The Italian Data Protection Authority (Garante) has launched an investigation into Lusha Systems Inc., a U.S. company that offers corporate profiling services through an online platform accessible from Italy. The company is accused of selling email addresses and phone numbers of dubious origin, including those of Italian citizens and institutional representatives. This investigation was triggered by reports of unsolicited promotional calls based on data acquired through Lusha's services.
In a formal request for clarification sent to Lusha, the Garante highlighted the potential risks posed to individuals, especially those residing in Italy. The authority has mandated that Lusha respond within 20 days, detailing several crucial aspects of its data practices. Specifically, Lusha must provide information about the number of data points collected or processed that relate to people living in Italy, the methods used for data collection, and the sources that populate its database.
Furthermore, Lusha is required to clarify if and to what extent it processes personal data of users who do not actively use its platform. The Garante is particularly interested in the origins of the email addresses and phone numbers in Lusha's database. Key questions include whether Lusha obtains consent for commercial communications, advertising, or market research, and for what purposes this data is shared with users.
This scrutiny is not new for the Garante, which has been monitoring the illegal collection and commercialization of personal data for some time. Since January 2025, several real estate agencies have faced sanctions for promoting services using phone numbers sourced from third parties operating similarly to Lusha.
The Garante's concerns stem from numerous complaints received regarding unsolicited calls. Reports indicate that individuals have received promotional or commercial calls, suggesting that their contact information may have been accessed through Lusha's services.
In its communication, the Garante emphasized the importance of protecting personal data and ensuring that companies like Lusha adhere to legal standards. "The platform is accessible from Italy, and its services are provided to users connecting from Italy," the Garante noted. This accessibility raises significant questions about data privacy and the responsibilities of companies operating in the European market.
As the investigation unfolds, it remains to be seen how Lusha will respond to the Garante's requests. The outcome could have broader implications for the company and its operations in Europe, particularly regarding compliance with the General Data Protection Regulation (GDPR) and other local data protection laws.
Data protection experts have pointed out that the use of personal data without proper consent is a growing concern in the digital age. The Garante's actions reflect a commitment to enforcing privacy laws and protecting citizens from potential abuses in data handling.
The investigation into Lusha is part of a larger trend in which regulatory bodies worldwide are increasingly scrutinizing companies that deal with personal data. As digital platforms continue to expand their reach, the importance of transparency and accountability in data practices has never been more critical.
In conclusion, the Garante's investigation into Lusha Systems Inc. underscores the ongoing challenges and responsibilities associated with data privacy in today's interconnected world. As consumers become more aware of their rights, companies must navigate the complex landscape of data protection laws to maintain trust and compliance.