Garante per la protezione dei dati personali (Italy) 10105764
Garante per la protezione dei dati personali - 10105764 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 5(1)(f) GDPR, Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 6(1) GDPR, Article 7 GDPR, Article 24 GDPR, Article 28 GDPR, Article 32 GDPR, Article 33 GDPR, d. lgs. 196/2003 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 24.12.2024 |
Published: | |
Fine: | 347,520 EUR |
Parties: | Wind Tre |
National Case Number/Name: | 10105764 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Italian |
Original Source: | GPDP (in IT) |
Initial Contributor: | Carloc |
The DPA fined the telecom company Wind Tre €347,520 for its aggressive marketing practices, i.e. using contact data from consumers who had no previous interaction with the company without their consent.
English Summary
Facts
In 2020 the Italian DPA fined telecom Wind Tre, the controller, €16,729,600 for the unlawful processing of personal data and unauthorised marketing communications to customers. The authority also ordered the controller to stop processing data acquired without consent[1].
Months later the DPA started a follow-up investigation of the company’s compliance with its orders. In particular, the DPA investigated the controller’s reliance on marketing subcontractors, its use of “cold lists”[2] of contact data, and the collection and documentation of consumers' consent.
Additionally, the decision addressed several complaints against the controller over aggressive marketing practices.
The ex-officio investigation (procedure 178557)
The ex-officio investigation started in 2022 as a follow-up to the DPA’s 2020 decision against the controller. The DPA investigated the controller’s premises and requested information over certain features of its marketing systems and over the operations of its subcontractors.
The DPA found that 15 contracts were finalized with different numbers from those targeted by the controller’s campaign. These contracts were finalized by three different contractors (all of which qualified as processors under the GDPR). By hiring each processor, the controller violated several provisions of the GDPR. First, the controller was unable to prove that the data subjects were contacted with their consent. Second, two processors violated the controller’s established storage periods for customer data. Finally, one of the processors was established in Moldova and did not have an EU representative.
The use of cold lists bought from third-party websites raised compliance issues. The controller was unable to prove consent to the use of numbers bought from third-party websites. Additionally, a single phone number was bought without the data subject’s consent.
Over time the data controller implemented several measures to bring its marketing activities into compliance, including:
- a new campaign management system to better track the operations of contractors;
- a quality control system to ensure compliance along the value chain;
- more rigorous selections and auditing of contractors;
- measures to protect its customers from CLI spoofing calls.
Crucially, the controller also stopped using “cold lists” for consumer marketing in December 2022.
The first complaint (procedure 133372)
The first complaint comes from a customer of the data controller, the data subject. When she activated the controller’s services, she denied all consents to marketing communications.
The data subject later consented to direct marketing from a third party, the processor. The controller had engaged this third party as a data processor. As a result, the data subject still received marketing communications for the controller’s services despite having denied her consent to the controller.
The second complaint (procedure 25395)
In 2021, a data subject received an unwanted SMS. He reached out to the controller and asked for his number to be blacklisted but kept receiving messages afterwards.
The controller claimed that it blacklisted the data subject and that the unwanted communications were caused by an unpredictable human error. It also claimed that its new Campaign Management system would prevent similar incidents in the future.
The third complaint (procedure 262138)
A misconfiguration in the controller’s Customer Relationship Management system resulted in a data breach on the controller’s website: a customer logged into another customer’s personal area after accidentally using the wrong client code.
The controller immediately fixed the vulnerability but did not notify the authority of the breach.
Holding
With regard to the ex-officio investigation and to the first and second complaints, the DPA held that the controller violated Articles 5(2), 6(1), 7, 24, and 28 GDPR as well as Article 130 d. lgs. 196/2003[3] by failing to collect and document consent along the data processing chain. Additionally, in relation to the first complaint, the DPA held that the data subject’s refusal, communicated to the data controller when she activated the service, prevailed over the consent she later gave to the processor.
With regard to the third complaint, the authority held that the controller violated Article 5(1)(f) GDPR and Article 32 GDPR by failing to implement appropriate security measures. Additionally, the controller violated Article 33 GDPR by failing to notify the authority.
The data controller was fined €347,520. The authority considered, among other things, that the data controller cooperated with the authority, radically changed its marketing practices, and no longer relied on “cold lists” for direct marketing.
Comment
The main investigation is part of the Garante's efforts to curtail aggressive marketing practices. See, for instance, Garante per la protezione dei dati personali (Italy) - 9256486 (Tim S.p.a.), 10086536 (Illumia S.p.a.), and 10097012 (E.ON).
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
SEE ALSO Newsletter of February 28, 2025
[web doc. no. 10105764]
Measure of December 12, 2024
Register of measures no. 774 of December 12, 2024
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, Members, and Dr. Claudio Filippi, Deputy Secretary General;
SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);
CONSIDERING the Personal Data Protection Code (Legislative Decree 30 June 2003, no. 196), as amended by Legislative Decree 10 August 2018 no. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the “Code”);
CONSIDERING the documentation in the files;
CONSIDERING the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;
REPORTER Dr. Agostino Ghiglia;
WHEREAS
With files no. 158162 of 25 November 2023 (file 178557), no. 25394 of 29 February 2024 (file no. 173400) and 158163 of 25 November 2023 (file no. 262138), which must be considered fully recalled and reproduced here, the Office has initiated, pursuant to art. 166, paragraph 5 of the Code, three proceedings for the adoption of the provisions referred to in art. 58, paragraph 2 and the administrative pecuniary sanctions referred to in art. 83, paragraphs 4 and 5 of the Regulation against Wind Tre S.p.A., (hereinafter “Wind Tre” or “the Company”).
In particular, the first proceeding (file no. 178557) originates from an official verification aimed at controlling the processing activities carried out for promotional purposes within the more general activities to combat wild telemarketing.
The other two proceedings instead originate from two complaints relating, in one case, to the sending of promotional communications without consent (file 173400) and, in the other, to a violation of personal data (file 262138).
The three proceedings, initiated separately against the same owner, concern issues of the same nature (the processing of data for promotional purposes and the adequacy of technical and organizational measures) therefore, in order to promote their organic examination and implement the principles of economy and speed referred to in art. 9 of internal regulation no. 1/2019 (in www.gpdp.it, web doc. no. 9107633), it was deemed appropriate to jointly deal with the documents pursuant to and for the purposes of the subsequent art. 10 of the same regulation. In this case, moreover, joint handling appeared more suitable to guarantee the right of defense and the need not to aggravate the proceedings.
PROCEDURE 178557
1. THE INVESTIGATIVE ACTIVITY CARRIED OUT
The proceeding originates from an investigation initiated ex officio by the Authority within the scope of the supervisory tasks identified by art. 57, par. 1, letter a) of the Regulation, in direct connection with the results of provision no. 143 of 9 July 2020 (in www.gpdp.it, web doc. no. 9435753) with which, among other things, the Company was given instructions pursuant to art. 58, par. 2, letter d), of the Regulation.
In particular, as part of the investigations launched to combat the phenomenon of illicit telemarketing, an inspection was carried out at Wind Tre on 10 and 11 October 2022. During these investigations, the Company described the measures adopted to implement telemarketing campaigns, noting that the current operating methods would soon be replaced by more stringent procedures with the aim of obtaining total control of the supply chain and avoiding the implementation of promotional activities that were not permitted and unknown to the data controller.
The activity made it possible to verify, by directly accessing the systems, the functioning of the procedures in place starting from specific contracts activated in the previous month, for which documentation of the lawfulness of the related contacts was requested; furthermore, some numbers reported to the Guarantor were verified; in particular, during the inspection, the Authority officials delivered to Wind Tre all the reports received in the period October 2021 - September 2022, asking the data controller to provide observations in this regard. Some checks were carried out on site on a small sample of these reports.
Some elements were acquired directly during the inspection days while for other aspects the Company reserved the right to produce subsequent additions (presented with note no. 845.22 of 4 November 2022). Subsequently, the information was updated and integrated due to the progressive implementation of the planned improvement measures or in response to requests for information from the Office. In particular, with note prot. 55088 of 31 March 2023, the Office asked Wind Tre to provide a list of purchase proposals from its sales network that led to the activation of electronic communication services in the period from 6 March 2023 to 13 March 2023 inclusive, divided between "consumer" and "business" detailing some specific elements; at the same time, the Company was asked to provide some clarifications regarding what was acquired during the inspection and the subsequent integration of the reserves.
From this overall investigation, some profiles emerged that the Office deemed potentially configurable as illicit processing of personal data. The profiles found and the outcome of the assessments carried out after the defensive phase are summarized below, referring for details to the act of initiation of the proceeding of 25 November 2023, prot. no. 158162, as well as to the defensive brief presented by Wind Tre on 12 January 2024 and to the hearing minutes of the party of 5 September 2024 which are considered to be fully recalled here.
1.1 Use of numbers not registered in the ROC (Register of Communication Operators)
During the inspection (see minutes of 10 October 2022) Wind Tre declared that the partners, before being contracted, are subjected to a pre-qualification procedure and, subsequently on an annual basis, are monitored with a self-assessment questionnaire and any audits. Subsequently, the Company, at the specific request of the Office, described the methods of acquisition and verification of the numbers used by partners to make promotional calls (see annex 2, letter h of the note of 5 May 2023):
- telesellers must communicate in advance the numbers used and Wind Tre will verify them at the ROC; the number is then acquired in the CM (Campaign Management) system with autonomous entry by the partner;
- the points of sale upload the outgoing numbers together with a document certifying registration with the ROC; subsequently the system "performs a check directly with the ROC blocking the upload for numbers that do not comply with the checks".
In the same note of 5 May, the Company provided feedback to the Office's request to produce the list of purchase proposals from its sales network that led to the activation of electronic communication services in the period from 6 March 2023 to 13 March 2023 inclusive. The Office verified the data reported in the consumer customer file, noting that many of the calling numbers were not present in the ROC by querying the search system available at the link https://www.agcom.it/numerazionicallcenter. Therefore, with note prot. 92564 of 13 June 2023, the Office requested to "produce the documentation certifying registration in the ROC (with indication of the registered numbers with respective dates)" for 19 specific partners.
The Company provided a response with note no. 544.23 of 27 June 2023, attaching "the documentation certified by the ROC, produced by the partners". From an examination of this documentation, many of the numbers used by the partners were registered in the ROC on dates subsequent to those on which the promotional calls that led to the activation of the contracts were made.
In the defense phase, however, the Company clarified that the documentation produced only contained the latest registration present in the ROC since the consultation of said register does not show the history of previous registrations but only the latest update. Therefore, it proceeded to attach, for each of the partners in question, the documentation certifying the original registration, which occurred prior to the telephone contacts.
The clarifications and documentation produced in the defense phase allow us to overcome the objections raised in the act of initiation of the proceeding. Therefore, for this profile, no violations are found.
1.2 Ability to prove the consent of the interested parties for promotional purposes and validity of the registered consents
During the inspection (see minutes of 11 October 2022), a list of contracts activated by the partners in September 2022 was examined starting from cold lists; finding that 15 of these contracts were activated on numbers other than those envisaged for the promotional campaign, clarifications were requested. The Company provided feedback with the note of integration of the reserves of 4 November 2022 (in the document called “Annex G”) indicating, for each of the 15 numbers, the partner who had made the call, the date of the last contact and the calling number; for each number it also attached IP timestamps to document the consent.
In order to ascertain the lawfulness of the processing connected to the acquisition of such data by the partners, the Office requested to provide "also the legends relating to the timestamps, to interpret the consent fields reported in the tables, as well as the respective formulas for requesting consent and the information provided to the interested parties at the time of collection of said consents". The Company provided feedback on 5 May 2023, reporting, for each number contacted, the legend of the relative timestamp without, however, attaching a copy of the formulas for requesting consent and the information provided to the interested parties at the time of collection; the Company was therefore asked to integrate this information, which was finally transmitted with a note dated 27 June 2023.
The examination of the aforementioned Annex G revealed the following:
1.2.1 evidence of partner XX
Points 1 to 5 of Annex G showed that partner XX had activated contracts by telephone contacting 5 numbers extracted from a list created by XX S.r.l. with registered office in Moldova through the website www.listeprofilate.com. On 22 February 2024, the Office verified the website www.listeprofilate.com and the related privacy policy, finding that the data controller, XX S.r.l., had not appointed a representative in the EU as required by art. 27 of the Regulation; this verification was carried out by accessing the website www.listeprofilate.com both in the version published online on 22 February 2024, and in the version that was present on www.webarchive.org on previous dates (29 January 2022 and 9 June 2023).
Furthermore, the information indicated the retention periods of 24 months for promotional purposes and 12 months for profiling, but the timestamp in point 1 of Annex G reported an “expire” date of 3 years after collection. The data, acquired between July and December 2020, were in fact used to activate contracts in September 2022.
Having identified these critical issues, the Office, with a note dated 31 March 2023, requested to "describe the checks carried out on partner XX both during the accreditation phase and at the time of authorization of the lists used for the promotional campaign that led to the activation of the contracts relating to the [5] numbers". The Company responded on 5 May 2023 (see attachment 2 to note no. 379.23, point e) declaring that it had acquired documentation from the partner before authorizing the use of the cold list. The Office therefore, with a note dated 13 June 2023, asked Wind Tre to exhibit the documentation relating to these checks.
With a note dated 27 June 2023 (see attachment 7 to note no. 544.23), the Company produced information which, however, related to the Company XX SAS with headquarters in Aix-en-Provence (France), contractual documentation relating to agreements with XX S.r.l.s. and evidence of consent collection relating to websites other than www.listeprofilate.com (documentation which therefore had no relevance to the list acquired by XX S.r.l.). The Office therefore contested Wind Tre, with the act initiating the procedure, that the consents of the interested parties were not adequately proven and that the critical issues identified on the data collection site would have been easily verifiable also by Wind Tre during the preliminary accreditation of the partner.
In the defense phase, the Company, with regard to the use of numbers after 24 months from collection, declared that the partner XX would have provided proof of the "renewal of consents for the indicated numbers" and attached in this regard the new timestamps of the partner from which the dates of issue of consents between 13 December 2021 and 28 November 2022 result.
Instead, with regard to the contested unsuitability of the partner due to the lack of a representative in Europe, the Company transmitted the privacy information of the website www.listeprofilate.com provided by the partner in which the representative in Europe is indicated. However, this information does not report any date and is therefore not suitable to prove that this requirement was present at the time of accreditation of the partner by Wind Tre, also taking into account the fact that the official checks had in any case found this deficiency.
For these reasons, the objections raised against the Company in the act of initiation of the proceeding cannot be overcome and the violation of articles 5, par. 2, 24 and 28 of the Regulation due to the inability of the owner to comply with the obligation to demonstrate compliance with the rules (accountability) and for the inadequate control over the person responsible for the processing aimed at carrying out promotional campaigns. Furthermore, in consideration of the fact that the consents thus collected by the partner could not be considered lawful, the violation of articles 6, par. 1 and 7 of the Regulation, as well as art. 130 of the Code, is also confirmed.
1.2.2 evidence of XX partners
Points 6 to 8 of the aforementioned Annex G reported three numbers used by XX S.r.l. for the activation of contracts and the list formed from the site https://... was indicated as the source of the data; for one of these numbers, consent was acquired on 04/16/2020; according to what is indicated in the information, the data should have been stored for 24 months but the numbering had been contacted by the partner on 09/30/2022.
Also in this case, the Office asked Wind Tre to "describe the checks carried out on the partner XX Srl at the time of authorization of the lists used for the promotional campaign that led to the activation of the contracts relating to the numbers: XX, XX, XX".
The Company responded on 5 May 2023 (see attachment 2 to note no. 379.23, point f) declaring that it had acquired documentation from the partner before authorizing the use of the cold list. At the request of the Office, with a note dated 27 June 2023 (see attachment 8 to note no. 544.23) the Company produced the privacy information of XX S.r.l. and the images relating to the consent collection screens used on the web.
In the defense phase, the Company stated that the privacy policy of XX authorized by Wind Tre in 2020 was different from the one currently published and indicated that the consent was valid until revoked by the user. Also in this case, it is highlighted that the Company was not able to provide immediate evidence of the processing carried out: in fact, several discussions were necessary to obtain the documents but only in the defense phase was the information presented to the user at the time of data collection produced. Moreover, such a generic formulation of the data retention times cannot be considered adequate because the consent for marketing purposes is, yes, valid until revoked but still within the retention time limits established by the owner and made known through the information.
For these reasons, the objections raised against the Company in the act of initiation of the proceeding cannot be overcome and the violation of articles 5, par. 2, and 24 of the Regulation due to the inability of the owner to comply with the obligation to demonstrate compliance with the rules (accountability) and for the inadequacy of the checks carried out before acquiring the list of the partner, taking into account that the unlawfulness relating to the data retention period was easily detectable by the owner. Furthermore, considering the fact that the consents thus collected by the partner could not be considered lawful, the violation of articles 6, par. 1 and 7 of the Regulation, as well as art. 130 of the Code, is also confirmed.
1.2.3 evidence of partner XX
Partner XX was found to have used data acquired through the website www.vincosubito.it for which XX srl was the owner. The information present on that website did not indicate the data retention period for promotional purposes; in fact, it stated that "Your personal data will be retained for a period of time not exceeding the purposes for which they were collected. We may retain your data for up to 10 (ten) years, or for the longest applicable limitation period, to demonstrate that we have obtained your consent, unless it is essential to retain such data for a longer period and in compliance with the applicable legislation. In any case, we will not process your data for marketing purposes for the entire period. You can exercise your rights indicated below at any time”.
In defense, Wind Tre stated that the partner confirmed the retention times described in the information and added that in any case the Company used them for a period not exceeding 24 months. Also in this case, it must be noted the inadequacy of the wording which, by not allowing the interested party to have correct information, determines the invalidity of the consent given by the latter.
For these reasons, the objections raised against the Company in the act of initiation of the proceeding cannot be overcome and the violation of articles 5, par. 2, and 24 of the Regulation due to the inability of the owner to comply with the obligation to demonstrate compliance with the rules (accountability) and for the inadequacy of the checks carried out before acquiring the partner's list, taking into account that the unlawfulness relating to the data retention period could easily be detected by the owner. In consideration of the fact that the consents thus collected by the partner could not be considered lawful, the violation of Articles 6, paragraph 1 and 7 of the Regulation, as well as Article 130 of the Code, is also confirmed.
1.2.4 numbering without confirmation
Among the numbers subject to verification, Wind Tre was asked to document the consent also for the number XX; however, this user was not reported in the aforementioned Annex G and therefore Wind Tre was accused of not having documented the existence of a prior consent to make the call.
In defense, the Company stated that it had omitted the information due to a mere material error and produced a statement from partner XX S.r.l. containing the timestamp of the consent given by the user. In this document, there is a "third party consent" item with two boxes set to "yes" but, since it lacks the relative legend, there is no certainty about the meaning of this documentary source nor was any useful documentation provided for this purpose.
For these reasons, despite the late feedback provided, the objections raised against the Company in the act of initiation of the proceeding are not entirely surmountable and the violation of articles 5, par. 2, and 24 of the Regulation is confirmed due to the inability of the owner to comply with the obligation to demonstrate compliance with the rules (accountability). Furthermore, taking into account that the document produced shows that the data was acquired through the portal www.vincosubito.it, referring to what is described in the previous point, the violation of articles 6, par. 1 and 7 of the Regulation, as well as art. 130 of the Code, is also confirmed.
1.2.5 Validity of IP timestamps
In the initiation of the proceeding, the Company was challenged that the documents proving consent, included in Annex G, contained IP timestamps that presumably attested to the registration dates on the respective sites from which the data had been collected but did not necessarily also document the date of issue of the individual consents (which were in any case differentiated by purpose).
In fact, if the granting of consent can be contextual to registration on a website, it is always possible that such consent may subsequently be revoked or that a consent not granted at the time of registration may be modified at a later date; this circumstance occurred in the case, described above, of partner XX, for which the Company declared that the consents had been used beyond the 24-month deadline because they had been "renewed" by the partner. There was no trace of such possible changes in the date of consent in the documents produced, nor could it have been otherwise since there were no fields capable of distinguishing the date of individual consents from the date of registration to the service or website (the fields only report a YES/NO value).
Therefore, these documents attested, at most, the date of data collection but were not suitable for demonstrating with certainty the date of individual consents. Moreover, as seen in relation to the evidence produced by partner XX, the user's consent had been renewed at a time subsequent to that documented with registration and no record of this circumstance had been kept. It should be noted, however, that if the date of issue of consent cannot be ascertained, it is not even possible to document that it was present at the time of promotional contact since the documentation produced appears to be only a static photograph of what was present in the systems at the time of extraction.
In this regard, the Company, in its defense, limited itself to declaring that "all partners have confirmed that the date in the Time Stamp is the same as the date of entry of data into the site by the user who gave consent to commercial contact. In fact, for these types of hot leads, no prior registration to any site or portal is required".
However, this statement seems to be probably the result of a misunderstanding since the numbers under examination - referring exclusively to those given in the aforementioned Annex G and in subsequent discussions - were all extracted from cold lists as declared by Wind Tre itself and as is evident from the documentation produced: the sites from which the data were collected are sites that require - at least apparently - registration to obtain a service or to participate in competitions and the date of collection of personal data (which, as mentioned, was sometimes even more than 24 months) is not compatible with the 72-hour deadline imposed by Wind Tre for making calls to so-called "lead" numbers.
However, it must be taken into account that, according to what was declared by Wind Tre, as of December 1, 2022 - only for consumer customers - the Company has suspended the purchase of prospect lists (cold lists) by suppliers (purchased independently or from third parties as list providers); consequently, to date, the Company carries out promotional campaigns only on the customer base (customers and former customers) or on lead lists (hot lists), i.e. generated by interactions on the web and on social media to collect contacts of subjects interested in the Company's products and services. In the latter case, the contact must take place within 72 hours of the user's expression of interest and the collection of a lead contact is followed by an SMS to the user to ascertain their awareness.
For these reasons, the objections raised against the Company in the act of initiation of the proceeding cannot be overcome and - for the conduct described - the violation of articles 5, par. 2, and 24 of the Regulation due to the inability of the owner to comply with the obligation to demonstrate compliance with the rules (accountability) and due to the inadequacy of the checks carried out before acquiring the list of the partner, taking into account that the unlawfulness relating to the documentation of the consent could easily be detected by the owner. Furthermore, in consideration of the fact that the consents thus collected could not be considered lawful, the violation of articles 6, par. 1 and 7 of the Regulation, as well as art. 130 of the Code, is also confirmed.
1.3 Promotional communications made in the absence of consent
During the on-site activity, some numbers of subjects who had submitted reports to the Guarantor were verified, the results of which are reported in the minutes of 11 October 2022. On some positions, the Company provided clarifications during the investigation. In one case (file 133372 - reporting party XX), the defense arguments were not sufficient to overcome the objections raised. In fact, the contact to the reporting party was found to be present in the system, having been made by partner XX with subsequent blacklisting of the number; Wind Tre was therefore asked to document the preliminary checks carried out on this partner, providing evidence of the original consent of the interested party.
With a note dated November 4, 2022, Wind Tre communicated that in its systems all consents relating to the interested user were denied since the activation date; the number had been used by partner XX using its own lists acquired, in turn, from supplier XX; at the same time, Wind Tre produced a response email sent to the reporting party on March 22, 2022, in which it declared that the user "does not appear to have been included in any Wind Tre commercial campaign, but passed through the lists of partner XX by virtue of the consent given" adding that it had "revoked the consent".
With regard to this case, it should be noted that the consents were denied since the activation of the user account and Mrs. XX had also exercised opposition to Wind Tre via registered letter dated March 2, 2018 (relating to another user account but also generically extended to all her active Wind Tre numbers). Therefore, the interested party had never given any consent and, indeed, had written in 2018 to complain about unwanted contacts. The Company, as mentioned, declared that the contact would have been made by the partner XX on the basis of a consent given to the supplier XX. However, it should be remembered that the consent given to a partner, even if it acts as a data controller, cannot overcome the denial expressly expressed towards the client, the data controller. In this case, Mrs. XX had denied all optional consents since the activation of the mobile phone account and had even complained about receiving unwanted contacts; in this context, it is clear that she wishes, and expects, not to be contacted on behalf of Wind Tre regardless of whether the interested party subsequently gave her consent to a third party. This is because the specific refusal expressed towards the data controller prevails over the general consent given to the third party and therefore it is the responsibility of the data controller, once the list has been received, to verify that it does not contain data of subjects who have expressed the desire not to be contacted on behalf of Wind Tre. If this were not the case, it would be very easy to circumvent any refusal by the interested parties and it would be impossible for the latter to assert their right not to receive unwanted contacts. 
For these reasons, the objections raised against the Company in the act of initiation of the proceeding cannot be overcome and the violation of Articles 5, paragraph 1, letter a), 6, paragraph 1 and 7 of the Regulation, as well as Article 130 of the Code is confirmed since the processing of the complainant's data for promotional purposes was carried out in the absence of consent.
1.4 Calls made to numbers not authorized by Wind Tre
During the investigation, Wind Tre was asked to produce the list of purchase proposals, coming from its sales network. In response to this request, the Company produced two files: "XX" for the consumer market and "XX" for the business sector. The files relating to the lists authorized by Wind Tre (see attachment 4 of the note of June 13, 2023) showed 653,799 authorized numbers. The XX file showed 3,402 numbers called. From the comparison between the numbers called and the authorized numbers, it resulted that, of the 3,402 numbers called, only 1,257 were also present among the authorized numbers; consequently, 2,145 numbers were called that were not authorized by Wind Tre. This would have occurred despite the Company's assurances regarding the aforementioned impossibility of activating contracts without going through the CM system (therefore without using previously authorized lists).
Furthermore, with note prot. 107208 of 12 July 2023, the Office requested the Ugo Bordoni Foundation (FUB) to compare the numbers called, extracted from the XX file, with the registrations in the RPO made up to 31/01/2023. In the file returned by the FUB, it was found that 344 numbers out of 3402 numbers called were registered in the RPO. Of these 344 numbers registered in the RPO, only 121 were also present in the list of numbers authorised by Wind Tre.
In this regard, in the defense brief, the Company clarified that "the authorized numbers represent only a part of the campaigns carried out and the partners involved between February/March 2023 while the 3402 XX contracts represent the entire Wind Tre production of the week under analysis"; this is possible because the Company carries out many of the promotional campaigns towards its customer base using its own lists that do not require authorization or control in the Opposition Register. Based on the justifications provided, this profile can be considered archived.
1.5 Guarantee measures adopted by Wind Tre
During the inspection and with numerous subsequent communications also sent spontaneously, the Company provided updates regarding the organizational and technical changes implemented to limit unwanted contacts. In particular, Wind Tre communicated the following:
- telemarketing activities are centralized through the system called Campaign Management (CM), already described during the investigation that led to the provision adopted by the Guarantor on 9 July 2020 against Wind Tre; through this system, the Company tracks the calls made by partners and their outcome; the integration of the partners' CRM (Customer Relationship Management) systems via API has been planned, in order to eliminate the autonomous entry operations by partners and avoid sending lists to partners by Wind Tre (procedure available for all partners from 31 December 2022, as confirmed with note no.
217.23 of 8 March 2023);
- in the event of revocation of the consent expressed during a call, the system allows the operator to record the interested party's will and to report the same information in the black list;
- training activities on the processing of personal data were organized for employees and subsequently extended to partners;
- a page on the company website was dedicated to informing users about nuisance calls with the possibility of submitting reports directly to Wind Tre (which carried out subsequent checks);
- the Company participated in the Agcom working group to combat CLI (Calling Line Identification) spoofing and made the “Please don’t call” app available to its customers to filter nuisance calls. Furthermore, since the end of March 2023, the Company has activated the blocking of international calls with CLI not compliant with the ITU-T E.164 recommendations for its customers, in order to protect them from CLI spoofing activities; in this regard, the Company has specified, by way of example, that since then it has blocked approximately half a billion calls per month sent by foreign carriers that use altered numbers.
- the Company, highlighting a significant economic investment, has created a system for the control of the supply chain, called "from contact to contract" consisting of a series of automatic checks aimed at verifying compliance with the rules of remote contact in order to reconstruct the consent-contact-contract chain; the Company added that it has launched a study project to ensure tracking with blockchain technology;
- the Company has described the partner accreditation procedure consisting of the administration of a detailed questionnaire and a declaration of commitment to comply with the rules imposed by Wind Tre; a sample check is planned on said questionnaires with requests for further information if necessary; furthermore, the Company carries out audit activities on partners with both remote and in-person checks;
- at the time of the inspection, the Company had declared that it would carry out a check call on a sample of activated contracts (see minutes of 11 October 2022); subsequently (see note 16.23 of 16/01/2023) Wind Tre communicated that this quality check is carried out on 100% of activated contracts; it was also planned to include "decoy numbers" in the lists entrusted to partners;
- following the suspension of the use of third-party cold lists for the consumer branch, the Company has enhanced the use of lead contacts by ensuring the user's will through a double opt-in mechanism.
PROCEDURE 173400
With the initiation of the proceeding prot. no. 25394 of 29 February 2024, Wind Tre was charged with violating art. 6, par. 1, letter a) of the Regulation and art. 130, paragraph 2 of the Code for sending an unwanted promotional SMS. In particular, the complainant had complained, on 18 October 2021, of receiving an unwanted text message.
During the investigation, the Company had clarified that the sending, which had only concerned the complainant, had occurred following a technical anomaly due to the fact that the user assigned to the complainant had been dismissed by a previous holder without disabling the consents given by the latter. Subsequently, on 9 October 2023, the same complainant complained of receiving a new text message, despite the assurances provided by Wind Tre regarding the reception in a special black list of the desire not to be contacted. On that occasion, the Company declared that the sending had occurred due to human error. Only in the defensive phase, Wind Tre better described the circumstances that would have determined the human error, clarifying that the sample of recipients had been formed by extracting from the database a series of segmentations to which precise requirements were attributed: among these, the presence of consent to receive promotional messages. Unfortunately, the operator, in carrying out the subsequent steps, linked these requirements to only one of the provinces involved in the campaign, thus mistakenly including customers who did not consent for all the other provinces. However, the Company added that this campaign creation platform was subsequently replaced by a new system that will automatically exclude all users without consent, avoiding the repetition of similar errors. Furthermore, immediately and in order to remedy the error, the Company proceeded to inform the customers affected by the event and, until the new platform was implemented, carried out random checks to verify the consents resulting in the company CRM. In light of the new clarifications provided - taking into account the measures adopted to avoid the repetition of similar events - it is believed that the dispute can be archived due to the fact that the event was caused by an unforeseeable error of the person in charge without harmful consequences for the interested party. 
PROCEDURE 262138
With the act of initiation of the proceeding prot. no. 158163 of 25 November 2023, Wind Tre was charged with the violation of articles 5, par. 1, letter f), 32 and 33 of the Regulation for the adoption of inadequate technical measures that would have led to a data violation not notified to the Guarantor. In particular, with a complaint of 27 April 2023, a Wind Tre customer declared that he had viewed the data of another customer when accessing his personal area.
In this regard, the Company stated that access to the other customer's data was caused by an incorrect entry of the customer code during registration. This would have generated an incorrect data match, also due to the fact that the other user was not registered in the customer area; the improper access, in particular, had occurred as a result of a recent change made by the Company to the login function with the elimination of the tax code from the list of credentials required for access so that, "by removing the tax code, a check was also removed that verified that the tax code corresponded to the personal data retrieved from the CRM (Customer Relationship Management) associated with the indicated customer code. This removal was carried out to simplify customer access by avoiding the entry of data not necessary for authentication".
In particular, once the obligation to enter the tax code was eliminated, only the verification of the correspondence between CLI and customer code was carried out, referring to the personal data retrieved from CRM; however, in the case of CLI belonging to a customer not registered in the reserved area, this last check was not carried out. Therefore, in the case in question, when, during the registration phase for the customer area, the complainant entered an incorrect customer code, this value, although associated with another subject not registered on the portal, generated the incorrect association between the portal user and the personal data in the CRM.
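The registration flaw described above can be modelled in a few lines, next to a flow that checks the CLI against the customer code in every case. This is an added illustration, not Wind Tre's code and not part of the decision: the class and function names, the sample CRM rows, and the reading that the CLI/customer-code check was skipped whenever the holder of the entered customer code had no portal account are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CrmRecord:
    customer_code: str
    tax_code: str
    holder: str
    clis: frozenset  # phone numbers (CLI) on the contract


# Constructed CRM rows: two customers whose 9-digit codes differ by one digit.
CRM = {
    r.customer_code: r
    for r in (
        CrmRecord("100200300", "TAX-AAA", "Customer A", frozenset({"+393330000001"})),
        CrmRecord("100200301", "TAX-BBB", "Customer B", frozenset({"+393330000002"})),
    )
}


class RegistrationRejected(Exception):
    """The supplied identifiers do not describe one and the same customer."""


class Portal:
    def __init__(self, crm):
        self.crm = crm
        self.accounts = {}  # CLI used to log in -> customer code bound at registration

    def _record(self, customer_code):
        try:
            return self.crm[customer_code]
        except KeyError:
            raise RegistrationRejected("unknown customer code") from None

    def _holder_has_account(self, customer_code):
        return customer_code in self.accounts.values()

    def register_with_tax_code(self, cli, customer_code, tax_code):
        """Original flow: the tax code had to match the CRM record for the code."""
        record = self._record(customer_code)
        if tax_code != record.tax_code:
            raise RegistrationRejected("tax code does not match customer code")
        self.accounts[cli] = customer_code

    def register_simplified(self, cli, customer_code):
        """Flow after the tax code was dropped (assumed reading of the decision):
        the CLI check only runs if the code's holder already has a portal account."""
        record = self._record(customer_code)
        if self._holder_has_account(customer_code) and cli not in record.clis:
            raise RegistrationRejected("CLI does not belong to customer code")
        self.accounts[cli] = customer_code

    def register_hardened(self, cli, customer_code):
        """Corrected flow: the CLI must belong to the customer code in every case."""
        record = self._record(customer_code)
        if cli not in record.clis:
            raise RegistrationRejected("CLI does not belong to customer code")
        self.accounts[cli] = customer_code

    def personal_area(self, cli):
        """CRM data shown to the user logged in with this CLI."""
        return self.crm[self.accounts[cli]]


def typo_scenario(flow, holder_registered=False):
    """Customer A registers with their own CLI but mistypes the last digit of the code.

    Returns the holder whose data A ends up seeing, or None if registration is refused.
    """
    portal = Portal(CRM)
    if holder_registered:  # Customer B already has a portal account
        portal.register_hardened("+393330000002", "100200301")
    own_cli, own_tax, mistyped_code = "+393330000001", "TAX-AAA", "100200301"
    try:
        if flow == "with_tax_code":
            portal.register_with_tax_code(own_cli, mistyped_code, own_tax)
        elif flow == "simplified":
            portal.register_simplified(own_cli, mistyped_code)
        elif flow == "hardened":
            portal.register_hardened(own_cli, mistyped_code)
        else:
            raise ValueError(flow)
    except RegistrationRejected:
        return None
    return portal.personal_area(own_cli).holder


if __name__ == "__main__":
    for flow in ("with_tax_code", "simplified", "hardened"):
        print(f"{flow:>14}: {typo_scenario(flow)}")
```

Running `typo_scenario` for each flow makes a usable regression test when a credential field is removed: the mistyped code must be refused whether or not the other customer has a portal account.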
Following this event, which according to the Company would have been an isolated case, Wind Tre set up security controls by verifying the correspondence between the CLI and the customer code, with respect to the personal data present in the CRM, even in the case of users not registered in the personal area. Overall, it is observed that the conduct described - consisting in the removal of security controls at access without adequate verification of the consequences - led to unauthorized access to the data of an unaware customer. Therefore, since the technical measures adopted by Wind Tre at the time of the event must be considered inadequate, the violation of Articles 5, paragraph 1, letter f) and 32 of the regulation is deemed to have been integrated.
With regard to the contested failure to notify the Guarantor of the violation of personal data, the Company stated that, in addition to having promptly corrected the anomaly, it initiated a dialogue with the complainant, informing him of what had happened and asking him to destroy copies, if any, in his possession of data of the third party to which he had accidentally had access. Having done so, the Company, not perceiving serious prejudice to the interested party, deemed it unnecessary to notify the Guarantor. In this regard, it is noted that art. 33 of the Regulation provides that notification to the Guarantor must be made if a personal data breach occurs, unless it is unlikely that such a breach presents a risk to the rights and freedoms of natural persons. The seriousness of the damage, however, is relevant only in the case in which it is necessary to evaluate whether to also communicate the event to the interested party. (1) In this case, therefore, at least notification to the Authority would have been necessary and therefore the violation of art. 33 of the Regulation is also confirmed.
2. CONCLUSIONS
At the end of the complex investigation activity, described above, and taking into account the arguments added in the defense phase, some potential profiles of violation, punctually described in the previous paragraphs, were archived while for other conducts, recalled below, the violations contested in the act of initiation of the proceeding were considered confirmed. This refers, in particular, to the ability to prove possession of suitable consents for making promotional calls to recipients extracted from the so-called "cold lists" of partners as well as to the use of Mrs. XX's data for promotional purposes in the absence of suitable consent (file 178557). Similarly, the violations contested with the act of initiation of the proceeding prot. no. 158163 of 25 November 2023, relating to file 262138, are confirmed for the inadequacy of the security measures adopted at the time of the event described and for the failure to notify the Guarantor of the violation of personal data.
For the above reasons, Wind Tre's liability is therefore deemed to be ascertained in relation to the following violations:
a) artt. 5, par. 2, 24 and 28 for the inability of the owner to comply with the obligation to demonstrate compliance with the rules (accountability) and for the inadequate control over the data controllers for the processing aimed at carrying out promotional campaigns;
b) art. 5, par. 1, letter a), 6, par. 1 and 7 of the Regulation as well as art. 130 of the Code because the processing for promotional purposes, carried out in the context of the violations described regarding the lawfulness of consent, were found to lack an appropriate legal basis;
c) art. 5, par. 1, letter f) and 32 of the Regulation for the inadequacy of the technical measures adopted, at the time of the reported event, to enable access to the users' personal area;
d) art. 33 of the Regulation for the failure to notify the Guarantor of the violation of personal data.
However, it is useful to make some considerations regarding the conduct of the owner and the corrective measures adopted even before the initiation of the proceedings. First of all, it is necessary to acknowledge the significant activity carried out by Wind Tre aimed at bringing to light and combating the phenomenon of unwanted telemarketing, together with the equally necessary considerations relating to the fruitful dialogue and collaboration that the Company has undertaken for a long time with the Authority. From the results of the initiating proceedings, in fact, it emerges that the Company has implemented interventions and procedures suitable for creating a framework of significant increase in guarantees for the interested parties compared to that which emerged following provision no. 143 of 9 July 2020. With regard to the carrying out of promotional activities, in fact, the Company has acknowledged that it has changed its operating methods, especially with regard to the processing of personal data of consumer customers, interrupting the use of cold lists from 1 December 2022. The Company has also implemented significant changes to its systems to optimize the control of the supply chain of managers who operate in telemarketing and teleselling activities by independently implementing the measures provided for by the relevant code of conduct before the actual entry into force of the same. Also relevant and worthy of attention are the solutions to combat CLI spoofing spontaneously adopted for its customers through the Please don't call app and the blocking of international calls with CLI not compliant with the ITU-T E.164 recommendations. Measures that the legislator(2) has only recently imposed in a generalized manner, delegating the Communications Guarantee Authority the task of introducing the relevant technical measures. 
These important interventions, many of which also required significant investments or involved the assumption, in a completely autonomous manner, of a burden not yet imposed on the generality of other competitors, must be carefully considered in the overall assessment of the conduct, while also taking into account that the contested promotional activities carried out on the basis of consents not lawfully collected, as well as in parallel the measures adopted at the time for the control of the supply chain, date back to the end of 2022. With regard to the violations that emerged from proceeding 262138, it is noted that the modification made by the Company for the purposes of simplifying the user experience was implemented without due diligence; this is because the insertion, during registration by the customer, of a 9-digit code, without other checks by the owner, can lead to events of the type reported, as it is possible, as occurred in this case, to a typing error. The Company has however acknowledged that it intervened promptly to introduce corrective measures aimed at avoiding the repetition of similar events. Furthermore, it is necessary to take into account what was declared by Wind Tre, aware of the criminal consequences for false declarations, regarding the singularity of the event that would have occurred only thanks to the concomitance of the typing error by the complainant and the absence of a previous registration in the personal area by the account holder. 
Therefore, having ascertained the unlawfulness of Wind Tre's conduct with reference to the treatments under examination, taking into account that all the violations ascertained have already been remedied during the present investigation, the conditions for the adoption of corrective measures against the account holder are not found; with regard to the violations that have occurred, it is instead necessary to adopt an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Wind Tre of the administrative pecuniary sanction provided for by art. 58, paragraph 2, letter i) and 83 of the Regulation.
In accordance with the provisions of art. 154-bis, paragraph 3 of the Code, this provision is published on the Authority's website (see also art. 37 of the internal regulation of the Guarantor no. 1/2019). Finally, it is noted that the conditions set out in art. 17 of the Regulation of the Guarantor no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, paragraph 1, letter u) of the Regulation, are met.
3. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION
Based on the above, various provisions of the Regulation and the Code have been violated in relation to connected processing carried out by Wind Tre, for which reason art. 83, paragraph 3, of the Regulation, according to which, if, in relation to the same processing or to connected processing, a data controller violates, with intent or negligence, several provisions of the Regulation, the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation with consequent application of only the sanction provided for by art. 83, par. 5, of the Regulation.
For the purposes of quantifying the administrative sanction, the aforementioned art. 83, par. 5, in setting the maximum amount set by law in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the preceding financial year if higher, specifies the methods of quantifying the aforementioned sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1, of the Regulation), identifying, for this purpose, a series of elements, listed in par. 2, to be assessed when quantifying the relative amount.
In compliance with this provision, on the basis of the information found in the latest balance sheet (recorded on 31 December 2023), using the second hypothesis provided for by the aforementioned art. 83, par. 5 and therefore quantified at € 173,760,000 as the maximum applicable fine, the following aggravating circumstances must be considered:
1. the negligent nature of the violations, since the conduct was carried out in the absence of the diligence that would be commonly expected from a data controller who processes data on a large scale and with regard to issues, such as the selection of list providers, on which the Guarantor has clearly expressed itself several times; negligent conduct was also observed with regard to the changes made to the registration system for the personal area without adequately assessing the potential risks (art. 83, par. 2, letter b), of the Regulation);
As mitigating factors, it is believed that the following can be taken into account:
2. the low level of damage suffered by the data subjects (Article 83, paragraph 2, letter a), of the Regulation);
3. the measures adopted by the data controller that led to a radical change in the operating methods adopted at the time of the violations (Article 83, paragraph 2, letter c), of the Regulation);
4. the degree of cooperation with the Supervisory Authority that led, in relation to procedure 262138, to promptly put an end to the violation and, in the case of processing for promotional purposes, to maintaining constant discussions with the Authority for the definition of best application practices, in addition to the assiduous participation of Wind Tre in the working group that led to the presentation of the Code of Conduct on telemarketing and teleselling (Article 83, paragraph 2, letter f), of the Regulation);
5. of the categories of data affected by the violations, since they are common data (art. 83, par. 2, letter g), of the Regulation).
In an overall balance between the rights of the interested parties and the freedom of enterprise, it is necessary to prudently evaluate the aforementioned criteria, also in order to limit the economic impact of the sanction. Therefore, it is believed that - based on the set of elements indicated above - the administrative sanction of payment of a sum of €347,520.00 (three hundred and forty-seven thousand five hundred and twenty/00) should be applied to Wind Tre, equal to 0.2% of the maximum statutory sanction identified with reference to the provisions of art. 83, paragraph 5, of the Regulation, taking into account that 4% of Wind Tre's turnover, based on the data reported in the latest financial statement, is greater than 20 million euros.
In this context, it is also believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the internal regulation of the Guarantor n. 1/2019, this chapter containing the injunction order must be published on the website of the Guarantor.
This is in consideration of the elements of risk for the rights and freedoms of the interested parties deriving from the use of lists formed by third parties without a preliminary accurate verification of the lawfulness of the consents given, taking into account that the Company has stopped using cold lists only from 1 December 2022 for the consumer market.
GIVEN ALL THE ABOVE, THE GUARANTOR
pursuant to art. 57, par. 1, letter a and letter f), of the Regulation, declares the processing described in the terms of the motivation carried out by Wind Tre S.p.A., with registered office in Milan, via Monte Rosa n. 91, tax code 02517580920, to be unlawful; consequently
ORDERS
pursuant to art. 58, par. 2, letter i), of the Regulation, to Wind Tre S.p.A., in the person of its legal representative, to pay the sum of Euro 347,520.00 (three hundred and forty-seven thousand five hundred and twenty/00) as an administrative pecuniary sanction for the violations indicated in the reasons; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed.
ORDERS
the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 347,520.00 (three hundred and forty-seven thousand five hundred and twenty/00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law No. 689/1981;
ORDERS
a) pursuant to Articles 154-bis of the Code and 37 of the Internal Regulations of the Guarantor No. 1/2019, the publication of this provision on the Guarantor's website;
b) pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Internal Regulations of the Guarantor No.
1/2019, the publication of the injunction order on the Guarantor's website;
c) pursuant to Article 17 of the Internal Regulations of the Guarantor No. 1/2019, the annotation in the Authority's internal register, provided for by Article 57, paragraph 1, letter u) of the Regulation, of the violations and the measures adopted.
Pursuant to Article 78 of Regulation (EU) 2016/679, as well as Articles 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, an objection to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller resides, or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.
Rome, 12 December 2024
THE PRESIDENT
Stanzione
THE RAPPORTEUR
Ghiglia
THE DEPUTY SECRETARY GENERAL
Filippi
_______
1) See also the clarifications provided by the EDPB in Guidelines 9/2022 on the notification of personal data breaches under the General Data Protection Regulation, adopted on 28 March 2023.
2) Legislative Decree no. 48 of 24 March 2024, amending Legislative Decree no. 259/2003 (Electronic Communications Code) introduced, on the part of Agcom, the obligation to require telephone operators to block calls made through CLI spoofing. On this basis, in the session of 13 November 2024, Agcom launched a public consultation (Resolution no. 457/24/CONS) to introduce new rules aimed at combating fraud and wild telemarketing through measures that prevent the so-called CLI Spoofing.
SEE ALSO Newsletter of 28 February 2025
[web doc. no. 10105764]
Measure of 12 December 2024
Register of measures no. 774 of 12 December 2024
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia, members, and Dr.
Claudio Filippi, deputy secretary general;
HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);
HAVING SEEN the Personal Data Protection Code (Legislative Decree no. 196 of 30 June 2003), as amended by Legislative Decree no. 101 of 10 August 2018, containing provisions for the adaptation of national legislation to the aforementioned Regulation (hereinafter “Code”);
HAVING SEEN the documentation in the files;
HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;
REPORTER Dr. Agostino Ghiglia;
WHEREAS
With documents no. 158162 of 25 November 2023 (file no. 178557), no. 25394 of 29 February 2024 (file no. 173400) and 158163 of 25 November 2023 (file no. 262138), which must be considered fully recalled and reproduced here, the Office has initiated, pursuant to art. 166, paragraph 5 of the Code, three proceedings for the adoption of the provisions referred to in art. 58, paragraph 2 and the administrative pecuniary sanctions referred to in art. 83, paragraphs 4 and 5 of the Regulation against Wind Tre S.p.A., (hereinafter “Wind Tre” or “the Company”).
In particular, the first proceeding (file no. 178557) originates from an ex officio verification aimed at controlling the processing activities carried out for promotional purposes within the more general activities to combat wild telemarketing. The other two proceedings instead originate from two complaints relating, in one case, to the sending of promotional communications without consent (file no. 173400) and, in the other, to a violation of personal data (file no. 262138).
The three proceedings, initiated separately against the same owner, concern issues of the same nature (the processing of data for promotional purposes and the adequacy of technical and organizational measures) therefore, in order to promote their organic examination and implement the principles of economy and speed referred to in art. 9 of the internal regulation no. 1/2019 (in www.gpdp.it, web doc. no. 9107633), it was deemed appropriate to jointly handle the documents pursuant to and for the purposes of the subsequent art. 10 of the same regulation. In this case, moreover, joint handling appeared more suitable to guarantee the right of defense and the need not to aggravate the proceedings.
PROCEDURE 178557
1. THE INVESTIGATIVE ACTIVITY CARRIED OUT
The proceeding originates from an investigation initiated ex officio by the Authority within the scope of the supervisory tasks identified by art. 57, par. 1, letter a) of the Regulation, in direct connection with the results of provision no. 143 of 9 July 2020 (in www.gpdp.it, web doc. no. 9435753) with which, among other things, the Company was given prescriptions pursuant to art. 58, par. 2, letter d), of the Regulation.
In particular, as part of the investigations launched to combat the phenomenon of illicit telemarketing, an inspection was carried out at Wind Tre on 10 and 11 October 2022. During these investigations, the Company described the measures adopted for the implementation of telemarketing campaigns, pointing out that the current operating methods would soon be replaced by more stringent procedures with the aim of obtaining total control of the supply chain and avoiding the implementation of promotional activities that were not permitted and unknown to the data controller.
The inspection made it possible to verify, by direct access to the systems, how the procedures in place worked, starting from specific contracts activated in the previous month, for which the Company was asked to document the lawfulness of the related contacts; in addition, some numbers reported to the Guarantor were verified; in particular, during the inspection, the Authority officials delivered to Wind Tre all the reports received in the period October 2021 - September 2022, asking the controller to provide observations in this regard. Some checks were carried out on site on a small sample of these reports. Some elements were acquired directly during the days of verification, while for other aspects the Company reserved the right to produce subsequent additions (presented with note no. 845.22 of 4 November 2022). Subsequently, the information was updated and supplemented as the planned improvement measures were progressively implemented or in response to requests for information from the Office. In particular, with note prot. 55088 of 31 March 2023, the Office requested Wind Tre to provide a list of purchase proposals from its sales network that led to the activation of electronic communication services in the period from 6 March 2023 to 13 March 2023 inclusive, divided between "consumer" and "business" and detailing some specific elements; at the same time, the Company was asked to provide some clarifications regarding what was acquired during the inspection and in the subsequent note resolving the reservations. From this overall investigation, some issues emerged that the Office considered could amount to unlawful processing of personal data. The issues found and the outcome of the assessments carried out after the defence phase are summarized below, referring for details to the notice initiating the proceeding of 25 November 2023, prot. no. 158162, as well as to the defence brief presented by Wind Tre on 12 January 2024 and to the minutes of the party's hearing of 5 September 2024, which are considered to be fully recalled here.
1.1 Use of numbers not registered in the ROC (Register of Communication Operators)
During the inspection (see minutes of 10 October 2022) Wind Tre declared that the partners, before being contracted, are subjected to a pre-qualification procedure and, subsequently on an annual basis, are monitored with a self-assessment questionnaire and any audits. Subsequently, the Company, at the specific request of the Office, described the methods of acquisition and verification of the numbers used by the partners to make promotional calls (see annex 2, letter h of the note of 5 May 2023):
- telesellers must communicate in advance the numbers used and Wind Tre verifies them at the ROC; the number is then acquired in the CM (Campaign Management) system with autonomous insertion by the partner;
- the points of sale upload the outgoing numbers together with a document certifying registration in the ROC; subsequently the system “performs a check directly with the ROC blocking the loading for numbers that do not comply with the checks”.
In the same note dated 5 May, the Company responded to the Office’s request to produce the list of purchase proposals from its sales network that led to the activation of electronic communication services in the period from 6 March 2023 to 13 March 2023 inclusive. The Office verified the data reported in the file relating to consumer customers by querying the search system available at the link https://www.agcom.it/numerazionicallcenter, and noted that many of the calling numbers were not present in the ROC. Therefore, with note prot. 92564 of 13 June 2023, the Office requested to “produce documentation certifying registration with the ROC (with indication of the registered numbers with respective dates)” for 19 specific partners.
The Company responded with note no. 544.23 of 27 June 2023 attaching "the documentation certified by the ROC, produced by the partners". From an examination of this documentation, many of the numbers used by the partners appeared to have been registered in the ROC on dates subsequent to those on which the promotional calls that led to the activation of the contracts had been made. In the defence phase, however, the Company clarified that the documentation produced only contained the last registration present in the ROC, since the consultation of said register does not show the history of previous registrations but only the latest update. Therefore, it attached, for each of the partners in question, the documentation certifying the original registration, which occurred on a date prior to the telephone contacts. The clarifications and documentation produced in the defence phase allow the objections raised in the notice initiating the proceeding to be overcome. Therefore, on this issue, no violations are found.
1.2 Ability to prove the consent of data subjects for promotional purposes and validity of recorded consents
During the inspection (see minutes of 11 October 2022), a list of contracts activated by partners in September 2022 starting from cold lists was examined; since 15 of these contracts were found to have been activated on numbers other than those envisaged for the promotional campaign, clarifications were requested. The Company provided feedback with the note of 4 November 2022 resolving the reservations (in the document called “Annex G”) indicating, for each of the 15 numbers, the partner who had made the call, the date of the last contact and the calling number; for each number it also attached IP timestamps to document the consent.
In order to ascertain the lawfulness of the processing connected to the acquisition of such data by the partners, the Office requested to provide "also the legends relating to the timestamps, to interpret the consent fields reported in the tables, as well as the respective formulas for requesting consent and the information provided to the interested parties at the time of collection of said consents". The Company provided feedback on 5 May 2023, reporting, for each number contacted, the legend of the relative timestamp without, however, attaching a copy of the consent request wording and of the privacy notice provided to the data subjects at the time of collection; the Company was therefore asked to supplement this information, which was finally transmitted with a note dated 27 June 2023. The examination of the aforementioned Annex G revealed the following:
1.2.1 evidence of partner XX
Points 1 to 5 of Annex G showed that partner XX had activated contracts by telephoning 5 numbers extracted from a list created by XX S.r.l., with registered office in Moldova, through the website www.listeprofilate.com. On 22 February 2024, the Office verified the website www.listeprofilate.com and the related privacy policy, finding that the data controller, XX S.r.l., had not appointed a representative in the EU as required by art. 27 of the Regulation; this verification was carried out by accessing the website www.listeprofilate.com both in the version published online on 22 February 2024 and in the version that was present on www.webarchive.org on previous dates (29 January 2022 and 9 June 2023). Furthermore, the privacy notice indicated retention periods of 24 months for promotional purposes and 12 months for profiling, but the timestamp in point 1 of Annex G reported an “expire” date of 3 years after collection. The data, acquired between July and December 2020, were in fact used to activate contracts in September 2022.
Having identified these critical issues, the Office, with a note dated 31 March 2023, requested to "describe the checks carried out on partner XX both during the accreditation phase and at the time of authorization of the lists used for the promotional campaign that led to the activation of the contracts relating to the [5] numbers". The Company responded on 5 May 2023 (see attachment 2 to note no. 379.23, point e) declaring that it had acquired documentation from the partner before authorizing the use of the cold list. The Office therefore, with a note dated 13 June 2023, asked Wind Tre to produce the documentation relating to these checks. With a note dated 27 June 2023 (see attachment 7 to note no. 544.23), the Company produced a privacy notice which, however, related to the company XX SAS with headquarters in Aix-en-Provence (France), contractual documentation relating to agreements with XX S.r.l.s. and evidence of consent collection relating to websites other than www.listeprofilate.com (documentation which therefore had no relevance to the list acquired by XX S.r.l.). The Office therefore objected to Wind Tre, in the notice initiating the proceeding, that the consents of the data subjects were not adequately proven and that the critical issues identified on the data collection site would have been easily verifiable also by Wind Tre during the preliminary accreditation of the partner. In the defence phase, the Company, with regard to the use of numbers after 24 months from collection, declared that partner XX had provided proof of the "renewal of consents for the indicated numbers" and attached in this regard the partner's new timestamps, which show dates of issue of the consents between 13 December 2021 and 28 November 2022.
With regard, instead, to the contested unsuitability of the partner due to the lack of a representative in Europe, the Company transmitted the privacy notice of the website www.listeprofilate.com provided by the partner, in which the representative in Europe is indicated. However, this notice does not bear any date and is therefore not suitable to prove that this requirement was met at the time of accreditation of the partner by Wind Tre, also taking into account the fact that the official checks had in any case found this deficiency. For these reasons, the objections raised against the Company in the notice initiating the proceeding cannot be overcome and the violation of articles 5, par. 2, 24 and 28 of the Regulation is confirmed, due to the inability of the controller to comply with the obligation to demonstrate compliance with the rules (accountability) and for the inadequate control over the processor engaged to carry out promotional campaigns. Furthermore, in consideration of the fact that the consents thus collected by the partner could not be considered lawful, the violation of articles 6, par. 1 and 7 of the Regulation, as well as art. 130 of the Code, is also confirmed.
1.2.2 evidence of partner XX
Points 6 to 8 of the aforementioned Annex G reported three numbers used by XX S.r.l. for the activation of contracts, and the list formed from the site https://... was indicated as the source of the data; for one of these numbers, consent was acquired on 04/16/2020; according to what is indicated in the privacy notice, the data should have been stored for 24 months, but the number had been contacted by the partner on 09/30/2022. Also in this case, the Office asked Wind Tre to "describe the checks carried out on the partner XX Srl at the time of authorization of the lists used for the promotional campaign that led to the activation of the contracts relating to the numbers: XX, XX, XX".
The Company responded on 5 May 2023 (see attachment 2 to note no. 379.23, point f) declaring that it had acquired documentation from the partner before authorizing the use of the cold list. At the request of the Office, with a note dated 27 June 2023 (see attachment 8 to note no. 544.23) the Company produced the privacy notice of XX S.r.l. and the images relating to the consent collection screens used on the web. In the defence phase, the Company stated that the privacy policy of XX authorized by Wind Tre in 2020 was different from the one currently published and indicated that the consent was valid until revoked by the user. Also in this case, it is highlighted that the Company was not able to provide immediate evidence of the processing carried out: in fact, several exchanges were necessary to obtain the documents, and only in the defence phase was the privacy notice presented to the user at the time of data collection produced. Moreover, such a generic formulation of the data retention times cannot be considered adequate, because consent for marketing purposes is indeed valid until revoked, but only within the retention time limits established by the controller and made known through the privacy notice. For these reasons, the objections raised against the Company in the notice initiating the proceeding cannot be overcome and the violation of Articles 5, par. 2, and 24 of the Regulation is confirmed due to the inability of the controller to comply with the obligation to demonstrate compliance with the rules (accountability) and due to the inadequacy of the checks carried out before acquiring the partner's list, taking into account that the unlawfulness relating to the data retention period could easily have been detected by the controller. Furthermore, in consideration of the fact that the consents thus collected by the partner could not be considered lawful, the violation of Articles 6, par. 1 and 7 of the Regulation, as well as of Article 130 of the Code, is also confirmed.
1.2.3 evidence of partner XX
Partner XX was found to have used data acquired through the website www.vincosubito.it, for which XX srl was the controller. The privacy notice on this site did not indicate the data retention period for promotional purposes; in fact, it stated that "Your personal data will be retained for a period of time not exceeding the purposes for which they were collected. We may retain your data for up to 10 (ten) years, or for the longest applicable limitation period, to demonstrate that we have obtained your consent, unless it is essential to retain such data for a longer period and in compliance with the applicable legislation. In any case, we will not process your data for marketing purposes for the entire period. You can exercise your rights indicated below at any time". In its defence, Wind Tre stated that the partner confirmed the retention periods described in the privacy notice and added that in any case the Company used the data for a period not exceeding 24 months. Also in this case, the inadequacy of the wording must be noted: by not giving the data subject correct information, it renders the consent given by the latter invalid. For these reasons, the objections raised against the Company in the notice initiating the proceeding cannot be overcome and the violation of Articles 5, paragraph 2, and 24 of the Regulation is confirmed due to the inability of the controller to comply with the obligation to demonstrate compliance with the rules (accountability) and due to the inadequacy of the checks carried out before acquiring the partner's list, taking into account that the unlawfulness relating to the data retention period could easily have been detected by the controller.
In consideration of the fact that the consents thus collected by the partner could not be considered lawful, the violation of Articles 6, paragraph 1 and 7 of the Regulation, as well as Article 130 of the Code, is also confirmed.
1.2.4 number without supporting evidence
Among the numbers subject to verification, Wind Tre was asked to document the consent also for the number XX; however, this number was not listed in the aforementioned Annex G and therefore Wind Tre was charged with not having documented the existence of prior consent to make the call. In the defence phase, the Company declared that it had omitted the information due to a mere clerical error and produced a statement from the partner XX S.r.l. containing the timestamp of the consent given by the user. In this document there is a "third party consent" item with two boxes set to "yes" but, since it lacks the relative legend, there is no certainty as to the meaning of this documentary source, nor was any useful documentation provided for this purpose. For these reasons, despite the late feedback provided, the objections raised against the Company in the notice initiating the proceeding cannot be entirely overcome and the violation of articles 5, par. 2, and 24 of the Regulation is confirmed due to the inability of the controller to comply with the obligation to prove compliance with the rules (accountability). Furthermore, given that the document produced shows that the data was acquired through the portal www.vincosubito.it, and referring to what is described in the previous point, the violation of articles 6, par. 1 and 7 of the Regulation, as well as art. 130 of the Code, is also confirmed.
1.2.5 Validity of IP timestamps
In the notice initiating the proceeding, the Office objected to the Company that the documents proving consent, included in Annex G, contained IP timestamps that presumably attested the dates of registration on the respective sites from which the data had been collected, but did not necessarily also document the date of issue of the individual consents (which were in any case differentiated by purpose). In fact, while consent can be granted at the same time as registration on a website, it is always possible that such consent is subsequently revoked, or that a consent not granted at the time of registration is changed at a later date; this circumstance also occurred in the case, described above, of the partner XX, for which the Company declared that the consents had been used beyond the 24-month deadline because they had been "renewed" by the partner. There was no trace of such possible changes in the dating of the consents in the documents produced, nor could it have been otherwise, since there were no fields capable of distinguishing the date of the individual consents from the date of registration for the service or the website (the fields only report a YES/NO value). Therefore, these documents attested, at most, the date of data collection but were not suitable for demonstrating with certainty also the date of the individual consents. Moreover, as seen in relation to the evidence produced by the partner XX, the user's consent had been renewed at a time subsequent to that documented with the registration and no trace had been kept of this circumstance. It should be noted that, if the date of issue of consent cannot be ascertained, it is not even possible to document that consent was in place at the time of the promotional contact, since the documentation produced is only a static photograph of what was present in the systems at the time of the extraction.
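The evidentiary gap described in 1.2.5, as an added example that is not part of the decision and not any partner's actual system: a static extract with a collection date and YES/NO flags is compared with a per-purpose log of dated grant and revoke events. The record layout, the placeholder numbers, the dates and the 730-day retention constant are assumptions constructed for the illustration, including the choice to count a renewal as a new grant.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: the 24-month marketing retention period stated in a partner's notice.
RETENTION = timedelta(days=730)


@dataclass(frozen=True)
class ConsentEvent:
    number: str          # contact number the consent refers to
    purpose: str         # one event stream per purpose, e.g. "marketing"
    action: str          # "grant" (first consent or renewal) or "revoke"
    at: datetime         # when the data subject performed the action
    notice_version: str  # which privacy notice was shown at that moment


def snapshot(events, number, as_of):
    """Static extract: first collection date plus a YES/NO flag per purpose."""
    mine = sorted((e for e in events if e.number == number and e.at <= as_of),
                  key=lambda e: e.at)
    if not mine:
        return None
    # Later events overwrite earlier ones, so only the current state survives.
    flags = {e.purpose: "YES" if e.action == "grant" else "NO" for e in mine}
    return {"timestamp": mine[0].at, **flags}


def consent_in_force(events, number, purpose, contact_at):
    """Return (bool, reason): was consent for this purpose valid at contact time?"""
    history = sorted((e for e in events
                      if e.number == number and e.purpose == purpose
                      and e.at <= contact_at), key=lambda e: e.at)
    if not history:
        return False, "no consent event recorded before the contact"
    last = history[-1]
    if last.action != "grant":
        return False, f"revoked on {last.at:%Y-%m-%d}"
    if contact_at - last.at > RETENTION:
        return False, f"last grant {last.at:%Y-%m-%d} is past the retention period"
    return True, f"granted on {last.at:%Y-%m-%d} under notice {last.notice_version}"


# Constructed sample data: three placeholder numbers first collected on the same day.
D = datetime
EVENTS = [
    ConsentEvent("N-A", "marketing", "grant", D(2020, 4, 16), "v1"),
    ConsentEvent("N-B", "marketing", "grant", D(2020, 4, 16), "v1"),
    ConsentEvent("N-B", "marketing", "grant", D(2022, 6, 1), "v2"),    # renewal
    ConsentEvent("N-C", "marketing", "grant", D(2020, 4, 16), "v1"),
    ConsentEvent("N-C", "marketing", "revoke", D(2021, 1, 10), "v1"),
    ConsentEvent("N-C", "marketing", "grant", D(2022, 10, 15), "v2"),  # after the call
]
CONTACT_AT = D(2022, 9, 30)  # date of the promotional call
EXTRACT_AT = D(2022, 11, 4)  # date the evidence was extracted

if __name__ == "__main__":
    for n in ("N-A", "N-B", "N-C"):
        print(n, snapshot(EVENTS, n, EXTRACT_AT),
              consent_in_force(EVENTS, n, "marketing", CONTACT_AT))
```

All three numbers produce the same extract, yet only the renewed one had consent in force on the day of the call.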
In this regard, the Company, in its defence, limited itself to declaring that "all partners have confirmed that the date present in the Time Stamp is the same as the date of entry of data into the site by the user who provided consent to the commercial contact. In fact, for these types of hot leads, no prior registration to any site or portal is required". However, this statement is probably the result of a misunderstanding, since the numbers under examination - referring exclusively to those given in the aforementioned Annex G and in subsequent exchanges - were all extracted from cold lists, as declared by Wind Tre itself and as is evident from the documentation produced: the sites from which the data were collected are sites that require - at least apparently - registration to obtain a service or to participate in competitions, and the date of collection of personal data (which, as mentioned, sometimes went back more than 24 months) is not compatible with the 72-hour deadline imposed by Wind Tre for making calls to so-called "lead" numbers. However, it must be taken into account that, according to what was declared by Wind Tre, as of 1 December 2022 - only for consumer customers - the Company has suspended the purchase of prospect lists (cold lists) by suppliers (whether compiled independently or purchased from third parties acting as list providers); consequently, to date, the Company carries out promotional campaigns only on the customer base (customers and former customers) or on lead lists (hot lists), i.e. lists generated by interactions on the web and on social media to collect contacts of subjects interested in the Company's products and services. In the latter case, the contact must take place within 72 hours of the user's expression of interest, and the collection of a lead contact is followed by an SMS to the user to ascertain their awareness.
For these reasons, the objections raised against the Company in the notice initiating the proceeding cannot be overcome and - for the conduct described - the violation of Articles 5, paragraph 2, and 24 of the Regulation is confirmed due to the inability of the controller to comply with the obligation to prove compliance with the rules (accountability) and for the inadequacy of the checks carried out before acquiring the partner's list, taking into account that the unlawfulness relating to the documentation of the consent was easily detectable by the controller. Furthermore, considering that the consents thus collected could not be considered lawful, the violation of Articles 6, paragraph 1 and 7 of the Regulation, as well as Article 130 of the Code, is also confirmed.
1.3 Promotional communications made in the absence of consent
During the on-site activity, some numbers of subjects who had submitted reports to the Guarantor were verified, the results of which are reported in the minutes of 11 October 2022. On some positions, the Company provided clarifications during the investigation. In one case (file 133372 - reporting party XX), the defence arguments were not sufficient to overcome the objections raised. In fact, the contact with the reporting party was found to be present in the system, having been made by partner XX with subsequent registration of the number in the black list; Wind Tre was therefore asked to document the preliminary checks carried out on this partner, providing evidence of the original consent of the data subject.
With a note dated 4 November 2022, Wind Tre communicated that in its systems all consents relating to the line concerned had been denied since the activation date; the number had been used by the partner XX using its own lists acquired, in turn, from the supplier XX; at the same time, Wind Tre produced a reply email sent to the reporting party on 22 March 2022, in which it declared that the number "did not appear to have been included in any Wind Tre commercial campaign, but had passed through the lists of the partner XX by virtue of the consent given", adding that it had "revoked the consent". With regard to this case, it should be noted that the consents had been denied since the activation of the line and Mrs XX had also exercised her right to object towards Wind Tre via registered letter dated 02 March 2018 (relating to another line but also generically extended to all her active Wind Tre numbers). Therefore, the data subject had never given any consent and, indeed, had written in 2018 to complain about unwanted contacts. The Company, as mentioned, declared that the contact was made by the partner XX on the basis of a consent given to the supplier XX. However, it should be remembered that the consent given to a partner, even if it acts as a data controller, cannot override the denial expressly expressed towards the client, i.e. the data controller. In the specific case, Mrs. XX had denied all optional consents since the activation of the mobile phone service and had even complained about receiving unwanted contacts; in this context, her will, and the related expectation, not to be contacted on behalf of Wind Tre is evident regardless of whether the data subject subsequently gave her consent to a third party.
This is because the specific denial expressed towards the controller prevails over the general consent given to the third party, and therefore it is the controller's responsibility, once the list has been received, to verify that it does not contain data of subjects who have expressed the desire not to be contacted on behalf of Wind Tre. If this were not the case, it would be very easy to circumvent any denials from data subjects and it would be impossible for the latter to assert their right not to receive unwanted contacts. For these reasons, the objections raised against the Company in the notice initiating the proceeding cannot be overcome and the violation of articles 5, par. 1, letter a), 6, par. 1 and 7 of the Regulation, as well as art. 130 of the Code, is confirmed, since the processing of the complainant's data for promotional purposes was carried out in the absence of consent.
1.4 Calls made to numbers not authorised by Wind Tre
During the investigation, Wind Tre was asked to produce the list of purchase proposals coming from its sales network. In response to this request, the Company produced two files: "XX" for the consumer market and "XX" for the business sector. The files relating to the lists authorised by Wind Tre (see attachment 4 of the note dated 13 June 2023) showed 653,799 authorised numbers. The XX file showed 3,402 numbers called. From the comparison between the numbers called and the authorised numbers, it was found that, of the 3,402 numbers called, only 1257 were also present among the authorised numbers; consequently, 2145 numbers were called that were not authorised by Wind Tre. This appeared to have occurred despite the Company's assurances regarding the aforementioned impossibility of activating contracts without going through the CM system (therefore without using previously authorised lists). Furthermore, with note prot. 107208 of 12 July 2023, the Office requested the Ugo Bordoni Foundation (FUB) to compare the numbers called, extracted from the XX file, with the registrations in the RPO made up to 31/01/2023. In the file returned by the FUB, it was found that 344 numbers out of 3402 numbers called were registered in the RPO. Of these 344 numbers registered in the RPO, only 121 were also present in the list of numbers authorised by Wind Tre. In this regard, in the defence brief, the Company clarified that "the authorised numbers represent only a part of the campaigns carried out and the partners involved between February/March 2023 while the 3402 XX contracts represent the entire Wind Tre production of the week being analysed"; this is possible because the Company carries out many of the promotional campaigns towards its customer base using its own lists, which do not require authorisation or checking against the Register of Oppositions. Based on the justifications provided, this issue can be considered closed.
1.5 Guarantee measures adopted by Wind Tre
During the inspection and with numerous subsequent communications, some sent spontaneously, the Company provided updates regarding the organizational and technical changes implemented to limit unwanted contacts. In particular, Wind Tre communicated the following:
- telemarketing activities are centralized through the system called Campaign Management (CM), already described during the investigation that led to the provision adopted by the Guarantor on 9 July 2020 against Wind Tre; through this system, the Company keeps track of the calls made by partners and their outcome; the integration of the partners' CRM (Customer Relationship Management) systems via API has been planned, in order to eliminate the need for independent entry operations by the partners and avoid sending lists to the partners by Wind Tre (procedure available for all partners from 31 December 2022, as confirmed with note no. 217.23 of 8 March 2023);
- in the event of revocation of the consent expressed during a call, the system allows the operator to record the data subject's will and to report the same information in the black list;
- training activities on the processing of personal data have been organized for employees and subsequently extended to partners;
- a page of the company website has been dedicated to informing users about nuisance calls, with the possibility of submitting reports directly to Wind Tre (which has carried out subsequent checks);
- the Company participated in the Agcom working group to combat CLI (Calling Line Identification) spoofing and made the “Please don’t call” app available to its customers to filter nuisance calls. Furthermore, since the end of March 2023, the Company has activated the blocking of international calls with CLI not compliant with ITU-T E.164 recommendations for its customers, in order to protect them from CLI spoofing activities; in this regard, the Company has specified, by way of example, that since then it has blocked approximately half a billion calls per month transmitted by foreign carriers that use altered numbers.
- the Company, highlighting a significant economic investment, has created a system for monitoring the supply chain, called “from contact to contract”, consisting of a series of automatic checks aimed at verifying compliance with the rules of remote contact in order to reconstruct the consent-contact-contract chain; the Company added that it has started a study project to ensure tracking with blockchain technology;
- the Company described the partner accreditation procedure, consisting of the administration of a detailed questionnaire and a declaration of commitment to comply with the rules imposed by Wind Tre; a sample check is planned on said questionnaires, with requests for further information if necessary; furthermore, the Company carries out audit activities on partners with both remote and in-person checks;
- at the time of the inspection, the Company had declared that it would carry out a check call on a sample of activated contracts (see minutes of 11 October 2022); subsequently (see note 16.23 of 16/01/2023) Wind Tre communicated that this quality check is carried out on 100% of activated contracts; it was also planned to include "decoy numbers" in the lists entrusted to partners;
- following the suspension of the use of third-party cold lists for the consumer branch, the Company has enhanced the use of lead contacts by ensuring the user's will through a double opt-in mechanism.
PROCEEDING 173400
With the notice initiating the proceeding prot. no. 25394 of 29 February 2024, Wind Tre was charged with the violation of art. 6, par. 1, letter a) of the Regulation and art. 130, paragraph 2 of the Code for sending an unwanted promotional SMS. In particular, the complainant had complained, on 18 October 2021, of the receipt of an unwanted SMS.
During the investigation, the Company had clarified that the sending, which had only concerned the complainant, had occurred following a technical anomaly due to the fact that the line assigned to the complainant had been given up by a previous holder without the consents given by the latter being disabled. Subsequently, on 9 October 2023, the same complainant complained of receiving a new text message, despite the assurances provided by Wind Tre that the wish not to be contacted had been recorded in a special blacklist. On that occasion, the Company declared that the sending had occurred due to human error. Only in the defence phase did Wind Tre better describe the circumstances said to have caused the human error, clarifying that the sample of recipients had been formed by extracting from the database a series of segmentations to which specific requirements were attributed: among these, the presence of consent to receive promotional messages. Unfortunately, the operator, in carrying out the subsequent steps, linked these requirements to only one of the provinces involved in the campaign, thus mistakenly including customers who had not consented in all the other provinces. However, the Company added that this campaign creation platform was subsequently replaced by a new system that will automatically exclude all users without consent, avoiding the repetition of similar errors. Furthermore, immediately and in order to remedy the error, the Company informed the customers affected by the event and, until the new platform was implemented, carried out random checks to verify the consents recorded in the company CRM. In light of the new clarifications provided - taking into account the measures adopted to avoid the repetition of similar events - it is considered that the objection can be closed, given that the event was caused by an unforeseeable error of the person in charge, without harmful consequences for the data subject.
PROCEDURE 262138

With the act of initiation of the proceeding prot. no. 158163 of 25 November 2023, Wind Tre was charged with the violation of articles 5, par. 1, letter f), 32 and 33 of the Regulation for the adoption of inadequate technical measures that would have led to a data breach not notified to the Guarantor.

In particular, with a complaint of 27 April 2023, a Wind Tre customer declared that he had viewed the data of another customer when accessing his personal area. In this regard, the Company declared that access to the data of the other customer was caused by an incorrect entry of the customer code during registration. This would have generated an incorrect data matching, also due to the fact that the other user was not registered in the customer area; the improper access, in particular, had occurred as a result of a recent change made by the Company to the login function with the elimination of the tax code from the list of credentials required for access so that, "by removing the tax code, a check was also removed that verified that the tax code corresponded to the personal data retrieved from the CRM (Customer Relationship Management) associated with the indicated customer code. This removal was carried out to simplify customer access by avoiding the insertion of data not necessary for authentication".

In particular, once the obligation to enter the tax code was eliminated, only the verification of the correspondence between CLI and customer code was carried out, referring to the personal data retrieved from CRM; however, in the case of CLI belonging to a customer not registered in the reserved area, this last check was not carried out.
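The registration check described above, as an added example that is not part of the decision and not Wind Tre's code: a simplified model in which the CLI/customer-code comparison is skipped when the holder of the code has no portal account, beside a variant that runs the comparison on every registration. The CRM records, codes, numbers and all names are constructed, and the model assumes the CLI itself has already been verified as belonging to the person registering.

```python
from dataclasses import dataclass, field


class RegistrationRefused(Exception):
    """Raised when the submitted data does not match the CRM record."""


@dataclass(frozen=True)
class CrmRecord:
    customer_code: str
    holder: str
    clis: frozenset  # lines (CLIs) contracted under this customer code


# Constructed CRM sample: two 9-digit codes that differ by a single digit.
CRM = {
    "100200300": CrmRecord("100200300", "Customer A", frozenset({"0000000001"})),
    "100200309": CrmRecord("100200309", "Customer B", frozenset({"0000000002"})),
}


@dataclass
class Portal:
    # customer_code -> CLI of the portal account bound to it
    accounts: dict = field(default_factory=dict)

    def _lookup(self, customer_code):
        record = CRM.get(customer_code)
        if record is None:
            raise RegistrationRefused("unknown customer code")
        return record

    def register_flawed(self, cli, customer_code):
        """Comparison runs only if the code's holder already has an account."""
        record = self._lookup(customer_code)
        if customer_code in self.accounts and cli not in record.clis:
            raise RegistrationRefused("CLI does not belong to this customer code")
        self.accounts[customer_code] = cli  # caller is now bound to `record`
        return record

    def register_checked(self, cli, customer_code):
        """Comparison runs on every registration, registered holder or not."""
        record = self._lookup(customer_code)
        if cli not in record.clis:
            raise RegistrationRefused("CLI does not belong to this customer code")
        self.accounts[customer_code] = cli
        return record


def exposed_holder(register, cli, customer_code):
    """Return the holder whose data the caller would see, or None if refused."""
    try:
        return register(cli, customer_code).holder
    except RegistrationRefused:
        return None


if __name__ == "__main__":
    # Customer A mistypes the last digit of the customer code.
    print(exposed_holder(Portal().register_flawed, "0000000001", "100200309"))
    print(exposed_holder(Portal().register_checked, "0000000001", "100200309"))
```

Keeping the mistyped-code case as a regression test makes the invariant explicit, so that a later change to the login fields cannot remove the comparison as a side effect.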
Therefore, in the case in question, when, during the registration phase for the customer area, the complainant entered an incorrect customer code, this value, although associated with another subject not registered on the portal, generated the incorrect association between the portal user and the personal data in the CRM.

Following this event, which according to the Company would have been an isolated case, Wind Tre set up security controls by verifying the correspondence between the CLI and the customer code, with respect to the personal data present in the CRM, even in the case of users not registered in the personal area.

Overall, it is observed that the conduct described - consisting in the removal of security controls at access without adequate verification of the consequences - led to unauthorized access to the data of an unaware customer. Therefore, since the technical measures adopted by Wind Tre at the time of the event must be considered inadequate, the violation of Articles 5, paragraph 1, letter f) and 32 of the Regulation is deemed to have been established.

With regard to the contested failure to notify the Data Protection Authority of the personal data breach, the Company stated that, in addition to having promptly remedied the anomaly, it initiated a dialogue with the complainant, informing him of what had happened and asking him to destroy any copies in his possession of the data of the third party whose data he had accidentally accessed. Having done so, the Company, not perceiving serious harm to the interested party, deemed it unnecessary to notify the Data Protection Authority.

In this regard, it is noted that art. 33 of the Regulation provides that notification to the Data Protection Authority must be made if a personal data breach occurs, unless it is unlikely that such a breach presents a risk to the rights and freedoms of natural persons.
The seriousness of the harm, however, is relevant only in the case in which it is necessary to evaluate whether to also communicate the event to the interested party.(1) In this case, therefore, at least notification to the Authority would have been necessary and therefore the violation of art. 33 of the Regulation

2. CONCLUSIONS

Following the complex investigation activity described above, and taking into account the arguments added in the defense phase, some potential violation profiles, punctually described in the previous paragraphs, were archived while for other conducts, recalled below, the violations contested in the initiation of the proceeding were considered confirmed.

Reference is made, in particular, to the ability to prove the possession of suitable consents for making promotional calls to recipients extracted from the so-called "cold lists" of the partners as well as to the use for promotional purposes of the data of Ms. XX in the absence of suitable consent (file 178557).

Similarly, the violations contested in the initiation of the proceeding prot. no. 158163 of 25 November 2023, relating to file 262138, are confirmed, for the inadequacy of the security measures adopted at the time of the event described and for the failure to notify the Guarantor of the violation of personal data.

For the above reasons, Wind Tre is therefore deemed to be liable for the following violations:

a) articles 5, par. 2, 24 and 28 for the inability of the owner to comply with the obligation to demonstrate compliance with the rules (accountability) and for inadequate control over those responsible for processing aimed at carrying out promotional campaigns;
b) articles 5, par. 1, letter a), 6, par. 1 and 7 of the Regulation as well as art. 130 of the Code because the processing for promotional purposes, carried out in the context of the violations described regarding the lawfulness of consent, was found to lack an appropriate legal basis;
c) art. 5, par. 1, letter f) and 32 of the Regulation for the inadequacy of the technical measures adopted, at the time of the reported event, to enable access to the personal area of users;
d) art. 33 of the Regulation for the failure to notify the Guarantor of the violation of personal data.

However, it is useful to make some considerations regarding the conduct of the owner and the corrective measures adopted even before the initiation of the proceedings.

First of all, it is necessary to acknowledge the significant activity carried out by Wind Tre aimed at highlighting and combating the phenomenon of unwanted telemarketing, together with the equally necessary considerations relating to the fruitful dialogue and collaboration that the Company has undertaken for a long time with the Authority. In fact, from the results of the initiated proceedings, it emerges that the Company has implemented interventions and procedures suitable for creating a framework of significant increase in guarantees for the interested parties compared to that which emerged following provision no. 143 of 9 July 2020.

With regard to the carrying out of promotional activities, in fact, the Company has acknowledged that it has changed its operating methods, especially with regard to the processing of personal data of consumer customers, interrupting the use of cold lists from 1 December 2022. The Company has also implemented significant changes to its systems to optimize the control of the supply chain of managers who operate in telemarketing and teleselling activities by independently implementing the measures provided for by the relevant code of conduct before the actual entry into force of the same.

Also relevant and worthy of attention are the solutions to combat CLI spoofing spontaneously adopted for its customers through the Please don't call app and the blocking of international calls with CLI not compliant with the ITU-T E.164 recommendations.
Measures that the legislator(2) has only recently imposed in a generalized manner, delegating to the Communications Guarantee Authority the task of introducing the relevant technical measures.

These important interventions, many of which also required significant investments or involved the assumption, in a completely autonomous manner, of a burden not yet imposed on the generality of other competitors, must be carefully considered in the overall assessment of the conduct, while also taking into account that the contested promotional activities carried out on the basis of consents not lawfully collected, as well as in parallel the measures adopted at the time for the control of the supply chain, date back to the end of 2022.

With regard to the violations that emerged from proceeding 262138, it is noted that the modification made by the Company for the purposes of simplifying the user experience was implemented without due diligence; this is because the insertion, during registration by the customer, of a 9-digit code, without other checks by the owner, can lead to events of the type reported, as a typing error is possible, as occurred in this case. The Company has however acknowledged that it intervened promptly to introduce corrective measures aimed at avoiding the repetition of similar events.

Furthermore, it is necessary to take into account what was declared by Wind Tre, aware of the criminal consequences for false declarations, regarding the singularity of the event that would have occurred only thanks to the concomitance of the typing error by the complainant and the absence of a previous registration in the personal area by the account holder.
Therefore, having ascertained the unlawfulness of Wind Tre's conduct with reference to the treatments under examination, taking into account that all the violations ascertained have already been remedied during the present investigation, the conditions for the adoption of corrective measures against the account holder are not found; with regard to the violations that have occurred, it is instead necessary to adopt an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Wind Tre of the administrative pecuniary sanction provided for by art. 58, paragraph 2, letter i) and 83 of the Regulation.

Pursuant to the provisions of art. 154-bis, paragraph 3 of the Code, this provision is published on the Authority's website (see also art. 37 of the internal regulation of the Guarantor no. 1/2019).

Finally, it is noted that the conditions set out in art. 17 of the Regulation of the Guarantor no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation.

3. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

Based on the above, various provisions of the Regulation and the Code have been violated in relation to connected processing carried out by Wind Tre, for which reason art. 83, par. 3, of the Regulation applies, according to which, if, in relation to the same processing or to connected processing, a data controller violates, with intent or negligence, several provisions of the Regulation, the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation with consequent application of only the sanction provided for by art. 83, par. 5, of the Regulation.
For the purposes of quantifying the administrative sanction, the aforementioned art. 83, par. 5, in setting the maximum amount set by law in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the preceding financial year if higher, specifies the methods of quantifying the aforementioned sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1, of the Regulation), identifying, for this purpose, a series of elements, listed in par. 2, to be assessed when quantifying the relative amount.

In compliance with this provision, on the basis of the information found in the latest balance sheet (recorded on 31 December 2023), using the second hypothesis provided for by the aforementioned art. 83, par. 5 and therefore quantified at € 173,760,000 as the maximum applicable fine, the following aggravating circumstances must be considered:

1. the negligent nature of the violations, since the conduct was carried out in the absence of the diligence that would be commonly expected from a data controller who processes data on a large scale and with regard to issues, such as the selection of list providers, on which the Guarantor has clearly expressed itself several times; negligent conduct was also observed with regard to the changes made to the registration system for the personal area without adequately assessing the potential risks (art. 83, par. 2, letter b), of the Regulation);

As mitigating factors, it is believed that the following can be taken into account:

2. the low level of damage suffered by the data subjects (Article 83, paragraph 2, letter a), of the Regulation);
3. the measures adopted by the data controller that led to a radical change in the operating methods adopted at the time of the violations (Article 83, paragraph 2, letter c), of the Regulation);
4. the degree of cooperation with the Supervisory Authority that led, in relation to procedure 262138, to promptly put an end to the violation and, in the case of processing for promotional purposes, to maintaining constant discussions with the Authority for the definition of best application practices, in addition to the assiduous participation of Wind Tre in the working group that led to the presentation of the Code of Conduct on telemarketing and teleselling (Article 83, paragraph 2, letter f), of the Regulation);
5. the categories of data affected by the violations, since they are common data (art. 83, par. 2, letter g), of the Regulation).

In an overall balance between the rights of the interested parties and freedom of enterprise, it is necessary to prudently evaluate the aforementioned criteria, also in order to limit the economic impact of the sanction.

Therefore, it is believed that - on the basis of the set of elements indicated above - the administrative sanction of the payment of a sum of €347,520.00 (three hundred and forty-seven thousand five hundred and twenty/00) should be applied to Wind Tre, equal to 0.2% of the maximum statutory sanction identified with reference to the provisions of art. 83, par. 5, of the Regulation, taking into account that 4% of Wind Tre's turnover, based on the data reported in the latest balance sheet, is greater than 20 million euros.

In this context, it is also believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the internal regulation of the Guarantor no. 1/2019, this chapter containing the injunction order must be published on the Guarantor's website.
This is in consideration of the elements of risk for the rights and freedoms of the interested parties deriving from the use of lists formed by third parties without a preliminary accurate verification of the lawfulness of the consents given, taking into account that the Company has stopped using cold lists only from 1 December 2022 for the consumer market.

GIVEN ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, par. 1, letter a) and letter f), of the Regulation, declares the processing described in the terms of the motivation carried out by Wind Tre S.p.A., with registered office in Milan, via Monte Rosa no. 91, tax code 02517580920, to be unlawful; consequently

ORDERS

pursuant to art. 58, par. 2, letter i), of the Regulation, to Wind Tre S.p.A., in the person of its legal representative, to pay the sum of Euro 347,520.00 (three hundred and forty-seven thousand five hundred and twenty/00) as an administrative pecuniary sanction for the violations indicated in the reasons; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed.

ORDERS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 347,520.00 (three hundred and forty-seven thousand five hundred and twenty/00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law No. 689/1981;

ORDERS

a) pursuant to Articles 154-bis of the Code and 37 of the Internal Regulations of the Guarantor No. 1/2019, the publication of this provision on the Guarantor's website;
b) pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Internal Regulations of the Guarantor No. 1/2019, the publication of the injunction order on the Guarantor's website;
c) pursuant to Article 17 of the Internal Regulations of the Guarantor No. 1/2019, the annotation in the Authority's internal register, provided for by Article 57, paragraph 1, letter u) of the Regulation, of the violations and the measures adopted.

Pursuant to Article 78 of Regulation (EU) 2016/679, as well as Articles 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, an objection to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller resides, or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 12 December 2024

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE DEPUTY SECRETARY GENERAL
Filippi

_______

1) See also the clarifications provided by the EDPB in Guidelines 9/2022 on the notification of personal data breaches under the General Data Protection Regulation, adopted on 28 March 2023.

2) Legislative Decree no. 48 of 24 March 2024, amending Legislative Decree no. 259/2003 (Electronic Communications Code) introduced, on the part of Agcom, the obligation to require telephone operators to block calls made through CLI spoofing. On this basis, in the session of 13 November 2024, Agcom launched a public consultation (Resolution no. 457/24/CONS) to introduce new rules aimed at combating fraud and wild telemarketing through measures that prevent the so-called CLI Spoofing.
- ↑ See Garante per la protezione dei dati personali (Italy) - 9435753.
- ↑ In marketing jargon, a "cold list" is a list of contact data from consumers who had no previous interaction with a company.
- ↑ This Article is the national implementation of Article 13 ePrivacy Directive 2002/58/EC.