Pursuant to Article 40 of the GDPR, various trade and consumer associations drafted a Code of Conduct on Telemarketing and Telesales. The Code, approved by the Italian Data Protection Authority (“Garante”) on 9 March 2023, and made public on 24 March 2023, will take effect once the accreditation phase of the Monitoring Body is completed with the subsequent publication in the Official Gazette.
There is no other area that engages Data Protection Authorities of Member States as much as telemarketing. In addition to the large penalties imposed, the issue is central in view of the series of initiatives aimed at combating the so-called “wild telemarketing” practices. In this regard, reference is made, inter alia, to: (i) the issue of Law No. 5/2018 – introducing a new RPO (public opt-out registry) model – and subsequent Presidential Decree No. 26/2022 which extended its applicability to mobile numbers; (ii) the electronic service for reporting unsolicited communications to the Garante; (iii) the working table at AGCOM to identify technical measures to combat telephone spoofing; (iv) the OIC-Assocontact procedural code on telemarketing.
The approval of the Code, therefore, determines the completion of the regulatory framework of the sector.
The associations promoting the Code under consideration have attempted to elaborate a text that includes the many interpretations shared by the Garante in the various measures introduced over the last few years in order to promote virtuous behavior in the sector. The primary objective is, therefore, to provide unambiguous clarifications regarding the different interpretative problems that have arisen in an area that, considering the number of operators and the relevance of the interests at stake, is now particularly significant.
Among the main innovations brought about by the Code of Conduct, the obligations for the parties and, especially, for data controllers must necessarily be highlighted.
In particular, Article 5 of the Code prescribes the obligation for data controllers to give preference, when choosing business partners for telemarketing and teleselling activities, to companies adhering to the Code of Conduct.
In confirmation of the significant importance that the Code attaches to the control of the lawfulness of the various operations carried out in telemarketing and teleselling activities, Article 14(2) of the Code requires controllers to ensure full and constant control of all the parties involved in any preliminary or implementation phase of the promotional campaign.
With specific reference to the information notice, Article 11 of the Code admits the possibility of providing, during the marketing contact, simplified information. In this regard, the provision lists the minimum elements to be in any event provided in such information. In addition, before proceeding to the collection of any personal data of the data subject (or at the request of the same), the operator shall indicate where the extended information notice can be found, which must imperatively be provided before concluding any contract.
If the aforementioned checks show the existence of contracts for which the first contact is found to be flawed, the same may continue to be performed provided that the principal informs the data subject of the flawed nature of the contract and the data subject confirms his/her willingness to keep it in place.
2. OBLIGATIONS FOR SUPPLIERS
A central role is played by suppliers, i.e., those individuals who materially carry out the promotion campaign as data processors.
In this regard, Article 7(1) of the Code provides that anyone who engages in telemarketing/teleselling activities (including contact centers and agencies) “is required to enrol in the ROC (Register of Communication Operators) referred to in AGCOM Resolution No. 666/08/CONS of 26 November 2008, also indicating all telephone numbers made available to the public and used for telemarketing and teleselling services”. In addition, with a view to countering the practice of phone spoofing, crucial importance is given to solutions that allow the calling operator to be recontacted.
Among the various obligations to be fulfilled, the supplier must also: (i) provide principals with a detailed report within 15 days of the closure of individual promotional campaigns; (ii) record in special blacklists any requests for deletion of data, revocation of previously given consent, and exercise of the right to object, while also forwarding them to the principal within 24 hours; (iii) send to the principal, within 15 days of the call, the identification data and telephone number of the data subjects who have expressed interest or directly agreed to the promotion.
3. CONSENT
Consent acquired for telemarketing and teleselling purposes - freely given, specific, unambiguous and documentable by means of precise and detailed elements - is deemed valid only if properly informed pursuant to Articles 13 and 14 of the GDPR.
Transposing the approach adopted by the Garante in the injunctive, prescriptive and sanctioning order against Edison Energia S.p.A. of 15 December 2022, Article 12 of the Code provides that refusal to receive marketing contacts expressed during the promotional phone call, even orally, must be understood as revocation of consent or opposition to the processing of the telephone number for telemarketing and teleselling purposes. Such refusal must be promptly recorded, and consequently the corresponding telephone number must be removed from the lists. Hence, the opposition expressed during a telephone call does not need to be further confirmed, as has often been the case in industry practice.
4. RELATIONSHIPS BETWEEN PRINCIPALS AND LIST PROVIDERS
Pursuant to Article 6(1) of the Code, in selecting list providers, principals shall adopt the utmost diligence and assess the presence of all the necessary guarantee elements. In particular, the Code requires principals to assess that the consent is obtained in the correct manner and that it is documented by computerised methods suitable to ensure that the date and origin of the consent cannot be altered.
Therefore, the principal is required to carry out a preliminary activity characterised by a “diligent assessment” of the presence of all the necessary guarantee elements, including a purely technical analysis of the adequacy of the IT tool used with respect to the guarantees required by the Code. In this respect, there is an obligation both to keep the IP-timestamp pair of the data subject who gave consent online and to send said data subject a message notifying him/her of the registration of his/her consent (i.e. the adoption of so-called double opt-in mechanisms whereby the consent acquired online is subsequently confirmed by the data subject by replying to a message requesting confirmation).
As regards list providers collecting data as autonomous data controllers, Article 6(3) of the Code lays down the obligation to provide a self-certification attesting to the correctness, lawfulness and up-to-dateness of all consents collected.
5. THE MONITORING BODY
A further novelty introduced by the Code under consideration is the establishment, pursuant to Article 41 of the GDPR, of a Monitoring Body entrusted with verifying compliance with the Code of Conduct by the adhering parties and handling the resolution of complaints.
The Monitoring Body is external to the organisation of the promoting associations and is composed of a maximum of 9 members - identified on the basis of candidacies submitted by the promoting associations - who shall guarantee and maintain the necessary requirements of integrity, independence, impartiality and expertise for the entire duration of the appointment.
In order to ensure full independence and impartiality of the members of the Monitoring Body, the latter will not be subject to any form of control by the parties adhering to the Code. The activities of the Monitoring Body - to be duly recorded - will be financed by each party adhering to the Code.
The Monitoring Body’s duty to handle any complaints that may arise between the parties adhering to the Code and data subjects - or among the parties adhering to the Code - regarding breaches and/or methods of application of the Code, shall not affect the data subjects’ right to lodge a complaint with the Garante and/or to initiate legal proceedings for the protection of their rights pursuant to Articles 77 and 79 of the GDPR.
This article is for information purposes only and is not, and cannot be intended as, a professional opinion on the topics dealt with. For any further information please contact Marco Cappa and Matteo Calì.