The Italian Supervisory Authority has fined Verisure Italia for unlawful processing of personal data for direct marketing purposes

Background information

  • Date of final decision: 27 November 2025
  • National case
  • Controller: Verisure Italia srl
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 7 (Conditions for consent), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 13 (Information to be provided where personal data are collected from the data subject), Article 21 (Right to object)
  • Decision: Administrative fine, Compliance order, Erasure order
  • Key words: Administrative fine, Principles relating to processing of personal data, Consent, Transparency, Right to object, Data retention, Direct marketing, Exercise of data subject rights

Summary of the Decision

Origin of the case  

The Italian Supervisory Authority (SA) received a complaint from a former customer who had continued to receive unsolicited promotional text messages even after objecting to the processing of his data, and a report from a potential customer who, after requesting a quotation, had started receiving advertising calls, emails, and text messages. In both cases, the communications had persisted despite the exercise of the right to object provided for by the GDPR.

Key Findings

The company handled objection requests late, beyond the deadlines set out in the GDPR, and did not correctly collect, via the form on its website, the consent of potential customers for direct marketing purposes. In addition to not providing adequate information, the company effectively combined this consent with the potential customer's request for a price quote. In other words, the company treated the act of providing one's telephone number to obtain a personalized quotation as equivalent to consent to receive advertising calls.
Furthermore, the SA considered the period for storing potential customers' data for telesales purposes (12 months) to be excessive; this was the period within which the company believed it could contact the potential customer again if they did not accept the quote offered.

Decision

In addition to imposing a 400 000 EUR fine, the Italian SA prohibited Verisure Italia from further processing the personal data acquired unlawfully, ordered the deletion of data collected without valid consent, and required the company to bring its privacy policy into compliance with the GDPR. The company must also notify the SA, within sixty days, of all measures taken to comply with the EU regulations on the lawful processing of personal data.
The Italian SA has taken note of the measures already undertaken by the company during the investigation.

For further information: Marketing indesiderato: Garante sanziona Verisure Italia per 400mila euro  
