With Injunction Order No. 316 of September 16, 2021 (the “Order”), the Italian Data Protection Authority (Autorità Garante per la Protezione dei Dati Personali – “Garante”) provided clarification on direct marketing through social media platforms in general and LinkedIn in particular.
The Garante initiated a proceeding against La Prima S.r.l. (the “Company”) in response to a complaint filed by a data subject (“Claimant”) who complained of receiving a marketing communication sent by the Company through LinkedIn. The communication offered real estate services for a specific property owned by the Claimant.
The Company justified this practice and claimed it had not infringed any data protection laws on the following grounds:
- Claimant’s LinkedIn profile was set to allow them to receive communication from any other LinkedIn user. This provided reasonable justification for a real estate agent to contact Claimant in what constituted a “free expression of a job opportunity.”
- The Company accessed the public real estate register to verify ownership of the property, and since the public registry was created for that very purpose, acquiring the personal data contained therein in no way constituted an infringement. The Company simply used the data acquired from the registry to ascertain that Claimant was, indeed, the owner of the property.
The Garante did not accept the Company’s arguments, though, and in rejecting them it provided useful insight into the data protection rules applicable to marketing through social networks.
Firstly, according to the Garante, every user’s expectations for use of a social network by other users are based on that social network’s terms of service, which every user must accept. LinkedIn specifically is a platform whose purpose is to connect users who share the same professional interests or who are seeking job opportunities. LinkedIn is not a platform whose purpose is to send or receive marketing messages for the sale of products and services. With this in mind, according to the Garante, whether Claimant’s LinkedIn profile was set to allow it to receive communications from other LinkedIn users is irrelevant from a data protection standpoint. Indeed, what is significant for such analysis is the purpose for which the communication was sent. Since the communication in this case was sent for promotional purposes, it contravened the platform’s terms of service and, therefore, the Claimant’s legitimate expectations.
In addition, the Garante found that the processing of personal data acquired via the public real estate register was in breach of article 5 GDPR. The real estate register may be accessed only to verify ownership of a certain property. However, while the acquisition of the data was found to be lawful per se, the Garante criticized the purpose for which that data was used (i.e., a promotional purpose), as that purpose was contrary to the purpose for which that same registry had been created and, therefore, represented an infringement of article 5 GDPR.
In light of the foregoing, the Garante found that the Company’s actions led to the processing of personal data—consisting of acquiring the data and sending a marketing communication—undertaken without a proper legal basis as required by article 6, paragraph 1, GDPR.
Notwithstanding the infringement, the Garante chose not to issue a sanction in light of the fact that (i) the Company’s conduct is an isolated case; (ii) the extent of the damage is not significant, since the Company contacted the Claimant only once and the personal data was not disseminated; and (iii) the Company is a micro-enterprise whose business has been strongly impacted by the pandemic. However, the Garante sanctioned the Company with an administrative fine of EUR 5,000 for its conduct during the proceedings, as it failed to reply to several of the Garante’s requests for information and provided no proper justification for its failure to do so.