Unsolicited e-mail marketing: the Italian Data Protection Authority imposes a fine of EUR 2 million

By an order dated 11April 2019, the Italian Data Protection Authority (“Garante per la protezione dei dati personali”) ruled in a case of unsolicited marketing by imposing an exemplary fine of EUR 2 million on Vincall, a company that provides distance marketing and distance selling services on behalf of different companies.

The case arose from a marketing operation promoted by Edison Energia S.p.a. and carried out by its sales agent Green Power S.p.a., aimed at signing new customers to energy and gas supply contracts. Green Power had tasked Vincall with contacting potential customers by telephone. Vincall, in turn, had delegated this activity to an Albanese company (namely, Tele It), which had used  a proprietary database of  telephone numbers that had not been supplied, or validated, by any of the three companies up the chain. After having obtained their assent to subscribe a contract, Tele It had transferred the personal data of the new clients to Vincall, which had subsequently re-contacted them for a final confirmation. Having obtained this confirmation, Vincall had filled in the paper forms  and placed initials at the bottom, eventually sending the contracts to Green Power, which then forwarded them to Edison.

Following several complaints, the Special Privacy Unit of the Italian Tax & Customs Police carried out an inquiry and eventually charged Vincall with the infringement of the then-applicable rules of the Data Protection Code (in its version prior to the amendments following application of the GDPR) for failure to provide an adequate privacy notice to the data subjects in connection with the telephone calls made through its call centre, and failure to obtain specific consent for the collection and processing of personal data for marketing purposes.

Vincall excused itself by claiming that its role consisted solely of the review of documents sent by Tele It, which should therefore be held liable in its stead. However, the Garante observed that Vincall’s claims conflicted with evidence acquired by the Tax & Customs Police. When Vincall had contacted the customers in order to obtain confirmation of their willingness to subscribe new contracts, it had done so in the absence of a specific appointment as a data processor, thus, in the Garante’s view, acting as an independent data controller: the obligation to provide an adequate privacy notice, as well as to obtain valid consent for the collection and processing of personal data for marketing purposes, fell therefore upon Vincall. In this regard, the inquiry had clearly shown that the new clients had had no chance of receiving a proper privacy notice either through paper forms (which were not signed by them), or by telephone; and that they had never provided written consent to the processing.

In the Garante’s view, the severity of the offences called for an exemplary penalty. The Garante observed in this regard that the conducts in question appear to have been carried out“in a context of marked disregard for the overall legislation on the protection of personal data”and of“superficial underestimation of the serious implications deriving from customer acquisition practices based on informality and on the unilateral over-simplification of the framework of formal obligations prescribed by the law”.