Marketing is one of the areas in which the GDPR has brought about the most immediate changes in practice. With a heavier reliance on consent, and an onus to ensure that such consent is managed properly, the consequences of errors in planning and execution are starting to be seen. A recent case in Italy has highlighted the real costs generated by basic errors.
The Italian case
An energy company, Green Power S.R.L., hired VinCall S.R.L., which specialises in telemarketing, to persuade users to sign new energy provision contracts. VinCall, in turn, outsourced this work to an Albanian call-centre company, Tele It, which used its own marketing lists to undertake the sales programme.
The investigation carried out by the Special Unit of the Italian Police, following complaints by two data subjects, identified several problems.
In short:
- VinCall did not have a contract that identified it as a Data Processor in relation to Green Power, and as such was deemed by the Italian Supervisory Authority to be a Data Controller in its own right with all the obligations and liabilities that that entails.
- VinCall did not provide a verified contact list to Tele It. Instead, Tele It used its own unverified list. Thus, neither VinCall, Tele It nor Green Power had sampled the list of Data Subjects to ensure they had previously been given a privacy statement and had freely provided consent for the marketing activities.
- Having contacted Data Subjects, any individual willing to enter into a new energy contract had the application form filled out directly by Tele It staff, who added a ‘signature’ on behalf of the Data Subject. Tele It sent this pre-filled and signed contract form to VinCall, which in turn checked to confirm the Data Subject’s purchase before sending it on to Green Power.
The Outcome
On the 11th February, the ruling was that “the companies’ conduct was carried out with a clear disregard of the overall legislation on protection of personal data and superficial underestimation of the serious implications arising from the manner of acquiring customers, which relied on informality and unilateral simplification of the framework of formal obligations prescribed by the law”.
The outcome was a fine imposed on VinCall S.R.L. amounting to:
- € 6.000 for each violation (per data subject) under Articles 13 and 161 of the Code (for omitted or inadequate information)
- € 10.000 for each violation of Articles 23 and 162, par. 2-b of the Code (concerning the violation of the rules of consent)
- The total amount of the imposed sanctions amounted to € 2.018.000.
This figure represents a reduced fine, in light of VinCall not having been fined previously and of the measures it implemented to mitigate the damage to the rights of the Data Subjects.
What can be learnt from the case
When hiring, or being hired, to undertake a marketing/selling campaign, organisations must have adequate contracts in place that comply with Art. 28 of the GDPR. The contracts must:
- identify the (joint) controller/processor relationship, and
- formalise the obligations for all parties to comply with the GDPR and national data protection legislation.
This must also be in place for any sub-processors, which should be pre-approved by the Data Controller in writing.
When using a contact list, be very careful about the origin of that list. Data Subjects or ‘prospects’ on that list must be aware of how their data is going to be used. This should be accomplished by presenting each with a Privacy Statement setting out the means and purpose(s) of processing, including the sharing of their data with third parties where appropriate.
The Data Subjects on the list should also have given their consent for the use of their data for the intended purpose, such as marketing, and this consent needs to be evidenceable. The Italian case makes it clear that, before such a list is used, a sample should be taken to verify that these requirements have been met. And though it may sound obvious, under no circumstances should staff provide a signature for a contractual agreement on behalf of a Data Subject.
From a business perspective, be aware that the cost/benefit analysis undertaken for any such marketing/selling campaign must now include the cost of effective and reliable consent management, and a contingency for when such systems fail. A recent Verizon data breach report confirms that human error remains a constant source of data breaches.
Trilateral’s advisors can help lower risk by ensuring your contracts, processes and procedures meet requirements under data protection legislation and help to protect the organisation’s reputation by protecting the rights and freedoms of Data Subjects whose data it wishes to process.
Trilateral’s advisors can support you in meeting your compliance needs. For more information visit Trilateral’s Data Governance page and contact our team.