The Italian data protection authority ('Garante') published, on 19 October 2021, its decision 317 of 16 September 2021, in which it imposed a fine of €3.3 million to Sky Italia S.r.l., for violations of Articles 5(1) and (2), 6(1), 7, 12(2), 14, 21, 28 and 29 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

In particular, the Garante outlined that, following numerous reports and complaints, it had found that Sky had processing personal data obtained indirectly from third-party companies to carry out telemarketing activities, noting that, while the consent given by the data subjects to these companies constituted an appropriate legal basis for the transfer of their data, the same did not apply to the subsequent processing carried out by Sky, which also failed to provide the recipients of the promotional calls with adequate information about the processing. Additionally, the Garante highlighted that Sky did not carry out checks on the contact lists acquired from the abovementioned companies, nor did it verify the same against its register of oppositions, resulting in several data subjects receiving promotional calls despite having previously exercised their objection to the same. Moreover, the Garante found that Sky had also signed advertising contracts with various suppliers for the performance of promotional activities on its behalf, and considered, among other things, that Sky had breached the principle of accountability, had failed to appoint the abovementioned suppliers as data processors and to check the information provided by the same to the data subjects at the time of first contact, and did not adopt procedures for filtering the contact lists in the availability of the suppliers.

In addition, the Garante determined that Sky had carried out promotional activities in the absence of the necessary prerequisite of lawfulness, having failed to take into account several objections received from data subjects through its certified email address, and without adopting a system that facilitates the exercise of data subjects' rights.

Furthermore, the Garante, among other things, ordered Sky to cease any processing of the kind in question, to designate its partners and suppliers as personal data processors where appropriate, and to facilitate the exercise of the right of opposition by providing among the channels for receiving the related requests including its certified email address. Finally, in determining the amount of the sanction, the Garante took into account as aggravating factors the seriousness of the violations, which were deemed rooted in Sky's corporate procedures, and the significantly negligent nature of the conduct, given that its presence on the market for many years should have allowed it to acquire sufficient experience and competence to adopt basic choices in compliance with the law.

You can read the announcement here, and the decision here, both only available in Italian.