Garante per la protezione dei dati personali (Italy) - 9737185
|Garante per la protezione dei dati personali (Italy) - 9737185|
|Authority:||Garante per la protezione dei dati personali (Italy)|
|Relevant Law:||Article 5(1)(a) GDPR|
Article 6(1)(a) GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 21 GDPR
|National Case Number/Name:||9737185|
|European Case Law Identifier:||n/a|
|Original Source:||Garante Privacy (in IT)|
The Italian DPA imposed a fine of €400,000 on a controller for the sending of unwanted advertising SMS without obtaining prior consent and without exercising adequate control over the lawfulness of the processor's activities.
English Summary[edit | edit source]
Facts[edit | edit source]
Following the receipt of several marketing SMS from a sender named Dorelan, the data subject tried to stop the unwanted activity by contacting what appeared to be the owner of the Dorelan brand, that is to say the company B&T Spa. The latter, however, claimed to have no involvement in the sending of the SMS and referred the data subject to another third party company, Aimon Srl. The data subject subsequently contacted Aimon in order to exercise their rights of access and objection. However, also Aimon denied any responsibility by claiming that the data subject's contact details had been obtained from other database suppliers.
During the investigation, the Italian DPA verified that B&T Spa had instructed Aimon to send promotional SMS to potential customers. The marketing company then made use of other suppliers who in turn had acquired the databases from third parties. In this succession of steps, based on the model of "Chinese boxes", it emerged that the data of the people contacted came from unverified, most likely unlawful collection activity. Just to name a couple, two data brokers had declared their offices in Florida and Switzerland. None of them had ever appointed their own representative in Italy or, to our knowledge, in any other Member State, in violation of Article 27 GDPR.
Holding[edit | edit source]
Taking into account the circumstances of the case, the Italian DPA affirmed that B&T was certainly to be qualified as data controller and Aimon as data processor. More precisely, B&T had, among other things, determined the reason for which the processing was carried out (the sending of promotional messages) and had chosen the criteria that Aimon should have followed in carrying out such activity.
The Italian DPA held that B&T had violated different provisions. First, the company did not seek any consent prior to the sending of the advertising SMS, therefore violating Article 6 (1)(a) GDPR and Article 130 of the Italian Privacy Code. Second, the company failed to define the roles within the data processing chain, did not provide clear information to the data subject and, in so doing, made it impossible for the data subject(s) to exercise their right. This amounted to a violation of Article 5 (1)(a), Article 12, Article 13, Article 14 GDPR and Article 21 GDPR.
Therefore, on the basis of all the elements indicated above, the DPA held that a €400,000 fine should be applied to B&T.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.