Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.
Electronic marketing and internet use
Are there rules specifically governing unsolicited electronic marketing (spam)?
There is a comprehensive set of rules governing direct marketing, resulting from the combined application of the EU General Data Protection Regulation (GDPR) (2016/679), the Personal Data Protection Code (specifically, the parts transposing the EU Directive on Privacy and Electronic Communications (2002/58/EC)) and the Data Protection Authority’s Guidelines on Marketing and Against Spam of 4 July 2013.
As a rule, data controllers may contact users for direct marketing purposes with the user’s prior consent. This rule applies to communications performed by means of automated calling or communications systems without human intervention or by email, fax or text message. Consent – provided that it satisfies the validity requirements of Articles 4(11) and 7 of the GDPR – needs to be given only once to enable marketing activities using different means of communication, provided that the data subject can opt out at any time from one or more of the data controller’s means of communication.
Further, when the personal data is drawn from publicly available papers or electronic directories, data controllers may contact users only by telephone or mail, provided that users have not exercised their right to object (the opt-out mechanism by means of an online platform maintained by the Fondazione Borboni, which is the Italian version of the so-called ‘Robinson list’).
Finally, where a data controller uses, for direct marketing of its own products or services, electronic contact details for emails supplied by a data subject in the context of the sale of a product or service, it need not request the data subject’s consent, provided that the services are similar to those that were the subject of the sale and the data subject, after being adequately informed, does not object to the use either initially or in connection with subsequent communications (the so-called ‘soft spam’ exception).
Further, where personal data is processed for direct marketing purposes, the data subject must have the right to object at any time to processing of his or her personal data for such marketing, including profiling to the extent that it is related to direct marketing.
So-called ‘technical cookies’ are exempt from this requirement. Technical cookies are used only to transmit a communication over an electronic communications network or in order for a service provider to deliver a service that has been explicitly requested by the subscriber or user. Under the Data Protection Code, technical cookies may be used without the user’s consent, provided that the user is informed as required.
Click here to view the full article.