EUR 10,000 fine for debtor data breach

The Italian supervisory authority (Garante) imposed a penalty on Cribis Credit Management s.r.l. following a complaint filed by an individual.
Cribis Credit Management, acting on behalf of the creditor Sky Italia S.r.l., sent messages demanding payment of subscription arrears to a third party's address as part of so-called soft debt collection. Instead of reaching the debtor's mailbox, the messages went to another employee of the same company where the complainant worked. As a result, an unauthorised third party found out about his debt.
The debt collector initially tried to contact the complainant by telephone. When these attempts failed, the debt collector’s staff decided to contact the debtor by e-mail using his supposed e-mail address found on the Internet. This e-mail, however, did not belong to the debtor; in fact, it was used by a third party. The Garante found that the creditor had not exercised due diligence, had not ascertained whether the debtor was actually using this address and had thus committed a breach.

Based on the nature of the breach, and taking into account that the controller is a professional in the provision of debt collection services, the supervisory authority imposed an administrative fine and published the content of the decision on its website as an additional sanction for non-compliance with data protection rules.
