With Order No. 321 of July 18, 2023 (“Order”), the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) issued a sanction, accompanied by corrective measures, against Italian telecommunications company Tiscali Italia S.p.A. (“Tiscali”).

The Order stems from a general investigation launched by the Garante in relation to the marketing and profiling activities undertaken by telecommunications operators. The Garante’s investigation of Tiscali was varied and covered (i) policies and consent mechanisms for processing personal data; (ii) call-back services through pop-ups; (iii) the use of the “soft-spam exemption” provided in Article 130(4) of Legislative Decree No. 196/2003 (Italian Data Protection Code); (iv) managing denials of and objections to processing; and (v) retention of personal data for marketing and profiling purposes.

The Order provides various legal insights into the relationship between the GDPR and the processing activities of telecommunications operators with reference to the practices listed above.

The most important conclusion reached by the Garante concerns the amount of time personal data collected for marketing purposes can be retained. According to the Garante, “Retaining personal data for marketing purposes until such time as the data subject revokes their consent for the processing, in accordance with Article 7 of the GDPR, is inappropriate, given that the data subject may well never change their preference or may leave it unchanged for years”.

To support this, the Garante cited the cornerstone loyalty card decision of February 24, 2005 (“Loyalty Card Order”), a parameter used in the years following its adoption. According to the Loyalty Card Order, personal data could be retained for a maximum of 12 or 24 months, respectively for profiling and marketing purposes related to loyalty card activities. In the Order, the Garante expressly stated that even though the Loyalty Card Order is no longer binding, it should still be used as a guideline, as should the data retention periods prescribed therein.

In light of the above, the Garante’s reasoning is that when the principle of accountability is applied to a sensitive matter such as data retention and balanced with the other fundamental principles in the GDPR, the data controller cannot adhere to that principle while deviating widely from the prescriptions of the Loyalty Card Order. In other words, the Garante sees retaining personal data for marketing purposes until the data subject revokes their consent under Article 7 GDPR as incompatible with the principle of retention limitation.

The Order seems to mark a change in the Garante’s approach to data retention for marketing purposes and could potentially affect market operators significantly. Only time will tell whether this will be a standalone decision, or if it is poised to become the Garante’s consolidated approach to such processing activities.