The Italian Data Protection Authority, Il Garante, published new Guidelines regarding the use of cookies and other tracking technologies on 10 July.  The new guidelines are a hot topic in Italy, as they put the data practices of all Italian companies under a scrutinizing spotlight. 


From January 10, all companies who have failed to become compliant risk incurring severe penalties. 


In this article we look at some of the main requirements from the Garante on the use of cookies, as well as 3 fines recently inflicted on Italian companies. What were they doing wrong? And how can you avoid your company being next? Carry on reading to find out.






The main changes made by the Garante concerning data processing 


On July 10, the Italian Data Protection Authority published a set of Guidelines on the use of cookies and other tracking tools. They highlighted certain requirements for compliant data processing. For example, the Garante no longer accepts legitimate interest as a legal basis for data processing, and gives greater importance to consent. A failure to comply can result in large fines, as we will see later in this article. 


Here are 4 main changes in consent collection:


  • Consent must be obtained by means of a free and specific act of the individual;

  • The person concerned must be able to withdraw their consent easily and at any time; 

  • The owner of the website or application must respect the principles of privacy by design and privacy by default; 

  • The owner of the website or application must respect data storage periods, i.e. 2 years for marketing purposes.


€16,729,600 fine on Wind Tre S.p.A:  Unlawful data processing for promotional purposes


On 9 July 2020, the Garante Privacy imposed an almost €17 million fine on Wind Tre S.p.A, one of the largest telephone companies in Italy, for unlawful processing of data for promotional activities. 


So, what exactly was unlawful about Wind Tre S.p.A’s data processing?


  • Sending promotional contacts via sms, phone, email, fax or automated calls, despite the user having refused beforehand to receiving such communications;

  • Collecting consent for different processing purposes at each new access of the user on the app, except to allow revocation within 24 hours;

  • Publishing an unclear privacy notice that easily misled the user into giving their consent; 

  • Blocking navigation if the user did not first accept tracking on the cookie banner of the website.


The above mentioned practices cannot be considered lawful and the collected consent cannot be considered valid because it was not freely given by the user.


The Italian Data Protection Authority prohibited Wind Tre S.p.A. from using user data without prior consent, and ordered them to implement solutions that respect user privacy and wishes not to be disturbed by unsolicited promotional activities.


Concerned Wind Tre S.p.A was not the only phone company involved, the Garante launched a campaign of further checks on other telecom companies. Further penalties were imposed for unsolicited commercial offers…


Wind Tre’s cookie banner, which is non-compliant as it does not provide the user with the possibility to make a choice.


€8,500,000 fine to Eni Gas e Luce: Insufficient legal basis for data processing


Eni Gas e Luce, a leading gas and electricity provider, received a €8,500,000 fine from the Garante for sending promotional calls without the individuals' prior consent or after the individuals’ opposition to receiving such calls.


Eni Gas e Luce carried out various unlawful behaviors:


  • Lack of checks on their data to be sure that they were correctly collecting users data with consent; 

  • Unlawful marketing activities through undesirable calls made to persons who had not given their consent; 

  • No consideration was given by the company to the refusal of data subjects to allow their personal data to be processed; 

  • Retention of personal data for longer than is necessary for the purposes for which they were collected, i.e. for more than 2 years;

  • Failure to respect privacy by default, i.e. when only data strictly necessary for each specific purpose of the processing are processed by default (without the intervention of the user). 


The Italian Garante ordered Eni Gas e Luce to implement systems to check the status of users' consents before proceeding with any kind of promotional activity. The Garante also ordered Eni Gas e Luce to stop using data provided by other providers and to review its data storage periods for marketing purposes.


Eni Gas e Luce’s cookie banner, which could be perfectly compliant if  only it gave the user a "refuse" option on the first layer of the banner.


€2,856,169 fine to Iren Mercato S.p.A.: Unlawful collection of personal data 


On 13 May 2021, the Privacy Garante imposed an almost €3,000,000 fine on Iren Mercato S.p.A., one of the largest electricity companies in Italy, for having carried out unlawful direct marketing activities for promotional purposes without first obtaining user consent. Millions of people were implicated. 


The sending of information and commercial offers was also carried out by third parties, who collected data on their websites and then sent them to Iren.


Iren Mercato S.p.A. did not comply with several principles described in the Garante Guidelines, including: 


  • The principle of accountability, i.e. you are required to take responsibility for the ways in which your company uses personal data. You must have appropriate measures and records in place to be able to demonstrate compliance; and 

  • The principle of privacy by design, which requires that companies prioritize personal data protection in the way they use technology.


It appears that Iren contested these remarks by justifying the treatment of personal data as  “legitimate interest”. However, using legitimate interest as a legal basis for its marketing activities is no longer accepted by the Garante.


Iren’s cookie banner, which is compliant as it gives the user the choice between accepting or refusing cookies and provides the user with a link to a second layer where he/she can indicate his/her preferences on a more granular level.


Ensure compliance with Didomi 


The Italian Garante is the second most active European authority in terms of sanction enforcement. All companies are involved, both small and large. An example is Deliveroo, one of the largest online food delivery companies, who received a €2,500,000 fine for illegally processing around 8,000 users’ personal data and for other GDPR violations. 


By 10 January 2022, the Garante aims to fine all website and application owners who fail to comply with their Guidelines. For this reason, it is a good idea to arrive prepared - don’t wait until the last minute to comply. 


Discover Didomi for Compliance


Gartner estimates that, by 2023, 65% of the world’s population will have its personal data covered by bespoke regulation, mostly to address growing concerns around privacy and national sovereignty. 


Company data processing practices are becoming increasingly scrutinized. Didomi offers consent and preference management solutions that are in constant evolution, complying with local regulations. So, don't hesitate to contact us to kick-start your compliance journey today with one of our GDPR & Garante experts. 


  Request a demo