Garante per la protezione dei dati personali (Italy) - 9706389

From GDPRhub
Garante per la protezione dei dati personali (Italy) - 9706389
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1) GDPR
Article 5(2) GDPR
Article 6(1) GDPR
Article 7 GDPR
Article 14 GDPR
Article 21 GDPR
Article 28 GDPR
Article 29 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 16.09.2021
Fine: 3,000,000
Parties: Sky Italia
National Case Number/Name: 9706389
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: garanteprivacy.it (in IT)
Initial Contributor: FA

The Italian DPA fined Sky Italia €3,000,000 for making unsolicited direct marketing calls, both independently and through call centres. It obtained the data necessary to make these through third party companies, thus unlawfully circumventing the requirement for data subjects to have consented to their personal data being used for promotional purposes.

English Summary

Facts

The Italian DPA (Garante) began an investigation into the processing activities of Sky Italia after receiving "several dozens" of complaints and reports from parties who received repeated unsolicited direct marketing calls from Sky and its sales teams.

Holding

The Garante investigated the company's marketing practices, including its relationships with third parties conducting marketing operations on its behalf, and found a range of violations of the GDPR.

First, the DPA found that Sky Italia unlawfully processed personal data for the purpose of promoting its own products and services without the required consent and suitable information; that the company failed to carry out necessary checks on contact lists acquired from third parties; and that it failed to correctly register objections to receiving marketing calls. (In violation of Articles 5(1), (2), 6(1), 7, 14 and 21 GDPR.)

Second, the Garante held that the company contravened the principle of accountability and provisions on consent, and failed to verify the legitimacy of the communication of data from different third party data suppliers (Wind Tre S.p.A.; Brands Up); failed to check the information provided by its suppliers at the time of the first contact with the people the company called; did not correctly appoint suppliers as data processors; did not adopt procedures for filtering the contact lists, leading them to remain available to the person who carried out the promotional contacts. (In violation of Articles 5(1), (2), 6(1), 7, 14, 28 and 29 GDPR)

Third, the DPA held that Sky lacked the consent necessary to lawfully make direct marketing calls. (In violation of Articles 5(1), (2), 6 and 7 GDPR)

Fourth, it found the company infringed Articles 5, 6, 7, 12, 13 and 21 GDPR, in relation to the procedures for activating, providing information on and revoking the "Call me now" service.

Finally, it held the company breached Articles 5, 6, 7, 12(2) and 21 GDPR by making direct marketing calls in the absence of the necessary prerequisite of lawfulness; failing to take into account the objections received through its official email address; and for not having adopted a system that "facilitates the exercise of the rights of the interested party", such as the right to object.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
















SEE ALSO PRESS RELEASE OF OCTOBER 19, 2021

[doc. web n. 9706389]

Order injunction against Sky Italia S.r.l. - September 16, 2021

Record of measures
n. 332 of 16 September 2021

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC (General Data Protection Regulation, hereinafter the "Regulation");

GIVEN the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n.196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000, adopted by resolution of June 28, 2000;

SPEAKER Prof. Ginevra Cerrina Feroni;

1. THE INVESTIGATION ACTIVITY CARRIED OUT

1.1. Premise

With act no. 19846/21 of 13 April 2021 (notified on the same date by certified e-mail), which here must be understood as fully referred to and reproduced, the Office has started, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation towards Sky Italia S.r.l. (hereinafter “Sky” or “the Company”), in the person of the pro-tempore legal representative, with registered office in Milan, Via Monte Penice 7, VAT number: 04619241005.

The proceeding originates from a complex investigation launched by the Authority following the receipt of several dozen reports and complaints sent by interested parties who complained, and still complain today, continuous unwanted telephone contacts made by Sky and its sales network to promote telephone and internet services offered by the same.

From August 2020 to January 2021, Sky was the recipient of two cumulative requests for information (prot. Nos. 30003/20 and 3005/21) relating to 37 files, in addition to the complaints submitted pursuant to art. 77 of Regulation (EU) 2016/679 (hereinafter the "Regulation") that the Guarantor handled, in the preliminary phase, individually and the reports received after the latest requests for information.

1.2. Challenge of administrative violations

Having examined the first feedback provided by the Company, the Office, pursuant to art. 166, paragraph 5, of the Code, adopted the act of initiation of the procedure referred to in the introduction, with which it challenged Sky:

1. the violation of articles 5, para. 1 and 2, art. 6, par. 1 and art. 7, 14, 21 of the Regulations for having Sky processed personal data for promotional purposes of its products and services, in the absence of the required consent and appropriate information; for not having carried out checks on the contact lists acquired from third parties; for the failure to correctly register the oppositions (see, among other things, files nos. 131703, 135014, 134205, 135070, 135511, 136291, 140229, 147537);

2. the violation of the provisions of art. 5, para. 1 and 2, art. 6, par. 1, 7, 14, 28 and 29 of the Regulation in relation to the violation of the accountability principle and the provisions on consent as well as, due to failure to verify the legitimacy of data communication by Wind Tre S.p.A. to Brands Up; for failure to check the information provided by suppliers to interested parties at the time of first contact; for not having correctly appointed the suppliers as data processors; for not having adopted procedures for filtering the contact lists that remained in the availability of the person who carried out the promotional contacts (the violation concerns the conduct referred to in paragraph 2.2., as well as files nos. 133373, 135620, 136731, 142746, 135535 , 152391, 139142 and 156682);

3. violations of articles 5, para. 1 and 2, 6 and 7 of the Regulation, in relation to the processing of personal data carried out for promotional purposes of its products and services, carried out in the absence of the required consent (file nos. 134528 and 135584);

4. violation of articles 5, 6, 7, 12, 13 and 21, in relation to the methods of activation, release of the information and revocation of the "Call me now" service (file no. 153251);

5. violation of art. 5, 6, 7, 12 par. 2 and 21 of the Regulations, for having made promotional contacts in the absence of the necessary prerequisite of lawfulness; for not having taken into account the objections received through the address p.e.c. official of the Company and, therefore, for not having adopted a system that "facilitates the exercise of the rights of the interested party" including the right to object (this violation appears to be attributable to a critical system as also found in the file no. 155336).

The aforementioned disputes were formulated by the Office on the basis of the observations that are summarized below.

1.2.1. As for the dispute referred to in point 1), the violation of Articles 5, para. 1 and 2, art. 6, par. 1 and art. 7, 14, 21 of the Regulations in relation to promotional contacts made by Sky on the basis of contracts for the transfer of personal data signed with other companies (hereinafter the "Third Parties").

In particular, when responding to requests for information, the Company stated, among other things, that (i) the whistleblower received the unwanted contact as "he has given an independent data controller ... consent to the transfer of data personal to third parties for marketing purposes "; (ii) "Sky has signed [with" autonomous holder "] a contract concerning the transfer of personal data ... by virtue of which it received the consented contact of the [reporting person]"; (iii) the Company would therefore have “legitimately contacted [the reporting person] on the basis of consent… Sky has therefore not carried out any unlawful processing of personal data”.

In this regard, it was noted that the communication of data from owner (the Third Party) to owner (Sky) must be supported by the prescribed consent, a circumstance that has been confirmed by the Company, while the subsequent treatments of which Sky is the owner, had to be preceded by suitable information, pursuant to art. 14 of the Regulations, made at the latest during the first promotional contact.

With reference to the consents issued by the interested parties for the communication of their data to Sky, it was noted that the Company did not notify the Authority of the procedures subsequent to the acquisition of the contact lists from third parties, nor if random checks had been carried out. on the consents issued by the interested parties or if the lists had been subject to deduplication with respect to the Register of oppositions and their own black-lists.

In addition, the repeated phone calls made also to subjects who have declared that they have expressed their opposition to the processing to the call-center operators, have led the Authority to believe that Sky has not correctly registered the objections as expected.

1.2.2. As for the dispute referred to in point 2), the violation of Articles 5, para. 1 and 2, art. 6, par. 1, 7, 14, 28 and 29 of the Regulation in relation to promotional contacts made by Wind Tre S.p.A. and by other autonomous owners to promote Sky's services.

In particular, in relation to some reports, the Company stated, inter alia, that:

- the whistleblowers received direct contact to promote Sky services as they "gave their consent to Wind Tre S.p.A for third party marketing purposes";

- Sky has signed a contract with "the supplier Brands Up s.r.l. ... to carry out Advertising activities with the Telephone Operator Wind Tre S.p.A. for Consent Customers ";

- "Brands Up acts on behalf of Wind Tre SpA, as independent data controller", from which it is "authorized to (i) enter into agreements concerning the carrying out of promotional campaigns regarding third party products or services via SMS or MMS sent by Wind Tre to Wind Tre customers who have given appropriate consent; as well as to (ii) communicate to independent third parties the data of those who have given their consent to Wind Tre to be contacted by third parties for the promotion of third party products or services ";

- the promotional contacts received from the aforementioned reporting entities are "therefore a promotional [contact] sent by Wind Tre S.p.A. as independent data controller, to which the [reporting person] will eventually have to address his complaints ";

- not having the aforementioned reporting "consented to be contacted by third parties for the promotion of third party products or services, his contact was not communicated by Brands Up to Sky, which therefore did not enter it in its prospect database and did not contact her ".

Similarly, in relation to other reports (see, among other things, files nos. 135535, 152391 and 139142 referred to in the first finding and file no. 156682), the Company noted, among other things, that :

- "Sky has signed a contract with ... supplier [i] [including Indicta S.r.l. and R&D Communication S.r.l.] to carry out 'Advertising' activities through SMS on the customers "of the supplier;

- the whistleblowers "has [nno] received an SMS aimed at promoting Sky's services ... as they have given [the Sky provider] their consent for promotional purposes";

- these suppliers, “acting as [i] independent [i] data controller, carry out [no] advertising campaigns to promote the signing of Sky television contracts. This activity consists of (i) sending SMS to a target of customers [of the supplier] who have given appropriate consent; as well as (ii) in the communication to Sky of the data of those who have given their consent [to the supplier] to be contacted by Sky ";

- not having the aforementioned reporting "consented to be contacted by third parties for the promotion of third party products or services, [their] contact was not communicated to Sky, which therefore did not enter it in its prospect database and did not contacted her ".

Finally, in the report filed against Sky and Ediscom S.p.A. (file no. 156682), the latter argued that:

- “Your data was collected by the company 6 Safe Spa, the Data Controller. … EDISCOM SPA managed the data for this company, as Data Processor, in accordance with the consent to the transfer to third parties and to the marketing communications issued by you to the Data Controller during the registration of your data… on the website www.chiarezza. it ";

- "On this occasion, the interested party gave his specific consent to receive commercial and / or promotional information from both Chiarezza and third-party companies (so-called direct marketing and / or third party purposes)";

- "Ediscom, ... sent you an information campaign on behalf of Sky, your data was passed to the latter only after clicking on the link bearing the following wording: 'Click {shortlink} to be contacted by Sky ".

In this regard, the Company added that "Sky Italia has not communicated your data to any company or to the Ediscom company in order to send the text message you reported. Ediscom, as indicated directly by the company itself, therefore acted as manager of independent third party owners ".

It was highlighted that, in the case in question, despite being the "advertising campaign ... directed by Wind Tre to [its] Consent Customers", the latter concerns "the promotion of a Sky offer". It follows that, precisely because of its fundamental role as "client", Sky cannot exempt itself from the burden of adequately supervising the work of the aforementioned suppliers. In this sense, the Company should have verified, among other things:

- the legitimacy of the communication of data by Wind Tre S.p.A. to Brands Up;

- that the information provided by the suppliers to the interested parties at the time of the first contact was clear regarding the triple relationship and the parties involved in the processing of your personal data (i.e., the supplier, Wind Tre and Sky).

As regards Sky's thesis according to which, in the aforementioned cases, the suppliers would act "as [the] autonomous [i] holder [i] of the treatment", the attached documentation shows that, if "the Customers, upon receipt of the communication advertising via SMS / MMS "send" an SMS with text 'OK' to a number [of the supplier] to be contacted by SKY ", after" the release of the aforementioned consent by the Customers, [the supplier] undertakes to communicate to SKY the mobile phone number… of the Customers who have authorized to be contacted by a SKY telephone operator for the promotion of the Offer ".

It follows that, both at the time of the acquisition of the personal data lists, and at the time of data communication to Sky, the suppliers are permanently included in the processing carried out by Sky and this the Company should have taken into account to define, also on the basis of the provisions of art. 28 and 29 of the Regulation, the distribution of responsibilities to these subjects and to itself.
In addition, it was disputed that the Company has not demonstrated - as it should have, since it was the client of the treatments in question - that it has put in place filtering procedures for the contact lists remaining in the availability of the subject who made the first promotional contacts. , possibly communicating to the latter its own black-list.

Specifically, Sky did not clarify the procedure adopted for the formation of the lists of numbers potentially contactable by the suppliers, nor did it specify, among other things, how often these lists are updated and the procedures adopted to exclude the inclusion of numbers in the list. contactable (for example, numbers in the opposition register, numbers that cannot be contacted due to the withdrawal of consent, etc.).

1.2.3. As for the dispute referred to in point 3), the unlawfulness of some promotional contacts made by Sky for promotional purposes of its products and services, made through the use of numbers not included, was found in the act of initiation of the procedure. in the Company's sales network and in the absence of the required consent.

1.2.4. With regard to the dispute referred to in point 4), relating to the methods of activation, release of the information and revocation of the "Call me now" service, some critical issues were highlighted that emerged, in the light of the information available, from the procedure described by Sky.

In particular, from the documentation produced by Sky in response to the requests for information formulated by the Authority, it emerged the lack of ad hoc information in relation to the aforementioned service, in which the functioning of the service was explained, the methods of treatment of personal and contact details of the user. In addition, there was a lack of a system that would allow the user to interrupt the flow of calls resulting from his "click" on the "Call me back" button with equal simplicity.

1.2.5. As for the dispute referred to in point 5), in the act of initiation of the procedure some critical issues were highlighted regarding the failure to adopt a system that "facilitates the exercise of the rights of the interested party" including the right to opposition. In particular, it emerged that Sky did not take into account the objections received through the address p.e.c. official of the Company (indicated in the Business Register), making subsequent promotional contacts in the absence of the necessary prerequisite of lawfulness.

2. DEFENSIVE OBSERVATIONS AND AUTHORITY ASSESSMENTS

2.1. The defense brief and Sky's hearing

On May 13, 2021, Sky sent the Authority the defense brief required by art. 166, paragraph 6, of the Code. Under the same provision, on May 25, 2021, the hearing requested by the party for which a specific report was drawn up was held via videoconference. Both documents are to be understood here, for the protection of the party, in full and reproduced.

The Company first intended to provide a general overview on the processing of personal data and on its "business philosophy", representing that it has always raised its compliance standards to the maximum protection of personal data and specifying that, even before the start of the procedure in question, radically changed its marketing strategies, massively reducing the number of calls addressed to prospect subjects contacted for promotional purposes. Sky then highlighted that, among the cases examined, “only n. 19 are explicitly challenged in the Proceedings and, in any case, refer to conduct allegedly carried out in the time period from 2018 to 2021 and ... dating back over time and no longer current: precisely, n. 2 of 2018, n. 12 in 2019, n. 4 of 2020 and no. 1 of 2021… about 97% of reports and complaints less than the average of companies comparable to this ". Finally, the Company focused on the individual disputes.

2.1.1. With regard to the promotional contacts made by Sky on the basis of the contracts for the transfer of personal data signed with third parties (see point 1 of the dispute), the Company represented the following.

In the first place, Sky noted that “the Accountability principle does not require [e] the data controller (Sky) to carry out checks on the compliance of the processing carried out by another data controller”. According to Sky, "to consider that there is a timely burden of verification and control by the transferee (Sky) with respect to all the numerous individual contact details given by the business partner, constitutes, on the one hand, an impossible, unreasonable operation and contrary to the principle of free circulation of data sanctioned by art. 1 of the Regulation, on the other hand, it constitutes an operation not required by current legislation on the protection of personal data ". Sky noted that the Regulation prescribes a series of obligations for the data controller "only when he decides to make use of managers entrusted with processing tasks on behalf of the data controller" while "no prescription, not even in terms of control or supervision, it is sanctioned in the case in question, in which Sky (transferee) purchases a list of data that can be contacted by a different third party owner ". According to Sky, “the partners must be qualified as autonomous owners - and not as responsible - as these third parties act according to the methods and purposes established by them… they are… therefore called to answer exclusively for their treatment pursuant to art. 82 of the Regulations, with the consequent extraneousness of Sky which is not required to check its work ... nor to exchange its own Blacklist "(BL).

In support of its thesis, Sky recalled the Authority's provisions of May 29, 2003, July 4, 2013 and May 9, 2018, arguing "that they explicitly admit the lawfulness of the processing of autonomous data controllers who communicate data to third parties for marketing purposes , provided that information is provided and consent to the transfer is obtained ".

The Company noted:

- to have demonstrated the lawfulness of the processing and that this would be "attested ... expressly by Sky's contracts with third parties ... by the information provided by the third parties to the interested parties who correctly mention the transfer of data to third parties ... as well as by the consents already documented";

- to have “in any case carried out random checks on the consents collected”. In particular, during the hearing, Sky specified that it had given rise to "16 third-party audits" from 2013 to June 2021;

- to “check [re] with the BL all the prospect lists (including the personal data coming from the sale of lists by third parties, which are physically acquired through ftp download on the list provider's systems). These lists are then filtered with the BL, fragmented and made available for the campaign through the various call centers, also with updates during the campaign. A similar activity is performed on the campaign side towards customers, filtering those who have revoked their consent to commercial contact ";

- that "by its own independent business decision, starting from the beginning of 2020 ... does not currently make use of the activity of sales of prospect master data by third parties autonomous holders of Data Base treatment consented to data transfer (" Leads ") for third party marketing purposes ('Leads Transfer') ". The violations for "promotional contacts made by Sky on the basis of data transfer agreements by third parties", would therefore not be attributable to Sky, "also pursuant to art. 14 par. 5 Regulation of the Guarantor n. 1/2019 ".

Secondly, Sky contested "the failure to provide the information pursuant to art. 14 of the Regulations, as the information was provided on first contact (Attachment 25_Evidenza B - Attachments 04, 14.2, 21.2, 27, 37.2, 48, 62) "and added that" no responsibility can be ascribed to Sky in relation to information provided by the data controller who transferred the data lists, as Sky does not have (and cannot have) any control over the data processing carried out by the transferring owner, who is solely responsible pursuant to art. 24 of the Regulation ".

Furthermore, the Company contested that Articles 6 and 7 of the Regulation, "as the existence of the conditions of lawfulness of the processing and of the consent in this case must necessarily be verified in relation to the data controller who has transferred the data lists, guaranteeing the existence of the conditions of lawfulness of the treatment and consent of the data subjects sold ".

Finally, Sky contested what was stated by the whistleblowers in files nos. 131703, 135014, 134205, 140229, 135070, about the number of calls allegedly received, highlighting that "the number of calls never exceeded 3 per campaign ... in line with Sky's Contact Policy (Annex 17) and respectful of the interested party ".

2.1.2. Regarding the promotional contacts made by Wind Tre S.p.A. and by other autonomous owners to promote Sky's services (see point 2 of the dispute), the Company represented the following.

In the first place, Sky underlined that "the assumption ... according to which 'the client cannot exempt himself from the burden of adequately supervising the work of the suppliers' cannot disengage from the prior identification of the subject who determined the means and purposes of the treatment". According to Sky, it is necessary to "examine the legal relationships between the parties in question ... distinguishing the cases in which the partners perform legal acts as independent data controllers, albeit in the interest of Sky, compared to cases in which the partners are entrusted with processing operations by the latter pursuant to art. 28 of the Regulation ". Specifically, "the classification of each person ... can never be the result of a mere automatism (promote my service so you are my manager)" and it would be "completely irrelevant whether or not there is any economic interest underlying the operation , as well as the commissioning or not of the promotional companions is irrelevant ".

Sky clarified that "Ediscom S.p.A. partner of Indicta S.r.l. (file n.152391, n.135535) and R&D Communication Srl (file n.139142), with which Sky has entered into contracts concerning the commercial promotion of its services, act as independent data controllers in consideration of the autonomy with which carry out the contractually agreed activities and precisely collect approved third party marketing data in their databases, organize and use them for their specific and autonomous purposes, as well as send promotional sms to interested parties who have previously been informed and approved third party marketing, for their own autonomous purposes. and without receiving any instructions from Sky, in the face of adequate information and specific consent of the interested party to third party marketing .... In other cases ... instead the configuration of the relationships identified by the Guarantor corresponds to the reality of the processing of personal data put in place in the context of promotional activities on behalf of Sky. This is the case of Brands Up s.r.l. (files n. 136731, n. 135620, n. 142746, n. 133373) and Ediscom s.p.a. (files n.15668 and n. 152391) who, vis-à-vis Sky, operate as data processors pursuant to art. 28 of the Regulation with reference to the treatment consisting of (i) in the collection, (ii) in the historicization of the consent to the processing of personal data provided by the interested party to know the Sky offers and (iii) in the communication to Sky of the contact details of the consented prospects ".

Sky then summarized as follows:

- "the partners ... classified as autonomous owners, deal, among other things, with processing consisting of (i) collecting consented third party marketing data in their databases, organizing them and using them for their specific and autonomous purposes, as well as (ii) in transmitting promotional sms to interested parties previously informed and consented to third party marketing, for their own autonomous purposes and without receiving any instructions from Sky, in the face of adequate information and specific consent of the interested party to third party marketing.

- the suppliers ... classified as external managers, on the other hand, deal with the processing consisting of (i) collecting, (ii) historicizing for consent to know Sky's offer and (ii) communicating to Sky the data consented to re-contact and for this purpose they strictly follow Sky's instructions ”.

By applying these principles to the present cases, according to Sky, "the third parties (eg Wind 3, Ediscom and R&D) collect data and campaign their own database which is allowed for third party marketing according to logics - both technical and organizational, purposes and methods of all autonomous and distinct, as well as unrelated to Sky and only defined by the third party. They are therefore, peacefully, autonomous owners pursuant to art. 4 Regulation, therefore called to answer exclusively for their treatment pursuant to art. 82 Regulations. With consequent strangeness of Sky which is not required to control its privacy treatments, much less to exchange its BL with said subjects ... Instead, third parties such as Brands UP carry out Sky's instructions in carrying out the processing of user data that they click OK on the SMS to find out about Sky's offer, gathering the relative consents to re-contact, historicizing them and passing them to Sky on a format defined by Sky itself. These subjects therefore do not have autonomy for these activities and are contracted with a contract that binds the supplier. They are therefore clearly responsible for the processing pursuant to art. 28 of the Regulations, and therefore duly contracted and controlled by Sky ". This would be in line, among other things, with the Authority's provisions of 9 May 2018 and 15 June 20211.

2.1.3. With regard to the receipt of promotional calls by Sky in the absence of prior consent from the reporting party (see point 3 of the dispute), the Company stated that "the contact processes of the interested parties have been defined by Sky in compliance with provisions of the law regarding the protection of personal data ".

Specifically, "Sky does not entrust lists for telemarketing activities to telesellers, having opted for the adoption of a completely centralized campaign management system and process, which arranges for individual promotional calls to be sorted to the various call centers: reside centrally on Sky systems (the so-called Reitek platform, in use since 2011, managed by Sky Italia), all outbound calls addressed to prospects are made by a single outgoing number ... and Sky defines and continuously checks the contact logics, guiding and verifying operations in terms of contact assignment to each teleseller / call center ".

Sky specified that "the Reitek platform, moreover, has been designed from the outset with a view to privacy by design" as it "generates outbound calls and distributes the call and not the contact to telephone customers. The operator receives the call through the headset, the telephone number is obscured on the receiving screen and the contact cannot be managed independently, as the rules are dictated by the Sky telephone exchange ".

With regard to the frequency of contacts, the configuration of the centralized platform provides that "(i) a numbering enters the campaign once a quarter and that within the same campaign can be called up, in case of no contact, for a maximum of 7 attempts (for no more than 2 attempts per day, if the interested party does not respond); and (ii) that he can be contacted from Monday to Friday from 9:30 am and on Saturday from 9:30 am to 6 pm, excluding weekends and public holidays. Therefore, a user will be able to receive a maximum of n. 28 call attempts per year ".

Therefore "the centralization of campaign management ... therefore guarantees maximum control over calls, prevents the entrusting of lists to telesellers and excludes, from the outset, the phenomenon of unlisted calls, giving guarantee and proof of calls made and those disowned in anything not referable to Sky ".

2.1.4. As for the methods of activation, release of the information and revocation of the "Call me now" service, (see point 4 of the dispute), the Company has represented the following.

Preliminarily, Sky briefly described the ways in which prospect recontact initiatives on Sky can take place: in the case of "Call Me Now", the recontact takes place "directly with one's own landing page" (file no. 153251, object of dispute), where, in the case of Call Me Now Partner, this occurs "as a result of commercial agreements or partnerships". In particular, "In the case of Call Me Now Partner, the suppliers / partners transmit, in their capacity as i) autonomous Data Base holders consented to the marketing of third party products, or ii) external managers appointed by third parties Data Base holders consented to marketing of third-party products for carrying out promotional activities, or iii) intermediaries, autonomous owners, of Sky promotional content to third-party owners of Data Base consented to third-party marketing, third-party commercial communications (including Sky) via DEM or SMS , agreed with Sky, in order to promote offers on Sky products / services ". If the recipient of the DEM or SMS is interested in Sky's offer, he will provide the supplier / partner - appropriately appointed as Sky's data processor with an appropriate Appointment Deed - consent to be contacted by telephone by Sky and Sky may contact him for that specific offer '”.

Sky then underlined that, in both processes, the information provides that "Sky will call back only once" and that "the interested party can always prevent the call by revoking his consent and exercising his right to object ... by sending a request to Sky Italia srl ".

2.1.5. As for the management of the rights of the interested party (see point 5 of the dispute), the Company represented the following.

In the case object of the proceeding (file no. 155336), which according to Sky "derives from a continuous change of opinion of the interested party ... through manifestly excessive requests, in particular due to their repetitive nature", the Company "has in any case registered the opposition of the interested party by inserting it in BL ". The process of managing the rights of the interested party adopted by Sky provides that "Where communications are sent to incorrect channels and not expressly dedicated to privacy, eg. via certified email, it is in any case managed directly by the Protocol function which ... manually sorts the remaining certified e-mails, if not directly assigned by the software ". The Company added that, following the complaint subject to this proceeding, the aforementioned procedure was "further strengthened" with the addition, among other things, "of the sorting automatism in use, which today takes into account in the first classification of communications of major privacy keywords ".

Finally, the Company (i) invoked the defenses regarding the individual disputes; (ii) briefly described the "further measures to improve its processes and mitigation" adopted by Sky to demonstrate its desire to "strengthen and improve its processes and systems"; (iii) reiterated that "the reports in the deeds ... are few and date back over time" and that, therefore, "at most, if ascertained, the conduct may involve a mere warning".

2.2. Considerations in fact and in law

2.2.1. With reference to the dispute referred to in point 1), the existence of the contested violation of Articles 5, para. 1 and 2, art. 6, par. 1 and art. 7, 14, 21 of the Regulation in relation to the reports referred to in files nos. 131703, 135014, 134205, 135070, 135511, 136291, 140229 and 147537.

In general, it must be assumed that the strengthening measures adopted by the Company and the additional initiatives undertaken - including the interruption, starting from the beginning of 2020, of the sale of prospect data by third parties independent holders of the Data Base processing consented to the transfer of data for third party marketing purposes - certainly demonstrate the awareness by the latter of the seriousness of the phenomenon of illicit promotional calls, and the will to stem it.

However, the limits and criticalities encountered with regard to some of the procedures adopted by Sky cannot fail to be highlighted.

First of all, with reference to the processing of personal data carried out by Sky after the acquisition of the contact lists from third parties, it is noted that, if the consent given by the interested parties to the aforementioned third parties constitutes an appropriate legal basis for the communication of data by the owner (the Third Parties) to the owner (Sky), this does not apply in relation to the subsequent processing by virtue of which Sky then contacted the interested parties.

The simplification regime provided for by the aforementioned provision of the Authority of 4 July 2013 according to which "if the interested party gives ... consent for communication to third parties, these may carry out promotional activities for him with the automated methods referred to in 'art. 130, paragraphs 1 and 2, without having to acquire a new consent for the promotional purpose "or, if" the other elements provided for in art. 13 of the Code ", they will be able to carry out promotional activities towards you without issuing" further information to the interested parties ", refers exclusively to" promotional activities with the automated methods referred to in art. 130, paragraphs 1 and 2 ". It follows that Sky, for promotional activities carried out through contacts with human operators, cannot make use of the simplification regime provided for by the 2013 provision, but, during the promotional contact, it must provide its own information, which contains, among other things, , also elements regarding the origin of the personal data communicated to the Company (so that each interested party can also contact the person who collected and communicated them to oppose the processing) and only after having acquired the consent can he proceed to make the proposal promotional. This, however, is what is obtained from the combined provisions of Articles 6, 7 and 14, par. 3, lett. b) of the Regulation.

In the present case, the Company has not demonstrated that it has provided the interested parties, recipients of promotional contacts by a subject to whom they had not expressly given consent to the processing of data for promotional purposes, with suitable information to make them aware, among other things, "that the data was collected from third parties and indicating the original owner of the data", allowing him, for example, to revoke the consent originally given to the third party.

In particular, the script produced by Sky refers to the hypothesis of contact of people present in the Sky databases or in the telephone directories ("Sky name" and "name extracted from telephone directories") and does not contain any indication regarding the case in question. in which Sky made promotional contacts on the basis of contracts for the transfer of personal data signed with third parties. Nor is this shown in attachment 14 to the defense brief, a document containing a privacy prospect disclosure in which, although it is explicitly stated that the Company uses data "provided to Sky by third-party companies to which [the interested party] has given specific consent for the transfer of the .. data for marketing purposes to companies belonging to the product categories indicated in the privacy information provided to you by these third-party companies ", the exact origin of the data has not been clarified and it is also not clear on what occasion and how this information would be communicated to the interested party, since it is a document that consists of 5 pages and whose full reading by the operator during a promotional telephone contact cannot be seriously taken into consideration as an ordinary method of fulfillment of the provisions of art. 13 and ss. of the Regulation.

Secondly, with reference to the acquisition of the contact lists from third parties, it is not considered possible to agree with Sky's orientation according to which the latter would not be required to verify the correct acquisition by the same third parties of the consent for the communication of data or to carry out skimming operations of the aforementioned data with respect to those included in its black lists.

On the contrary, given that the promotional campaign is aimed at promoting Sky services, once the contact details have been received from third parties, it is Sky's responsibility to verify that the subjects who are contacted are "consensus" and, more importantly, they are not people who have expressed an unequivocal desire to oppose promotional contacts relating to the Company's products and services. If this were not the case, the rules relating to the right of opposition for promotional-advertising treatments could be easily circumvented, since the withdrawal of consent made towards a holder would not result in the termination of promotional contacts. This, in addition to determining a legally illogical result (the emptying of the right to object), would entail the further serious consequence that the interested party could no longer control the fate of his data, given that not even a clear opposition to promotional contacts addressed to a owner could lead to the definitive termination of such contacts.

As for the measures referred to by the Company (provision no.280 of 9 May 2018, web doc. 9025666 and general provision of 29 May 2003), they appear completely irrelevant to the case in question since although the first refers to complaints “of various reporting agents [who] complained that the receipt of unwanted promotional calls (attributable to Telefonika's activity) took place without having given any consent and, in some cases, despite the registration of the respective users in the cd. Register of oppositions ”, the processing processes are not comparable to those carried out by Sky; while the second, in addition to concerning processing relating to the sending of e-mail messages (comparable to automated processing and therefore subject to a different discipline), in any case provides that "whoever acquires the database must ascertain that each interested party has validly consented to the communication of their e-mail address and its subsequent use for the purpose of sending advertising material; at the time of recording the data, he must then send in any case, to all interested parties, an information message specifying the elements indicated in art. 10 of the law n. 675, including a place reference - and not only an e-mail address - at which the interested party can exercise the rights recognized by law ".

The Authority acknowledges that Sky stated:

- to have “in any case carried out random checks on the consents collected”. In particular, during the hearing, Sky specified that it had given rise to "16 third-party audits" from 2013 to June 2021;

- of "contra [re] with the BL all prospect lists (including master data from the sale of lists by third parties ...)";

- to have "progressively abandoned the use of data transfer contracts ('Leads Transfer'), preferring ... less invasive methods of telephone calls, including SMS".

While acknowledging that the above activities are potentially suitable for stemming the phenomenon of unwanted calls, it must be noted that, in practice, numerous contacts have been made in violation of the provisions on information, consent and accountability, and must therefore be confirmed the responsibility of Sky in relation to what is contested in point 1).

It should also be noted that Sky considered untrue the circumstance expressed by some reporting persons that they had been recipients of numerous telephone calls from the Company's call centers within a few days, stating that the system allows “Maximum 28 call attempts per year”. In this regard, it should be noted that this approach, in addition to being in stark contrast to what was declared by various whistleblowers, appears in any case suitable for causing significant inconvenience to the data subject. To this it must be added that Sky has not documented the procedure according to which the call centers acquire and register the objections expressed by the interested parties during the telephone contact. The existence of the disputed violation must be inferred from all these elements, again included in point 1) of art. 21 of the Regulation, regarding the exercise of the right to object.

2.2.2. With reference to the dispute referred to in point 2), the violation of the provisions of Articles 5, para. 1 and 2, art. 6, par. 1, 7, 14, 28 and 29 of the Regulation in relation to the violation of the accountability principle and the provisions on consent as well as, due to failure to verify the legitimacy of data communication by Wind Tre S.p.A. to Brands Up; for failure to check the information provided by suppliers to interested parties at the time of first contact; for not having correctly appointed the suppliers as data processors; for not having adopted procedures for filtering the contact lists that remained in the availability of the person who carried out the promotional contacts (the violation concerns the conduct referred to in paragraph 2.2., as well as files nos. 133373, 135620, 136731, 142746, 135535 , 152391, 139142 and 156682).

From the investigation carried out, it emerged that Sky has signed Advertising contracts with some suppliers (eg Indicta S.rl.l, R&D Communication srl and Brands Up Srl) for the performance of "a promotional advertising activity ... which will be carried out through a series of advertising campaigns ... to promote the signing of Sky pay TV contracts ... via SMS addressed to a target customer "of the supplier (or of Wind Tre SpA, as in the case of Brands Up), who expressed consent to third party marketing. This promotional activity "is aimed at soliciting customers, upon receipt of the advertising communication, to send an SMS with the text 'OK' to a number [of the supplier] to be contacted by Sky. Only after the release of the aforementioned consent, [the supplier] undertakes to communicate to Sky the mobile phone number ... of the customers who have authorized to be contacted by a Sky telephone operator for the promotion of the offer ".

In light of the above, two different phases of promotional activity can be distinguished (i) a first phase, which sees the partners / suppliers as protagonists, who "collect approved third party marketing data in their databases, organize and use them for their specific and autonomous purposes, as well as send promotional sms to their interested parties previously informed and consented to third party marketing, for their own autonomous purposes and without receiving any instructions from Sky, in the face of adequate information and specific consent of the interested party to third party marketing " and (ii) a second phase, if any, in which the protagonist of the marketing activity is Sky, which carries out promotional contacts with users who “click [to] OK on the SMS to find out about Sky's offer”.

In this regard, it should be noted that Sky's approach according to which in the first phase "the partners are classified as independent owners" is not acceptable as they "deal ... with the processing ... for their own autonomous purposes and without receiving any instructions from Sky , subject to adequate information and specific consent of the interested party to third party marketing ".

In this case, it must be noted that the promotional campaign carried out by the partners / suppliers on behalf of Sky is not constituted by the mere illustration of the Company's services and products, but by the sending of promotional sms aimed at obtaining a flow of feedback information. towards the latter (the positive response of the person contacted to receive the promotion of Sky) and a communication of contact data to Sky itself, against an extremely (and arbitrarily) simplified opt-in (the "OK" SMS) .

In this case it is clear that, without prejudice to what was observed in the previous paragraph on accountability, the partners / suppliers, who send promotional sms to their interested parties in order to promote services on behalf of Sky as well as in order to “solicit customers. .. to send an SMS with the text "OK" "to be contacted by Sky" they actually operate, and to all intents and purposes, as if they had been 'appointed by the owner to process personal data', therefore in full and substantial adherence to the definition of the 'manager' "(see provision no. 230 of June 15, 2011, in www.gpdp.it, web doc. no. 1821257). A different approach, in addition to representing a marked forcing of the rules on the protection of personal data where the roles and responsibilities of the various subjects who contribute to carrying out a treatment that instead must be considered unitary, mainly to guarantee the interested parties are arbitrarily changed, would make the client of the advertising campaign, in this case Sky, completely unrelated and "irresponsible" to choices and processes that are fully included in the campaign itself and which have the sole purpose and consequence of bringing personal information into the client's databases some CD. "Prospect" in order to convey to them an articulated commercial proposal relating to their services. The consequence of this setting is suitable to prevent the data subject from having full control of their data and a full exercise of the rights towards the subject in the interest of which the treatments are carried out.

As already observed by the Authority in the past (see provision no. 230 of June 15, 2011, in www.gpdp.it, web doc. No. 1821257) "it must be ... reiterated that outsourcing agencies ... cannot be considered as independent holders, since the alleged formal ownership does not correspond, even in concrete terms, to the powers strictly provided for by the Code for the configuration and exercise of ownership, which are and remain the exclusive prerogative of the principals. Among these, first of all: - make decisions relating to the purposes of processing the data of recipients of promotional campaigns for the purpose of sending advertising or direct sales material or commercial research or commercial communication carried out by third parties acting in outsourcing for the performance of the aforementioned promotion and marketing activities of goods, products and services; - to issue binding instructions and directives towards outsourcers, substantially corresponding to the instructions that the data controller must give to the manager; - to carry out control functions with respect to the work of outsourcers themselves ".

It has been noted that "It is ... always left to the owner, as an exercise of his own free faculty, the choice to make use of one or more subjects who, even in outsourcing, still carry out, even in practice, the typical activities of the manager ; if, however - as in the cases examined - the owner decides to do so, he will be required to ensure that the concrete attitude of the relationships also corresponds to their correct legal classification in terms of the protection of personal data. It follows that in such situations, in order for the related processing of personal data to comply with the regulations on the protection of personal data, it is necessary that the outsourcers, who ... already concretely operate, in fact, in the specific capacity of data processors according to the definition of the Code, also receive an express and formal designation to that effect, according to the provisions of art. 29 ".

As is known, the data controller's obligation to supervise the work of the latter derives from the designation of data processor. The new principles dictated by the Regulation frame the responsibilities of the data controller with a view to accountability and require all actors in the processing of personal data to behave proactively and coherently with the aim of proving, at every stage, the lawfulness of the same treatments.

In this regard, it has already been pointed out that "the entire system of the Regulation is supported by the accountability of the data controller. These, due to the fact that the personal data of the subjects contacted who have subscribed to the promotional offers are destined to flow into the company databases, should adopt particular guarantee measures in order to prove that the contracts and activations registered in their systems originate from contacts made in full compliance with the provisions on the protection of personal data, in particular those referred to in Articles 5, 6 and 7 of the Regulation relating to consent "(see provision no. 143 of 9 July 2020).

Sky therefore acting as owner also with reference to the so-called first phase of the promotional campaign should have verified that the subjects contacted had obtained the information and issued an appropriate consent to receive promotional SMS and were not included in the Company's BL. Subsequently, in the face of the "OK" expressed by the interested parties, Sky could have contacted the latter but, on the occasion of the contact, it should have provided the elements referred to in art. 14 of the Regulations and to acquire consent for promotional contact with a human operator, which on the basis of the documentation provided by the Company does not appear to have occurred.

In light of the above, Sky's responsibility for the violation of Articles 5 para. 1 and 2, 6, par. 1, 7, 14, as well as 28 and 29 of the Regulations, referred to in point 2) of the dispute.

2.2.3. With reference to the dispute referred to in point 3), Sky's arguments are accepted in the context of the exercise of the right of defense, which lead to the filing of the dispute regarding the violation of Articles 5, para. 1 and 2, 6 and 7 of the Regulations, in relation to telephone contacts made from numbers not attributable to the Company's sales network.

Indeed, the contact policy process described by Sky appears suitable to stem the phenomenon of illicit contacts and unwanted promotional calls from subjects unrelated to the Sky commercial network.

According to the aforementioned process, Sky, "unlike other companies ... centralizes on its system the lists for telemarketing activities to which the so-called telesellers log in to make calls, having opted for the adoption of a completely centralized system and process that arranges for the sorting of individual promotional calls to the various call centers: the personal data reside centrally on Sky systems (the so-called Reitek platform, in use since 2011, managed by Sky Italia), all calls addressed to interested parties are made by a single outgoing number ... and Sky defines and continuously checks the contact logics, guiding and verifying operations in terms of assigning contact to each teleseller / call center (ie, to the suppliers designated external managers) ".

As noted by the Company, the centralization of campaign management allows "(i) to guarantee a widespread and timely control of telesellers / call centers through the use of advanced monitoring tools, avoiding both the phenomenon of uncontrolled calls and that of unlisted calls, that of manual calls (ii) to centrally verify the effectiveness of the lists (iii) to monitor the progress of the outbound activities in real time (iv) to guarantee a centralized, homogeneous policy in the treatment of contact, binding call centers to comply with criteria relating to contact methods (call times, contact frequency, maximum number of contact attempts) (v) to always know and have constant evidence of having made calls or not (and to be able therefore at any time to prove that he has not carried out them and legitimately disavow them) ".

The centralization of the personal data appears, at least in the abstract, suitable for determining an operational and logical connection between the promotional phase and the subsequent registration phase of the contract and, therefore, to exclude that promotional contacts made outside the Company's sales network may result in subsequent contracts. registered in the Sky databases. To this must be added the circumstance that, on the basis of the information provided by Sky in the defense brief, the number of subjects contacted by numbers which were then denied by the Company must be considered completely irrelevant.

It is therefore believed that the violations contested in point 3) of the section can be archived.

2.2.4. With reference to the dispute referred to in point 4), Sky's arguments are accepted in the context of exercising the right of defense and it is believed that the disputes relating to the violations of Articles 5, 6, 7, 12, 13 and 21, on how to activate, release the information and revoke the "Call me now" service.

In fact, Sky represented that the "Call me now" service follows a well-defined procedure that allows a planned recontact of the prospect client directly through the Sky website (Call me Now Sky), or even following commercial agreements or partnerships (Call me now Partner).

From the documentation initially produced by the Company in response to the requests for information formulated by the Authority, it emerged the lack of ad hoc information in relation to the aforementioned service, as well as the lack of a system that would allow the user to interrupt the flow of calls resulting from his "click" on the "Call Me" button with equal ease. From the documentation subsequently produced in the defense brief, it emerged instead that the Company has prepared ad hoc information in relation to these services, which explains the operation, data processing methods and user recontact. Indeed, the information informs the user that, by activating the service, "Sky will call you back only once, following only the instructions you provided and will not proceed to further subsequent recontacts".

It follows that, since a "call flow" is not envisaged in this case following the user's request to be contacted again but "only one ... call", in this specific case, the procedure for deactivating the service appears proportionate. 'sending an e-mail.

Therefore, in the light of the defensive arguments of the Company, it is believed to be able to proceed, in relation to the alleged violations, to the archiving of those referred to in the aforementioned point 4).

2.2.5. With reference to the dispute referred to in point 5), the existence of the contested violation of Articles 5, 6, 7, 12 par. 2 and 21 of the Regulations, for having made a promotional contact despite the interested party having exercised the right of opposition through the address p.e.c. official of the Company and, therefore, for not having adopted a system that "facilitates the exercise of the rights of the interested party" including the right to object (this violation appears to be attributable to a critical system as also found in the file no. 155336).

In general, it must be assumed that the strengthening measures adopted by the Company "with the addition of the pec skyitalia@pec.skytv.it to the channels that can be used by the interested party ... the strengthening of the sorting automatism in use [as well as] actions training courses dedicated to the personnel dedicated to the management of the certified e-mail account "certainly demonstrate the spirit of collaboration of the Company with this Authority.

The investigation relating to file no. 155336 pointed out that Sky did not respond to the complainant's requests, stating that he would have addressed his letters to an incorrect certified e-mail address. However, it was observed that the address p.e.c. skyitalia@pec.skytv.it, used to convey the complainant's request, corresponds to a certified e-mail user of the Company (also indicated as the official contact address in the business register). Therefore, the failure to reply to a letter duly received by e-mail certified in the corporate systems was considered completely unjustified (see, among other things, provision no.224 of 12 November 2020, in www.gpdp.it, doc . web n. 9485681).

The procedure implemented by Sky to allow interested parties to oppose promotional contacts, if not accompanied by a verification of the main Sky communication channels (i.e. the Company's certified e-mail address), is not suitable for providing users with any useful contribution.

It should also be noted that, not only has the Company failed to "promptly" manage the request to exercise the rights sent to the address p.e.c. of the Company, but the fact that the request for opposition of the interested party was registered and managed after seven months and only after the request for information formulated by the Authority, raises doubts regarding the management of all requests to exercise the rights addressed to the Company through the pec indicated in the business register.

The fact that Sky has not taken into account the objections received through the address p.e.c. official of the Company and, therefore, has not adopted a system that "facilitates the exercise of the rights of the interested party" including the right to object, or has made promotional contacts in the absence of the necessary condition of lawfulness, constitutes a violation of the related provisions of the Regulation, contained in Articles 5, 6, 7, 12 par. 2 and 21.

3. CONCLUSIONS

For the foregoing, Sky's responsibility is deemed to be ascertained for the following violations:

1. violation of articles 5, para. 1 and 2, art. 6, par. 1 and art. 7, 14, 21 of the Regulations for having Sky processed personal data for promotional purposes of its products and services, in the absence of the required consent and appropriate information; for not having carried out checks on the contact lists acquired from third parties; for the failure to correctly register the oppositions (see, among other things, files nos. 131703, 135014, 134205, 135070, 135511, 136291, 140229, 147537);

2. violation of the provisions of art. 5, para. 1 and 2, art. 6, par. 1, 7, 14, 28 and 29 of the Regulation in relation to the violation of the accountability principle and the provisions on consent as well as, due to failure to verify the legitimacy of data communication by Wind Tre S.p.A. to Brands Up; for failure to check the information provided by suppliers to interested parties at the time of first contact; for not having correctly appointed the suppliers as data processors; for not having adopted procedures for filtering the contact lists that remained in the availability of the person who carried out the promotional contacts (the violation concerns the conduct referred to in paragraph 2.2., as well as files nos. 133373, 135620, 136731, 142746, 135535 , 152391, 139142 and 156682);

3. violation of art. 5, 6, 7, 12 par. 2 and 21 of the Regulations, for having made promotional contacts in the absence of the necessary prerequisite of lawfulness; for not having taken into account the objections received through the address p.e.c. official of the Company and, therefore, for not having adopted a system that "facilitates the exercise of the rights of the interested party" including the right to object (this violation appears to be attributable to a critical system as also found in the file no. 155336).

Having ascertained the unlawfulness of the Company's conduct with reference to the treatments examined, it is necessary:

- with reference to the violation referred to in point 1), to impose, pursuant to art. 58, par. 2, lett. f) of the Regulations, to Sky Italia S.r.l. the prohibition of any further processing for promotional and commercial purposes carried out through lists acquired from third parties in the absence of effective checks on the consent to the communication of data, the release of suitable information at the time of first contact and the acquisition of consent for promotional communications made by a human operator;

- with reference to the violation referred to in point 2), prescribe to Sky Italia S.r.l., pursuant to art. 58, par. 2, lett. d) of the Regulations, to adapt the telemarketing treatments in order to provide that the promotional contacts carried out through the partners / suppliers are preceded by the designation of the same as responsible for all phases of the treatment;

- with reference to the violation referred to in point 3), prescribe to Sky Italia S.r.l., pursuant to art. 58, par. 2, lett. d) of the Regulations, to facilitate the exercise of the right of opposition by including the p.e.c. indicated in the business register.

- adopt an injunction order, pursuant to Articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for application against Sky Italia S.r.l. of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5, of the Regulation.

4. ORDER-INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to Articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for application against Sky Italia S.r.l. of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5 of the Regulations (payment of a sum up to Euro 20,000,000.00 or, for companies, up to 4% of the annual worldwide turnover of the previous year, if higher).

For the determination of the maximum edictal of the pecuniary sanction, it is considered necessary to refer to the turnover of Sky Italia Srl, in accordance with the previous provisions adopted by the Authority, and therefore to have to determine this maximum edict, in the case in question, in Euro 131,853,063.00.

To determine the amount of the penalty, the elements indicated in art. 83, par. 2, of the Regulation.

In the case in question, the following are relevant:

1. as an aggravating factor, the seriousness of the violations (Article 83, paragraph 2, letter a) of the Regulation) with reference to the complaints referred to in points 1), 2), which refer to "systemic conduct ”Therefore rooted in corporate procedures;

2. as an aggravating factor, the significantly negligent nature of the conduct (Article 83, paragraph 2, letter b) of the Regulations), given that Sky's constant interlocutions with the Authority and the Company's presence on the market for many years they should have allowed it to acquire a sufficient background of experience and competence to adopt basic choices more in line with the law;

3. as a mitigating factor, the measures adopted by the Company to mitigate the effects of the contested conduct (Article 83, paragraph 2, letter c) of the constructive in dealing with the changes dictated by the Regulations;

4. as a mitigating factor, cooperation with the Authority (Article 83, paragraph 2, letter f) of the Regulation) during the preliminary investigation, also due to the size of the Company and the complexity of the treatments, so that a concrete collaboration made it easier to carry out the investigation activities, especially in the delicate period of pandemic emergency.

Based on the set of elements indicated above, and the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1, of the Regulation, and taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, in the initial application of the administrative pecuniary sanctions provided for by the Regulation, also in order to limit the economic impact of the sanction on the organizational, functional and occupations of the Company, it is believed that it should apply to Sky Italia Srl the administrative sanction for the payment of a sum of Euro 3,296,326.00 equal to 2.5% of the maximum legal sanction.

In the case in question, it is believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the invasiveness of treatments with a human operator in the context of telemarketing as well as the high number of subjects potentially involved in the treatments examined.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL OF THIS GIVEN THE GUARANTOR

a) requires Sky Italia S.r.l., pursuant to art. 58, par. 2, lett. f) of the Regulations, the prohibition of any further processing for promotional and commercial purposes carried out through lists acquired from third parties in the absence of checks on the consent to the communication of data, the release of suitable information at the time of first contact and acquisition consent for promotional communications made by a human operator;

b) prescribes to Sky Italia S.r.l., pursuant to art. 58, par. 2, lett. d) of the Regulations, within 30 days from the notification of this provision, to adapt the telemarketing treatments in order to provide that promotional contacts carried out through partners / suppliers are preceded by their designation as responsible for all phases of the treatment;

c) prescribes to Sky Italia S.r.l., pursuant to art. 58, par. 2, lett. d) of the Regulations, within the same term referred to in point b), to facilitate the exercise of the right of opposition by providing, among the channels for receiving the related requests, also the p.e.c. indicated in the business register.

d) orders Sky Italia S.r.l., pursuant to art. 157 of the Code, to communicate to the Authority, within the same term indicated above, the initiatives undertaken in order to implement the provisions and prohibitions adopted; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by art. 83, paragraph 5, of the Regulation.

ORDER

to Sky Italia Srl, in the person of its pro-tempore legal representative, with registered office in Milan, Via Monte Penice 7, VAT number: 04619241005, to pay the sum of Euro 3,296,326.00 (three million two hundred ninety-six thousand three hundred twenty-six / 00) as a pecuniary administrative sanction for the violations indicated in the motivation, representing that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute, with the fulfillment of the prescribed requirements and the payment, within thirty days, of an amount equal to half of the sanction imposed

INJUNCES

to the aforementioned company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 3,296,326.00 (three million two hundred ninety-six thousand three hundred twenty-six / 00), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive deeds pursuant to art. 27 of the law n. 689/1981

HAS

the application of the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, considering at the same time that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to art. 152 of the Code and 10 of Legislative Decree n. 150/2011, against this provision, opposition may be proposed to the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is based, within thirty days from the date of communication of the provision itself. .

Rome, September 16, 2021

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE SECRETARY GENERAL
Mattei









   function printDiv (divIdToPrint, title)
    {
var divToPrint = document.getElementById (divIdToPrint);
var newWin = window.open ('', 'Print-Window');
newWin.document.open ();
newWin.document.write ('<html> <body onload = "window.print ()"> <img style = "width: 100%;" src = "/ o / guarante-privacy-theme / images / topdoc.gif "/> <h2 class =" internal-title "> '+ title +' </h2> '+ divToPrint.innerHTML +' </body> </html> ');
newWin.document.close ();
setTimeout (function () {newWin.close ();}, 10);
  }






SEE ALSO PRESS RELEASE OF OCTOBER 19, 2021

[doc. web n. 9706389]

Order injunction against Sky Italia S.r.l. - September 16, 2021

Record of measures
n. 332 of 16 September 2021

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC (General Data Protection Regulation, hereinafter the "Regulation");

GIVEN the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n.196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000, adopted by resolution of June 28, 2000;

SPEAKER Prof. Ginevra Cerrina Feroni;

1. THE INVESTIGATION ACTIVITY CARRIED OUT

1.1. Premise

With act no. 19846/21 of 13 April 2021 (notified on the same date by certified e-mail), which here must be understood as fully referred to and reproduced, the Office has started, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation towards Sky Italia S.r.l. (hereinafter “Sky” or “the Company”), in the person of the pro-tempore legal representative, with registered office in Milan, Via Monte Penice 7, VAT number: 04619241005.

The proceeding originates from a complex investigation launched by the Authority following the receipt of several dozen reports and complaints sent by interested parties who complained, and still complain today, continuous unwanted telephone contacts made by Sky and its sales network to promote telephone and internet services offered by the same.

From August 2020 to January 2021, Sky was the recipient of two cumulative requests for information (prot. Nos. 30003/20 and 3005/21) relating to 37 files, in addition to the complaints submitted pursuant to art. 77 of Regulation (EU) 2016/679 (hereinafter the "Regulation") that the Guarantor handled, in the preliminary phase, individually and the reports received after the latest requests for information.

1.2. Challenge of administrative violations

Having examined the first feedback provided by the Company, the Office, pursuant to art. 166, paragraph 5, of the Code, adopted the act of initiation of the procedure referred to in the introduction, with which it challenged Sky:

1. the violation of articles 5, para. 1 and 2, art. 6, par. 1 and art. 7, 14, 21 of the Regulations for having Sky processed personal data for promotional purposes of its products and services, in the absence of the required consent and appropriate information; for not having carried out checks on the contact lists acquired from third parties; for the failure to correctly register the oppositions (see, among other things, files nos. 131703, 135014, 134205, 135070, 135511, 136291, 140229, 147537);

2. the violation of the provisions of art. 5, para. 1 and 2, art. 6, par. 1, 7, 14, 28 and 29 of the Regulation in relation to the violation of the accountability principle and the provisions on consent as well as, due to failure to verify the legitimacy of data communication by Wind Tre S.p.A. to Brands Up; for failure to check the information provided by suppliers to interested parties at the time of first contact; for not having correctly appointed the suppliers as data processors; for not having adopted procedures for filtering the contact lists that remained in the availability of the person who carried out the promotional contacts (the violation concerns the conduct referred to in paragraph 2.2., as well as files nos. 133373, 135620, 136731, 142746, 135535 , 152391, 139142 and 156682);

3. violations of articles 5, para. 1 and 2, 6 and 7 of the Regulation, in relation to the processing of personal data carried out for promotional purposes of its products and services, carried out in the absence of the required consent (file nos. 134528 and 135584);

4. violation of articles 5, 6, 7, 12, 13 and 21, in relation to the methods of activation, release of the information and revocation of the "Call me now" service (file no. 153251);

5. violation of art. 5, 6, 7, 12 par. 2 and 21 of the Regulations, for having made promotional contacts in the absence of the necessary prerequisite of lawfulness; for not having taken into account the objections received through the address p.e.c. official of the Company and, therefore, for not having adopted a system that "facilitates the exercise of the rights of the interested party" including the right to object (this violation appears to be attributable to a critical system as also found in the file no. 155336).

The aforementioned disputes were formulated by the Office on the basis of the observations that are summarized below.

1.2.1. As for the dispute referred to in point 1), the violation of Articles 5, para. 1 and 2, art. 6, par. 1 and art. 7, 14, 21 of the Regulations in relation to promotional contacts made by Sky on the basis of contracts for the transfer of personal data signed with other companies (hereinafter the "Third Parties").

In particular, when responding to requests for information, the Company stated, among other things, that (i) the whistleblower received the unwanted contact as "he has given an independent data controller ... consent to the transfer of data personal to third parties for marketing purposes "; (ii) "Sky has signed [with" autonomous holder "] a contract concerning the transfer of personal data ... by virtue of which it received the consented contact of the [reporting person]"; (iii) the Company would therefore have “legitimately contacted [the reporting person] on the basis of consent… Sky has therefore not carried out any unlawful processing of personal data”.

In this regard, it was noted that the communication of data from owner (the Third Party) to owner (Sky) must be supported by the prescribed consent, a circumstance that has been confirmed by the Company, while the subsequent treatments of which Sky is the owner, had to be preceded by suitable information, pursuant to art. 14 of the Regulations, made at the latest during the first promotional contact.

With reference to the consents issued by the interested parties for the communication of their data to Sky, it was noted that the Company did not notify the Authority of the procedures subsequent to the acquisition of the contact lists from third parties, nor if random checks had been carried out. on the consents issued by the interested parties or if the lists had been subject to deduplication with respect to the Register of oppositions and their own black-lists.

In addition, the repeated phone calls made also to subjects who have declared that they have expressed their opposition to the processing to the call-center operators, have led the Authority to believe that Sky has not correctly registered the objections as expected.

1.2.2. As for the dispute referred to in point 2), the violation of Articles 5, para. 1 and 2, art. 6, par. 1, 7, 14, 28 and 29 of the Regulation in relation to promotional contacts made by Wind Tre S.p.A. and by other autonomous owners to promote Sky's services.

In particular, in relation to some reports, the Company stated, inter alia, that:

- the whistleblowers received direct contact to promote Sky services as they "gave their consent to Wind Tre S.p.A for third party marketing purposes";

- Sky has signed a contract with "the supplier Brands Up s.r.l. ... to carry out Advertising activities with the Telephone Operator Wind Tre S.p.A. for Consent Customers ";

- "Brands Up acts on behalf of Wind Tre SpA, as independent data controller", from which it is "authorized to (i) enter into agreements concerning the carrying out of promotional campaigns regarding third party products or services via SMS or MMS sent by Wind Tre to Wind Tre customers who have given appropriate consent; as well as to (ii) communicate to independent third parties the data of those who have given their consent to Wind Tre to be contacted by third parties for the promotion of third party products or services ";

- the promotional contacts received from the aforementioned reporting entities are "therefore a promotional [contact] sent by Wind Tre S.p.A. as independent data controller, to which the [reporting person] will eventually have to address his complaints ";

- not having the aforementioned reporting "consented to be contacted by third parties for the promotion of third party products or services, his contact was not communicated by Brands Up to Sky, which therefore did not enter it in its prospect database and did not contact her ".

Similarly, in relation to other reports (see, among other things, files nos. 135535, 152391 and 139142 referred to in the first finding and file no. 156682), the Company noted, among other things, that :

- "Sky has signed a contract with ... supplier [i] [including Indicta S.r.l. and R&D Communication S.r.l.] to carry out 'Advertising' activities through SMS on the customers "of the supplier;

- the whistleblowers "has [nno] received an SMS aimed at promoting Sky's services ... as they have given [the Sky provider] their consent for promotional purposes";

- these suppliers, “acting as [i] independent [i] data controller, carry out [no] advertising campaigns to promote the signing of Sky television contracts. This activity consists of (i) sending SMS to a target of customers [of the supplier] who have given appropriate consent; as well as (ii) in the communication to Sky of the data of those who have given their consent [to the supplier] to be contacted by Sky ";

- not having the aforementioned reporting "consented to be contacted by third parties for the promotion of third party products or services, [their] contact was not communicated to Sky, which therefore did not enter it in its prospect database and did not contacted her ".

Finally, in the report filed against Sky and Ediscom S.p.A. (file no. 156682), the latter argued that:

- “Your data was collected by the company 6 Safe Spa, the Data Controller. … EDISCOM SPA managed the data for this company, as Data Processor, in accordance with the consent to the transfer to third parties and to the marketing communications issued by you to the Data Controller during the registration of your data… on the website www.chiarezza. it ";

- "On this occasion, the interested party gave his specific consent to receive commercial and / or promotional information from both Chiarezza and third-party companies (so-called direct marketing and / or third party purposes)";

- "Ediscom, ... sent you an information campaign on behalf of Sky, your data was passed to the latter only after clicking on the link bearing the following wording: 'Click {shortlink} to be contacted by Sky ".

In this regard, the Company added that "Sky Italia has not communicated your data to any company or to the Ediscom company in order to send the text message you reported. Ediscom, as indicated directly by the company itself, therefore acted as manager of independent third party owners ".

It was highlighted that, in the case in question, despite being the "advertising campaign ... directed by Wind Tre to [its] Consent Customers", the latter concerns "the promotion of a Sky offer". It follows that, precisely because of its fundamental role as "client", Sky cannot exempt itself from the burden of adequately supervising the work of the aforementioned suppliers. In this sense, the Company should have verified, among other things:

- the legitimacy of the communication of data by Wind Tre S.p.A. to Brands Up;

- that the information provided by the suppliers to the interested parties at the time of the first contact was clear regarding the triple relationship and the parties involved in the processing of your personal data (i.e., the supplier, Wind Tre and Sky).

As regards Sky's thesis according to which, in the aforementioned cases, the suppliers would act "as [the] autonomous [i] holder [i] of the treatment", the attached documentation shows that, if "the Customers, upon receipt of the communication advertising via SMS / MMS "send" an SMS with text 'OK' to a number [of the supplier] to be contacted by SKY ", after" the release of the aforementioned consent by the Customers, [the supplier] undertakes to communicate to SKY the mobile phone number… of the Customers who have authorized to be contacted by a SKY telephone operator for the promotion of the Offer ".

It follows that, both at the time of the acquisition of the personal data lists, and at the time of data communication to Sky, the suppliers are permanently included in the processing carried out by Sky and this the Company should have taken into account to define, also on the basis of the provisions of art. 28 and 29 of the Regulation, the distribution of responsibilities to these subjects and to itself.
In addition, it was disputed that the Company has not demonstrated - as it should have, since it was the client of the treatments in question - that it has put in place filtering procedures for the contact lists remaining in the availability of the subject who made the first promotional contacts. , possibly communicating to the latter its own black-list.

Specifically, Sky did not clarify the procedure adopted for the formation of the lists of numbers potentially contactable by the suppliers, nor did it specify, among other things, how often these lists are updated and the procedures adopted to exclude the inclusion of numbers in the list. contactable (for example, numbers in the opposition register, numbers that cannot be contacted due to the withdrawal of consent, etc.).

1.2.3. As for the dispute referred to in point 3), the unlawfulness of some promotional contacts made by Sky for promotional purposes of its products and services, made through the use of numbers not included, was found in the act of initiation of the procedure. in the Company's sales network and in the absence of the required consent.

1.2.4. With regard to the dispute referred to in point 4), relating to the methods of activation, release of the information and revocation of the "Call me now" service, some critical issues were highlighted that emerged, in the light of the information available, from the procedure described by Sky.

In particular, from the documentation produced by Sky in response to the requests for information formulated by the Authority, it emerged the lack of ad hoc information in relation to the aforementioned service, in which the functioning of the service was explained, the methods of treatment of personal and contact details of the user. In addition, there was a lack of a system that would allow the user to interrupt the flow of calls resulting from his "click" on the "Call me back" button with equal simplicity.

1.2.5. As for the dispute referred to in point 5), in the act of initiation of the procedure some critical issues were highlighted regarding the failure to adopt a system that "facilitates the exercise of the rights of the interested party" including the right to opposition. In particular, it emerged that Sky did not take into account the objections received through the address p.e.c. official of the Company (indicated in the Business Register), making subsequent promotional contacts in the absence of the necessary prerequisite of lawfulness.

2. DEFENSIVE OBSERVATIONS AND AUTHORITY ASSESSMENTS

2.1. The defense brief and Sky's hearing

On May 13, 2021, Sky sent the Authority the defense brief required by art. 166, paragraph 6, of the Code. Under the same provision, on May 25, 2021, the hearing requested by the party for which a specific report was drawn up was held via videoconference. Both documents are to be understood here, for the protection of the party, in full and reproduced.

The Company first intended to provide a general overview on the processing of personal data and on its "business philosophy", representing that it has always raised its compliance standards to the maximum protection of personal data and specifying that, even before the start of the procedure in question, radically changed its marketing strategies, massively reducing the number of calls addressed to prospect subjects contacted for promotional purposes. Sky then highlighted that, among the cases examined, “only n. 19 are explicitly challenged in the Proceedings and, in any case, refer to conduct allegedly carried out in the time period from 2018 to 2021 and ... dating back over time and no longer current: precisely, n. 2 of 2018, n. 12 in 2019, n. 4 of 2020 and no. 1 of 2021… about 97% of reports and complaints less than the average of companies comparable to this ". Finally, the Company focused on the individual disputes.

2.1.1. With regard to the promotional contacts made by Sky on the basis of the contracts for the transfer of personal data signed with third parties (see point 1 of the dispute), the Company represented the following.

In the first place, Sky noted that “the Accountability principle does not require [e] the data controller (Sky) to carry out checks on the compliance of the processing carried out by another data controller”. According to Sky, "to consider that there is a timely burden of verification and control by the transferee (Sky) with respect to all the numerous individual contact details given by the business partner, constitutes, on the one hand, an impossible, unreasonable operation and contrary to the principle of free circulation of data sanctioned by art. 1 of the Regulation, on the other hand, it constitutes an operation not required by current legislation on the protection of personal data ". Sky noted that the Regulation prescribes a series of obligations for the data controller "only when he decides to make use of managers entrusted with processing tasks on behalf of the data controller" while "no prescription, not even in terms of control or supervision, it is sanctioned in the case in question, in which Sky (transferee) purchases a list of data that can be contacted by a different third party owner ". According to Sky, “the partners must be qualified as autonomous owners - and not as responsible - as these third parties act according to the methods and purposes established by them… they are… therefore called to answer exclusively for their treatment pursuant to art. 82 of the Regulations, with the consequent extraneousness of Sky which is not required to check its work ... nor to exchange its own Blacklist "(BL).

In support of its thesis, Sky recalled the Authority's provisions of May 29, 2003, July 4, 2013 and May 9, 2018, arguing "that they explicitly admit the lawfulness of the processing of autonomous data controllers who communicate data to third parties for marketing purposes , provided that information is provided and consent to the transfer is obtained ".

The Company noted:

- to have demonstrated the lawfulness of the processing and that this would be "attested ... expressly by Sky's contracts with third parties ... by the information provided by the third parties to the interested parties who correctly mention the transfer of data to third parties ... as well as by the consents already documented";

- to have “in any case carried out random checks on the consents collected”. In particular, during the hearing, Sky specified that it had given rise to "16 third-party audits" from 2013 to June 2021;

- to “check [re] with the BL all the prospect lists (including the personal data coming from the sale of lists by third parties, which are physically acquired through ftp download on the list provider's systems). These lists are then filtered with the BL, fragmented and made available for the campaign through the various call centers, also with updates during the campaign. A similar activity is performed on the campaign side towards customers, filtering those who have revoked their consent to commercial contact ";

- that "by its own independent business decision, starting from the beginning of 2020 ... does not currently make use of the activity of sales of prospect master data by third parties autonomous holders of Data Base treatment consented to data transfer (" Leads ") for third party marketing purposes ('Leads Transfer') ". The violations for "promotional contacts made by Sky on the basis of data transfer agreements by third parties", would therefore not be attributable to Sky, "also pursuant to art. 14 par. 5 Regulation of the Guarantor n. 1/2019 ".

Secondly, Sky contested "the failure to provide the information pursuant to art. 14 of the Regulations, as the information was provided on first contact (Attachment 25_Evidenza B - Attachments 04, 14.2, 21.2, 27, 37.2, 48, 62) "and added that" no responsibility can be ascribed to Sky in relation to information provided by the data controller who transferred the data lists, as Sky does not have (and cannot have) any control over the data processing carried out by the transferring owner, who is solely responsible pursuant to art. 24 of the Regulation ".

Furthermore, the Company contested that Articles 6 and 7 of the Regulation, "as the existence of the conditions of lawfulness of the processing and of the consent in this case must necessarily be verified in relation to the data controller who has transferred the data lists, guaranteeing the existence of the conditions of lawfulness of the treatment and consent of the data subjects sold ".

Finally, Sky contested what was stated by the whistleblowers in files nos. 131703, 135014, 134205, 140229, 135070, about the number of calls allegedly received, highlighting that "the number of calls never exceeded 3 per campaign ... in line with Sky's Contact Policy (Annex 17) and respectful of the interested party ".

2.1.2. Regarding the promotional contacts made by Wind Tre S.p.A. and by other autonomous owners to promote Sky's services (see point 2 of the dispute), the Company represented the following.

In the first place, Sky underlined that "the assumption ... according to which 'the client cannot exempt himself from the burden of adequately supervising the work of the suppliers' cannot disengage from the prior identification of the subject who determined the means and purposes of the treatment". According to Sky, it is necessary to "examine the legal relationships between the parties in question ... distinguishing the cases in which the partners perform legal acts as independent data controllers, albeit in the interest of Sky, compared to cases in which the partners are entrusted with processing operations by the latter pursuant to art. 28 of the Regulation ". Specifically, "the classification of each person ... can never be the result of a mere automatism (promote my service so you are my manager)" and it would be "completely irrelevant whether or not there is any economic interest underlying the operation , as well as the commissioning or not of the promotional companions is irrelevant ".

Sky clarified that "Ediscom S.p.A. partner of Indicta S.r.l. (file n.152391, n.135535) and R&D Communication Srl (file n.139142), with which Sky has entered into contracts concerning the commercial promotion of its services, act as independent data controllers in consideration of the autonomy with which carry out the contractually agreed activities and precisely collect approved third party marketing data in their databases, organize and use them for their specific and autonomous purposes, as well as send promotional sms to interested parties who have previously been informed and approved third party marketing, for their own autonomous purposes. and without receiving any instructions from Sky, in the face of adequate information and specific consent of the interested party to third party marketing .... In other cases ... instead the configuration of the relationships identified by the Guarantor corresponds to the reality of the processing of personal data put in place in the context of promotional activities on behalf of Sky. This is the case of Brands Up s.r.l. (files n. 136731, n. 135620, n. 142746, n. 133373) and Ediscom s.p.a. (files n.15668 and n. 152391) who, vis-à-vis Sky, operate as data processors pursuant to art. 28 of the Regulation with reference to the treatment consisting of (i) in the collection, (ii) in the historicization of the consent to the processing of personal data provided by the interested party to know the Sky offers and (iii) in the communication to Sky of the contact details of the consented prospects ".

Sky then summarized as follows:

- "the partners ... classified as autonomous owners, deal, among other things, with processing consisting of (i) collecting consented third party marketing data in their databases, organizing them and using them for their specific and autonomous purposes, as well as (ii) in transmitting promotional sms to interested parties previously informed and consented to third party marketing, for their own autonomous purposes and without receiving any instructions from Sky, in the face of adequate information and specific consent of the interested party to third party marketing.

- the suppliers ... classified as external managers, on the other hand, deal with the processing consisting of (i) collecting, (ii) historicizing for consent to know Sky's offer and (ii) communicating to Sky the data consented to re-contact and for this purpose they strictly follow Sky's instructions ”.

By applying these principles to the present cases, according to Sky, "the third parties (eg Wind 3, Ediscom and R&D) collect data and campaign their own database which is allowed for third party marketing according to logics - both technical and organizational, purposes and methods of all autonomous and distinct, as well as unrelated to Sky and only defined by the third party. They are therefore, peacefully, autonomous owners pursuant to art. 4 Regulation, therefore called to answer exclusively for their treatment pursuant to art. 82 Regulations. With consequent strangeness of Sky which is not required to control its privacy treatments, much less to exchange its BL with said subjects ... Instead, third parties such as Brands UP carry out Sky's instructions in carrying out the processing of user data that they click OK on the SMS to find out about Sky's offer, gathering the relative consents to re-contact, historicizing them and passing them to Sky on a format defined by Sky itself. These subjects therefore do not have autonomy for these activities and are contracted with a contract that binds the supplier. They are therefore clearly responsible for the processing pursuant to art. 28 of the Regulations, and therefore duly contracted and controlled by Sky ". This would be in line, among other things, with the Authority's provisions of 9 May 2018 and 15 June 20211.

2.1.3. With regard to the receipt of promotional calls by Sky in the absence of prior consent from the reporting party (see point 3 of the dispute), the Company stated that "the contact processes of the interested parties have been defined by Sky in compliance with provisions of the law regarding the protection of personal data ".

Specifically, "Sky does not entrust lists for telemarketing activities to telesellers, having opted for the adoption of a completely centralized campaign management system and process, which arranges for individual promotional calls to be sorted to the various call centers: reside centrally on Sky systems (the so-called Reitek platform, in use since 2011, managed by Sky Italia), all outbound calls addressed to prospects are made by a single outgoing number ... and Sky defines and continuously checks the contact logics, guiding and verifying operations in terms of contact assignment to each teleseller / call center ".

Sky specified that "the Reitek platform, moreover, has been designed from the outset with a view to privacy by design" as it "generates outbound calls and distributes the call and not the contact to telephone customers. The operator receives the call through the headset, the telephone number is obscured on the receiving screen and the contact cannot be managed independently, as the rules are dictated by the Sky telephone exchange ".

With regard to the frequency of contacts, the configuration of the centralized platform provides that "(i) a numbering enters the campaign once a quarter and that within the same campaign can be called up, in case of no contact, for a maximum of 7 attempts (for no more than 2 attempts per day, if the interested party does not respond); and (ii) that he can be contacted from Monday to Friday from 9:30 am and on Saturday from 9:30 am to 6 pm, excluding weekends and public holidays. Therefore, a user will be able to receive a maximum of n. 28 call attempts per year ".

Therefore "the centralization of campaign management ... therefore guarantees maximum control over calls, prevents the entrusting of lists to telesellers and excludes, from the outset, the phenomenon of unlisted calls, giving guarantee and proof of calls made and those disowned in anything not referable to Sky ".

2.1.4. As for the methods of activation, release of the information and revocation of the "Call me now" service, (see point 4 of the dispute), the Company has represented the following.

Preliminarily, Sky briefly described the ways in which prospect recontact initiatives on Sky can take place: in the case of "Call Me Now", the recontact takes place "directly with one's own landing page" (file no. 153251, object of dispute), where, in the case of Call Me Now Partner, this occurs "as a result of commercial agreements or partnerships". In particular, "In the case of Call Me Now Partner, the suppliers / partners transmit, in their capacity as i) autonomous Data Base holders consented to the marketing of third party products, or ii) external managers appointed by third parties Data Base holders consented to marketing of third-party products for carrying out promotional activities, or iii) intermediaries, autonomous owners, of Sky promotional content to third-party owners of Data Base consented to third-party marketing, third-party commercial communications (including Sky) via DEM or SMS , agreed with Sky, in order to promote offers on Sky products / services ". If the recipient of the DEM or SMS is interested in Sky's offer, he will provide the supplier / partner - appropriately appointed as Sky's data processor with an appropriate Appointment Deed - consent to be contacted by telephone by Sky and Sky may contact him for that specific offer '”.

Sky then underlined that, in both processes, the information provides that "Sky will call back only once" and that "the interested party can always prevent the call by revoking his consent and exercising his right to object ... by sending a request to Sky Italia srl ".

2.1.5. As for the management of the rights of the interested party (see point 5 of the dispute), the Company represented the following.

In the case object of the proceeding (file no. 155336), which according to Sky "derives from a continuous change of opinion of the interested party ... through manifestly excessive requests, in particular due to their repetitive nature", the Company "has in any case registered the opposition of the interested party by inserting it in BL ". The process of managing the rights of the interested party adopted by Sky provides that "Where communications are sent to incorrect channels and not expressly dedicated to privacy, eg. via certified email, it is in any case managed directly by the Protocol function which ... manually sorts the remaining certified e-mails, if not directly assigned by the software ". The Company added that, following the complaint subject to this proceeding, the aforementioned procedure was "further strengthened" with the addition, among other things, "of the sorting automatism in use, which today takes into account in the first classification of communications of major privacy keywords ".

Finally, the Company (i) invoked the defenses regarding the individual disputes; (ii) briefly described the "further measures to improve its processes and mitigation" adopted by Sky to demonstrate its desire to "strengthen and improve its processes and systems"; (iii) reiterated that "the reports in the deeds ... are few and date back over time" and that, therefore, "at most, if ascertained, the conduct may involve a mere warning".

2.2. Considerations in fact and in law

2.2.1. With reference to the dispute referred to in point 1), the existence of the contested violation of Articles 5, para. 1 and 2, art. 6, par. 1 and art. 7, 14, 21 of the Regulation in relation to the reports referred to in files nos. 131703, 135014, 134205, 135070, 135511, 136291, 140229 and 147537.

In general, it must be assumed that the strengthening measures adopted by the Company and the additional initiatives undertaken - including the interruption, starting from the beginning of 2020, of the sale of prospect data by third parties independent holders of the Data Base processing consented to the transfer of data for third party marketing purposes - certainly demonstrate the awareness by the latter of the seriousness of the phenomenon of illicit promotional calls, and the will to stem it.

However, the limits and criticalities encountered with regard to some of the procedures adopted by Sky cannot fail to be highlighted.

First of all, with reference to the processing of personal data carried out by Sky after the acquisition of the contact lists from third parties, it is noted that, if the consent given by the interested parties to the aforementioned third parties constitutes an appropriate legal basis for the communication of data by the owner (the Third Parties) to the owner (Sky), this does not apply in relation to the subsequent processing by virtue of which Sky then contacted the interested parties.

The simplification regime provided for by the aforementioned provision of the Authority of 4 July 2013 according to which "if the interested party gives ... consent for communication to third parties, these may carry out promotional activities for him with the automated methods referred to in 'art. 130, paragraphs 1 and 2, without having to acquire a new consent for the promotional purpose "or, if" the other elements provided for in art. 13 of the Code ", they will be able to carry out promotional activities towards you without issuing" further information to the interested parties ", refers exclusively to" promotional activities with the automated methods referred to in art. 130, paragraphs 1 and 2 ". It follows that Sky, for promotional activities carried out through contacts with human operators, cannot make use of the simplification regime provided for by the 2013 provision, but, during the promotional contact, it must provide its own information, which contains, among other things, , also elements regarding the origin of the personal data communicated to the Company (so that each interested party can also contact the person who collected and communicated them to oppose the processing) and only after having acquired the consent can he proceed to make the proposal promotional. This, however, is what is obtained from the combined provisions of Articles 6, 7 and 14, par. 3, lett. b) of the Regulation.

In the present case, the Company has not demonstrated that it has provided the interested parties, recipients of promotional contacts by a subject to whom they had not expressly given consent to the processing of data for promotional purposes, with suitable information to make them aware, among other things, "that the data was collected from third parties and indicating the original owner of the data", allowing him, for example, to revoke the consent originally given to the third party.

In particular, the script produced by Sky refers to the hypothesis of contact of people present in the Sky databases or in the telephone directories ("Sky name" and "name extracted from telephone directories") and does not contain any indication regarding the case in question. in which Sky made promotional contacts on the basis of contracts for the transfer of personal data signed with third parties. Nor is this shown in attachment 14 to the defense brief, a document containing a privacy prospect disclosure in which, although it is explicitly stated that the Company uses data "provided to Sky by third-party companies to which [the interested party] has given specific consent for the transfer of the .. data for marketing purposes to companies belonging to the product categories indicated in the privacy information provided to you by these third-party companies ", the exact origin of the data has not been clarified and it is also not clear on what occasion and how this information would be communicated to the interested party, since it is a document that consists of 5 pages and whose full reading by the operator during a promotional telephone contact cannot be seriously taken into consideration as an ordinary method of fulfillment of the provisions of art. 13 and ss. of the Regulation.

Secondly, with reference to the acquisition of the contact lists from third parties, it is not considered possible to agree with Sky's orientation according to which the latter would not be required to verify the correct acquisition by the same third parties of the consent for the communication of data or to carry out skimming operations of the aforementioned data with respect to those included in its black lists.

On the contrary, given that the promotional campaign is aimed at promoting Sky services, once the contact details have been received from third parties, it is Sky's responsibility to verify that the subjects who are contacted are "consensus" and, more importantly, they are not people who have expressed an unequivocal desire to oppose promotional contacts relating to the Company's products and services. If this were not the case, the rules relating to the right of opposition for promotional-advertising treatments could be easily circumvented, since the withdrawal of consent made towards a holder would not result in the termination of promotional contacts. This, in addition to determining a legally illogical result (the emptying of the right to object), would entail the further serious consequence that the interested party could no longer control the fate of his data, given that not even a clear opposition to promotional contacts addressed to a owner could lead to the definitive termination of such contacts.

As for the measures referred to by the Company (provision no.280 of 9 May 2018, web doc. 9025666 and general provision of 29 May 2003), they appear completely irrelevant to the case in question since although the first refers to complaints “of various reporting agents [who] complained that the receipt of unwanted promotional calls (attributable to Telefonika's activity) took place without having given any consent and, in some cases, despite the registration of the respective users in the cd. Register of oppositions ”, the processing processes are not comparable to those carried out by Sky; while the second, in addition to concerning processing relating to the sending of e-mail messages (comparable to automated processing and therefore subject to a different discipline), in any case provides that "whoever acquires the database must ascertain that each interested party has validly consented to the communication of their e-mail address and its subsequent use for the purpose of sending advertising material; at the time of recording the data, he must then send in any case, to all interested parties, an information message specifying the elements indicated in art. 10 of the law n. 675, including a place reference - and not only an e-mail address - at which the interested party can exercise the rights recognized by law ".

The Authority acknowledges that Sky stated:

- to have “in any case carried out random checks on the consents collected”. In particular, during the hearing, Sky specified that it had given rise to "16 third-party audits" from 2013 to June 2021;

- of "contra [re] with the BL all prospect lists (including master data from the sale of lists by third parties ...)";

- to have "progressively abandoned the use of data transfer contracts ('Leads Transfer'), preferring ... less invasive methods of telephone calls, including SMS".

While acknowledging that the above activities are potentially suitable for stemming the phenomenon of unwanted calls, it must be noted that, in practice, numerous contacts have been made in violation of the provisions on information, consent and accountability, and must therefore be confirmed the responsibility of Sky in relation to what is contested in point 1).

It should also be noted that Sky considered untrue the circumstance expressed by some reporting persons that they had been recipients of numerous telephone calls from the Company's call centers within a few days, stating that the system allows “Maximum 28 call attempts per year”. In this regard, it should be noted that this approach, in addition to being in stark contrast to what was declared by various whistleblowers, appears in any case suitable for causing significant inconvenience to the data subject. To this it must be added that Sky has not documented the procedure according to which the call centers acquire and register the objections expressed by the interested parties during the telephone contact. The existence of the disputed violation must be inferred from all these elements, again included in point 1) of art. 21 of the Regulation, regarding the exercise of the right to object.

2.2.2. With reference to the dispute referred to in point 2), the violation of the provisions of Articles 5, para. 1 and 2, art. 6, par. 1, 7, 14, 28 and 29 of the Regulation in relation to the violation of the accountability principle and the provisions on consent as well as, due to failure to verify the legitimacy of data communication by Wind Tre S.p.A. to Brands Up; for failure to check the information provided by suppliers to interested parties at the time of first contact; for not having correctly appointed the suppliers as data processors; for not having adopted procedures for filtering the contact lists that remained in the availability of the person who carried out the promotional contacts (the violation concerns the conduct referred to in paragraph 2.2., as well as files nos. 133373, 135620, 136731, 142746, 135535 , 152391, 139142 and 156682).

From the investigation carried out, it emerged that Sky has signed Advertising contracts with some suppliers (eg Indicta S.rl.l, R&D Communication srl and Brands Up Srl) for the performance of "a promotional advertising activity ... which will be carried out through a series of advertising campaigns ... to promote the signing of Sky pay TV contracts ... via SMS addressed to a target customer "of the supplier (or of Wind Tre SpA, as in the case of Brands Up), who expressed consent to third party marketing. This promotional activity "is aimed at soliciting customers, upon receipt of the advertising communication, to send an SMS with the text 'OK' to a number [of the supplier] to be contacted by Sky. Only after the release of the aforementioned consent, [the supplier] undertakes to communicate to Sky the mobile phone number ... of the customers who have authorized to be contacted by a Sky telephone operator for the promotion of the offer ".

In light of the above, two different phases of promotional activity can be distinguished (i) a first phase, which sees the partners / suppliers as protagonists, who "collect approved third party marketing data in their databases, organize and use them for their specific and autonomous purposes, as well as send promotional sms to their interested parties previously informed and consented to third party marketing, for their own autonomous purposes and without receiving any instructions from Sky, in the face of adequate information and specific consent of the interested party to third party marketing " and (ii) a second phase, if any, in which the protagonist of the marketing activity is Sky, which carries out promotional contacts with users who “click [to] OK on the SMS to find out about Sky's offer”.

In this regard, it should be noted that Sky's approach according to which in the first phase "the partners are classified as independent owners" is not acceptable as they "deal ... with the processing ... for their own autonomous purposes and without receiving any instructions from Sky , subject to adequate information and specific consent of the interested party to third party marketing ".

In this case, it must be noted that the promotional campaign carried out by the partners / suppliers on behalf of Sky is not constituted by the mere illustration of the Company's services and products, but by the sending of promotional sms aimed at obtaining a flow of feedback information. towards the latter (the positive response of the person contacted to receive the promotion of Sky) and a communication of contact data to Sky itself, against an extremely (and arbitrarily) simplified opt-in (the "OK" SMS) .

In this case it is clear that, without prejudice to what was observed in the previous paragraph on accountability, the partners / suppliers, who send promotional sms to their interested parties in order to promote services on behalf of Sky as well as in order to “solicit customers. .. to send an SMS with the text "OK" "to be contacted by Sky" they actually operate, and to all intents and purposes, as if they had been 'appointed by the owner to process personal data', therefore in full and substantial adherence to the definition of the 'manager' "(see provision no. 230 of June 15, 2011, in www.gpdp.it, web doc. no. 1821257). A different approach, in addition to representing a marked forcing of the rules on the protection of personal data where the roles and responsibilities of the various subjects who contribute to carrying out a treatment that instead must be considered unitary, mainly to guarantee the interested parties are arbitrarily changed, would make the client of the advertising campaign, in this case Sky, completely unrelated and "irresponsible" to choices and processes that are fully included in the campaign itself and which have the sole purpose and consequence of bringing personal information into the client's databases some CD. "Prospect" in order to convey to them an articulated commercial proposal relating to their services. The consequence of this setting is suitable to prevent the data subject from having full control of their data and a full exercise of the rights towards the subject in the interest of which the treatments are carried out.

As already observed by the Authority in the past (see provision no. 230 of June 15, 2011, in www.gpdp.it, web doc. No. 1821257) "it must be ... reiterated that outsourcing agencies ... cannot be considered as independent holders, since the alleged formal ownership does not correspond, even in concrete terms, to the powers strictly provided for by the Code for the configuration and exercise of ownership, which are and remain the exclusive prerogative of the principals. Among these, first of all: - make decisions relating to the purposes of processing the data of recipients of promotional campaigns for the purpose of sending advertising or direct sales material or commercial research or commercial communication carried out by third parties acting in outsourcing for the performance of the aforementioned promotion and marketing activities of goods, products and services; - to issue binding instructions and directives towards outsourcers, substantially corresponding to the instructions that the data controller must give to the manager; - to carry out control functions with respect to the work of outsourcers themselves ".

It has been noted that "It is ... always left to the owner, as an exercise of his own free faculty, the choice to make use of one or more subjects who, even in outsourcing, still carry out, even in practice, the typical activities of the manager ; if, however - as in the cases examined - the owner decides to do so, he will be required to ensure that the concrete attitude of the relationships also corresponds to their correct legal classification in terms of the protection of personal data. It follows that in such situations, in order for the related processing of personal data to comply with the regulations on the protection of personal data, it is necessary that the outsourcers, who ... already concretely operate, in fact, in the specific capacity of data processors according to the definition of the Code, also receive an express and formal designation to that effect, according to the provisions of art. 29 ".

As is known, the data controller's obligation to supervise the work of the latter derives from the designation of data processor. The new principles dictated by the Regulation frame the responsibilities of the data controller with a view to accountability and require all actors in the processing of personal data to behave proactively and coherently with the aim of proving, at every stage, the lawfulness of the same treatments.

In this regard, it has already been pointed out that "the entire system of the Regulation is supported by the accountability of the data controller. These, due to the fact that the personal data of the subjects contacted who have subscribed to the promotional offers are destined to flow into the company databases, should adopt particular guarantee measures in order to prove that the contracts and activations registered in their systems originate from contacts made in full compliance with the provisions on the protection of personal data, in particular those referred to in Articles 5, 6 and 7 of the Regulation relating to consent "(see provision no. 143 of 9 July 2020).

Sky therefore acting as owner also with reference to the so-called first phase of the promotional campaign should have verified that the subjects contacted had obtained the information and issued an appropriate consent to receive promotional SMS and were not included in the Company's BL. Subsequently, in the face of the "OK" expressed by the interested parties, Sky could have contacted the latter but, on the occasion of the contact, it should have provided the elements referred to in art. 14 of the Regulations and to acquire consent for promotional contact with a human operator, which on the basis of the documentation provided by the Company does not appear to have occurred.

In light of the above, Sky's responsibility for the violation of Articles 5 para. 1 and 2, 6, par. 1, 7, 14, as well as 28 and 29 of the Regulations, referred to in point 2) of the dispute.

2.2.3. With reference to the dispute referred to in point 3), Sky's arguments are accepted in the context of the exercise of the right of defense, which lead to the filing of the dispute regarding the violation of Articles 5, para. 1 and 2, 6 and 7 of the Regulations, in relation to telephone contacts made from numbers not attributable to the Company's sales network.

Indeed, the contact policy process described by Sky appears suitable to stem the phenomenon of illicit contacts and unwanted promotional calls from subjects unrelated to the Sky commercial network.

According to the aforementioned process, Sky, "unlike other companies ... centralizes on its system the lists for telemarketing activities to which the so-called telesellers log in to make calls, having opted for the adoption of a completely centralized system and process that arranges for the sorting of individual promotional calls to the various call centers: the personal data reside centrally on Sky systems (the so-called Reitek platform, in use since 2011, managed by Sky Italia), all calls addressed to interested parties are made by a single outgoing number ... and Sky defines and continuously checks the contact logics, guiding and verifying operations in terms of assigning contact to each teleseller / call center (ie, to the suppliers designated external managers) ".

As noted by the Company, the centralization of campaign management allows "(i) to guarantee a widespread and timely control of telesellers / call centers through the use of advanced monitoring tools, avoiding both the phenomenon of uncontrolled calls and that of unlisted calls, that of manual calls (ii) to centrally verify the effectiveness of the lists (iii) to monitor the progress of the outbound activities in real time (iv) to guarantee a centralized, homogeneous policy in the treatment of contact, binding call centers to comply with criteria relating to contact methods (call times, contact frequency, maximum number of contact attempts) (v) to always know and have constant evidence of having made calls or not (and to be able therefore at any time to prove that he has not carried out them and legitimately disavow them) ".

The centralization of the personal data appears, at least in the abstract, suitable for determining an operational and logical connection between the promotional phase and the subsequent registration phase of the contract and, therefore, to exclude that promotional contacts made outside the Company's sales network may result in subsequent contracts. registered in the Sky databases. To this must be added the circumstance that, on the basis of the information provided by Sky in the defense brief, the number of subjects contacted by numbers which were then denied by the Company must be considered completely irrelevant.

It is therefore believed that the violations contested in point 3) of the section can be archived.

2.2.4. With reference to the dispute referred to in point 4), Sky's arguments are accepted in the context of exercising the right of defense and it is believed that the disputes relating to the violations of Articles 5, 6, 7, 12, 13 and 21, on how to activate, release the information and revoke the "Call me now" service.

In fact, Sky represented that the "Call me now" service follows a well-defined procedure that allows a planned recontact of the prospect client directly through the Sky website (Call me Now Sky), or even following commercial agreements or partnerships (Call me now Partner).

From the documentation initially produced by the Company in response to the requests for information formulated by the Authority, it emerged the lack of ad hoc information in relation to the aforementioned service, as well as the lack of a system that would allow the user to interrupt the flow of calls resulting from his "click" on the "Call Me" button with equal ease. From the documentation subsequently produced in the defense brief, it emerged instead that the Company has prepared ad hoc information in relation to these services, which explains the operation, data processing methods and user recontact. Indeed, the information informs the user that, by activating the service, "Sky will call you back only once, following only the instructions you provided and will not proceed to further subsequent recontacts".

It follows that, since a "call flow" is not envisaged in this case following the user's request to be contacted again but "only one ... call", in this specific case, the procedure for deactivating the service appears proportionate. 'sending an e-mail.

Therefore, in the light of the defensive arguments of the Company, it is believed to be able to proceed, in relation to the alleged violations, to the archiving of those referred to in the aforementioned point 4).

2.2.5. With reference to the dispute referred to in point 5), the existence of the contested violation of Articles 5, 6, 7, 12 par. 2 and 21 of the Regulations, for having made a promotional contact despite the interested party having exercised the right of opposition through the address p.e.c. official of the Company and, therefore, for not having adopted a system that "facilitates the exercise of the rights of the interested party" including the right to object (this violation appears to be attributable to a critical system as also found in the file no. 155336).

In general, it must be assumed that the strengthening measures adopted by the Company "with the addition of the pec skyitalia@pec.skytv.it to the channels that can be used by the interested party ... the strengthening of the sorting automatism in use [as well as] actions training courses dedicated to the personnel dedicated to the management of the certified e-mail account "certainly demonstrate the spirit of collaboration of the Company with this Authority.

The investigation relating to file no. 155336 pointed out that Sky did not respond to the complainant's requests, stating that he would have addressed his letters to an incorrect certified e-mail address. However, it was observed that the address p.e.c. skyitalia@pec.skytv.it, used to convey the complainant's request, corresponds to a certified e-mail user of the Company (also indicated as the official contact address in the business register). Therefore, the failure to reply to a letter duly received by e-mail certified in the corporate systems was considered completely unjustified (see, among other things, provision no.224 of 12 November 2020, in www.gpdp.it, doc . web n. 9485681).

The procedure implemented by Sky to allow interested parties to oppose promotional contacts, if not accompanied by a verification of the main Sky communication channels (i.e. the Company's certified e-mail address), is not suitable for providing users with any useful contribution.

It should also be noted that, not only has the Company failed to "promptly" manage the request to exercise the rights sent to the address p.e.c. of the Company, but the fact that the request for opposition of the interested party was registered and managed after seven months and only after the request for information formulated by the Authority, raises doubts regarding the management of all requests to exercise the rights addressed to the Company through the pec indicated in the business register.

The fact that Sky has not taken into account the objections received through the address p.e.c. official of the Company and, therefore, has not adopted a system that "facilitates the exercise of the rights of the interested party" including the right to object, or has made promotional contacts in the absence of the necessary condition of lawfulness, constitutes a violation of the related provisions of the Regulation, contained in Articles 5, 6, 7, 12 par. 2 and 21.

3. CONCLUSIONS

For the foregoing, Sky's responsibility is deemed to be ascertained for the following violations:

1. violation of articles 5, para. 1 and 2, art. 6, par. 1 and art. 7, 14, 21 of the Regulations for having Sky processed personal data for promotional purposes of its products and services, in the absence of the required consent and appropriate information; for not having carried out checks on the contact lists acquired from third parties; for the failure to correctly register the oppositions (see, among other things, files nos. 131703, 135014, 134205, 135070, 135511, 136291, 140229, 147537);

2. violation of the provisions of art. 5, para. 1 and 2, art. 6, par. 1, 7, 14, 28 and 29 of the Regulation in relation to the violation of the accountability principle and the provisions on consent as well as, due to failure to verify the legitimacy of data communication by Wind Tre S.p.A. to Brands Up; for failure to check the information provided by suppliers to interested parties at the time of first contact; for not having correctly appointed the suppliers as data processors; for not having adopted procedures for filtering the contact lists that remained in the availability of the person who carried out the promotional contacts (the violation concerns the conduct referred to in paragraph 2.2., as well as files nos. 133373, 135620, 136731, 142746, 135535 , 152391, 139142 and 156682);

3. violation of art. 5, 6, 7, 12 par. 2 and 21 of the Regulations, for having made promotional contacts in the absence of the necessary prerequisite of lawfulness; for not having taken into account the objections received through the address p.e.c. official of the Company and, therefore, for not having adopted a system that "facilitates the exercise of the rights of the interested party" including the right to object (this violation appears to be attributable to a critical system as also found in the file no. 155336).

Having ascertained the unlawfulness of the Company's conduct with reference to the treatments examined, it is necessary:

- with reference to the violation referred to in point 1), to impose, pursuant to art. 58, par. 2, lett. f) of the Regulations, to Sky Italia S.r.l. the prohibition of any further processing for promotional and commercial purposes carried out through lists acquired from third parties in the absence of effective checks on the consent to the communication of data, the release of suitable information at the time of first contact and the acquisition of consent for promotional communications made by a human operator;

- with reference to the violation referred to in point 2), prescribe to Sky Italia S.r.l., pursuant to art. 58, par. 2, lett. d) of the Regulations, to adapt the telemarketing treatments in order to provide that the promotional contacts carried out through the partners / suppliers are preceded by the designation of the same as responsible for all phases of the treatment;

- with reference to the violation referred to in point 3), prescribe to Sky Italia S.r.l., pursuant to art. 58, par. 2, lett. d) of the Regulations, to facilitate the exercise of the right of opposition by including the p.e.c. indicated in the business register.

- adopt an injunction order, pursuant to Articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for application against Sky Italia S.r.l. of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5, of the Regulation.

4. ORDER-INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to Articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for application against Sky Italia S.r.l. of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5 of the Regulations (payment of a sum up to Euro 20,000,000.00 or, for companies, up to 4% of the annual worldwide turnover of the previous year, if higher).

For the determination of the maximum edictal of the pecuniary sanction, it is considered necessary to refer to the turnover of Sky Italia Srl, in accordance with the previous provisions adopted by the Authority, and therefore to have to determine this maximum edict, in the case in question, in Euro 131,853,063.00.

To determine the amount of the penalty, the elements indicated in art. 83, par. 2, of the Regulation.

In the case in question, the following are relevant:

1. as an aggravating factor, the seriousness of the violations (Article 83, paragraph 2, letter a) of the Regulation) with reference to the complaints referred to in points 1), 2), which refer to "systemic conduct ”Therefore rooted in corporate procedures;

2. as an aggravating factor, the significantly negligent nature of the conduct (Article 83, paragraph 2, letter b) of the Regulations), given that Sky's constant interlocutions with the Authority and the Company's presence on the market for many years they should have allowed it to acquire a sufficient background of experience and competence to adopt basic choices more in line with the law;

3. as a mitigating factor, the measures adopted by the Company to mitigate the effects of the contested conduct (Article 83, paragraph 2, letter c) of the constructive in dealing with the changes dictated by the Regulations;

4. as a mitigating factor, cooperation with the Authority (Article 83, paragraph 2, letter f) of the Regulation) during the preliminary investigation, also due to the size of the Company and the complexity of the treatments, so that a concrete collaboration made it easier to carry out the investigation activities, especially in the delicate period of pandemic emergency.

Based on the set of elements indicated above, and the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1, of the Regulation, and taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, in the initial application of the administrative pecuniary sanctions provided for by the Regulation, also in order to limit the economic impact of the sanction on the organizational, functional and occupations of the Company, it is believed that it should apply to Sky Italia Srl the administrative sanction for the payment of a sum of Euro 3,296,326.00 equal to 2.5% of the maximum legal sanction.

In the case in question, it is believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the invasiveness of treatments with a human operator in the context of telemarketing as well as the high number of subjects potentially involved in the treatments examined.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL OF THIS GIVEN THE GUARANTOR

a) requires Sky Italia S.r.l., pursuant to art. 58, par. 2, lett. f) of the Regulations, the prohibition of any further processing for promotional and commercial purposes carried out through lists acquired from third parties in the absence of checks on the consent to the communication of data, the release of suitable information at the time of first contact and acquisition consent for promotional communications made by a human operator;

b) prescribes to Sky Italia S.r.l., pursuant to art. 58, par. 2, lett. d) of the Regulations, within 30 days from the notification of this provision, to adapt the telemarketing treatments in order to provide that promotional contacts carried out through partners / suppliers are preceded by their designation as responsible for all phases of the treatment;

c) prescribes to Sky Italia S.r.l., pursuant to art. 58, par. 2, lett. d) of the Regulations, within the same term referred to in point b), to facilitate the exercise of the right of opposition by providing, among the channels for receiving the related requests, also the p.e.c. indicated in the business register.

d) orders Sky Italia S.r.l., pursuant to art. 157 of the Code, to communicate to the Authority, within the same term indicated above, the initiatives undertaken in order to implement the provisions and prohibitions adopted; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by art. 83, paragraph 5, of the Regulation.

ORDER

to Sky Italia Srl, in the person of its pro-tempore legal representative, with registered office in Milan, Via Monte Penice 7, VAT number: 04619241005, to pay the sum of Euro 3,296,326.00 (three million two hundred ninety-six thousand three hundred twenty-six / 00) as a pecuniary administrative sanction for the violations indicated in the motivation, representing that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute, with the fulfillment of the prescribed requirements and the payment, within thirty days, of an amount equal to half of the sanction imposed

INJUNCES

to the aforementioned company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 3,296,326.00 (three million two hundred ninety-six thousand three hundred twenty-six / 00), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive deeds pursuant to art. 27 of the law n. 689/1981

HAS

the application of the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, considering at the same time that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to art. 152 of the Code and 10 of Legislative Decree n. 150/2011, against this provision, opposition may be proposed to the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is based, within thirty days from the date of communication of the provision itself. .

Rome, September 16, 2021

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE SECRETARY GENERAL
Mattei