On March 24, 2023, the Italian data protection authority (“Garante”) approved a Code of conduct (“Code”) on telemarketing and telesales activities. The Code was promoted by various Italian industry and consumer associations, pursuant to Article 40 of GDPR.
The Garante notes that the Code reflects broad industry consensus, and welcomes it as an important step to ensuring the lawful performance of the covered activities. The Garante have been historically active in regulating telemarketing and telesales companies, and has applied some of its largest fines to this sector. We provide below an overview of the Code’s key provisions and obligations.
Scope of Application
The Code will apply to companies operating in Italy and abroad, which market and/or promote (telemarketing) or sell directly (telesales) goods and services to individuals located in Italy, when such activities are conducted through direct phone calls to national fixed and mobile numbers. Any telemarking or telesales operator (both buyers and suppliers) may adhere to the Code.
The following activities are explicitly excluded from the Code’s scope of application:
- in-app promotions and “digital advertising” (any paid form of display (personalized or not) of ideas, goods and services with informational or commercial purposes, via the Internet and digital tools, such as apps, websites, online platforms and newspapers, chats and social networks);
- telephone contacts with the exclusive purpose of measuring customer satisfaction, or of conducting surveys or market research, without any commercial purpose;
- contacts made through other channels, such as SMS; and
- contacts and other linked activities addressed to subjects other than natural persons, freelance professionals, and sole-proprietorships.
Roles. The Code clarifies that (1) operators maintaining directly or outsourcing telemarketing or telesales campaigns, regardless of the source of the data, and of whether they have access to it; and (2) operators that autonomously collect and share data, with the aim of creating and selling lists of contact data (so-called “list providers”), act as controllers.
Controller obligations. Controllers should carefully select their commercial partners, and should prefer operators that adhere to the Code. They should adopt a vetting process, and formalized procedures to (1) respond to data subject requests, create and maintain opt-out lists where individuals object; and (2) handle data breaches promptly.
Controllers that acquire contact details from a list provider or publisher must check, against their own opt-out list, to ensure that the list does not include any individuals who have already objected or withdrawn their consent. Prior to launching a promotional campaign, they must verify that contacts are not registered in the Italian “do-not-call” list (“Registro pubblico delle opposizioni”), among other things.
Obligations of call centers and similar operators. Operators are required to enroll in a specific register, and disclose their telephone numbers. Operators who act exclusively as processors must, among other things, (1) provide detailed reports of their calling activities; (2) record the names of any contacts who object, request deletion or withdraw consent, within 24 hours; and (3) observe “quiet hours”.
Special categories of data. Such data cannot be processed for promotional purposes, unless collected in the context of a specific existing contractual relationship, and on the basis of explicit consent.
Notice. At the start of the phone call, a simplified privacy notice must be communicated, containing, in an understandable form, at least the following: (i) details of the controller; (ii) applicable legal basis; and (iii) the source of the data. The caller must be able to provide, upon request, the details of any processors, the purposes and modalities of processing, and contact details so that data subjects can easily exercise their rights for free. Before collecting any other data, the caller must inform the individual where they can find the full privacy notice, which must be delivered before any contract is concluded.
Consent. The Code refers to the GDPR conditions for consent, and offers some examples of invalid consent. Moreover, it clarifies that profiling for marketing purposes requires a distinct and specific consent to consents obtained for promotional activities. Specific consent is not required to classify or segment individuals into categories, such as according to age group, gender or nationality.
The Code lists some examples of methods that can be used to validly collect consent, such as clicking on a certain digit, or stating orally “I agree”, after having received the notice. But, if an individual objects or refuses to provide consent, this should be promptly recorded and given effect within the ongoing campaign.
Sharing data with third parties. Personal data may only be disclosed to third parties with the individual’s consent. Controllers may publish on their websites an updated list containing the details of all third party recipients, informing individuals.
Compliance throughout the supplier chain. Operators should implement measures to ensure compliance throughout the entire supplier chain, verify that stated conditions are met, and conduct audits.
Monitoring. An independent expert body will be set up and accredited in accordance with Article 41 of GDPR. The body will monitor compliance with the Code by its signatories.
Once the monitoring body is accredited, the Code will enter into force fifteen days after its publication in the Italian Official Gazette.
Covington’s Data Privacy and Cybersecurity Team regularly advises companies on EU and national requirements for a variety of marketing practices. Our team is happy to assist with any inquiries.