On June 15 2011 the Italian Data Protection Authority issued a resolution on controllership for companies that use agents for promotional and marketing activities, published on the authority’s website on July 3 2011.
The authority examined some of the data processing activities carried out by outsourcing service providers, on behalf of outsourcers, for the purposes of communicating advertising materials, direct selling or telemarketing.
The resolution clarifies the concepts of ‘data controller’[1] and ‘data processor’.[2] In the authority’s opinion, in order to comply with the Data Protection Code[3] outsourcing service providers must be formally appointed as data processors if this is their role in practical terms. The authority identified significant factors in assessing such a role: the measure of detail in the instructions to outsourcing service providers, the degree to which outsourcers monitor compliance with such instructions and the contractual terms agreed between the parties.
Rules for telemarketing
Italy’s rules on telemarketing are relatively recent. Article 20bis of Law 166/2009 amended Article 130 of the Data Protection Code to allow companies to contact any user whose number is published in public telephone directories for telemarketing purposes, unless the user has registered his or her wish not to be contacted – this is termed an ‘opt-out’ principle.[4] The register, which entered into force on January 31 2011,[5] lists the details of telephone subscribers who do not want their numbers to be used for telemarketing purposes. Companies may not contact a user on the register unless they can prove that they have obtained the user’s specific prior consent.
The register for telemarketing was created by the Fondazione Ugo Bordoni, an institution which is supervised by the Ministry for Economic Development.
The opt-out principle applies only to the processing of personal data (ie, phone numbers and postal addresses) in subscriber directories by means of non-automated calls or direct mailing for the purpose of sending advertising materials, performing direct selling activities or conducting market surveys or promotional communications campaigns. Processing activities that use other communication tools, such as email, facsimile and text messaging, are subject to the opt-in principle – that is, they require the data subject’s explicit consent.[6]
Investigations
The authority received several complaints from telephone subscribers who, despite being on the register, received unsolicited phone calls for promotional or marketing purposes.
The authority’s investigations revealed that the companies which sold or provided the goods and services in question outsourced their promotional or marketing activities to external companies on the basis of certain agreements (usually agency agreements). The agreements set out the external company’s tasks, which typically consisted of performing promotional or marketing activities within a designated territory. This generally involved contacting potential clients, submitting commercial proposals, collecting details of potential customers on forms provided by the outsourcer and transmitting the data to the outsourcer, as well as attending training activities.
The authority found that although the external companies acted on the basis of detailed and up-to-date instructions from outsourcers, including in respect of the processing of subscribers’ personal data, they had not been appointed as data processors – this finding applied to BT Italia SpA, Wind Telecomunicazioni SpA, Vodafone Omnitel NV and Teletu SpA, among others.
The outsourcers maintained that the external companies should be considered data controllers, rather than data processors, on which basis the external companies were solely liable for breaches of the Data Protection Code (eg, unsolicited promotional calls to subscribers in the register). It seems clear that the outsourcers had an interest in identifying the external companies as data controllers rather than data processors, since data controllers are liable for the processing activities carried out by processors on their behalf.
Authority’s statement to data controllers
In the authority’s opinion, the external companies did not exercise sufficient autonomy to qualify as data controllers. In particular, the authority held that:
- the promotional contacting was carried out on the outsourcers’ behalf. Therefore, the data subjects had a reasonable expectation that the promotional activities were carried out directly by the outsourcers;
- the external companies acted on the basis of detailed instructions on the purposes and means of processing and the tasks assigned, and were contractually bound to comply with the Data Protection Code;
- the external companies had no autonomy in carrying out the promotional or marketing activities – they were required to follow the outsourcers’ instructions, conveyed in circulars and at meetings, and to use the forms prepared by the outsourcers.
The authority found that the outsourcers met the criteria for data controllers, as they:
- determined the purposes of the processing;
- provided external companies with binding instructions of the type normally given to a data processor; and
- monitored the external companies’ activities.
On this basis the authority ordered the outsourcers formally to appoint the external companies as data processors.[7]
The authority referred to an April 2009 decision which examined the relationship between Poste Italiane SpA and a number of contracting companies which managed postal services. The authority found that Poste Italiane acted as the data controller, while the companies acted as data processors, since they were subject to Poste Italiane’s instructions and control.
Similarly Opinion 1/2010 of the Article 29 Data Protection Working Party, which considers the concepts of ‘controller’ and ‘processor’ clarifies that if it is unclear whether an entity is acting as a data controller, it is possible to look beyond the terms of the contract and consider other factors, such as:
- the degree of actual control exercised by a party; and
- apparent status as perceived by data subjects and their reasonable expectations and assumptions on this basis.
Comment
The concepts of ‘data controller’ and ‘data processor’ – and the interaction between the two – play a crucial role in the application of the Data Protection Code, since they determine responsibility for compliance with data protection rules.
According to the code, the appointment of one or more data processors is not mandatory;[8] rather, this depends on the data controller’s organizational and business choices. However, as the authority’s recent resolution has confirmed, if a natural or legal person performs the role, it should be formally appointed as data processor.
Endnotes
[1] Defined by Article 4(1)(f) of the Data Protection Code as a natural or legal person, public administration, body, association or other entity that is competent, also jointly with another data controller, to determine the purposes and methods of the processing of personal data and the relevant terms on which this is done, including security.
[2] Defined by Article 4(1)(g) of the code as a natural or legal person, public administration, body, association or other agency that processes personal data on the controller’s behalf.
[3] Legislative Decree 196 of June 30 2003.
[4] Article 130, paragraph 3bis, of the code.
[5] The register was created by Presidential Decree 178 of September 7 2010.
[6] Article 130(1) and (2) of the code.
[7] According to Article 142(1)(b) of the code, the authority may order to data controllers to take the necessary and appropriate measures to bring processing into compliance with the code.
[8] Article 29(1) of the code. If appointed, the data processor shall be selected from among entities that can appropriately ensure competence and reliability, based on their experience, thorough compliance with the provisions applicable to processing, including security matters (Article 29(2) of the code).
