Update on italian privacy issues: New rules regarding marketing and credit information

Data protection rules are rapidly evolving at a national and European level. The Italian legislator has recently introduced new rules relative to data protection (also in light of the General Data Privacy Regulation1 coming into force) and the Italian Data Protection Authority (“DPA”)2 has introduced new guide-lines.

1. Telemarketing

On 22nd December 2017 the Italian Parliament passed a new law on telemarketing which increases the protection of those who do not wish to receive marketing calls.

1.1 Developments concerning the Register

One of the major changes brought about by the new law is the extension of the opt-out regime for telemarking to mobile phone numbers. Currently, call centres are not allowed to contact any landline number which is listed in the Registro delle opposizioni, a public opposition register (“Register”). After the law comes into force, users who do not wish to be contacted for telemarketing purposes will also be able to include their mobile phone numbers in the Register. In addition, landline numbers that are not published in public phone directories will be automatically inserted in the Register on the basis of the information provided periodically by telecommunication operators.
The new law also provides that the registration will lead to the automatic withdrawal of any prior consent to telemarketing calls that was given by the user, except when consent was given in the case of an ongoing contractual relationship or with regard to a contract which expired in the last 30 days. For the same reason, the use of phone numbers, which have been shared with third parties by controllers on the basis of prior consents, is prohibited.

Contacting individuals that are listed in the Register is a breach of the legislation that can originate heavy fines. Companies should make sure that the Register is consulted before starting a marketing campaign. Agency agreements with promoters and marketing consultants/service providers should contain adequate undertakings and representations by them on their compliance with the above legislation.

1.2 Consent to telemarketing: limited scope

Also after having included his/her phone numbers in the Register, a user can change his/her mind and give consent. Nevertheless, that consent will never have wide-spread repercussions. Even if a user gives consent to the processing of his/her data, it is nonetheless prohibited for the controller to share or transfer such data to third parties for marketing or sales purposes or for carrying out market research or commercial communication activities that are not related to the products or services offered by the controller.

1.3 Sanctions

A sanction ranging between €10,000 and €120,000 might be applied in the case of failure to comply with the opt-out regime, and, in the case of repeated violations, the company’s licence to operate might be suspended or revoked. Furthermore, the controller could be held liable together with the call centre to which he outsourced the marketing campaign, should the latter violate the new law.

As in the case with anti – corruption laws, sanctions are not limited to monetary fines, but extend to revocation/suspension of licenses and authorisations. That represents an additional risk for businesses. As suggested by the EU Commission a through review of “contracts already in place”, “agreements for international transfers” and “overall governance” is appropriate.

1.4 Special telephone numbers for call centres

Finally, the new piece of legislation makes it possible to understand if an incoming call comes from a call centre, since companies contacting consumers for telemarketing purposes will have to use two specific area codes (one for market-research calls and one telemarketing calls) that the Italian Communications Authority is required to set up.

2. Personal data, social networks and social spamming

According to the Italian DPA, the fact that certain personal data is made available through social networks does not mean that such personal data may be used by anyone for any purpose. Such principle has been reiterated by the DPA with decision n. 378 dated 21st September 2017, whereby it has been clarified that the publication of personal data on the social networks does not imply that the relevant data subjects are granting their consent to the further processing of their personal data for purposes other than the participation to such social networks3.
In this case, the DPA investigation was activated by a financial advisory company which complained about receiving marketing communications to the e-mail accounts of its advisors by a company which collected the above mentioned e-mail accounts from social networks, such as LinkedIn and Facebook, without having obtained the advisors prior consent. The DPA took the chance to reiterate that the purpose for which a user registers on a social network site does not consist in being exposed to marketing spamming activities (the so called “social spamming”), but, on the contrary, to connect with other people for personal or professional reasons, depending on the case.

In light of the above, the processing of personal data published on social networks for marketing purposes requires further and ad hoc consent by the data subjects along with a proper – and prior – information notice4 . Companies should make sure that their distribution lists for marketing purposes (and those used by agencies and consultants) have not been created by taking the addresses of the recipients from social networks without consent.

3. Credit Information

With its decision n. 438 dated 26th October 2017, the DPA has set-out some additional principles applicable to the processing of personal data within the framework of credit information systems, that are used by financial institutions in connection with consumer credit activities in order to ascertain a debtor’s reliability before granting credit5.

3.1 The Default Notice

This matter was initially addressed by the DPA within the “Code of conduct and professional practice applying to information systems managed by private entities with regard to consumer credit, reliability, and punctuality of payments” (the “Consumer Credit Code of Conduct”), drawn up in accordance with Article 117 of the Privacy Code.

The Consumer Credit Code of Conduct sets forth adequate measures aimed at protecting debtors’ personal data in context of consumers credit and, in particular, provides, under Article 4, paragraph 76, the obligation of the relevant creditor to communicate to the defaulting debtor the intention to notify his/her personal data to the credit information system (the “Default Notice”).

The wording set forth under Article 4, paragraph 7 of the Consumers Credit Code of Conduct does not expressly set-out the creditor’s obligation to communicate to the credit information system the defaulting debtor’s personal data only after having received confirmation of the fact that the defaulting debtor had actually received the Default Notice. In light of the above, it often happens that the relevant creditor transfers the defaulting debtor’s personal data to the credit information system regardless of the fact that the defaulting debtor might not have received the Default Notice.

With its decision n. 438 dated 26th October 2017 the DPA clarified that a creditor can legitimately transfer to the credit information system a defaulting debtor’s personal data only after having successfully notified to such debtor the Default Notice and it must be able to provide documentary evidence of the receipt of the Default Notice by the defaulting debtor.

3.2 Time limits

In addition to the above, the DPA took the chance to reiterate that, also pursuant to the GDPR, debtor’s personal data cannot be recorded within the credit information system for a period of time exceeding 36 months starting from the expiry of the relevant contractual agreement. If other events occur which are relevant to the payment, said information may be retained for no longer than 5 years as of the date on which the relevant relationship was terminated.

While business methods are rapidly moving towards the so called Industry 4.0, the impact of data protection laws involve reconsideration of various aspects of company’s business and procedures: companies that will face these challenges will not only avoid fines, but will also cope with new legal developments and will guarantee a more competitive position for their business.


1Regulation (EU) 2016/679 of the European Parliament and of the Council.

2Garante per la protezione dei dati personali.

3Such principle has also been confirmed by Article 29 Data Protection Working Party within the “Opinion 15/2011 on the definition of consent” whereby it commented on the risk of ambiguous consent in the on-line world with specific reference to on line games: “Accessing and participating in the game is not tantamount to giving implicit consent to the further processing of their personal information for purposes other than the participation in the game. Participation in the game does not imply the individuals’ intent to consent to processing other than what is necessary to play. This type of behavior does not constitute an unambiguous indication of the individual’s wish to have his/her data used for marketing purposes”.

4Reference is made to (i) the guidelines issued by the DPA through decision n. 330 dated 4th July 2013 on marketing and spam and (ii) the DPA’s resolution on How to Lawfully Email Advertising Messages, dated 29th May 2003.

5Credit can be granted in the form of a payment extension, a loan, or any other similar financial support as per the legislative decree no. 385 of 1st September 1995 (i.e. the Consolidated Statute on Banking and Credit).

6Article 4, paragraph 7 of the “Code of conduct and professional practice applying to information systems managed by private entities with regard to consumer credit, reliability, and punctuality of payments”: “In case of payment delays, the participant shall inform the data subject, also with timely reminders or other notices, that his/her personal data will shortly be recorded in one or more credit information systems. […]”.

Download the document