Garante per la protezione dei dati personali (Italy) - 9920942
From GDPRhub
| Garante per la protezione dei dati personali - 9920942 | |
|---|---|
 | |
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 7 GDPR Article 12(1) GDPR Article 13(2) GDPR Article 24 GDPR Article 130(4) of the Codice in Materia di Protezione dei Dati Personali |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 03.05.2022 |
| Decided: | 18.07.2023 |
| Published: | 18.07.2023 |
| Fine: | 100,000 EUR |
| Parties: | Tiscali Italia S.p.A. |
| National Case Number/Name: | 9920942 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Italian |
| Original Source: | Garante per la protezione dei dati personali (in IT) |
| Initial Contributor: | AR |
The Italian DPA fined an Italian telecommunications company €100,000 following a control of marketing and profiling activities. According to the DPA, the company was unlawfully processing consumers´ data.
English Summary
Facts
On 3-5 May 2022, as part of the control of marketing and profiling activities conducted by telephone companies, an inspection was directed at Tiscali Italia S.p.A. (the “Controller”).
During the investigation, the Italian Data Protection Authority (DPA) found several issues concerning, among the others, the controller’s disclosure and consent for data processing, the call back service by pop-up, the use of so-called "soft spam", the management of denials and objections to processing and the data retention for marketing and profiling purposes.
Following the investigation, on 23 June 2022, the controller sent a note to the DPA explaining the work carried out to address the criticisms raised. Thus, on 14 October 2022, the DPA requested further information and proof of the changes carried out.
Holding
Following the documents provided by the controller, the DPA concluded the following on each point of contention:
On the disclosure and consent for data processing: Violation of the principles of fairness and transparency, as stipulated by Article 5(1)(a) GDPR, Article 12(1) GDPR, as well as Article 13(2) GDPR due to the lack of information on the period of data retention for marketing purposes and of the underlying profiling.
Secondly, on the call back service by pop-up: No violation of Article 5(1)(a) GDPR and Article 12(1) GDPR , given that the controller addressed the inconsistencies between the consent acquired through the call-back pop-up and that explained in the information notice.
Thirdly, on the use of so-called "soft spam": Violation of Article 130(4) of the Italian Privacy Code since the controller was sending promotional text messages rather than e-mails to customers who had not given consent for marketing purposes.
Fourthly, on the management of denials and objections to processing: Violation of Article 5(2) GDPR and Article 24 GDPR as although the controller acknowledged the objections, it did not make alterations to appropriately handle a system listing the changes in the customers´ consent given.
And lastly, on data retention for marketing and profiling purposes: Violation of Article 5(1)(b) GDPR since data retention related to marketing until the withdrawal of consent to processing is also not compliant with Article 7 GDPR, and the controller´s terms of data retention were considered excessively long.
The DPA fined the controller €100,000 under Article 58(2)(i) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
SEE ALSO Newsletter of 11 September 2023
[doc. web no. 9920942]
Provision of 18 July 2023
Register of measures
n. 321 of 18 July 2023
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei, general secretary;
HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter “Regulation”);
HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter the "Code");
HAVING SEEN the documentation in the documents;
GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000;
SPEAKER Dr. Agostino Ghiglia;
1. INSPECTION ACTIVITIES CARRIED OUT BY THE AUTHORITY AT THE COMPANY HEADQUARTERS AND RELATED RESULTS.
1.1. Premise
As part of the control activity of the marketing and profiling activities conducted by the telephone companies, an inspection was carried out, on the dates 3-5 May 2022, at Tiscali Italia S.p.A. (hereinafter also: “Tiscali” or “the Company”).
The latter sent a note on 20 May dissolving the reservations contained in the inspection reports and a further note on 23 June, with specific reference to the corrective actions undertaken on the basis of some critical issues that emerged during the on-site assessment. This was followed, on 14 October and 9 December 2022, by this Authority sending a request for information and supplementary documents to better understand the treatments under investigation and the stage of progress of the changes made by the Company , also in consideration of the development of the incorporation process by merger of the Linkem company, operating in the same sector. The Company provided complete feedback with a note dated January 13th. (to which the reader is referred in full for further details).
The following emerged from the examination of the inspection documents.
1.2. Information and consent for data processing
With reference to data retention times, the Company's Privacy Policy (annex 5 to the minutes of 4 May), identical for the company website as for the shops - in particular in the paragraph "Right to delete personal data", is limited to declare “We keep user data only for the time necessary to provide the requested service or to comply with legal obligations.”, adding that: “If it is believed that we are keeping them for a longer period of time than necessary, to first of all it will be advisable to verify that the contract with Tiscali has ended. If you have no longer been a customer for at least 6 months and there is no active billing object and/or credit situations, fraud, complaints open with Tiscali, the user can also request the deletion of their data, so as not to make them more visible in the Tiscali IT systems. However, even in this case and under certain conditions, we may still be obliged not to permanently delete your data for: reasons of public safety; the establishment, exercise or defense of a right in court or for the fulfillment of a legal obligation". The privacy policy, issued by the Company on the website and in stores, essentially presents a similar formulation, which contemplates only contractual purposes and those envisaged by the legislator.
Therefore, no reference time limit is envisaged, much less distinguished by type of method and purpose (in particular for marketing and profiling), as well as based on the type of data processed, therefore the aforementioned information texts do not provide interested parties with sufficient elements to allow interested parties to be aware of this fundamental aspect of the processing, with the risk of also invalidating any consent given. The gap appears even more serious with respect to the data of prospect subjects and lead subjects recalled as part of the call-back service, whose data are retained, respectively, for 5 years and 2 years (see, below, par. 1.6 of this act).
1.3. Call back service via pop-up.
The Company highlighted that "the only marketing activity carried out on the contacts (leads) collected on the said site as part of the call back service, via pop up, is that relating to the callback for the proposition of the related Tiscali services and that the contact he is not included in lists for future generic contacts, instead being included "in a special call-back system, which only serves to manage callbacks".
With specific reference to one of the comparators ("friendly bill"), the following formulation of consent acquisition - useful was found in the pop-up: "Read the privacy information pursuant to Legislative Decree 196/03 and Regulation (EU) 679/2016 (GDPR) by clicking on "Call me for free" I consent to the processing of personal data in order to be contacted in order to obtain commercial information regarding this Tiscali service". However, in response to this formula, the following notice was present which can be reached via the provided link: "If you have given optional consent for marketing purposes, we inform you that your contact details may be used for sending by of Tiscali of information, communications and commercial offers, advertising and information material, via automated tools (sms, email, whatsapp) or traditional channels (paper mail and telephone calls with operator) relating to all Tiscali services."
Upon specific request from the Authority's staff, the Company confirmed that the aforementioned wording contained in the information refers to the consent referred to in the pop-up. In this regard, the inconsistency between the consent acquired through the call-back pop-up and that explained in the information was already highlighted during the inspection; inconsistency of which the Company has taken note for possible modifications (see minutes of 4 May).
1.4. The use of the so-called “soft spam”.
With regard to what is indicated in point 2 of the information on the website and the paper forms, and, in particular, to the so-called communications soft spam, directed at existing customers who have not expressed their consent to the promotional activities, the Company confirmed that it has "also used the SMS in a residual and episodic manner to send commercial communications on products/services similar to those already purchased by the Tiscali customers. In the period 2021-2022…. carried out 2 promotional campaigns via SMS, following the logic ex 130, 4th Co., of the Code. The first involved 70,000 customers, between October and November 2021. The second involved 95,000 customers, between December 2021 and February 2022.” In this regard, the Company added that it had carried out "an assessment based on which the SMS was considered similar to the email for mobile customers, in terms of invasiveness, taking into account that the telephone number is the only data certain issued by customers during the signing of the contract."
1.5. Management of refusals and objections to treatment.
The Company, in specifying that it does not currently carry out telemarketing campaigns, instead making use of e-mail and, occasionally, SMS messages for the same promotional purposes (see paragraph 1.4 "The use of soft spam"), has specified that " considers the consent given valid for 10 years from the date of termination of the contract, unless revoked. In this regard, ... keeps track of revocation requests, with regards to prospects, in a specific black-list, consisting, to date, of 975 lines, evaluated starting from 2018" (Annex 4, minutes of 3 May) and “… in the event of revocation by a former customer, the relevant consent in the CRM is updated.”
With regard to the management of denials and the black-list, possibly used in the period in which the company carried out teleselling activities, Tiscali declared that it was not able ("at the moment", i.e. on the date of the inspection in question), "to provide documentation and information, due to the changes in personnel and systems that have occurred in recent years. Even with regard to the black list, the company is not able to find the previous list, which is additional to the one already provided to the Authority, the first additions of which are in 2019". Tiscali added that: “Previously, denials were certainly recorded, but at present the company cannot provide documentation in this regard; since 2019 the privacy function has begun to include refusals to processing in the current blacklist, in a reduced number as the company no longer carries out telemarketing. To strengthen this aspect, a CR is in the works to automate the black-listing process and have the CRM and black-list relating to prospects communicate directly.”
At the specific request of the inspection staff regarding the possible function of the CRM or other corporate system to return the dates, channels or other circumstances relating to the changes in privacy consents possibly expressed over time by the individual interested parties, the Company represented "that it does not have this type of function, but which nevertheless has traces of the most recent and current option of will".
1.6. Data storage for marketing and profiling purposes
From the analysis of the "Data retention policy" (annex 6, minutes of 3 May) the following critical aspects emerged:
- to carry out marketing and profiling activities, all data ((including the "history of purchases of Tiscali products and services") are kept for 10 years, both in relation to inactive customers as well as customers, from the date of " last purchase” or “last interaction”;
- for the same purposes, the data (including the "purchase history of Tiscali products and services; personal and contact data such as name, surname, email address, information acquired from the public profile on social media, etc.") are kept for 5 years. ) of prospect subjects. As the initial term of conservation, the Company has identified the date of the "last interaction" (in this case providing for some exemplary hypotheses "participation in an event or competition), with respect to marketing and that of the "collection of consent", with respect to profiling .
Furthermore, in the said Policy relating to the management of lead lists, for the purposes of the call-back service, a retention period of 2 years is indicated (see, for the same term, the processing register, with reference to the relevant section) .
Furthermore, the number of interested parties assumes a significant amount; for example, as regards inactive and suspended customers, "the result of the query refers to 2,926,458 rows in which the customer's identification data have been subject to anonymisation, in line with Tiscali's data retention criteria" (see . note 20 May 2022).
2. CORRECTIVE ACTIONS IMPLEMENTED BY THE COMPANY.
On 23 June 2022 Tiscali sent a note - to which reference is made in full - in which it set out some corrective actions also taking into account the critical issues that emerged during the inspection. In particular, it also represented: that it had made the wording of the cookie banner clearer, also in relation to the declaration of consent to the purposes of the processing as well as the acceptance formula of contractual terms and privacy information, separating the relevant boxes proposed to users when registering on the website.
Furthermore, the Company, regarding the inconsistency noted above, informed that "on 19/5/22 the Company instructed its Engineering data controller, by means of an ad hoc ticket...., in order to remedy the anomaly detected during the inspection and realign the Siebel and MyTiscali tools. This activity was concluded by Engineering on 03/06/22", attaching, "to prove this, a screenshot relating to the conclusion of the positive processing".
With regard to "soft spam", the Company has produced the amended information with reference to this promotional activity towards those who are already customers (until they object), by e-mail, asking the Authority to evaluate, "even with the recourse to an interpretation of the art. 130, co. 4 of the Privacy Code based on the so-called "living right", if what is foreseen therein regarding soft spam can be considered - based on current technological and social evolution - also extendable to communication via SMS. This is in consideration of the fact that, to date, SMS has a significantly reduced range compared to the past (also due to the advent of new instant messaging systems). However, please note that following the last campaign carried out in February 2022, the Company had already suspended these soft spam activities.".
Tiscali also represented that the real-time alignment between the black list and the CRM was being worked on, again by the IT company responsible for the processing.
3. INTEGRATION OF THE INVESTIGATION.
In consideration of the completion of the incorporation operation into the Tiscali group of Linkem (now: Opnet S.p.A.), as well as the corrective activities implemented by the Company, it was deemed necessary to address a request to the latter for elements and documents, on 14 October 2022 - renewed on 9 December having received no response - in order to verify the roles of Tiscali Italia spa and Linkem spa in the processing of customer/prospect data; quantity and quality (types) of data acquired following the merger; data retention policy; information released to interested parties, as well as any corrective measures undertaken in relation to possible critical issues that emerged during the inspection or independently detected by the Company.
Tiscali - with a delay allegedly due to technical problems in the management of the certified mail service - provided feedback, with a note dated January 13th. (to which reference should be made for the details of the various profiles examined), representing first of all that: "The extraordinary operation completed on 1 August 2022 consisted of a series of corporate operations which ... led to the incorporation by Tiscali of the branch retail business of Linkem S.p.A. and the consequent takeover of Tiscali, in accordance with the provisions dictated by the articles. 2501 et seq. c.c., in a multiplicity of active and passive relationships of Linkem S.p.A.”. In particular, on 22 July 2022 the deed of merger by incorporation between Tiscali S.p.A. was formalized. (today, Tessellis S.p.A.), holding company of the Tiscali Group (incorporating company) and Linkem Retail S.r.l. (incorporated company) with effect from 1 August 2022; at the same time, the Company proceeded with an internal reorganization of its group, in order to centralize all retail activities within itself, taking over "As of 1 August 2022 ... ownership of all activities included in the retail branch, including including those for the processing of personal data of only active customers on 31 July 2022, previously carried out by Linkem ... On the contrary, the processing of data of Linkem customers which ceased before 31 July 2022 ... remained with Opnet S.p.A. (then Linkem S.p.A.).”
The Company added that it had "sent a communication to customers by email dated 28 July 2022 also containing the information on the processing of personal data (Annexes 1 and 2, to the aforementioned acknowledgment note); communication made available on the website dedicated to the Linkem service and still available on the page https://www.linkem.com/associazione-linkem-tiscali.”
As regards data retention, following the Extraordinary Operation, the Company represented that it had started the necessary internal analysis aimed at "a complete mix of the databases previously owned by Linkem S.p.A. within their systems. Since this objective has not yet been achieved, ... holds the personal data of acquired customers .... on different and additional systems - also acquired in the (said corporate matter) - compared to those used to carry out the personal data processing activities already subject to the (inspection) activities".
Furthermore, with particular regard to the storage terms, the Company has recalled those expressly provided for in the aforementioned privacy policy.
Regarding these terms, specifically, it emerges from the analysis of the said policy that, similarly to Tiscali customers, the retention of personal data collected and processed for marketing purposes relating to active customers is envisaged "until the (possible) revocation of consent ”.
Although expressly indicated in the aforementioned information among the purposes of the processing, there was no trace of the storage of the personal data in question for profiling purposes.
Lastly, on 28 January 2023 this Authority asked the Company to specify the following quantitative data: - number of customers (active and terminated) and - leads, distinguishing between the two brands "Tiscali" and "Linkem". The Company, providing feedback on February 7th, stated that, with reference to the Tiscali brand, there are 17,808,080 active customers; those terminated 1,384,029 8,076; leads 19,576; with reference to the Linkem brand: active 530,614; 47,474 terminated; leads 19,576.
4. THE DISPUTE MADE BY THE AUTHORITY.
4.1. Information and consent for data processing
The aforementioned gaps in the information highlighted the alleged violation of the principles of 'correctness' and 'transparency' (art. 5, par.1, letter a, and 12, par.1), as well as art. 13 of the Regulation.
Recalling what was said in par. 2 of this provision, the retention times for the albeit invasive marketing purposes (even targeted) and the underlying profiling were not indicated, not allowing interested parties to evaluate whether and which data to release or possibly unsubscribe from the company website. The conditions for the violation of the principles of transparency (art. 5, par.1, letter a) and 12, par.1 of the Regulation) and of adequate information (art. 13, par.2) were therefore recognizable. letter a) of the same Regulation.
Furthermore, this was also in conflict with the Guidelines of the European Data Protection Committee pursuant to the Regulation (wp260rev.01), in www.edpb.europa.eu, which, in coherence with the aforementioned legislation, expressly enhance the information fulfillment in terms of simplicity, clarity, immediate intelligibility, also taking into account the most vulnerable categories (such as the elderly and people with disabilities), and in particular characterized by a lower capacity for discernment.
With limited reference to customers who purchase Tiscali products and/or services, the possible violation has emerged - moreover in relation to invasive processing such as profiling - of the art. 6 of the Regulation, as the use of a correct legal basis is not recognized: in fact, it does not appear that said processing is based on the consent of the interested party (par.1, letter a), nor on legitimate interest (par.1, letter f ), the application of which, as is known, should have been based - a circumstance which is not in the documents - on a prior specific balancing test between the interests of the owner and that of the interested parties or even of third parties (see Group Guidelines ex art. 29 on this specific assumption; see also provision dated 15 January 2020 n.7, web doc. n.9256486).
4.2. Call back service via pop-up.
The inconsistency that emerged between the consent acquired through the call-back pop-up and that explained in the information - not allowing the interested party to understand which promotional initiatives he is giving consent to - appeared to be in conflict with the principle of correctness and transparency (articles 5, par.1, letter a, and 12, par.1, of the Regulation).
4.3. The use of the so-called “soft spam”,
The sending of promotional text messages - instead of e-mails - to individuals who were already customers, who had not given consent to the marketing, constituted a possible violation pursuant to 130, 4th co., of the Privacy Code, which, in allowing the use of e-mail for promotional purposes towards subjects who have already purchased a product or service regulates an exception - not susceptible to extensive application - compared to the general rule of prior, specific, provable and unequivocal consent. Furthermore, it is necessary to consider the high number of interested parties involved (70,000 customers, between October and November 2021; 95,000 customers, between December 2021 and February 2022).
4.4. Management of refusals and objections to treatment
With regard to the lack of a suitable procedure for returning (possibly since the establishment of the Company) the dates, channels or other circumstances relating to the variations in privacy consent expressed by the individual interested parties over time, the conditions for the violation of the principle of accountability (art. 5, par. 2 and 24, of the Regulation), given that the Company has not been able to demonstrate adequate management of the fundamental right of the interested party to self-determination (also pursuant to the aforementioned art. 6, par. 1 letter a of the Regulation) with respect to your sphere of personal data.
4.5. Data storage for marketing and profiling purposes
Regarding the retention terms, as highlighted in par. 1.6. of this act (specifically, therefore, referring to the data of active customers, terminated customers and leads), as well as the term ("until the (possible) revocation of consent" - provided for in the aforementioned paragraph 3 "Integration of preliminary investigation "in relation to "personal data collected and processed for marketing purposes relating to active customers" - the probable conflict with the principles of 'purpose, minimization and limitation of conservation' emerged, pursuant to art. 5, par. .1, letter b), c), and e) of the Regulation. The aforementioned terms, even assuming that they have been identified by the Company in the exercise of its accountability, nevertheless appear excessively extended. In fact, based on the provision. general 24 February 2005 [doc. web 1103045] the general rule applies regarding retention times, it is a maximum of 2 years for data relating to marketing and 1 year for data relating to profiling.
Furthermore, it was remembered that there are some exceptional cases in which the term (in particular, that relating to profiling activity) has been increased (in any case up to 7 years and not up to 10 or to the possible revocation of consent), but this is the term used as reference by brand companies belonging to the luxury sector, authorized by the Guarantor, however in a very different socio-economic and technological context, following a specific prior checking request and a specific investigation. It should be added that, as far as is in the documents, it was not considered that the type of products offered for sale by the Company was similar to that marketed by such companies (such as: Bulgari, Ferragamo; see provisions ti, 24 April 2013, doc. web 2499354 and 30 May 2013, web doc. n.2547834).
5. NOTIFICATION OF ALLEGED VIOLATIONS PURSUANT TO ART. 166, PARAGRAPH 5, OF THE CODE.
Based on the above, it was necessary to notify the Company of the alleged violation of the following provisions of the Regulation:
articles 5, par. 1, letter. a), b) c) and e) as well as par. 2; 6, par.1, letter. to);
12, par. 1, and 13, par. 2, letter. to);
24;
as well as the art. 130, co. 4, of the Code.
The start of the procedure for the possible adoption of the measures referred to in article 58, par. 2, of the Regulation and for the possible application of the pecuniary sanctions referred to in the art. 83, par. 4 and 5 of the Regulation.
6. DEFENSIVE MEMORY.
Through its defense statement dated 22 March 2023, the full text of which is referenced, the Company represented that:
6.1. Information and consent for data processing.
Regarding the "failure to indicate the terms of data retention for marketing and profiling purposes in the information addressed to customers", the Company represented "how, following the Extraordinary Merger Operation between Tiscali and the business unit retail of Linkem S.p.A., the Company has updated the information on the processing of personal data pursuant to art. 13 of the Regulation addressed to customers of Linkem branded Tiscali services, inserting within the same the precise indication of the terms of conservation of personal data with respect to each processing purpose pursued, including marketing ones ("until the revocation of consent by You expressed pursuant to art. 7 of the GDPR and/or until your opposition to the processing pursuant to art. 21 of the GDPR" ) and general profiling based on legitimate interest ("12 months" from collection). The same changes will also be made to the contractual privacy information aimed at customers of Tiscali brand services". The Company also highlighted that "the absence of any complaint included in this proceeding is further proof that, despite the presence of an outdated data retention policy, Tiscali has always operated in compliance with the relevant information without causing any type of prejudice towards the interested party".
Coming to the profiling activity, the Company represented: "how the processing indicated in the information with the term "aggregate profiling" consists of a data processing activity aimed at strategic orientation analyzes carried out by the Company, which can be qualified , using recently coined terminology, such as “aggregate analysis” or “classification”. The aforementioned processing, in reality, consists in analyzing, in a general and aggregate manner, the personal and purchasing information of the entire database of its customers to create strategic business models and improve its products and services, without carrying out evaluations, forecasts or draw conclusions regarding specific natural persons.
“Unlike profiling understood in the terms of art. 4 of the Regulation", the Company also specified that "no attribute and/or profiled marker is associated with the details of the customers present in the database. The personal data of the Company's customers are, therefore, used to carry out aggregate business intelligence processing which leads to high-level information not referring to individual customers, allowing the Company to know the number of how many (and not who) have benefited from specific services in a specific geographic area in a given period of time. Typical cases of aggregate business intelligence processing carried out are, for example, the general analyzes of the offers of its services through which it is verified, through aggregate evaluations, how many customers of the entire database have signed up to a specific promotion in a given period and/or or geographical area; or even the general analysis of the entire customer base aimed at knowing at a statistical level the targets that distinguish the customer base (for example, statistical evaluation of the percentage of women and men, percentage distribution by age group, geographical area, etc. ). The general analysis activity carried out by Tiscali - unlike the profiling activity - as defined pursuant to art. 4 of the GDPR - does not, therefore, imply any personalized impact on customers, as it is not directly and functionally aimed at the implementation of targeted and personalized commercial or advertising actions. The aforementioned analysis activity, projecting itself into the dimension of the Company's strategic choices, is directly functional to the satisfaction of a typically entrepreneurial interest of the same; the resulting data processing can therefore be based on the legitimate interest pursuant to art. 6, par. 1, letter. f) of the Regulation...".
6.2. Call-back service via pop-up.
In this regard, Tiscali represented that: "During the inspection activity (see minutes of 4 May 2022), it emerged that - in the context of the inbound marketing activity carried out following a collection of leads by third parties suppliers of offer comparison services in the telecommunications market - exclusively for one of these suppliers ("friendly bill"), the commercial consent formula to be given to be contacted again (call back) was misaligned with what is provided for in the relevant information call back privacy. The Company reiterated that "this is a mere material error in alignment and/or updating of the text, given that for the other comparators analyzed during the Inspection Activity, said inconsistency is absent... as indicated in the note dated 20 May 2022; (has) corrected/aligned ... this call back information regarding "friendly bill" so that the references to consent therein coincided with the aforementioned consent formula, which provides for specific commercial recontact for the advertised Tiscali service only. As further confirmation of the mere material error and as proof that this had no concrete impact on the interested parties, the Company added that: "- on the one hand, the data collected for the call back phase did not flow into the company CRM but rather in a specific call back system (see appendix 8 of the minutes of 4.5.22 with the screenshots of the call back system). Therefore, the risk of a commercial contact outside of the consent to recontact for the single Tiscali service was excluded... Only the administrators of the call back system had visibility of the numbers archived "up to a maximum of 30 days before". The data was verified and confirmed during the inspection, which took place from 3 to 5 May 2022, where it emerged that the oldest data referred to 24 April 2022 so that it was evidently kept for a period of no more than 30 days". Tiscali then stated that: "from the evidence of the systems collected in the Inspection Activity it was ascertained that said error had no impact on the systems and, therefore, even less so on the interested parties"; at the same time highlighting that "pursuant to art. 3 (general principles) of Regulation 1/2019 ... the Authority must take into account "the nature and seriousness of the offenses to be ascertained in relation to the related effects and the extent of the damage that they may cause for one or more interested parties, the probability to prove its existence, as well as the available resources."
6.3. The use of soft spam.
The Company represented "how this method of sending campaigns concerned exclusively two promotional campaigns and was subsequently definitively interrupted at the end of the second campaign in February 2022 ... the activity concerned only two campaigns for a small customer base compared to to the entire customer base communicated to this Authority".
6.4. Management of refusals and objections to treatment.
The Company preliminarily observed, reiterating what was declared during the inspection, that it had not carried out telemarketing and teleselling activities before 2018. "Consequently, the oppositions from prospects collected in the blacklist are made up only of cases of "generic" oppositions, valid that is, communications sent by interested parties without distinction to the main electronic communications operators (including Tiscali) to oppose any campaigns, and not following specific teleselling/telemarketing campaigns launched by Tiscali at least from 2018 onwards directly and/or indirectly ...has not even activated an Agency channel for the direct proposition of commercial contracts. For this reason, the content of the blacklist contains a relatively small number of oppositions.” The Company also documented that "the blacklist was shared including approximately 350 oppositions registered simultaneously at 00:00 on 25 September 2019, which are the result of a massive upload of all the oppositions previously collected and coming from another database, to date, at least, from 25 May 2018, the date of application of the GDPR. ... has recovered all the blacklists previously collected before 2019 up to 2018.. As can be easily verified through a comparison, all the names present in these blacklists coincide with the approximately 350 oppositions..."
6.5. The storage of data for marketing and profiling purposes.
With reference to the data retention policy relating to customers, the Company stated "first of all that the version shared with the Authority was not updated and is currently being revised also following the aforementioned Extraordinary Operation. As demonstrated during the inspection activity through evidence also collected on the systems...: - Tiscali does not carry out profiling activities; - as regards marketing towards prospects, it is important to remember how these subjects represent the so-called "lead" and, therefore, as per the relevant information viewed in Inspection Activities, said data was kept exclusively for 30 days.".
The Company then stated that the "criticism made regarding the retention times of data for marketing and profiling purposes, according to the orientation of the provision of 24 February 2005, according to which "the retention times of data relating to the details of purchases with reference to customers should be identified in 24 months (starting from registration) for marketing purposes and in 12 months (starting from registration) for profiling purposes - it does not appear to be applicable. According to the Company, it would in fact be up to the Data Controller, by virtue of the principle of responsibility, "the burden of carrying out every most appropriate assessment, adopting adequate technical-organizational measures in order to guarantee compliance of the processing with the Regulation", recalling "certain provisions of the Authorities who have recognized the possibility of extending the retention period for the processing of data relating to purchase details even up to a period of 10 years and this not only in favor of companies/brands belonging to the fashion/luxury sector (see ., for example, provision no. 274 of 9 May 2018 [web doc. no. 8998319], provision no. 297 of 12 June 2014 [web doc. no. 3315156], provision no. 329 of 22 May 2018 [web doc. n.9022048]). “
6.6. Overview of the improvement measures adopted.
The Company represented that it had spontaneously implemented a set of improvement actions, as proof of its accountability, both already started and/or concluded, also as a measure of further collaboration with this Authority. Among these:
- the correction of the call-back privacy information with reference to the "friendly bill" comparator;
- further clarification of the marketing consent formula;
- the separation, via a different and specific flag, of having read the information from the contractual conditions;
- the "refinement of the customer privacy information, through the use of even simpler and more effective terms in representing the marketing purpose and eliminating references to soft-spam via SMS";
- the implementation of a technical automation that aligns the opposition blacklist with the CRM in real-time; - the standardization of call-back information, following the said merger.
6.7. Conclusions formulated by the Company.
In light of all of the above, Tiscali, in the memorandum in question, requested the dismissal of the proceeding and, alternatively, to apply a sanction in its minimum statutory value, taking into account: (1) the measures adopted by the data controller to mitigate any damage suffered by the interested parties; (2) the degree of responsibility of the data controller taking into account the technical and organizational measures implemented by it; (3) the degree of cooperation with the Supervisory Authority in order to remedy the violation and mitigate its possible negative effects.
The Company has also documented, in detail, its condition of serious economic and financial crisis such as to have "closed 9 of the last 10 financial years with a highly negative net result to which must be added the widespread difficulty of all the small and medium telecommunications."
7. THE COMPANY HEARING.
During the hearing, held on 27 April, the Company, in recalling what was already represented in the defense brief, added that in the context of the said merger procedure with Linkem, data protection has been taken on as an increasingly central value in the scope of the corporate reorganization, establishing new functions (IT and compliance) in the same Department that deals with privacy, appointing a DPO authorized to liaise directly with the CEO of the Company, further reviewing and standardizing information, corresponding consents, procedures and documentation between Tiscali and Linkem.
8. NOTE TO THE COMPANY'S FINANCIAL STATEMENTS DATED MAY 30 U.S.
With a note dated 30 May 2023, Tiscali finally represented that, "despite the critical economic and financial condition of its balance sheets, finally confirmed also on the occasion of the approval of the financial data for the 2022 financial year, and of the telecommunications market in the current historical context in which all the main operators have announced redundancies involving thousands of jobs, has responsibly opted to safeguard its employees by not reducing surplus staff; and which, following the merger, internalized the staff contracted for services at some call centers, as well as relocated without any redundancy the staff from the IT business branch leased (to another company), and returned at the end of 2022".
The Company also reiterated that the processing indicated in the information with the term 'aggregate profiling' "consists of a data processing activity aimed at strategic orientation analyzes carried out by the Company, which can be qualified using recently coined terminology. , as 'aggregate analysis' or 'classification' and which consists in analysing, in a general and aggregate manner, the personal and purchasing information of the entire database of its customers to create strategic business models and improve its products and services, without making assessments, forecasts or drawing conclusions regarding specific natural persons”; that the said classification responds to the definition most recently found in the Code of Conduct for telemarketing and teleselling activities approved by this Authority on March 9th.
Finally, the Company, due to the represented need to "safeguard its workers and business continuity, in the unlikely event that a sanction was imposed on the same", asked to be able to "defer the due payment even in the event of a immediate of the sanction itself. "
9. LOGICAL-LEGAL OBSERVATIONS OF THE AUTHORITY.
9.1. Information and legal bases for processing.
With specific regard to information compliance, believing that the defenses formulated are not sufficient to exempt the Company from administrative liability, it is deemed necessary to confirm the violation of the principles of 'correctness' and 'transparency' (art. 5, par.1 , letter a, and 12, par.1), as well as art. 13 of the Regulation, in light of the arguments set out above with the dispute. Furthermore, it does not note, unlike what is claimed by the Company, that "despite the presence of an outdated data retention policy, Tiscali (has) always operated in compliance with the relevant information without causing any type of prejudice towards the interested party" , since, based on the combined provisions of the articles. 12 and 13 of the Regulation, the inappropriate fulfillment of the fundamental obligation of complete disclosure and transparency is sanctionable, based on the art. 83, par. 5 of the Regulation, regardless of any related detrimental consequences.
Regarding the possible legal basis of the profiling activity (individual or aggregate), understood, pursuant to art. 4, par.1, letter. d) of the Regulation, as "any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning professional performance, economic situation, the health, personal preferences, interests, reliability, behaviour, location or movements of the said natural person", it should be highlighted that the Company, in particular with the aforementioned notes of 22 March and 30 May 2019, has clarified that, in reality, its activity consists of a general and aggregate analysis by macro-criteria (such as age or sex) without any evaluation or impact for the interested parties, and that therefore - despite the terminology used in the information - cannot be assimilated to profiling.
In light of the above, this Authority - considering the function of mere segmentation and generic classification of the customer base - can exclude the recurrence, in this case, of a profiling activity and, therefore, believes it can dismiss the violation contested at the time .
9.2. Call back service via pop-up.
Considering the complex arguments put forward by the Company (and, in particular, the merely formal nature of the violation in question and the absence of actual harm to the interested parties), it is believed that the related dispute can be dismissed (articles 5, par.1, letter a, and 12, par.1).
9.3. The use of soft spam.
The Authority, recalling what has already been highlighted in this regard during the dispute, believes that the arguments put forward by the Party cannot be considered sufficient to overcome the complaint made, since - it is worth repeating - that of the art. 130, paragraph 4, is an exceptional rule, therefore insusceptible of analogical application.
Considering this, the violation of the aforementioned provision is to be considered confirmed.
9.4. Management of refusals and objections to treatment.
Finally, the Company has demonstrated that it is aware of the objections received since the Regulation was fully operational, producing the relevant black lists, but has added nothing, compared to what emerged during the inspection, regarding the failure to implement a "CRM function or other corporate system to return the dates, channels or other circumstances relating to the variations expressed in privacy consents over time by the individual interested parties" and to their current setting of the black list, capable only of keeping "track of the most desired option recent and current".
It should be highlighted that the owner must be able to substantiate the various manifestations of consent and refusal, in such a way as to be able to adequately identify the requests of the interested parties pursuant to the articles. 15-22 of the Regulation as well as the investigative requests of the Authority as part of its supervisory activity.
It is therefore deemed necessary to confirm the violation of the articles. 5, par.2, and 24, of the Regulation and also to order the Company to implement a procedure suitable for returning, within the aforementioned terms, the changes in privacy consents formulated over time by the individual interested parties.
9.5. Storage times.
As claimed by the Company, the provision of the Guarantor of 24 February 2005 "Fidelity cards" and guarantees for consumers", although no longer of a binding nature, is still to be considered applicable with a guideline value and therefore so is the timescale provided therein (24 months for marketing data; 12 months for profiling data). Furthermore, while valorising the principle of accountability, also with reference to the delicate matter of data retention, one certainly cannot come to the conclusion that an owner, on the basis of this principle which needs to be reconciled with the other fundamental principles envisaged by the Regulation, can deviate excessively from the aforementioned provisions, without incurring a violation of the principle of limitation of conservation (see art. 5, par.1, letter d) of the Regulation). For example, it is considered inappropriate to retain marketing data until the date of revocation of consent to processing, pursuant to art. 7 of the Regulation, also considering that the interested party may never change his/her will or keep it unchanged for years.
Furthermore, no relevance can be given to the precedents cited by the Company (see provisions, 24 April 2013, web doc. 2499354 and 30 May 2013, web doc. n.254783) adopted by the Guarantor in different conditions and referring to storage times of data relating to the purchase of luxury goods, i.e. in relation to cases that cannot be adapted to the specific case.
10. CONCLUSIONS.
For the above overall, Tiscali's responsibility for the following violations of the Regulation is deemed to be established:
articles 5, par. 1, letter. a), b) c) and e) as well as par. 2; 12, par. 1; 13, par. 2, letter. to); 24;
as well as the art. 130, co. 4, of the Code.
Having ascertained the illicit nature of the Company's conduct described above, it is necessary to order it to:
- establish and apply differentiated retention times, in relation to the categories of interested parties (active customers; terminated customers; leads), in compliance with the principle of conservation limitation (art. 5, par.1, letter e) of the Regulation), distinguishing between marketing and classification treatments, and deleting, or anonymizing, the data that is retained beyond the established terms (see, similarly, the recent provisions of 20 October 2022; 27 April 2023; 8 June 2023).
- implement a procedure suitable for returning the dates, channels or other circumstances relating to changes in privacy consents possibly expressed over time by the individual interested parties.
With regard to the treatments already carried out and with dissuasive purposes, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to articles. 58, par. 2, letter. i) and 83, pars. 4 and 5 of the Regulation.
11. Injunction order for the application of the administrative fine
The violations confirmed above require the adoption of an injunction order, pursuant to articles. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against La Tiscali spa of the pecuniary administrative sanction provided for by the art. 83, par. 4 and 5 of the Regulation. However, since various provisions of the Regulation and the Code have been violated in relation to related processing carried out by the Company for marketing purposes, art. 83, par. 3, of the Regulation, according to which, "if, in relation to the same treatment or related treatments, a data controller violates, with intent or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed amount specified for the most serious violation”, thus absorbing the less serious violations.
Specifically, the aforementioned violations - also having as their object the principle of 'limitation' of conservation (art. 5 of the Regulation) - are to be traced back, pursuant to art. 83, par. 3, of the same Regulation, in the context of the most serious violation, with consequent application of the sanction provided for in the art. 83, par. 5, of the Regulation.
For the purposes of quantifying the administrative sanction, the aforementioned art. 83, in establishing in par. 5, the statutory maximum in the sum of 20 million euros, specifies the methods for quantifying the aforementioned sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1, of the Regulation), identifying to this end, a series of elements, listed in par. 2, to be assessed when quantifying the relevant amount.
Since there are no aggravating elements among those indicated in said provision in this case, on the other hand, the following circumstances emerge as mitigating circumstances to be taken into consideration:
1) the timely adoption of corrective measures, some of which started immediately after the conclusion of the inspections, such as to distinguish Tiscali within the telephone sector (letter f);
2) the constant and fruitful collaboration with this Authority (letter f);
3) the purely national dimension of its activity and the relatively marginal role within the telephony market (letter k);
4) the serious socio-economic crisis underway and its serious repercussions also on the economic-financial situation of the Company ("... 9 of the last 10 financial years with a highly negative net result"), which, however, at the same time, has decided to keep its workforce unchanged and has taken steps to internalize staff from other companies, who would otherwise be destined for dismissal (letter k).
Based on all the elements indicated above, in application of the aforementioned principles of effectiveness, proportionality and dissuasiveness referred to in art. 83, par. 1 of the Regulation, also taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, also in order to limit the economic impact of the sanction on the organisational, functional and employment needs of the Company, it is believed that it should apply to Tiscali - taking into consideration similar cases, such as the provision. October 20, 2022, doc. web no. 9825667 - the administrative sanction of the payment of a sum of €100,000.00, equal to 0.5% of the maximum statutory sanction.
In the case in question, it is believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art., should also be applied. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the sensitivity of the matter under investigation (data retention for marketing and profiling purposes; obligation of impact assessment for invasive and large-scale treatments) as well as the need for non-discrimination compared to similar cases (see provision 20 October, cit.).
Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, letter. u) of the Regulation.
ALL THE WHEREAS, THE GUARANTOR
a) pursuant to art. 57, par. 1, letter. f), of the Regulation, declares unlawful, within the terms set out in the justification, the processing carried out by Tiscali Italia S.p.A., with registered office in Cagliari, Località Sa Illetta, SS 195 Km 2,300, Code. Tax VAT number: 02508100928; and for the effect;
b) pursuant to art. 58, par. 2, letter. d), of the Regulation, enjoins the establishment and application of differentiated retention times, in relation to the categories of interested parties (active customers; terminated customers; leads), in compliance with the principle of limitation of retention (art. 5, par.1, letter e) of the Regulation), distinguishing between marketing and classification treatments and deleting, or anonymizing, the data that is retained beyond the established terms;
c) pursuant to art. 58, par. 2, letter. d), of the Regulation, enjoins the implementation of a procedure suitable for returning the dates, channels or other circumstances relating to changes in privacy consents possibly expressed over time by the individual interested parties;
d) pursuant to art. 157 of the Code, orders the Company to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, paragraph 5, of the Regulation;
ORDER
pursuant to art. 58, par. 2, letter. i), of the Regulation, to Tiscali Italia S.p.A., in the person of its legal representative, to pay the sum of 100,000 (one hundred thousand/00) euros, as a pecuniary administrative sanction for the violations indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;
ORDERS
to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 100,000.00 (one hundred thousand/00) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to the 'art. 27 of law no. 689/1981;
HAS
as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, the publication of this provision on the Guarantor's website and, pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by the art. 57, par. 1, letter. u) of the Regulation, violations and measures adopted.
Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles. 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the owner of the personal data processing has his residence, or, alternatively, with the court of the place of residence of the interested party. , within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.
Rome, 18 July 2023
PRESIDENT
Stantion
THE SPEAKER
Ghiglia
THE GENERAL SECRETARY
Mattei
SEE ALSO Newsletter of 11 September 2023
[doc. web no. 9920942]
Provision of 18 July 2023
Register of measures
n. 321 of 18 July 2023
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei, general secretary;
HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter “Regulation”);
HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter the "Code");
HAVING SEEN the documentation in the documents;
GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000;
SPEAKER Dr. Agostino Ghiglia;
1. INSPECTION ACTIVITIES CARRIED OUT BY THE AUTHORITY AT THE COMPANY HEADQUARTERS AND RELATED RESULTS.
1.1. Premise
As part of the control activity of the marketing and profiling activities conducted by the telephone companies, an inspection was carried out, on the dates 3-5 May 2022, at Tiscali Italia S.p.A. (hereinafter also: “Tiscali” or “the Company”).
The latter sent a note on 20 May dissolving the reservations contained in the inspection reports and a further note on 23 June, with specific reference to the corrective actions undertaken on the basis of some critical issues that emerged during the on-site assessment. This was followed, on 14 October and 9 December 2022, by this Authority sending a request for information and supplementary documents to better understand the treatments under investigation and the stage of progress of the changes made by the Company , also in consideration of the development of the incorporation process by merger of the Linkem company, operating in the same sector. The Company provided complete feedback with a note dated January 13th. (to which the reader is referred in full for further details).
The following emerged from the examination of the inspection documents.
1.2. Information and consent for data processing
With reference to data retention times, the Company's Privacy Policy (annex 5 to the minutes of 4 May), identical for the company website as for the shops - in particular in the paragraph "Right to delete personal data", is limited to declare “We keep user data only for the time necessary to provide the requested service or to comply with legal obligations.”, adding that: “If it is believed that we are keeping them for a longer period of time than necessary, to first of all it will be advisable to verify that the contract with Tiscali has ended. If you have no longer been a customer for at least 6 months and there is no active billing object and/or credit situations, fraud, complaints open with Tiscali, the user can also request the deletion of their data, so as not to make them more visible in the Tiscali IT systems. However, even in this case and under certain conditions, we may still be obliged not to permanently delete your data for: reasons of public safety; the establishment, exercise or defense of a right in court or for the fulfillment of a legal obligation". The privacy policy, issued by the Company on the website and in stores, essentially presents a similar formulation, which contemplates only contractual purposes and those envisaged by the legislator.
Therefore, no reference time limit is envisaged, much less distinguished by type of method and purpose (in particular for marketing and profiling), as well as based on the type of data processed, therefore the aforementioned information texts do not provide interested parties with sufficient elements to allow interested parties to be aware of this fundamental aspect of the processing, with the risk of also invalidating any consent given. The gap appears even more serious with respect to the data of prospect subjects and lead subjects recalled as part of the call-back service, whose data are retained, respectively, for 5 years and 2 years (see, below, par. 1.6 of this act).
1.3. Call back service via pop-up.
The Company highlighted that "the only marketing activity carried out on the contacts (leads) collected on the said site as part of the call back service, via pop up, is that relating to the callback for the proposition of the related Tiscali services and that the contact he is not included in lists for future generic contacts, instead being included "in a specific call-back system, which only serves to manage callbacks".
With specific reference to one of the comparators ("friendly bill"), the following formulation of consent acquisition - useful was found in the pop-up: "Read the privacy information pursuant to Legislative Decree 196/03 and Regulation (EU) 679/2016 (GDPR) by clicking on "Call me for free" I consent to the processing of personal data in order to be contacted in order to obtain commercial information regarding this Tiscali service". However, in response to this formula, the following notice was present which can be reached via the provided link: "If you have given optional consent for marketing purposes, we inform you that your contact details may be used for sending by of Tiscali of information, communications and commercial offers, advertising and information material, via automated tools (sms, email, whatsapp) or traditional channels (paper mail and telephone calls with operator) relating to all Tiscali services."
Upon specific request from the Authority's staff, the Company confirmed that the aforementioned wording contained in the information refers to the consent referred to in the pop-up. In this regard, the inconsistency between the consent acquired through the call-back pop-up and that explained in the information was already highlighted during the inspection; inconsistency of which the Company has taken note for possible modifications (see minutes of 4 May).
1.4. The use of the so-called “soft spam”.
With regard to what is indicated in point 2 of the information on the website and the paper forms, and, in particular, to the so-called communications soft spam, directed at existing customers who have not expressed their consent to the promotional activities, the Company confirmed that it has "also used the SMS in a residual and episodic manner to send commercial communications on products/services similar to those already purchased by the Tiscali customers. In the period 2021-2022…. carried out 2 promotional campaigns via SMS, following the logic ex 130, 4th Co., of the Code. The first involved 70,000 customers, between October and November 2021. The second involved 95,000 customers, between December 2021 and February 2022.” In this regard, the Company added that it had carried out "an assessment based on which the SMS was considered similar to the email for mobile customers, in terms of invasiveness, taking into account that the telephone number is the only data certain issued by customers during the signing of the contract."
1.5. Management of refusals and objections to treatment.
The Company, in specifying that it does not currently carry out telemarketing campaigns, instead making use of e-mail and, occasionally, SMS messages for the same promotional purposes (see paragraph 1.4 "The use of soft spam"), has specified that " considers the consent given valid for 10 years from the date of termination of the contract, unless revoked. In this regard, ... keeps track of revocation requests, with regards to prospects, in a specific black-list, consisting, to date, of 975 lines, evaluated starting from 2018" (Annex 4, minutes of 3 May) and “… in the event of revocation by a former customer, the relevant consent in the CRM is updated.”
With regard to the management of denials and the black-list, possibly used in the period in which the company carried out teleselling activities, Tiscali declared that it was not able ("at the moment", i.e. on the date of the inspection in question), "to provide documentation and information, due to the changes in personnel and systems that have occurred in recent years. Even with regard to the black list, the company is not able to find the previous list, which is additional to the one already provided to the Authority, the first additions of which are in 2019". Tiscali added that: “Previously, denials were certainly recorded, but at present the company cannot provide documentation in this regard; since 2019 the privacy function has begun to include refusals to processing in the current blacklist, in a reduced number as the company no longer carries out telemarketing. To strengthen this aspect, a CR is in the works to automate the black-listing process and have the CRM and black-list relating to prospects communicate directly.”
At the specific request of the inspection staff regarding the possible function of the CRM or other corporate system to return the dates, channels or other circumstances relating to the changes in privacy consents possibly expressed over time by the individual interested parties, the Company represented "that it does not have this type of function, but which nevertheless has traces of the most recent and current option of will".
1.6. Data storage for marketing and profiling purposes
From the analysis of the "Data retention policy" (annex 6, minutes of 3 May) the following critical aspects emerged:
- to carry out marketing and profiling activities, all data ((including the "history of purchases of Tiscali products and services") are kept for 10 years, both in relation to inactive customers as well as customers, from the date of " last purchase” or “last interaction”;
- for the same purposes, the data (including the "purchase history of Tiscali products and services; personal and contact data such as name, surname, email address, information acquired from the public profile on social media, etc.") are kept for 5 years. ) of prospect subjects. As the initial term of conservation, the Company has identified the date of the "last interaction" (in this case providing for some exemplary hypotheses "participation in an event or competition), with respect to marketing and that of the "collection of consent", with respect to profiling .
Furthermore, in the said Policy relating to the management of lead lists, for the purposes of the call-back service, a retention period of 2 years is indicated (see, for the same term, the processing register, with reference to the relevant section) .
Furthermore, the number of interested parties assumes a significant amount; for example, as regards inactive and suspended customers, "the result of the query refers to 2,926,458 rows in which the customer's identification data have been subject to anonymisation, in line with Tiscali's data retention criteria" (see . note 20 May 2022).
2. CORRECTIVE ACTIONS IMPLEMENTED BY THE COMPANY.
On 23 June 2022 Tiscali sent a note - to which reference is made in full - in which it set out some corrective actions also taking into account the critical issues that emerged during the inspection. In particular, it also represented: that it had made the wording of the cookie banner clearer, also in relation to the declaration of consent to the purposes of the processing as well as the acceptance formula of contractual terms and privacy information, separating the relevant boxes proposed to users when registering on the website.
Furthermore, the Company, regarding the inconsistency noted above, informed that "on 19/5/22 the Company instructed its Engineering data controller, by means of an ad hoc ticket...., in order to remedy the anomaly detected during the inspection and realign the Siebel and MyTiscali tools. This activity was concluded by Engineering on 03/06/22", attaching, "to prove this, a screenshot relating to the conclusion of the positive processing".
With regard to "soft spam", the Company has produced the amended information with reference to this promotional activity towards those who are already customers (until they object), by e-mail, asking the Authority to evaluate, "even with the recourse to an interpretation of the art. 130, co. 4 of the Privacy Code based on the so-called "living right", if what is foreseen therein regarding soft spam can be considered - based on current technological and social evolution - also extendable to communication via SMS. This is in consideration of the fact that, to date, SMS has a significantly reduced range compared to the past (also due to the advent of new instant messaging systems). However, please note that following the last campaign carried out in February 2022, the Company had already suspended these soft spam activities.".
Tiscali also represented that the real-time alignment between the black list and the CRM was being worked on, again by the IT company responsible for the processing.
3. INTEGRATION OF THE INVESTIGATION.
In consideration of the completion of the incorporation operation into the Tiscali group of Linkem (now: Opnet S.p.A.), as well as the corrective activities implemented by the Company, it was deemed necessary to address a request to the latter for elements and documents, on 14 October 2022 - renewed on 9 December having received no response - in order to verify the roles of Tiscali Italia spa and Linkem spa in the processing of customer/prospect data; quantity and quality (types) of data acquired following the merger; data retention policy; information released to interested parties, as well as any corrective measures undertaken in relation to possible critical issues that emerged during the inspection or independently detected by the Company.
Tiscali - with a delay allegedly due to technical problems in the management of the certified mail service - provided feedback, with a note dated January 13th. (to which reference should be made for the details of the various profiles examined), representing first of all that: "The extraordinary operation completed on 1 August 2022 consisted of a series of corporate operations which ... led to the incorporation by Tiscali of the branch retail business of Linkem S.p.A. and the consequent takeover of Tiscali, in accordance with the provisions dictated by the articles. 2501 et seq. c.c., in a variety of active and passive relationships of Linkem S.p.A.”. In particular, on 22 July 2022 the deed of merger by incorporation between Tiscali S.p.A. was formalized. (today, Tessellis S.p.A.), holding company of the Tiscali Group (incorporating company) and Linkem Retail S.r.l. (incorporated company) with effect from 1 August 2022; at the same time, the Company proceeded with an internal reorganization of its group, in order to centralize all retail activities within itself, taking over "As of 1 August 2022 ... ownership of all activities included in the retail branch, including including those for the processing of personal data of only active customers on 31 July 2022, previously carried out by Linkem ... On the contrary, the processing of data of Linkem customers which ceased before 31 July 2022 ... remained with Opnet S.p.A. (then Linkem S.p.A.).”
The Company added that it had "sent a communication to customers by email dated 28 July 2022 also containing the information on the processing of personal data (Attachments 1 and 2, to the aforementioned acknowledgment note); communication made available on the website dedicated to the Linkem service and still available on the page https://www.linkem.com/associazione-linkem-tiscali.”
As regards data retention, following the Extraordinary Operation, the Company represented that it had started the necessary internal analysis aimed at "a complete mix of the databases previously owned by Linkem S.p.A. within their systems. Since this objective has not yet been achieved, ... holds the personal data of acquired customers .... on different and additional systems - also acquired in the (said corporate matter) - compared to those used to carry out the personal data processing activities already subject to the (inspection) activities".
Furthermore, with particular regard to the storage terms, the Company has recalled those expressly provided for in the aforementioned privacy policy.
Regarding these terms, specifically, it emerges from the analysis of the said policy that, similarly to Tiscali customers, the retention of personal data collected and processed for marketing purposes relating to active customers is envisaged "until the (possible) revocation of consent ”.
Although expressly indicated in the aforementioned information among the purposes of the processing, there was no trace of the storage of the personal data in question for profiling purposes.
Lastly, on 28 January 2023 this Authority asked the Company to specify the following quantitative data: - number of customers (active and terminated) and - leads, distinguishing between the two brands "Tiscali" and "Linkem". The Company, providing feedback on February 7th, stated that, with reference to the Tiscali brand, there are 17,808,080 active customers; those terminated 1,384,029 8,076; leads 19,576; with reference to the Linkem brand: active 530,614; 47,474 terminated; leads 19,576.
4. THE DISPUTE MADE BY THE AUTHORITY.
4.1. Information and consent for data processing
The aforementioned gaps in the information highlighted the alleged violation of the principles of 'correctness' and 'transparency' (art. 5, par.1, letter a, and 12, par.1), as well as art. 13 of the Regulation.
Recalling what was said in par. 2 of this provision, the retention times for the albeit invasive marketing purposes (even targeted) and the underlying profiling were not indicated, not allowing interested parties to evaluate whether and which data to release or possibly unsubscribe from the company website. The conditions for the violation of the principles of transparency (art. 5, par.1, letter a) and 12, par.1 of the Regulation) and of adequate information (art. 13, par.2) were therefore recognizable. letter a) of the same Regulation.
Furthermore, this was also in conflict with the Guidelines of the European Data Protection Committee pursuant to the Regulation (wp260rev.01), in www.edpb.europa.eu, which, in coherence with the aforementioned legislation, expressly enhance the information fulfillment in terms of simplicity, clarity, immediate intelligibility, also taking into account the most vulnerable categories (such as the elderly and people with disabilities), and in particular characterized by a lower capacity for discernment.
With limited reference to customers who purchase Tiscali products and/or services, the possible violation has emerged - moreover in relation to invasive processing such as profiling - of the art. 6 of the Regulation, as the use of a correct legal basis is not recognized: in fact, it does not appear that said processing is based on the consent of the interested party (par.1, letter a), nor on legitimate interest (par.1, letter f ), the application of which, as is known, should have been based - a circumstance which is not in the documents - on a prior specific balancing test between the interest of the owner and that of the interested parties or even of third parties (see Group Guidelines ex art. 29 on this specific assumption; see also provision dated 15 January 2020 n.7, web doc. n.9256486).
4.2. Call back service via pop-up.
The inconsistency that emerged between the consent acquired through the call-back pop-up and that explained in the information - not allowing the interested party to understand which promotional initiatives he is giving consent to - appeared to be in conflict with the principle of correctness and transparency (articles 5, par.1, letter a, and 12, par.1, of the Regulation).
4.3. The use of the so-called “soft spam”,
The sending of promotional text messages - instead of e-mails - to individuals who were already customers, who had not given consent to the marketing, constituted a possible violation pursuant to 130, 4th co., of the Privacy Code, which, in allowing the use of e-mail for promotional purposes towards subjects who have already purchased a product or service regulates an exception - not susceptible to extensive application - compared to the general rule of prior, specific, provable and unequivocal consent. Furthermore, it is necessary to consider the high number of interested parties involved (70,000 customers, between October and November 2021; 95,000 customers, between December 2021 and February 2022).
4.4. Management of refusals and objections to treatment
With regard to the lack of a suitable procedure for returning (possibly since the establishment of the Company) the dates, channels or other circumstances relating to the variations in privacy consent expressed by the individual interested parties over time, the conditions for the violation of the principle of accountability (art. 5, par. 2 and 24, of the Regulation), given that the Company has not been able to demonstrate adequate management of the fundamental right of the interested party to self-determination (also pursuant to the aforementioned art. 6, par. 1 letter a of the Regulation) with respect to your sphere of personal data.
4.5. Data storage for marketing and profiling purposes
Regarding the retention terms, as highlighted in par. 1.6. of this act (specifically, therefore, referring to the data of active customers, terminated customers and leads), as well as the term ("until the (possible) revocation of consent" - provided for in the aforementioned paragraph 3 "Integration of preliminary investigation "in relation to "personal data collected and processed for marketing purposes relating to active customers" - the probable conflict with the principles of 'purpose, minimization and limitation of conservation' emerged, pursuant to art. 5, par. .1, letter b), c), and e) of the Regulation. The aforementioned terms, even assuming that they have been identified by the Company in the exercise of its accountability, nevertheless appear excessively extended. In fact, based on the provision. general 24 February 2005 [doc. web 1103045] the general rule applies regarding retention times, it is a maximum of 2 years for data relating to marketing and 1 year for data relating to profiling.
Furthermore, it was remembered that there are some exceptional cases in which the term (in particular, that relating to profiling activity) has been increased (in any case up to 7 years and not up to 10 or to the possible revocation of consent), but this is the term used as reference by brand companies belonging to the luxury sector, authorized by the Guarantor, however in a very different socio-economic and technological context, following a specific prior checking request and a specific investigation. It should be added that, as far as is in the documents, it was not considered that the type of products offered for sale by the Company was similar to that marketed by such companies (such as: Bulgari, Ferragamo; see provisions ti, 24 April 2013, doc. web 2499354 and 30 May 2013, web doc. n.2547834).
5. NOTIFICATION OF ALLEGED VIOLATIONS PURSUANT TO ART. 166, PARAGRAPH 5, OF THE CODE.
Based on the above, it was necessary to notify the Company of the alleged violation of the following provisions of the Regulation:
articles 5, par. 1, letter. a), b) c) and e) as well as par. 2; 6, par.1, letter. to);
12, par. 1, and 13, par. 2, letter. to);
24;
as well as the art. 130, co. 4, of the Code.
The start of the procedure for the possible adoption of the measures referred to in article 58, par. 2, of the Regulation and for the possible application of the pecuniary sanctions referred to in the art. 83, par. 4 and 5 of the Regulation.
6. DEFENSIVE MEMORY.
Through its defense statement dated 22 March 2023, the full text of which is referenced, the Company represented that:
6.1. Information and consent for data processing.
Regarding the "failure to indicate the terms of data retention for marketing and profiling purposes in the information addressed to customers", the Company represented "how, following the Extraordinary Merger Operation between Tiscali and the business unit retail of Linkem S.p.A., the Company has updated the information on the processing of personal data pursuant to art. 13 of the Regulation addressed to customers of Linkem branded Tiscali services, inserting within the same the precise indication of the terms of conservation of personal data with respect to each processing purpose pursued, including marketing ones ("until the revocation of consent by You expressed pursuant to art. 7 of the GDPR and/or until your opposition to the processing pursuant to art. 21 of the GDPR" ) and general profiling based on legitimate interest ("12 months" from collection). The same changes will also be made to the contractual privacy information aimed at customers of Tiscali brand services". The Company also highlighted that "the absence of any complaint included in this proceeding is further proof that, despite the presence of an outdated data retention policy, Tiscali has always operated in compliance with the relevant information without causing any type of prejudice towards the interested party".
Coming to the profiling activity, the Company represented: "how the processing indicated in the information with the term "aggregate profiling" consists of a data processing activity aimed at strategic orientation analyzes carried out by the Company, which can be qualified , using recently coined terminology, such as “aggregate analysis” or “classification”. The aforementioned processing, in reality, consists in analyzing, in a general and aggregate manner, the personal and purchasing information of the entire database of its customers to create strategic business models and improve its products and services, without carrying out evaluations, forecasts or draw conclusions regarding specific natural persons.
“Unlike profiling understood in the terms of art. 4 of the Regulation", the Company also specified that "no attribute and/or profiled marker is associated with the details of the customers present in the database. The personal data of the Company's customers are, therefore, used to carry out aggregate business intelligence processing which leads to high-level information not referring to individual customers, allowing the Company to know the number of how many (and not who) have benefited from specific services in a specific geographic area in a given period of time. Typical cases of aggregate business intelligence processing carried out are, for example, the general analyzes of the offers of its services through which it is verified, through aggregate evaluations, how many customers of the entire database have signed up to a specific promotion in a given period and/or or geographical area; or even the general analysis of the entire customer base aimed at knowing at a statistical level the targets that distinguish the customer base (for example, statistical evaluation of the percentage of women and men, percentage distribution by age group, geographical area, etc. ). The general analysis activity carried out by Tiscali - unlike the profiling activity - as defined pursuant to art. 4 of the GDPR - does not therefore imply any personalized impact on customers, as it is not directly and functionally aimed at the implementation of targeted and personalized commercial or advertising actions. The aforementioned analysis activity, projecting itself into the dimension of the Company's strategic choices, is directly functional to the satisfaction of a typically entrepreneurial interest of the same; the resulting data processing can therefore be based on the legitimate interest pursuant to art. 6, par. 1, letter. f) of the Regulation...".
6.2. Call-back service via pop-up.
In this regard, Tiscali represented that: "During the inspection activity (see minutes of 4 May 2022), it emerged that - in the context of the inbound marketing activity carried out following a collection of leads by third parties suppliers of offer comparison services in the telecommunications market - exclusively for one of these suppliers ("friendly bill"), the commercial consent formula to be given to be contacted again (call back) was misaligned with what is provided for in the relevant information call back privacy. The Company reiterated that "this is a mere material error in alignment and/or updating of the text, given that for the other comparators analyzed during the Inspection Activity, said inconsistency is absent... as indicated in the note dated 20 May 2022; (has) corrected/aligned ... this call back information regarding "friendly bill" so that the references to consent therein coincided with the aforementioned consent formula, which provides for specific commercial recontact for the advertised Tiscali service only. As further confirmation of the mere material error and as proof that this had no concrete impact on the interested parties, the Company added that: "- on the one hand, the data collected for the call back phase did not flow into the company CRM but rather in a specific call back system (see appendix 8 of the minutes of 4.5.22 with the screenshots of the call back system). Therefore, the risk of a commercial contact outside of the consent to recontact for the single Tiscali service was excluded... Only the administrators of the call back system had visibility of the numbers archived "up to a maximum of 30 days before". The data was verified and confirmed during the inspection, which took place from 3 to 5 May 2022, where it emerged that the oldest data referred to 24 April 2022 so that it was evidently kept for a period of no more than 30 days". Tiscali then stated that: "from the evidence of the systems collected in the Inspection Activity it was ascertained that said error had no impact on the systems and, therefore, even less so on the interested parties"; at the same time highlighting that "pursuant to art. 3 (general principles) of Regulation 1/2019 ... the Authority must take into account "the nature and seriousness of the offenses to be ascertained in relation to the related effects and the extent of the damage that they may cause for one or more interested parties, the probability to prove its existence, as well as the available resources."
6.3. The use of soft spam.
The Company represented "how this method of sending campaigns concerned exclusively two promotional campaigns and was subsequently definitively interrupted at the end of the second campaign in February 2022 ... the activity concerned only two campaigns for a small customer base compared to to the entire customer base communicated to this Authority".
6.4. Management of refusals and objections to treatment.
The Company preliminarily observed, reiterating what was declared during the inspection, that it had not carried out telemarketing and teleselling activities before 2018. "Consequently, the oppositions from prospects collected in the blacklist are made up only of cases of "generic" oppositions, valid that is, communications sent by interested parties without distinction to the main electronic communications operators (including Tiscali) to oppose any campaigns, and not following specific teleselling/telemarketing campaigns launched by Tiscali at least from 2018 onwards directly and/or indirectly ...has not even activated an Agency channel for the direct proposition of commercial contracts. For this reason, the content of the blacklist contains a relatively small number of oppositions.” The Company also documented that "the blacklist was shared including approximately 350 oppositions registered simultaneously at 00:00 on 25 September 2019, which are the result of a massive upload of all the oppositions previously collected and coming from another database, to date, at least, from 25 May 2018, the date of application of the GDPR. ... has recovered all the blacklists previously collected before 2019 up to 2018.. As can be easily verified through a comparison, all the names present in these blacklists coincide with the approximately 350 oppositions..."
6.5. The storage of data for marketing and profiling purposes.
With reference to the data retention policy relating to customers, the Company stated "first of all that the version shared with the Authority was not updated and is currently being revised also following the aforementioned Extraordinary Operation. As demonstrated during the inspection activity through evidence also collected on the systems...: - Tiscali does not carry out profiling activities; - as regards marketing towards prospects, it is important to remember how these subjects represent the so-called "lead" and, therefore, as per the relevant information viewed in Inspection Activities, said data was kept exclusively for 30 days.".
The Company then stated that the "criticism made regarding the retention times of data for marketing and profiling purposes, according to the orientation of the provision of 24 February 2005, according to which "the retention times of data relating to the details of purchases with reference to customers should be identified in 24 months (starting from registration) for marketing purposes and in 12 months (starting from registration) for profiling purposes - it does not appear to be applicable. According to the Company, it would in fact be up to the Data Controller, by virtue of the principle of responsibility, "the burden of carrying out every most appropriate assessment, adopting adequate technical-organizational measures in order to guarantee compliance of the processing with the Regulation", recalling "certain provisions of the Authorities who have recognized the possibility of extending the retention period for the processing of data relating to purchase details even up to a period of 10 years and this not only in favor of companies/brands belonging to the fashion/luxury sector (see ., for example, provision no. 274 of 9 May 2018 [web doc. no. 8998319], provision no. 297 of 12 June 2014 [web doc. no. 3315156], provision no. 329 of 22 May 2018 [web doc. n.9022048]). “
6.6. Overview of the improvement measures adopted.
The Company represented that it had spontaneously implemented a set of improvement actions, as proof of its accountability, both already started and/or concluded, also as a measure of further collaboration with this Authority. Among these:
- the correction of the call-back privacy information with reference to the "friendly bill" comparator;
- further clarification of the marketing consent formula;
- the separation, via a different and specific flag, of having read the information from the contractual conditions;
- the "refinement of the customer privacy information, through the use of even simpler and more effective terms in representing the marketing purpose and eliminating references to soft-spam via SMS";
- the implementation of a technical automation that aligns the opposition blacklist with the CRM in real-time; - the standardization of call-back information, following the said merger.
6.7. Conclusions formulated by the Company.
In light of all of the above, Tiscali, in the memorandum in question, requested the dismissal of the proceeding and, alternatively, to apply a sanction in its minimum statutory value, taking into account: (1) the measures adopted by the data controller to mitigate any damage suffered by the interested parties; (2) the degree of responsibility of the data controller taking into account the technical and organizational measures implemented by it; (3) the degree of cooperation with the Supervisory Authority in order to remedy the violation and mitigate its possible negative effects.
The Company has also documented, in detail, its condition of serious economic and financial crisis such as to have "closed 9 of the last 10 financial years with a highly negative net result to which must be added the widespread difficulty of all the small and medium telecommunications."
7. THE COMPANY HEARING.
During the hearing, held on 27 April, the Company, in recalling what was already represented in the defense brief, added that in the context of the said merger procedure with Linkem, data protection has been taken on as an increasingly central value in the scope of the corporate reorganization, establishing new functions (IT and compliance) in the same Department that deals with privacy, appointing a DPO authorized to liaise directly with the CEO of the Company, further reviewing and standardizing information, corresponding consents, procedures and documentation between Tiscali and Linkem.
8. NOTE TO THE COMPANY'S FINANCIAL STATEMENTS DATED MAY 30 U.S.
With a note dated 30 May 2023, Tiscali finally represented that, "despite the critical economic and financial condition of its balance sheets, finally confirmed also on the occasion of the approval of the financial data for the 2022 financial year, and of the telecommunications market in the current historical context in which all the main operators have announced redundancies involving thousands of jobs, has responsibly opted to safeguard its employees by not reducing surplus staff; and which, following the merger, internalized the staff contracted for services at some call centers, as well as relocated without any redundancy the staff from the IT business branch leased (to another company), and returned at the end of 2022".
The Company also reiterated that the processing indicated in the information with the term 'aggregate profiling' "consists of a data processing activity aimed at strategic orientation analyzes carried out by the Company, which can be qualified using recently coined terminology. , such as 'aggregate analysis' or 'classification' and which consists in analysing, in a general and aggregate manner, the personal and purchasing information of the entire database of its customers to create strategic business models and improve its products and services, without making assessments, forecasts or drawing conclusions regarding specific natural persons”; that the said classification responds to the definition most recently found in the Code of Conduct for telemarketing and teleselling activities approved by this Authority on March 9th.
Finally, the Company, due to the represented need to "safeguard its workers and business continuity, in the unlikely event that a sanction was imposed on the same", asked to be able to "defer the due payment even in the event of a immediate of the sanction itself. "
9. LOGICAL-LEGAL OBSERVATIONS OF THE AUTHORITY.
9.1. Information and legal bases for processing.
With specific regard to information compliance, believing that the defenses formulated are not sufficient to exempt the Company from administrative liability, it is deemed necessary to confirm the violation of the principles of 'correctness' and 'transparency' (art. 5, par.1 , letter a, and 12, par.1), as well as art. 13 of the Regulation, in light of the arguments set out above with the dispute. Furthermore, it does not note, unlike what is claimed by the Company, that "despite the presence of an outdated data retention policy, Tiscali (has) always operated in compliance with the relevant information without causing any type of prejudice towards the interested party" , since, based on the combined provisions of the articles. 12 and 13 of the Regulation, the inappropriate fulfillment of the fundamental obligation of complete disclosure and transparency is sanctionable, based on the art. 83, par. 5 of the Regulation, regardless of any related detrimental consequences.
Regarding the possible legal basis of the profiling activity (individual or aggregate), understood, pursuant to art. 4, par.1, letter. d) of the Regulation, as "any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning professional performance, economic situation, the health, personal preferences, interests, reliability, behaviour, location or movements of the said natural person", it should be highlighted that the Company, in particular with the aforementioned notes of 22 March and 30 May 2019, has clarified that, in reality, its activity consists of a general and aggregate analysis by macro-criteria (such as age or sex) without any evaluation or impact for the interested parties, and that therefore - despite the terminology used in the information - cannot be assimilated to profiling.
In light of the above, this Authority - considering the function of mere segmentation and generic classification of the customer base - can exclude the recurrence, in this case, of a profiling activity and, therefore, believes it can dismiss the violation contested at the time .
9.2. Call back service via pop-up.
Considering the complex arguments put forward by the Company (and, in particular, the merely formal nature of the violation in question and the absence of actual harm to the interested parties), it is believed that the related dispute can be dismissed (articles 5, par.1, letter a, and 12, par.1).
9.3. The use of soft spam.
The Authority, recalling what has already been highlighted in this regard during the dispute, believes that the arguments put forward by the Party cannot be considered sufficient to overcome the complaint made, since - it is worth repeating - that of the art. 130, paragraph 4, is an exceptional rule, therefore insusceptible of analogical application.
Considering this, the violation of the aforementioned provision is to be considered confirmed.
9.4. Management of refusals and objections to treatment.
Finally, the Company has demonstrated that it is aware of the objections received since the Regulation was fully operational, producing the relevant black lists, but has added nothing, compared to what emerged during the inspection, regarding the failure to implement a "CRM function or other corporate system to return the dates, channels or other circumstances relating to the variations expressed in privacy consents over time by the individual interested parties" and to their current setting of the black list, capable only of keeping "track of the most desired option recent and current".
It should be highlighted that the owner must be able to substantiate the various manifestations of consent and refusal, in such a way as to be able to adequately identify the requests of the interested parties pursuant to the articles. 15-22 of the Regulation as well as the investigative requests of the Authority as part of its supervisory activity.
It is therefore deemed necessary to confirm the violation of the articles. 5, par.2, and 24, of the Regulation and also to order the Company to implement a procedure suitable for returning, within the aforementioned terms, the changes in privacy consents formulated over time by the individual interested parties.
9.5. Storage times.
As claimed by the Company, the provision of the Guarantor of 24 February 2005 "Fidelity cards" and guarantees for consumers", although no longer of a binding nature, is still to be considered applicable with a guideline value and therefore so is the timescale provided therein (24 months for marketing data; 12 months for profiling data). Furthermore, while valorising the principle of accountability, also with reference to the delicate matter of data retention, one certainly cannot come to the conclusion that an owner, on the basis of this principle which needs to be reconciled with the other fundamental principles envisaged by the Regulation, can deviate excessively from the aforementioned provisions, without incurring a violation of the principle of limitation of conservation (see art. 5, par.1, letter d) of the Regulation). For example, it is considered inappropriate to retain marketing data until the date of revocation of consent to processing, pursuant to art. 7 of the Regulation, also considering that the interested party may never change his/her will or keep it unchanged for years.
Furthermore, no relevance can be given to the precedents cited by the Company (see provisions, 24 April 2013, web doc. 2499354 and 30 May 2013, web doc. n.254783) adopted by the Guarantor in different conditions and referring to storage times of data relating to the purchase of luxury goods, i.e. in relation to cases that cannot be adapted to the specific case.
10. CONCLUSIONS.
For the above overall, Tiscali's responsibility for the following violations of the Regulation is deemed to be established:
articles 5, par. 1, letter. a), b) c) and e) as well as par. 2; 12, par. 1; 13, par. 2, letter. to); 24;
as well as the art. 130, co. 4, of the Code.
Having ascertained the illicit nature of the Company's conduct described above, it is necessary to order it to:
- establish and apply differentiated retention times, in relation to the categories of interested parties (active customers; terminated customers; leads), in compliance with the principle of conservation limitation (art. 5, par.1, letter e) of the Regulation), distinguishing between marketing and classification treatments, and deleting, or anonymizing, the data that is retained beyond the established terms (see, similarly, the recent provisions of 20 October 2022; 27 April 2023; 8 June 2023).
- implement a procedure suitable for returning the dates, channels or other circumstances relating to changes in privacy consents possibly expressed over time by the individual interested parties.
With regard to the treatments already carried out and with dissuasive purposes, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to articles. 58, par. 2, letter. i) and 83, pars. 4 and 5 of the Regulation.
11. Injunction order for the application of the administrative fine
The violations confirmed above require the adoption of an injunction order, pursuant to articles. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against La Tiscali spa of the pecuniary administrative sanction provided for by the art. 83, par. 4 and 5 of the Regulation. However, since various provisions of the Regulation and the Code have been violated in relation to related processing carried out by the Company for marketing purposes, art. 83, par. 3, of the Regulation, according to which, "if, in relation to the same treatment or related treatments, a data controller violates, with intent or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed amount specified for the most serious violation”, thus absorbing the less serious violations.
Specifically, the aforementioned violations - also having as their object the principle of 'limitation' of conservation (art. 5 of the Regulation) - are to be traced back, pursuant to art. 83, par. 3, of the same Regulation, in the context of the most serious violation, with consequent application of the sanction provided for in the art. 83, par. 5, of the Regulation.
For the purposes of quantifying the administrative sanction, the aforementioned art. 83, in establishing in par. 5, the statutory maximum in the sum of 20 million euros, specifies the methods for quantifying the aforementioned sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1, of the Regulation), identifying to this end, a series of elements, listed in par. 2, to be assessed when quantifying the relevant amount.
Since there are no aggravating elements among those indicated in said provision in this case, on the other hand, the following circumstances emerge as mitigating circumstances to be taken into consideration:
1) the timely adoption of corrective measures, some of which started immediately after the conclusion of the inspections, such as to distinguish Tiscali within the telephone sector (letter f);
2) the constant and fruitful collaboration with this Authority (letter f);
3) the purely national dimension of its activity and the relatively marginal role within the telephony market (letter k);
4) the serious socio-economic crisis underway and its serious repercussions also on the economic-financial situation of the Company ("... 9 of the last 10 financial years with a highly negative net result"), which, however, at the same time, has decided to keep its workforce unchanged and has taken steps to internalize staff from other companies, who would otherwise be destined for dismissal (letter k).
Based on all the elements indicated above, in application of the aforementioned principles of effectiveness, proportionality and dissuasiveness referred to in art. 83, par. 1 of the Regulation, also taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, also in order to limit the economic impact of the sanction on the organisational, functional and employment needs of the Company, it is believed that it should apply to Tiscali - taking into consideration similar cases, such as the provision. October 20, 2022, doc. web no. 9825667 - the administrative sanction of the payment of a sum of €100,000.00, equal to 0.5% of the maximum statutory sanction.
In the case in question, it is believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art., should also be applied. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the sensitivity of the matter under investigation (data retention for marketing and profiling purposes; obligation of impact assessment for invasive and large-scale treatments) as well as the need for non-discrimination compared to similar cases (see provision 20 October, cit.).
Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, letter. u) of the Regulation.
ALL THE WHEREAS, THE GUARANTOR
a) pursuant to art. 57, par. 1, letter. f), of the Regulation, declares unlawful, within the terms set out in the justification, the processing carried out by Tiscali Italia S.p.A., with registered office in Cagliari, Località Sa Illetta, SS 195 Km 2,300, Tax Code VAT number: 02508100928; and for the effect;
b) pursuant to art. 58, par. 2, letter. d), of the Regulation, enjoins the establishment and application of differentiated retention times, in relation to the categories of interested parties (active customers; terminated customers; leads), in compliance with the principle of limitation of retention (art. 5, par.1, letter e) of the Regulation), distinguishing between marketing and classification treatments and deleting, or anonymizing, the data that is retained beyond the established terms;
c) pursuant to art. 58, par. 2, letter. d), of the Regulation, enjoins the implementation of a procedure suitable for returning the dates, channels or other circumstances relating to changes in privacy consents possibly expressed over time by the individual interested parties;
d) pursuant to art. 157 of the Code, orders the Company to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, paragraph 5, of the Regulation;
ORDER
pursuant to art. 58, par. 2, letter. i), of the Regulation, to Tiscali Italia S.p.A., in the person of its legal representative, to pay the sum of 100,000 (one hundred thousand/00) euros, as a pecuniary administrative sanction for the violations indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;
ORDERS
to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 100,000.00 (one hundred thousand/00) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to the 'art. 27 of law no. 689/1981;
HAS
as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, the publication of this provision on the Guarantor's website and, pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by the art. 57, par. 1, letter. u) of the Regulation, violations and measures adopted.
Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles. 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the owner of the personal data processing has his residence, or, alternatively, with the court of the place of residence of the interested party. , within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.
Rome, 18 July 2023
PRESIDENT
Stantion
THE SPEAKER
Ghiglia
THE GENERAL SECRETARY
Mattei
