Garante per la protezione dei dati personali (Italy) - 9949453

From GDPRhub
Garante per la protezione dei dati personali - 9949453
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(a) GDPR
Article 7 GDPR
Article 12(1) GDPR
Article 13 GDPR
Article 15 GDPR
Article 21 GDPR
Article 24(1) GDPR
Article 24(2) GDPR
Article 25 GDPR
Article 130 Codice Privacy
Type: Complaint
Outcome: Upheld
Started: 31.05.2023
Decided: 12.10.2023
Published: 08.11.2023
Fine: 70,000 EUR
Parties: Scionti Selezioni Superiori S.r.l.
National Case Number/Name: 9949453
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: GARANTE PER LA PROTEZIONE DEI DATI PERSONALI (in IT)
Initial Contributor: Luca Brocca

The Italian DPA fined a controller €70,000 for unsolicited telemarketing calls, including to individuals registered to the Italian Public Opt-out Registry. The DPA found a systematic lack of GDPR compliance including Articles 5, 6, 12, and 13 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

Scionti Selezioni Superiori S.r.l. (the data controller) faced scrutiny following numerous complaints received by the Italian DPA in 2022. The complaints highlighted unauthorised phone calls promoting the "Caffè Scionti" brand, particularly targeting individuals registered in the Italian Public Opt-out Registry (RPO). The RPO is an Italian registry extended to all national phone numbers, which allows citizens to opt-out of unwanted telemarketing calls.

Following the DPA's request of 22 November 2022 for information, the controller explained that the unauthorised phone calls happened due to random typing errors. In this regard, it explained that its development and turnover are based on word-of-mouth marketing of customers, as well as by carrying out telephone promotional activities 'in manual mode', which it admitted to have an average of 8 to 12 errors of typing monthly.

In early 2023, the DPA received more complaints related to unsolicited phone calls by the controller. Thus, on 24 February 2023, the DPA requested the controller to provide more information for a complete evaluation of its processing activities.

The controller confirmed that the database at its disposal for marketing purposes contained data obtained from third parties who, in turn, had been advertising the Scionti brand. But it also complained that its brand had been used by third parties without any authorisation and that it was unable to register to the RPO as an operator and therefore keep track of the existing objections to telemarketing.

Holding[edit | edit source]

On the basis of the information provided, the DPA found a systematic lack of compliance with GDPR provisions by the controller.

The DPA began by explaining that pursuant to Article 4 GDPR a phone number randomly dialled and called for telemarketing purposes can be considered personal data. Hence, the GDPR and the Italian Privacy Code apply. In light of this, the controller's acquisition of the personal data by word-of-mouth could not be considered valid since the person who provided the data was not entitled to give any valid consent on behalf of the data subject to whom the promotional communication was addressed. Thus, DPA assessed that the controller violated Article 5(1)(a) GDPR, Article 6 GDPR, Article 7 GDPR, Article 13 GDPR and Article 130 of the Italian Privacy Code also for not providing any information concerning the data processing to the data subjects.

In relation to this, the DPA stated that the controller violated Article 5(1) GDPR, Article 5(2) GDPR, Article 6(1)(a) GDPR and Article 7 GDPR for having utilised personal data acquired from third parties without having verified the existence of the requirements for lawful processing, so the acquisition of the free, specific, documented and informed consent of the persons concerned.

The DPA also found a breach of Article 5(1)(a) GDPR, Article 6(1)(a) GDPR, as well as Article 7 GDPR and Article 12(1) GDPR for not having published on its website a transparent information notice regarding the data processing operations conducted, as telemarketing activities were not clearly indicated.

It further established a violation of Article 12 GDPR, Article 15 GDPR and Article 21 GDPR as the controller failed to comply with the access requests made by certain data subjects. In some cases, the controller did not provide a full reply to the requests since it limited its answer to explain that the numbers were dialled randomly and that it would remedy the mistake by creating a 'no-go list' of numbers, although such list was never provided to the DPA. In addition, the controller failed to consider the objection requests made by some data subjects.

Moreover, the DPA also stated that the controller breached Article 130(3) of the Italian Privacy Code for having conducted telemarketing activities without having consulted the RPO.

Lastly, the DPA found a violation of Article 5(2) GDPR, Article 24(1) GDPR, Article 24(2) GDPR and Article 25 GDPR for failing to take adequate measures against any third parties that would unlawfully use the Scionti name, although the DPA also alleged that the promotional activity of third parties, allegedly external to the controller, could have been advantageous for the latter.

Consequently, the controller was ordered to stop processing personal data for marketing activities without proper consent, was instructed to promptly delete unlawfully obtained personal data, and was mandated to adopt stringent procedures and measures to ensure GDPR compliance in future promotional activities. Additionally, an administrative fine of €70,000 was imposed on the controller, taking into account the seriousness of the violations, inadequate cooperation, and the need for an effective deterrent.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Newsletter of 8 November 2023

 

[doc. web no. 9949453]

Provision of 12 October 2023

Register of measures
n. 479 of 12 October 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter "Code");

HAVING SEEN the documentation in the documents;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000;

SPEAKER the lawyer. Guido Scorza;

PREMISE

With deed of 31 May 2023, n. 86294/23 (notified on the same date by certified email), which must be understood as fully referenced and reproduced here, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation towards Scionti Selezioni Superiori S.r.l., (hereinafter “Caffè Scionti” or “Company”), in the person of the legal representative pro tempore, with registered office in Rome, via Gregorio VII n. 396, C.F. 15932241001.

1. THE INVESTIGATORY ACTIVITY

Following some complaints (reports and complaints) received by the Authority in 2022 - which complained about the receipt of several unwanted phone calls made for the promotion of the "Caffè Scionti" brand and addressed to users mostly registered in the Public Register of the Oppositions (so-called “RPO”) - on 22 November 2022, a first request for information was formulated, pursuant to art. 157 of the Code (ref. protocol no. 68715/22), against Caffè Scionti to whom the aforementioned telephone contacts can be traced. On the same date, the Company provided feedback, claiming to have contacted the interested parties, whose personal data it did not hold, on the basis of a mere "random typing error" in the numbers receiving the promotional communications. In this regard, it specified that it bases "its development and turnover on customer word of mouth [...] and on digital information collected through sponsored links", carrying out telephone promotional activities "manually" and producing a monthly average of "8 to 12 errors of typing".

Considering that in the first months of 2023, and also after the start of the investigation, there was a significant increase in reports to the Authority of similar content to those described above, a new request for information was formulated on 24 February 2023 ex art. 157 of the Code (ref. protocol no. 34224/23). In this note it was stated that the telephone activity complained of would have been carried out, sometimes in an insistent and concentrated manner, using calling numbers (nos. 0678563355, 0681925529) registered to the Company, as verified in the Register of Communication Operators - so-called. ROC -, i.e. making use of users not regularly registered in the aforementioned ROC and presumably produced through "telephone spoofing".

On this occasion, the Office asked the Company to provide all useful elements for a complete evaluation of the processing carried out, with particular regard to: the origin of the contact details of the interested parties, specifically "word of mouth" and the website; the methods of carrying out promotional communications; to the consents and information given to the recipients of the telephone calls; to the registration of the opposition expressed by users during telephone contacts and through formal requests to exercise rights, producing a copy of the so-called “wrong list” (which is mentioned in some feedback that Caffè Scionti provided to interested parties before the Authority's investigation began).

With the response dated March 29, 2023, the Company confirmed that it does not hold the personal data of the interested parties and, in some cases, that it has not contacted them while acknowledging that it is the owner of the calling telephone numbers used for this purpose.
In one case (file no. 185551), he assured that he had "promptly" deleted from the database the details of the interested party who was found to be a customer of the Company "from 03/08/2022".

Furthermore, in reiterating that it carries out telephone promotional activities "manually" and that it obtains data through "customer word of mouth", it represented, as far as can be understood, that the database it has at its disposal for marketing purposes is implemented by "lead generation" (data acquired from third parties who, via the Internet, advertise the Scionti brand), attaching, in this regard, "an example of lead tracks received" (Attachment E_response).

Finally, it complained that the "Caffè Scionti" brand had been unduly spent by third parties and that it had not been able to register in the Public Register of Oppositions as an operator.

2. DISPUTE OF VIOLATIONS

On May 31, 2023, with act no. 86294/23 mentioned above, the Company was notified of the start of the procedure, pursuant to art. 166, paragraph 5, of the Code, for the adoption of any measures referred to in art. 58, par. 2, of the Regulation. With this communication - which also concerned data processing via the website - the alleged violations of the following provisions were attributed to Caffè Scionti:

2.1. articles 5 par. 1 letter a), 6, 7, 13 of the Regulation and art. 130 of the Code, for having made promotional telephone calls in the absence of information and consent;

2.2. articles 12, 15 and 21 of the Regulation, for not having satisfied the requests to exercise the rights formulated by some interested parties and for not having proven the registration of the relevant opposition;

2.3. art. 1, paragraph 11, of law no. 5/2018, in relation to the following paragraph 12 and the art. 130 paragraph 3 of the Code, for having carried out telemarketing activities without having consulted the Register of Oppositions on a monthly basis or in any case before each campaign;

2.4. articles 5 par. 1 and 2, 6 par. 1 letter a), 7 of the Regulation, for having entered into the company systems lists of personal data from third parties for marketing purposes without having verified the acquisition of free, specific, documented and informed consent from the interested parties;

2.5. articles 12 par. 1, 5 par. 1 letter a) of the Regulation, for not having provided transparent information on the website on the actual treatments carried out, as the marketing activity was not clearly indicated, even though it was actually carried out;

2.6. articles 5 par. 1 letter a), 6 par. 1 letter a), 7 of the Regulation, for not having acquired specific marketing consent regarding the processing of personal data collected via the website;

2.7. articles 5 par. 2, 24 par. 1 and 2, 25 of the Regulation, for not having adopted adequate organizational measures aimed at keeping track of the processing activities together with the inability to comply with the obligation to prove compliance with the rules.

Furthermore, with the same communication dated 31 May 2023, the Company was invited to clarify the conditions of lawfulness of the processing of the former customer's data which it mentioned in the response dated 29 March 2023 (origin, consent and information) as well as to communicate how many details have been registered in the company systems following the completion of the online form on the website.

3. DEFENSIVE ARGUMENTS

The Company did not present defensive writings but asked to be heard by the Authority. During the hearing, which took place on 8 June 2023, Caffè Scionti clarified that it does not have a dedicated call center but uses, for telemarketing activities, an office within the company "in charge of telephone sales and assistance" to users. Among the channels used for customer acquisition (word of mouth; online form; inbound) the Company has also indicated the so-called "co-sponsors", or "advertisers" and "list providers", who, in advertising the Scionti brand through advertisements on their websites, collect, via online forms, users' personal data and transmit them, upon payment economical, to Caffè Scionti for carrying out the promotional campaign of its brand. The Company would have obtained guarantees from these advertisers/list providers regarding the lawfulness of the details that would come "from consented contacts".

With reference to telemarketing activity in inbound mode, i.e. relating to telephone calls coming directly from users interested in completing a purchase order for Scionti products, the Company represented that the data collection form filled out by the telephone operator during the contact, of which a facsimile has been produced, "is valid for the purposes of proving privacy consent".

Furthermore, it claimed that the opposition to further processing for marketing purposes expressed by users is recorded by inserting the number concerned into a specific black-list also containing data "relating to undelivered orders due to problems related to the postal or delivery address". customer availability”; this "to identify potentially unreliable customers [and] to prevent unfair competitive practices by third parties". On this point, the Company complained about the undue spending of the Scionti brand by abusive third parties who, in order to promote and sell their products and services, even used numbers registered in the name of Caffè Scionti regularly registered with the ROC. To confirm this, a copy of a warning email was provided to a company with which Caffè Scionti had a collaborative relationship in the past, which was later terminated, and which it would have used, for the promotion of its products, some customer numbers unduly removed from the Company's database.

Finally, the latter represented that it had not checked the users to be contacted in the RPO due to the technical problems that would have prevented the relevant consultation, producing in this regard the statement of failed attempts.

With communication dated 22 June 2023, Caffè Scionti produced further documentation, requested during the hearing, including the contracts signed with advertisers from which it acquired lists of personal data used for marketing activities.

4. LEGAL ASSESSMENTS

With reference to the factual profiles highlighted above, also based on the Company's statements, for which the declarant is responsible pursuant to art. 168 of the Code, the following legal assessments are formulated.

4.1. Telephone contacts, information and consent

The reports and complaints received, considered as a whole, give a picture of inadequate control of the rules on the protection of personal data. The answers provided by the Company both to the interested parties before the investigation and to the Office after the start of the procedure did not clarify the legality conditions that would have legitimized the telephone contacts, attributing some of the phone calls complained of to the random dialing of the numbers contacted.

In this regard, it should be clarified that it can be considered "personal data", pursuant to art. 4 of the Regulation, also the number randomly dialed and called by telephone for promotional activities (see provision of 3 December 2009, in www.gpdp.it, web doc. n. 1679436). Therefore, also with reference to numbers dialed randomly for telephone contacts, the rules dictated by the Code and the Regulation must be considered applicable which identify the prior informed and specific consent of the interested party as the legal basis for the marketing activity, furthermore considering it unlikely “random” combination of a telephone number, entered incorrectly, with the name of the real holder (see, in particular, files nos. 186650 – 187981 – 188286). It follows, therefore, that the telephone calls in question were made without the consent of the interested parties.

The additional methods of acquiring personal data described during the hearing (word of mouth; online form; inbound) were also found to be carried out in the absence of an appropriate legal basis.

Specifically, the acquisition of personal data through word of mouth from customers cannot be considered valid as the person who provided it is not (as a rule) entitled to give any valid consent on behalf of the interested party receiving the promotional communication. Nor can the "legitimate interest" of the Company be invoked as a legal basis together with the presumed interest of the person involving the friend or relative in the promotion, as already supported by the Guarantor in Measure no. 7 of 15 January 2020 (in www.gpdp.it, web doc. no. 9256486). The customer e-mail addressed to Caffè Scionti, containing the contact details of potential buyers of the promotional offer, cannot replace the necessary fulfillment of the obligation of prior acquisition of specific, documented and unequivocal consent from the interested party. This circumstance was, moreover, characterized by a certain systematicity since, as represented in the feedback, compared to "3,000/4,000 emails per week" addressed to customers with the request "INTRODUCE A FRIEND", the Company receives " approximately 100/120 registrations [...] per week" (see Attachment A of the response dated 29 March 2023).

Similarly, the purchase order form filled out by the telephone operator when contacting the user interested in Scionti products (inbound mode) cannot in any way be considered as proof of express consent to the processing of personal data for promotional purposes. In fact, this form contains only the registration of the user's desire to purchase certain products of the Company and not the consent to use the data for promotional purposes. What is guaranteed in this circumstance is only the civil context of the contract and its characteristics, without a proactive approach emerging to protect the complex of rights not only of the consumer (pursuant to Legislative Decree no. 205 of 6 September 2006 - «Code of Consumption") but also of the interested party. This form, therefore, has value only with regard to the contractual relationships between the parties and not with respect to the guarantees to be given to the interested party in relation to the processing of his data. It should also be remembered that, based on the provisions of art. 7, par. 2, of the Regulation, "if the interested party's consent is given in the context of a written declaration which also concerns other matters, the request for consent is presented in a way that is clearly distinguishable from other matters, in an understandable and easily accessible form, using a language simple and clear”, an element not present in the purchase order form presented by the Company.

It follows from this incorrect approach that all subjects qualified as customers - in that they adhere to the commercial offer by completing the coffee pod purchase form (as in the case referred to in file no. 185551) - constitute a wealth of data on which to draw for the Company's promotional communications, even in the absence of express marketing authorization.

Therefore, since the telephone contacts for marketing purposes concerned users found with the described methods (random dialing of telephone numbers, word of mouth from customers and inbound methods), it is believed that what was observed in the document initiating the proceedings in this regard is confirmed to the existence of the violation of the articles. 5 par. 1 letter a), 6, 7, 13 of the Regulation and 130 of the Code for not having acquired the prior consent of the interested parties nor for having provided the latter, on the occasion of the aforementioned telephone calls, with the necessary information regarding the processing of data.

4.2. Data coming from List Provider and consent of interested parties

To supplement the defense arguments provided during the hearing, on 22 June 2023 the Company sent, by way of example only, a copy of one of the contracts for the supply of personal data for telemarketing activities.

Relying on the contractual guarantees and counting on the positive results of the collaboration established with the list providers, it does not emerge that the Company has requested from the partners (nor, consequently, examined) the documentation proving the existence of the requirements of lawfulness of the processing; for example, it does not appear that Caffè Scionti has ever asked the list providers it uses to document the origin of the data, as well as the legal basis underlying their processing for marketing purposes, elements already considered essential in the Guarantor's Provision no. 349 of 20 October 2022 (in www.gpdp.it, web doc. no. 9827153).

Consequently, the failure to verify the presence or absence of original consent, together with the absence of evidentiary evidence capable of documenting its acquisition, reverberates their effects on the legitimacy of the Company's promotional activity. It is therefore believed that it is necessary to confirm the violation of the articles. 5 par. 1 and 2, 6 par. 1 letter a) and 7 of the Regulation.

4.3. Online data processing

With regard to the data acquired via the website, it is believed that the findings that emerged during the preliminary investigation are confirmed - for the details of which, for reasons of economy, please refer to the full content of the relevant documents.

However, it should be noted that, from the analysis of the privacy information found at the link https://www.caffescionti.com/privacy-policy/, direct marketing - not mentioned among the purposes pursued by the Company (mainly referring to the execution of services requested by the interested parties) - constitutes, in reality, the company's core business which can be achieved through the various data acquisition tools (so-called "multi-channel"), which includes the website (as also confirmed by Caffè Scionti during the hearing – see page 1 of the relevant minutes).

Therefore, the Company is attributable to non-compliance with the obligation to provide transparent information that is effectively suitable for making interested parties aware of what is being done with their data, as it was not clearly indicated, in the aforementioned information text, marketing activity while actually being carried out. Nor did it emerge that specific consent was obtained from the interested parties for this purpose.

In light of the above, the violation of the articles is considered to be complete. 5 par. 1 letter a), 6 par. 1 letter a), 7 and 12 par. 1 of the Regulation.

4.4. Exercise of rights

Since the reasons expressed in this document in point 2.2 have been fully recalled here, and considering the defense arguments of the party, it is believed that the violation of the articles is confirmed. 12, 15 and 21 of the Regulation, for not having provided a complete response to the request to exercise the right of access presented by some interested parties, the Company limiting itself to tracing the complained conduct to the random dialing of the numbers contacted and trying to remedy it through verbal assurances regarding the inclusion of the names and related users in the "wrong list" of which, however, no evidence was given despite the explicit request of the Office in the note dated 24 February 2023, nor after the start of the procedure. Nor yet, in one case (see file 186650), does it appear that the opposition expressed during the telephone contacts was adequately acknowledged by the Company given the further telephone activity towards the interested party's users.

In addition, this "wrong list" was not even mentioned during the hearing, nor at the dissolution of the reservations of 22 June 2023. The Company instead referred generically to a "black-list" (of which, also in this case, no copy was produced) in which the opposition expressed by the interested parties is recorded.

Since the Company did not provide a copy of the aforementioned lists, as requested by the Authority, it was not possible to verify whether they have been adequately implemented, or whether they contain detailed elements (date of refusal, of inclusion in the list, the identity of the 'user) such as to allow us to correctly reconstruct the methods and times of acquisition and revocation of consent and, consequently, to ascertain the lawfulness of promotional contacts and the correct management of the opposition expressed by interested parties (see provision of 15 December 2022, on www.gpdp.it, web doc. no. 9856345).

4.5. Telephone contacts without prior consultation of the Public Registry of Oppositions

It must necessarily be taken into consideration that the Company should have submitted the list of records in its availability for confirmation by the Public Register of Objections, which would have allowed some of the interested parties, who had correctly formulated their opposition, to be excluded from the list of contactable subjects. However, it appears that the response to the RPO was not carried out, revealing the technical problems connected to the registration of the Company in the list of operators who are allowed to consult the Register. In fact, this registration must be considered as a pre-condition to be able to correctly carry out telemarketing activities and the technical impossibility of consulting the Register can only determine the impossibility of starting any promotional campaign for which the use of telephone means is envisaged. The violation of the art. is therefore considered complete. 1, paragraph 11, of law no. 5/2018, in relation to the following paragraph 12 and the art. 130, paragraph 3, of the Code.

4.6. Accountability

The facts described cannot be qualified as exceptional in nature but appear to denote a systematic lack of organizational and control measures by the Company also with reference to the obligation to prove compliance with the rules (accountability of the owner).

Firstly, the traceability of some of the calling numbers (nos. 0678563355, 0681925529) to the list of those in use by Caffè Scionti, which confirmed its ownership, raises doubts regarding the non-involvement invoked in relation to the contacts complained of in the complaints being examined by the Authority. Even considering the circumstance represented by the Company which complained of having suffered the undue subtraction of its database by a third party, a former partner, for promotional activities of the latter, it is not possible to hypothesize that this occurred using regularly calling numbers registered at the ROC and registered to Caffè Scionti.

This being said, with the exception of the sole warning not to use the Caffè Scionti database against the company's former unfaithful partner, there are no further initiatives in this sense; nor, from the context represented, is there evidence of the adoption of suitable and decisive concrete measures against any abusive subjects who would fuel the illicit market through the undue use of the Scionti name (for example, reports to the competent authorities, or the adoption of technical and organizational measures worthy of appreciation). Furthermore, it cannot be ruled out that the promotional activity of third parties, allegedly parallel and external to the Company, cannot derive advantages for the latter in terms of the activation of services or the signing of new contracts.

Therefore, the violation of the articles is considered confirmed. 5 par. 2, 24 par. 1 and 2, and 25 of the Regulation, which frame the owner's skills in a perspective of necessary valorization of the principle of responsibility (accountability) aimed at proving compliance with the rules on the protection of personal data.

5. CONCLUSIONS

For the above, Caffè Scionti's responsibility for the following violations of the Regulations is considered established:

- art. 5 par. 1 letter a) and 2

- art. 6

- art. 7

- art. 12

- art. 13

- art. 15

- art. 21

- art. 24 par. 1 and 2

- art. 25

as well as art. 130 of the Code.

Having ascertained the illicit nature of the Company's conduct described above, it is necessary to:

a) pursuant to art. 58, par. 2, letter. f) of the Regulation, prohibit the processing of personal data collected in the absence of informed, free, specific, documented and unequivocal consent of the interested parties in the marketing activity, pursuant to articles. 6, 7 and 12 of the Regulation, as well as 130 of the Code;

b) pursuant to art. 58, par. 2, letter. d) of the Regulation, order Caffè Scionti to delete said data without delay, without prejudice to that which is necessary to retain for the fulfillment of a legal obligation or for any contractual reasons;

c) in the event that the Company intends in the future to direct promotional activity towards telephone users provided by third parties, pursuant to art. 58, par. 2, letter. d) of the Regulation, order:

- to adopt suitable procedures aimed at constantly verifying, also through adequate random checks, that personal data are processed in full compliance with the relevant provisions (prior acquisition of free, specific, unequivocal, documented, as well as informed consent from the interested parties for sending commercial communications), pursuant to articles. 6, 7, 13 and 14 of the Regulation as well as art. 130 of the Code;

- to adopt adequate technical and organizational measures to facilitate the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without unjustified delay, the relevant requests, including the right to object which can be advanced "at any time ” by the interested party (art. 21, par. 2, of the Regulation);

- to provide interested parties with suitable information in which all the elements required by the articles are indicated. 12 and 13 of the Regulation, as well as, with reference to the website, the processing operations actually carried out by Caffè Scionti;

- to adopt adequate procedures aimed at keeping track of processing activities also within the supply chain and proving compliance with the rules on the protection of personal data (articles 5, paragraph 2, and 24 of the Regulation);

d) pursuant to articles. 58, par. 2, letter. i) and 83, pars. 4 and 5 of the Regulation, with regard to the processing already carried out, adopt an injunction order for the application of a pecuniary administrative sanction.

6. ORDER INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION

The violations confirmed above require the adoption of an injunction order, pursuant to articles. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Caffè Scionti of the pecuniary administrative sanction provided for by the art. 83, par. 4 and 5 of the Regulation.

However, since various provisions of the Regulation and the Code have been violated in relation to related processing carried out by the Company for marketing purposes, art. 83, par. 3, of the Regulation, according to which, "if, in relation to the same treatment or related treatments, a data controller violates, with intent or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed amount specified for the most serious violation”, thus absorbing the less serious violations. Specifically, the aforementioned violations are to be traced back, pursuant to art. 83, par. 3 of the Regulation, in the context of the most serious violation, with consequent application of the sanction provided for in the art. 83, par. 5, of the Regulation.

To determine the amount of the sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1, of the Regulation), it is necessary to take into account the elements indicated in the art. 83, par. 2, of the Regulation.

Which circumstances to take into consideration in the specific case must be considered, from the point of view of aggravating circumstances:

1. the seriousness of the violations detected (art. 83, par. 2, letters a) and b) of the Regulation) with specific reference to the particularly invasive nature of illegal telemarketing as well as the high number of interested parties involved and the multiplicity of conduct in discrepancies in the Regulation and the Code, such as to suggest that Caffè Scionti intended to plan and implement marketing campaigns while accepting the risk of determining significant circumvention of the legislation on the protection of personal data;

2. the inadequate cooperation with the Authority since the Company - despite the repeated requests of the Office both in the preliminary investigation phase and after the start of the procedure - provided partial and inadequately documented feedback, therefore not allowing, a complete verification and evaluation of the processing, in particular with reference to the consistency of the databases as well as the actual existence of "wrong-lists" and/or "black-lists" and the correct implementation of the same for the purposes of a timely and effective response to requests to exercise the rights of interested parties (art. 83, par. 2, letter f) of the Regulation);

3. the discrepancy in the Company's conduct with respect to the consistent regulatory activity of the Authority regarding marketing with particular reference to information and consent (art. 83, par. 2, letter k) of the Regulation);

As mitigating elements, it is believed that the following should be taken into account:

1. the absence of previous proceedings initiated against the Company (art. 83, par. 2, letter e) of the Regulation);

2. the nature of the data processed, consisting of common personal and contact data (art. 83, par. 2, letter g) of the Regulation).

Based on all the elements indicated above, in application of the aforementioned principles of effectiveness, proportionality and dissuasiveness referred to in art. 83, par. 1 of the Regulation, also taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, also in order to limit the economic impact of the sanction on the organisational, functional and employment needs of the Company, it is believed that it should apply to Caffè Scionti the administrative sanction of the payment of a sum of 70,000.00 euros (seventy thousand/00), equal to 0.35% of the statutory maximum.

In the case in question, it is believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art., should also be applied. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the matter under investigation, i.e. the phenomenon of unwanted marketing, capable of causing significant damage to the rights and freedoms of interested parties, with respect to which this Authority has adopted numerous measures both of a general nature and aimed at certain data controllers and on which the user's attention is high.

Please remember that, pursuant to art. 170 of the Code, anyone who, being required to do so, does not comply with this provision prohibiting processing is punished with imprisonment from three months to two years and that, in case of non-compliance with the same provision, the sanction referred to in to the art. 83, par. 5, letter. e) of the Regulation. Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, letter. u) of the Regulation.

ALL THE WHEREAS, THE GUARANTOR

pursuant to art. 57, par. 1, letter. f) of the Regulation declares unlawful, within the terms set out in the justification, the processing carried out by Scionti Selezioni Superiori S.r.l., with registered office in Via Gregorio VII, n. 396, 00165 Rome, VAT number 15932241001, and consequently:

a) pursuant to art. 58, par. 2, letter. f) of the Regulation, prohibits the processing of personal data collected in the absence of informed, free, specific, documented and unequivocal consent of the interested parties in the marketing activity, pursuant to articles. 6, 7 and 12 of the Regulation, as well as 130 of the Code;

b) pursuant to art. 58, par. 2, letter. d) of the Regulation, orders Caffè Scionti to delete said data without delay, except for data that is necessary to keep for the fulfillment of a legal obligation or for any contractual reasons;

c) pursuant to art. 58, par. 2, letter. d) of the Regulation, in the event that the Company intends in the future to direct promotional activity towards telephone numbers provided by third parties, enjoins:

- to adopt suitable procedures aimed at constantly verifying, also through adequate random checks, that personal data are processed in full compliance with the relevant provisions (prior acquisition of free, specific, unequivocal, documented, as well as informed consent from the interested parties for sending commercial communications), pursuant to articles. 6, 7, 13 and 14 of the Regulation as well as art. 130 of the Code;

- to adopt adequate technical and organizational measures to facilitate the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without unjustified delay, the relevant requests, including the right to object which can be advanced "at any time ” by the interested party (art. 21, par. 2, of the Regulation);

- to provide interested parties with suitable information in which all the elements required by the articles are indicated. 12 and 13 of the Regulation, as well as, with reference to the website, the processing operations actually carried out by Caffè Scionti;

- to adopt adequate procedures aimed at keeping track of processing activities also within the supply chain and proving compliance with the rules on the protection of personal data (articles 5, paragraph 2, and 24 of the Regulation);

d) pursuant to art. 157 of the Code, orders the Company to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, par. 5, of the Regulation.

ORDER

to Scionti Selezioni Superiori S.r.l., in the person of its legal representative, to pay the sum of €70,000.00 (seventy thousand/00), as a pecuniary administrative sanction for the violations indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €70,000.00 (seventy thousand/00) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to the art. 27 of law no. 689/1981;

HAS

as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, the publication of this provision on the Guarantor's website and, pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by the art. 57, par. 1, letter. u) of the Regulation, violations and measures adopted.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles. 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the owner of the personal data processing has his residence, or, alternatively, with the court of the place of residence of the interested party. , within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 12 October 2023

PRESIDENT
Stantion

THE SPEAKER
Zest

THE GENERAL SECRETARY
Mattei