The Italian supervisory authority prevented a society and a related association from sending promotional emails to professional without their consent, using their certified electronic mail address.
From the exams – ordered by the authority after several highlightings and performed with the help of the Privacy Special Body of the Italian Financial Guard -, it came to light that some volunteer collaborators of the Association and a third society found online the certified electronic mail addresses of lawyers mainly and also of accountants, labor consultants and notaries using different manual and automatic methods violating the fundamental principle of purpose, lawfulness and correctness of the personal data processing. Then, the company sent to more than 800,000 professionals many emails containing the news of the publication of a notice of selection for “reputational consultant”, the invitation to attend webinar and articles related to the sender company. The certified electronic mail addresses were not only used without the consent but they were also found unlawfully on the Ini-Pec register, the National Index of digital domiciles, on the website www.registroimprese.it and on some lists published by provincial orders. The law maintains that the extraction of Certified electronic mail addresses included in the register of the undertakings, in the rolls or lists is allowed “to the Public Administrations only and for communications concerning administrative obligations under their competence”. In a case, the mails turned out to be sent even after that the addressee formally opposed to the processing of its personal data, exercising the right given to him by the privacy code.
The justifications given by the society and the association were useless. They even thought not to be asked for the preventive request of the consent grounded on the presumed “institutional” nature of the communications. As the Authority clarified, the mails were promotional as they promoted the activities of the association connected to the figure of a “reputational consultant” therefore they should have been sent complying to the rules in the privacy code and in the guidelines of the Authority dealing with the promotional activity and against Spam. As a result, the Authority denied the company and the association the further illicit professionals data processing and decided its cancellation with the possibility to evaluate possible sanctions.
(From the Newsletter of the Italian Data Protection Authority No. 438 of 28 February 2018)