Italian Data protection Authority, Garante privacy, ordered a company that did not acquire granular consent for marketing from members of its loyalty programs to:

(i)  stop processing personal data for marketing purposes if granular consent for the marketing/mailing was not acquired;

(ii) not start processing personal data for marketing purposes in future without obtaining such granular consent;

(iii) implement adequate organizational and technical measures to guarantee the correct management of the rights of individuals, and in particular the right to object to marketing; and

(iv) communicate, within sixty days from the date of receipt of this decision, appropriate documentation demonstrating implementation of the Garante’s requirements.

Additional Notes:

Failure to comply with the Garante’s requirements may be punished by imprisonment of three months to two years;

Garante rejected as not granular, and mixing promotional and contractual purposes the phrase: “communication to third parties for the purposes of verifying the degree of customer satisfaction and the management of the prizes ”

Read Garante’s full report.