Direct- and Telemarketing in Italy: before and after GDPR.

Marketers making use of such techniques should be extremely careful!

What’s going on day after day.

I am sure that over the last months everybody has gone through an exciting experience: it’s Saturday (late afternoon), after a tiring week you finally have a chance to relax, to sit down with a drink, looking forward to the start of the newest episode of your favorite TV series. Exactly when the episode begins, your phone rings and – answering with several curses in your head, yet trying to behave as a civilized person – you find yourself talking to someone working at a call center and praising an irresistible offer for a phone, Internet connection, investment or retirement plan. Despite your firm argument that you are not interested at all, it is difficult to end the phone call, as the person on the line insists on telling you that it is just stupid to refuse a clear benefit to you. When you finally succeed in terminating the conversation, you have lost the first ten minutes of the episode and struggle to catch what has happened to the main character in the meantime.
Later, while lying in bed, you wonder whether those interruptions are correct and whether there are no rules governing such marketing practices. Haven’t you been told about a recent regulation (applicable throughout the European Union but also worrying businesses in the US and outside Europe)?
Let’s have a look at what marketers should consider when relying on direct- or telemarketing to promote – or increase the sales of – their products or services.
Common sense suggests bearing in mind an obvious rule of thumb: an annoyed individual is unlikely to turn into a prospective customer. Hence, the first thing to do is to work with your in-house marketing experts (or outside consultants) to come up with a clear strategy on how to use a telemarketing campaign. Before giving it a ‘GO’, you will need to practice, to change and adapt and, finally, to provide adamant instructions on how the callers should act. While working on such a strategy, you will also need to be aware of the legal/regulatory framework relevant to the practice, to be sure about both what cannot be done and what should not be done.

The local rules before the GDPR.

Back in 2013 the Italian Privacy Commissioner released specific guidelines to offer the Direct Marketing industry useful indications about how to make its practices compliant with the criteria and requirements set by the Privacy Code.
Businesses active in this sector were recommended to comply with a strictly ‘opt-in’ approach and to follow some ‘golden rules’ when drafting and performing their marketing strategies:
(1) Opt-in requirement: Commercial offers and promotional material of any kind may be delivered via automated systems (such as pre-recorded phone messages, e-mail, fax, SMS, MMS) exclusively on the basis of the targeted subject’s informed, specific and freely expressed consent (where such consent, on request, had to be substantiated by written documents).
(2) Control obligations: Companies adopting direct marketing strategies and relying on third parties for organizing and handling promotional campaigns are called to exercise proper control in order to prevent incorrect conduct by the third parties in charge of contacting potential clients.
(3) Social Networks and Messaging Services: Specific in-advance consent is also required for automated delivery or ‘viral’ and ‘targeted’ marketing directed to users of social networks as well as of messaging services. The fact that users’ data may be available and accessible on such platforms (e.g. on a Facebook wall, or chat rooms) does not exempt marketers from seeking such consent.
(4) Word of Mouth: Consent is not required for informing friends via e-mail or SMS about commercial offers.
(5) Promotional e-mails to existing clients: Such commercial communication (so-called ‘soft spam’) was allowed without further requirements, provided it related to a product or service identical to the one that was the object of a previous commercial relationship.
(6) Promotional initiatives towards brand ‘fans’: Commercial offers to ‘followers’ on social networks may be freely delivered if their registration to a company page clearly shows their interest in – and consent to – receiving promotional messages about a brand and its products or services.
(7) No need to seek ‘multiple’ consent: Once correctly obtained, consent covered both all forms of marketing (e.g. delivery of promotional material as well as performance of market research or tests) and all kinds of possible uses (e.g. calls performed by phone operators, distribution of hard copies of promotional material), even transfer of personal data to third parties, provided that the in-advance notice offered to data subjects on the purposes of collection specifically indicated and contained the contact information of such third parties.
(8) Non-compliance: The Privacy Commissioner reminded individuals affected by undue spam that they may access the Authority at any time and solicit intervention for sanctions to be applied on the spammer (in certain cases the maximum amount of such sanctions could reach Euro 500.000).
(9) Legal entities: Although without standing in the proceedings before the Privacy Commissioner, companies could flag spamming practices to the Authority’s attention (while in serious cases action before a Civil or Criminal Court was also always available).

The GDPR’s impact on direct marketing.

Article 6 of the GDPR (i.e. the EU Regulation no. 679 of 2016) lists among the requirements for legitimately processing an individual’s personal information the following two: data subject’s consent and controller’s legitimate interest. With respect to the latter requirement Recital no. 47 of the Regulation holds: “The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing” and indicates that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
The obvious question arising from the provisions above is whether ‘legitimate interest’ offers direct marketers a free pass for all of their practices and, especially, whether their meaning could be stretched to the point where marketers could simply stop worrying about consent. A positive answer to the question would be a hasty – and risky – assumption for several reasons.
First, marketers need to keep in mind that the Recital is absolutely clear in stating that a controller’s data processing to pursue a ‘legitimate interest’ cannot outweigh data subjects’ rights and freedoms.
Hence, such basis for processing necessarily involves an in-advance assessment on whether a marketer can rely on the respective exemption from the consent requirement. As such exemption was already contained in EU Directive no. 46 of 1995, it will be wise to refer to the indications offered in Opinion (WP 217) no. 6 of 2014 of the Article 29 Data Protection Working Party on the concept of ‘legitimate interest’. According to the Opinion “to be considered as 'legitimate' and be relevant…, the interest will need to be lawful, that is, in accordance with EU and national law. It must also be sufficiently clearly articulated and specific enough to allow the balancing test to be carried out against the interests and fundamental rights of the data subject. It must also represent a real and present interest - that is, it must not be speculative”.
The WP has also dealt with ‘legitimate interest’ to processing in its Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (WP251rev) of October 3, 2017 (last revisited and adopted on February 6, 2018) repeating that the legitimate interest requirement is not ‘self-sustaining’ as it always involves a balancing test in relation to data subject’s interests, rights and freedoms, where the following aspects must be taken into consideration: “(i) the level of detail of the profile (a data subject profiled within a broadly described cohort such as ‘people with an interest in English literature’, or segmented and targeted on a granular level), (ii) the comprehensiveness of the profile (whether the profile only describes a small aspect of the data subject, or paints a more comprehensive picture), (iii) the impact of the profiling (the effects on the data subject), and (iv) the safeguards aimed at ensuring fairness, non-discrimination and accuracy in the profiling process.”
In line with such criteria, in its Guide to the GDPR the British Information Commissioner summarizes its view on the issue by explaining that the in-advance assessment on legitimate interest involves basically three inquiries, i.e. (a) a purpose test (are you pursuing a legitimate interest?), (b) a necessity test (is the processing necessary for that purpose?), and (c) a balancing test (do the individual’s interests override the legitimate interest?).
Furthermore, the GDPR clarifies that the ePrivacy Directive (i.e. EU Directive no. 58 of 2002) remains valid and in force and continues to govern the processing of personal data and the protection of privacy in the electronic communications sector. In fact, according to Article 95 of the GDPR, “this Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.”
Therefore, the ban (Article 13 of the ePrivacy Directive) on automated (‘cold’) approaches (through unsolicited phone calls, fax machines or electronic communication) to prospective customers for direct marketing purposes remains in place. The same goes for the opt-out option to be offered to customers with whom marketers have a business relation in place, allowing them to refuse further receipt of promotional messages for direct marketing purposes. The consent requirement (set in Article 9/1) for processing users’ location data also remains in place.

National specificity in implementing GDPR.

Although the GDPR is immediately binding on all EU Member States, it allows a little bit of flexibility on a national level. Therefore, marketers will always need to check whether some ‘surprise’ is buried in the national implementing provisions of the GDPR.
In Italy, such implementation was performed through an update of the Privacy Code previously in force (a Consolidated Act harmonizing all provisions adopted over the years to govern the processing of personal information).
The updated Privacy Code contains several provisions affecting direct marketing services:
- If the user’s device allows for caller identification, then the provider of a publicly accessible electronic communication service must offer – free of charge – a function enabling the user to block contacts originating from certain numbers.
- Users’ location data different from those strictly relating to traffic may be collected and processed only if anonymized or on in-advance notice about the collection’s nature and scope and on the user’s in-advance consent (so the system is strictly opt-in).
- Users receiving annoying calls may ask the provider of a publicly accessible communication service to monitor (and to collect evidence of) such calls over a period not exceeding 15 days. The data collected are made available to the recipient of the annoying calls, who may use such data exclusively to defend his right to privacy.
- With respect to unsolicited communications, the Code confirms that the strictly opt-in system set by the implementing provisions of the ePrivacy Directive is maintained and that such requirement applies to all electronic communications performed for market research or marketing purposes via e-mail, fax, MMS (Multimedia Messaging Service), SMS (Short Message Service) or other means.
- The Code allows using the phone or ordinary (paper) mail for the purpose of sending marketing material, of promoting direct sales and of performing market research or commercial communication, provided the targeted individual has not made known his/her opposition to such practice by registering with a specific do-not-call / do-not-send register. Section 130 of the Privacy Code then details the characteristics and functions of such register as well as the powers assigned to the Privacy Commissioner in order to ensure compliance.

Some more national specificity.

In January 2018 – several months before the update of the Privacy Code – the local lawmakers had already taken issue with overly aggressive telemarketing practices through Law no. 5 of 2018.
This Law:
- allows all holders of a phone connection – be it a fixed or a mobile one – to register all of their phone numbers with a public do-not-call list in order to prevent contacts performed for marketing or direct sales purposes as well as those intended to pursue the scope of market research or of commercial communication in a broader sense,
- sets that the enrollment in such list makes void any consent previously given – in any form, through any means and to any subject – for the purposes mentioned above (exempting from such effect only consent given in the context of an existing – or terminated for less than 30 days – contractual agreement for the delivery of products or services; it remains necessary, however, to offer such clients an opt-out option),
- strictly bans the communication to third parties, the transfer and the diffusion of all data contained in the do-not-call list,
- provides for fines in cases of infringement of its provisions (repeated non-compliance can lead to suspension or revocation of the infringer’s business license),
- puts on all businesses making use of telemarketing or tele-sales techniques (or performing market research or commercial communication) the specific burden of conducting a monthly check (and another one prior to the launch of a new promotional campaign) on the do-not-call list,
- requires all companies making use of such techniques to provide the Privacy Commissioner with two specific caller identifying codes allowing to immediately distinguish contacts performed for statistical purposes from those intended to pursue marketing or sales scopes or market research intents (call center services – even if outsourced – must apply to the local Communication Commissioner to receive dedicated prefixes and numbers, making the contacted individuals aware of the scope of the call),
- sets a complete ban on the use of automated calling systems, even with respect to individuals not registered with the do-not-call list.
The Law, while in force since February 8, 2018, is not entirely effective as some implementing regulations have yet to be prepared and issued.

We are not yet finished here! There is also an Ethics Code to consider.

Article 40 of the GDPR encourages associations and other entities representing categories of data controllers or processors to prepare and adopt codes of conduct to assure compliance with the Regulation of the activities of their members as far as they involve the processing of personal information.
Following up on such recommendation, ASSOCONTACT (the Italian association gathering the companies delivering contact services in outsourcing) has prepared – in cooperation with some of the most relevant local consumer protection associations – a code of conduct (to be understood as a self-regulation standard for all companies adhering to the association).
The Code – among other provisions – sets several principles to be respected when companies interact with consumers. In detail, the Code calls for:
- correct and transparent behavior (expressly banning any ambiguous, incorrect, misleading practice),
- phone contacts to be performed ‘at reasonable hours’ (i.e. from Monday to Friday: not before 9:00 am and not after 9:00 pm – on Saturday not before 10:00 am and not after 7:00 pm – never on Sundays or on public holidays),
- the consumer being immediately informed (at the beginning of the contact) about the caller’s ID, the scope of the call, the subject on whose behalf the call is performed, the main characteristics of the promoted product or service, its price (inclusive of taxes and delivery costs), terms and conditions for payment, post-sales assistance, guarantees, how personal data are processed as well as the source from which such data have been drawn, right of withdrawal,
- on consumer’s request the contact must be terminated immediately,
- contact service providers must make sure that the targeted individual has not registered with the do-not-call list,
- their staff is required to maintain a courteous and polite attitude during the entire conversation, to use clear and easy to understand language, to refrain from ‘insisting’, to inform whether – and to which purpose – the conversation is recorded, to comply with the specific in-advance information requirements set for distance sales, and to ascertain that the contacted person is of legal age and has full capacity.


Even in today’s digital environment direct marketing remains a valuable tool for promoting products and services. However, it is a marketing technique which can easily bring a company onto swampy ground for various reasons. Marketers will need to carefully consider the risk that overly aggressive practices may easily have the boomerang effect of leaving prospective customers terribly annoyed. Therefore, companies relying on direct marketing must be smart in choosing an appealing and appropriate approach to their prospective consumer base. But – above all – they must avoid the many traps local regulations set for such promotional technique.