Telemarketing activities in compliance with GDPR and Italian regulations

In a press release dated June 9, 2023, the Italian Data Protection Authority (the "Italian DPA") announced the adoption of a new package of corrective and punitive measures aimed at addressing the practices of unwanted telemarketing calls by certain companies operating in the energy and telecommunications sectors (orders n. 181, 182, and 183, available only in Italian).


Telemarketing is a form of direct marketing that involves selling products or services through telephone contact with potential customers. The main objective of telemarketing is to generate sales or acquire customers through phone interactions.

Telemarketing activities can be carried out by companies managing their marketing internally or by specialized telemarketing companies, also known as call centers. Companies use telemarketing to reach a wide audience of potential customers directly and efficiently.

The main types of telemarketing are:

  • Outbound telemarketing: in this approach, sales representatives make active calls to phone numbers listed in directories or databases. The goal is to establish contact with potential customers, present the products or services offered by the company, and try to generate sales or set up appointments for further discussions.
  • Inbound telemarketing: here, potential customers call a dedicated number provided by the company to request information, make purchases, or receive assistance. Sales representatives handle these incoming calls, providing answers to customers' questions, offering advice, and attempting to conclude sales or provide support.

Telemarketing practices can be used for various purposes, such as selling products or services, generating leads of potential customers, conducting market research, promoting events, or providing post-sales support.

Considering that telemarketing activity is increasingly considered unwanted and aggressive by consumers and can be perceived as annoying, several authorities have adopted specific regulations and measures aimed at regulating telemarketing practices. These regulations may include explicit consent from consumers to be contacted or compliance with restrictions on call times.

For example:

  • the Ministry of Economic Development provides a free public service called the "Registro Pubblico delle Opposizioni" (“RPO”), which is a public opt-out registry available to citizens. Since July 27, 2022, the RPO has been extended to include mobile phone numbers. The RPO aims at preventing, in case of registration, being contacted by telemarketing operators unless they have obtained specific consent to use the data after the registration date to the RPO or within an existing contract or one that has ceased no more than thirty days ago, relating to the supply of goods or services, for which the possibility of revocation must still be ensured through a simplified procedure. It is an opt-out of unwanted telemarketing calls by revoking consent to advertising, and of the transfer to third parties of previously provided personal data. Telemarketing companies must consult the RPO monthly and, in any case, before carrying out advertising campaigns by telephone. The opt-out may also refer to paper advertising if the address is in public telephone directories.
  • the code of conduct for telemarketing and teleselling, approved by the Italian DPA on March 24, 2023, at the conclusion of a public consultation procedure, aims at curbing behaviors that conflict with the regulations on the protection of personal data and infringe on fundamental rights and human dignity. The aim is to stimulate consumers' confidence in telemarketing promotional activities conducted over the phone.

Orders by the Italian DPA

The investigations were started by the Italian DPA following various complaints and reports from data subjects regarding critical issues identified in the course of telemarketing activities that had already been subject, in some cases, to previous corrective measures issued by the Italian DPA itself.

The main critical issues that arose from the different measures taken by the Italian DPA include:

  • Repeated receipt of promotional phone calls by companies, in some cases to private phone lines and, in other cases, to numbers registered in the RPO.
  • Failure or delay in responding to requests to exercise the rights of data subjects according to Articles 15 to 22 of the EU Regulation 2016/679 (“GDPR”).
  • Inability to access the privacy notice during online purchases.

The main purpose of the package of measures issued by the Italian DPA, as stated by the Authority itself, was to put an end to all unwanted telemarketing practices and to highlight, once again, the need for adequate control by the companies that commission the entire chain of operations leading to the conclusion of a contract.

In particular, at the conclusion of each investigation initiated by the Italian DPA against different companies, and after analyzing the replies provided by the companies, even though they defended themselves by claiming their innocence in the violations, the Authority started proceedings for the adoption of corrective and punitive measures due to the violations, specifically regarding the following provisions of the GDPR:

  • Articles 5(2) and 25(1) of the GDPR: the violation of the principle of accountability and privacy by design, for failing to effectively counteract the phenomenon of improper promotional contacts made on their behalf, exercising (and being able to demonstrate) their attributions, which correspond to the duties of accountability and privacy by design (through elements of prevention, functionality, security, transparency of processing, and the centrality of the data subject).
  • Articles 12(3), 17, and 21 of the GDPR: for failing to fulfill the obligation to respond to requests to exercise the rights of data subjects, made in accordance with Articles 17 and 21 of the GDPR, even though it is a duty of the data controller to assess the correct receipt of requests from data subjects and provide appropriate responses.

Furthermore, in injunction no. 183 issued on April 23rd, the Italian DPA concluded that it is illegal to process the order of a customer contacted with a commercial phone call if the customer has not given prior consent to receive it. In this regard, the company is required to rectify the situation by acknowledging the original violation to the customer and asking if, despite this, the customer intends to confirm the order. This conclusion leads to severe contractual consequences for unwanted telemarketing calls.


The Italian DPA’s measures clearly demonstrate increasing attention towards telemarketing activities and, in particular, unwanted telemarketing calls, as well as aggressive and invasive practices against consumers. The actions taken by the Italian DPA to protect data subjects’ personal data and ensure compliance with regulations are essential to provide consumers with more confidence.

Indeed, although telemarketing is an important direct marketing strategy, it can be perceived as annoying and invasive by consumers. For this reason, several measures have been introduced to regulate this practice and protect users, such as the need for explicit consent from consumers to be contacted and compliance with restrictions regarding the call times.

In conclusion, the new package of measures adopted by the Italian DPA represents a significant step towards higher consumer protection and the strengthening of rules for telemarketing activities in compliance with the GDPR. Companies involved in this marketing approach must be aware of existing regulations and implement appropriate measures to protect personal data and ensure an ethical and effective approach to their operations. Only in this way can companies establish a relationship of trust with consumers and contribute to the construction of a marketing environment that respects regulations and citizens’ rights.