By order No. 4 of 12 January 2017, the Italian Data Protection Authority set out the rules on personal data processing for marketing purposes, finding unlawful both the processing of data collected through forms available on websites and the processing of data (namely, telephone numbers) autonomously collected on the Web.
By order No. 4 of 12 January 2017, the Italian Data Protection Authority (hereinafter the “Authority”) ruled again on data processing for marketing purposes. Said decision involved a company engaged in the sector of IT services, which, through a form available on its website to be submitted for obtaining an estimate for its services, first collected and then processed customers’ data with a view to, inter alia, transmitting promotional material. From the Authority’s investigation it emerged that the customers’ data collected in such a way (which, in the majority of cases, concerned legal entities or other persons having a VAT number such as one-man businesses or liberal professionals) had been processed without first obtaining the specific consent of the parties concerned to the sending of automated promotional information. It was moreover ascertained that the company in question, with a view to acquiring new customers and promoting its services, contacted telephone numbers autonomously extracted from the contact section of the websites of the companies, liberal professionals and businessmen concerned, without giving any notice thereof or requesting any specific consent thereto. Before examining the Authority’s decisions as to the aforesaid types of processing, it is worth ascertaining to what extent the provisions of Legislative Decree No. 196/2003 (hereinafter the “Privacy Code”) apply to legal entities.
1. The protection afforded to legal entities under the Privacy Code
As is known, as a result of the amendments brought by Article 40, paragraph 2, a), of Decree Law No. 201 of 6 December 2011, converted with amendments into law No. 214 of 22 December 2011 (so-called “Salva Italia”), the processing of data on legal persons is, in the majority of cases, no longer subject to the Privacy Code rules. Exceptions to the general rule are however laid down in specific provisions on “unsolicited communication”. Article 130, paragraph 1, of the Privacy Code indeed provides as follows: “Without prejudice to Articles 8 and 21 of Legislative Decree No. 70 of 9 April 2003, the use of automated calling or communication systems without human intervention for the purposes of direct marketing or sending advertising materials, or else for carrying out market surveys or interactive business communication shall only be allowed with the subscriber’s or user’s consent”. Paragraph 2 in turn reads: “Paragraph 1 shall only apply to electronic communication by email, facsimile, MMS (Multimedia Messaging Service) or SMS (Short Message Service) or other means for the purposes referred to herein”. It is plain from the wording of such provision that the same applies to subscribers or users, and not to the parties concerned (i.e. the individuals to whom personal data relates). Article 4, paragraph 2, f) and g), of the Code defines, respectively, a subscriber as “a natural or legal person, body or association who or which is party to a contract with the provider of publicly available electronic communication services for the supply of such services, or is anyhow the recipient of such services by means of pre-paid cards” and a user as “a natural person using a publicly available electronic communication service for private or business purposes, without necessarily being a subscriber to such service”. 
So, whenever a legal entity acts as a subscriber – within the meaning specified above –, the processing of its data for the purpose of sending automated promotional communication shall only be allowed if its prior consent has been asked and obtained. The Authority commented further on this through its Guidelines on Marketing and against Spam of 4 July 2013. Paragraph 2.5 of the Guidelines reads: “Processing for promotional purposes, where performed by way of automated or similar tools, falls within the scope of Section 130(1) and (2) of the Code; accordingly, such tools may only be used for marketing purposes with the contracting party’s or user’s prior consent (opt-in requirement). In terms of making sure that a promotional communication is sent legitimately, it is therefore unlawful to inform recipients that they can object to further communications at the time such a promotional communication is first sent or to request their consent to the processing of their personal data for promotional purposes jointly with such a communication”.
2. The decisions made by the Authority
Turning now again to the case addressed in the order under examination, the Authority found unlawful both the processing of data collected through the form available at the company’s website and the processing of data (i.e. telephone numbers) autonomously collected by the company on the Web. Said decision was arrived at, respectively, as to the first type of processing, on the ground that the processing was done without first asking and obtaining the specific consent of customers (natural and legal persons) to the sending of automated promotional communication, as required by Articles 23 and 130, paragraph 1, of the Code, and, as to the second type of processing, on the ground that the processing of personal data of professionals and one-man businesses was done without prior notice and consent (thus breaching Articles 13 and 23 of the Code). The circumstance of the data being autonomously collected on the Web is, moreover, irrelevant. The online availability of phone numbers to the general public in no way allows their unrestricted and unconditional use for purposes other than those requiring their online publication. On the other hand, as stated by the Authority in the Guidelines on Marketing and against Spam of 4 July 2013, “the sending of promotional communications via the above-mentioned instruments [telephone calls, faxes, emails, mms-messaging, sms-texting and the like] is not allowed without prior consent, even if personal data is taken from public registers, lists, websites, instruments or documents publicly known or knowable”.