On 19 October 2021, the Italian data protection authority (Garante) published its decision to issue a €3.3 million fine to Sky Italia S.r.l., a company that provides television and radio broadcasting services, for violations of the General Data Protection Regulation (GDPR). In particular, violations of:
- Article 5(1) (2) – Principles relating to processing of personal data
- Article 6(1) – Lawfulness of processing
- Article 7 – Conditions for consent
- Article 12(2) – Transparent information, communication and modalities for the exercise of the rights of the data subject
- Article 14 – Information to be provided where personal data have not been obtained from the data subject
- Article 21 – Right to object
- Article 28 – Processor
- Article 29 – Processing under the authority of the controller or processor
What happened?
Following numerous reports and complaints about unsolicited phone calls, made both directly by Sky and through the call centers of other companies, the Garante conducted a complex investigation and discovered many critical issues around the Sky Italia telemarketing campaign.
The Garante found out that promotional calls were conducted without providing adequate information to individuals about the processing and without proper consent, using unverified lists acquired from other companies.
Contrary to what Sky believed, the consent given by individuals to the third-party company that provided the lists did not authorize Sky to use personal data for promotional purposes.
In addition, the Garante determined that Sky had carried out promotional activities without the necessary prerequisite of lawfulness.
Sky also failed to take action on several objections to the processing from data subjects, and it did not have a platform or systems that could support the exercise of data subjects’ rights.
How could Sky Italia have prevented the €3.3M fine?
In order to carry out the telemarketing activity correctly, Sky should have cross-checked its contacts against the blacklist.
If the individual was not on the blacklist, Sky should have provided the user with all necessary information at the beginning of the phone call, explaining the origin of the data, and proceeded with the commercial proposal only after obtaining consent.
Sky should also have had a proper system in place for resolving data subject requests.
Garante’s decision
The Garante ordered Sky to cease any processing of personal data in question, to define data processors where appropriate, and to facilitate the exercise of data subject rights, in particular, the right to object to processing.
When determining the final value of the fine, the Garante took into consideration the seriousness of the violations and the negligent nature of the violation.