Garante per la protezione dei dati personali (Italy) - 9964761

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(a) GDPR
Article 7 GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 24 GDPR
Article 130 of the Italian Privacy Code
Type: Complaint
Outcome: Upheld
Started:
Decided: 26.10.2023
Published:
Fine: 10,000 EUR
Parties: A.C. Group S.r.l.s.
National Case Number/Name: 9964761
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: ar

The Italian DPA fined a controller €10,000 for making an unsolicited telemarketing call to the complainant, who was registered in the Italian Public Opt-out Registry. The DPA found a systematic lack of GDPR compliance, including with Articles 5, 6, 13 and 14 GDPR.

English Summary

Facts

On 2 February 2023, a complaint was submitted to the Italian DPA regarding the receipt on 30 December 2022 of an unsolicited telephone call from A.C. Group S.r.l.s. (the controller).

The complainant stated that the controller had contacted him, although his user account was registered in the Italian Public Opt-out Registry (RPO). The RPO is an Italian registry extended to all national phone numbers, which allows citizens to opt out of unwanted telemarketing calls. The complainant also considered the controller's response to his request of 4 January 2023 to exercise his rights under Articles 15, 17 and 21 GDPR unsatisfactory.

On 8 February 2023, the DPA requested further clarification, which the controller provided on 23 February 2023.

The controller explained that it had obtained the telephone contact of the data subject from a third party, an American company, which had transmitted through WhatsApp the list of names that could be contacted, including the complainant. The controller stated that this had been an exception since business contacts would normally be provided by Italian companies that guaranteed that the contact lists were checked and ensured that the numbers were not in the RPO. It further added that it did not know that the third party was an American company since it only had its telephone number.

Holding

The DPA noted that the controller carried out its promotional activity without verifying the conditions of lawfulness of the processing, especially without checking whether the complainant had given his consent.

From the information gathered, it had been ascertained that the controller did not consult the RPO to check the lists provided by the third parties, even though it guaranteed to do so. It emerged that the controller had also not verified that the third parties had issued to the persons concerned an appropriate information notice under Article 14 GDPR nor that the third parties had acquired specific consent from the data subjects for the data to be shared with third parties (including the controller) for marketing purposes, with consequent effects on the legitimacy of the promotional activities carried out.

Therefore, the DPA confirmed a breach of Article 5(1)(a) GDPR, Article 6(1)(a) GDPR, Article 7 GDPR and of Article 130 of the Italian Privacy Code for having carried out telemarketing activities without the prior informed consent of the complainant.

Secondly, the DPA noted that the call script used in the promotional contacts contained only an indication of the processing carried out by the controller and a generic reference to the privacy policy to be consulted by accessing its website. However, the text lacked the necessary information on the origin of the personal data and was not enough to make the data subject fully aware of the processing operations carried out by the controller. Moreover, the DPA noted that it was practice for the controller to only accept requests under Article 12 GDPR and provide information under Article 13 GDPR and Article 14 GDPR when the data subjects declared themselves interested in its services. In light of this, the DPA stressed that such practice contravened the requirement of easy accessibility of the information underlying Article 12 GDPR in the broader context of the basic principle of transparency. Thus, the DPA confirmed a violation of Articles 12, 13, and 14 GDPR.

Thirdly, the DPA found a violation of Article 5(2) GDPR and Article 24 GDPR since the controller’s processing of personal data for marketing purposes did not meet the requirements of accountability, as well as a violation of Article 5(1) GDPR given that the data processing was not compliant with the lawfulness, correctness and transparency principles.

Due to the breaches found, the DPA imposed a fine of €10,000 on the controller pursuant to Article 83(1) GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9964761]

Provision of 26 October 2023

Register of measures
n. 503 of 26 October 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, the lawyer Guido Scorza, member, and the councillor Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter "Code");

HAVING SEEN the documentation on file;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000;

SPEAKER Prof. Pasquale Stanzione;

PREMISE

1. THE INVESTIGATORY ACTIVITY

With the complaint dated 2 February 2023, presented to this Authority pursuant to art. 77 of the Regulation, Mr. XX complained about receiving, on 30 December 2022, an unwanted phone call from A.C. Group S.r.l.s. (hereinafter also «A.C. Group» and «Company») on his telephone number registered in the Public Registry of Oppositions (so-called «RPO»), in the absence of prior informed consent. The complainant also considered unsatisfactory A.C. Group's response to the request to exercise the rights referred to in articles 15, 17 and 21 of the Regulation, formulated on 4 January 2023.

In this response, the Company, in ensuring that it had proceeded with the cancellation of the personal data of the interested party, indicated the subject from which it would have acquired the same data - XX (hereinafter "XX" or "supplier") - and from which it would be in possession of only the telephone number used for commercial contacts made via WhatsApp. Therefore, not having further contact details of the supplier and not having, according to it, consent to communicate the same to third parties, the Company did not satisfy the interested party's request to obtain such contact details to exercise the right against XX of opposition to further treatment. Finally A.C. Group, in discussions with the complainant, was able to ascertain that the data provided by XX were not updated, so much so that the residence of the interested party indicated in the list in question dates back to 14 years previously.

On 8 February 2023, the Office - in order to acquire useful elements for a complete assessment of the profiles linked to the lawfulness of the processing - formulated a request for information, pursuant to art. 157 of the Code, to which the Company responded with a note dated 23 February 2023 in the following terms, developing and clarifying much of the contents already expressed in the feedback provided to the complainant.

First of all, the Company has clarified its "modus operandi" consisting of contacting potential customers by telephone to find an interest in the installation of photovoltaic systems and to arrange a possible home demonstration appointment.

The contactable numbers - referring solely to residents of the areas of Rovigo, Bologna, Ferrara and Padua - have been acquired over time from various Italian companies that have guaranteed "exclusively controlled lists" made up of numbers, both fixed and mobile, not registered with the RPO. These lists, merged into the Company's server and inserted into the "callite" management system, are used by operators for A.C. Group's commercial offers intended for residents of the selected area. During the phone call, made from a visible number traceable to the Company, the operator follows the specifically prepared call script.

In the case referred to in the complaint, A.C. Group specified that it had obtained from a third party, operating in the same energy sector, the telephone contact of XX, an American company, which would have sent, via WhatsApp, the list of contactable names, which included the complainant. This circumstance, according to the Company, would represent an exception as the commercial contacts would normally be provided by Italian and not foreign companies. Furthermore, A.C. Group stressed that it did not know that XX was an American company as it only had the telephone number.

Having noted the unreliability of XX regarding the incorrect or not up-to-date data in the lists (see the residence of the complainant), the Company, in addition to having acted in civil proceedings through a complaint, ensured that it had undertaken "a different strategy to search for names to contact", deciding to turn in the future "exclusively to established companies in the sector in Italy". Finally, with regard to telephone contacts, it declared that it had prepared an information note to be read at the beginning of the phone call "in order to obtain prior informed consent from the user to process the data for the sole purpose of promoting its products".

2. DISPUTE OF VIOLATIONS

On 24 May 2023, the Company was notified of the start of the procedure, pursuant to art. 166, paragraph 5, of the Code, for the adoption of any measures referred to in art. 58, par. 2, of the Regulation. With this communication (prot. n. 82790/23) A.C. Group was charged with the alleged violations of the following provisions:

2.1. articles 5 par. 1 letter a), 6 par. 1 letter a), 7 of the Regulation and art. 130 of the Code, for having made promotional telephone calls without the informed consent of the interested parties;

2.2. art. 1, paragraph 11, of law no. 5/2018, in relation to the following paragraph 12 and the art. 130 paragraph 3 of the Code, with reference to carrying out telemarketing activities without having consulted the Public Register of Oppositions on a monthly basis or in any case before each promotional campaign;

2.3. articles 12, 13 and 14 of the Regulation, for not having provided adequate information during promotional contacts;

2.4. articles 5 par. 1 and 2, 24 pars. 1 and 2, 25 of the Regulation, for not having adopted adequate organizational measures aimed at keeping track of processing activities and proving compliance with the rules, also with regard to the entire supply chain of commercial partners.

On this point, the Company was invited to communicate how many details acquired from the list providers were registered in the company systems and how many of them the promotional calls were addressed to.

3. DEFENSIVE COMMENTS

The Company, in exercising its right of defence, presented its briefs on 21 June 2023 with which it substantially confirmed what was declared in the response dated 23 February 2023, highlighting how the commercial relationship with XX constituted an exception compared to the usual operating mode.

In fact, A.C. Group uses only the numbers provided by Italian companies for its marketing activities.

The list acquired from XX in mid-November 2022 "was kept within the management system for about a month and a half" and immediately deleted as soon as Mr. XX's complaint was received. Therefore, according to what the Company asserts, it is not possible to fulfil the Authority's request regarding the number of personal details acquired from XX registered in its databases since currently the only numbers stored in the company systems, "accompanied by free, explicit and informed", are those provided by an Italian company and amount to approximately 6,900 names in 2021 and 30,000 in 2023.

A.C. Group also illustrated the initiatives undertaken to "increase the degree of compliance of internal processes [...] with legislation [...] regarding the protection of personal data", claiming to have turned to an external privacy consultancy company for this purpose. In specifying that it registered in the Public Registry of Oppositions on 17 January 2023, it declared that it constantly checks the presence of the contact numbers in it. It revised the call script (of which a copy was produced) and prepared a new text of the information for the processing of personal data. Finally, it reiterated that it had promptly deleted the name of the complainant from its databases, who was promptly informed of it, underlining the uniqueness of the conduct complained of (it was a single phone call lasting a maximum of 30 seconds).

4. LEGAL ASSESSMENTS

With reference to the factual profiles highlighted above, also based on the Company's statements, for which the declarant is responsible pursuant to art. 168 of the Code, the following legal assessments are formulated.

4.1. Data from list providers and consent of interested parties

The Company's promotional activity was found to have been carried out without verifying the conditions of lawfulness of the processing, with particular reference to the prior consent of the interested parties.

From the analysis of the personal data acquired "exceptionally" from XX and promptly canceled following the proceedings instituted before the Authority, as well as the lists provided by the Italian partner and which currently populate the company database, it did not emerge that A.C. Group has verified the existence of the legal basis of consent that would have legitimized the promotional contacts.

Furthermore, it did not appear that the Company consulted the Public Register of Oppositions in reference to the records provided by XX nor to the additional numbers acquired over the years from the Italian partners, despite A.C. Group having guaranteed that it would carry out this requirement before carrying out any promotional campaign.

In this regard, it must be noted, first of all, that the documentation produced in support of the defense briefs would only certify the qualification of the Company, as an operator, for the services of updating the lists in the Public Register of Oppositions and not also the consultation of the numbers provided by XX or by other partners; moreover, the described authorization was registered in January 2023, therefore after the phone call to the complainant on 30 December 2022.

Therefore, already in the first contact with the interested party, A.C. Group should have submitted the list of records now in its availability for confirmation by the Public Registry of Oppositions; a circumstance which would have allowed the complainant, who had correctly formulated his opposition, to be excluded from the list of contactable subjects. Furthermore, it should have verified that the presence of the users on the list was legitimized by the desire of the interested parties to be contacted for promotional purposes, through the signing of specific consents.

A.C. Group, on the other hand, never mentioned the presence or absence of an original consent that authorized at least the first promotional call; rather, the creation of contacts seemed to be mainly subject to a geographical criterion. Therefore, the commercial calls were made not on the basis of specific consent but based on the Company's need to contact the users of a specific geographic area/zone. In fact, according to the Company, if the complainant's data had been correct and had indicated his current place of residence, the phone call of 30 December 2022 would not have been made because "it was the intention" of A.C. Group to "contact the names [of] Bologna and not [of] Treviso" (see reply dated 23 February 2023).

The conduct described, as admitted by the Company itself, constitutes the "modus operandi" with which the promotional activity is carried out and was also replicated in reference to the numbers acquired from XX, moreover in the absence of any guarantee, even of a formalistic nature, on the lawfulness of the same.
It emerged, therefore, that A.C. Group did not verify that its partners had issued suitable information to interested parties, pursuant to art. 14 of the Regulation, and acquired specific consent for communication to third parties (including A.C. Group) for marketing purposes, with consequent repercussions on the legitimacy of the Company's promotional activity.

Ultimately, the processing described gave rise to promotional telephone calls being made without the informed consent of the interested parties since the Company did not produce any evidence capable of documenting their acquisition. Nor can this breach be considered overcome by the reassurances offered by the suppliers on the lawfulness of the lists (as in the case of the contract signed in 2023 with the Italian partner - point 2.5 - the only one available), nor, even less, can it reflect the contractual provision of indemnity clauses on the verification of consent (such as that expressed in the aforementioned act in point 2.6) and which has value only with regard to the contractual relationships between the parties and not with respect to the guarantees to be given to the interested party in relation to the processing of his data. Furthermore, the intentions for the new promotional activities proposed by the Company in the response dated 23 February 2023, together with the recent initiatives, are not suitable to overcome the critical issues identified, since the method of requesting consent during the first phone call appears confirmed, without verifying their acquisition before each campaign.

Therefore, the violation of articles 5 par. 1 letter a), 6 par. 1 letter a), 7 of the Regulation and art. 130 of the Code must be confirmed, for having carried out telemarketing activities in the absence of the prior informed consent of the interested parties, not only in relation to the case referred to in the complaint, but in the overall processing carried out by A.C. Group.

Furthermore, the violation of the art. 1, paragraph 11, of law no. 5/2018, in relation to the following paragraph 12 and the art. 130, paragraph 3, of the Code, with reference to the Company's carrying out telemarketing activities without having consulted the complainant's telephone number and the details acquired by XX in the Public Register of Objections.

4.2. Telephone contacts and information

The call script used during promotional contacts - attached to the reply of 23 February 2023 and, in its renewed version, to the defense brief - contains the sole indication of the ownership of the processing by A.C. Group and a generic reference to the privacy policy which can be consulted by accessing the Company's website (http://www.acgrouprovigo.com/).

The text thus formulated, also lacking the necessary information on the origin of the personal data (i.e. the subject from whom the same data would have been acquired), does not allow the interested party to have full knowledge of the processing carried out by the Company. Nor does the mere deletion of the complainant's data, as represented by A.C. Group in its reply, exhaust the data controller's obligations to provide the applicant with all the information that could have allowed the applicant to exercise control over their personal data (see provision dated 27 January 2022, no. 23, web doc. no. 9746068 on www.gpdp.it).

Furthermore, it must be noted that the lack of these elements in the call script cannot be considered overcome by the fact that the data can be known aliunde, nor can a mechanism be accepted that forces the interested party to access the website of A.C. Group, or to declare themselves interested in the Company's services, in order to acquire all the information required by articles 13 and 14 of the Regulation, thus also contravening the requirement of easy usability of the information underlying art. 12 of the Regulation, in the broader context of the basic principle of transparency (see provision dated 15 December 2022, no. 429, web doc. no. 9852290; provision dated 27 May 2021, no. 217, web doc. no. 9689375; provision dated 13 April 2023, no. 183, web doc. no. 9894662, all on www.gpdp.it).

Added to this is the fact that, as represented above, there is no evidence of the release to the interested parties of the information from the list providers, including that of XX, as a necessary prerequisite for the legitimacy of the communication of the data to A.C. Group and subsequent use for promotional purposes, also impacting the validity of any original consent to marketing.

Therefore, the violation of articles 12, 13 and 14 of the Regulation is considered confirmed, since it appears that suitable information has not been provided to the interested parties, not only in relation to the case referred to in the complaint but in the overall processing carried out by A.C. Group.

4.3. On accountability

The treatments described above give a picture of inadequate control and failure to comply with the rules on the protection of personal data.

A.C. Group has not provided elements to prove the lawfulness of the processing, with particular regard to the obligations of the information and consent. This is in relation both to the Italian partners and to XX with whom the economic terms of the promotional campaign were defined via WhatsApp (see invoice sent via WhatsApp on 11/08/2022), without following up on agreements or directives, even not made explicit in the contractual form, which would have allowed us to reconstruct the legal context in which the processing was carried out and to specifically qualify the roles and responsibilities of the Company and the entire supply chain.

It should also be noted that the Company does not appear to have taken any precautions in choosing the XX supplier with which it would have come into contact through a third party operating in the energy sector, without paying attention to the aspects related to data processing and the guarantees afforded to interested parties. Only after the complainant's request and the observations raised by the latter, the Company was able to ascertain that the data provided by XX were not updated and, therefore, incorrect.

Therefore, the processing of personal data for marketing purposes, carried out using personal data lists obtained from XX, was found to lack the requirements of lawfulness, correctness and transparency identified by the art. 5 of the Regulation.

In the absence of adequate controls on the entire processing chain (from collection to the implementation of the promotional campaign), the marketing activity is in violation of articles 5 par. 2 and 24 of the Regulation, which frame the controller's responsibilities with a view to the necessary valorisation of the principle of responsibility (accountability) aimed at proving the obligations carried out regarding the protection of personal data, also taking into account the principle of privacy by design (art. 25 of the Regulation).

5. CONCLUSIONS

For the above, the responsibility of A.C. Group is considered established regarding the following violations of the Regulation:

- art. 5 par. 2;

- art. 6 par. 1, letter a);

- art. 7;

- art. 12;

- art. 13;

- art. 14;

- art. 24;

- art. 25;

as well as art. 130 of the Code.

Having ascertained the illicit nature of the Company's conduct described above, it is necessary to:

a) prohibit the processing of personal data collected in the absence of informed, free, specific, documented and unequivocal consent of the interested parties in the marketing activity, pursuant to articles 6, 7, 12 and 14 of the Regulation, as well as 130 of the Code;

b) order A.C. Group to proceed without delay with the deletion of said data, except for those that are necessary to keep for the fulfillment of legal obligations or for any contractual reasons;

c) order, in the event that the Company intends in the future to direct promotional activity towards telephone users provided by third parties:

- to adopt suitable procedures aimed at constantly verifying, also through adequate random checks, that personal data are processed in full compliance with the relevant provisions (prior acquisition of free, specific, unequivocal, documented, as well as informed consent from the interested parties for sending commercial communications), pursuant to articles 6, 7, 12, 13 and 14 of the Regulation as well as art. 130 of the Code;

- to adopt adequate procedures aimed at keeping track of processing activities also within the supply chain and proving compliance with the rules on the protection of personal data (articles 5, paragraph 2, and 24 of the Regulation);

d) with regard to the processing already carried out, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to articles 58, par. 2, letter i) and 83, pars. 4 and 5 of the Regulation.

6. ORDER INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION

Based on the above, various provisions of the Regulation and the Code have been violated in relation to related processing carried out by A.C. Group, for which art. 83, par. 3, of the Regulation applies, according to which "if, in relation to the same treatment or related treatments, a data controller violates, with intent or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation", with consequent application of only the sanction provided for by art. 83, par. 5, of the Regulation.

To determine the amount of the sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1), it is necessary to take into account the elements indicated in the art. 83, par. 2, of the Regulation.

As aggravating circumstances in the specific case, the following must be taken into consideration:

1. the seriousness of the violations detected with particular reference to the absence of random checks of the contact numbers acquired by the partners and the related marketing consent issued by their holders, as well as the unsuitability of the information provided during promotional telephone calls, also taking into account that A.C. Group declared that it had only deleted the records provided by XX, instead retaining the additional data obtained from Italian suppliers, considering its actions correct (art. 83, par. 2, letter a);

2. the high number of data currently stored in the company management system and which are being processed for promotional purposes, not only in the absence of consent, but with the total unawareness of the interested parties (art. 83, par. 2, letter a);

3. the discrepancy in the Company's conduct with respect to the consistent regulatory activity of the Authority regarding marketing with particular reference to information and consent (art. 83, par. 2 letter k).

As mitigating elements, it is believed that the following should be taken into account:

1. the absence of previous sanctioning proceedings against the Company (art. 83, par. 2 letter e);

2. the nature of the data processed, consisting of common personal and contact data, as well as the level of harm caused to the interested party which is considered to be of a minor nature since the conduct complained of in the complaint concerned only one unwanted phone call from the Company (art. 83, par. 2, letters a and g);

3. the degree of cooperation in interaction with the Supervisory Authority (art. 83, par. 2, letter f);

4. the micro-enterprise nature of A.C. Group S.r.l.s. as well as the 2022 financial statement data provided by the Company (art. 83, par. 2, letter k).

Based on all the elements indicated above, in application of the aforementioned principles of effectiveness, proportionality and dissuasiveness referred to in art. 83, par. 1, of the Regulation, taking into account that the maximum applicable in the specific case is 20 million euros (art. 83, par. 5, Reg.) as well as the necessary balance between the rights of the interested parties and freedom of enterprise, also for the purpose of limiting the economic impact of the sanction on the organisational, functional and employment needs of the Company, it is considered appropriate to apply to A.C. Group the administrative sanction of paying a sum of 10,000.00 (ten thousand/00) euros, equal to 0.05% of the statutory maximum.

In the case in question, it is believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, should also be applied, taking into account the matter under investigation, i.e. the phenomenon of unwanted marketing, capable of causing significant damage to the rights and freedoms of interested parties, with respect to which this Authority has adopted numerous measures both of a general nature and aimed at certain data controllers and on which the user's attention is high.

Please remember that, pursuant to art. 170 of the Code, anyone who, being required to do so, does not comply with this provision prohibiting processing is punished with imprisonment from three months to two years and that, in case of non-compliance with the same provision, the sanction referred to in art. 83, par. 5, letter e) of the Regulation is applied.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, par. 1, letter f) of the Regulation, declares unlawful, within the terms set out in the justification, the processing carried out by A.C. Group S.r.l.s., with registered office in Via Luigi Einaudi, n. 99, 45100 Rovigo, VAT number 01609100290, and consequently:

a) pursuant to art. 58, par. 2, letter f) of the Regulation, prohibits the processing of personal data collected in the absence of informed, free, specific, documented and unequivocal consent of the interested parties in the marketing activity, pursuant to articles 6, 7, 12 and 14 of the Regulation, as well as 130 of the Code;

b) pursuant to art. 58, par. 2, letter d) of the Regulation, orders the Company to delete said data without delay, except for data that is necessary to keep for the fulfillment of legal obligations or for any contractual reasons;

c) pursuant to art. 58, par. 2, letter d) of the Regulation, orders, in the event that the Company intends in the future to direct promotional activity towards telephone users provided by third parties:

- to adopt suitable procedures aimed at constantly verifying, also through adequate random checks, that personal data are processed in full compliance with the relevant provisions (prior acquisition of free, specific, unequivocal, documented, as well as informed consent from the interested parties for sending commercial communications), pursuant to articles 6, 7, 12, 13 and 14 of the Regulation as well as art. 130 of the Code;

- to adopt adequate procedures aimed at keeping track of processing activities also within the supply chain and proving compliance with the rules on the protection of personal data (articles 5, paragraph 2, and 24 of the Regulation);

d) pursuant to art. 157 of the Code, orders the Company to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, par. 5, of the Regulation.

ORDERS

pursuant to art. 58, par. 2, letter i) of the Regulation, A.C. Group S.r.l.s., in the person of its legal representative, to pay the sum of 10,000.00 (ten thousand/00) euros, as a pecuniary administrative sanction for the violations indicated in the justification; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 10,000.00 (ten thousand/00) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of law no. 689/1981;

PROVIDES FOR

as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, the publication of this provision on the Guarantor's website and, pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation, of the violations and measures adopted.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller has his residence, or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 26 October 2023

PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE GENERAL SECRETARY
Mattei



[doc. web no. 9964761]

Provision of 26 October 2023

Register of measures
n. 503 of 26 October 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, lawyer Guido Scorza, member, and Councillor Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter "Code");

HAVING REGARD to the documentation on file;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor Regulation n. 1/2000;

RAPPORTEUR Prof. Pasquale Stanzione;

PREMISE

1. THE INVESTIGATIVE ACTIVITY

With the complaint dated 2 February 2023, presented to this Authority pursuant to art. 77 of the Regulation, Mr. XX complained about receiving, on 30 December 2022, an unwanted phone call from A.C. Group S.r.l.s. (hereinafter also «A.C. Group» and «Company») on his telephone number registered in the Public Registry of Oppositions (so-called «RPO»), in the absence of prior informed consent. The complainant also considered unsatisfactory A.C. Group's response to the request to exercise the rights referred to in articles 15, 17 and 21 of the Regulation, formulated on 4 January 2023.

In this response, the Company, in assuring that it had proceeded with the deletion of the personal data of the interested party, indicated the subject from which it would have acquired the same data - XX (hereinafter "XX" or "supplier") - and of which it would be in possession of only the telephone number used for commercial contacts made via WhatsApp. Therefore, not having further contact details of the supplier and not having, according to it, consent to communicate them to third parties, the Company did not satisfy the interested party's request to obtain such contact details in order to exercise against XX the right to object to further processing. Finally, A.C. Group, in discussions with the complainant, was able to ascertain that the data provided by XX were not updated, so much so that the residence of the interested party indicated in the list in question dates back to 14 years ago.

On 8 February 2023, the Office - in order to acquire useful elements for a complete assessment of the profiles linked to the lawfulness of the processing - formulated a request for information, pursuant to art. 157 of the Code, to which the Company responded with a note dated 23 February 2023 in the following terms, developing and clarifying much of the contents already expressed in the feedback provided to the complainant.

First of all, the Company has clarified its "modus operandi" consisting of contacting potential customers by telephone to find an interest in the installation of photovoltaic systems and to arrange a possible home demonstration appointment.

The contactable numbers - referring solely to residents of the areas of Rovigo, Bologna, Ferrara and Padua - have been acquired over time from various Italian companies that have guaranteed "exclusively controlled lists" made up of numbers, both fixed and mobile, not registered with the RPO. These lists, merged into the Company's server and inserted into the "callite" management system, are used by operators for A.C. Group's commercial offers intended for residents of the selected area. During the phone call, made from a visible number attributable to the Company, the operator follows the specifically prepared call script.

In the case referred to in the complaint, A.C. Group specified that it had obtained from a third party, operating in the same energy sector, the telephone contact of XX, an American company, which would have sent, via WhatsApp, the list of contactable names, which included the complainant. This circumstance, according to the Company, would represent an exception as the commercial contacts would normally be provided by Italian and not foreign companies. Furthermore, A.C. Group stressed that it did not know that XX was an American company as it only had the telephone number.

Having noted the unreliability of XX regarding the incorrect or not updated data of the lists (see the residence of the complainant), the Company, in addition to having acted in civil proceedings through a complaint, ensured that it had undertaken "a different strategy to search for names to contact", deciding to turn in the future "exclusively to established companies in the sector in Italy". Finally, with regard to telephone contacts, it declared that it had prepared an information note to be read at the beginning of the phone call "in order to obtain prior informed consent from the user to process the data for the sole purpose of promoting its products".

2. DISPUTE OF VIOLATIONS

On 24 May 2023, the Company was notified of the start of the procedure, pursuant to art. 166, paragraph 5, of the Code, for the adoption of any measures referred to in art. 58, par. 2, of the Regulation. With this communication (prot. n. 82790/23) A.C. Group was charged with the alleged violations of the following provisions:

2.1. articles 5 par. 1 letter a), 6 par. 1 letter a), 7 of the Regulation and art. 130 of the Code, for having made promotional telephone calls without the informed consent of the interested parties;

2.2. art. 1, paragraph 11, of law no. 5/2018, in relation to the following paragraph 12 and the art. 130 paragraph 3 of the Code, with reference to carrying out telemarketing activities without having consulted the Public Register of Oppositions on a monthly basis or in any case before each promotional campaign;

2.3. articles 12, 13 and 14 of the Regulation, for not having provided adequate information during promotional contacts;

2.4. articles 5 par. 1 and 2, 24 pars. 1 and 2, 25 of the Regulation, for not having adopted adequate organizational measures aimed at keeping track of processing activities and proving compliance with the rules, also with regard to the entire supply chain of commercial partners.

On this point, the Company was invited to communicate how many details acquired from the list providers were registered in the company systems and how many of them the promotional calls were addressed to.

3. DEFENSIVE COMMENTS

The Company, in exercising its right of defence, presented its briefs on 21 June 2023 with which it substantially confirmed what was declared in the response dated 23 February 2023, highlighting how the commercial relationship with XX constituted an exception compared to the usual operating mode.

A.C. Group in fact uses only the numbers provided by Italian companies for its marketing activities.

The list acquired from XX in mid-November 2022 "was kept within the management system for about a month and a half" and immediately deleted as soon as Mr. XX's complaint was received. Therefore, according to what the Company asserts, it is not possible to comply with the Authority's request regarding the number of personal details acquired from XX registered in its databases since currently the only numbers stored in the company systems, "accompanied by free, explicit and informed", are those provided by an Italian company and amount to approximately 6,900 names in 2021 and 30,000 in 2023.

A.C. Group also illustrated the initiatives undertaken to "increase the degree of compliance of internal processes [...] with legislation [...] regarding the protection of personal data", claiming to have turned to an external privacy consultancy company for this purpose. In specifying that it registered in the Public Registry of Oppositions on 17 January 2023, it declared that it constantly checks the presence of the contact numbers in it. It revised the call script (of which a copy was produced) and prepared a new information text for the processing of personal data. Finally, it reiterated that it had promptly deleted the name of the complainant from its databases, who was promptly informed of it, underlining the uniqueness of the conduct complained of (it was a single phone call lasting a maximum of 30 seconds).

4. LEGAL ASSESSMENTS

With reference to the factual profiles highlighted above, also based on the Company's statements, for which the declarant is responsible pursuant to art. 168 of the Code, the following legal assessments are formulated.

4.1. Data from list providers and consent of interested parties

The Company's promotional activity was found to have been carried out without verifying the conditions of lawfulness of the processing, with particular reference to the prior consent of the interested parties.

From the analysis of the personal data acquired "exceptionally" from XX and promptly deleted following the proceedings instituted before the Authority, as well as the lists provided by the Italian partner and which currently populate the company database, it did not emerge that A.C. Group has verified the existence of the legal basis of consent that would have legitimized the promotional contacts.

Furthermore, it did not appear that the Company consulted the Public Register of Oppositions in reference to the records provided by XX nor to the additional numbers acquired over the years from the Italian partners, despite A.C. Group having guaranteed that it carries out this requirement before carrying out any promotional campaign.

In this regard, it must be noted, first of all, that the documentation produced in support of the defense briefs would only certify the qualification of the Company, as an operator, for the services of updating the lists in the Public Register of Oppositions and not also the consultation of the numbers provided by XX or by other partners; moreover, the described authorization was registered in January 2023, therefore after the phone call to the complainant on 30 December 2022.

Therefore, already in the first contact with the interested party, A.C. Group should have submitted the list of records now in its availability for confirmation by the Public Registry of Oppositions; a circumstance which would have allowed the complainant, who had correctly formulated his opposition, to be excluded from the list of contactable subjects. Furthermore, it should have verified that the presence of the users on the list was legitimized by the desire of the interested parties to be contacted for promotional purposes, through the signing of specific consents.

A.C. Group, on the other hand, never mentioned the presence or absence of an original consent that authorized at least the first promotional call, but the creation of contacts seemed to be mainly subject to a geographical criterion; therefore the commercial calls were made not on the basis of specific consent but based on the Company's need to contact the users of a specific geographic area/zone. In fact, according to the Company, if the complainant's data had been correct and had indicated his current place of residence, the phone call of 30 December 2022 would not have been made because "it was the intention" of A.C. Group to "contact the names [of] Bologna and not [of] Treviso" (see reply dated 23 February 2023).

The conduct described, as admitted by the Company itself, constitutes the "modus operandi" with which the promotional activity is carried out and was also replicated in reference to the numbers acquired from XX, moreover in the absence of any guarantee, even of a formalistic nature, on the lawfulness of the same.
It emerged, therefore, that A.C. Group did not verify that its partners had issued suitable information to interested parties, pursuant to art. 14 of the Regulation, and acquired specific consent for communication to third parties (including A.C. Group) for marketing purposes, with consequent repercussions on the legitimacy of the Company's promotional activity.

Ultimately, the processing described gave rise to promotional telephone calls being made without the informed consent of the interested parties, since the Company did not produce any evidence capable of documenting its acquisition. Nor can this breach be considered overcome by the reassurances offered by the suppliers on the lawfulness of the lists (as in the case of the contract signed in 2023 with the Italian partner - point 2.5 - the only one available), nor, even less, can the contractual provision of indemnity clauses on the verification of consent be relevant (such as that expressed in the aforementioned act in point 2.6), which has value only with regard to the contractual relationships between the parties and not with respect to the guarantees to be given to the interested party in relation to the processing of his data. Furthermore, the intentions for the new promotional activities proposed by the Company in the response dated 23 February 2023, together with the recent initiatives, are not suitable to overcome the critical issues identified, since the method of requesting consent during the first phone call appears confirmed, without verifying its acquisition before each campaign.

Therefore, the violation of articles 5 par. 1 letter a), 6 par. 1 letter a), 7 of the Regulation and art. 130 of the Code must be confirmed, for having carried out telemarketing activities in the absence of the prior informed consent of the interested parties, not only in relation to the case referred to in the complaint, but in the overall processing carried out by A.C. Group.

Furthermore, the violation of the art. 1, paragraph 11, of law no. 5/2018, in relation to the following paragraph 12 and the art. 130, paragraph 3, of the Code, with reference to the Company's carrying out telemarketing activities without having consulted the complainant's telephone number and the details acquired by XX in the Public Register of Objections.

4.2. Telephone contacts and information

The call script used during promotional contacts - attached to the reply of 23 February 2023 and, in its renewed version, to the defense brief - contains the sole indication of the ownership of the processing by A.C. Group and a generic reference to the privacy policy which can be consulted by accessing the Company's website (http://www.acgrouprovigo.com/).

The text thus formulated, also lacking the necessary information on the origin of the personal data (i.e. the subject from whom the same data would have been acquired), does not allow the interested party to have full knowledge of the processing carried out by the Company. Nor does the mere deletion of the complainant's data, as represented by A.C. Group in its reply, exhaust the data controller's obligations to provide the applicant with all the information that could have allowed the applicant to exercise control over their personal data (see provision dated 27 January 2022, no. 23, web doc. no. 9746068 on www.gpdp.it).

Furthermore, it must be noted that the lack of these elements in the call script cannot be considered overcome by the fact that the data can be known aliunde, nor can a mechanism be considered acceptable that forces the interested party to access the website of A.C. Group, or to declare themselves interested in the Company's services, in order to acquire all the information required by articles 13 and 14 of the Regulation, thus also contravening the requirement of easy usability of the information underlying art. 12 of the Regulation, in the broader context of the basic principle of transparency (see provision dated 15 December 2022, no. 429, web doc. no. 9852290; provision dated 27 May 2021, no. 217, web doc. no. 9689375; provision dated 13 April 2023, no. 183, web doc. no. 9894662, all on www.gpdp.it).

Added to this is the fact that, as represented above, there is no evidence of the release to the interested parties of the information from the list providers, including that of XX, as a necessary prerequisite for the legitimacy of the communication of the data to A.C. Group and subsequent use for promotional purposes, also impacting the validity of any original consent to marketing.

Therefore, the violation of articles 12, 13 and 14 of the Regulation is considered confirmed, since it appears that suitable information has not been provided to the interested parties, not only in relation to the case referred to in the complaint but in the overall processing carried out by A.C. Group.

4.3. On accountability

The treatments described above give a picture of inadequate control and failure to comply with the rules on the protection of personal data.

A.C. Group has not provided elements to prove the lawfulness of the processing, with particular regard to the information and consent obligations. This is in relation both to the Italian partners and to XX, with whom the economic terms of the promotional campaign were defined via WhatsApp (see invoice sent via WhatsApp on 11/08/2022), without following up with agreements or directives, even if not made explicit in contractual form, which would have made it possible to reconstruct the legal context in which the processing was carried out and to specifically qualify the roles and responsibilities of the Company and the entire supply chain.

It should also be noted that the Company does not appear to have taken any precautions in choosing the XX supplier with which it would have come into contact through a third party operating in the energy sector, without paying attention to the aspects related to data processing and the guarantees afforded to interested parties. Only after the complainant's request and the observations raised by the latter was the Company able to ascertain that the data provided by XX were not updated and, therefore, incorrect.

Therefore, the processing of personal data for marketing purposes, carried out using personal data lists obtained from XX, was found to lack the requirements of lawfulness, correctness and transparency identified by art. 5 of the Regulation.

In the absence of adequate controls on the entire processing chain (from collection to the implementation of the promotional campaign), the marketing activity is in violation of articles 5 par. 2 and 24 of the Regulation, which frame the data controller's responsibilities with a view to the necessary enhancement of the principle of responsibility (accountability) aimed at proving the fulfilment of the obligations regarding the protection of personal data, also taking into account the principle of privacy by design (art. 25 of the Regulation).

5. CONCLUSIONS

For the above, the responsibility of A.C. Group is considered established regarding the following violations of the Regulation:

- art. 5 par. 2;

- art. 6 par. 1, letter a);

- art. 7;

- art. 12;

- art. 13;

- art. 14;

- art. 24;

- art. 25;

as well as art. 130 of the Code.

Having ascertained the illicit nature of the Company's conduct described above, it is necessary to:

a) prohibit the processing of personal data collected in the absence of informed, free, specific, documented and unequivocal consent of the interested parties in the marketing activity, pursuant to articles 6, 7, 12 and 14 of the Regulation, as well as art. 130 of the Code;

b) order A.C. Group to proceed without delay with the deletion of said data, except for those that are necessary to keep for the fulfillment of legal obligations or for any contractual reasons;

c) order, in the event that the Company intends in the future to direct promotional activity towards telephone numbers provided by third parties:

- to adopt suitable procedures aimed at constantly verifying, also through adequate random checks, that personal data are processed in full compliance with the relevant provisions (prior acquisition of free, specific, unequivocal, documented, as well as informed consent from the interested parties for sending commercial communications), pursuant to articles 6, 7, 12, 13 and 14 of the Regulation as well as art. 130 of the Code;

- to adopt adequate procedures aimed at keeping track of processing activities also within the supply chain and proving compliance with the rules on the protection of personal data (articles 5, paragraph 2, and 24 of the Regulation);

d) with regard to the processing already carried out, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to articles 58, par. 2, letter i) and 83, pars. 4 and 5 of the Regulation.

6. ORDER INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION

Based on the above, various provisions of the Regulation and the Code have been violated in relation to related processing carried out by A.C. Group, for which art. 83, par. 3, of the Regulation applies, according to which "if, in relation to the same treatment or related treatments, a data controller violates, with intent or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation", with consequent application of only the sanction provided for by art. 83, par. 5, of the Regulation.

To determine the amount of the sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1), it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation.

In the specific case, the following circumstances must be taken into consideration as aggravating factors:

1. the seriousness of the violations detected with particular reference to the absence of random checks of the contact numbers acquired from the partners and the related marketing consent issued by their holders, as well as the unsuitability of the information provided during promotional telephone calls, also taking into account that A.C. Group declared that it had only deleted the records provided by XX, instead retaining the additional data obtained from Italian suppliers, considering its actions correct (art. 83, par. 2, letter a);

2. the high number of data currently stored in the company management system and which are being processed for promotional purposes, not only in the absence of consent, but with the total unawareness of the interested parties (art. 83, par. 2, letter a);

3. the discrepancy in the Company's conduct with respect to the consistent regulatory activity of the Authority regarding marketing with particular reference to information and consent (art. 83, par. 2 letter k).

As mitigating elements, it is believed that the following should be taken into account:

1. the absence of previous sanctioning proceedings against the Company (art. 83, par. 2 letter e);

2. the nature of the data processed, consisting of common personal and contact data, as well as the level of harm caused to the interested party, which is considered to be of a minor nature since the conduct complained of in the complaint concerned only one unwanted phone call from the Company (art. 83, par. 2, letters a and g);

3. the degree of cooperation in interaction with the Supervisory Authority (art. 83, par. 2, letter f);

4. the micro-enterprise nature of A.C. Group S.r.l.s. as well as the 2022 financial statement data provided by the Company (art. 83, par. 2, letter k).

Based on all the elements indicated above, in application of the aforementioned principles of effectiveness, proportionality and dissuasiveness referred to in art. 83, par. 1, of the Regulation, taking into account that the maximum applicable in the specific case is 20 million euros (art. 83, par. 5, Reg.) as well as the necessary balance between the rights of the interested parties and freedom of enterprise, also for the purpose of limiting the economic impact of the sanction on the organisational, functional and employment needs of the Company, it is believed that the administrative sanction of paying a sum of 10,000.00 (ten thousand/00) euros, equal to 0.05% of the statutory maximum, should be applied to A.C. Group.

In the case in question, it is believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, should also be applied, taking into account the matter under investigation, i.e. the phenomenon of unwanted marketing, capable of causing significant damage to the rights and freedoms of interested parties, with respect to which this Authority has adopted numerous measures both of a general nature and aimed at certain data controllers and on which the user's attention is high.

It is recalled that, pursuant to art. 170 of the Code, anyone who, being required to do so, does not comply with this provision prohibiting processing is punished with imprisonment from three months to two years and that, in case of non-compliance with the same provision, the sanction referred to in art. 83, par. 5, letter e) of the Regulation applies.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, par. 1, letter f) of the Regulation, declares unlawful, within the terms set out in the justification, the processing carried out by A.C. Group S.r.l.s., with registered office in Via Luigi Einaudi, n. 99, 45100 Rovigo, VAT number 01609100290, and consequently:

a) pursuant to art. 58, par. 2, letter f) of the Regulation, prohibits the processing of personal data collected in the absence of informed, free, specific, documented and unequivocal consent of the interested parties in the marketing activity, pursuant to articles 6, 7, 12 and 14 of the Regulation, as well as art. 130 of the Code;

b) pursuant to art. 58, par. 2, letter d) of the Regulation, orders the Company to delete said data without delay, except for data that is necessary to keep for the fulfillment of legal obligations or for any contractual reasons;

c) pursuant to art. 58, par. 2, letter d) of the Regulation, orders, in the event that the Company intends in the future to direct promotional activity towards telephone numbers provided by third parties:

- to adopt suitable procedures aimed at constantly verifying, also through adequate random checks, that personal data are processed in full compliance with the relevant provisions (prior acquisition of free, specific, unequivocal, documented, as well as informed consent from the interested parties for sending commercial communications), pursuant to articles 6, 7, 12, 13 and 14 of the Regulation as well as art. 130 of the Code;

- to adopt adequate procedures aimed at keeping track of processing activities also within the supply chain and proving compliance with the rules on the protection of personal data (articles 5, paragraph 2, and 24 of the Regulation);

d) pursuant to art. 157 of the Code, orders the Company to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation.

ORDERS

pursuant to art. 58, par. 2, letter i) of the Regulation, A.C. Group S.r.l.s., in the person of its legal representative, to pay the sum of 10,000.00 (ten thousand/00) euros, as a pecuniary administrative sanction for the violations indicated in the justification; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 10,000.00 (ten thousand/00) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of law no. 689/1981;

PROVIDES FOR

as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, the publication of this provision on the Guarantor's website and, pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation, of the violations and measures adopted.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller has his residence, or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 26 October 2023

PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE GENERAL SECRETARY
Mattei