Italy: Garante imposes €300,000 fine, warnings, and orders on Ediscom for unlawful marketing practices

The Italian data protection authority ('Garante') announced, on 17 April 2023, in its monthly newsletter, that it had issued, on 23 February 2023, its decision No. 51, in which it imposed a fine of €300,000, two warnings, and two compliance orders on Ediscom S.p.a., for violations of Articles 5(1)(a), 5(1)(b), 5(1)(c), 5(2), 6, 6(1)(a), 7, 7(2), 14, 24, and 25 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and Article 130 of the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to the GDPR ('the Code'), following the receipt of complaints.

Background to the decision

In particular, the Garante explained that, on the basis of a number of complaints, it had carried out inspections at Ediscom's premises to examine, among other things, the database the company used to carry out its marketing activities. More specifically, the Garante noted that Ediscom sent messages received from its clients to the data subjects present in its databases, to carry out promotional campaigns on the clients' behalf via SMS messages, emails, and automated calls. In addition, the Garante specified that the database in question, which contained the personal data of 21 million individuals, consisted of data collected directly by Ediscom through various online portals (by means of news, prize competitions, trivia, cooking recipes), as well as personal information purchased from data brokers.

Findings of the Garante

Further to the above, at the end of its investigation, the Garante found that, in some of its portals, Ediscom employed dark patterns, which, through appropriately designed graphic interfaces and other potentially misleading methods, enticed users to give their consent to the processing of data for marketing purposes and to the communication of data to third parties for the same purpose. Accordingly, the Garante found Ediscom in breach of Articles 5(1)(a), 7(2), and 25 of the GDPR.

Moreover, the Garante found a number of other violations, including:

  • Articles 5(1)(a), 5(1)(b), 5(1)(c), 6, and 7 of the GDPR, owing to the collection of excessive personal data of users relating to purchasing capacity and habits, household, employment, and annual income, among others, leading to processing operations that, depending on their actual implementation, may entail the profiling of data subjects without corresponding specific consent;
  • Articles 6 and 14 of the GDPR, as users were asked to fill in questionnaires and, incidentally, were also invited to provide names and email addresses of third parties potentially interested in subscribing to the same service, without being informed of the content of the messages that would be sent on their behalf, nor of the manner in which the third parties would be contacted; while the third parties themselves, who received the invitation emails, were not informed of the processing carried out by Ediscom;
  • Articles 5(1)(a), 6(1)(a), and 7 of the GDPR, in relation to the integration between different services and contextual data registration across portals;
  • Article 5(1)(a) of the GDPR, owing to the incorrect qualification of Ediscom as a data processor, which led to failures in recording withdrawals of consent and the consequent sending of promotional messages to persons who had objected to the same;
  • Articles 5(2) and 25 of the GDPR, for the inadequate checks carried out on marketing lists acquired from third parties; and
  • Articles 6(1)(a) and 7 of the GDPR and Article 130 of the Code for the inadequate collection of declarations of consent for the sending of promotional messages.

Outcomes

In light of the violations ascertained, the Garante imposed on Ediscom:

  • a fine of €300,000;
  • a warning, in relation to the processing operations that may involve the profiling of data subjects without corresponding specific consent;
  • a prohibition on the processing of personal data, in particular of third parties provided by other users, without an appropriate legal basis;
  • a prohibition on the processing of personal data collected through the interaction of services where it is not possible to document valid consent; and
  • a warning, with regard to infringements resulting from the establishment of contractual relations which were not accompanied by a clear definition of the data processing roles.

Finally, the Garante noted that Ediscom had already settled the dispute by paying an amount equal to half of the penalty imposed.

You can read the newsletter here and the decision here, both only available in Italian.
