€ 2 million fine for lack of privacy information notice and consent in Italy

A call center faced a € 2 million privacy fine from the Italian data protection authority for failing to provide a privacy information notice and to collect consent.

The privacy dawn raid of the Italian call center and the relevant challenges

In October 2017, the tax police carried out a privacy dawn raid at the office of an Italian call center on behalf of the Italian data protection authority, following the complaints of two individuals.

During the inspection, the tax police found that the call center had been instructed by an energy company to contact potential clients to promote the execution of agreements.

The activity was subcontracted to an Albanian call center, but according to the position of the Italian data protection authority:

  1. The Albanian call center contacted its list of contacts to check their availability to enter into energy contracts and, once this availability was obtained, the Italian call center filled in the agreement and phoned the contact again to receive his/her confirmation to accept the contract proposal;
  2. No privacy information notice was given at the time of the call by the Albanian call center concerning 78 contacts, and this was confirmed by the absence of any script that call center operators had to read during the call;
  3. No recording or execution of the acceptance of the contract proposal occurred during the call performed by the Albanian call center concerning 155 contacts. Therefore the exemption from the need for consent to the processing of personal data could not apply, and in any case, the Italian Privacy Code before the GDPR required that consent had to be “documented in writing”. As a consequence, the data processing activity had been performed in the absence of a valid privacy consent;
  4. Since the Italian call center had not been formally appointed as a data processor, it could be requalified as an autonomous data controller, and therefore, it was liable for the breach.

Based on the above findings, the Italian data protection authority issued a fine of € 2,018,000 for failing to provide a privacy information notice and to collect consent to the processing of personal data.

The lessons learned from the privacy fine to be applied under the GDPR

This investigation was performed under the regime in place before the GDPR, but some of the conclusions reached by the Italian data protection authority can also be relevant under the GDPR. In particular:

  • Privacy dawn raids by the Italian data protection authority can be quite aggressive, are performed without any prior notice, and companies need to be prepared to handle them;
  • As provided by the accountability principle, entities processing personal data need to prove that they have complied with privacy law obligations. The burden of proof is on the investigated party, and therefore any action performed to ensure data protection compliance has to be adequately documented;
  • If entities processing personal data on behalf of an instructing party cannot prove in writing the appointment as data processors, they are likely to be considered data controllers with the relevant obligations and liabilities.