For several months now there has been a high level of legal uncertainty in Italy with regards to the applicability of the provisions of the Italian Privacy Code (Legislative Decree no. 196/2003) concerning unsolicited marketing communications to legal entities (i.e. companies, corporations, associations, etc.). A few days ago the Italian Data Protection Authority issued an interpretative decision, shining a light on the issue.

Before considering the Authority’s decision, it may well be useful to briefly summarise what happened:

  • Section 130 of the Italian Privacy Code regulates (i) the use of automated calling systems without human intervention for marketing purposes, and (ii) the transmission of unsolicited marketing communications via e-mail, fax, SMS and MMS;
  • the original text of Section 130 of the Italian Privacy Code applied to “data subjects”, meaning any individual or legal entity; 
  • in December 2011 a Decree (no. 6/2011) issued by the Italian Government amended the Italian Privacy Code (Legislative Decree no. 196/2003), excluding legal entities from the definitions of “personal data” and “data subject”, which now refers solely to individuals only;
  • in light of such reform, several enterprises started to send unsolicited marketing communications to legal entities via email, fax, SMS and MMS, relying on the assumption that such communications were out of the scope of the Italian Privacy Code;
  • notwithstanding the reform of 2011, legal entities continued to benefit from the possibility to register with the Italian Robinson List (Registro delle Opposizioni), i.e. the opt-out list of “contracting parties” of an electronic communication service who do not wish to receive telemarketing and mail marketing communications, as (i) the definition of “contracting party” contained in the Italian Privacy Code included both legal entities and individuals and (ii) the provisions of the Italian Privacy Code regulating the Robinson List apply to any “contracting party” (so including legal entities);
  • in May 2002 a Legislative Decree (n. 69/2012) issued by the Italian Government amended Section 130 of the Italian Privacy Code, replacing the words “data subjects” with the words “contracting parties” in order to extend protection to legal entities against the use of automated calling systems without human intervention for marketing purposes and the sending of unsolicited marketing communications by e-mail, facsimile, SMS and MMS.

Following several requests for clarification sent by enterprises and citizens, the Italian Data Protection Authority has clarified that, in light of the last reform of 2012, Section 130 of the Italian Privacy Code applies to legal entities again.

On the basis of such interpretation, by way of example, an Italian enterprise, acting as data controller, which intends to contact a company via email to advertise its product or services, should (i) provide such company with a privacy information notice compliant with Section 13 of the Italian Privacy Code and (ii) obtain the prior, express, specific and freely given consent of such company.

Nevertheless, the Authority has pointed out that, although legal entities shall continue to be protected against such forms of unsolicited communications, they may no longer be able to enforce their rights under the Italian Privacy Code. Indeed, many of the rights granted by the Italian Privacy Code (including the possibility to make a claim for privacy breach before the Authority) are reserved to “data subjects” only and as a consequence solely to individuals and not legal entities.

There is also another inconsistency caused by the recent reforms. As above clarified, the provisions of the Italian Privacy Code regulating the Italian Robinson List only apply if the contact data (telephone numbers or mail addresses) are extracted from the public telephone directories. Therefore, should data controllers be able to prove that contact data have been obtained from other sources (e.g. Internet sites, public registers, commercial documents), legal entities would have no protection whatsoever against telemarketing and mail marketing.

The Authority has called on the Italian Parliament to fix such criticalities and implement further changes to the Italian Privacy Code.