The Italian Data Protection Authority issued a two million fine for an unlawful telemarketing campaign

The Italian Data Protection Authority  (the “Garante”), with the decision no. 95 of April 11th , 2019, fined a telemarketing operator with a sanction of 2 million euros for the violation of the Legislative Decree no. 196/2003 (the “Italian Privacy Code”) regarding, in particular, the obligations (i) to provide the addressees of a marketing campaign with proper information on the purposes and modalities of the data processing and (ii) to collect a valid consent by the data subjects.

The sanction was issued applying the former Italian legislation and therefore the provisions of the Italian Privacy Code, that implemented the Privacy Directive (Directive 95/46/EC). Indeed, the facts were assessed before the applicability of the EU Regulation 2016/679 (the “GDPR”).

In a nutshell, the issue concerns a telemarketing campaign carried out by Vincall s.r.l.s, a telemarketing operator, through an Albanian call centre, on behalf of Green Power s.r.l., an agent of the multinational energy company Edison Energia S.p.A.

Vincall instructed an Albanian call centre to contact prospect customers by telephone using lists of telephone numbers collected directly by the call centre, that were not provided or validated by the three Italian companies involved in the telemarketing campaign. After the first contact by the call centre, the subjects who expressed an interest to sign a contract were called back directly by Vincall for the undersigning of the contract application form.

As a result of the investigations, the  Special Privacy Unit of the Guardia di Finanza assessed that Vincall:

  • with reference to 78 contracts, did not provide the data subjects with the mandatory information provided for by the Italian Privacy Code; and
  • with reference to 155 contracts, failed to collect a valid consent in order to process personal data for marketing purposes.

In deed, according to the Italian Privacy Code,  the Italian telemarketing company – before contacting the prospect customers - should have verified that all the data subjects contacted by the Albanian call centre: a) received a privacy notice compliant with the Italian Privacy Code; b) expressed their consent to the processing of their data or, in any case, to enter into a contract with Edison; consent that Vincall should have properly documented.

Conversely, there was no evidence that a privacy notice was given to the data subjects and the relevant consent collected.  This circumstance was also confirmed by the fact that no scripts containing the privacy notice to be read to the data subjects during the calls were found.

In addition, in terms of liabilities, the Garante outlined that, for such processing operations, Vincall was not appointed as data processor by Green Power s.r.l. and/or by  Edison Energia S.p.A. and, therefore, acted as an autonomous data controller.

As mentioned above, the sanction issued by the Garante refers to the former Italian legislation, before the application of the GDPR. In particular, the authority held applicable Article 161 of the Privacy Code that punishes violations committed in relation to the mandatory information to be rendered to data subjects with an administrative fine from € 6.000 to € 36.000 and Article 162(2-bis) ( Articles 161 and 162 of the Privacy Code have been abolished by the Legislative Decree no 101/2018 that harmonized the national privacy legislation to the EU GDPR.) of the Privacy Code that punishes the unlawful data processing with an administrative fine from € 10.000 to € 120.000.

In this respect, it should be noted that with regard to the quantification of the sanctions, according to Article 11 of the Law No. 689/1981, the Garante must take into account four factors when determining the amount of fines (between the minimum and the maximum provided by law): (i) the seriousness of the violation; (ii) the personality of the offender; (iii) the economic conditions of the offender; and (iv) the work performed by the agent to eliminate or mitigate the consequences of the violation.

Such criteria are in line with the ones listed by Article 83 of the GDPR, to be taken into consideration by any national authority before imposing an administrative fine and deciding its amount.

With regard to the seriousness of the infringement, it is important to point out that the Garante considered that Vincall’s operations “were carried out in a framework of significant disregard for the data protection legislation and of superficial underestimation of the serious implications arising from the use of methods of customer acquisition based on informality and unilateral simplification of the formal obligations prescribed by the law”.

On the other hand, the authority assessed, as positive elements (i) with regard to the conduct of  Vincall, that the company  cancelled a number of contract application forms with the consumers, before the inspection of the Guardia di Finanza and (ii) with regard to the personality of the author of the violations, that the company was not previously fined by the Garante.

In the light of such elements, the Garante limited the basic sanction to a minimum: (i) 6.000 euros for the failure to provide the mandatory information; and (ii) 10.000 euros for the failure to collect a valid consent.

Notwithstanding the above, the final fine issued by the Italian Data Protection Authority results to be extremely high, because the Garante, with an approach that is not so common, excluded the possibility to apply an unique sanctions for the above mentioned conducts and, therefore, multiplied the basic sanction for each one of the numerous data subjects involved in the telemarketing campaign.

It is worth outlining that it is not the first time that the Garante issued very high sanctions. In fact, in the past year the Italian Data Protection Authority fined two primary telco operators for 960.000 euros and 600.000 euros.

It cannot be excluded that such a recent approach of the Garante takes into consideration also the severity of the new fines provided for by the GDPR.

 Massimiliano Pappalardo

Partner Ughi e Nunziante


Pasquale Distefano

Associate Ughi e Nunziante


From 1 July 2019 D&P studio legale becomes part of a larger and more structured entity joining Ughi and Nunziante, an Italian law firm of historical reputation, with offices in Milan and Rome, and with a deep-rooted international vocation. While celebrating its 50 years of activity the firm this year has started a phase of profound renewal with the acquisition of seven new partners, with the aim of getting ready to digital transformation with all necessary skills

2. Juli 2019