Limit Call S.r.l.s. – €60,000 Fine (Italy, 2023)

Limit Call S.r.l.s. (the controller) came under the scrutiny of the Italian DPA following a complaint alleging the reception of unsolicited telephone calls without the necessary consent of a complainant. In a previous decision, the DPA had already imposed an administrative fine of €10,000 on the controller for a breach of [https://www.garanteprivacy.it/codice Article 157 of the Italian privacy code], as the controller failed to cooperate with the DPA in the context of the same facts. To investigate further, the DPA conducted an on-site inspection at the controller's registered office on 23 and 24 May 2023. The primary objectives were to determine the origin of the complainants' personal data and evaluate the legal basis for the contested telephone calls. The controller, operating as a call center in the teleselling sector for electricity contracts, asserted that it obtained the complainants' contacts from a list provider in Moldova, from which it obtained a total of 100,000 contacts. Notably, no specific contract was signed with this list provider, prompting questions about the legitimacy of data acquisition. Following the investigation, the Italian DPA found the controller liable for multiple GDPR violations. Firstly, the call script used by the controller during promotional contacts lacked all the essential information required by Article 13 GDPR and Article 14 GDPR, violating data subjects’ rights. The DPA further found that the controller conducted these promotional contacts without the informed consent of the data subjects. Indeed, the controller failed to provide suitable documentation demonstrating the lawfulness of the acquisition of registry lists from the third party. Therefore, the controller breached Article 5(1)(a) GDPR, Article 6(1)(a) GDPR, Article 7 GDPR, and [https://www.garanteprivacy.it/codice Article 130 of the Italian privacy code], since the controller neglected to exercise proper control over the acquired lists, and failed to ensure complia