GDPR | Apr 27, 2026

Garante per la protezione dei dati personali (Italy) - 9870014

Italian DPA fines Ediscom €300K for GDPR violations in marketing data collection.

Summary

The Italian Data Protection Authority (Garante) fined Ediscom S.p.A. €300,000 for multiple GDPR violations in its marketing business, which involved collecting and processing personal data from over 21 million contacts via SMS, email, and automated calls. Violations included use of dark patterns to manipulate consent, excessive data collection without proper legal basis, failure to provide privacy policies, and requesting personal data of third parties without valid consent. The DPA found breaches of Articles 5, 6, 7, 13, 14, 24, and 25 GDPR across both directly collected data and data acquired from third-party databases.

Full text

Garante per la protezione dei dati personali - 9870014
(GDPRhub entry; latest revision as of 18:34, 27 April 2026)

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5 GDPR; Article 6 GDPR; Article 7 GDPR; Article 13 GDPR; Article 14 GDPR; Article 24 GDPR; Article 25 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 23.02.2023
Published:
Fine: 300.000 EUR
Parties: Ediscom S.p.A.
National Case Number/Name: 9870014
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante (Italy) (in IT)
Initial Contributor: mg

The Italian DPA fined Ediscom S.p.A. €300,000. The controller violated several provisions of the GDPR when collecting personal data for marketing purposes, both directly on its websites and from third parties.

English Summary

Facts

The controller, Ediscom S.p.A., was a marketing company whose business consisted of contacting potential customers on behalf of third-party vendors through SMS, emails and automated calls. To conduct this activity, the company made use of an extensive database including the contact details of more than 21 million people. Personal data were collected both directly by Ediscom and by third parties. In general, Ediscom acknowledged that it acted as a controller. However, in some cases Ediscom rented databases from third parties with the aim of monetising them. Although costs and profits were shared, Ediscom considered itself a processor on behalf of the owners of such databases.

Ediscom regularly received withdrawals of consent and erasure requests. As Ediscom relied on several databases with partially overlapping data, it usually put these requests on blacklists to avoid re-importing the same data from another source and using them again. Whenever it considered itself to be operating as a processor, Ediscom notified the original controller of erasure or consent-withdrawal requests.

Some data subjects claimed to have objected to the processing for marketing purposes. However, they still received calls and messages from Ediscom. In the context of these complaints, the Italian DPA started a broader investigation into Ediscom's business practices. The investigation concerned both the websites used by the controller to collect personal data directly and the personal data disclosed to Ediscom by third parties.

On several websites managed by Ediscom, users were invited to take part in lotteries or to subscribe to cooking or health newsletters. In theory, users could choose whether Ediscom was allowed to use and share their data for marketing purposes. In practice, the supervisory authority identified numerous GDPR violations. Several GDPR infringements were also found with regard to personal data originally collected by third parties.

Holding

Data directly collected by the controller

The DPA found that the websites managed by Ediscom made extensive use of prohibited dark patterns in the collection of consent. Typically, once the user had already denied consent to marketing purposes, a new window popped up asking again for the same consent. Moreover, when exploring some of the websites, users had the option to click on a link that brought them to another website managed by Ediscom. By clicking on the link, the data subject imported all their data to the second website, where the consent denied on the first one was automatically given. For these reasons, the DPA identified violations of Articles 5(1)(a), 6(1)(a), 7(2) and 25 GDPR.

Data collected by the websites were also excessive in light of purpose limitation and data minimisation. Ediscom asked many unnecessary questions, such as users' annual income, family status or job. Some of these questions were mandatory, while in other cases the option to ignore or skip them was not clearly visible. According to the supervisory authority, such a technique was clearly used to profile data subjects in the absence of specific consent for targeted advertising. Therefore, Articles 5(1)(a) to (c), 6 and 7 GDPR were violated.

On one of the websites examined, there was no privacy policy and no statement concerning the identity of the controller. This entailed a violation of Articles 5(1)(a) and 13 GDPR.

Finally, Ediscom asked the user to provide personal data of "friends" potentially interested in the same services. These questions, concerning unaware third data subjects, could not rely on any valid legal basis, although answering them was not mandatory, and consequently violated Articles 6 and 14 GDPR.

Data collected through the sharing of third parties' databases

Concerning the role played by Ediscom in the processing of data obtained from third parties, the Italian DPA found that its self-qualification as a data processor was inappropriate. Indeed, the company determined the purposes and means of the processing even when managing third parties' databases. Moreover, by denying its responsibility as a controller, Ediscom did not allow users to exercise their rights under Articles 17 and 21 GDPR, with the result that data subjects who had already objected to the processing (and had initially been put on a blacklist) were contacted again because their data appeared in a third party's database. Ediscom claimed it could not comply with the data subjects' requests and merely shifted responsibility onto a different company, which in turn denied being the controller.

The DPA also found that the checks performed by Ediscom on the lists provided by third parties were not adequate. Such checks should guarantee that the consent on which the processing relied was valid. However, among other deficiencies, Ediscom chose to rely only on IP addresses provided by third parties to ascertain that consent had been validly collected. A more effective option, the DPA stressed, would have been to rely on confirmation emails sent by the original controller to the people involved. In any case, the complaints from which the investigation originally started showed that Ediscom's checks did not achieve their goal. Thus, the controller infringed Articles 5(2) and 24 GDPR.

In light of all the above, the Italian DPA fined Ediscom €300,000.
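Two controls from the decision are worth seeing side by side: a suppression list that is applied across all sources (so a contact who objected once is not re-imported from an overlapping rented database), and a consent check that refuses records whose only evidence is an IP address and requires a confirmation-email record instead, as the Garante suggested. The following is an added illustration written for this page; it is not code from Ediscom, the Garante or GDPRhub. The record layout (`email`, `phone`, `consent_proof` with `ip`, `confirmation_email_sent_at` and `confirmed_at`), the function names and every sample contact are assumptions constructed for the example.

```python
"""Import-time gate for a third-party marketing list.

Added illustration, not the controller's or the authority's own code.
Record layout, field names and sample contacts are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


def normalize_email(email: str) -> str:
    """Case-insensitive match so 'Mario.Rossi@...' and 'mario.rossi@...' collide."""
    return email.strip().lower()


def normalize_phone(phone: str) -> str:
    """Digits only; an international '00' prefix is dropped so '+39 ...' and
    '0039 ...' refer to the same number regardless of the source's formatting."""
    digits = re.sub(r"\D", "", phone)
    return digits[2:] if digits.startswith("00") else digits


@dataclass
class SuppressionList:
    """Identifiers of people who objected (Art. 21) or asked for erasure (Art. 17).

    Kept once for every source, so that a contact blocked after an objection is
    not re-imported from a second, overlapping database.
    """
    emails: set[str] = field(default_factory=set)
    phones: set[str] = field(default_factory=set)

    def add(self, email: str = "", phone: str = "") -> None:
        if email:
            self.emails.add(normalize_email(email))
        if phone:
            self.phones.add(normalize_phone(phone))

    def blocks(self, record: dict) -> bool:
        return (normalize_email(record.get("email", "")) in self.emails
                or normalize_phone(record.get("phone", "")) in self.phones)


def consent_is_evidenced(record: dict) -> bool:
    """Accept only consent backed by a confirmation-email (double opt-in) record.

    An IP address alone shows where a form was submitted from, not that the
    addressee agreed, so a record carrying only 'ip' is rejected.
    """
    proof = record.get("consent_proof") or {}
    return bool(proof.get("confirmation_email_sent_at") and proof.get("confirmed_at"))


def import_third_party_list(records: list[dict], suppression: SuppressionList):
    """Split an incoming list into accepted records and (record, reason) rejects.

    The suppression check runs first: a prior objection wins even if the new
    source claims a fresh consent.
    """
    accepted, rejected = [], []
    for rec in records:
        if suppression.blocks(rec):
            rejected.append((rec, "suppressed: prior objection or erasure request"))
        elif not consent_is_evidenced(rec):
            rejected.append((rec, "no verifiable consent: IP address is not proof of opt-in"))
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed sample data: two earlier objections and a four-record rented list.
SAMPLE_SUPPRESSION = SuppressionList()
SAMPLE_SUPPRESSION.add(email="Mario.Rossi@example.com")
SAMPLE_SUPPRESSION.add(phone="+39 333 000 0001")

SAMPLE_RECORDS = [
    # same person as the first objection, different phone, confirmed consent
    {"email": "mario.rossi@example.com", "phone": "+39 333 999 9999",
     "consent_proof": {"confirmation_email_sent_at": "2023-01-05T10:00:00Z",
                       "confirmed_at": "2023-01-05T10:04:00Z"}},
    # same phone as the second objection, written with the '0039' prefix
    {"email": "anna@example.net", "phone": "0039 333 000 0001",
     "consent_proof": {"confirmation_email_sent_at": "2023-01-06T08:00:00Z",
                       "confirmed_at": "2023-01-06T08:30:00Z"}},
    # not suppressed, but the source offers only an IP address as evidence
    {"email": "luca@example.org", "phone": "+39 333 111 1111",
     "consent_proof": {"ip": "203.0.113.7"}},
    # not suppressed and confirmed by email: the only record that passes
    {"email": "giulia@example.org", "phone": "+39 333 222 2222",
     "consent_proof": {"ip": "198.51.100.4",
                       "confirmation_email_sent_at": "2023-01-10T09:00:00Z",
                       "confirmed_at": "2023-01-10T09:12:00Z"}},
]


def run_sample():
    """Run the gate over the constructed list; returns (accepted, rejected)."""
    return import_third_party_list(SAMPLE_RECORDS, SAMPLE_SUPPRESSION)


if __name__ == "__main__":
    ok, bad = run_sample()
    print("accepted:", [r["email"] for r in ok])
    for rec, reason in bad:
        print("rejected:", rec["email"], "->", reason)
```

The ordering matters: the suppression check is evaluated before the consent check, so a person who objected once stays blocked even when a later source presents what looks like valid consent, which is exactly the failure the complainants in this case experienced.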

Entities

Ediscom S.p.A. (vendor)
Garante per la protezione dei dati personali (vendor)