Italian Data protection Authority, Garante privacy, ordered a company that did not acquire granular consent for marketing from members of its loyalty programs to:
(i) stop processing personal data for marketing purposes if granular consent for the marketing/mailing was not acquired;
(ii) not start processing personal data for marketing purposes in future without obtaining such granular consent;
(iii) implement adequate organizational and technical measures to guarantee the correct management of the rights of individuals, and in particular the right to object to marketing; and
(iv) communicate, within sixty days from the date of receipt of this decision, appropriate documentation demonstrating implementation of the Garante’s requirements.
Additional Notes:
Failure to comply with the Garante’s requirements may be punished by imprisonment of three months to two years;
Garante rejected as not granular, and mixing promotional and contractual purposes the phrase: “communication to third parties for the purposes of verifying the degree of customer satisfaction and the management of the prizes ”