the lists acquired from Realmaps for which the Company does not have free, specific and informed consent from the interested parties (articles 6 and 7 of the Regulation, as well as 130 of the Code);

b) pursuant to art. 58, par. 2, letter d), of the Regulation, orders the deletion of said data without delay, except for those that are necessary to retain for the fulfillment of a legal obligation or for the defense of a right in court as well as for any other purpose that does not require informed, free, specific, documented and unequivocal consent of the interested party;

c) pursuant to art. 58, par. 2, letter d) of the Regulation, orders the Company, if it intends in the future to direct promotional activity towards telephone numbers provided by third parties, to adopt suitable procedures aimed at constantly verifying, also through adequate sample checks, that personal data are processed in full compliance with the provisions in force (prior acquisition of free, specific, unequivocal, documented, as well as informed, consent of the interested parties for the sending of commercial communications) (articles 6, 7 and 14 of the Regulation);

d) pursuant to art. 58, par. 2, letter d) of the Regulation, orders the Company, for the purposes of the information obligation referred to in art. 13 of the Regulation, to provide the interested parties with all the information provided for therein;

e) pursuant to art. 58, par. 2, letter d) of the Regulation, orders the Company to adopt adequate technical and organizational measures to facilitate the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without unjustified delay, the related requests, including the right to object that can be exercised "at any time" by the interested party;

f) pursuant to art. 157 of the Code, orders MA Immobiliare to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the measure imposed; any failure to comply with the provisions of this point may result in the application of the administrative pecuniary sanction provided for by art. 83, par. 5, of the Regulation.

ORDERS

MA Immobiliare S.r.l.s., in the person of its legal representative, pursuant to art. 58, par. 2, letter i), of the Regulation, to pay the sum of Euro 40,000.00 (forty thousand/00) as a pecuniary administrative sanction for the violations indicated in the reasons; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed.

ORDERS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 40,000.00 (forty thousand/00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law No. 689/1981;

ORDERS

a) pursuant to Articles 154-bis of the Code and 37 of Regulation No. 1/2019, the publication of this provision and, pursuant to Article 166, paragraph 7, of the Code, the publication of this injunction order on the website of the Guarantor;

b) pursuant to Article 17 of the Guarantor Regulation No. 1/2019, the annotation in the internal register of the Authority, provided for by Article 57, paragraph 1, letter u) of the Regulation, of the violations and the measures adopted.

Pursuant to Article 78 of Regulation (EU) 2016/679, as well as Articles 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, an appeal against this provision may be lodged with the ordinary judicial authority, by application filed with the ordinary court of the place where the data controller is resident, or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 29 April 2025

THE PRESIDENT
Stanzione

THE REPORTER
Ghiglia

THE ACTING SECRETARY GENERAL
Filippi
- ↑ These Articles are part of the Italian implementation of the ePrivacy Directive's rules on direct marketing.