Garante per la protezione dei dati personali (Italy) - 9871886

From GDPRhub
Garante per la protezione dei dati personali - 9871886
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6 GDPR
Article 7 GDPR
Article 13 GDPR
Article 28 GDPR
Type: Investigation
Outcome: Violation Found
Started: 11.03.2022
Decided: 23.02.2023
Published: 23.02.2023
Fine: 54,609,62 EUR
Parties: n/a
National Case Number/Name: 9871886
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante (Italy) (in IT)
Initial Contributor: n/a

The Italian DPA viewed the one-person telesales company as an independent controller when the company acquired contact details for the telephone company Vodafone. The DPA imposed a fine of €54,609 and ordered a prohibition of any further processing of the personal data.

English Summary[edit | edit source]

Facts[edit | edit source]

The Italian DPA investigated the Italian company Problem Solving s.r.l. (the Company) after having adopted a decision against the telephone company Vodafone Italia S.p.A. in November 2020. The DPA made an information request to the Company to which the Company replied on 5 November 2021.

The Company acted as a telesales partner of Vodafone, and acquired lists containing contact details from third party providers to further communicate the lists to Vodafone. The agreement between Vodafone and the Company was about the execution of outbound and inbound call management services for the promotion of commercial campaigns. The agreement did not mention the activity of acquiring lists of contact details on behalf of Vodafone.

The Company acquired contact lists containing approximately 4,300,000 personal data and communicated them to Vodafone between 2019 and 2020. The lists were acquired from third parties, Ad-Opera s.r.l. and BR Pharma s.r.l. The initial list provider was Ad-Opera s.r.l. which the Company chose to replace in 2020 with BR Pharma s.r.l. The latter was deemed more fit to raise the quality level of the Company’s activities.

During the investigation, the Company claimed that it did not have any decision-making role on the use of any lists and viewed Vodafone as the controller. Vodafone, it argued, only allowed the use of the lists after a rigorous verification procedure. The Company argued that it uploaded the contact details on the "Vodafone Deduplica Liste" system, in order to obtain "validation" from Vodafone and to act in compliance with the will and purposes of Vodafone which the Company held was the controller. The Company also highlighted that it did not proceed to any further use of the lists of contact details in question.

The DPA established that the company acquired approximately 4,300,000 personal data from Ad-Opera and BR Pharma, which the Company then had communicated to Vodafone for the purpose of carrying out promotional campaigns. The DPA considered this as carrying out a transfer between independent controllers.

The DPA initiated the proceedings against the Company on 11 March 2022, in which it challenged the Company for several violations. First, (i) violation of Article 13 GDPR, by not informing the data subjects included in the Ad-Opera and Br Pharma’s lists about the data sharing with Vodafone Second, infringement of Articles 5(1)(a), 6 and 7, for having disclosed the data referred to in point (i) above without the data subjects’ prior consent.

The Company then submitted a defence statement and requested a hearing.

The Company had provided information notices of the third party list providers to the DPA which the DPA had analysed. During the hearing, the Company provided a new information notice and exhibited e-mails with Vodafone. The Company argued that on the basis of the new information notice and the e-mail exchange, it was clear Vodafone had acknowledged its role of being the sole controller.

The Company argued that it had always acted as Vodafone's intermediary and processor, even during the phase of the acquisition of the lists of personal data. It also referred to the content of the EDPB Guidelines 07/2020 on the concepts of controller and processor under the GDPR, highlighting that such concepts are "functional rather than formal". Also during the hearing, the Company highlighted its constant attention to the aspects related to the protection of personal data, with constant verifications that it always brought to Vodafone's attention.

The Company saw that the processing of personal data for the purpose of acquiring new personal data lists was part of the complex of processing operations aimed at the promotional contact of potential customers, processing for which Vodafone was unquestionably the sole controller. The Company represented that it carried out the activities only in the interest of Vodafone, without any autonomous business assessment.

Holding[edit | edit source]

The DPA did not consider the Company’s arguments convincing to exclude its liability. The DPA referred to its initial investigation in 2020 where it established that the Company had acted as an independent controller in the processing of personal data connected to the acquisition of lists from third parties (list providers).

In its initial investigation the DPA pointed out that the Company has a twofold activity. The first activity consists of the acquisition of lists from third party providers, where the DPA considered the Company as an independent controller. The second activity was seen typically of a promotional nature and consisting contacting the persons included in the contact lists acquired (and authorised by Vodafone) to promote the services of Vodafone, where the DPA considered the Company as the processor of Vodafone.

The DPA also noted that the contract between the Company and Ad-Opera did not mention that the company purchased the lists on behalf of Vodafone. Moreover, according to the Italian DPA, the object of the contract between the Company and Br Pharma, the supply of "business consulting services”, was vague and undefined. This revealed that the Company acted as the first person in formalising the mutual obligations with the list providers, and also expanded its own operational perimeter, for the benefit of itself and certainly not Vodafone.

The DPA also viewed that the procedure of replacing the previous list supplier with the one contracted in 2020 showed that the Company acted on its own, on the basis of autonomous company assessments.

The DPA confirmed its observations made in the main investigation and affirmed the Company’s liability, as the Company acquired the lists of personal data by autonomously entering into contact with such third parties, signing the relevant contracts that, in the case of Br Pharma, also had a broader scope than the communication of the data, directly acquiring the lists and then transferring them to the system, owned by Vodafone which the DPA considered this a "double transfer" of the data.

As a result, the DPA found the Company to violate Article 13, 5(1)(a), 6, and 7 GDPR. The DPA imposed a fine of €54,609, equal to 2% of the Company's turnover, and prohibited the company from any further processing of the data acquired from the third party list providers.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9871886]

Prescriptive and sanctioning measure against Problem Solving s.r.l. - February 23, 2023

Register of measures
no. 50 of 23 February 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000, adopted with resolution of 28 June 2000;

SPEAKER Dr. Agostino Ghiglia.

1. THE INVESTIGATION ACTIVITY CARRIED OUT

1.1. Premise

With deed no. 14987/22 of 11 March 2022 (notified on the same date by certified email), which here must be understood as referred to in full, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulation towards Problem Solving s.r.l. (hereinafter "Problem Solving" or "the Company"), in the person of its pro-tempore legal representative, with registered office in Rome, viale Palmiro Togliatti, n. 1640, tax code 02587440609.

The proceeding originates from an investigation initiated by the Authority following the adoption of a corrective measure against the telephone company Vodafone Italia S.p.A. (provision n. 224 of 12 November 2020, in www.gpdp.it, web doc. n. 9485681). In this provision, with reference to Problem Solving, it was highlighted that:

- “Problem Solving s.r.l. is a teleseller partner of Vodafone which makes use of the list provider AdOpera”;

- "The framework agreement which regulates the teleseller's activities on behalf of Vodafone, which has as its object the execution of outbound and inbound call management services for the promotion of commercial campaigns, does not mention the acquisition of mailing lists personal data on behalf of Vodafone [...]. The same framework agreement referred to above also regulates the relations between Vodafone and Problem Solving s.r.l., which is why in this case as well, it has been observed that the lists provided by AdOpera (which are not mentioned in the call scripts) are acquired by Problem Solving as an independent data controller and subsequently transferred to the Vodafone systems realizing a further transfer of the same data (in the absence, therefore, of specific consent to further communication)”;

- "Vodafone […] illustrated the main characteristics in terms of roles, activities and implications of the two main business models used in the field of distance selling activities. The first model envisages that the subject carrying out the promotion (teleseller) uses its own lists or those purchased from a third party (list provider) as independent data controller. This subject, who in any case is designated by Vodafone as responsible for the subsequent part of the contractualisation, provides the Company with the lists exclusively for skimming the personal data present in the register of oppositions and in Vodafone's black-lists. This business model makes it possible to maintain unchanged, for the companies that carry out promotional contacts, the value of the lists they have, a value that would in fact be emptied if a double step of consent were required for these lists in order to be lawfully used with reference to the promotional campaigns of the clients";

- “With reference to [...] Problem Solving [...], Vodafone specified that the supply of personal data lists by these companies is carried out on the basis of the first business model illustrated in the responses to the request for information and in the defense brief. Based on this model, Vodafone can authorize the use of lists that they themselves have acquired from list providers. In this context, the partners qualify as independent owners of the processing of the acquired personal data lists and can use them for all their clients in various product sectors. According to this approach, which would also be used by all the other companies that make use of telesellers and agencies, Vodafone being extraneous to the main purchase relationship of the lists, becomes the owner of master data only and exclusively in the event of subsequent contracting of the end user".

- "Also in these cases, therefore, there was a double communication of data, the first, from the subject who formed the lists of personal data to Vodafone's partner agencies, the second from the aforementioned agencies to Vodafone itself, within the context of the telemarketing activity of which the Company has assumed full ownership".

1.2. The request for information formulated by the Authority

In order to establish the operational areas pertaining to Problem Solving in the framework of the treatments carried out to promote Vodafone's products and services, the Authority therefore made a request for information and presentation of documents, pursuant to art. 157 of the Code, to which the Company responded with a note dated November 5, 2021.

It was shown that between 2019 and 2020 Problem Solving, a single-firm partner agency of Vodafone, acquired and communicated to the latter contact lists containing around 4 million and 300 thousand personal data. The master data was acquired from the companies Ad-Opera s.r.l. and, since 2020, by BR Pharma s.r.l. (both with registered offices in Rome).

The Company intended to represent that it had no decision-making role on the use of any lists, limiting itself according to the agreements agreed and current practice to their "uploading" on the "Vodafone Deduplica Liste" system (for example those purchased from the supplier Ad-Opera ), so as to obtain the "validation" by the client and to act in compliance with the will and purposes of the Data Controller. Over time, Problem Solving has always made use of a single supplier, in order to set the parameters of reliability of the interlocutor and to evaluate any qualitative deterioration of the supplies.

In 2019 and in the first months of 2020, the lists were provided by Ad-Opera S.r.l., a company with which Problem Solving had relations since 2012. During 2020, as part of a series of initiatives aimed at raising the quality level of the activity to be carried out on behalf of the client telephone operator, a new supplier was identified (BR Pharma Srl) deemed more adequate to the established standards. The transition from Ad-Opera to BR Pharma was preceded by a series of assessments on the existing supply (market research aimed at identifying a potential alternative suitable for the pre-established purpose, weight analysis of the characteristics of each presumed "replacer" to the original supplier ; comparison between the possible subjects aimed at obtaining the preliminary identification of the one most corresponding to expectations; evaluation in terms of costs and benefits; formulation of a request for an offer linked to compliance with specific characteristics of the supply of interest; commercial negotiation, stipulation of the contract ).

The transfer of data from Ad-Opera to Problem Solving took place on the basis of a disclosure prepared by the original owner which reported verbatim: "Our Company AD-Opera Srl, [...] will only acquire and process personal and contact data to follow up to your request for marketing and advertising purposes in accordance with the law. Name […] Surname […] Telephone […] Mobile […] Email […]. The legal basis of the processing is constituted by the consent of the interested party, expressed at the time of sending the request. [...] The provision of data is necessary to allow us to execute the user's requests. Any refusal to provide, in whole or in part, the personal data in question could make it impossible to respond to the request of the interested party. [...] Recipients of the data. The data may be known by personnel authorized by our Company AD-Opera srl and in particular, the personnel in charge of the commercial, technical and administrative areas will be aware of the data. The processing may also be carried out by third parties who provide specific processing, administrative and instrumental services necessary to achieve the aforementioned purposes.". Ad-Opera also acquired consent from the interested parties and, in this regard, Problem Solving exhibited the screenshot taken from a page of the Ad-Opera website, which bears a form for the collection of personal data and two boxes with the request for consent . The first reads "your data may be communicated to leading direct marketing companies, specifically identified on a specific page of the website www.ad-opera.it" and the second contains a reference to the company's information.

As regards the transfer of data from BR Pharma to Problem Solving, the latter has shown a copy of the information which reads verbatim: "Data controller: The data controller is BR PHARMA SRL [...] Type of data processed. The processing concerns the following personal data: personal data: name, surname, contact data: telephone number and email address, telematic traffic data: log and IP address. Purpose of the treatment. The purpose of the processing is the transfer of your data to third parties to receive promotional offers. Recipients of the assignment (Transferee). The data collected will be transferred exclusively to PROBLEM SOLVING SRL (hereinafter "transferee") partner Vodafone Italia S.p.A. who may contact you to provide you with information regarding the promotional offer for which you have shown interest. Reason for the assignment to allow PROBLEM SOLVING SRL to contact you and provide you with information regarding the promotional offer for which you have shown interest. Contact details of the transferee: info@problemsolvingsrl.it. Data object of the transfer name, surname (optional) and telephone number. In the absence of the telephone number, the data cannot be transferred to the transferee. […]. Legal basis art. 6 par.1 lett. to. Lawfulness of processing. Consent to the assignment". In order to prove the consent acquired by BR Pharma for the communication of data, Problem Solving exhibited a list of 2308 leads which shows the date and time of creation, the telephone number, the name, the email address , the lead identifier and the IP address of the data subject.

With reference to the process of acquiring the lists, the Company declared: "we would like to point out that all compliance check activities for the purposes of compliance with the rules on personal data (here including the verification of the information provided to the interested parties by the suppliers AD-OPERA and BR PHARMA Srl) are contractually shared with Vodafone Italia SpA”; "Problem Solving does not make any further use of the personal data lists in question, it limits their use to activities carried out in the name and on behalf of Vodafone". The Company also represented that "Vodafone considers the lists provided by the call centers a "raw" product and does not allow the use of lists unless after a rigorous feedback procedure which is articulated in a check on privacy compliance (suitability of the information model provided to the interested parties; method of acquiring consent; verification of the presence of numbers already customers; verification of the presence of numbers in the company's black list; cross-reference of the numbers made available by the partner with the public register of oppositions; control of the presence of numbers in lists provided by other partners)” returning a list of names to contact to the structure that makes the calls only after the outcome of this check”.

1.3. Complaint of administrative violations

The Office has acknowledged that Problem Solving carries out a dual activity which is part of the partnership relationship with Vodafone. The first activity consists in acquiring personal data lists from third parties, personal data which, with the "deduplication" carried out through the use of the VDL platform (owned by Vodafone), become part of the contact lists of the telephone company. The second activity, on the other hand, is typically of a promotional nature and the sale of services and consists in contacting the people included in the lists of personal data acquired (and authorized by Vodafone) to promote the services of the telephone company. In the event that the person contacted proves interested in joining the Vodafone offer, Problem Solving proceeds to fill in the PDA on the proprietary electronic platform, carry out quality checks and send the PDA to the Vodafone administrative systems.

The notice of dispute points out that the second activities are carried out by Problem Solving in its capacity as responsible for the treatment ritually designated by Vodafone (as represented by the same telephone company during the preliminary investigation from which the aforementioned provision no. 224 originated of 12 November 2020), while the acquisition of the personal data lists would be carried out by Problem Solving in its capacity as independent data controller. This would emerge, first of all, from the contracts that have regulated and regulate the relations between Problem Solving and the suppliers: in the one stipulated with Ad-Opera there is no mention of the circumstance that Problem Solving has operated the purchase of the lists in the name and on behalf or with the participation or consent for acceptance of Vodafone. The contract stipulated with Br Pharma does not concern the transfer of personal data lists but the provision of "business consultancy services" based on a work plan set up and managed by Problem Solving "with the intention of giving visibility on the web and on Digital Social Networks in order to find new customers, start the communication process with the potential customer, gain customer trust over time".

The dispute also highlights that the procedure for replacing the previous list supplier with the one contracted in 2020 demonstrated that Problem Solving acted personally, on the basis of independent company assessments also in terms of product quality and costs/benefits of the 'offer.

From the analysis of the information it would also emerge that that of Ad-Opera is seriously deficient and does not bear any indication of the communication of data to third parties, which is explained, in general terms, only in the box for requesting consent on the company's web page containing a data collection form. The one provided by Br Pharma, while mentioning Vodafone as Problem Solving's commercial partner, qualifies the latter company as the "transferee" of the data and the person who will carry out any subsequent promotional contacts.

Problem Solving, therefore, on the basis of the deeds, allegedly acquired approximately 4 million and 300 thousand personal data from the companies Ad-Opera and BR Pharma, which it would then communicate to Vodafone for carrying out promotional campaigns by realizing a transfer between independent data controllers. With reference to this transfer, it would not appear that Problem Solving has provided the interested parties with its own information pursuant to articles 13 and 14 of the Regulation and has acquired from them the consent provided by the articles 6 and 7 of the same Regulation.

The Office has therefore adopted the aforementioned act of initiation of administrative procedure no. 14987/22 of 11 March 2022, with which it challenged Problem Solving for the following hypotheses of violation:

a) articles 13, of the Regulation, for having communicated the personal data of interested parties present in the lists of personal data provided by the companies Ad-Opera and Br Pharma, without having provided them with the necessary preventive information on the processing of personal data;

b) articles 5, paragraph 1, lett. a), 6 and 7 of the Regulation, for having communicated the data referred to in point a) to third parties without having acquired the required consent from the interested parties.

2. DEFENSIVE OBSERVATIONS AND ASSESSMENTS OF THE AUTHORITY

2.1. The defensive memory and the hearing of Problem Solving.

The Company submitted a defense brief within the deadline (April 11, 2022) and asked to be heard at a hearing. This hearing was held by video conference, for reasons of caution related to the current pandemic, on 10 May 2022 and its contents were summarized in a report signed by the Office and by the Company.

In the defense brief, Problem Solving first of all stated that, in responding to the request for information dated November 5, 2021, the Company, by mere typo, sent only the first information that BR Pharma presented to its users, referred to in chapter 1.2 and not the second, formally adopted in February 2021 but already formulated in September 2020, and therefore in an era prior to the date of adoption of the provision of the Guarantor against Vodafone, in which it is represented that "the data collected will be transferred exclusively to Vodafone SpA (hereinafter "transferee") partner Problem Solving Srl who may contact you to provide information regarding the promotional offer for which you have shown interest. Reason for the transfer to allow Vodafone SpA to contact you through the partner Problem Solving Srl and to provide you with information regarding the promotional offer for which you have shown interest. Contact details of the partner: info@problemsolvingsrl.it". Exhibiting an exchange of emails between Vodafone and Problem Solving, the Company then highlighted that the telephone company, on the basis of the new information, recognized its role as data controller also in the stage of acquiring the personal data lists and reconfirmed that of responsible for the treatment of Problem Solving, also during this process.

Problem Solving also reiterated that it has always acted, even in the phase of acquiring the personal data lists, as an intermediary of Vodafone and data processing manager of the telephone company, having destined the acquired lists only for the use of Vodafone, having complied with the provisions of the time given by the company from time to time, having been subjected to a strict audit process by the latter and having also had to answer for the choice of supplier companies and the criteria with which these companies collected personal data intended for promotional contact.

The Company also referred to the content of the EDPB Guidelines 07/2020 on the concepts of data controller and data processor pursuant to the GDPR, highlighting that these concepts are "functional rather than formal" and that, precisely on the basis of factual data indicated above (absence of decision-making power on the part of Problem Solving, intervention by Vodafone in all phases of the processing, audits of Problem Solving, evaluation regarding the choice of suppliers) Vodafone must unequivocally qualify itself as the owner of the overall processing which begins with the collection of data from the list-editors and ends with the promotional contact and the possible improvement of the purchase offer.

Also during the hearing, the Company highlighted the constant attention of Problem Solving in relation to the aspects related to the protection of personal data, with constant checks, always brought to the attention of Vodafone, also with reference to the subject of the ownership of the treatments and, to this in this regard, he recalled that, precisely by virtue of these checks, since September 2020 Vodafone has intended to modify the information relating to the processing of data acquired through Problem Solving, in particular those originating from Premialoo.it, correctly attributing to itself the legal status of the data controller. As for the previous period, if it is true that the disclosure contained other elements, it is also true that the same had been dictated by Vodafone, a subject which evidently had a much higher contractual strength than that of Problem Solving. However, going beyond the purely formal data, even before September 2020 the processing of personal data aimed at acquiring new personal data lists was grafted into the complex of treatments aimed at promotional contact with potential customers, treatments which unquestionably saw Vodafone as the only holder.

Problem Solving reiterated that even the old disclosure model, adopted in the 2019/2020 period, had been imposed by Vodafone and that already in that period Problem Solving was subject to the stringent quality and consistency controls of the procedures set up by the telephone company, since the audit of the Company took place in 2019.

The Company therefore underlined that these circumstances also highlight the role of manager, and not of owner, covered by Problem Solving and the very narrow margin of maneuver granted to the latter by Vodafone, margin of maneuver which was limited to purely technical aspects of the treatment or to the identification of the best subject from which to acquire lists of personal data, by virtue of the consolidated experience of Problem Solving in the sector. However, every activity carried out by the Company was carried out only in the interest of Vodafone, without autonomous business spaces and, above all, without the acquired data ever being communicated or transferred to other subjects unrelated to the treatment of the Vodafone owner.

Finally, Problem Solving intended to draw attention to the fact that the transfer of data acquired by the partners to Vodafone's VDL platform took place at the same time as the acquisition by the Company, an element which therefore excludes the so-called “double step” from partners to Problem Solving and from Problem Solving to Vodafone.

2.2. The observations of the Authority.

The arguments put forward by the Company do not appear suitable for excluding its liability in relation to the disputed conduct.

In the first place, it must be observed that already with provision no. 224 of 12 November 2020 it was ascertained, by Vodafone's admission and on the basis of the documents produced, that Problem Solving had acted as an independent data controller in the processing of personal data connected to the acquisition of personal data lists from third parties (list providers). This admission by the telephone company did not change the Authority's assessment regarding the responsibilities for the violations committed, so that it must be considered that the same was not functional to a convenient reconstruction regarding the carrying out of the processing operations but corresponded to the real relationships between between Vodafone and Problem Solving.

However, the Office correctly intended to involve Problem Solving personally in the preliminary phase, requesting the Company to provide information and exhibit documents from which elements that had not previously emerged on the existence of agreements or directives could be gleaned, even if not explicit in the contractual form , which would allow the acquisition of personal data lists to be traced back to the complex of personal data processing carried out in the capacity of data processor on behalf of Vodafone (point 3 of the request for information pursuant to article 157 of the Code: "mode for acquiring the lists and basis provided for the communication of the aforesaid lists to Vodafone"). This precisely in order to overcome the formal data and concretely qualify the roles and responsibilities of the two companies.

The findings provided by Problem Solving did not reveal significant elements in the sense indicated by the Company and in this regard we must recall the numerous critical points already highlighted in the act of initiation of the procedure, in which, for example, we focus on contractual relationships between list suppliers and Problem Solving: in the one stipulated with Ad-Opera there is no mention of the circumstance that Problem Solving has operated the purchase of the lists in the name and on behalf or with the co-participation or consent of Vodafone. The contract stipulated with Br Pharma does not have as its object the transfer of personal data lists but the provision of "business consultancy services" based on a work plan set up and managed by Problem Solving "with the intention of giving visibility on the web and on Digital Social Networks in order to find new customers, start the communication process with the potential customer, gain customer trust over time".

If it is true that the identification of the data controller must go beyond the formal data, this certainly cannot mean that what emerges from the contracts is to be considered a mere legal simulacrum, and in this case the contracts reveal not only that Problem Solving acted personally in the formalization of reciprocal obligations with list suppliers, but has also expanded the operating perimeter with one of the two companies (Br Pharma) to include consultancy activities and valorisation of its assets for the benefit of itself and certainly not of Vodafone.

What is indicated in the dispute must also be referred to with reference to the "selection" process of the partner who should have replaced Ad-Opera in the activity of collecting data intended for promotional contact, highlighting that in this phase, by admission of Problem Solving, the Company it acted with great autonomy, on the basis of independent company assessments also in terms of product quality and the costs/benefits of the offer.

Furthermore, the findings of the circumstance, also deduced from the contractual relationships between Problem Solving and Vodafone that emerged during the main investigation (Framework Agreement signed between the two companies on 1 October 2019), appear insurmountable, that the object of the collaboration between the two company is the carrying out of inbound and outbound calls on behalf of Vodafone and not the acquisition of personal data lists, an activity which is taken into consideration as a faculty of the Company, which in this case would act outside the contractual framework and therefore as independent owner.

As for the content of the disclosures, we acknowledge the new document produced in the defense brief relating to the disclosure adopted by Br Pharma since February 2021, which obviously bears the same considerations regarding the prevalence of the factual element with respect to purely formal data referred to in the EDPB Guidelines 07/2020, but it must be noted that it clearly indicates the data controller (Br Pharma) and the assignee (Vodafone) without clarifying either the role of Problem Solving in the acquisition of data, or the process transfer of the same data which, due to its characteristics repeatedly represented both by Vodafone and by Problem Solving itself, highlights the so-called "double passage" between different data controllers without excluding that each of them can operate, finding their convenience, autonomous uses of the personal data lists in their availability.

The above considerations must also extend to the treatments carried out with the use of the personal data provided by Ad-Opera, in relation to which the serious critical issues inferred from the text of the information provided by Ad-Opera itself and from the collection methods must be reiterated. consent.

On the basis of the above considerations, the observations made during the dispute must be confirmed and the responsibility of Problem Solving affirmed, which acquired personal data lists from third parties by entering into contact autonomously with these subjects, signing the related contracts on its own , in the case of Br Pharma they also had a wider range of data communication, acquiring the lists directly and then transferring them to the VDL system, owned by Vodafone. In this way the CD was created. "double passage" of data, from list providers to Problem Solving and from Problem Solving to Vodafone, to nothing by noting the exclusive destination of the data (which only represented a guarantee in the interest of the list providers) and the prior authorization and subsequent validation of data from Vodafone (functional only when the lists enter the company database).

3. CONCLUSIONS

For the above, the responsibility of Problem Solving is deemed to have been established for the following violations:

a) articles 13, of the Regulation, for having communicated the personal data of interested parties present in the lists of personal data provided by the companies Ad-Opera and Br Pharma, without having provided them with the necessary preventive information on the processing of personal data;

b) articles 5, paragraph 1, lett. a), 6 and 7 of the Regulation, for having communicated the data referred to in point a) to third parties without having acquired the required consent from the interested parties.

Having also ascertained the unlawfulness of the Company's conduct with reference to the treatments examined, it becomes necessary:

- impose on Problem Solving, pursuant to art. 58, par. 2, lit. f) of the Regulation, the prohibition of any further processing of the data acquired by Ad-Opera and Br-Pharma;

- prescribe to the Company, pursuant to art. 58, par. 2, lit. f) of the Regulation, to provide for a procedure for acquiring personal data lists which makes clear to the interested parties the ownership of the various treatments put in place and the legal basis of any data communications;

- adopt an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of the law n. 689/1981, for the application against Problem Solving of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5, of the Regulation.

4. ORDER-INJUNCTION FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of the law n. 689/1981, for the application against Problem Solving of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5 of the Regulations (payment of a sum up to €20,000,000);

In order to determine the amount of the fine, it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation.

In the present case, the following are relevant:

1) the seriousness of the violation (Article 83, paragraph 2, letter a) of the Regulation), due to the pervasive nature of the treatments in the field of telemarketing, the duration of the treatments themselves and the particularly high number of data subjects involved, elements mitigated by the circumstance that the conduct implemented by Problem Solving was partly influenced by the contracting telephone company;

2) as a mitigating factor, the appreciable collaboration with the Authority in the context of the investigation (Article 83, paragraph 2, letter f) of the Regulation);

3) as additional factors to be taken into consideration for setting the fine (art. 83, paragraph 2, letter k) of the Regulation), the data regarding the economic capacity of the Company, taken from the financial statements for the year 2020.

Based on the set of elements indicated above, and the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1, of the Regulation, and taking into account the necessary balance between the rights of the interested parties and the freedom to conduct a business, in the initial application of the pecuniary administrative sanctions envisaged by the Regulation, also in order to limit the impact of the sanction in a period marked by the economic repercussions of the serious pandemic emergency, it is believed that the administrative sanction of the payment of a sum of 54,609.62 euros, equal to 2% of the Company's turnover reported in the latest available financial statements, should be applied to the same.

In the case in question, it is believed that the ancillary sanction of publication on the Guarantor's website of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019, taking into account the nature of the treatments and the number of subjects involved, as well as the elements of risk for the exercise of the rights of the interested parties;

Finally, the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the provision in the internal register of the Authority provided for by art. 57, par. 1, lit. u), of the Regulation.

ALL THIS CONSIDERING THE GUARANTEE

a) imposes on Problem Solving, pursuant to art. 58, par. 2, lit. f) of the Regulation, the prohibition of any further processing of the data acquired by Ad-Opera and Br-Pharma;

b) requires the Company, pursuant to art. 58, par. 2, lit. d) of the Regulation, to provide for a procedure for acquiring personal data lists which makes clear to the interested parties the ownership of the various treatments put in place and the legal basis of any data communications;

c) enjoins Problem Solving, pursuant to art. 157 of the Code, to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the administrative fine provided for by art. 83, paragraph 5, of the Regulation

ORDER

to Problem Solving s.r.l., in the person of its pro-tempore legal representative, with registered office in Rome, viale Palmiro Togliatti, n. 1640, tax code 02587440609, to pay the sum of 54,609.62 (fifty-four thousand, six hundred and nine/62) euros as an administrative fine for the violations indicated in the justification, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, with the fulfillment of the instructions given and the payment, within the term of thirty days, of an amount equal to half of the fine imposed.

ENJOYS

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 54,609.62 (fifty-four thousand, six hundred and nine/62), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive deeds pursuant to the 'art. 27 of the law n. 689/1981.

HAS

The application of the ancillary sanction of publication on the Guarantor's website of this provision, provided for by articles 166, paragraph 7 of the Code and 16 of the Regulation of the Guarantor n. 1/2019, and the annotation of the same in the internal register of the Authority - provided for by art. 57, par. 1, lit. u), of the Regulation, as well as by art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor - relating to violations and measures adopted in compliance with art. 58, par. 2, of the Regulation itself.

Pursuant to articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller has its registered office, within the term of thirty days from the date of communication of the provision itself .

Rome, 23 February 2023

PRESIDENT
station

THE SPEAKER
guille

THE SECRETARY GENERAL
Matthew



[doc. web no. 9871886]

Prescriptive and sanctioning measure against Problem Solving s.r.l. - February 23, 2023

Register of measures
no. 50 of 23 February 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000, adopted with resolution of 28 June 2000;

SPEAKER Dr. Agostino Ghiglia.

1. THE INVESTIGATION ACTIVITY CARRIED OUT

1.1. Premise

With deed no. 14987/22 of 11 March 2022 (notified on the same date by certified email), which here must be understood as referred to in full, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulation towards Problem Solving s.r.l. (hereinafter "Problem Solving" or "the Company"), in the person of its pro-tempore legal representative, with registered office in Rome, viale Palmiro Togliatti, n. 1640, tax code 02587440609.

The proceeding originates from an investigation initiated by the Authority following the adoption of a corrective measure against the telephone company Vodafone Italia S.p.A. (provision n. 224 of 12 November 2020, in www.gpdp.it, web doc. n. 9485681). In this provision, with reference to Problem Solving, it was highlighted that:

- “Problem Solving s.r.l. is a teleseller partner of Vodafone which makes use of the list provider AdOpera”;

- "The framework agreement which regulates the teleseller's activities on behalf of Vodafone, which has as its object the execution of outbound and inbound call management services for the promotion of commercial campaigns, does not mention the acquisition of mailing lists personal data on behalf of Vodafone [...]. The same framework agreement referred to above also regulates the relations between Vodafone and Problem Solving s.r.l., which is why in this case as well, it has been observed that the lists provided by AdOpera (which are not mentioned in the call scripts) are acquired by Problem Solving as an independent data controller and subsequently transferred to the Vodafone systems realizing a further transfer of the same data (in the absence, therefore, of specific consent to further communication)”;

- "Vodafone […] illustrated the main characteristics in terms of roles, activities and implications of the two main business models used in the field of distance selling activities. The first model envisages that the subject carrying out the promotion (teleseller) uses its own lists or those purchased from a third party (list provider) as independent data controller. This subject, who in any case is designated by Vodafone as responsible for the subsequent part of the contractualisation, provides the Company with the lists exclusively for skimming the personal data present in the register of oppositions and in Vodafone's black-lists. This business model makes it possible to maintain unchanged, for the companies that carry out promotional contacts, the value of the lists they have, a value that would in fact be emptied if a double step of consent were required for these lists in order to be lawfully used with reference to the promotional campaigns of the clients";

- “With reference to [...] Problem Solving [...], Vodafone specified that the supply of personal data lists by these companies is carried out on the basis of the first business model illustrated in the responses to the request for information and in the defense brief. Based on this model, Vodafone can authorize the use of lists that they themselves have acquired from list providers. In this context, the partners qualify as independent owners of the processing of the acquired personal data lists and can use them for all their clients in various product sectors. According to this approach, which would also be used by all the other companies that make use of telesellers and agencies, Vodafone being extraneous to the main purchase relationship of the lists, becomes the owner of master data only and exclusively in the event of subsequent contracting of the end user".

- "Also in these cases, therefore, there was a double communication of data, the first, from the subject who formed the lists of personal data to Vodafone's partner agencies, the second from the aforementioned agencies to Vodafone itself, within the context of the telemarketing activity of which the Company has assumed full ownership".

1.2. The request for information formulated by the Authority

In order to establish the operational areas pertaining to Problem Solving in the framework of the treatments carried out to promote Vodafone's products and services, the Authority therefore made a request for information and presentation of documents, pursuant to art. 157 of the Code, to which the Company responded with a note dated November 5, 2021.

It was shown that between 2019 and 2020 Problem Solving, a single-firm partner agency of Vodafone, acquired and communicated to the latter contact lists containing around 4 million and 300 thousand personal data. The master data was acquired from the companies Ad-Opera s.r.l. and, since 2020, by BR Pharma s.r.l. (both with registered offices in Rome).

The Company intended to represent that it had no decision-making role on the use of any lists, limiting itself according to the agreements agreed and current practice to their "uploading" on the "Vodafone Deduplica Liste" system (for example those purchased from the supplier Ad-Opera ), so as to obtain the "validation" by the client and to act in compliance with the will and purposes of the Data Controller. Over time, Problem Solving has always made use of a single supplier, in order to set the parameters of reliability of the interlocutor and to evaluate any qualitative deterioration of the supplies.

In 2019 and in the first months of 2020, the lists were provided by Ad-Opera S.r.l., a company with which Problem Solving had relations since 2012. During 2020, as part of a series of initiatives aimed at raising the quality level of the activity to be carried out on behalf of the client telephone operator, a new supplier was identified (BR Pharma Srl) deemed more adequate to the established standards. The transition from Ad-Opera to BR Pharma was preceded by a series of assessments on the existing supply (market research aimed at identifying a potential alternative suitable for the pre-established purpose, weight analysis of the characteristics of each presumed "replacer" to the original supplier ; comparison between the possible subjects aimed at obtaining the preliminary identification of the one most corresponding to expectations; evaluation in terms of costs and benefits; formulation of a request for an offer linked to compliance with specific characteristics of the supply of interest; commercial negotiation, stipulation of the contract ).

The transfer of data from Ad-Opera to Problem Solving took place on the basis of a disclosure prepared by the original owner which reported verbatim: "Our Company AD-Opera Srl, [...] will only acquire and process personal and contact data to follow up to your request for marketing and advertising purposes in accordance with the law. Name […] Surname […] Telephone […] Mobile […] Email […]. The legal basis of the processing is constituted by the consent of the interested party, expressed at the time of sending the request. [...] The provision of data is necessary to allow us to execute the user's requests. Any refusal to provide, in whole or in part, the personal data in question could make it impossible to respond to the request of the interested party. [...] Recipients of the data. The data may be known by personnel authorized by our Company AD-Opera srl and in particular, the personnel in charge of the commercial, technical and administrative areas will be aware of the data. The processing may also be carried out by third parties who provide specific processing, administrative and instrumental services necessary to achieve the aforementioned purposes.". Ad-Opera also acquired consent from the interested parties and, in this regard, Problem Solving exhibited the screenshot taken from a page of the Ad-Opera website, which bears a form for the collection of personal data and two boxes with the request for consent . The first reads "your data may be communicated to leading direct marketing companies, specifically identified on a specific page of the website www.ad-opera.it" and the second contains a reference to the company's information.

As regards the transfer of data from BR Pharma to Problem Solving, the latter has shown a copy of the information which reads verbatim: "Data controller: The data controller is BR PHARMA SRL [...] Type of data processed. The processing concerns the following personal data: personal data: name, surname, contact data: telephone number and email address, telematic traffic data: log and IP address. Purpose of the treatment. The purpose of the processing is the transfer of your data to third parties to receive promotional offers. Recipients of the assignment (Transferee). The data collected will be transferred exclusively to PROBLEM SOLVING SRL (hereinafter "transferee") partner Vodafone Italia S.p.A. who may contact you to provide you with information regarding the promotional offer for which you have shown interest. Reason for the assignment to allow PROBLEM SOLVING SRL to contact you and provide you with information regarding the promotional offer for which you have shown interest. Contact details of the transferee: info@problemsolvingsrl.it. Data object of the transfer name, surname (optional) and telephone number. In the absence of the telephone number, the data cannot be transferred to the transferee. […]. Legal basis art. 6 par.1 lett. to. Lawfulness of processing. Consent to the assignment". In order to prove the consent acquired by BR Pharma for the communication of data, Problem Solving exhibited a list of 2308 leads which shows the date and time of creation, the telephone number, the name, the email address , the lead identifier and the IP address of the data subject.

With reference to the process of acquiring the lists, the Company declared: "we would like to point out that all the compliance check activities for the purposes of compliance with the rules on personal data (here including the verification of the information provided to the interested parties by the suppliers AD-OPERA and BR PHARMA Srl) are contractually shared with Vodafone Italia SpA”; "Problem Solving does not make any further use of the personal data lists in question, it limits their use to activities carried out in the name and on behalf of Vodafone". The Company also represented that "Vodafone considers the lists provided by the call centers a "raw" product and does not allow the use of lists unless after a rigorous feedback procedure which is articulated in a check on privacy compliance (suitability of the information model provided to the interested parties; method of acquiring consent; verification of the presence of numbers already customers; verification of the presence of numbers in the company's black list; cross-reference of the numbers made available by the partner with the public register of oppositions; control of the presence of numbers in lists provided by other partners)” returning a list of names to contact to the structure that makes the calls only after the outcome of this check”.

1.3. Complaint of administrative violations

The Office has acknowledged that Problem Solving carries out a dual activity which is part of the partnership relationship with Vodafone. The first activity consists in acquiring personal data lists from third parties, personal data which, with the "deduplication" carried out through the use of the VDL platform (owned by Vodafone), become part of the contact lists of the telephone company. The second activity, on the other hand, is typically of a promotional nature and the sale of services and consists in contacting the people included in the lists of personal data acquired (and authorized by Vodafone) to promote the services of the telephone company. In the event that the person contacted proves interested in joining the Vodafone offer, Problem Solving proceeds to fill in the PDA on the proprietary electronic platform, carry out quality checks and send the PDA to the Vodafone administrative systems.

The notice of dispute points out that the second activities are carried out by Problem Solving in its capacity as responsible for the treatment ritually designated by Vodafone (as represented by the same telephone company during the preliminary investigation from which the aforementioned provision no. 224 originated of 12 November 2020), while the acquisition of the personal data lists would be carried out by Problem Solving in its capacity as independent data controller. This would emerge, first of all, from the contracts that have regulated and regulate the relations between Problem Solving and the suppliers: in the one stipulated with Ad-Opera there is no mention of the circumstance that Problem Solving has operated the purchase of the lists in the name and on behalf or with the participation or consent for acceptance of Vodafone. The contract stipulated with Br Pharma does not concern the transfer of personal data lists but the provision of "business consultancy services" based on a work plan set up and managed by Problem Solving "with the intention of giving visibility on the web and on Digital Social Networks in order to find new customers, start the communication process with the potential customer, gain customer trust over time".

The dispute also highlights that the procedure for replacing the previous list supplier with the one contracted in 2020 demonstrated that Problem Solving acted personally, on the basis of independent company assessments also in terms of product quality and costs/benefits of the 'offer.

From the analysis of the information it would also emerge that that of Ad-Opera is seriously deficient and does not bear any indication of the communication of data to third parties, which is explained, in general terms, only in the box for requesting consent on the company's web page containing a data collection form. The one provided by Br Pharma, while mentioning Vodafone as Problem Solving's commercial partner, qualifies the latter company as the "transferee" of the data and the person who will carry out any subsequent promotional contacts.

Problem Solving, therefore, on the basis of the deeds, allegedly acquired approximately 4 million and 300 thousand personal data from the companies Ad-Opera and BR Pharma, which it would then communicate to Vodafone for carrying out promotional campaigns by realizing a transfer between independent data controllers. With reference to this transfer, it would not appear that Problem Solving has provided the interested parties with its own information pursuant to articles 13 and 14 of the Regulation and has acquired from them the consent provided by the articles 6 and 7 of the same Regulation.

The Office has therefore adopted the aforementioned act of initiation of administrative procedure no. 14987/22 of 11 March 2022, with which it challenged Problem Solving for the following hypotheses of violation:

a) articles 13, of the Regulation, for having communicated the personal data of interested parties present in the lists of personal data provided by the companies Ad-Opera and Br Pharma, without having provided them with the necessary preventive information on the processing of personal data;

b) articles 5, paragraph 1, lett. a), 6 and 7 of the Regulation, for having communicated the data referred to in point a) to third parties without having acquired the required consent from the interested parties.

2. DEFENSIVE OBSERVATIONS AND ASSESSMENTS OF THE AUTHORITY

2.1. The defensive memory and the hearing of Problem Solving.

The Company submitted a defense brief within the deadline (April 11, 2022) and asked to be heard at a hearing. This hearing was held by video conference, for reasons of caution related to the current pandemic, on 10 May 2022 and its contents were summarized in a report signed by the Office and by the Company.

In the defense brief, Problem Solving first of all stated that, in responding to the request for information dated November 5, 2021, the Company, by mere typo, sent only the first information that BR Pharma presented to its users, referred to in chapter 1.2 and not the second, formally adopted in February 2021 but already formulated in September 2020, and therefore in an era prior to the date of adoption of the provision of the Guarantor against Vodafone, in which it is represented that "the data collected will be transferred exclusively to Vodafone SpA (hereinafter "transferee") partner Problem Solving Srl who may contact you to provide information regarding the promotional offer for which you have shown interest. Reason for the transfer to allow Vodafone SpA to contact you through the partner Problem Solving Srl and to provide you with information regarding the promotional offer for which you have shown interest. Contact details of the partner: info@problemsolvingsrl.it". Exhibiting an exchange of emails between Vodafone and Problem Solving, the Company then highlighted that the telephone company, on the basis of the new information, recognized its role as data controller also in the stage of acquiring the personal data lists and reconfirmed that of responsible for the treatment of Problem Solving, also during this process.

Problem Solving also reiterated that it has always acted, even in the phase of acquiring the personal data lists, as an intermediary of Vodafone and data processing manager of the telephone company, having destined the acquired lists only for the use of Vodafone, having complied with the provisions of the time given by the company from time to time, having been subjected to a strict audit process by the latter and having also had to answer for the choice of supplier companies and the criteria with which these companies collected personal data intended for promotional contact.

The Company also referred to the content of the EDPB Guidelines 07/2020 on the concepts of data controller and data processor pursuant to the GDPR, highlighting that these concepts are "functional rather than formal" and that, precisely on the basis of factual data indicated above (absence of decision-making power on the part of Problem Solving, intervention by Vodafone in all phases of the processing, audits of Problem Solving, assessment regarding the choice of suppliers) Vodafone must unequivocally qualify itself as the owner of the overall processing which begins with the collection of data from the list-editors and ends with the promotional contact and the possible improvement of the purchase offer.

Also during the hearing, the Company highlighted the constant attention of Problem Solving in relation to the aspects related to the protection of personal data, with constant checks, always brought to the attention of Vodafone, also with reference to the subject of the ownership of the treatments and, to this in this regard, he recalled that, precisely by virtue of these checks, since September 2020 Vodafone has intended to modify the information relating to the processing of data acquired through Problem Solving, in particular those originating from Premialoo.it, correctly attributing to itself the legal status of the data controller. As for the previous period, if it is true that the disclosure contained other elements, it is also true that the same was dictated by Vodafone, a subject which evidently had a contractual strength far superior to that of Problem Solving. However, going beyond the purely formal data, even before September 2020 the processing of personal data aimed at acquiring new personal data lists was grafted into the complex of treatments aimed at promotional contact with potential customers, treatments which unquestionably saw Vodafone as the only holder.

Problem Solving reiterated that even the old disclosure model, adopted in the 2019/2020 period, had been imposed by Vodafone and that already in that period Problem Solving was subject to the stringent quality and consistency controls of the procedures set up by the telephone company, since the audit of the Company took place in 2019.

The Company therefore underlined that these circumstances also highlight the role of manager, and not of owner, covered by Problem Solving and the very narrow margin of maneuver granted to the latter by Vodafone, margin of maneuver which was limited to purely technical aspects of the treatment or to the identification of the best subject from which to acquire lists of personal data, by virtue of the consolidated experience of Problem Solving in the sector. However, every activity carried out by the Company was carried out only in the interest of Vodafone, without autonomous business spaces and, above all, without the acquired data ever being communicated or transferred to other subjects unrelated to the treatment of the Vodafone owner.

Finally, Problem Solving intended to draw attention to the fact that the transfer of data acquired by the partners to Vodafone's VDL platform took place at the same time as the acquisition by the Company, an element which therefore excludes the so-called “double step” from partners to Problem Solving and from Problem Solving to Vodafone.

2.2. The observations of the Authority.

The arguments put forward by the Company do not appear suitable for excluding its liability in relation to the disputed conduct.

In the first place, it must be observed that already with provision no. 224 of 12 November 2020 it was ascertained, by Vodafone's admission and on the basis of the documents produced, that Problem Solving had acted as an independent data controller in the processing of personal data connected to the acquisition of personal data lists from third parties (list providers). This admission by the telephone company did not change the Authority's assessment regarding the responsibilities for the violations committed, so that it must be considered that the same was not functional to a convenient reconstruction regarding the carrying out of the processing operations but corresponded to the real relationships between between Vodafone and Problem Solving.

However, the Office correctly intended to involve Problem Solving personally in the preliminary phase, requesting the Company to provide information and exhibit documents from which elements that had not previously emerged on the existence of agreements or directives could be gleaned, even if not explicit in the contractual form , which would allow the acquisition of personal data lists to be traced back to the complex of personal data processing carried out in the capacity of data controller on behalf of Vodafone (point 3 of the request for information pursuant to article 157 of the Code: "mode for acquiring the lists and basis provided for the communication of the aforesaid lists to Vodafone"). This precisely in order to overcome the formal data and concretely qualify the roles and responsibilities of the two companies.

The findings provided by Problem Solving did not reveal significant elements in the sense indicated by the Company and in this regard we must recall the numerous critical points already highlighted in the act of initiation of the proceeding, in which, for example, we focus on contractual relationships between list suppliers and Problem Solving: in the one stipulated with Ad-Opera there is no mention of the circumstance that Problem Solving has operated the purchase of the lists in the name and on behalf or with the co-participation or consent of Vodafone. The contract stipulated with Br Pharma does not have as its object the transfer of personal data lists but the provision of "business consultancy services" based on a work plan set up and managed by Problem Solving "with the intention of giving visibility on the web and on Digital Social Networks in order to find new customers, start the communication process with the potential customer, gain customer trust over time".

If it is true that the identification of the data controller must go beyond the formal data, this certainly cannot mean that what emerges from the contracts is to be considered a mere legal simulacrum, and in this case the contracts reveal not only that Problem Solving acted personally in the formalization of reciprocal obligations with list suppliers, but has also expanded the operating perimeter with one of the two companies (Br Pharma) to include consultancy activities and valorisation of its assets for the benefit of itself and certainly not of Vodafone.

What is indicated in the dispute must also be referred to with reference to the "selection" process of the partner who should have replaced Ad-Opera in the activity of collecting data intended for promotional contact, highlighting that in this phase, by admission of Problem Solving, the Company it acted with great autonomy, on the basis of independent company assessments also in terms of product quality and the costs/benefits of the offer.

Furthermore, the findings of the circumstance, also deduced from the contractual relationships between Problem Solving and Vodafone that emerged during the main investigation (Framework Agreement signed between the two companies on 1 October 2019), appear insurmountable, that the object of the collaboration between the two company is the carrying out of inbound and outbound calls on behalf of Vodafone and not the acquisition of personal data lists, an activity which is taken into consideration as a faculty of the Company, which in this case would act outside the contractual framework and therefore as independent owner.

As for the content of the disclosures, we acknowledge the new document produced in the defense brief relating to the disclosure adopted by Br Pharma since February 2021, which obviously bears the same considerations regarding the prevalence of the factual element with respect to purely formal data referred to in the EDPB Guidelines 07/2020, but it must be noted that it clearly indicates the data controller (Br Pharma) and the assignee (Vodafone) without clarifying either the role of Problem Solving in the acquisition of data, or the process transfer of the same data which, due to its characteristics repeatedly represented both by Vodafone and by Problem Solving itself, highlights the so-called "double passage" between different data controllers without excluding that each of them can operate, finding their convenience, autonomous uses of the personal data lists in their availability.

The above considerations must also extend to the treatments carried out with the use of the personal data provided by Ad-Opera, in relation to which the serious critical issues inferred from the text of the information provided by Ad-Opera itself and from the collection methods must be reiterated. consent.

On the basis of the above considerations, the observations made during the dispute must be confirmed and the responsibility of Problem Solving affirmed, which acquired personal data lists from third parties by entering into contact autonomously with these subjects, signing the related contracts on its own , in the case of Br Pharma they also had a wider range of data communication, acquiring the lists directly and then transferring them to the VDL system, owned by Vodafone. In this way the CD was created. "double passage" of data, from list providers to Problem Solving and from Problem Solving to Vodafone, to nothing by noting the exclusive destination of the data (which only represented a guarantee in the interest of the list providers) and the prior authorization and subsequent validation of data from Vodafone (functional only when the lists enter the company database).

3. CONCLUSIONS

For the above, the responsibility of Problem Solving is deemed to have been established for the following violations:

a) articles 13, of the Regulation, for having communicated the personal data of interested parties present in the lists of personal data provided by the companies Ad-Opera and Br Pharma, without having provided them with the necessary preventive information on the processing of personal data;

b) articles 5, paragraph 1, lett. a), 6 and 7 of the Regulation, for having communicated the data referred to in point a) to third parties without having acquired the required consent from the interested parties.

Having also ascertained the unlawfulness of the Company's conduct with reference to the treatments examined, it becomes necessary:

- impose on Problem Solving, pursuant to art. 58, par. 2, lit. f) of the Regulation, the prohibition of any further processing of the data acquired by Ad-Opera and Br-Pharma;

- prescribe to the Company, pursuant to art. 58, par. 2, lit. f) of the Regulation, to provide for a procedure for acquiring personal data lists which makes clear to the interested parties the ownership of the various treatments put in place and the legal basis of any data communications;

- adopt an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of the law n. 689/1981, for the application against Problem Solving of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5, of the Regulation.

4. ORDER-INJUNCTION FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of the law n. 689/1981, for the application against Problem Solving of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5 of the Regulations (payment of a sum up to €20,000,000);

In order to determine the amount of the fine, it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation.

In the present case, the following are relevant:

1) the seriousness of the violation (Article 83, paragraph 2, letter a) of the Regulation), due to the pervasive nature of the treatments in the field of telemarketing, the duration of the treatments themselves and the particularly high number of data subjects involved, elements mitigated by the circumstance that the conduct implemented by Problem Solving was partly influenced by the contracting telephone company;

2) as a mitigating factor, the appreciable collaboration with the Authority in the context of the investigation (Article 83, paragraph 2, letter f) of the Regulation);

3) as additional factors to be taken into consideration for setting the fine (art. 83, paragraph 2, letter k) of the Regulation), the data regarding the economic capacity of the Company, taken from the financial statements for the year 2020.

Based on the set of elements indicated above, and the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1, of the Regulation, and taking into account the necessary balance between the rights of the interested parties and the freedom to conduct a business, in the initial application of the pecuniary administrative sanctions envisaged by the Regulation, also in order to limit the impact of the sanction in a period marked by the economic repercussions of the serious pandemic emergency, it is believed that the administrative sanction of the payment of a sum of 54,609.62 euros, equal to 2% of the Company's turnover reported in the latest available financial statements, should be applied to the same.

In the case in question, it is believed that the ancillary sanction of publication on the Guarantor's website of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019, taking into account the nature of the treatments and the number of subjects involved, as well as the elements of risk for the exercise of the rights of the interested parties;

Finally, the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the provision in the internal register of the Authority provided for by art. 57, par. 1, lit. u), of the Regulation.

ALL THIS CONSIDERING THE GUARANTEE

a) imposes on Problem Solving, pursuant to art. 58, par. 2, lit. f) of the Regulation, the prohibition of any further processing of the data acquired by Ad-Opera and Br-Pharma;

b) requires the Company, pursuant to art. 58, par. 2, lit. d) of the Regulation, to provide for a procedure for acquiring personal data lists which makes clear to the interested parties the ownership of the various treatments put in place and the legal basis of any data communications;

c) enjoins Problem Solving, pursuant to art. 157 of the Code, to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the administrative fine provided for by art. 83, paragraph 5, of the Regulation

ORDER

to Problem Solving s.r.l., in the person of its pro-tempore legal representative, with registered office in Rome, viale Palmiro Togliatti, n. 1640, tax code 02587440609, to pay the sum of 54,609.62 (fifty-four thousand, six hundred and nine/62) euros as an administrative fine for the violations indicated in the justification, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, with the fulfillment of the instructions given and the payment, within the term of thirty days, of an amount equal to half of the fine imposed.

ENJOYS

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 54,609.62 (fifty-four thousand, six hundred and nine/62), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive deeds pursuant to the 'art. 27 of the law n. 689/1981.

HAS

The application of the ancillary sanction of publication on the Guarantor's website of this provision, provided for by articles 166, paragraph 7 of the Code and 16 of the Regulation of the Guarantor n. 1/2019, and the annotation of the same in the internal register of the Authority - provided for by art. 57, par. 1, lit. u), of the Regulation, as well as by art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor - relating to violations and measures adopted in compliance with art. 58, par. 2, of the Regulation itself.

Pursuant to articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller has its registered office, within the term of thirty days from the date of communication of the provision itself .

Rome, 23 February 2023

PRESIDENT
station

THE SPEAKER
guille

THE SECRETARY GENERAL
Matthew