Last month, Italy’s Sorgenia S.p.A. was fined €676,956 for violating the General Data Protection Regulation (‘GDPR’) relating to promotional calls. In addition to the fine, the Italian supervisory authority (Garante Per la Protezione Dei Dati Personali) applied other corrective measures to be implemented within 40 days after the decision notification.
The fine related to unsolicited marketing and promotional calls, including calls to people registered with Italy’s do-not-call register. Sorgenia also allegedly failed to respond to data subject requests. After receiving numerous complaints about the company in 2020, the supervisory authority carried out an investigation.
Initially, Sorgenia argued that it was not responsible for the unsolicited marketing calls that had been made to consumers. The company claimed that the calls were made by third parties imitating its brand, and that this had damaged Sorgenia’s reputation.
The company also argued that its failure to comply with data subject rights requests (including under the “right to erasure” and the “right to object”) was a result of technical problems with its internal organisational network.
However, the Garante felt that these circumstances were not enough to relieve Sorgenia of its GDPR obligations. The supervisory authority explained that the large number of complaints about unsolicited communications from Sorgenia demonstrated a lack of oversight by the company. Overall, the Garante emphasised that Sorgenia was responsible for all the relevant data processing activities, and found that the company had failed to demonstrate that it was not liable for the non-compliant marketing calls.
Along with the €676,956 fine, the Garante further ordered Sorgenia to:
- Implement technical measures to get consent for telemarketing;
- Put in place access control mechanisms for the system used to manage contracts, and provide tools to block or suspend contractual offers resulting from scam calls; and
- Develop a new system for managing data subject rights requests.
Sorgenia was given 40 days to start implementing the measures, after which the company will need to provide documented feedback about its initiatives.
HewardMills recommends that organisations implement a robust privacy and data protection programme control, along with a well-structured governance framework to ensure its oversight and effectiveness. This not only helps organisations avoid complaints and punitive measures from competent authorities, but also demonstrates compliance.
The Garante decision n. 181 issued on April 14, 2023, can be found in Italian here.