ENG
  • Home
  • Insights
  • Marketing: the Italian DPA says no to the use of social network user data

Marketing: the Italian DPA says no to the use of social network user data

Published

Oct 27 2021

Written By

adriano dottavio Module
Adriano D'Ottavio

Counsel
Italy

I am a lawyer with a strong passion for new technology. My goal is to provide practical solutions to complex issues.

Related

Practices

Sectors

Trending Topics

Regions

Countries

The Italian DPA recently ordered a company, La Prima Srl (“La Prima”), to pay a fine for using a user’s data on a social network ("LinkedIn”) to contact them and offer its own sales service. This purpose was deemed different and incompatible with those originally referred to in LinkedIn’s T&Cs, and therefore was neither part of the data subject's legitimate expectations, nor based on a valid legal basis (Register of Measures No. 316/2021, available in Italian at the following link https://garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9705632).

The Italian DPA observed that subscribing to a social network involves adhering to T&Cs, and that data subjects’ expectations on how other users will use the platform will be based on these terms. In this case, LinkedIn is a social network whose purpose is to bring together individuals to share the same professional interests, and to promote the exchange of knowledge or job opportunities. The Italian DPA held that it is not intended to send messages to other users with the aim of selling products or services.

In this case, a La Prima employee used LinkedIn to promote a sales service (i.e. by sending a message aimed at proposing real estate services in relation to a property owned by the complainant) to a data subject, which was incompatible with LinkedIn’s purpose, and therefore not part of the data subject’s legitimate expectations. Accordingly, the Italian DPA found a breach of Article 5 of the GDPR.

In particular, the La Prima employee’s actions involved processing data - consisting in the collection of such data and sending a message for promotional purposes – without an appropriate legal basis, since it did not comply with any of those in Article 6(1) of the GDPR. Therefore, it was not possible to justify the processing, as the data subject had not given specific consent to be contacted for promotional purposes in this way - nor could they have done so since such a purpose is not envisaged.

As a result, the Italian DPA declared the processing unlawful pursuant to Article 57(1)(f) of the GDPR. Under Article 58(2)(b) of the GDPR it ordered La Prima to ensure that its processing of personal data complied with the GDPR; and under Article 58(2)(d) it ordered the company to adopt suitable measures to prevent promotional activities carried out in the absence of a suitable legal basis. Finally, due to the size of the company and the absence of other previous proceedings against it, as well as the balance between the rights of the data subjects and the freedom to conduct a business, the Italian DPA decided to apply a fine of € 5,000.00 and make its decision public.

Latest insights

More Insights
headphones and keyboard

Kingdom of Saudi Arabia: Imminent deadline for digital content platforms to comply with new KSA regulations

Oct 03 2024

Read More
digital data security

UK Information Commissioner offers advice to the UK finance sector on how to improve data subject access right processes following increase in complaints

Oct 01 2024

Read More
cloud shape

Long-awaited German judgment by the District Court of Hamburg (Kneschke v. LAION) on the text and data mining exception(s)

Oct 01 2024

Read More
More Insights