In general terms, all measures issued provide useful insights for regulating the processing of personal data with regard to the relationship between utilities and contracting agencies. However, practical concerns remain regarding the concrete measures to be implemented to comply with the principle of accountability.
The common thread in all the measures issued by the Authority is the alleged violation of the well-known, yet generic, principle of accountability. This principle requires data controllers, such as utilities, to implement adequate and effective technical and organizational measures to ensure compliance with the GDPR in relation to the processing activities carried out through agencies, which qualify as data processors.
Among the most recent measures, the Authority has sanctioned:
a) A company that verified the data processed and entered by agents into the company application by sending a communication to the address provided by the agents themselves. The Authority noted the lack of control over whether that address matched the address at which the supply was to be performed, the lack of traceability of the communication and its receipt, and the absence of an alert system able to detect the duplication of addresses entered by agents (provision No. 427 of 28 September 2023).
b) A company that checked the data collected by agents by contacting the customer through the contact details provided by the agent, either via SMS/email or through a so-called check call (i.e., a call to verify the customer’s identity). The Authority noted the lack of sufficient certainty that these contact details belonged to the actual user, the absence of a traceability system for the receipt of communications, and the lack of an alert system to detect anomalies, such as the insertion of recurring contact details, the IP addresses used, and the number of contracts signed by a single agency (provision No. 476 of 12 October 2023).
c) A company that allowed agents to acquire customers’ identity documents on the agents’ own devices instead of the company’s devices (with the associated risk of subsequent improper use of these data) and that performed the supply despite the negative outcome of the check call (provision No. 440 of 17 July 2024).
The provisions summarized above highlight the difficulties operators face when implementing technical and organizational measures to process customers’ personal data in compliance with the GDPR where personal data are collected by agencies.
In any event, with these provisions the Authority provides useful indications on the measures to implement in order to ensure that the processing carried out is GDPR-compliant, including in connection with relationships with agencies. On this point, the Authority recalls the need to:
a) Map personal data processes.
b) Establish rules for assigning responsibilities.
c) Organize staff training sessions.
d) Implement procedures to verify the work of the data processors designated under Article 28 of the GDPR.
e) Conduct internal and external audits periodically.
Furthermore, in order to support companies while implementing adequate technical and organizational measures, the Authority refers to specific rules previously indicated with provision No. 231 of 11 December 2019, such as:
a) Implementing a “blocking” check call system for all methods of contract acquisition by agents and agency sellers.
b) The obligation to record the check call if it was successful.
c) Implementing alert systems sensitive to various procedural anomalies (e.g., failed delivery outcomes, inaccuracy or incompleteness of acquired contractual data).
d) With reference to the instructions for agents and sellers, the introduction of the obligation to collect the potential customer’s identification document.
e) The importance of setting up periodic audit systems to verify the activities carried out by agencies.
f) With reference to the personal data of customers for whom it appears appropriate to suspend contractualisation, the implementation of a system that promptly restricts any further processing of their data pending additional checks.
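As an added illustration, not part of the original article or of any Authority provision, the following Python sketch shows how the controls described in the provisions above (blocking check call, alerts on duplicate supply addresses, recurring contact details, shared submission IP addresses and per-agency contract volume, and holding flagged contracts pending further checks) could be expressed in a utility's contract-intake pipeline. The `Contract` schema, its field names, the thresholds and the sample batch are all hypothetical.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Contract:
    """One contract submitted by an agent through the company application (hypothetical schema)."""
    contract_id: str
    agency: str
    supply_address: str
    contact_phone: str
    contact_email: str
    submit_ip: str
    check_call_ok: bool  # outcome of the blocking check call with the customer

def _norm(value: str) -> str:
    # Normalise free-text fields so trivial spelling/spacing variations do not hide a duplicate
    return " ".join(value.lower().split())

def review_submissions(contracts, dup_threshold=2, max_per_agency=10):
    """Return (blocked, alerts): ids of contracts whose supply must not start because the
    check call failed, and a map contract id -> list of anomaly tags to investigate."""
    addr = Counter(_norm(c.supply_address) for c in contracts)
    phone = Counter(_norm(c.contact_phone) for c in contracts)
    email = Counter(_norm(c.contact_email) for c in contracts)
    ips = Counter(c.submit_ip for c in contracts)
    agency_volume = Counter(c.agency for c in contracts)
    alerts = defaultdict(list)
    blocked = []
    for c in contracts:
        if not c.check_call_ok:
            blocked.append(c.contract_id)  # negative check call: no supply, hold pending checks
        if addr[_norm(c.supply_address)] >= dup_threshold:
            alerts[c.contract_id].append("duplicate_address")
        if phone[_norm(c.contact_phone)] >= dup_threshold or email[_norm(c.contact_email)] >= dup_threshold:
            alerts[c.contract_id].append("recurring_contact")
        if ips[c.submit_ip] >= dup_threshold:
            alerts[c.contract_id].append("shared_ip")
        if agency_volume[c.agency] > max_per_agency:
            alerts[c.contract_id].append("agency_volume")
    return blocked, dict(alerts)

# Constructed sample batch (not real customers, agencies or addresses)
SAMPLE = [
    Contract("C1", "AgencyA", "Via Roma 1, Milano", "+39 333 0000001", "mario@example.com", "198.51.100.10", True),
    Contract("C2", "AgencyA", "via roma 1,  milano", "+39 333 0000001", "luca@example.com", "198.51.100.10", True),
    Contract("C3", "AgencyA", "Via Dante 5, Torino", "+39 333 0000002", "anna@example.com", "198.51.100.11", False),
    Contract("C4", "AgencyB", "Corso Italia 9, Roma", "+39 333 0000003", "sara@example.com", "203.0.113.5", True),
]
```

In practice the alert output would feed the audit trail and the restriction mechanism of rule f), so that flagged contracts are neither activated nor further processed until a human check clears them.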
In light of the above, important indications arise for utilities seeking to regulate their relationships with the agencies that sign up final customers. However, uncertainties remain regarding the measures to implement in specific cases. In this regard, it is appropriate to proceed with a case-by-case assessment, taking into account, in addition to the measures illustrated here, the latest technological developments. All this, bearing in mind that ad impossibilia nemo tenetur (no one is bound to do the impossible).
Authors: Francesco Falco, Livia Lo Dico, Chiara Arcidiacono