Garante per la protezione dei dati personali (Italy) - 9570997: Difference between revisions
mNo edit summary |
No edit summary |
||
Line 78: | Line 78: | ||
}} | }} | ||
The Italian DPA | The Italian DPA imposed a fine of € 4.501.868 on Fastweb S.p.A (an Italian telecommunications company) for having unlawfully processed the personal data of millions of users for telemarketing purposes. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
Following hundreds of complaints for continuous and insistent unwanted telephone calls from Fastweb with the aim of promoting its offers, the Italian DPA opened an Investigation. | Following hundreds of complaints for continuous and insistent unwanted telephone calls from Fastweb with the aim of promoting its offers, the Italian DPA ('Garante') opened an Investigation. | ||
The Garante found out firstly, that a large part of the telephone numbers selected came from abusive call centers that process personal data without respecting GDPR. Secondly, the Garante found out a wrongful management of contact lists, provided to Fastweb by external partners, without the latter having acquired the free, specific and informed consent of data subjects to the processing of their data. Thirdly, the Garante also noted the absence of adequate security measures for customer management systems. In fact, many users reported that they had been contacted by false Fastweb operators probably for the purpose of spamming, phishing and for carrying out other fraudulent activities. Other critical issues were found by the Guarantor in the promotional activity carried out by Fastweb in partnership with another party (e.g. Eni Gas e Luce S.p.A.) for using customer lists provided by the latter without consent to the marketing activity. Other violations concerned procedures adopted for the “Call me back” service, which prevented users from giving free, specific and informed consent and from deactivating the service in an automated manner. | The Garante found out firstly, that a large part of the telephone numbers selected came from abusive call centers that process personal data without respecting GDPR. Secondly, the Garante found out a wrongful management of contact lists, provided to Fastweb by external partners, without the latter having acquired the free, specific and informed consent of data subjects to the processing of their data. Thirdly, the Garante also noted the absence of adequate security measures for customer management systems. In fact, many users reported that they had been contacted by false Fastweb operators probably for the purpose of spamming, phishing and for carrying out other fraudulent activities. Other critical issues were found by the Guarantor in the promotional activity carried out by Fastweb in partnership with another party (e.g. 
Eni Gas e Luce S.p.A.) for using customer lists provided by the latter without consent to the marketing activity. Other violations concerned procedures adopted for the “Call me back” service, which prevented users from giving free, specific and informed consent and from deactivating the service in an automated manner. |
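Review bot: In the Facts paragraph, the new revision introduces the short form 'Garante' for the Italian DPA, but the same paragraph still says "Other critical issues were found by the Guarantor". Use 'Garante' there as well so the two names are not read as different bodies. The word "Investigation" in the sentence that gains the short form also does not need a capital.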
Revision as of 09:16, 28 April 2021
Garante per la protezione dei dati personali - 9570997 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 5(1) GDPR, Article 5(2) GDPR, Article 6(1) GDPR, Article 7 GDPR, Article 12 GDPR, Article 13 GDPR, Article 21 GDPR, Article 24 GDPR, Article 25 GDPR, Article 32 GDPR, Article 33(1) GDPR, Article 34 GDPR, Article 58(2)(d) GDPR, Article 58(2)(f) GDPR, Article 83(3) GDPR, Article 83(5) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 25.03.2021 |
Published: | |
Fine: | 4501868 EUR |
Parties: | n/a |
National Case Number/Name: | 9570997 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Italian |
Original Source: | Garante Privacy (in IT) |
Initial Contributor: | n/a |
The Italian DPA imposed a fine of € 4.501.868 on Fastweb S.p.A. (an Italian telecommunications company) for having unlawfully processed the personal data of millions of users for telemarketing purposes.
English Summary
Facts
Following hundreds of complaints about continuous and insistent unwanted telephone calls from Fastweb promoting its offers, the Italian DPA ('Garante') opened an investigation.
The Garante found, firstly, that a large part of the telephone numbers selected came from abusive call centers that process personal data without respecting the GDPR. Secondly, it found wrongful management of contact lists provided to Fastweb by external partners, without the latter having acquired the free, specific and informed consent of data subjects to the processing of their data. Thirdly, the Garante noted the absence of adequate security measures for customer management systems. In fact, many users reported that they had been contacted by false Fastweb operators, probably for the purpose of spamming, phishing and carrying out other fraudulent activities. The Garante found other critical issues in the promotional activity carried out by Fastweb in partnership with another party (e.g. Eni Gas e Luce S.p.A.), in which Fastweb used customer lists provided by the latter without consent to the marketing activity. Other violations concerned the procedures adopted for the “Call me back” service, which prevented users from giving free, specific and informed consent and from deactivating the service in an automated manner.
Dispute
The Italian DPA alleged violations of Articles 5(1) and (2), 6(1), 7, 12, 13, 21, 24, 25, 32, 33(1), and 34 GDPR. Fastweb submitted written defences, which were unable to overcome the allegations of violation.
Holding
The Garante ascertained the following violations:
1. Violation of Articles 5(1) and (2), 6(1), 7, 24 and 25(1) GDPR, since Fastweb did not implement systems for controlling the "chain" of collection of personal data that were suitable to exclude with certainty that illegal or unwanted promotional calls were followed by activations of services or signing of contracts which were then merged into the Fastweb databases.
2. Violation of Articles 5(1) and (2), 6(1), and 7 GDPR, since Fastweb S.p.A. acquired lists of personal data from third parties who, in turn, had acquired them as independent data controllers and who transferred them to Fastweb systems. The data transfer to Fastweb occurred in the absence of the prescribed consent for the communication of personal data between independent data controllers.
3. Violation of Articles 5, 6, 7, 12, 13, and 21 GDPR in relation to the methods of activation, provision of the information and revocation of the "Call me back" service.
4. Violation of Articles 24 and 32 GDPR, in relation to the multiple and systematic accesses to corporate databases containing personal data, for failing to implement measures of proportionate effectiveness to guarantee, and be able to demonstrate, that the processing is carried out in accordance with the Regulation, and to ensure the confidentiality and integrity of the systems and services on a permanent basis.
5. Violation of Articles 33(1) and 34 GDPR, for failing to notify the Garante and the data subjects of a personal data breach.
6. Violation of Article 5(1)(d) GDPR in relation to the various requests to exercise rights submitted by data subjects, for which system errors and delays in realigning and correcting data were detected.
7. Violation of Articles 5(1) and (2), 6, and 7 GDPR, in relation to the processing of personal data carried out to promote products and services in the absence of the required consent and given the unsuitability of legitimate interest as a legal basis.
For these reasons the Italian DPA, with the power conferred by Article 58(2)(d) and (f) and Article 83(3) and (5) GDPR, imposed on Fastweb multiple corrective measures and a fine of € 4.501.868.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.