Unsolicited Telephone Services: Enhancing the Safeguards for Citizens - 16 February 2006 
(Provision of 16 February 2006, as published in Italy's Official Journal no. 54 of 6 March 2006)
[doc. web n. 1290823]
[ doc. web n. 1242592]
Unsolicited Telephone Services: Enhancing the Safeguards for Citizens
(Provision of 16 February 2006, as published in Italy´s Official Journal no. 54 of 6 March 2006)
THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
Having convened today, with the participation of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Giovanni Buttarelli, Secretary General;
Having regard to the Personal Data Protection Code (legislative decree no. 196 of 30 June 2003);
Having regard to the records on file;
Having regard to the considerations made by the Secretary General pursuant to Section 15 of the Garante´s Rules of Procedure no. 1/2000;
Acting on the report submitted by Mr. Giuseppe Fortunato;
The Garante has received several claims, reports and enquiries pointing to the occurrence of repeated violations of the right to the fair, lawful use of personal data in the provision of electronic communications services.
The said violations are related to the unauthorised activation of unsolicited telephone contracts, cards and/or services, which appears to have occurred on a large scale also based on several complaints lodged with the Garante.
Taking account of the number of issues and entities involved, the Garante has considered it necessary to issue a general provision in order to lay down framework safeguards ensuring respect for citizens´ fundamental rights and freedoms.
This is meant to draw the attention of all the entities that process personal data in providing goods or services as well as to set out the necessary guidance to bring such processing operations into line with the DP Code.
The allegedly unlawful conduct of dealers located in the Italian territory and/or electronic communications service providers (hereinafter, the "providers") is only taken into consideration insofar as it falls under the scope of competence of the Garante. This is without prejudice to such other rights and remedies as are available to data subjects under contract laws and/or criminal law as well as by having regard to administrative law in respect of the appropriate performance of the services delivered by a provider or dealer on the basis of licences, authorisations and/or concessions.
1. The Problems at Stake
1.1 Mobile Phone Cards Activated on behalf of Unwitting Data Subjects
Several reports concern the undue processing of data related to individuals who appear to be the holders of mobile phone cards – at times hundreds of them – activated without their being aware thereof. In some cases the Garante was contacted directly by the judicial authorities investigating the unsolicited activation of such cards within the framework of criminal proceedings.
The cases considered show that the holders have become aware of the activation of those cards either belatedly or in a limited number of cases, at times exclusively because they had lodged requests for accessing their personal data with the provider(s). Meanwhile, the cards were being used for activities that at times entailed unpleasant consequences to the holders; in some cases, the latter have actually been the subjects of criminal investigations in connection with interceptions on and/or the telephone traffic related to the unlawfully registered card(s), or else because the card(s) have been used by other individuals within the framework of criminal activities. Some of the cards have actually been registered under the names of deceased persons.
1.2 Activation of Unsolicited Carrier Pre-Selection
The records on file show that some personal data concerning subscribers have been processed by (or on behalf of) another provider without informing the subscribers as per the law and/or obtaining their prior consent.
The aforementioned processing is carried out in order to activate routing towards a provider other than the original one by means of the so-called carrier pre-selection (hereinafter, "cps"). Some data subjects have been contacted by phone and/or via home visits and the unsolicited cps has been activated even though the provider – or the entity acting on the provider´s behalf – had only described allegedly advantageous tariffs to the data subjects in question, or had merely requested their consent to the delivery of information and/or advertising materials. Unsolicited activations have also been undertaken in cases where the data subjects had clearly signified their objection to the initial contact.
The data subjects have often realized that they had become customers upon receiving various communications by the relevant operators, consisting at times in invoices and/or payment notices related to supposedly provided services, or else in payment injunctions sent by credit factoring companies.
1.3 Additional Telephone Services Activated by One´s Provider or by Another Provider
Other personal data concerning subscribers have been found to be processed inappropriately, also by providers other than the one subscribed to, in order to activate additional telephone services such as automatic answering services, flat tariffs, or fast Internet navigation. This has happened without providing the required information notices and obtaining the data subjects´ consent.
2. The Investigations Performed
In order to carry out an in-depth assessment, the Garante requested information from and carried out inspections at both the providers involved and the dealers stipulating contracts and activating mobile phone cards. Special attention was paid to the categories of data at issue, the purposes, mechanisms, and logic of the processing operations, and the arrangements made to protect data subjects´ rights and respect personal data protection legislation.
The documents in question show that a considerable number of violations have resulted from the additional inappropriate use of the personal data by entities that at times fail to be identified – in such cases the data subjects´ signatures appear to have been forged – or else from typos or other mistakes made by dealers and providers.
Finally, it appears that several phone cards have been activated by using the data taken from ID documents the data subjects had been requested to produce in order to register only the cards they had actually applied for. In some cases this practice has been followed to activate the greatest possible number of prepaid cards from a given provider in connection with the "incentive plans" addressed to dealers, who are remunerated and/or granted other benefits depending on their capability to sell a given amount of cards.
3. The Personal Data at Issue and Their Collection Mechanisms
The names and other data related to both subscribers and holders of pre-paid cards – including their phone numbers – are to be regarded as personal data since they relate to identified and/or identifiable entities; hence, they fall under the scope of the DP Code´s provisions (Section 4(1), letter b)).
This means that all the entities involved in processing such data are required to ensure that the data are collected and stored for specific, explicit and legitimate purposes and processed, also thereafter, fairly and lawfully by complying with the provisions contained in the DP Code as well as with any other relevant legislation as related to data processing – including the requirement to identify subscribers to and purchasers of pre-paid mobile phone cards before activating the respective services, i.e. at the time the electronic cards are delivered and/or made available. Based on this requirement, providers must also take all the necessary measures to ensure acquisition of the identification data reported on the ID document produced by a purchaser, including the respective type and number and a copy thereof (as per Section 55(7) of the Electronic Communications Code – legislative decree no. 259 of 1 August 2003 as amended by Act no. 155 of 31 July 2005 ).
4. The Checks to Be Carried out Concerning Multiple Activated Prepaid Cards
As for the activation of prepaid mobile phone cards, it is necessary for the providers to devise ad-hoc procedures – as partly already done by some of them, albeit in accordance with different mechanisms – to allow more timely detection of cases in which several cards have been registered by the same provider under the same individual´s name.
By having regard to the practice followed so far by the providers, it is appropriate for the new procedures set out herein to apply to those cases in which more than four and seven cards are registered under the names of natural and legal persons, respectively.
If the above thresholds are exceeded, the provider must authorise activation of additional cards by following a more accurate check procedure to establish the registrant´s actual intention, whereby a suitable declaration to that effect must be obtained directly from the said registrant and records of the declaration must be kept also by the provider.
Regarding the activations already performed as of the date on which this provision is issued, all providers should carry out the aforementioned checks whenever the number of registrations is in excess of the above thresholds and also lay down mechanisms to expeditiously obtain declarations by the registrants confirming the said registrations; additionally, the providers should keep records of the said declarations.
5. Information Notices to be Provided upon Service Activation
Promotional calls and communications aimed at activating new services via call centers may only be made in respect of individuals whose personal data may be lawfully processed, in particular by respecting their rights as set out in the new provisions concerning universal service telephone directories and/or specialised phone directories (see Provisions by the Garante of 15 July 2004 and 14 July 2005).
It is necessary to provide data subjects, or prove that data subjects have been provided, with suitable, unambiguous, effective information including, as per the law, a reference to the possibility for them to object to the processing, the consequences in case they do not provide the data, and the identification data concerning data controller and processor (see Section 13(3) of the Code).
Providers and call center managers must also specify the source of the data ever since the promotional call and/or communication is made, in order to allow the contacted individual to immediately appreciate which entity has provided and/or holds the data and the respective details. This should be done irrespective of whether a request is made to that effect by the recipient.
6. Data Subjects
The relationships between providers and the dealers and/or entities in charge of managing information and customer care activities (so-called "call centers") are often far from unambiguous in particular as for the role played by the individual entities in respect of the processing.
This results into a blurred picture and makes it quite difficult for data subjects both to detect who activated unsolicited cards and services without being authorised and to quickly remedy those situations by applying to a well-defined data controller and/or processor.
Where a provider does not directly manage the provision of goods, services and other activities, he or she must clarify – both within the respective organisation and in respect of data subjects – the role played by dealers and other external collaborators in connection with the processing.
If the latter entities are appointed as data processors, such appointment must correspond to the relationships actually existing as for the data protection aspects, and it must go hand in hand with continuous (sample) checks on the activities carried out in concrete – with particular regard to agents and dealers.
Agents and dealers are to be regarded as data controllers in respect of the processing of the data used for service activation if, based on the arrangements applying to their activities, they are empowered to autonomously and concretely decide on the mechanisms and purposes of the processing carried out within the respective scope of activity (see Section 4(1), letter f), of the Code). In that case, they must abide by the obligations set out in the Code, in particular those referred to above concerning the provision of information notices, the acquisition of consent, where necessary, and the adoption of suitable security measures. At all events, providers may not fail to comply with the requirement to verify as appropriate all the external entities that, possibly in their capacity as autonomous data controllers, might have a stake in the unsolicited activation of services.
7. Data Security
On account of the risks to data subjects, all the entities involved in the processing (data controllers, data processors, and persons in charge of the processing) must ensure a high data security level; this also applies to call centers.
In addition to adopting the minimum security measures referred to in Section 33 and subsequent ones and in Annex B to the Code, it is necessary to keep and store the lawfully collected personal data by means of security measures that can minimise the risk of unauthorised access and/or processing operations that are unlawful or inconsistent with the purposes for which the data were collected (Section 31 of the Code).
In order to protect data subjects in case of claims, data controllers must develop or enhance tools – including computerised tools – that can identify the person in charge of the processing who is responsible for the activation at issue.
8. Exercise of Data Subjects´ Rights
Data controllers must take suitable organisational measures to make available simple tools in order for data subjects to exercise their rights (Section 7 and Section 10 of the DP Code).
Where a person, after being contacted, objects, also directly, to the use of his/her data with a view to activating the service proposed and/or to additional promotions, also of a different nature, the provider´s internal or external call center must immediately record the person´s signified intention and take the appropriate measures in order to comply with the person´s request.
When replying to a request for information on the source of the personal data at issue, the controller must include information on identity and specific contact details of the dealer that activated the unsolicited service and/or subscription.
Similarly, if fixed telephony services and/or subscriptions are activated following a merely promotional call or communication that was made not by the provider, but by the entity managing a call center on the provider´s behalf, the data subject must be enabled to know the said manager´s identity and specific contact details.
Finally, after performing the required checks, if any, the requests to have the data rectified and/or the services or subscriptions discontinued must be complied with promptly and free of charge to the data subject, where his/her data have been processed inappropriately, irrespective of whether a new telephone line must be activated with the original provider (see the decision taken by the Authority for Communications Safeguards on 2 April 2003 concerning carrier pre-selection).
The high number of cases entailing unsolicited service activation requires quick implementation of safeguards applying to data subjects; those set out herein, where not already provided for expressly in the DP Code and/or other legislative instruments, must be implemented by the relevant data controllers by May 31, 2006.
BASED ON THE ABOVE PREMISES THE GARANTE
a) in pursuance of Section 154(1), letter c), of the Code, orders data controllers to adopt, under the terms referred to in the premises, the measures required in order to bring the processing of personal data related to the provision of electronic communication services into line with the principles set out herein. In particular, the Garante orders the aforementioned entities to take the following measures:
- making available, in connection with the activation of prepaid mobile phone cards, specific procedures to allow more timely detection of cases in which several cards are registered under the name of the same person (at least four cards if natural persons are concerned, and at least seven cards with regard to legal persons), and authorise activation of new cards on the basis of more accurate checks to establish the registrant´s actual intention and obtain direct confirmation from the registrant via suitable mechanisms;
- verifying whether multiple cards were activated in the past and setting out procedures to deal with the cases in which the thresholds referred to under 1) are found to have been overstepped;
- carefully assessing the relationships between dealers and/or managers of information and customer assistance services, on the one hand, and data controller/processor, on the other hand, and ensuring more adequate checks on all external entities;
- specifying the source of the data during a promotional call and/or communication performed by staff and managers of call centers, irrespective of whether this is requested by the recipient;
- developing or enhancing tools suitable for identifying the person in charge of the processing that activated the service;
- immediately recording, at the internal and/or external call center, the contacted person´s signified objection to the use of his/her data for activating the service proposed and/or for additional promotions, and adopting suitable procedures to ensure compliance with that objection;
- taking suitable organisational measures to facilitate exercise of data subjects´ rights and comply with the requests concerning the source of the personal data at issue, by also providing the identification data of the dealer that activated unsolicited services and/or cards, or of the entity that carries out call center services on the provider´s behalf;
b) in pursuance of Section 154(1), letter c), and Section 157 of the Code, orders the providers of electronic communications services to comply with the requirements set out in letter a) by no later than May 31, 2006 and inform the Garante of their compliance by the said deadline;
c) orders that a copy of this provision be sent to the Ministry of Justice – Publishing Department in order for it to be published in the Official Journal of the Italian Republic under Section 143(2) of the Code, as well as to the Authority for Communications Safeguards.
Done in Rome, this 16th day of February 2006
THE SECRETARY GENERAL