The legality of disclosure by transmission of personal data for direct marketing purposes under Italian data protection law

In today’s data-driven economy, direct marketing has become increasingly essential in companies’ business strategies. This type of marketing includes sending advertising material, commercial communications, direct selling or conducting customer satisfaction surveys.

While these marketing practices can prove valuable to a business, their success is highly dependent on their compliance with applicable legal requirements. Failure to meet these requirements generally turns direct marketing into what is commonly referred to as spam. An example of a illegal practice of direct marketing when a market participant shares the personal data of a data subject with several others who do not meet regulatory requirements.

The following paragraphs have the dual purpose of (i) clarifying the legal requirements for personal data to be shared with third parties so that they can process it for stand-alone promotional purposes and (ii) understanding how the third party can properly launch direct marketing activities once they have acquired the personal data (so-called “prospecting”).

The requirements of the Italian Data Protection Authority (“GPDP”) in the current regulatory framework

The main requirements for the activity of transferring personal data to third parties and acquiring leads can be found in the Marketing and Anti-Spam Guidelines (hereinafter, only “Guidelines”), which are to be interpreted in the light of the current legal framework as well as the most recent decisions rendered by the GDPR, which have clarified their scope[1]. In particular, reference should be made to three specific GDPR decisions which have clarified the legality of marketing practices in the context of data protection, namely: decision against Enel Energia Spa; decision against Iren Mercato SpA; finally, Sky Italia decision.

Transfer of data to third parties

According to the guidelines[2]cross-border data transfers to third parties for direct marketing purposes can only be lawful if the transferor:

  1. adequately describes this purpose in its privacy notice;
  2. indicates, in its privacy notice, each of the third party recipients of the data or, alternatively, the economic or product categories to which they belong (for example, finance, publishing, clothing, etc.);
  3. acquires specific consent, of the data subject, for the disclosure by transmission of personal data to third parties for promotional purposes. It is important to note here that the consent to the transfer of data is distinct from the consent required by the data controller to carry out promotional activities alone.;
  4. provides proof of consent collected for the transfer of personal data[3].

It should be noted that the wording of “third party”, under (2), is intended to be defined both broadly and with particular reference to cases where the third party assignee belongs to the same business group as the assigning data. controller. Indeed, as the GPDP has repeatedly stated[4]entities belonging to the same group of companies should be considered – as a general rule – as autonomous and separate data controllers[5]. In this sense, it would not suffice to indicate in the privacy statement that the transferee companies also include companies belonging to the same business group as the transferor company; in fact, it is necessary that the company name or, alternatively, the economic or product categories to which they belong, are also indicated for these entities[6].

In addition, under (3), it is important to recall the GDPR position that a data subject’s consent to the processing by a controller of their personal data (for promotional activities) or their transfer to a third party does not extend to onward transfers to other data controllers. Indeed, these secondary transfers would not be based on the necessary, specific and informed consent of the person concerned.[7].

Lead acquisition

In order to analyze the obligations required for prospecting activities, keep in mind that the focus is now on the entity that receives the personal data from the transferor (i.e., assignee) and their obligations.

Information obligation

In order to carry out a lawful prospect acquisition activity, the persons concerned, who have been previously informed by the transferor – in accordance with Article 13 of the GDPR – of the transfer of data to third parties for autonomous marketing purposes, must also be informed by the assignee of the subsequent processing operations that they will carry out on their data. In fact, recipients will only be permitted to send promotional communications to data subjects after issuing their own privacy notice in accordance with Article 14 of the GDPR. This privacy notice must provide an indication as to the source from which the personal data originates so that each data subject can address (for example, to object to the processing) the data controller who processed and communicated the data in first place.[8].

Legal basis

With regard to the legal basis on which the processing activities of the assignee are based, the GDPR has clarified, in the light of the legislation currently in force, the possibility for the assignee not to require additional consent for the exercise of direct marketing activities. This possibility, not to obtain additional consent, only applies in situations where the transferee intends to use automated tools to carry out direct marketing campaigns such as e-mail, SMS, MMS, etc. . As a result, the assignee is only required to obtain additional consent when sending marketing communications via non-automated contact tools such as telephone, paper mail[9].

Responsibility: The need to ex-post ratings

In parallel to the responsibility principle, and to avoid an endless “chain” of responsibilities in data processing[10], the GDPR has underlined that it is necessary for a data controller to provide proof of the overall assessments carried out on the characteristics of the processing activities, on the associated risks and on the effectiveness and adequacy of the measures adopted on a case-by-case basis. case. case basis. Such effectiveness and appropriateness cannot be tested and demonstrated without structured and systematic evaluation mechanisms.

The assignee is therefore required to adopt safeguards to prove that the personal data and related consents have been collected by the assignor in full compliance with the respective data protection provisions.including guarantees allowing to testify and control over time the proper management of consents[11]. Specifically, the assignee must verify that the data subjects have correctly received the privacy notice – in accordance with the procedures described above -, consented to receive promotional communications from third parties (unless these communications are sent by automated means) and that they have not registered complaints in the “Registro Pubblico delle Opposizioni”[12] or opposed to the processing in question by the controller. These controls must be carried out by means of specific procedures for filtering contact lists.

Finally, the assignee is advised to request the sharing of the consents collected by the assignor in order to be able to demonstrate the lawfulness of its processing activities, more specifically, its sending of marketing communications.


The interventions of the GPDP mentioned in this letter make it possible to reconstruct, with regard to the legislation currently in force, the framework of the main requirements that must be met to share/transfer personal data for direct marketing purposes. Among the most significant measures put forward by the GDPP, it seems appropriate to retain the following points of attention:

  • assignees may conduct promotional activities without requiring new consent – in addition to the consent previously obtained from the transferor for the transfer to third parties for direct marketing purposes – only when using automated tools. Therefore, when carrying out promotional activities through non-automated tools, a new consent must be obtained from the data subject;
  • the transferring companies are required to ensure greater transparency on the economic and product categories of the third party recipients of the data, even if they are companies belonging to the same group of companies.

Source link

Previous The market for direct marketing services is booming worldwide
Next Global direct marketing services market 2022 Current scope – Rapp, Epsilon, Wunderman, FCB – business ethics