No to social spam. If an email address is on a social network, it does not mean that it can be freely used for any purposes. For example, the addressee’s consent is always necessary to send commercial offers.
For these reasons, the Italian Data Protection Authority has prohibited a further processing of email addresses without consent for marketing purposes.
The intervention of the Italian Authority started by a warning of a business consultant company which had reported the sending of many advertising emails to accounts of some of its promoters without the latter having authorized their receipt.
The investigations carried out by the Authority, in collaboration with the Special Privacy Unit of the Italian Finance Police, revealed that the collection of email addresses occurred also through the contacts on LinkedIn and Facebook or searching for them on social networks, as well as through other methods.
Only over the last two years the company has been sending around 100,000 advertising emails.
Therefore, the Authority considered the processing of email addresses to be unlawful also pursuant to the Guidelines of 4 July 2013 which regulated the phenomenon of “social spam”.
The data found on social networks and, more generally available online, cannot be used freely, explained the Authority. In fact, the company asserted with no legal basis that the registration to a social network implies a consent to the use of personal data for the marketing activity. This purpose is not compatible with the purposes of social networks, intended to share information and develop professional contacts, and not for marketing of products and services. This opinion is also supported by European Data Protection Supervisors, which have expressly excluded that the registration to a service on the web involves the legitimacy of the processing of personal data by other participants on the same platform for the purpose of sending commercial information.
In addition to the administrative notification already raised by the Special Unit for data processing without the necessary consent, the Authority has reserved the right to challenge the company for the violation of the obligation to supply the disclosure statement. Finally, the company was required to change the form of request for consent on the website, in order to make the marketing purpose clear.
(From the Newsletter of the Italian Data Protection Authority of 29 November 2017)