Italian DPA forbids pop-up requiring one consent for data processing for various purposes

On May 22, 2018, the Garante per la Protezione dei Dati Personali, Italy’s Data Protection Authority (DPA), prohibited a company offering a comparison service for light, gas, mobile line, insurance, mortgages (and other services) on its website (Company) from processing, for marketing and sales purposes, the data collected through a pop-up on its website. The pop-up did not allow users to freely give a specific, informed and unambiguous indication of their agreement to the processing of their personal data [doc. web n. 8995274].

The nucleo speciale privacy della Guardia di Finanza, the privacy unit of the Italian police authority, investigated the issue after the DPA received some complaints concerning unwanted promotional communications.

The inspections ascertained that users who saw the pop-up could not access the Company’s services unless they agreed, with a single consent, to have their data processed for different purposes (including marketing or data communication to third parties).

Although the pop-up included a privacy notice that explained the different purposes for which the data was processed, users were not allowed to express specific and differentiated consents. If the Company still wants to use the pop-up to collect data for promotional purposes (or for other purposes), it will have to allow users to freely choose whether to authorize processing and for which purposes.

The DPA has not imposed any sanctions yet, although sanctions will be possible should the Company not comply with the content of the decision.


The full text of Trattamento dei dati raccolti attraverso un pop up – 22 maggio 2018 [8995274] is available (in Italian) at…


For more information on this and for advice on GDPR implementation, contact Francesca Giannoni-Crystal and Federica Romanelli.

