Garante per la protezione dei dati personali (Italy) - 9570997

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1) GDPR
Article 5(2) GDPR
Article 6(1) GDPR
Article 7 GDPR
Article 12 GDPR
Article 13 GDPR
Article 21 GDPR
Article 24 GDPR
Article 25 GDPR
Article 32 GDPR
Article 33(1) GDPR
Article 34 GDPR
Article 58(2)(d) GDPR
Article 58(2)(f) GDPR
Article 83(3) GDPR
Article 83(5) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 25.03.2021
Published:
Fine: 4501868 EUR
Parties: n/a
National Case Number/Name: 9570997
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante Privacy (in IT)
Initial Contributor: n/a

The Italian DPA imposed multiple corrective measures and a fine of €4.501.868 on an Italian telecommunication company for unlawfully processing the personal data of millions of users for telemarketing purposes.

English Summary

Facts

Following hundreds of complaints about continuous and insistent unwanted telephone calls from Fastweb promoting its offers, the Italian DPA opened an investigation.

The Garante found, firstly, that a large part of the telephone numbers selected came from abusive call centers that process personal data without respecting the GDPR. Secondly, it found wrongful management of contact lists provided to Fastweb by external partners, without the latter having acquired the free, specific and informed consent of data subjects to the processing of their data. Thirdly, the Garante noted the absence of adequate security measures for customer management systems: many users reported that they had been contacted by false Fastweb operators, probably for the purpose of spamming, phishing and carrying out other fraudulent activities. The Garante found other critical issues in the promotional activity carried out by Fastweb in partnership with another party (e.g. Eni Gas e Luce S.p.A.), in which customer lists provided by the latter were used without consent to the marketing activity. Other violations concerned the procedures adopted for the “Call me back” service, which prevented users from giving free, specific and informed consent and from deactivating the service in an automated manner.

Dispute

The Italian DPA alleged violations of Articles 5(1) and (2), 6(1), 7, 12, 13, 21, 24, 25, 32, 33(1), and 34 GDPR. Fastweb submitted written defences, which were unable to overcome the allegations of violation.

Holding

The Garante ascertained the following:

1. Violation of Articles 5(1) and (2), 6(1), 7, 24 and 25(1) GDPR, since Fastweb did not implement systems for controlling the "chain" of personal data collection suitable to exclude with certainty that illegal or unwanted promotional calls were followed by activations of services or signing of contracts which were then merged into the Fastweb databases.

2. Violation of Articles 5(1) and (2), 6(1), and 7 GDPR, since Fastweb S.p.A. acquired lists of personal data from third parties who, in turn, had acquired them as independent data controllers and who transferred them to Fastweb systems. The data transfer to Fastweb occurred in the absence of the prescribed consent for the communication of personal data between independent data controllers.

3. Violation of Articles 5, 6, 7, 12, 13, and 21 GDPR in relation to the methods of activation, release of the information and revocation of the "Call me back" service.

4. Violation of Articles 24 and 32 GDPR, in relation to the multiple and systematic accesses to corporate databases containing personal data, for failing to implement measures of proportionate effectiveness to guarantee, and be able to demonstrate, that the processing is carried out in accordance with the Regulation, and to ensure the confidentiality and integrity of the systems and services on a permanent basis.

5. Violation of Articles 33(1) and 34 GDPR, for failing to submit to the Garante and interested parties the notification of a personal data breach.

6. Violation of Article 5(1)(d) GDPR in relation to the various requests to exercise rights submitted by interested parties, for which system errors and delays in realigning and correcting data were detected.

7. Violation of Articles 5(1) and (2), 6, and 7 GDPR, in relation to the processing of personal data carried out to promote products and services in the absence of the required consent and given the unsuitability of legitimate interest as a legal basis.

For these reasons the Italian DPA, with the power conferred by Article 58(2)(d) and (f) and Article 83(3) and (5) GDPR, imposed on Fastweb multiple corrective measures and a fine of € 4.501.868.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

Press release:

Aggressive telemarketing: the Privacy Guarantor fines Fastweb for 4 and a half million euros

The action of the Privacy Guarantor continues against the phenomenon of unwanted promotional calls. The Authority ordered Fastweb to pay a fine of over 4 million and 500 thousand euros for illegally processing the personal data of millions of users for telemarketing purposes.

This concludes a complex investigation started following hundreds of reports and complaints from users who complained about continuous promotional calls of telephone and internet services offered by Fastweb made without their consent.

The investigations carried out by the Authority highlighted important "system" criticalities, attributable to the whole of the processing operations carried out by Fastweb towards both the company's entire customer base and the wider range of potential users in the electronic communications sector.

During the investigation, an alarming recourse to the use of fictitious numbers or numbers not registered in the Register of Communication Operators (Roc) emerged. This phenomenon, as already highlighted by the Authority, seems to be attributable to an "undergrowth" of abusive call centers that carry out telemarketing activities in total disregard of the provisions on the protection of personal data. Further violation profiles concerned the correct management of the contact lists, provided to Fastweb by external partners, without the latter having acquired the free, specific and informed consent of the users to communicate their data.

The security measures of the customer management systems were also inadequate. The Authority had in fact received numerous reports that reported undue contacts by self-styled Fastweb operators who were trying to acquire, via Whatsapp, the identity documents of the contracting parties, probably for the purpose of spamming, phishing and for carrying out other fraudulent activities. Other critical issues were identified by the Guarantor in the promotional activity carried out by Fastweb in partnership with another subject for having used customer lists provided by the latter without consent to the marketing activity. Other violations concerned procedures adopted for the "Call me back" service that prevented users from giving free consent,

Taking into account the offenses found, the Guarantor applied a fine of € 4,501,868.00.

The Authority therefore ordered Fastweb to adapt its telemarketing processing so as to provide and prove that the activation of offers and services and the registration of contracts takes place only following calls made by the sales network through telephone numbers registered and enrolled in the Roc. Furthermore, the company will have to strengthen security measures to prevent unauthorized access to its databases.

Finally, Fastweb will no longer be able to use the data contained in the personal data lists provided by third party partners, without the latter having acquired a specific, free and informed consent from the interested parties to communicate their data to third parties.

The provision against Fastweb follows those already adopted against Eni Gas and Luce, Tim, Wind Tre, Iliad Italia and Vodafone, which resulted in the application of sanctions for a total amount of approximately 70 million euros.

Rome, April 2, 2021


-------------------------------------------------------------------------------

[doc. web n. 9570997]

Injunction order against Fastweb SpA - March 25, 2021

Register of measures
n. 112 of 25 March 2021

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof. Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and lawyer Guido Scorza, members, and cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data, and which repeals Directive 95/46/EC (General Data Protection Regulation, hereinafter the "Regulation");

GIVEN the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n.196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter the "Code");

GIVEN the documentation in the deeds;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000, adopted by resolution of June 28, 2000;

Rapporteur dr. Agostino Ghiglia;

1. THE INVESTIGATION CARRIED OUT

1.1. Premise

With act no. 44174/20 of 20 November 2020 (notified on the same date by certified e-mail), which must be understood here as fully reproduced, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the measures pursuant to art. 58, par. 2, of the Regulations towards Fastweb SpA (hereinafter “Fastweb” or “the Company”), in the person of the pro-tempore legal representative, with registered office in Milan, Piazza Adriano Olivetti 1, CF and VAT number: 12878470157.

The proceeding originates from a complex investigation launched by the Authority following the receipt of hundreds of reports and complaints sent by interested parties who complained, and still complain today, of continuous unwanted telephone contacts made by Fastweb and its sales network to promote the telephony and internet services it offers.

The phenomenon of unwanted promotional calls and contacts is known to the Company, which, over the last ten years, has been the recipient of various prescriptive and inhibitory measures, as well as numerous administrative sanctions, most of which are defined briefly. In particular, provisions no. 300 of 18 October 2012 (in www.gpdp.it, web doc. no. 2368171), no. 235 of 18 April 2018 (in www.gpdp.it, web doc. no. 9358243) and no. 441 of 26 July 2018 (in www.gpdp.it, web doc. no. 9040267) imposed prescriptions, processing bans and administrative sanctions in relation to millions of contacts via telephone and SMS, which Fastweb and its sales network had put in place without acquiring suitable consent from the subjects contacted.

Despite the extensive provisional activity and constant dialogue between the Guarantor and the telephone companies of the recent past, from December 2018 to February 2020, Fastweb was the recipient of four cumulative requests for information (prot. nos. 36218/18, 8975/19, 34440/19 and 5725/20), which examined 131 files, each of which referred to the receipt of one or more unsolicited promotional telephone calls made on behalf of the Company, for a total of 236 reports. If we also consider the complaints presented pursuant to art. 77 of the Regulation, which the Guarantor has dealt with, in the preliminary phase, individually, and the reports received after the latest requests for information, the Office has opened, overall, over the last two years starting from the entry into force of the Regulation, 283 files against Fastweb, mostly relating to telemarketing activities and the sending of promotional messages by or on behalf of the Company. In the period considered, the dialogue with whistleblowers and complainants as well as with Fastweb itself resulted in the registration of 508 incoming messages in the Authority's protocol.

The above data testify to the strong impact that the marketing and teleselling practices carried out by Fastweb assume in the overall activity of the Office and confirm the opinion of the Authority with respect to the methods of carrying out these practices conducted by the generality of the telephone companies, expressed several times also in recent measures (see, among others, measures no. 232 of 11 December 2019, in www.gpdp.it, web doc. no. 9244365; no. 7 of 15 January 2020, in www.gpdp.it, web doc. no. 9256486; no. 143 of 9 July 2020, in www.gpdp.it, web doc. no. 9435753; and no. 224 of 12 November 2020, in www.gpdp.it, web doc. no. 9485681).

1.2. The request for information and the presentation of documents, pursuant to art. 157 of the Code, of 23 September 2020, and the feedback provided by Fastweb

1.2.1. The Office has taken steps to identify the most recurring criticalities in Fastweb's findings and sent the Company, on 23 September 2020, a request for information and presentation of documents, pursuant to art. 157 of the Code, containing some questions relating to the methods of carrying out telemarketing activities.

First of all, in relation to Fastweb's statements according to which the promotion agencies, in order to increase their business, would assume "autonomous behavior [i]" with respect to the instructions on the treatments given by their clients, and this would lead to promotional contacts towards interested parties who have not expressed their consent to the processing of their data for marketing purposes, the Company was asked to specify these behaviors, indicating the agencies that have put them in place as well as the measures adopted by the Company to counter such conduct. Fastweb was therefore requested to provide a summary document of any penalties applied to the aforementioned promotion agencies and to describe, more generally,

Secondly, starting from the data that emerged from the cumulative requests in relation to the considerable number of promotional calls (166 compared to 236 reports, equal to over 70% of the calls) that Fastweb declared not to have been made by numbers of its own sales network, the Company was asked to indicate which measures had been put in place in order to exclude that contracts or Fastweb users were then finalized from contacts originating from these numbers, as well as to indicate on the basis of which company procedures the Company had verified that each activation of user or service, put in place directly or through the help of the network of its partners, agents, call-centers, dealers or telesellers, had occurred following a contact with the customer or potential customer operated on lists provided or authorized by Fastweb.

Thirdly, with regard to the use of personal data lists for carrying out promotional contact activities, it was requested to clarify the procedure adopted for the formation of the numbering lists potentially contactable by Fastweb partners, and to represent the methods of consultation and extraction of the data present in the lists, by the agencies, for the performance of promotional activities. It was also requested to indicate all the companies from which Fastweb acquires lists of personal data intended for promotional contacts, specifying, for each of them: whether it carries out the activity of list editor or list provider; any designation as data processor; and the legal status according to which each company carries out the data processing.

With reference to the lists of personal data from third parties, it was asked to indicate the methods by which Fastweb verified the correct acquisition, by the aforementioned subjects, of the consent of the interested parties for commercial purposes and for communication to third parties as well as the distribution responsibilities in the context of the related processing. It was also requested to indicate the number of promotional contacts made, during 2019, through the use of these lists, as well as the number of contracts and activations made following the aforementioned contacts.

In addition, with reference to the contacts made for the management of the service called "Call me back" (described in detail below), the Company has been asked to provide information on the methods of recontacting and any repetition of the contacts themselves.

Finally, the Company was asked to integrate, clarify and/or provide further documentation regarding some specific reports.

1.2.2. Fastweb responded to the Authority's request for information on 12 October 2020.

In the first place, the Company indicated the unlawful conduct detected by virtue of the checks carried out by the same on the work of its sales network and the agencies to which such conduct is attributable where it was possible to identify the perpetrator. These illegal activities were grouped into the following categories: “call to a so-called Off-List contact; use of uncensored caller numbering; use of the 'referee'; use of undisclosed lists; use of no longer authorized lists; need to train collaborators”.

The Company then indicated, in a summary document produced in the annex, the measures it had taken against the aforementioned agencies. Specifically, the Company highlighted that, in the two-year reference period (i.e. from October 2018 until 12 October 2020, hereinafter the “Two-year period”), it transmitted: “14 massive communications”; “12 formal references”; "51 sales warnings"; and “44 requests for information”.

In addition, again in the two-year period, the Company: "imposed 33 penalties" in relation to "33 conduct that did not comply with the provisions of the mandate, which resulted in the application of penalties of € 125,000.00 towards 26 commercial partners"; "From November 2018 to August 2020 [...] did not pay any amounts for commissions and incentives for a total of approximately € 566,487.00"; it "contested 3 contractual resolutions for non-compliant conduct in carrying out telephone business contacts"; and it "interrupted the agency relationship" with "13 agencies that received one or more of the previous measures - formal or criminal appeals".

Secondly, with regard to the measures adopted by the Company in order to exclude that contracts or Fastweb users are then finalized from contacts originating from unknown numbers, the Company declared that the "telephone or data services [...] take on a genuine character of public utility". Recalling its previous communications of January 10, 2019 and April 8, 2019, the Company declared that it has adopted "a mechanism" that allows "not to pay the amounts due for contracts originating from contacts not present in the authorized list" and "a process of analysis and reporting" of the calling numbers not recognized by Fastweb through the intervention of the judicial authority.

With regard to the first measure, namely the "non-payment of PDA [Purchase Proposals] out of the list", the Company declared that it carries out "detailed analyses on the activation requests to verify that they match the contacts on the lists and, where applicable, not to pay the amounts due for contracts originating from contacts not present in the authorized list". This system of checks and controls - the Company found - "also includes the development of the newly developed Log analysis tool" as well as "the implementation of a mechanism through which [...] also automatically and preventively inhibit the loading of orders for new contracts where the contact numbers or other personal information do not match the data in the contact lists".

As for the "process of reporting unrecognized caller numbers", the latter provides that "interested prospects or existing customers can contact Fastweb to report and/or ask for clarification, regarding the receipt of unsolicited promotional calls on behalf of Fastweb through various channels made available to them". Subsequently, the reported numbers are checked by the Company and, if they are attributable to its authorized agencies, Fastweb proceeds to adopt a measure; otherwise, "the list of unrecognized calling numbers is prepared" and this list is then sent "for reporting". Fastweb declared that it had reported, as of 12 October 2020, "over 200 numbers".

Thirdly, with reference to the use of personal data lists for carrying out promotional activities, Fastweb provided feedback by highlighting that the formation of a contact list involves the creation of a database consisting of three repositories, based on the different sources from which the personal data can be received. The sources feeding the database consist of: i) the DBU numbers acquired by Fastweb; ii) the mobile numbers that Fastweb acquires directly from third parties; and iii) the fixed and mobile numbers that Fastweb acquires from its partners, who in turn acquire them from their suppliers. The validity of the lists is usually established in one calendar month (coinciding with the duration of a so-called "planning",

With regard to the lists of personal data referred to in point ii), i.e. relating to the mobile telephone numbers that the Company acquires from third parties, Fastweb found that "they all carry out the activity of direct list editors, since they collect personal data independently from their sites". The companies therefore assume the legal role of "data controllers" who communicate the data in their possession to Fastweb on the basis of the specific consent that the interested parties have provided to them. As part of the process of acquiring the personal data, the Company requires these companies to acquire consent for the transfer of data to third parties, as an optional choice, and to indicate Fastweb in the related information as the subject to which the data may be sold.

With regard to the lists of personal data referred to in point iii), i.e. relating to the fixed and mobile telephone numbers that the Company acquires through the partners, who in turn acquire them "independently from their own supplier", Fastweb found that agencies are required to request "an authorization" from the Company "before being able to use them", providing a series of elements: the contract signed between the parties with an indication of its duration; the information provided by the owner to the interested party; and an indication of the methods of obtaining consent. In particular, Fastweb verifies that: the collection of consent for the transfer of data to third parties takes place through a separate box; the information is in any case accessible to the interested parties; and that this information indicates the possible transfer of data to third parties with the express indication of Fastweb among them. In the event that the analyses carried out by Fastweb provide a positive result, the partner is authorized to upload the personal data in its possession to carry out the matching with the Fastweb black lists and with the public register of objections as well as for deduplication operations, so that they are used in the current month's schedule. The list is also subjected to sample checks on the basis of a mechanism of random extraction of names about which the partner is asked to provide evidence of the consents acquired. Agencies can use telephone contact lists during each planning month. Once a schedule is finished, the lists used are stored in the Invoice system and no longer accessible for use for commercial purposes. The Company specified that the number of promotional contacts made through these lists during the year 2019 "amounted to 7,542,000".

Finally, with reference to the contacts made for the management of the so-called "Call me back", Fastweb noted that this service allows customers and potential customers to be called back by a Fastweb operator, following a "click" on the "Call me back for free" button. The Company specified that "the re-contacts that arise [...] are carried out on the basis of precise rules that establish the time intervals within which the system routes a subsequent call to the person who has proved to be interested and, ultimately, they manage to close the contact in case of reaching a limit of unanswered calls". For example - the Company found - "it is expected that [...] if the number is busy for 20 calls it will be closed [...] As regards a free numbering, in a school hypothesis in which the CRM is not required to manage other calls, the user would be called up to a maximum of 4 times in an hour at a distance of 15 minutes each for a total of 20 attempts maximum during the day". It was then added that "in the information mirror relating to consent for commercial purposes, there is a specific link that refers to the privacy policy [in which] all essential information on the availability of the service is provided until the consent itself is revoked and in any case for a maximum period of 24 months".

1.3. Complaints investigated individually

In addition to the reports referred to in the four cumulative requests indicated in the Introduction, the Authority received further reports and numerous complaints against Fastweb, each subject to independent investigation and subsequent unitary discussion with the main proceeding, based on the provisions of Articles 10, paragraph 4, of the Regulations of the Guarantor's Office n. 1/2019 and 8, paragraph 2, of Regulation no. 2/2019.

Complaints and reports subject to joint treatment with the main proceedings can be divided into different groups based on the issues and arguments raised.

1.3.1. A first group of complaints and reports relates to the management of data assets by Fastweb. In this context, the Authority found the cases concerning a rather widespread phenomenon, reported by numerous whistleblowers and complainants, who, often following the reporting of a malfunction to Fastweb, complained of having been contacted by call-centers that proposed alternative commercial offers on behalf of the latter or other telephone companies, and/or required customers to send a copy of an identity document via Whatsapp message. In particular:

files nos. 147286 and 154212, in which the whistleblowers complained that, following their request for assistance from Fastweb for a "failure", they were contacted by call centers apparently attributable to other telephone companies, which proposed to the reporting persons the migration of their users. In this regard, the Company declared the "total extraneousness of Fastweb" with respect to these calls, adding, in relation to file 154212, that such extraneousness would be confirmed "i) by the content of the same - undoubtedly aimed at obtaining the migration of the customer to another operator […]; ii) from the fact that on the customer number […], as emerges from Invoice, there are no contacts made by Fastweb or arranged by it and made by the sales network; iii) from calling numbers […] not referable to Fastweb or its structures";

files nos. 146491, 146238, 146260 and 148138, in which the complainants complained that, following their request for assistance from Fastweb for problems with the Internet service, they were contacted by a call center operator apparently attributable to Fastweb, who invited them to send a double-sided copy of their identity document for the resolution of the problem. In all cases, the complainants declared that they had sent a copy of their identity documents, believing that this request came from Fastweb's customer service, as the operators were "perfectly aware" of the "technical problems [...] of the time of the telephone appointment for the management of technical reports" and "technical details [...] that only the Fastweb service could know". In this regard, Fastweb provided similar feedback to the previous ones, reiterating, among other things, that the contacts reported are "the work of unknown persons, who presumably act to the detriment of the [Company], for possible purposes of theft of customers" and that "in any case, Fastweb does not in any way provide for the sending of identity documents of its customers in the circumstances described by you";

dossier no. 139824, in which the complainant complained that, following the stipulation of an "internet supply contract [...] with Fastweb", he was contacted by telephone by a call-center operator who was aware of his "personal details and supply address for which he had requested Internet activation from Fastweb", an address that does not correspond to "[his] address of residence or domicile". The operator, after having raised the prospect of possible problems with the activation of the contract due to alleged “problems with the exchanges”, invited the complainant to enter into a contract for the “internet supply through another operator” and to “send photos of the documents via whatsapp”. Not having received the required documentation, the operator tried twice more to get in touch with the complainant using different numbers for the calls.

With a letter dated 10 February 2020, with reference to the overall phenomenon mentioned above, Fastweb represented that it had "already filed several complaints against unknown persons to the Postal Police [...] and has launched a series of awareness and information activities regarding and protecting its customers and the market". With these complaints, the first of which dates back to August 2019, "the over 50 mobile numbers used to request a copy of identity documents [...] on the instant messaging system whatsapp were brought to the attention of the Judicial Authority" to the detriment of the Company and approximately 170 people contacted, who were “mainly Fastweb customers”. Furthermore, Fastweb highlighted that “the checks carried out on the individual illegal contacts made it possible to identify a common trait. In particular, Fastweb found that its customers receiving the aforementioned request for documents all had access technology for the use of fixed services which involves leasing part of the network [from another telephone company]. The [Company] therefore ascribed the conduct to a more complex illegal activity, probably aimed at distracting Fastweb Spa customers from another operator, an activity evidently carried out using the information which, due to the peculiar structure of the national network, is in the sphere of ownership of the infrastructure manager". The Company claimed that it "brought to AGCOM's attention also countless evidences of illegitimate behavior attributable to the management of the main infrastructure both with periodic reports and [with other communications]".

1.3.2. A second group of complaints and reports relates to Fastweb's management of requests for the exercise of the rights guaranteed by Articles 15-22 of the Regulation, and to "manual errors", "system errors" and delays in realigning and correcting data by the Company. In particular:

files no. 136409 and 146607 relate to reports and complaints in which customers complained of receiving communications from Fastweb presumably addressed to other customers. In both cases, the Company has shown that the problems were generated by incorrect associations, even "manual" ones, of the personal data. In one of the two cases, the problem was solved three years after the report;

dossier no. 148287, in which the complainant complained of having transmitted to Fastweb, in November 2019, a request for portability and deletion of his personal data, and that this request, in March 2020, had not yet been satisfied. Fastweb responded in August 2020, representing that "the technical times for remediation of the systems and the overlapping of a cancellation request did not, however, allow the portability to be completed" and argued that "the portability requests entered by the reporting party are not successful due to a specific misalignment of the systems that precluded the receipt of the e-mail containing the link to download your data";

dossier no. 147619, in which the complainant represented that he had sent Fastweb, in September 2019, a request for rectification of his personal data incorrectly registered in the MyFastweb personal area (i.e., home address), and that "after more than a year of requests and reminders", despite Fastweb's assurances, "incorrect data was still present", with the "unacceptable" consequence that the correspondence addressed to him was "still sent to [other] address". In this regard, Fastweb stated that it had "repeatedly entered the modification of personal data internally. These changes were successful, but due to a misalignment of the systems, they did not have a decisive effect, reporting in some circumstances the incorrect pre-existing data";

dossier no. 152006, in which the complainant complained that she had "tried repeatedly" to "unsubscribe [herself] from the Fastweb mailing list", or "to request the cancellation of [her] data through [...] the form reserved for former customers". Nonetheless, her request was not accepted due to a problem with her tax code. In this regard, the Company argued that "due to a misalignment […] the objections exercised were not correctly propagated on the systems";

dossier no. 137155, in which the reporting party complained of receiving unwanted calls on his mobile line. In this regard, Fastweb replied that this contact "occurred erroneously" by one of its agencies, "due to a technical malfunction of the CRM managed by the same company, which called the number again, despite being inserted in black list".

1.3.3. A third group relates to complaints and reports concerning unwanted promotional contacts made on behalf of Fastweb, but not recognized by the latter. In particular, with regard to the unwanted contacts subject to the complaints (files nos. 117698, 144450, 152962, 138241, 151747, 154404, 144577, 149829, 150096, 150853, 151543, 152330, 152792 and 154231), the Company has represented that the calling numbers cited by the interested parties would not be attributable to Fastweb, nor used by the same and/or its partners for commercial purposes.

1.3.4. A fourth group refers to complaints and reports concerning unwanted promotional contacts made on behalf of Fastweb on the basis of legitimate interest. In particular: files no. 149390 and 153360, in which the complainants complained of receiving unwanted promotional calls from some operators for "a discount on the Fastweb bill if [they] signed a contract with Eni Gas e Luce", despite both having expressly denied their consent to receive promotional contacts. In this regard, the Company replied that the purpose of the contacts was "to submit a promotion that the [Company] dedicates to its customers, and which allows them to have a significant reduction in the telephone account in the event of activation, at advantageous conditions, of a user with Eni.

1.4. The closure of the investigation and the start of the procedure for the adoption of corrective measures

Having examined the feedback provided by the Company, the Office, pursuant to art. 166, paragraph 5, of the Code, adopted the act of initiation of the procedure referred to in the introduction, with which it accused Fastweb of the following violations:

1. violation of articles 5, para. 1 and 2, 6 par. 1, 7, 24 and 25, par. 1, of the Regulation, since Fastweb SpA has not implemented control systems of the "supply chain" for collecting personal data from the moment of the first contact of the potential customer, suitable to exclude with certainty that illegal or unwanted promotional calls have resulted in the activation of services or the signing of contracts which are then merged into the Fastweb databases. The violation involves the entire customer base of the company and the complaints referred to in files 117698, 144450, 152962, 138241, 151747, 154404, 144577, 149829, 150096, 150853, 151543, 152330, 152792, and 154231;

2. violation of art. 5, para. 1 and 2, of art. 6, par. 1, and of art. 7 of the Regulation, since Fastweb SpA acquired lists of personal data from third parties (the partners of its sales network) who, in turn, had acquired them as independent data controllers and who transferred them to Fastweb's systems. The transfer of data to Fastweb took place in the absence of the required consent for the communication of personal data between independent data controllers. The violation involved at least 7,542,000 interested parties in 2019;

3. violation of art. 5, 6, 7, 12, 13 and 21, in relation to the procedures for activating, releasing the information and revoking the "Call me back" service;

4. violation of art. 24 and 32 of the Regulation, in relation to multiple and systematic accesses to company databases containing personal data, telephone numbers, telephone traffic and payment data, for failing to implement measures of proportionate effectiveness to guarantee, and be able to demonstrate that the processing is carried out in accordance with the Regulations, to ensure the confidentiality and integrity of the processing systems and services on a permanent basis and to test, verify and regularly evaluate the effectiveness of technical and organizational measures in order to guarantee the security of processing (files 147286, 154212, 146491, 146238, 146260, 139824, 148138);

5. violation of art. 33, par. 1, and 34 of the Regulation, for failing to submit to the Guarantor and to the interested parties the notification of a violation of personal data, with reference to the multiple accesses referred to in the preceding point;

6. violation of articles 5, par. 1, lett. d), with reference to the principle of "accuracy" of the data processed, in relation to art. 15-22 of the Regulation, in relation to the various requests for exercising the rights proposed by the interested parties for which system errors and delays in the realignment and correction of data were found (files 136409, 146607, 148287, 147619, 152006, 137155);

7. violation of art. 5, para. 1 and 2, 6 and 7 of the Regulation, in relation to the processing of personal data carried out for the purpose of promoting its products and services, in the absence of the required consent and given the inadequacy of the legal basis of legitimate interest (files 149390, 153360).

The aforementioned objections were formulated by the Office on the basis of the observations which are summarized below.

1.4.1. With reference to the dispute referred to in point 1), the act of initiation of the procedure noted the Company's failure to implement controls over the chain of personal data acquired in the phase of promoting services, controls suitable to "exclude that from contacts originating from [unknown] numbers, contracts were then finalized or Fastweb users activated".

With regard to the controls described by the Company when responding to requests for information, it was noted that these controls do not appear suitable for providing the guarantees that could instead be ensured if, at the time of activation of the services, the following were indicated, for example, in addition to the contact list used (with the time validity constraints consistent with the date of the first contact): i) the partner who made the first and subsequent contacts; ii) the calling telephone numbers (duly registered in the ROC, register of communication operators); and iii) the call script and the information read by the call center operator.

As already observed by the Authority in previous measures referred to in the introduction (see, among other things, provision no. 224 of 12 November 2020, in www.gpdp.it, web doc. No. 9485681), the consequences related to the failure to make use of the above information (and of the other information that, uniquely, would allow the promotional contacts and the related service activations to be traced back to a correct telemarketing activity) cannot be substituted by the adoption of "dissuasive and sanctioning actions", but must be able to provide for, due to the potential illegality of the processing, the unusability of the data and therefore the impossibility of proceeding with the activation of the services and the registration of contracts.

It was highlighted that the absence of initiatives as outlined above, in particular in the presence of such a significant number of disavowed calls, reveals a serious flaw in Fastweb's accountability, as well as in some key elements of the privacy by design criterion (such as prevention, functionality, security, transparency of processing and the centrality of the interested party), which can be skilfully exploited by "unofficial" brokers to occupy market spaces, generating a spin-off business without guarantees for users and capable of determining further unlawful consequences (for example with regard to the labor and tax aspects of the sector).

It was then noted that, at the time of the conclusion of the preliminary activities, at least 70% of the reports still resulted from commercial contacts resulting from an autonomous initiative not authorized by the Company.

With regard to the measures adopted by Fastweb in relation to illicit commercial contacts made by the agencies belonging to its sales network, the inconsistency and inadequacy of the same to ensure that the processing is carried out in accordance with the Regulation, as well as the lack of systematicity in the application of these measures, were found.

Specifically: with regard to the measure of "exclusion of compensation", the latter appeared inadequate since it is undisputed that the Company proceeds to upload orders for new contracts even with respect to customers procured outside the customer list dedicated to an agency and/or outside the area assigned to it, so that the Company would profit from the usability of data acquired on its behalf unlawfully, in violation of the relevant legislation on the protection of personal data; as for "massive communications", "formal warnings" and "sales warnings", being devoid of coercive character, it was considered that they had a limited deterrent effect; as for the measure of "penalties", from the analysis of the documentation produced by Fastweb, the inadequacy of this measure was found both because its application is not proportional to the number of abusive conducts found in the documentation produced by the Company (not even 1% of the illegal conduct was sanctioned through the application of a penalty) and because the amount of the sanction applied is negligible compared to the number of violations committed by an agency and/or compared to its turnover; as regards the measures of "contractual termination" or "interruption of relations with agencies", the inconsistency and contradiction of the Company was noted also in the application of these measures.

1.4.2. With reference to the dispute referred to in point 2), in the act of initiation of the procedure some critical issues were highlighted regarding the process of acquiring the master data lists from suppliers or partners.

On a preliminary basis, a review of the contractual and operational conditions that bind the various commercial partners to Fastweb was carried out.

With regard to the acquisition of the personal data lists relating to mobile telephone numbers that Fastweb acquires directly from the list editors (who collect these personal data from their sites), the Authority observed that overall the model followed appears to be correct: these companies assume the legal status of data controllers who communicate the data in their possession to Fastweb on the basis of the specific consent that the interested parties have provided to them.

However, this model does not appear correctly configured with reference to the eGentic "list editor", which would acquire the data from the companies belonging to its business group, Naturvel Pte Ltd. and Toleadoo GmbH: the intermediation of eGentic in fact is not highlighted in the information provided by the aforementioned companies, neither among the subjects to whom the data may be communicated, nor among those who may become aware of it in the context of any intra-group communications.

With regard to the lists of personal data provided by the partners of the Fastweb sales network, following acquisitions made by them as independent data controllers, it was found that these lists have merged into the circuit of treatments for promotional purposes for which the Company is owner, without the partners having acquired a free, specific and informed consent from the interested parties for the communication of their data, but only on the basis of the original consent that the interested parties have given to the list editors.

1.4.3. With reference to the dispute referred to in point 3), relating to the methods of activation, release of the information and revocation of the "Call me back" service, it was noted that, from the procedure described by Fastweb and from a verification carried out on the site www.fastweb.it, some critical issues have emerged.

First of all, the lack of ad hoc information in relation to the aforementioned service was highlighted, in which the operation of the service, the methods of processing personal data and contacting the user were explained. In particular, in the concise notice placed near the service activation button, Fastweb limits itself to informing the user that "by clicking on 'Call me back for free'", he gives his "consent to the processing of personal data to receive telephone contacts on Fastweb offers exclusively in the time slots [...] indicated", without providing any indication of the "re-contacts that arise [...] after clicking on the 'call me free' button" if the first call is not successful (in this sense, the user is unaware, for example,

Also the privacy information available on the Fastweb website, regarding the consent given by the user for the processing of personal data in order to receive future telephone contacts for the proposition of commercial offers relating to Fastweb, appeared to be lacking in this respect.

Secondly, the lack of a system was highlighted that would allow the user to interrupt the flow of calls deriving from his "click" on the "Call me back free" button with equal ease. Indeed, if to activate the service it is sufficient to "click" on the "Call me free" button, for its deactivation the user is invited to "send a communication" by e-mail.

1.4.4. With reference to the disputes referred to in points 4) and 5), in the initiation of the procedure it was noted that, in relation to the overall affair relating to the contacts addressed to Fastweb customers aimed at acquiring identification documents or proposing migrations of telephone lines, during 2019 Fastweb submitted several notifications of "data breach" but none of them appears to be attributable to the specific violation, brought to the attention of the Authority by the Company with the note of 10 February 2020.

The general vulnerability of Fastweb systems, in the light of the declarations of the complainants and also of what is reported by the Company itself, seems not to have been addressed "taking into account the state of the art and the costs of implementation, as well as the nature, object, context and the purposes of the processing, as well as the risk of varying probability and gravity for the rights and freedoms of natural persons" as provided for by art. 32, par. 1, of the Regulation. In particular, no measures of proportionate effectiveness have been put in place with reference to the ability to ensure the confidentiality and integrity of the processing systems and services on a permanent basis (Article 32, paragraph 1, letter b)) but, above all, to the procedures for testing,

Furthermore, with reference to the circumstances indicated in the report of 10 February 2020, from the searches carried out at the protocol of the Office, the notification provided for by art. 33, par. 1, of the Regulation was not found.

1.4.5. With reference to the dispute referred to in point 6), in the act of initiating the procedure it was noted that the generic indication of generic errors at the basis of an undue contact or an unsuitable response, is not suitable for eliminating Society, provided that an adequate structuring of systems, organization and work cycles.

It should be added that, in some complaints and reports, even years have elapsed for the resolution of the problems raised (where they have been resolved), and only following multiple requests and / or reports by the complainants. As is known, a violation of personal data can, if not addressed in an adequate and timely manner, cause individuals to lose control of their personal data or limit their rights.

1.4.6. With reference to the dispute referred to in point 7), in the act of initiating the procedure it was noted that the legal basis of the legitimate interest, pursuant to art. 6, par. 1, lett. f), of the Regulations, cannot simply replace that of consent in telemarketing.

The Regulation itself admits it only "provided that the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data do not prevail". The interests and fundamental rights of the data subject may in particular prevail over the interests of the data controller if the personal data are processed in circumstances in which the data subjects cannot reasonably expect further processing of the personal data. The application of the legal basis of legitimate interest therefore presupposes the prevalence of the latter over the rights and freedoms of the interested parties (among which, in the case of marketing, the right to data protection and the right to the individual peace of mind of the interested party are recognizable first of all), and it also requires, in compliance with the principles of responsibility and transparency, the concrete implementation of adequate measures to guarantee the rights of the interested parties, such as in particular that of opposition. Moreover, the data controller cannot retroactively resort to the basis of legitimate interest in the event of problems in the validity of the consent. Since he has the obligation to communicate in the information issued to the interested party the legitimate basis at the time of the collection of personal data, the data controller must have decided on the legitimate basis before the data was collected.

For these reasons, it was considered that, in the cases subject to complaint, the treatments were carried out by Fastweb in the absence of an appropriate legal basis, and this in particular, in violation of the provisions of art. 5, par. 2, 6 and 7 of the Regulation.

2. DEFENSIVE OBSERVATIONS AND AUTHORITY ASSESSMENTS

2.1 The defense brief and the Fastweb hearing

On 20 December 2020, Fastweb sent the Authority the defense brief required by art. 166, paragraph 6, of the Code. On the basis of the same provision, on 21 January 2021, at the request of the party and via videoconference, the hearing for which a specific report was drawn up was held. Both documents are to be understood here as fully recalled and reproduced.

2.1.1. On the checks carried out in the contract signing process (see point 1 of the dispute), Fastweb represented the following.

Firstly, the Company has strengthened the controls on the external sales structures which it uses to carry out telemarketing campaigns (also by reducing the number of such structures by approximately 50%), and has introduced new sanction mechanisms. The Company, "confirming its ever-increasing accountability", also signaled its intention to further expand the control system by: i) increasing the level of assessment on the structures; ii) the use of the control log tool; and iii) the new technological implementation on order blocking. In addition, during the hearing, the Company expressed its intention to move, in the next 12-18 months, towards discontinuing the agencies' outbound calls channel, possibly maintaining relationships only with the more structured ones that provide suitable guarantees of compliance. The Company then noted that, in any case, in order to obtain the definitive interruption of this phenomenon "it is necessary to involve external actors" such as, for example, "the Judicial Authority".

Secondly, with regard to the obligation proposed by the Authority not to proceed with the activation of contracts where the Company is unable to guarantee that customer data have been acquired lawfully, the Company argued that "the activation of services of telephone or data [...] assume a real character of public utility" and that, even following the adoption of the automatic blocking system in the insertion of contracts, "there will still be subjects who [...] will receive incorrect commercial contacts and that […] will be persuaded by callers to take out a subscription with Fastweb. The latter, however, cannot be loaded on the company's systems due to the new technological implementation. The situation that arises from this is singular. Although the subject was contacted by means of an illicit promotional call, the same did not become unwanted, so much so that it prompted him to sign a contract, which however will not be activated. In these cases Fastweb will have to make contact with the subject to explain what happened and, if the will persists, it will still be activated".

The Company also noted that "on a civil and regulatory level […] in the face of the continuing will of the interested party, Fastweb would have no right to refuse such activation. Nor would the principle of 'unusability' in art. 2-decies of the legislative decree n. 196/2003". According to Fastweb, "this principle […] certainly concerns the data used for the purpose of contact but cannot be extended to the same data that the interested party then asked to be sent to Fastweb through the contract proposal. The latter could not be considered treated 'in violation' […] as an expression of a request by the interested party and therefore covered by an autonomous legal basis pursuant to art. 6, par. 1, lett. b) of the regulation".

Fastweb then noted that "the complex system adopted to date has contributed in any case to important reductions". According to the Company, given that the contractors who operate "parallel" to the Fastweb sales network "certainly act out of a spirit of profit, with the hope of being able to enter in one way or another the final section of the sales network and therefore indirectly receive compensation", Fastweb has envisaged "a first radical measure: that of not recognizing commissions for unlisted contacts". It would be irrelevant that the Company then profits through the stipulation of contracts deriving from the illegal activity carried out by these brokers, since "the problem is to remove the incentives for these external parties, not for Fastweb". He then represented that,

Finally, on the Authority's objection regarding the generic nature, inconsistency and lack of systematic nature of the measures adopted by Fastweb, the latter replied that "differentiated treatments are proof of the proportionality, albeit perfectible, already in use".

The Company noted that on 11 November 2020 it had started a working table with the main consumer associations (Altroconsumo, Udicon, Adocn, Federconsumatori) "for the implementation of a synergistic system to combat the phenomenon of unwanted calls" the performance of which will be updated by the Guarantor.

2.1.2. On the purchase of personal data lists through partners of its own sales network (see point 2 of the dispute), the Company has represented the following.

First of all, with regard to the lists acquired independently by the eGentic list editor, which would, in turn, acquire the data from the companies belonging to its group (i.e. Naturvel Pte Ltd. and Toleadoo GmbH), the Company has found that eGentic, as the holding company of the group, would never acquire ownership of the data, but would limit itself to treating them "as a manager on behalf of Toleadoo and Naturvel with the purpose indicated by them". This would emerge from the information relating to the personal data of Toleadoo and Naturvel, which would expose "to the interested parties the very fact that their personal data may be processed 'on behalf of the Data Controller as External Data Processors'". Specifically, eGentic would have a "mere intermediary role". According to Fastweb,

Secondly, with regard to the methods of autonomous acquisition of the lists of personal data by the partners of the Fastweb commercial network - according to the Company - "the person who proceeds with the purchase does not do so as the owner, but as the data processor on behalf of Fastweb, subject for which it is physically carrying out the activity". Indeed, "In the agency contract signed with its partners, Fastweb assigns them the task of promoting, without representation, business in its interest, expressly appointing them as responsible for the processing of personal data [which] receive in a detailed and complete manner the indication of what tasks and activities they will have to carry out". In Fastweb's opinion, the agencies would operate as "independent entrepreneurs under civil law", but from the point of view of data processing "the agencies have no space to decide independently the 'essential means' on which data, for how long and for which categories of data subjects". Therefore, "purchasing autonomy" would exist "on a purely commercial level" and not "from the point of view of the GDPR".

2.1.3. On the “Call me back” service (see point 3 of the dispute), the Company replied as follows.

In the first place - according to Fastweb - the information "specified that consent was given to the processing of personal data in order to receive telephone contacts on Fastweb offers exclusively in the time slots [...] indicated". The aspects relating to the "number of contacts that could potentially be carried out or what would have happened in the case of free numbering […] do not concern the purposes […] but rather the technical methods for their pursuit".

Secondly, Fastweb would have adopted "a simple and easy deactivation system" of the "Call me Back" service, so the interested parties "can act by simply sending an email", or by "answering the call back request, to communicate that you are no longer interested in receiving support ".

The Company deduced that "under both profiles" there would not have been a "violation of the consent of the interested parties", both because "pursuant to recital 42 - also referred to by par. 3.3.1. of the Guidelines on consent, WP259rev.01 - it was sufficient that the interested parties were informed of the 'purposes of the processing', which happened", and because "always pursuant to the aforementioned recital 42, it is not a condition for the validity of the consent that there are procedures for revocation exactly mirroring those for release". However, the Company, "as proof of the constant search for improvement pursued", has made available "a new information [...] which illustrates the methods of operation of the service, related data processing and recontact as well as revocation policies".

Finally, with regard to the disputed files, Fastweb indicates that it finds correspondence with the management carried out only for the files 138241, 149829, 150096, 151543, 152330, 152792 and 154231, which in any case would not be evidence of what is disputed.

2.1.4. On the security of Fastweb databases and the data breach declaration (see points 4 and 5 of the dispute), the Company represented the following.

Preliminarily, Fastweb deduced that it did not detect, "in the majority" of the disputed cases, unauthorized access or other anomalies on the systems and that "the cases reported mainly involved services provided under access and interconnection agreements by third party operators […], to whom the data are legitimately communicated to allow the normal functioning of the network".

Specifically: in the cases referred to in files nos. 154212, 146238, 139824, it was necessary to request an intervention by another telephone operator (in the first two, for the resolution of the inefficiencies complained of by customers, while in the last one for the completion of the activation of the line requested by the customer) and all the contacts complained of by customers - the Company reiterated - were made “only after the involvement of [this operator]”.

As for the events referred to in files nos. 147286, 146260, 146491, and 148138, those referred to in the first three files were reported to the Postal Police. For files nos. 147286 and 146260, in addition, the Company added that customer data and events occurring on the network were also visible to the "third party with respect to Fastweb, owner of the network". Finally, in the cases referred to in files nos. 146260, 146491, 148138, the Company found that "the analyzes did not lead to highlighting anomalies on the systems used for similar operations, nor did it emerge that the data was subject to illegal extraction".

In light of the above, "The Company [...] considered it reasonable to assume that the data leakage was located outside the systems of its own pertinence".

In this regard, Fastweb referred to AGCOM resolution 321/17/CONS, noting that "the access and interconnection relationships between operators are subject to regulation by AGCOM and the existing contractual models, approved by AGCOM, lead to the belief each of the parties as an 'independent owner' with reference to the processing of personal data relating to their competence".

In the opinion of the Company, "in the presence of a distinct ownership in the processing, the communication of Data Breach […] can only be the responsibility of the 'owner' stricto sensu in relation to the perimeter of processing that is his responsibility. This is already evident from the letter of these provisions and is consistent with the type of reactions that are required of the owner, who assume the direct governance of the processing methods".

In any case - claimed the Company - Fastweb would not have neglected the above phenomenon, "taking action at AGCOM tables" and presenting "multiple complaints to the Judicial Authority" as well as taking care of the relationship with its customers.

As for the lack of security on Fastweb systems in violation of articles 24 and 32 of the Regulations, the Company reiterated: that there are no elements common to all reports of illegal calls; that compared to the hundreds of thousands of support requests that Fastweb receives every month, the reports received by the Authority correspond to a negligible percentage; and not to have detected anomalies that could suggest unauthorized access.

Fastweb then illustrated the activities carried out to protect the security of the systems. In particular: “further cleaning of profiles with elimination of the functionality […] of massive download to customer care operators”; "For all those who still have the right to view and extract, the contact details have been blocked from all reports"; "Several dashboards managed on a single system have been implemented which allow the monitoring of any accesses, of the customer card views, of the use of reporting faculties and of export always referred to CRM in an increasingly efficient manner"; "Masking in the display of contact data" and "training on the use of reporting and massive export".

The Company also highlighted the "awareness raising activity also carried out towards its network of customers to [...] prevent scams against Fastweb customers, protecting the security of their personal data, informing them on how to avoid delivering their documents to unauthorized persons, who appear in the name or on behalf of Fastweb illegally".

2.1.5. On system errors, delays in realigning and correcting data (see point 6 of the dispute), the Company represented the following.

Preliminarily, Fastweb argued that "adhering to the accountability logic on which the new Regulation is structured - leaving out the sanctioning system of the old Code based on the fact-sanction dichotomy - these events [...] represent isolated and obviously unsystematic cases that can happen precisely because of manual insertion errors or communication difficulties between computers/systems". The few reports are to be considered an extremely limited number compared to “an average of 40,000 requests for updating personal data, contact data, address” that are processed by the Company. There have been no violations relevant to the sanctioning purposes of Articles 15 to 22 of the Regulation since the exercise of the rights would have "always been promptly guaranteed" to the interested parties and, where delays occurred, "there were the 'justifications' for the delay contemplated precisely as a possibility by the legislator itself" in Articles 16 and 17.

As for the individual disputed reports, the Company recalled the answers already provided for each individual case and added, among other things, the following: for file no. 147619, “Due to a misalignment of the systems, the management was completed only on 19.08 […] the disservice is documented […] The proof of the sporadic anomaly that occurred on the systems is given by the presence of […] processing tickets”; and for issue no. 152006, “the cause of the delay is proven by task 50897” related to a problem with the social security number.

2.1.6. On the processing for promotional purposes carried out without consent or on the basis of legitimate interest (see point 7 of the dispute), Fastweb represented the following.

In general, the Company observed that the data collected for "specific, explicit and legitimate purposes" can also be processed for other purposes, if the processing is compatible with the purposes for which the personal data were initially collected. In that case, a separate legal basis other than that which allowed the collection of personal data would not be required. Therefore, "the analysis on the legitimate interest as an autonomous basis of the treatment - in particular for treatments carried out in the context of a contractual relationship and with different purposes but connected to those of the execution of the contract and therefore 'reasonably foreseeable' by the interested party - it also absorbs the compatibility of the new purpose".

With regard to the contacts subject to the complaint referred to in files nos. 153360 and 149390, on a preliminary basis, the contacts were made as the complainants had not expressed (file no. 153360) or had not "yet" expressed (file no. 149390) at the day of the contact, "opt out on the legitimate interest" and were directed "solely to Fastweb customers [...] in relation to partnership promotions that would allow them to have discounts or other concrete advantages on services 'already active' with Fastweb". Indeed, according to the Company, "the circumstance that the interested parties had not given their consent for commercial processing could not implicitly reveal an opposition to contacts based on legitimate interest".

With reference then to the information provided to both complainants at the time of the contract, the Company emphasized that both the subject of legitimate interest and that relating to consent for commercial purposes are clearly indicated in the information itself. For these reasons, Fastweb noted that "the choice of the 'legitimate basis' was made before the data was collected" and that "there is no overlap between the two types of legal bases, nor has Fastweb resorted to legitimate interest to compensate lack of consent".

With regard to the right of opposition recognized to the interested parties, Fastweb noted that "it has ensured an easy right to exercise the right [...] in line with what is expressly reported in the information", where it is specified that the interested party will be able to manage his consents and objections "independently through the dedicated page in the [...] MyFastweb customer area", or else you can "call Customer Service or go to the Fastweb Flagship Stores".

In support of its statements, the Company has reported a screenshot of the "consent and contact preferences" section available in the MyFastweb area of each customer, highlighting that "the customer can exercise his right to opt out by clicking on the box 'I do not wish to receive information'".

At the conclusion of its defense brief, the Company recalled the previous arguments and communications, asking the Authority to "positively end the procedure established in its favor"; or, “in the alternative”, not to order “the application of sanctions pursuant to art. 58 and 83 of the Regulations”; or, “in a further subordinate way” to “reduce [the] to the applicable minimum [the sanction] and the generic and specific extenuating circumstances undoubtedly demonstrated are recognized”.

2.2. Considerations in fact and in law

The aforementioned defensive arguments, together with what was represented by the Company during the preliminary investigation, do not allow Fastweb's liability for the violations subject to dispute, the content of which is referred to in full, to be excluded, for the reasons set out below.

As a preliminary point, it is noted that the conduct described in the field of telemarketing represents proof and confirmation of the alarming context in which the phenomenon of illicit contacts and unwanted promotional calls must be framed. This phenomenon, as already highlighted in the Authority's measures mentioned several times, also adopted in recent times, has been the subject, for over fifteen years, of social alarm on the part of citizens and of attention from the legislator and the Guarantor. There have been numerous regulatory interventions aimed at regulating the sector. These interventions were accompanied by constant control activities by the Authority on the various aspects of the phenomenon: from the relationships between the various parties involved, to the correct acquisition of the lists of contactable interested parties, from the management of telephone directories and the register of oppositions, to the use of call centers. The numerous measures adopted on the matter by the Guarantor before the entry into force of the Regulation, the subject of debates among experts in the sector and attention from the press, did not lead to a reduction of the phenomenon, so that the Authority, in April 2019, sent a general information to the Public Prosecutor's Office at the Court of Rome aimed at highlighting the criminal consequences of the telemarketing activities carried out in violation of the provisions on the protection of personal data. Also in light of this context, it now appears necessary to make full reference to the new principles laid down in the Regulation,

2.2.1. With reference to the dispute referred to in point 1), the existence of the contested violation of Articles 5, para. 1 and 2, 6 par. 1, 7, 24 and 25, par. 1, of the Regulations is confirmed, in relation to the entire customer base of the Company, as well as the complaints referred to in files 117698, 144450, 152962, 138241, 151747, 154404, 144577, 149829, 150096, 150853, 151543, 152330, 152792, and 154231.

From the analysis of the reports and complaints received by the Authority as well as the related feedback provided by Fastweb, it emerged that a considerable number of illegal promotional calls made on behalf of the Company (at least 70%) came from numbers not belonging to the Fastweb sales network and, in almost all circumstances, not registered in the ROC (i.e. the Register of Communication Operators).

Generally speaking, it must be assumed that the strengthening measures adopted by the Company and the further initiatives undertaken - among which there is also the intention to reach a tendential disposal of the outbound call channel of the agencies and the participation in the work table started with the main consumer associations - certainly demonstrate the awareness by the latter of the seriousness of the phenomenon of illicit promotional calls, and the will to stem it.

However, the limits and criticalities encountered with regard to some of the aforementioned measures cannot fail to be highlighted.

In the first place, with reference to the control mechanisms, in the act of initiating the procedure it was noted that the checks carried out by the Company on the numbers and the results of the contacts processed uploaded by the partner on the Invoice portal (including the outcome of the PDA, as well as those ex post on the traceability even at different times to contact lists authorized by Fastweb of the numbers called), do not provide any guarantee on the correct conduct of the promotional phase, as they merely verify that the contact of the called party falls within a list authorized by Fastweb without carrying out any checks on the calling numbering.

This may allow unknown subjects, in any case not attributable to the sales circuit officially recognized and authorized by Fastweb, to make promotional calls on behalf of the Company through numbers that do not belong to the Fastweb sales network, in order to unlawfully collect the personal data of users who, in the mistaken belief of speaking with a Fastweb sales agent, in some cases provide them by adhering to promotional offers. These personal data then flow into the company databases through the subscription proposals (the so-called “PDAs”) which are loaded on the Company's systems and activated.

This phenomenon, as highlighted in the notice and in the aforementioned recent Authority measures, can be stemmed or even radically eliminated by Fastweb, configuring its systems in such a way as to be able to block the procedures for activating offers or services where the Company is not able to guarantee that the promotional activity was carried out in compliance with the rules and rights of the interested parties, from the moment of the first contact. In this sense, for each activation, the Company's systems, in addition to requiring the indication of the contact list used (with the time validity constraints consistent with the date of the first contact), should require additional elements necessary to determine the correctness of the conduct of promotional contact (e.g., indication of the partner who made the first and subsequent contacts; indication of the calling telephone numbers - duly registered in the ROC, register of communication operators; call and information script read by the call-center operator).

The consequences of a failure to supply such information should in any case include, given the potential illegality of the processing, the unusability of the data (pursuant to art. 2-decies of the Code) or the "blocking" of the activation of contracts that do not meet certain requirements.

In this regard, Fastweb's approach according to which the latter "would have no right to refuse such activation", even where the contracts were originated by unlawful promotional calls, since "the activation of telephony services or data […] take on a real character of public utility”, is not considered acceptable.

In similar cases, the Authority clarified that "that of not proceeding with the activation of offers or services when there is no proof that they have been correctly proposed to the user on the basis of the provisions governing the procedures of promotional contacts, does not constitute a mere faculty of the data controller but a specific obligation dictated by the combined provisions of articles 5, para. 2, 6 and 7 of the Regulation and of the articles 2-decies and 130 of the Code. According to the rules of the Regulation, in fact, the owner is required to prove that the treatments carried out by the same, also through managers, comply with the principles of lawfulness, transparency and correctness (in particular with reference to consent), principles which, in scope of promotional contacts are declined by art. 130 of the Code,

The same considerations can take place "on a civil level", it being excluded that in the aforementioned cases a free and autonomous will has formed by the parties to perfect a contract: the same, in fact, would have been conveyed by a subject not provided with the essential requirements to be the Company (and, consequently, to collect the data of the other contracting party) and brought to the attention of a person who expresses his consent to the subscription in the erroneous belief that he is speaking with Fastweb.

The thesis put forward by the Company, according to which even after the adoption of the automatic blocking system in the insertion of new contracts, "in the face of the persistent will of the interested party, Fastweb would have no right to refuse this activation", also appears to be of no value.

As a preliminary point, it is noted that Fastweb's thesis according to which there is a distinction between an "illegal" call and an "unwanted" call does not find any regulatory confirmation, since, as is obvious, the considerations in terms of the "desirability" of a telephone contact. On the contrary, promotional calls made without a suitable legal basis (Article 130 of the Code and Articles 6 and 7 of the Regulation) can be defined as unwanted (i.e. illegal). Nor is the defensive thesis on the alleged "autonomous legal basis" acceptable, given that the processing of the Company would fall within the scope of the activity carried out by the unknown third party.

In this regard, it has already been pointed out that “the entire system of the Regulation is supported by the accountability of the data controller. These, due to the fact that the personal data of the subjects contacted who have subscribed to the promotional offers are destined to flow into the company databases, should adopt particular guarantee measures in order to prove that the contracts and activations registered in their systems originate from contacts made in full compliance with the provisions on the protection of personal data, in particular those referred to in Articles 5, 6 and 7 of the Regulation relating to consent” (see the aforementioned provision no. 143 of 9 July 2020).

We confirm what is represented in the notice of dispute: the absence of initiatives as outlined above (i.e. systems that require additional elements for each activation in addition to the indication of the contact list), in particular in the presence of such a significant figure for disavowed calls, caused a serious flaw in Fastweb's accountability, as well as in some key elements of the privacy by design criterion.

As for the procedure that the Company intends to adopt following the implementation of the new technology, it is noted that any "persistent will" of the interested party to sign a subscription with Fastweb, in any case, could not be verified by the Company through a recontact telephone number of the user. This operation would follow up on the illegal promotional activity started by the unauthorized third party, putting in place a further processing of data acquired illegally in order to carry out promotional activities. To preserve the expression of will of the potential customer, it could possibly be considered the possibility of sending a short message to the same, informing him of the problems that prevent the registration of the contract and the activation of the service,

Secondly, also with reference to the new sanction mechanisms adopted by Fastweb, it was noted in the notice that the measures adopted by the Company (including "non-payment of non-listed PDAs") are not suitable for undermining the phenomenon described above, since they act exclusively on the "official" sales network and are not able to affect in any way what has been repeatedly defined as the "undergrowth" of telemarketing.

In particular, with regard to the aforementioned "compensation exclusion" measure, the latter appeared inadequate, first of all, because it allows in any case the loading of orders for new contracts even with respect to customers procured outside the customer list dedicated to an agency and/or outside the area assigned to it, thus determining the use of data acquired illegally by unknown persons in violation of the relevant regulations on the protection of personal data. Furthermore, since Fastweb would also profit from this use (the example of the 5543 contacts made to non-listed numbers from which 5543 activation orders for Fastweb could potentially derive), the choices made by the same in order to exclude commissions and remunerations would be open to legal challenge by the agencies involved, as indeed highlighted by the Company during the hearing. Furthermore, the aforementioned measure does not seem to prevent remuneration from being paid to those who procure customers whose contacts are contained in lists authorized by Fastweb but who use unregistered calling numbers (an activity that could potentially be carried out directly by an agent of the Fastweb sales network, or by the latter through the intermediation of an unknown third party).

As for the process of reporting unrecognized caller numbers implemented by Fastweb "to contrast the use of illegal numbers", although useful as it is aimed at blocking the numbers being reported, this mechanism also does not provide any guarantee on the correct conduct of the promotional phase. Indeed, it is a measure characterized by a very limited scope, given that it is activated only following the receipt of unsolicited promotional calls by the interested party (therefore following the violation of his personal data), and only where the recipient of the unlawful call submits a report to the Company or to the Authority (the measure, therefore, may not be activated or, in any case, it would be activated only in relation to the limited number of promotional calls reported).

As for the additional measures adopted by the Company "in the event that it was possible to identify the author" of illegal promotional calls, i.e. the application of "penalties", "contractual termination" and "interruption of relations with agencies", what emerged in the notice regarding the non-systematic nature and inconsistency in the application of the measures with respect to similar situations is confirmed. On the extent of "penalties", the inadequacy of this measure was noted in the act of contestation both in that its application is not proportional to the number of abusive conduct detected by the documentation produced by the Company (less than 1% of the illegal conduct has been sanctioned through the application of a penalty) and because the amount of the sanction applied is modest compared to the number of violations committed by an agency (as well as to its turnover). With regard to the measures of "contractual termination" or "interruption of relations with agencies", the inconsistency and contradictory nature of the Company's conduct was noted where the latter chose to terminate or interrupt relations with some agencies and to continue them with others,

Thirdly, with reference to the measures adopted by Fastweb which are currently under development, the following is noted.

Although Fastweb's intention to undertake a path that follows, at least partially, the Authority's indications is appreciable, both through the use of the "tool log" (which allows the ex-post controls to be extended also to the calling numbers and to the set of promotional calls made by agencies), and through the new technology implementation (which makes it possible to inhibit the loading of orders referring to subjects not present in the authorized contact lists), both measures present the same critical issues where they do not provide for the exclusion of illegally acquired contract proposals from the Company's information assets, as they would be required to provide for the reasons already amply illustrated above.

Lastly, the defensive arguments expressed by Fastweb relating to the limited number of reports and complaints, in the face of the large number of promotional contacts made by the Company, are not relevant. The Company is well aware that the 236 reports brought to the attention of the Guarantor correspond only to a minimal part of the illegal promotional activity that is carried out daily by the sales agencies (just consider that, with reference to the "contacts made by the agencies to numbers not listed" alone, the Company itself declared that in less than two years 5,543 illicit contacts were made). It is clear that the majority of users, victims of multiple illegal promotional calls, do not contact the Authority with reports and complaints, despite the fact that telemarketing is often perceived as an invasive phenomenon, even beyond all tolerance limits. What is relevant, in addition to the number of cases reported, is the degree of effectiveness of the responses provided by the Company to such reports and complaints, in order to prevent the activity carried out by the sales agencies on behalf of Fastweb from overriding the confidentiality of others. In the case of Fastweb, in the face of 236 reports, the Company has denied the origin of at least 166 phone calls, thus providing the interested parties with a completely ineffective response to their requests. Therefore, it must be concluded that also from a numerical point of view, the problem brought to the attention of the Authority is extremely serious.

In light of the above, it emerged that the Company, although it has "committed" and has "invested" in the phenomenon of disavowed calls, has not fully exercised its powers, which correspond to the duties of accountability and privacy by design identified by art. 5, par. 2, and 25 of the Regulation, failing to introduce forms of control of the "chain" of acquisition of personal data that prevent the acquisition of new customers if it is not proven that they were initially contacted by a person included in the processing responsibility chain, which has put in place all the precautions envisaged by the regulatory and ethical framework of reference.

2.2.2. With reference to the dispute referred to in point 2), at the outcome of the investigation it emerged that Fastweb acquired lists of personal data from third parties (the partners of its own sales network) who, in turn, had acquired them as independent data controllers and who transferred them into Fastweb systems. The transfer of data to Fastweb took place in the absence of the required consent for the communication of personal data between independent data controllers. Therefore, the disputed violation which involved at least 7,542,000 interested parties in 2019 is confirmed.

Based on Fastweb's reconstruction, the personal data lists can be acquired, among other things, by direct list editors (Chebuoni, Impiego24, ClickAdv, Bakeca and eGentic, which in turn acquires them from the subsidiaries Naturvel Pte Ltd. and Tooleado Gmbh), and from its partners who in turn acquire them independently from their suppliers and subsequently obtain authorization to use them from Fastweb.

With reference to the lists of personal data relating to mobile telephone numbers that Fastweb acquires directly from the list editors, the model followed appears to be correct overall. It has been noted that, in the aforementioned case, the companies assume the legal role of data controllers who communicate the data in their possession to Fastweb on the basis of the specific consent that the interested parties have provided to them. As part of the process of acquiring the personal data, Fastweb requires that the companies acquire consent for the transfer of data to third parties, as an optional choice, and that Fastweb is indicated, in the related information, as the subject to which the data can be transferred. Fastweb verifies that the data acquired directly from the list editors come from its own sites or from autonomous initiatives and not from the aggregation of different sources. Therefore, the model provides for a communication of data from owner (list editor) to owner (Fastweb) supported by a specific and informed consent, suitable to allow the interested party to exercise full control over the fate of the data that the same has given to the original owner: this control can be easily exercised also through the indications that Fastweb provides in the telephone contact.

Also with reference to the lists of personal data that the Company acquires through the company eGentic, which in turn acquires the data from the companies belonging to its entrepreneurial group, Naturvel Pte Ltd. and Tooleado Gmbh, from the documentation produced by the Company and from the investigation carried out by the Authority it emerged that the data processing was carried out correctly.

With regard to the lists of personal data provided by the partners of the Fastweb sales network, following acquisitions made by them independently from one of their suppliers, the Company's thesis according to which the agencies would operate as data controllers is not acceptable.

In fact, it has been noted that these lists are acquired by the agencies "independently", or "by themselves" and used "upon request and authorization [...] by the Fastweb owner". In response to the request for information, the Company pointed out that in order to use these lists, the agency is required to request authorization from Fastweb, providing a series of elements that will be subject to verification by the latter. In the event that the analyzes carried out by Fastweb provide a positive result, the partner is authorized to upload the personal data in its possession so that they can be used in the planning of the current month.

The investigation shows that the agencies acquire the lists of personal data "autonomously", being able to abstractly use them not only for Fastweb's promotional campaigns but also for other subjects. It follows that, at the time of the acquisition of the personal data lists, they operate not as data processors (as Fastweb claims), but as independent data controllers.

It therefore emerges that the lists of personal data provided by the partners of the Fastweb sales network, following acquisitions made by them as independent data controllers, have merged into the circuit of treatments for promotional purposes of which the Company is the owner, through a transfer between autonomous owners. This transfer cannot be disguised or evaded by the subsequent designation of the same partners as Fastweb's data processors. The partners in question therefore transferred these lists to Fastweb only on the basis of the original consent that the interested parties gave to the list editors, a consent which, however, is unsuitable for allowing further data communications.

As noted in several recent Authority measures (see, among other things, measures no. 232 of 11 December 2019, in www.gpdp.it, web doc. no. 9244365 and no. 224 of 12 November 2020, in www.gpdp.it, web doc. 9485681), this method of communicating data is unsuitable for allowing the data subject to exercise full control over them. Therefore, the business model adopted to allow partners to use their own personal data lists to carry out promotional activities on behalf of Fastweb violates the provisions of the Regulation on accountability and consent (Article 5, paragraphs 1 and 2, art. 6, par. 1 and art. 7).

2.2.3. With reference to the dispute referred to in point 3), the violation of Articles 5, 6, 7, 12, 13 and 21 is confirmed, in relation to the methods of activation, release of the information and revocation of the "Call me back" service.

It has been noted that the “Call me back” service follows a well-defined procedure that allows a planned re-contact of the customer following a request.

However, from the investigation carried out by the Office, it emerged that the Company has not prepared an ad hoc information in relation to this service, which explains its operation, the methods of processing personal data and contacting the user again. . Indeed, the concise notice inserted near the service activation button simply warns the user that, by activating it, he gives his "consent to the processing of personal data to receive telephone contacts on Fastweb offers exclusively in the time slots. […] Indicated ".

In this regard, the defensive arguments according to which "it was sufficient for the interested parties to be informed of the 'processing purposes', which happened", while "the number of contacts that could potentially be carried out or what would have happened in the case of free numbering" they are “aspects that do not pertain to the aims […] but to the technical modalities for their pursuit”.

It should be noted that, when the "technical procedures" are particularly invasive as in the present case, in which the user could potentially be "called back [...] 4 times in an hour at a distance of 15 minutes each for a total of 20 attempts [...] throughout the day" before "the contact [is] closed", these become an integral and highly characteristic part of the treatment, of which the user must be informed in advance before giving his consent, precisely because of their particular pervasiveness. Think, for example, of the reports of users who complained of "telephone persecution" following the activation of the service.

Even the new information prepared by Fastweb, although it makes the functioning of the service explicit, indicating to the user that activation will be followed by "subsequent attempts" to call, appears generic where it merely states that "in case of unsuccessful contact we will try to call you back in the following days until the expiry of the useful attempts which vary according to the impediment found (line busy, no response) and the operators available. In any case, subsequent attempts to follow up on your request will be carried out in compliance with the time slot originally chosen".

There is also a lack of a system that easily allows the user to deactivate the service with the same simplicity with which it is possible to activate it. In this regard, Fastweb's arguments according to which, for the deactivation of the service, it would be enough for the interested parties to “reply [ndir] to the requested re-contact call” do not appear to have merit. Indeed, the object of the dispute is precisely the absence of a system that allows the interested party to easily interrupt the flow of calls if he is unable (or simply no longer intends) to answer the calls. Nor does the procedure for deactivating the service "by simply sending an email" appear to be a proportionate measure compared to the activation procedure which requires a simple "click".

The reported cases, if brought back to the system through the indications provided by Fastweb, highlight how the lack of adequate information and the lack of adequate procedures for the withdrawal of consent have prevented the interested parties (i) from giving free, specific and informed consent, through an unequivocal positive action; (ii) from interrupting the flow of calls, hindering them from exercising their rights.

The fact that Fastweb has not adopted a system that "facilitates the exercise of the rights of the data subject" including the right to object as well as the non-compliance with the information provisions constitutes a violation of the related provisions of the Regulation, contained in articles 5, 6, 7, 12, 13 and 21.

2.2.4. With reference to the disputes referred to in points 4) and 5), the violation of articles 24 and 32 of the Regulation, in relation to multiple and systematic accesses to company databases containing personal data (including personal data, telephone numbers, telephone traffic and payment data), for failing to implement measures of proportionate efficacy in order to: guarantee (and be able to demonstrate) that the processing is carried out in accordance with the Regulation; ensure the confidentiality and integrity of the processing systems and services on a permanent basis; and regularly test, verify and evaluate the effectiveness of technical and organizational measures to guarantee the security of the processing (files 147286, 154212, 146491, 146238, 146260, 139824, 148138). The violation of art. 33, par. 1, and 34 of the Regulation, for failing to submit to the Guarantor and to the interested parties the notification of a violation of personal data, with reference to the multiple accesses mentioned above.

It is undisputed that the Company has been aware since July 2019 of the phenomenon which involved hundreds of Fastweb customers, who were recipients of illicit contacts by unknown persons who, pretending to be Fastweb operators, requested to send a copy via Whatsapp of their identity documents, which a significant number of users have actually done. As stated by the Company itself, the phenomenon has wider dimensions and this can also be inferred from the high number of reports received by Fastweb which have been the subject of a complaint by the Company to the competent Authorities, also originating from reports of technical failures to the proposals divisions of the Company.

In this regard, the measures adopted by the Company, including the process of reporting against unknown persons to the Postal Police, the awareness and information activity towards and to protect its customers and the market, or the activities carried out on the security of the systems, are not considered effective and adequate with respect to the purpose of protecting customer data and verifying, also through analysis of log files, the existence of illicit access.

In the face of a substantial number of episodes brought to the attention of the Company, the interventions carried out do not seem to have constituted a serious contrast to the attempts to exfiltrate data from the company databases, considering that these episodes have also occurred in very recent periods.

In this regard, the Guarantor in the aforementioned provision of 12 November 2020 n. 224 noted that, “while within the previous regulatory framework, privacy security could be considered formally ensured with the application of the minimum security measures indicated in Articles 33 and ss. of the Code, in the formulation prior to the changes introduced by Legislative Decree no. 101/2018, and of the rules referred to in the related technical specification, regardless of the functional and dimensional configuration of the systems, the judgment of adequacy of the aforementioned measures remaining limited to the assessment of the owner's civil liability in the event of destruction or loss, even accidental, of the data itself, of unauthorized access or processing that is not permitted or does not comply with the purposes of the collection, with the current structure dictated by the Regulation, it is precisely the events described above that determine, due to the risks to the rights and freedoms of individuals, a first and qualifying judgment of adequacy on the security measures adopted. This in particular, as indicated in recital 75 of the Regulation, with reference to treatments likely to cause physical, material or immaterial damage, in particular: if the treatment may involve discrimination, theft or usurpation of identity, financial losses, prejudice to reputation […] or any other significant economic or social damage; […] if the processing concerns a significant amount of personal data and a large number of interested parties'”.

It is clear that, given the seriousness of the events reported by the complainants, and the potential prejudice that ensues for the rights and freedoms of the interested parties, the Company should have promptly intervened with drastic and suitable measures to prevent the occurrence of similar episodes. This did not happen. On the contrary, from the documentation on file it appears that, although the first reports had been received by the Company as early as mid-2019, still in October 2020 users reported that they had been contacted by unknown subjects who presented themselves as Fastweb operators and requested a copy of their identity documents.

Nor would the circumstance that "the leakage of data [would be located] outside the systems of its pertinence" exclude liability. Even if Fastweb's assumptions were proved, it is undisputed that the subject of illicit contacts were all Fastweb customers, so that the possible "presence of a distinct ownership in the processing" would not exempt the Company from the burden of protecting the security of the personal data of its customers (for which there is no doubt that the Company is the data controller), or from the burden of communication of data breach pursuant to art. 33 and 34 of the Regulation, in relation to the violation of personal data relating to its customers.

2.2.5. With reference to the dispute referred to in point 6), the observations expressed by Fastweb in the context of the exercise of the right of defense confirm the existence of the Company's responsibility for non-compliance with the principle of data accuracy (violation of art. 5, paragraph 1, letter d) in relation to arts. 15-22 of the Regulation, since system errors and delays in realigning and correcting the data were found in various instances of exercising the rights proposed by the interested parties (files 136409, 146607, 148287, 147619, 152006, 137155).

On the aforementioned reports and complaints, it must be pointed out that the generic indication of a "manual error" and / or an undocumented system error is not suitable for eliminating the Company's responsibility for undue contacts and / or inadequate management of requests for the exercise of rights, since, also on the basis of the principles established by art. 3 of the law n. 689/1981 on the subject of good faith, the error on the lawfulness of the fact can be detected as a cause for exclusion of administrative liability only when it is inevitable, and for this purpose a positive element is needed to induce such an error, which cannot be remedied by the interested party with ordinary diligence. This element was not provided by the Company. Furthermore, based on what is established in general terms by art. 25 of the Regulation and, more specifically, by art. 12, par. 1, in terms of transparency, an adequate structuring of systems, organization and work cycles should lead to the exclusion of the recurrence of this type of errors.

It should be added that, as already noted in the dispute, in some of the aforementioned cases, even years have elapsed for the resolution of the problems raised.

In the cases as identified above, the existence of the violation of the provisions of Articles 5, par. 1, lett. d), with reference to the principle of "accuracy" of the data processed, in relation to art. 15-22 of the Regulation.

With regard to the number of disputed cases which would represent a modest percentage compared to the amount of requests to exercise the rights that Fastweb processes monthly, it is reiterated that: i) the number refers only to the cases brought to the attention of the Authority, not clearly excluding that there are many others; ii) the reports are examples of a problem detected in the Fastweb feedback system, which could potentially involve hundreds of thousands of users; iii) in any case, this element cannot eliminate the need to ensure the individuals concerned the individual protection that the Regulation provides, through the adoption of corrective and sanctioning measures.

Nor is Fastweb's thesis acceptable, according to which "having changed the sanction mechanism", "one would no longer reason [ere] in terms of 'micro-sanctions'" based "on individual 'micro-obligations'" but "of penalties calculated on the total turnover of the company ”based“ on the overall vision of accountability ”. Contrary to what Fastweb claims, the new sanctioning system does not prohibit at all (let alone prohibited it in the past) from reasoning for a single violation, and at the same time, for violation of the systems. There is a tool, art. 83 par. 3 which allows to unify the violations, making sure that the individual conducts can be relevant for the overall assessment of the sanction.

2.2.6. With reference to the dispute referred to in point 7), the violation of articles 5, para. 1 and 2, 6 and 7 of the Regulation, in relation to the processing of personal data carried out for promotional purposes of its products and services, carried out in the absence of the required consent and pending the inadequacy of the legal basis of the legitimate interest (files 149390, 153360).

With regard to Fastweb's defensive observations, we agree with what is represented in relation to the fact that "the consent for commercial processing [...] concerns proposals identified in the product categories [...] that [...] must not be linked to services already offered to the customer "and that" could also be independent of the existence of an ongoing contractual relationship "; otherwise, contacts based on legitimate interest can only concern commercial proposals linked to services already offered to the customer, and cannot ignore the existence of an ongoing contractual relationship.

However, the reconstruction proposed by the Company appears to be contradicted by the cases in question. In such cases, the promotional activities are carried out in partnership with another subject, so that they cannot be included either among those compatible with the original purpose of the collection (the execution of a contract of which the interested party is a party), or among those for which the legal basis of legitimate interest can be used. The operators, in fact, do not limit themselves to presenting commercial proposals linked to services already offered to the customer, but promote commercial initiatives even for other subjects. The aforementioned activities are therefore only lawful in the presence of the data subject's express consent to the processing of their data for marketing purposes which, in the cases highlighted, does not appear to have been released. It should be added that the interested parties, precisely because they have expressly denied consent to the processing aimed at promotional contacts, could not have any "legitimate expectation" of being the subject of promotional contacts which, moreover, refer to products and / or services of different subjects. In this regard, the prospect of a discount in the services already signed with Fastweb appears to be a mere commercial expedient which cannot in any way determine the change in the legal basis of the above treatments.

As for the information (including that transmitted to all customers since February 2019), although it has not been the subject of specific disputes by the Authority, for completeness of the discussion it should be noted that it does not appear, with reference to the indication of the legal basis of the legitimate interest and the methods of opposition, sufficiently clear and directly understandable to the interested party in accordance with the principles of correctness and transparency of personal data identified in articles 5, par. 1, lett. a), and 12 of the Regulation.

In addition, also in the content, the information indicates treatments whose legal basis would reside in the legitimate interest and which do not seem to be attributable, for the above reasons, to this institution (e.g., the use of contact details "to inform you of [...] our promotions or those of our partners that allow you to have discounts and other advantages on already active services"), given that the mere recognition of a discount referring to already active services does not constitute a relevant link that allows the new promotions to be bound to the overall customer profile, even less in the case of promotions relating to third parties.

3. CONCLUSIONS

For the foregoing, Fastweb's responsibility is deemed to be ascertained in relation to the following violations:

1. violation of articles 5, para. 1 and 2, 6 par. 1, 7, 24 and 25, par. 1, of the Regulation, since Fastweb SpA has not implemented control systems of the "supply chain" for collecting personal data from the moment of the first contact of the potential customer, suitable to exclude with certainty that illegal or unwanted promotional calls have led to the activation of services or signing of contracts which are then merged into the Fastweb databases. The violation involves the entire customer base of the company and the complaints referred to in files 117698, 144450, 152962, 138241, 151747, 154404, 144577, 149829, 150096, 150853, 151543, 152330, 152792, and 154231;

2. violation of art. 5, para. 1 and 2, of art. 6, par. 1, and of art. 7 of the Regulation, since Fastweb SpA acquired lists of personal data from third parties (the partners of its sales network) who, in turn, had acquired them as independent data controllers and who transferred them to Fastweb's systems. The transfer of data to Fastweb took place in the absence of the required consent for the communication of personal data between independent data controllers. The violation involved at least 7,542,000 interested parties in 2019;

3. violation of art. 5, 6, 7, 12, 13 and 21, in relation to the procedures for activating, releasing the information and revoking the "Call me back" service;

4. violation of art. 24 and 32 of the Regulation, in relation to multiple and systematic accesses to company databases containing personal data, telephone numbers, telephone traffic and payment data, for failing to implement measures of proportionate effectiveness to guarantee, and be able to demonstrate that the processing is carried out in accordance with the Regulations, to ensure the confidentiality and integrity of the processing systems and services on a permanent basis and to test, verify and regularly evaluate the effectiveness of technical and organizational measures in order to guarantee the security of processing (files 147286, 154212, 146491, 146238, 146260, 139824, 148138);

5. violation of art. 33, par. 1, and 34 of the Regulation, for failing to submit to the Guarantor and to the interested parties the notification of a violation of personal data, with reference to the multiple accesses referred to in the preceding point;

6. violation of articles 5, par. 1, lett. d), with reference to the principle of "accuracy" of the data processed, in relation to art. 15-22 of the Regulation, in relation to the various requests for exercising the rights proposed by the interested parties for which system errors and delays in the realignment and correction of data were found (files 136409, 146607, 148287, 147619, 152006, 137155);

7. violation of art. 5, para. 1 and 2, 6 and 7 of the Regulation, in relation to the processing of personal data carried out for promotional purposes of its products and services, carried out in the absence of the required consent and pending the inadequacy of the legal basis of the legitimate interest (files 149390, 153360).

Having also ascertained the unlawfulness of the Company's conduct with reference to the treatments examined, it is necessary:

- prescribe Fastweb SpA, pursuant to art. 58, par. 2, lett. d) of the Regulations, to adapt the telemarketing treatments in order to provide and prove that the activation of offers and services and the registration of contracts takes place only following promotional contacts made by the Company's sales network through registered telephone numbers and registered in the ROC - Register of Communication Operators;

- prescribe Fastweb SpA, pursuant to art. 58, par. 2, lett. d) of the Regulations, to reformulate the information relating to the "Call me back" service, specifically indicating the methods for re-contacting Fastweb SpA and, again in relation to the aforementioned service, to provide for an automated method for deactivating the service;

- prescribe Fastweb SpA, pursuant to art. 58, par. 2, lett. d) of the Regulations, to adapt the security measures for accessing their databases in order to eliminate or in any case significantly reduce the risk of unauthorized access and processing that does not comply with the purposes of the collection;

- impose on Fastweb SpA, pursuant to art. 58, par. 2, lett. f) of the Regulations, a ban on any further processing for promotional and commercial purposes carried out through lists of personal data of third parties who have not acquired free, specific and informed consent from the interested parties for the communication of their data to Fastweb SpA;

- impose on Fastweb SpA, pursuant to art. 58, par. 2, lett. f) of the Regulations, a ban on any further processing of products or services in partnership with the company Eni Gas and Luce SpA towards interested parties who have not given free, specific and informed consent to the processing of their data for promotional purposes by Fastweb SpA;

- adopt an injunction order, pursuant to art. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application to Fastweb SpA of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5, of the Regulation.

4. ORDER-INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to art. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application to Fastweb SpA of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5, of the Regulations (payment of a sum up to Euro 20,000,000.00 or, for companies, up to 4% of the annual worldwide turnover of the previous year, whichever is higher).

For the determination of the maximum legal sanction of the pecuniary sanction, it is considered necessary to refer to the turnover of Fastweb SpA, in accordance with the previous provisions adopted by the Authority, and therefore to have to determine this maximum edict, in the case in question, in Euro 90,037,367.00;

To determine the amount of the sanction, the elements indicated in art. 83, par. 2, of the Regulations;

In the case in question, the following are relevant:

1. the seriousness of the violations (Article 83, paragraph 2, letter a) of the Regulation) with reference to the complaints referred to in points 1), 2), 4), 5), and 7) due to the particular pervasiveness of illicit contacts in the context of telemarketing activities (potentially damaging to various fundamental rights and, in particular, in addition to the right to the protection of personal data, the right to individual peace of mind and the right to privacy); the level of damage actually suffered by the interested parties, who with reference to the violations referred to in point 1) were exposed to nuisance calls; the growing difficulties they encounter in stemming the phenomenon; the multiplicity of conducts implemented by Fastweb SpA in violation of several provisions of the Regulation and the Code;

2. as an aggravating factor, the duration of the violations (Article 83, paragraph 2, letter a) of the Regulation), due to the permanent and still existing nature of the violations referred to in points 1), 2), 3), and 7) as well as for a duration exceeding six months of the violations referred to in points 4), 5) and 6);

3. as an aggravating factor, the very high number of parties involved (Article 83, paragraph 2, letter a) of the Regulation) which, for the violation referred to in point 1) must take into account the entire customer base of Fastweb SpA and for the violation referred to in point 2) includes more than 7 million interested parties present in the lists acquired from third parties;

4. as an aggravating factor the significantly negligent nature of the conduct (Article 83, paragraph 2, letter b) of the Regulations) in consideration of the wide and constant dialogue with the Guarantor on all aspects of telemarketing, as well as the relevant provisional activity of the Authority, elements that should have constituted a valid support in the organizational choices of the Company but which instead, in particular with reference to the violations referred to in points 1), 2) and 7), were largely disregarded. The violations referred to in points 4) and 5) also assume a significantly negligent nature due to the serious vulnerabilities found in the company databases, not yet fully resolved, and the serious delay in the notification of an important "data breach";

5. as aggravating factors the specific reiteration of the conduct (Article 83, paragraph 2, letter e) of the Regulation) and the previous adoption by the Authority of similar corrective and sanctioning measures with reference to treatments of the same type (art. 83, par. 2, letter i) of the Regulation);

6. as a mitigating factor, the adoption of measures aimed at mitigating the consequences of violations (Article 83, paragraph 2, letter c) of the Regulation), with particular reference to the activities of control and containment of anomalies in promotional contacts operated by the sales network; the implementation of new platforms to adapt the processing for promotional purposes to the legislation and the indication of the Authority; the gradual disposal of telemarketing activities that do not have reliability requirements; the strengthening of security measures for access to company databases; and the adaptation of the information and the procedures for responding to the interested parties;

7. as a mitigating factor, cooperation with the Authority (Article 83, paragraph 2, letter f) of the Regulation) during the preliminary investigation;

8. as a mitigating factor, participation in round tables to combat phenomena attributable to wild marketing activities (Article 83, paragraph 2, letter j) of the Regulations) during the preliminary investigation;

9. as additional factors to take into consideration to parameterize the sanction (Article 83, paragraph 2, letter k) of the Regulation), the large time margin granted to all data controllers in order to allow them a complete and consistent adaptation of systems and procedures to the new European legislation, in force since 25 May 2016 and fully operational from 25 May 2018; the particular attention that the legislator has dedicated to the regulation of the telemarketing phenomenon, also with recently adopted regulatory interventions (e.g., law no. 5/2018); the significant market position of Fastweb SpA in the telecommunications sector and the overall economic value of the Company.

On the basis of all the elements indicated above, and the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1, of the Regulation, and taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, in the initial application of the administrative pecuniary sanctions provided for by the Regulation, also in order to limit the economic impact of the sanction on the organizational, functional and of the Company, it is believed that the administrative sanction of the payment of a sum of Euro 4,501,868.00 equal to 5% of the maximum legal sanction should be applied to Fastweb SpA, in line with the recent measures adopted by the Authority in the field of telemarketing.

In the case in question, it is believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the conduct of the Company, its partners, as well as the high number of subjects potentially involved in the treatments examined;

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL OF THIS GIVEN THE GUARANTOR

a) prescribes to Fastweb SpA, pursuant to art. 58, par. 2, lett. d) of the Regulations, within 30 days from the notification of this provision, to adapt the telemarketing treatments in order to provide and prove that the activation of offers and services and the registration of contracts takes place only following promotional contacts carried out by the Company's sales network through telephone numbers registered and registered in the ROC - Register of Communication Operators;

b) prescribes to Fastweb SpA, pursuant to art. 58, par. 2, lett. d) of the Regulations, within the same term referred to in point a), to reformulate the information relating to the "Call me back" service, specifically indicating the methods of contacting Fastweb SpA and, again in relation to the aforementioned service, to provide an automated way to deactivate the service;

c) prescribes to Fastweb SpA, pursuant to art. 58, par. 2, lett. d) of the Regulations, within the same term referred to in point a), to adapt the security measures for access to their databases in order to eliminate or in any case significantly reduce the risk of unauthorized access and processing that does not comply with the purposes of the collection;

d) imposes on Fastweb SpA, pursuant to art. 58, par. 2, lett. f) of the Regulations, a ban on any further processing for promotional and commercial purposes carried out through lists of personal data of third parties who have not acquired free, specific and informed consent from the interested parties for the communication of their data to Fastweb SpA;

e) imposes on Fastweb SpA, pursuant to art. 58, par. 2, lett. f) of the Regulation, a prohibition on any further processing of products or services in partnership with the company Eni Gas e Luce SpA towards interested parties who have not given free, specific and informed consent to the processing of their data for promotional purposes by Fastweb SpA;

f) orders Fastweb SpA, pursuant to art. 157 of the Code, to communicate to the Authority, within the same term indicated above, the initiatives undertaken in order to implement the provisions and prohibitions adopted; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction envisaged by art. 83, paragraph 5, of the Regulation.

ORDERS

Fastweb SpA, in the person of its pro-tempore legal representative, with registered office in Milan, Piazza Adriano Olivetti 1, CF and VAT number: 12878470157, to pay the sum of Euro 4,501,868.00 (four million five hundred one thousand eight hundred sixty-eight / 00) as a pecuniary administrative sanction for the violations indicated in the motivation, noting that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by complying with the prescribed measures and paying, within thirty days, an amount equal to half of the sanction imposed.

ENJOINS

the aforementioned company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 4,501,868.00 (four million five hundred and one thousand eight hundred and sixty-eight / 00), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981.

PROVIDES FOR

the application of the ancillary sanction of publication of this provision on the website of the Guarantor, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, and considers that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to art. 152 of the Code and art. 10 of Legislative Decree n. 150/2011, an objection to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is based, within thirty days from the date of communication of the provision itself.

Rome, March 25, 2021

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE SECRETARY GENERAL
Mattei