Since Regulation no. 2016/679/EU (General Data Protection Regulation or "GDPR") entered into force almost two years ago, the Data Protection Authorities of most European States started an enforcement phase, also applying heavy sanctions for a number of GDPR infringements. Among such Authorities, in Italy the Autorità Garante per la Protezione dei Dati Personali ("DPA") recently issued a very significant sanction (above 20 million) against a telco operator ("Telco Operator"), for certain unlawful personal data processing, mostly related to marketing activities.

There are a number of lessons that could be drawn also beyond the telco arena. In this brief article, we will focus on the main principles that data controllers should take into account when processing personal data for marketing purposes.

The corrective measures imposed by the DPA: what data controllers should take into account in processing personal data

The DPA provided several indications on how to correctly and lawfully process personal data, particularly in relation to marketing activities.

First of all, the DPA highlighted the importance of processing personal data when data subjects have provided a valid consent. The DPA prompted a well-known principle: no processing for marketing purposes can ever take place lawfully in case data subjects had previously refused to receive promotional calls. In addition, data controllers should always ensure that their internal procedures are construed in a way that allows full enforcement of data subjects' rights.

In addition, the DPA focused on the processes that data controllers should always implement when processing their customers' personal data for marketing purposes: before addressing marketing communications, data controllers are required to verify the correctness of the blacklists and to verify whether the data subjects' contact details are listed in the Italian opt-out register.

What are the main criteria the DPA takes into account when issuing sanctions

When deciding whether to impose an administrative fine and deciding on its amount, the European Data Protection Authorities should refer to the criteria set forth under Article 83 of GDPR, namely:

  1. the nature, gravity and duration of the infringement (taking into account the nature, scope or purpose of the processing and the number of data subjects affected as well as the level of damage);
  2. the intentional or negligent character of the infringement;
  3. any action taken by the controller or processor to mitigate the damage;
  4. the degree of responsibility of the controller or processor (taking into account technical and organisational measures);
  5. any relevant previous infringements by the controller or processor;
  6. the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
  7. the categories of personal data affected by the infringement;
  8. the manner in which the infringement became known to the supervisory authority;
  9. where measures referred to in Article 58(2) have previously been ordered against the controller or processor and compliance with those measures;
  10. adherence to approved codes of conduct; and
  11. any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

In issuing its fine against the Telco Operator, the DPA referred to the following criteria as main aggravating circumstances:

  • the wide range of processing activities;
  • the significant number of data subjects involved;
  • the seriousness of the breaches identified;
  • the significant duration of the breaches;
  • the willful character of some conducts and the gross negligence of others;
  • the repetition of the breaches; and
  • the existence of significant economic advantages.

As for the main mitigating factors, the DPA took into account:

  • the adoption of measures to mitigate or eliminate breaches during the proceedings;
  • the cooperation provided by the Telco Operator during the investigation and the proceedings;
  • the categories of data processed; and
  • the financial status of the data controller (e.g. margins decrease, etc.).

What to expect now?

In light of the recent indications of the DPA, companies should be particularly aware of the modalities and granularity through which data subjects' consent is collected, always double checking the Italian opt-out register.

Besides commenting upon the sanctions, most commentators highlighted the need for companies in all sectors to receive further and more detailed indications from the DPA on how to process marketing personal data: indeed, most of the guidelines issued by the DPA – and in some instances still applied – do not take into account the amendments introduced by GDPR.

It is no doubt a very interesting time for privacy stakeholders in Italy as many clarifications are yet to come!

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.