The Italian Data Protection Authority Limits the Sending of Advertising and Promotional Contents to Fidelity Cards Holders


For the first time, the Italian Data Protection Authority has exercised its power of "warning" provided by the GDPR, through which it has prohibited the unconditional sending of unsolicited advertising contents to fidelity cards holders.

With measure no. 9124420, published in the newsletter no. 456 on 22nd July 2019, the Italian Data Protection Authority (Authority) has determined the unlawfulness of sending advertising and promotional contents to fidelity cards holders, which had not expressed their specific and free consent for the processing of their data for marketing purposes.

The measure was adopted following the alerts reported by some customers of an important electronic store chain (“Company”), who complained about the continuous and unsolicited receipt by e-mail of commercial offers from the Company, after having subscribed to its fidelity card program. Moreover, the data subjects had repeatedly asked the Company, either by telephone or e-mails, to delete their address from the advertising mailing list, without any result.

During the investigation procedure carried out by the Authority with the help of the special privacy unit of “Guardia di Finanza”, the Company justified itself by stating that it had not been able to block the sending of advertising e-mails because of problems related to its databases - containing data of over ten million customers - which, at that time, were subject to a migration procedure to another data processing platform.

The inspection revealed further problems concerning the processing of customer personal data. More specifically, it was found that the consent to data processing for sending commercial communications - acquired through the old forms of subscription to the fidelity program - could not be considered valid, since customers were forced to release it, in order to obtain the services offered by the fidelity card. In fact, it resulted that the consent for the data processing was acquired with a unique flag, including both contractual and advertising purposes (such as: communication to third parties for the purpose of verifying the customer satisfaction and management of awards program).

This implied that the personal data collected by the controller for the supply of certain services, were in fact processed for an additional purpose, namely the sending of promotional messages, in violation, therefore, of the principles of free and specific consent, and lawfulness of data processing.

In addition, the Company's information system was not able to adequately track and manage the requests made by the data subjects to exercise their right to object to data processing for marketing purposes, and to interrupt, as a result, the sending of spam.

It was found, in particular, that the email address contacted by the data subjects in order to exercise their privacy rights, was assigned to an employee whose employment relationship ended in 2014; as a result, the sending of requests to this address, which was found to have been disabled and removed from the computer systems, did not allow the delivery of the object to processing advanced by the data subjects.  

Therefore, the Authority has prescribed measures to comply with the new provisions on the protection of personal data and, exercising for the first time the new corrective powers offered by the GDPR, has "warned" the Company to (i) no longer use, for marketing purposes, the personal data collected through the forms of the fidelity card object of the alerts, and also (ii) to implement adequate organizational and technical measures, in order to guarantee the proper management of the requests submitted by the data subjects.

Through this measure, the Authority has exercised for the first time its powers of "warning" under Article 58, paragraph 2, letter (b) of the GDPR, which provides the possibility for national privacy authorities to "issue reprimands to a controller or a processor where processing operations have infringed provision of the Regulation”. This warning represents a kind of “yellow card” that is preparatory to a possible sanction in case of further violations.


Article provided by: Chiara Agostini (R&P Legal, Italy)


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Hö


What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.