The Italian DPA recently ordered a company, La Prima Srl (“La Prima”), to pay a fine for using a user’s data on a social network (“LinkedIn”) to contact them and offer its own sales service. This purpose was deemed different from and incompatible with those originally referred to in LinkedIn’s T&Cs, and therefore was neither part of the data subject's legitimate expectations, nor based on a valid legal basis (Register of Measures No. 316/2021, available in Italian at the following link: https://garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9705632).
The Italian DPA observed that subscribing to a social network involves adhering to T&Cs, and that data subjects’ expectations on how other users will use the platform will be based on these terms. In this case, LinkedIn is a social network whose purpose is to bring together individuals to share the same professional interests, and to promote the exchange of knowledge or job opportunities. The Italian DPA held that the platform is not intended for sending messages to other users with the aim of selling products or services.
In this case, a La Prima employee used LinkedIn to promote a sales service (i.e. by sending a message aimed at proposing real estate services in relation to a property owned by the complainant) to a data subject, which was incompatible with LinkedIn’s purpose, and therefore not part of the data subject’s legitimate expectations. Accordingly, the Italian DPA found a breach of Article 5 of the GDPR.
In particular, the La Prima employee’s actions involved processing data – consisting of the collection of such data and the sending of a message for promotional purposes – without an appropriate legal basis, since the processing did not fall under any of those in Article 6(1) of the GDPR. Therefore, it was not possible to justify the processing, as the data subject had not given specific consent to be contacted for promotional purposes in this way – nor could they have done so, since such a purpose is not envisaged.
As a result, the Italian DPA declared the processing unlawful pursuant to Article 57(1)(f) of the GDPR. Under Article 58(2)(b) of the GDPR it ordered La Prima to ensure that its processing of personal data complied with the GDPR; and under Article 58(2)(d) it ordered the company to adopt suitable measures to prevent promotional activities carried out in the absence of a suitable legal basis. Finally, due to the size of the company and the absence of other previous proceedings against it, as well as the balance between the rights of the data subjects and the freedom to conduct a business, the Italian DPA decided to apply a fine of € 5,000.00 and make its decision public.