ITALIAN SUPERVISORY AUTHORITY: Telemarketing: the user’s “no” must be registered immediately – Healthcare: greater guarantees are needed for cross-border prescriptions – Cloud in the PA: the EU Authorities ask for respect for privacy


Telemarketing, Guarantor: the user’s “no” must be registered immediately

If the user says “no” to an unwanted commercial call, the call center or the company that contacted them must immediately note their wishes and delete their name from the lists used for telemarketing. The objection expressed during the phone call does not have to be confirmed by email or other methods, as operators often ask users to do, and is also valid for future promotional campaigns.

The principle was affirmed by the Privacy Guarantor which, at the end of a complex preliminary investigation, found various instances of unlawful conduct by Edison Energia spa against a significant number of users. The Authority therefore ordered the company to adopt a series of measures to comply and ordered it to pay a fine of 4 million and 900 thousand euros.

Within the established deadline, the company availed itself of the right to settle the dispute and paid an amount equal to half of the fine imposed.

The serious irregularities emerged during the investigations carried out by the Authority following various reports and included: the receipt of telephone calls without consent; failure to respond to requests to stop receiving unwanted phone calls; the impossibility of expressing free and specific consent for different purposes (promotional, profiling, communication of data to third parties) within the site or app; and the presence of deficient or inaccurate information.

The Guarantor therefore ordered Edison to facilitate the exercise of the rights provided for by the legislation on the protection of personal data and to provide feedback, without delay, to requests, including those relating to the right to object.

This right, the Authority specified, can be exercised “at any time” (even during the promotional phone call), and the user’s will must be correctly recorded.

The Guarantor has also prohibited the company from any further processing for promotional purposes carried out using contact lists prepared by other companies that have not acquired free, specific, informed and documented consent to the communication of user data. If the company wishes, in the future, to use telephone numbers provided by third parties for promotional activities, it will have to constantly verify, also through adequate random checks, that the data is processed in full compliance with privacy legislation.

Finally, the company was prohibited from processing data for marketing and profiling purposes collected without free and specific consent and was ordered to provide users with correct information, in which only the processing activities actually carried out are indicated.



Healthcare: greater guarantees are needed for cross-border prescriptions.
The indications of the Privacy Guarantor to the Ministry of Health

For cross-border prescriptions, greater guarantees are needed and the Guarantor for the protection of personal data is ready to offer its collaboration to the Ministry of Health for a privacy-proof cross-border assistance system.

This is the content of the opinion that the Authority gave to the Ministry of Health on a draft decree that defines the methods of access to prescriptions for medicines issued in Italian territory to patients who intend to use them in another Member State of the European Union.

The Guarantor first of all underlined that health data, due to their particular nature, require strengthened protection and must be handled in compliance with the specific legislation on data protection, respecting its principles. It therefore gave precise indications to the Ministry to overcome the various critical issues currently present in the text. In particular, it will be necessary to reformulate and better clarify the relationships between the various subjects (prescribing doctors, Ministry of Health, Ministry of Economy and Finance, etc.) involved in the process of generating and using the cross-border prescription, specifying the ownership of the data processing operations. The draft must better specify the information to be provided to the data subject, indicate the correct legal basis and the reason of relevant public interest that allow the processing of the data, and specify the operations that can be performed and the appropriate protections provided for the fundamental rights of the data subjects.

The Ministry will also have to bring into line with the Guarantor’s indications, including those given in a previous opinion (22 August 2022, n. 294), the methods through which the Health Card System makes data available to Electronic Health Records and pharmaceutical dossiers through the national infrastructure. Finally, it must be specified which subjects can access it and for what purposes. In order to guarantee the quality and security of the information, appropriate measures must also be adopted, such as, for example, a preventive impact assessment.



Cloud in the PA: the EU Authorities ask for respect for privacy


The European Data Protection Board (EDPB) has adopted a report on the results of its first coordinated enforcement action relating to the use of cloud services by the public sector.

The Report is the result of the activity of 22 privacy authorities of the European Economic Area which, within the framework of the Coordinated Enforcement Framework (CEF), started coordinated investigations on the use of the cloud in public administrations, interviewing around a hundred entities active in crucial sectors such as healthcare, tax and education, as well as purchasing centers and ICT suppliers.

In the report, the EDPB highlighted the need for public bodies to act in full compliance with the GDPR, providing PAs with a series of recommendations, starting with the renegotiation of cloud contracts, with the involvement of the data protection officer. The European Committee also invites Data Protection Authorities to promote the compliance of cloud solutions, through the publication of non-binding opinions (or recommendations) on the obligations of data controllers and on the importance of conducting an impact assessment.

The Privacy Guarantor also participated in the investigation. What emerges from the Italian context is a general “lack of awareness” of transfers to third countries and of requests for access to data stored in the European Economic Area by public authorities of third countries, as well as of any further processing of data carried out by suppliers of cloud services via telemetry (used to monitor the functioning of the infrastructure). Another delicate aspect concerns auditing: some entities have complained that cloud providers do not allow verification and inspection activities to be carried out and that it is difficult to agree on specific clauses.

“The report – commented Andrea Jelinek, President of the EDPB – provides a useful yardstick and I am confident that it will become an important point of reference for administrations looking for cloud services compliant with the European Regulation”.

https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9857857
