A collaborator with an IT consulting company recently filed a claim with the Data Protection Authority challenging the unlawful processing of personal data by a franchisor. The claimant stated that the franchisor, together with a company that the franchisor had entrusted to provide IT consulting services, had sent an email to a large number of franchisees – that were part of the same network as the franchisor – inviting them to consult the approved company exclusively for any IT assistance and not to consider other proposals, such as the one contained in a promotional email that the claimant had previously sent to a known franchisee about the economic benefits of the IT services that its company offered.
According to the claimant, the email was sent in breach of Decree-Law 196/2003 (the Data Protection Code), without providing any information or obtaining consent, and thus constituted the unlawful processing of personal data. The claimant then asked the authority to prohibit the franchisor and the company which managed IT services for the franchising network on its behalf from processing any more of its personal data and to order the relevant cancellation of existing data.
The franchisor and its IT services contractor argued that the email was a personal initiative undertaken by a number of the contractor's employees, who had acted as autonomous data controllers with the sole purpose of informing franchisees of the opportunity to avail of IT services that it had previously evaluated. They claimed not to have processed any personal data unlawfully, as the information in the email had been sent for demonstration purposes only and thus no information or consent was required.
On April 23 2015 the authority admitted the claim, considering the grounds that the claimant advanced to be well founded. The operation carried out constituted a 'communication' pursuant to Article 4(1)(1) of the Data Protection Code, according to which:
"communication shall mean disclosing personal data to one or more identified entities other than the data subject, the data controller's representative in the State's territory, the data processor and persons in charge of the processing in any form whatsoever, including by making available or interrogating such data."
According to the authority, in terms of data processed, the franchisor and its contractor had to be considered data controllers and the persons who sent the communication to the franchisees had acted in their capacity as "persons in charge of processing" formally designated by the franchisor and the contractor. Further, the contractor had been appointed by the franchisor as a data processor pursuant to the agreement in force with the franchisor.
Pursuant to the Data Protection Code, data controllers and processors must ensure that parties which process data on their behalf or in their interest comply with the provisions in force with regard to processing data, as well as those related to security matters.
Regarding the behaviour challenged, the franchisor's liability (and that of the contractor) cannot be excluded. The email was sent to franchisees without prior warning and without acquiring their consent, which are necessary requirements for the processing of personal data.
The authority also prohibited the franchisor and its contractor from processing personal data without informing recipients or obtaining their consent and ordered the franchisor to adopt adequate measures to guarantee control over the parties that process data on its behalf.
The decision confirms a franchisor's liability as data controller with regard to the processing of personal data carried out on its behalf by contractors.
If personal data processing is carried out by a franchisor's contractor – which under the contractual relationship may be considered the de facto data processor or the party in charge of processing data, even if not formally appointed – it does not remove the franchisor's liability as data controller or its obligation to ensure that its data processors (or parties in charge of data processing) comply with the Data Protection Code.
Franchisors must be aware of any marketing activities that could be carried out on their behalf.
For further information on this topic please contact Marco De Leo or Beatrice Masi at Rinaldi e Associati by telephone (+39 02 7600 8860). The Rinaldi e Associati website can be accessed at www.rinaldilawf.com.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.