The Italian Supervisory Authority (Garante) has acted against a network of telemarketing companies not only by imposing fines but also by physically seizing their databases. We consider the implications of this dramatic sanction.
Background
This action arises out of what the Garante described as “wild telemarketing”. It related to a complicated web of companies who were unlawfully marketing residential energy services with sanctions being imposed on four companies, namely Arnia società cooperativa (for supplying marketing lists), Mas S.r.l and Mas S.r.l.s. (for making marketing calls), and Sesta Impresa S.r.l. (for acting outside its mandate from the relevant energy companies).
The Garante found that these companies operated in the “undergrowth” and used unlawfully produced marketing lists, containing personal data of data subjects who had never given their consent to receive phone calls for marketing purposes in relation to the promotion of certain energy companies’ commercial offers.
Breach and fines
More specifically, each company has been fined for the following GDPR/data protection law infringements:
- Arnia società cooperativa, who were fined Euros 800,000. The Garante concluded they had: (i) created lists containing more than 70,000 contacts of potential clients; (ii) communicated such personal data to Sesta Impresa S.r.l. (and other companies) without providing data subjects with the required privacy notice or having obtained their consent; and (iii) failed to cooperate with the Garante, duly and fully, during the investigation phase.
- Sesta Impresa S.r.l., who were fined Euros 300,000. This was for: (i) processing of personal data on behalf of the energy companies without having been appointed as processor or sub-processor; (ii) failing to appoint its commercial partners ( Mas S.r.l.) as processors authorized to process personal data (as per Article 29 GDPR and art. 2 – quaterdecies of the Italian Privacy Code); (iii) sharing its credentials to access the energy companies’ systems with Arnia società cooperativa, allowing non-authorized accesses; and (iv) processing personal data for marketing purposes without having being appointed as processor as well as for the lack of a proper legal basis that justified this processing.
- Mas S.r.l., who were fined Euros 500,000. This was for (i) using marketing lists without obtaining a proper and valid consent from data subjects or providing them with a privacy notice; (ii) acquiring these marketing lists from several providers, including foreign ones, without having verified the correct collection of the related personal data; and (iii) signing up users to contracts with Enel Energia despite not being appointed as processor or sub-processor. (As a result of the lack of being designated as processor, the Garante has stated that this transfer appeared to have been made by Mas S.r.l. as data controller.)
- Mas S.r.l.s., who were fined Euros 200,000. This was for not having communicated to the data controller the identification of Mas S.r.l. as sub-processor as well as for failing to prepare and make available the record of processing.
Seizure of databases
One of the most striking aspects of this enforcement is the seizure of both the paper and computer systems containing the illegally collected marketing lists.
This is, of course, not a power explicitly provided for under the GDPR as it does not appear in the list of corrective powers in Article 58(2). Instead, this power arises under domestic law in accordance with Article 58(6) which allows Member States to grant additional powers to supervisory authorities. In this case, those powers arise under 166, paragraph 7, of Legislative Decree no. 30 of 2003 June 196 and 20, paragraph 3, of Law no. 689/1981.
Noting that this is a draconian sanction, the Garante justifies its use on the basis that the four companies had set up their operations “in total disregard of the legislation on personal data” and that this was necessary to properly protect data subjects.
Conclusions
The Garante appears to be one of the first supervisory authorities to adopt the drastic sanction of seizure. Alongside the fines issued to the four companies, the seizure of the databases will largely prevent those companies from operating their core business.
This strong enforcement stance echoes the ban to ChatGPT. In that case, the Garante was the first supervisory authority to act on generative AI, highlighting both the risks this technology poses for personal data protection and the fundamental role the supervisory authorities have in regulating new technology. It demonstrates the intention of the Garante to occupy a strategic and leading role at an EU level, marked by the fact that other supervisory authorities took action against ChatGPT immediately after the news of the Italian ban.
The Garante’s action also demonstrates the risks of companies adopting a superficial attitude toward data protection compliance. Han Solo’s position may be: “Never tell me the odds” but that position looks increasing fraught with more muscular enforcement action from supervisory authorities across the EU.
For further information, please contact:
Sonia Cissé, Partner, Linklaters
sonia.cisse@linklaters.com