Respect users' wish not to be disturbed, make no marketing calls without prior specific consent, and adopt adequate technical and organizational measures to protect users' privacy.
These are some of the prescriptions, in addition to fines, that the Italian Data Protection Authority has imposed on three call center companies that disturbed tens of thousands of users with commercial offers.
After sanctioning the phone companies that had commissioned promotional campaigns from call centers without specific instructions and controls, the Authority carried out investigations into the work of those telemarketing companies.
The Authority's complex investigation found that the three call centers had called many people who were not included in the official lists provided by the customer, using so-called “out of list” numbers.
The out-of-list telephone numbers belonged to users who had not given free and specific consent to be contacted for commercial promotions, or who were enrolled in the Register of Public Oppositions. Many of them had repeatedly told operators of the call centers or of the commissioning company that they did not want to be disturbed anymore and wanted to be added to the blacklist.
Some telephone numbers used for commercial calls did not belong to “referenced” utilities (that is, numbers suggested by relatives or friends) but had an uncertain origin, or one that was not verified and documented.
The Authority also found a breach of the principle of privacy by design, meaning the lack of adequate governance of the data processing needed to guarantee the rights of data subjects set out in the European Regulation (GDPR).
In calculating the amount of each sanction, the Authority took into account, among other things, the different levels of seriousness of the breaches committed by the three call centers and the cooperation with the Authority, as well as the serious social and economic crisis connected to the pandemic emergency.
The first call center committed the highest number of breaches. It disturbed the highest number of people, and with high frequency: one user was contacted, despite his opposition, as many as 155 times in a month. It will have to pay a sanction of 80.000 euros.
The second call center also showed some deficiencies in its system, in particular the lack of checks on the lawfulness of the data in contact lists bought from third companies, including the validity of the consents given for marketing. During the investigation, the call center stated that it had designated a DPO and had taken a step towards a comprehensive revision of its commercial strategy and privacy policy. The company was sanctioned with a fine of 15.000 euros.
The third call center received a smaller sanction, having managed the problem of the “referenced” phone utilities by keeping track of elements such as the origin of the data and the operators who had worked on the specific utilities. The company, in the event of termination of its activities and voluntary liquidation, shall pay a sanction of 5.000 euros.
In all three cases, the Authority did not consider legitimate interest to have been validly used as a legal basis, prohibited any further processing for marketing purposes of the unlawfully processed data, and prescribed the implementation of the necessary and adequate measures to ensure the so called processing, with particular attention to “out of list” data and data on the blacklist.
SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELL’ITALIA – GPDP