Garante per la protezione dei dati personali (Italy) - 9880336

From GDPRhub
Garante per la protezione dei dati personali - 9880336
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1) GDPR
Article 6(1) GDPR
Article 7 GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 15 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 09.03.2023
Published: 09.03.2023
Fine: 3,000.00 EUR
Parties: n/a
National Case Number/Name: 9880336
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: Jelena

The Italian DPA fined the controller € 3,000 for multiple GDPR violations in relation to unsolicited telephone marketing as the controller failed to demonstrate the lawfulness of processing of personal data acquired from third parties.

English Summary

Facts

Aesse S.r.l.s., the controller, offered boiler maintenance services to the data subject via phone call. When the data subject asked the controller about the origin of the personal data, the controller was unable to specifically indicate to the data subject the source from which it had acquired the personal data.

The data subject filed a complaint with the Italian DPA claiming they never gave their consent to receive marketing communication. Moreover, the data subject claimed that the controller had been evasive in responding to the request concerning the origin of the personal data.

During the investigation, the controller stated that it had acquired a list of names and numbers that could be contacted for the purpose of marketing from a third party telemarketing company. The third party telemarketing company guaranteed that the names and the numbers on the list could be used for marketing purposes. The controller shared the list with both the Italian DPA and the data subject.

Holding

At the end of the preliminary investigation, the Italian DPA found that the controller violated the following GDPR provisions:

  • Articles 5(1), 6(1) and 7 GDPR for acquiring personal data from a third party for marketing purposes without previously checking if consent was validly given. The absolute good faith in the guarantees that the third party offered was not considered sufficient by the supervisory authority. The DPA held that the data controller did not take any precaution in acquiring the data from the third party nor took steps to demonstrate the lawfulness of the processing. The DPA further elaborated that, while relying on the professional guarantees offered by the third party, the controller failed to use its control power. In fact, the controller did not request from the third party the documentation proving the lawfulness of the processing, such as the origin of the data, the information provided to the data subjects and the consent obtained from the data subjects, nor did the controller carry out such checks in another way.
  • Also, the controller violated the same norms by unlawfully communicating information on other data subjects present in the personal data list to the data subject.
  • Articles 13 and 14 GDPR for not providing the data subjects, whose data were acquired by the third party, with information in relation to the processing of their data for marketing purposes.
  • Articles 12 and 15 GDPR, for not having provided the data subject with a complete reply to the request to exercise the right of access. In particular, the controller did not provide the information concerning the origin of the data to the data subject until the intervention of the DPA. In this way, the data subject could not exercise the right of access.

In light of the above, the DPA ordered the controller to pay an administrative fine of € 3,000 and prohibited further processing of personal data from the list that the controller acquired from the third party.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9880336]

Prescriptive and sanctioning measure against Aesse S.r.l.s. - March 9, 2023

Register of measures
no. 71 of 9 March 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Personal Data Protection Code (Legislative Decree June 30, 2003, No. 196), as amended by Legislative Decree August 10, 2018, No. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER Prof. Pasquale Stanzione;

WHEREAS

1. THE INVESTIGATION ACTIVITY CARRIED OUT

With the complaint of 5 April 2022, presented to this Authority pursuant to art. 77 of the Regulation, Mr. XX complained of receiving, on the previous 8 March, an unwanted phone call concerning the promotion of boiler maintenance services offered by Aesse S.r.l.s. (hereinafter «Company»; «Aesse»).

The complainant declared that he had never given his consent to receive the aforementioned promotional communication and complained about the evasive and generic response that the Company would have provided regarding the request to know the origin of the personal data. In particular, in the communication of 24 March 2022, Aesse was unable to specifically indicate the subject from which it allegedly acquired the data subject's personal data, generically declaring that it had received from third-party companies engaged in the marketing of data, "packages of numbers with related names" allegedly collected on the occasion of gas and electricity contracts. In support of this reply, it has attached two invoices issued by XX and XX (XX), which allegedly show the sale of telephone numbers to Aesse.

On 8 April 2022, the Office formulated a request for information, pursuant to art. 157 of the Code, in order to acquire more elements of evaluation with particular reference to the documentation certifying the effective release of consent by the complainant for promotional purposes and the origin of the personal data of the same. Since no response was received within the requested time frame, on 2 May 2022, the Company was contacted at the telephone number on the contact page of the relevant website. Despite the assurances given during the phone call regarding a prompt response by the following 5 May, the Company only provided a reply on 23 May 2022, moreover using an incorrect address, so much so that it became available to the Office on 1 June 2022, conveyed by the complainant.

Aesse justified the delay in responding with the need to "investigate the legislation in order to try to understand the reasons underlying the complaint" and declared that it had acquired from the company XX (hereinafter "XX"), based in XX, a list of personal data and numbers that can be contacted for marketing purposes on the basis of a specific consent; in particular, this company would have guaranteed to Aesse that the names on the lists were approved and could therefore be used for marketing purposes. In this regard, the Company has sent the Authority an Excel file, entitled "Aesse 15_03_2021", with all the names and telephone numbers of the entities that can be contacted. The file in question, which contains multiple personal data of third parties (such as: mobile phone number; name; address; zip code; municipality; province; gender and year of birth), was also sent to the complainant.

2. THE DISPUTE

In the light of what emerged from the preliminary investigation, on the basis of the overall documentation acquired, on 28 October 2022 Aesse was notified of the start of the proceeding, pursuant to art. 166, paragraph 5, of the Code, with which the Company was charged with the alleged violation of the following provisions of the Regulation:

articles 5, par. 1, lit. a), 6, para. 1, lit. a) and 7 of the Regulation and 130 of the Code, for having acquired lists of personal data from XX, for marketing purposes, in the absence of the prescribed consent given by the interested parties: in fact, the Company has not produced suitable documentation to show the legitimacy of the acquisition of personal data lists from XX;

articles 13 and 14 of the Regulation for not having provided the interested parties, whose data have been acquired by XX, with suitable information in relation to the treatments for marketing purposes;

articles 12 and 15 of the Regulation, for not having provided the complainant with a complete reply to the request to exercise the right of access presented by the same;

articles 5, par. 1, lit. a), 6, para. 1, lit. a) and 7 of the Regulation, for having communicated to the complainant the data of the subjects present in the personal data lists acquired by XX, in the absence of suitable consent.

3. THE COMPANY'S DEFENSE BRIEFS

With the defense briefs forwarded on December 23, 2022, the Company asked this Authority to dismiss the proceeding initiated against it due to the absolute good faith found in appointing XX at a time of great economic difficulty caused by the pandemic emergency.

Trusting in the guarantees offered by this company in the telemarketing sector, and having previously obtained reassurances regarding the performance of the activity towards authorized users, Aesse has decided not to proceed with any further fulfillment that goes beyond the verbal interlocutions functional to the agreement. Moreover, "the circumstance that the company XX, although based in XX, operated with Italian personnel with whom there were various contacts, seemed suitable and sufficient guarantee of the correct execution of the operation".

Finally, Aesse, in representing "that the telemarketing activity is no longer in progress", specified that the contacts made to the users supplied by XX were not aimed at concluding contracts but only at promoting Company services (in particular the maintenance of the boiler at 60 euros). "The person contacted - if interested -", he argued, "could have requested further information, otherwise the phone call would have ended [...] and the name deleted. [...] In this logic, the phone call with the complainant also took place, whose name - as per his request - was immediately crossed out from the list provided to us, as well as that of those who reported that they were not interested in our services".

4. LEGAL ASSESSMENTS

As already emerged in the introduction (par. 1), it should be noted that Aesse, the data controller, has not taken any precautions in acquiring the data from XX nor has it provided suitable documentation to demonstrate the legitimacy of these personal data lists and has not even presented elements regarding the methods of obtaining consent by the Spanish company. Relying on the professional guarantees offered by XX, and trusting in the positive results of the collaboration established, Aesse did not exercise any power of control that went beyond the usual verbal interlocutions. In fact, it does not appear that the Company has requested from its commercial partners the documentation proving the existence of the requisites of lawfulness of the processing, such as the origin of the data, the information provided and the consents acquired from the interested recipients of the promotional campaign, nor that it has carried out such checks in another way. Moreover, from the initial interlocutions with the complainant, a profound gap would emerge in the identification of the actual supplier of the data whose personal details were communicated only after the intervention of the Authority; initially, in fact, as documented by the interested party in the correspondence attached to the complaint, the Company would not have been able to indicate the person from whom it would have acquired the personal data subject to contact (see response of 24 March 2022: "we cannot tell you if your name came from one company or the other"). It follows that, as disputed, Aesse collected personal data, which was then used for promotional contacts, without having acquired the consent or proof of consent from the interested parties.

The arguments put forward in the defense brief, however, do not allow overcoming the critical issues that emerged in the notice of dispute, nor can the possible registration of the refusal expressed by the interested party during the telephone contact remedy the lack of prior consent as the legal basis for the promotional activity. It follows that the contacts made by the Company for the promotion of its products and services were found to be in contrast with the fundamental principle of self-determination of the interested party with regard to the processing of his personal data, which manifests itself precisely in the correlated requirement of prior, free, specific and documented consent for the aforementioned commercial purpose (see provision 10 February 2021, n. 49, web doc. n. 9756869).

Furthermore, Aesse did not provide the necessary information to the complainant, neither on the occasion of the complained contact, nor subsequently in the reply provided to the request advanced by the same interested party before the filing of the complaint, since the company name of the data supplier was communicated only after the intervention of the Authority. Moreover, with regard to the latter aspect, it is noted that the response provided to the Office to the request for information did not clarify the lawfulness conditions that would have legitimized the availability of the data by XX. It should also be noted that in the absence of information on the processing carried out by Aesse, any consents allegedly acquired by the supplier must also be considered invalid. In this way, the interested party was prevented from exercising effective control over the processing carried out with his data.

Therefore, the violation of articles 5, par. 1, lit. a), 6, para. 1, lit. a), 7, 13, 14 of the Regulation and of art. 130 of the Code is considered established.

Furthermore, the violation of Articles 12 and 15 of the Regulation must be confirmed, due to the unsuitable response of the Company to the request to exercise the right of access by the complainant.

Finally, it should be noted that the sending to the complainant of the Excel file containing 5,776 "contactable" personal data for promotional purposes, resulted in an undue communication of personal data to third parties. The Company should have limited the reply to only the data relating to the complainant which, moreover, from a nominal and telephone number check, are not present in the list in question. Furthermore, this list, which contains multiple personal data (such as: mobile phone number; name; address; zip code; municipality; province; gender and year of birth), appears to lack any reference that allows contextualizing the will allegedly expressed by the interested parties to be contacted for marketing purposes or to oppose the processing, preventing any verification regarding the legitimacy of the promotional contacts. Furthermore, given the heading of the file in question - "Aesse 15_03_2021" - it is possible to assume that the data acquired in March 2021 have been kept for at least a year, since the phone call complained of by the complainant dates back to March 2022, in the absence of a justification and in particular a legal basis that legitimizes its conservation.

The contestation of further unlawful processing must therefore be confirmed: the communication to third parties of the personal data lists held by the Company, in contrast with the aforementioned principle pursuant to art. 5, par. 1, lit. a), as well as with the articles 6, par. 1, lit. a) and 7 of the Regulation.

5. CONCLUSIONS

In the light of the arguments referred to in point 4 of this provision, the disputed violations are considered confirmed and it is necessary to enjoin Aesse, pursuant to art. 58, par. 2, lit. d) of the Regulation, if it intends in the future to direct the promotional activity towards telephone numbers provided by third parties, to adopt suitable procedures aimed at:

- define and regulate the role of contractual partners in the field of data processing, with particular regard to marketing purposes;

- constantly check, also through appropriate sample checks, that personal data are processed in full compliance with the provisions on the subject (prior acquisition of a free, specific, unequivocal, documented, as well as informed, consent of the interested parties for sending commercial communications), pursuant to articles 5, par. 1, lit. a), 6, para. 1, lit. a), 7, 13, 14 of the Regulation and of the art. 130 of the Code;

- provide the interested parties with suitable information, pursuant to art. 13 of the Regulation;

- guarantee a full and effective response to the exercise of rights, pursuant to articles 12 and 15 of the Regulation.

Furthermore, considering that the Company has ensured that it has ceased the telemarketing activity, it is not deemed necessary to impose further requirements but, with regard to the data acquired by XX, Aesse is ordered, pursuant to art. 58, par. 2, lit. f) of the Regulation, the prohibition of processing and, as a result, the elimination from one's systems of the excel file "Aesse 15_03_2021" containing numbers kept for at least one year in the absence of a justification is required.

Finally, with regard to the treatments already carried out and the lack of suitable measures to guarantee them, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to articles 58, par. 2, lit. i) and 83 of the Regulation.

6. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

On the basis of the above, various provisions of the Regulation and of the Code are violated in relation to connected treatments carried out by Aesse, for which it is necessary to apply the art. 83, par. 3, of the Regulation, on the basis of which "if, in relation to the same treatment or to related treatments, a data controller violates, with willful misconduct or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation" with consequent application of the sole sanction provided for by art. 83, par. 5, of the Regulation.

For the purpose of quantifying the administrative fine, the aforementioned art. 83, par. 5 of the Regulation, in setting the statutory maximum in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the previous year where higher, specifies the methods for quantifying the aforementioned fine, which must "in each case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1, of the Regulation), identifying, for this purpose, a series of elements, listed in par. 2, to be evaluated when quantifying the relative amount.

In fulfillment of this provision, hypothesized, on the basis of the economic information available, the occurrence of the first hypothesis envisaged by the aforementioned art. 83, par. 5 of the Regulation and therefore quantified at 20 million euros as the maximum statutory amount applicable, the following aggravating circumstances must be considered:

1. the high number of subjects involved in the contested processing (whose data are shown in the Excel file "Aesse 15_03_2021") for which the Company was unable to prove the lawfulness requirements for the promotional activity (such as: origin of data, disclosure and consent) (Article 83, paragraph 2, letter a of the Regulation);

2. the subjective dimension of the conduct, to be considered grossly negligent, with particular reference to the continuing substantial avoidance of the information requested both by the interested party and by the Authority, as well as with reference to the inadequacy of the control over the treatment chain (art. 83, par. 2, letters b and d of the Regulation);

3. the inadequate degree of cooperation shown in the interlocutions with the Authority, as the Company belatedly responded, despite the reminder from the Office, to the request for information pursuant to art. 157 of the Code and in any case did not provide in the reply the information necessary for an adequate evaluation of the treatments (art. 83, paragraph 2, letter f of the Regulation);

4. the discrepancy of the Company's conduct with respect to the consistent regulatory activity of the Authority in the field of marketing (Article 83, paragraph 2, letter k of the Regulation).

As mitigating elements, it is considered necessary to take into account:

1. the absence of previous proceedings initiated against the Company (Article 83, paragraph 2, letter e of the Regulation);

2. the interruption of the telemarketing activity following the dispute by the Authority (Article 83, paragraph 2, letter c of the Regulation);

3. the overall assessment of the Company's economic capacity, with particular reference also to the latest available financial statements for the year 2021 (Article 83, paragraph 2, letter k of the Regulation).

Based on the set of elements indicated above, in application of the aforementioned principles of effectiveness, proportionality and dissuasiveness pursuant to art. 83, par. 1 of the Regulation, also taking into account the necessary balance between the rights of the interested parties and the freedom to do business, also in order to limit the economic impact of the sanction on the organizational, functional and employment needs of the Company, it is believed that it should apply to Aesse - also taking into consideration other similar cases - the administrative sanction of the payment of a sum of Euro 3,000.00 (three thousand/00), equal to 0.015% of the maximum statutory sanction of Euro 20 million.

In the case in question, it is believed that the ancillary sanction of publication on the Guarantor's website of this provision should also be applied, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019, taking into account the subject matter of the preliminary investigation, namely the phenomenon of unwanted marketing, with respect to which this Authority has adopted numerous measures both of a general nature and aimed at specific data controllers and on which the attention of the 'user.

Please note that pursuant to art. 170 of the Code, anyone who fails to comply with this provision prohibiting processing is punished with imprisonment from three months to two years and, in the event of non-compliance with the same provision, the sanction referred to in art. 83, par. 5, lit. e) of the Regulation. Finally, the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, par. 1, lit. f) of the Regulation, declares the processing carried out by Aesse S.r.l.s., with registered office in Sarzana (La Spezia), via Cisa 208, VAT number 01418000111, described in the terms referred to in the justification, to be unlawful; therefore declares the complaint founded and, moreover, determines the following corrective measures against the same Company:

a) pursuant to art. 58, par. 2, lit. f) of the Regulation, prohibits any further processing of personal data acquired by XX for promotional purposes and, as a result, requires the elimination from its systems of the excel file "Aesse 15_03_2021" containing numbers kept for at least one year in the absence of a justification;

b) pursuant to art. 58, par. 2, lit. d) of the Regulation, enjoins Aesse, if it intends in the future to direct the promotional activity towards telephone numbers provided by third parties, to adopt suitable procedures aimed at:

- define and regulate the role of contractual partners in the field of data processing, with particular regard to marketing purposes;

- constantly check, also through appropriate sample checks, that personal data are processed in full compliance with the provisions on the subject (prior acquisition of a free, specific, unequivocal, documented, as well as informed, consent of the interested parties for sending commercial communications), pursuant to articles 5, par. 1, lit. a), 6, para. 1, lit. a), 7, 13, 14 of the Regulation and of the art. 130 of the Code;

- provide the interested parties with suitable information, pursuant to art. 13 of the Regulation;

- guarantee a full and effective response to the exercise of rights, pursuant to articles 12 and 15 of the Regulation;

c)  pursuant to art. 157 of the Code, enjoins the Company to notify the Authority, within 30 days of notification of this provision, of the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the administrative fine provided for by art. 83, paragraph 5 lett. e) of the Regulation.

ORDERS

pursuant to art. 58, par. 2, lit. i), of the Regulation, to Aesse S.r.l.s., in the person of its legal representative, to pay the sum of 3,000.00 (three thousand/00) euros, by way of administrative fine for the violations indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 3,000.00 (three thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to the art. 27 of the law n. 689/1981;

PROVIDES FOR

as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and of the art. 16 of the Regulation of the Guarantor n. 1/2019, the publication on the Guarantor's website of this provision and, pursuant to art. 17 of the Regulation of the Guarantor n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation, of the violations and of the measures adopted.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal lodged with the ordinary court of the place where the owner of the processing of personal data has his residence, or, alternatively, with the court of the place of residence of the interested party, within the term of thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 9 March 2023

PRESIDENT
Stanzione

THE SPEAKER
Stanzione

THE SECRETARY GENERAL
Mattei

[doc. web no. 9880336]

Prescriptive and sanctioning measure against Aesse S.r.l.s. - March 9, 2023

Register of measures
no. 71 of 9 March 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Personal Data Protection Code (Legislative Decree June 30, 2003, No. 196), as amended by Legislative Decree August 10, 2018, No. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER Prof. Pasquale Stanzione;

WHEREAS

1. THE INVESTIGATION ACTIVITY CARRIED OUT

With the complaint of 5 April 2022, presented to this Authority pursuant to art. 77 of the Regulations, Mr. XX complained of receiving, on the previous 8 March, an unwanted phone call concerning the promotion of boiler maintenance services offered by Aesse S.r.l.s. (hereinafter «Company»; «Aesse»).

The complainant declared that he had never given his consent to receive the aforementioned promotional communication and complained about the evasive and generic response that the Company would have provided regarding the request to know the origin of the personal data. In particular, in the communication of 24 March 2022, Aesse was unable to specifically indicate the subject from which it allegedly acquired the data subject's personal data, generically declaring that it had received from third-party companies engaged in the marketing of data, "packages of numbers with related names” allegedly collected on the occasion of gas and electricity contracts. In support of this reply, it has attached two invoices issued by XX and XX (XX), which allegedly show the sale of telephone numbers to Aesse.

On 8 April 2022, the Office formulated a request for information, pursuant to art. 157 of the Code, in order to acquire more elements of evaluation with particular reference to the documentation certifying the effective release of consent by the complainant for promotional purposes and the origin of the personal data of the same. Since no response was received within the requested time frame, on 2 May 2022, the Company was contacted at the telephone number on the contact page of the relevant website. Despite the assurances given during the phone call regarding a prompt response by the following 5 May, the Company only provided a reply on 23 May 2022, moreover using an incorrect address, so much so that it became available to the Office on 1 June 2022, conveyed by the complainant.

Aesse justified the delay in responding with the need to "investigate the legislation in order to try to understand the reasons underlying the complaint" and declared that it had acquired from the company XX (hereinafter "XX"), based in XX, a list of personal data and numbers that can be contacted for marketing purposes on the basis of a specific consent; in particular, this company would have guaranteed to Aesse that the names on the lists were approved and could therefore be used for marketing purposes. In this regard, the Company has sent the Authority an Excel file, entitled "Aesse 15_03_2021", with all the names and telephone numbers of the entities that can be contacted. The file in question, which contains multiple personal data of third parties (such as: mobile phone number; name; address; zip code; municipality; province; gender and year of birth), was also sent to the complainant.

2. THE DISPUTE

In the light of what emerged from the preliminary investigation, on the basis of the overall documentation acquired, on 28 October 2022 Aesse was notified of the start of the proceeding, pursuant to art. 166, paragraph 5, of the Code, with which the Company was charged with the alleged violation of the following provisions of the Regulation:

articles 5, par. 1, lit. a), 6, para. 1, lit. a) and 7 of the Regulation and 130 of the Code, for having acquired lists of personal data from XX, for marketing purposes, in the absence of the prescribed consent given by the interested parties: in fact, the Company has not produced documentation suitable to show the legitimacy of the acquisition of personal data lists from XX;

articles 13 and 14 of the Regulation for not having provided the interested parties, whose data have been acquired by XX, with suitable information in relation to the treatments for marketing purposes;

articles 12 and 15 of the Regulation, for not having provided the complainant with a complete reply to the request to exercise the right of access presented by the same;

articles 5, par. 1, lit. a), 6, para. 1, lit. a) and 7 of the Regulation, for having communicated to the complainant the data of the subjects present in the personal data lists acquired by XX, in the absence of suitable consent.

3. THE COMPANY'S DEFENSE BRIEFS

With the defense briefs forwarded on December 23, 2022, the Company asked this Authority to dismiss the proceeding initiated against it due to the absolute good faith found in appointing XX at a time of great economic difficulty caused by the pandemic emergency.

Trusting in the guarantees offered by this company in the telemarketing sector, and having previously obtained reassurances regarding the performance of the activity towards authorized users, Aesse has decided not to proceed with any further fulfillment that goes beyond the verbal interlocutions functional to the agreement. Moreover, "the circumstance that the company XX, although based in XX, operated with Italian personnel with whom there were various contacts, seemed suitable and sufficient guarantee of the correct execution of the operation".

Finally, Aesse, in representing "that the telemarketing activity is no longer in progress", specified that the contacts made to the users supplied by XX were not aimed at concluding contracts but only at promoting Company services (in particular the maintenance of the boiler at 60 euros). "The person contacted - if interested -", it argued, "could have requested further information, otherwise the phone call would have ended [...] and the name deleted. [...] In this logic, the phone call with the complainant also took place, whose name - as per his request - was immediately crossed out from the list provided to us, as well as that of those who reported that they were not interested in our services".

4. LEGAL ASSESSMENTS

As already emerged in the introduction (par. 1), it should be noted that Aesse, the data controller, has not taken any precautions in acquiring the data from XX nor has it provided suitable documentation to demonstrate the legitimacy of these personal data lists and has not even presented elements regarding the methods of obtaining consent by the Spanish company. Relying on the professional guarantees offered by XX, and trusting in the positive results of the collaboration established, Aesse did not exercise any power of control that went beyond the usual verbal interlocutions. In fact, it does not appear that the Company has requested from its commercial partners the documentation proving the existence of the requisites of lawfulness of the processing, such as the origin of the data, the information provided and the consents acquired from the interested recipients of the promotional campaign, nor that it has carried out such checks in another way. Moreover, from the initial interlocutions with the complainant, a profound gap would emerge in the identification of the actual supplier of the data whose personal details were communicated only after the intervention of the Authority; initially, in fact, as documented by the interested party in the correspondence attached to the complaint, the Company would not have been able to indicate the person from whom it would have acquired the personal data subject to contact (see response of 24 March 2022: "we cannot tell you if your name came from one company or the other"). It follows that, as disputed, Aesse collected personal data, which was then used for promotional contacts, without having acquired the consent or proof of consent from the interested parties.

The arguments put forward in the defense brief, however, do not allow overcoming the critical issues that emerged in the notice of dispute, nor can the possible registration of the refusal expressed by the interested party during the telephone contact remedy the lack of prior consent as the legal basis for the promotional activity. It follows that the contacts made by the Company for the promotion of its products and services were found to be in contrast with the fundamental principle of self-determination of the interested party with regard to the processing of his personal data, which manifests itself precisely in the correlated fulfillment of the prior, free, specific and documented consent for the aforementioned commercial purpose (see provision 10 February 2021, n. 49, web doc. n. 9756869).

Furthermore, Aesse did not provide the necessary information to the complainant, neither on the occasion of the complained contact, nor subsequently in the reply provided to the request advanced by the same interested party before the filing of the complaint, since the company name of the data supplier was communicated only after the intervention of the Authority. Moreover, with regard to the latter aspect, it is noted that the response provided to the Office to the request for information did not clarify the lawfulness conditions that would have legitimized the availability of data by XX. It should also be noted that in the absence of information on the processing carried out by Aesse, any consents allegedly acquired by the supplier must also be considered invalid. In this way, the interested party was prevented from exercising effective control over the processing carried out with his data.

Therefore, the violation of articles 5, par. 1, lit. a), 6, para. 1, lit. a), 7, 13, 14 of the Regulation and of art. 130 of the Code is considered established.

Furthermore, the violation of articles 12 and 15 of the Regulation must be confirmed, due to the unsuitable response of the Company to the request to exercise the right of access by the complainant.

Finally, it should be noted that the sending to the complainant of the Excel file containing 5,776 "contactable" personal data for promotional purposes, resulted in an undue communication of personal data to third parties. The Company should have limited the reply to only the data relating to the complainant which, moreover, from a nominal and telephone number check, are not present in the list in question. Furthermore, this list, which contains multiple personal data (such as: mobile phone number; name; address; zip code; municipality; province; gender and year of birth), appears to lack any reference that allows contextualizing the will allegedly expressed by the interested parties to be contacted for marketing purposes or to oppose the processing, preventing any verification regarding the legitimacy of the promotional contacts. Furthermore, given the heading of the file in question - "Aesse 15_03_2021" - it is possible to assume that the data acquired in March 2021 have been kept for at least a year, since the phone call complained of by the complainant dates back to March 2022, in the absence of a justification and in particular a legal basis that legitimizes its conservation.

The contestation of further unlawful processing must therefore be confirmed: the communication to third parties of the personal data lists held by the Company, in contrast with the aforementioned principle pursuant to art. 5, par. 1, lit. a), as well as with the articles 6, par. 1, lit. a) and 7 of the Regulation.

5. CONCLUSIONS

In the light of the arguments referred to in point 4 of this provision, the disputed violations are considered confirmed and it is necessary to enjoin Aesse, pursuant to art. 58, par. 2, lit. d) of the Regulation, if it intends in the future to direct the promotional activity towards telephone numbers provided by third parties, to adopt suitable procedures aimed at:

- define and regulate the role of contractual partners in the field of data processing, with particular regard to marketing purposes;

- constantly check, also through appropriate sample checks, that personal data are processed in full compliance with the provisions on the subject (prior acquisition of a free, specific, unequivocal, documented, as well as informed, consent of the interested parties for sending commercial communications), pursuant to articles 5, par. 1, lit. a), 6, para. 1, lit. a), 7, 13, 14 of the Regulation and of art. 130 of the Code;

- provide the interested parties with suitable information, pursuant to art. 13 of the Regulation;

- guarantee a full and effective response to the exercise of rights, pursuant to articles 12 and 15 of the Regulation.

Furthermore, considering that the Company has ensured that it has ceased the telemarketing activity, it is not deemed necessary to impose further requirements but, with regard to the data acquired by XX, Aesse is ordered, pursuant to art. 58, par. 2, lit. f) of the Regulation, the prohibition of processing and, as a result, the elimination from one's systems of the excel file "Aesse 15_03_2021" containing numbers kept for at least one year in the absence of a justification is required.

Finally, with regard to the treatments already carried out and the lack of suitable measures to guarantee them, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to articles 58, par. 2, lit. i) and 83 of the Regulation.

6. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

On the basis of the above, various provisions of the Regulation and of the Code are violated in relation to connected treatments carried out by Aesse, for which it is necessary to apply the art. 83, par. 3, of the Regulation, on the basis of which "if, in relation to the same treatment or to related treatments, a data controller violates, with willful misconduct or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation" with consequent application of the sole sanction provided for by art. 83, par. 5, of the Regulation.

For the purpose of quantifying the administrative fine, the aforementioned art. 83, par. 5 of the Regulation, in setting the statutory maximum in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the previous year where higher, specifies the methods for quantifying the aforementioned fine, which must "in each case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1, of the Regulation), identifying, for this purpose, a series of elements, listed in par. 2, to be evaluated when quantifying the relative amount.

In fulfillment of this provision, assuming, on the basis of the economic information available, that the first hypothesis envisaged by the aforementioned art. 83, par. 5 of the Regulation applies, and therefore taking 20 million euros as the maximum statutory amount applicable, the following aggravating circumstances must be considered:

1. the high number of subjects involved in the contested processing (whose data are shown in the Excel file "Aesse 15_03_2021") for which the Company was unable to prove the lawfulness requirements for the promotional activity (such as: origin of data, disclosure and consent) (Article 83, paragraph 2, letter a of the Regulation);

2. the subjective dimension of the conduct, to be considered grossly negligent, with particular reference to the continuing substantial avoidance of the information requested both by the interested party and by the Authority, as well as with reference to the inadequacy of the control over the treatment chain (art. 83, par. 2, letters b and d of the Regulation);

3. the inadequate degree of cooperation shown in the interlocutions with the Authority, as the Company responded belatedly, despite the reminder from the Office, to the request for information pursuant to art. 157 of the Code and in any case did not provide in the reply the information necessary for an adequate evaluation of the treatments (art. 83, paragraph 2, letter f of the Regulation);

4. the discrepancy of the Company's conduct with respect to the consistent regulatory activity of the Authority in the field of marketing (Article 83, paragraph 2, letter k of the Regulation).

As mitigating elements, it is considered necessary to take into account:

1. the absence of previous proceedings initiated against the Company (Article 83, paragraph 2, letter e of the Regulation);

2. the interruption of the telemarketing activity following the dispute by the Authority (Article 83, paragraph 2, letter c of the Regulation);

3. the overall assessment of the Company's economic capacity, with particular reference also to the latest available financial statements for the year 2021 (Article 83, paragraph 2, letter k of the Regulation).

Based on the set of elements indicated above, in application of the aforementioned principles of effectiveness, proportionality and dissuasiveness pursuant to art. 83, par. 1 of the Regulation, also taking into account the necessary balance between the rights of the interested parties and the freedom to do business, also in order to limit the economic impact of the sanction on the organizational, functional and employment needs of the Company, it is believed that it should apply to Aesse - also taking into consideration other similar cases - the administrative sanction of the payment of a sum of Euro 3,000.00 (three thousand/00), equal to 0.015% of the maximum statutory sanction of Euro 20 million.

In the case in question, it is believed that the ancillary sanction of publication on the Guarantor's website of this provision should also be applied, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019, taking into account the subject matter of the preliminary investigation, namely the phenomenon of unwanted marketing, with respect to which this Authority has adopted numerous measures both of a general nature and aimed at specific data controllers and on which the attention of the 'user.

Please note that pursuant to art. 170 of the Code, anyone who fails to comply with this provision prohibiting processing is punished with imprisonment from three months to two years and, in the event of non-compliance with the same provision, the sanction referred to in art. 83, par. 5, lit. e) of the Regulation. Finally, the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation.

ALL THIS CONSIDERED, THE GUARANTOR

pursuant to art. 57, par. 1, lit. f) of the Regulation, declares the processing carried out by Aesse S.r.l.s., with registered office in Sarzana (La Spezia), via Cisa 208, VAT number 01418000111, described in the terms referred to in the justification, to be unlawful; therefore declares the complaint founded and, moreover, determines the following corrective measures against the same Company:

a) pursuant to art. 58, par. 2, lit. f) of the Regulation, prohibits any further processing of personal data acquired by XX for promotional purposes and, as a result, requires the elimination from its systems of the excel file "Aesse 15_03_2021" containing numbers kept for at least one year in the absence of a justification;

b) pursuant to art. 58, par. 2, lit. d) of the Regulation, enjoins Aesse, if it intends in the future to direct the promotional activity towards telephone numbers provided by third parties, to adopt suitable procedures aimed at:

- define and regulate the role of contractual partners in the field of data processing, with particular regard to marketing purposes;

- constantly check, also through appropriate sample checks, that personal data are processed in full compliance with the provisions on the subject (prior acquisition of a free, specific, unequivocal, documented, as well as informed, consent of the interested parties for sending commercial communications), pursuant to articles 5, par. 1, lit. a), 6, para. 1, lit. a), 7, 13, 14 of the Regulation and of art. 130 of the Code;

- provide the interested parties with suitable information, pursuant to art. 13 of the Regulation;

- guarantee a full and effective response to the exercise of rights, pursuant to articles 12 and 15 of the Regulation;

c)  pursuant to art. 157 of the Code, enjoins the Company to notify the Authority, within 30 days of notification of this provision, of the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the administrative fine provided for by art. 83, paragraph 5 lett. e) of the Regulation.

ORDERS

pursuant to art. 58, par. 2, lit. i), of the Regulation, to Aesse S.r.l.s., in the person of its legal representative, to pay the sum of 3,000.00 (three thousand/00) euros, by way of administrative fine for the violations indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 3,000.00 (three thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of law n. 689/1981;

PROVIDES FOR

as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and of the art. 16 of the Regulation of the Guarantor n. 1/2019, the publication on the Guarantor's website of this provision and, pursuant to art. 17 of the Regulation of the Guarantor n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation, of the violations and of the measures adopted.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal lodged with the ordinary court of the place where the data controller has his residence, or, alternatively, with the court of the place of residence of the interested party, within the term of thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 9 March 2023

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei