Background

The Code is a collection of the many obligations arising from best practices and the Garante's decisions in recent years. In addition to setting the highest standard of protection of personal data, the main purpose is to make it no longer cost-effective to activate contracts with those who have been contacted in violation of data protection regulations. The impact would be on both controllers - in terms of not registering contracts - and suppliers (call centers) - in terms of penalties.

Depending on how successful the Code is (i.e., how many will adhere to it), it could increase the Garante's focus on those who are not part of it.

In the next months, the Garante will likely support and promote adherence to this Code which, in any case, is not mandatory.

In general, also in light of the crystallization of certain principles and best practices in the Code, the attitude of the Garante in case of sanctions on these issues could be increasingly severe.

Scope of application

Objective scope

The Code applies in relation to telemarketing and teleselling activities, i.e., activities promoting and/or offering goods or services via the telephone channel.

In-app promotions and digital advertising, as well as telephone calls for the sole purpose of measuring customer satisfaction, surveys, and/or market research without any commercial purpose are excluded from the scope of application.

All contact techniques developed through channels other than telephone (e.g., SMS) are also excluded.

Subjective scope

It applies in relation to personal data processing activities carried out by persons operating in Italy or abroad, in order to promote and/or offer goods or services through the telephone channel to persons located in the Italian territory. It does not apply to subjects other than natural persons, freelancers, and sole proprietorships.

Obligations for controllers

The controller must adopt a procedure for the selection of suppliers aimed at ensuring that preference is given to those who have become party to the Code. The controller shall implement the following measures and, in the event of total or partial outsourcing, shall require suppliers/processors to:

• ensure that all possible channels where data subjects may send requests are controlled by authorized persons instructed to identify the nature of such requests, whereby such authorized persons shall ensure a prompt and complete response through the most effective channel (without prejudice to the obligation to promptly inform the data controller);
• send the data subject a notice of acknowledgment of the request and grant the possibility to blacklist the data subject's contact data in such a way as to prevent any further contact by the supplier (where the request relates to an objection to receiving marketing calls by the controller); and
• notify that a personal data breach has occurred, where compatible with the nature of the breach, within 24 hours of becoming aware of the breach.

A company which acquires a contact list made by a list provider is obliged to compare it with its own blacklist in order to verify that no persons who have already expressed a specific objection or who have withdrawn their consent are included.

When consulting the Public Opt-Out Registry (RPO), the data controller shall keep track of the results of this consultation, for at least three months.

In order to check whether the suppliers comply with the Code, the data controller should take appropriate measures, including 'bait and switch' numbers, and carry out sample checks.

In terms of training, training for personnel authorized to carry out telemarketing campaigns must take place on a yearly basis. The data controller must require data processors to carry out training consistent with its own.

Further, the controller must set up a platform for the registration of contract proposals that complies with certain authentication requirements (among others, preventing access with the same credentials from multiple locations at the same time or from different IP addresses).

Specific obligations in relation to relations between companies and list providers

In the selection of list providers, companies shall assess that all necessary safeguards have been put in place, including the adoption of proper consent acquisition methods through the check of the privacy notices displayed at the time of data collection, the user experience, and consent requests. Consent is considered to be correctly given when it is adequately documented, by keeping track of such consent by means of IT methods that guarantee that date and source are not modifiable, such as the preservation of both the IP-timestamp pair of the subject who provided consent online by selecting the appropriate boxes, and by sending a message (e.g., SMS) to such subject in order to notify the registration of consent or with so-called double opt-in mechanisms whereby consent acquired online is subsequently confirmed by the subject, by replying to a confirmation message. The verification of consent must be done on a significantly representative sample of the database and must be repeated every time the data controller receives a complaint or a request to exercise data subject rights under the General Data Protection Regulation (GDPR).

The company must check the availability of the supplier (and if the entity is a non-EU one, it is necessary to check whether an establishment or a representative in the EU is present). For databases created as a result of participation in a prize competition, it is a good practice for the company to check the existence of the terms and conditions of the competition.

The company must inform the publisher or supplier, within no longer than 15 days from the day where the data subject expresses their refusal on the collection of consent by the publisher, in order to take such refusal into account when preparing and managing the lists, where the data subject requested so.

List providers collecting personal data as autonomous data controllers shall provide a duly signed declaration that all consent collected is correct, lawful, and up-to-date.

Obligations for suppliers/processors carrying out promotions on behalf of data controllers

The Code essentially reiterates a series of obligations placed on the call center operators (from registration with the Italian Registry of Economic Operators to the obligation to identify the calling line) in addition to a detailed series of more specific obligations: from sending detailed reports to controller within 15 days from the end of individual promotional campaigns to the recording and forwarding to the controller of special blacklists.

Other obligations include the ban to contact the same person (contact means an answered call): i) before 9.00 a.m. and after 8.00 p.m. on Mondays to Fridays; ii) before 10.00 a.m. and after 7.00 p.m. on Saturdays or public holidays; iii) on Sundays or public holidays. A call that is busy or remains unanswered is deemed not to have been made. A tolerance of 15 minutes (before/after) said slots is allowed and any call that is initiated within the aforementioned tolerance is therefore permitted. Commercial contacts expressly agreed with the data subject or requested by the data subject, e.g., through digital advertising, are not covered by this ban.

In addition, suppliers must be able to provide data subjects, during the phone call and without exception, with the information on the processing of personal data and on how to exercise their rights, clearly explaining the roles (data controller/data processor) and their respective obligations.

Suppliers must also adopt technical and organizational measures to enable verification of the compliance with the Code.

Obligations applicable to both controllers and processors

Further to reaffirming certain obligations laid down under the GDPR, the Code provides for a series of so-called common obligations/prohibitions, including:

• the prohibition to collect, directly from the data subjects or from third-party sources or list providers, more data than is reasonably necessary for the proper execution of the marketing communication;
• the obligation to carry out so-called data quality activities to rectify inaccurate data without a request from the data subjects; and
• the obligation to adopt technical and organizational measures (including audits) aimed at tracing the contact chain.

Guarantees within the data processing

Special categories of personal data

The Code prohibits the processing of special categories of personal data for promotional purposes, except when collected in the context of specific existing contractual relationships with data subjects and the explicit and specific consent of the data subject is collected. All members that are party to the Code shall adopt measures to ensure that personal data in special categories is stored separately (physically or logically) from other personal data.

Script and information

The controller shall provide the supplier with a specific script in accordance with the Code, for each telemarketing campaign. This script shall also include a privacy notice in a simplified form explaining in an intelligible manner at least the following elements:

• the identity of the data controller;
• the legal basis applicable to the processing; and
• the source from which the data was collected (e.g., whether consent was given or whether the number is in the telephone public directory and not listed in the RPO).

In the course of the phone call, the operator must be able to indicate, upon request, the details of the data processor (if any), the purposes and methods of processing, an address where the rights under Articles 15 to 22 of the GDPR can be easily and freely exercised, and the channels where the extended privacy notice can be retrieved.

Refusal of consent

The refusal to receive marketing communications expressed during the promotional telephone call or elsewhere, even orally, provided that it relates to an individual who is already identifiable, or who otherwise consents to be identified by providing their personal data, shall be deemed to be a withdrawal of consent or an objection to the processing of the numbering for telemarketing and teleselling purposes. Such refusal/opposition shall be deemed to be limited to the controller that made the communication directly and to the individual who expressed such refusal (for this purpose, in the case of a fixed number, the individual must confirm that they are the owner of the number).

Controlling the supply chain

Members that are party to the Code should:

• carry out regular checks on documents and inspections to verify that the supplier meets the requirements it has declared to comply with; and
• undertake - by including an appropriate provision in the data processing agreement - to allow the data controller to carry out checks and audits, to prohibit the use of sub-processors unless expressly authorized by the controller.

In the latter case, authorization may only be granted for sub-processors which meet the standards laid down in the Code.

Controllers shall adopt technological solutions aimed at the security and guarantee of the relevant contractual transactions. For so-called paper-based contracts, they shall adopt solutions that enable the correct acquisition of the customer's identification data, of the type of offer, etc.

Checking the origin of the contract

Traceability of communications and registration of contracts

It is the duty of data controllers to adopt organizational 'and/or' technical procedures aimed at proving that the data of the data subject/contractor/user have been acquired in compliance with the principles set out in the GDPR, including procedures that prevent the registration of contracts for which certain information (which promotional campaign the contract refers to, which list, which operators were involved) cannot be found.

In the first application of the Code and for the exclusive protection of the data subject, in the event that, as a result of the checks, information above relating to contacts and contracts is not found, such contracts may continue to be executed provided that the company (controller) informs the data subject of the unlawful origin of the contract and that the data subject confirms their willingness to maintain it, without prejudice to residual cases where the company tries to contact the client without any answer.

In other cases, contracts should not be executed. This is not stated explicitly, but seems to be inferable from the wording of the provisions.

Reporting on breaching contracts

The controller shall, at regular intervals of not less than three months, disclose the number of breaching contracts compared to the total number of the sample checked and/or expressed as a percentage. This data will be forwarded to the Garante.

Penalties

Contracts with suppliers must provide for appropriate penalties (of such an amount as to be effectively dissuasive, e.g., three times the agreed fees for each contract) or annulment of fees for each contract arranged in the absence of legitimate consent, without prejudice to the possibility for the company to terminate the contract. Such a sanctioning measure must also cover those cases in which the data subject confirms that they want to enter into the contract, but the contact made by the supplier was unlawful.

Deletion of contact lists

Data controllers shall also put in place effective organizational, contractual, or technological measures to ensure that suppliers delete contact lists once the marketing campaign has ended.

Multi-firm suppliers

Data controllers shall ensure that multi-firm suppliers make contacts by adopting logical separation measures so that the personnel cannot manage contact lists for several contractors at the same time.

Gianluigi Marino Partner
[email protected]
Osborne Clarke, Milan