Garante per la protezione dei dati personali (Italy) - 10007895

From GDPRhub
Revision as of 09:49, 15 May 2024 by Im (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Garante per la protezione dei dati personali - 10007895
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6 GDPR
Article 13 GDPR
Article 24(1) GDPR
Article 25(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 28.12.2023
Decided: 22.02.2024
Published:
Fine: 150,000 EUR
Parties: Sigma s.r.l.
National Case Number/Name: 10007895
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: im

The DPA fined an agent company €150,000 for using personal customer data from the Vodafone's systems to activate more than 1,300 SIM cards and telephone services without their knowledge.

English Summary

Facts

The Italian Financial Police (Guardia di Finanza) sent a notice to the DPA regarding possible existence of administrative violations related to Sigma s.r.l., a company which operates two Vodafone Italia S.p.A. sale points in northern Italy (‘Sigma or ‘controller’). The Financial Police carried out an investigation following a complaint by a customer of Vodafone who claimed that Sigma charged them on their credit card relating to an activation of a new contract for telephone services. The contract was concluded in the name of her deceased husband.

The investigation revealed that Sigma activated approximately 1,300 SIM cards, numerous telephone services under Vodafone brand and linked telephones to active users without their knowledge while they were made available for sale at the shop. Specifically, the company activated unsolicited services by inducing customers to sign, via a tablet, without clarifying the consequences of such consents. The company sold mobile phones without any request made by the customers that learned of the purchase by finding additional charges on their invoice. These services or devices were never delivered to the customers. Additionally, it emerged that Sigma used data of hundreds of users extracted from the Vodafone information systems.

Vodafone clarified that its relationship with Sigma is governed by a franchising contract according to which Sigma is a dealer acting as an autonomous controller of personal data related to SIM card and telephone service activations. Employees of Sigma were authorized to identify all customers and make a copy of their IDs in case of activation of a new product. Additionally, the data entry and activation of services was carried out by the employees through a computer connected to the Vodafone systems.

Consequently, circumventing the telephone operator’s controls and relevant processing provision amounted to a turnover of more than €80,000.

Holding

It emerged that Sigma planned its activities precisely with the intention to acquire unsolicited telephone contracts which could be used for further illegal activities.

The DPA confirmed that Sigma engaged in several activities which circumvented the relevant provisions on the processing of customer’s data and the agreement it concluded with Vodafone. Because of this circumvention, Sigma became a controller of the processing. According to Article 28(10) GDPR, in case a processor infringes the GDPR by determining the purposes and means of processing, the processor shall be considered a controller in respect of that processing.In particular, Sigma processed personal data of customers without their consent and charged them for the cost of purchase of services which were never requested nor delivered. For failing to provide the data subject with appropriate information and in a fair and transparent manner, Sigma was found in breach of Article 5(1)(a), (2) and Article 13 GDPR.

The DPA closely analysed the franchising contract which laid down specific rules for the identification of the person requesting a new SIM or telephone service activation. According to the DPA’s general measures of 16 February 2006, the operators (e.g. Vodafone) designate agents or dealers as data processors. However, for the purpose of activating the services they exercise real and autonomous decision-making power and therefore must fulfil the relevant obligations provided for by the GDPR. Sigma was a controller for the mentioned processing purposes and planned its activities precisely with the intention of using the personal database at its disposal to acquire unsolicited telephone contracts. For this reasons they were found in breach of the principle of lawfulness and accountability pursuant to Article 5(1)(a) and (2) GDPR and its responsibility as a controller under Article 24(1) and 25(1) GDPR. In addition to that, the data for the SIM and telephone service activation was collected without the customers’ knowledge and therefore Sigma lacked legal basis for this processing under Article 6 GDPR.

The DPA imposed a fine of €150,000 to Sigma and ordered the prohibition of further processing of customers’ data.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Newsletter of 3 May 2024



[doc. web no. 10007895]

Provision of 22 February 2024

Register of measures
n. 159 of 22 February 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter the "Code");

HAVING SEEN the documentation in the documents;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000, adopted with resolution of 28 June 2000;

SPEAKER Prof. Ginevra Cerrina Feroni;

1. THE INVESTIGATORY ACTIVITY CARRIED OUT

1.1. Premise

With deed of 28 December 2023, n. 170449/2023 (notified on the same date by certified email), which must be understood as fully referenced and reproduced here, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation towards Sigma s.r.l., (hereinafter also “Sigma” or “the Company”), in the person of the legal representative pro tempore, with registered office in Trento (TN), Corso Tre Novembre, n. 84, tax code 02314590221.

The procedure originates from an information note sent by the Special Privacy Protection and Technological Fraud Unit of the Financial Police, registered in the protocol with no. 119438 of 10 August 2023, sent by the Economic-Financial Police Unit of Trento of the same Corps, with which the results of the judicial police investigations referred to in proc. pen. n. 2023/20-21 of the Public Prosecutor's Office at the Court of Trento.

The note, to which P.G.'s annotation is attached of 22 March 2023 and the related files, arrived following the authorization issued by the Public Prosecutor. of Trento on 14 April 2023, in order to allow the Authority to evaluate the possible existence of administrative violations with reference to the processing of personal data carried out by owners and employees of Sigma s.r.l. for the activation of cards, Vodafone brand telephone services and for the sale of mobile devices.

As reported in the note, the investigation activities were carried out following a complaint filed on 10 March 2022 by a customer of the telephone company Vodafone Italia S.p.A., who complained of having detected some charges on her card in 2021. credit from the company, deriving from the activation, on 2 February 2021, of a new contract for telephone services in the name of her husband, who died on 8 November 2020.

From the investigations as a whole, for the part that interests us here, a systematic activity emerged carried out by owners and employees of Sigma, which manages two Vodafone sales points in Trento and in Pergine Valsugana (TN), uniquely aimed at the activation of cards SIM cards and other telephone services, as well as the sale and association of mobile telephone equipment with active users, without the knowledge of customers and users of the telephone sector.

In particular, following the searches carried out on 18 May 2022 at the Sigma headquarters in Trento, and at the homes of the managing partners, no. 238 cell phones and other mobile devices with IMEI code and no. 1119 SIM cards. From a check carried out during the search activities, it was possible to note that several seized phones were linked to telephone accounts, despite being available for sale at the shop, and numerous SIM cards were already active and therefore connected to customers' personal data cards. Vodafone.

The investigations also involved the telephone company Vodafone, which, following requests for elements formulated by the Financial Police on 5 July 2022, represented that the relationships between the aforementioned Company and Sigma are regulated by a franchising contract signed on 23 January 2014, from which it is clear that the Company, in the processing of personal data connected to the activation of SIM cards, assumes the legal capacity of the Data Controller, without prejudice to the obligations, expressed contractually, to carry out the new activations on the basis of a identification and data collection process specifically envisaged by Vodafone.

This process provides, as represented by Vodafone with a note dated 12 January 2023 (annex 77 of the P.G. annotation), that "the authorized Vodafone sales points operating on the national territory (Dealers and Points affiliated to the national distributor of Vodafone products and services VND S.p.A. ), are required to identify the subscribers, even if they are already Vodafone Italia customers, and acquire a copy of their identity documentation in the event of activation of new products and services. […] In compliance with current legislation and company directives (or the contractual obligations stipulated with the undersigned), the point of sale is required to: identify all customers who request the activation and/or replacement of a new SIM through the presentation of the original of your identity document (identity card, driving license, passport, residence permit); have the customer view the information pursuant to Legislative Decree no. 196/2003; verify the customer's correspondence with the identity document presented; verify the validity of the document itself; check the forms, keep the documentation (form, copy of the identity document and any accompanying documents) at the point of sale for 24 months and send it to Vodafone in electronic or paper form via courier. […] Data entry and activation of offers and services are carried out by the point of sale employees through the computer workstation […] which connects the premises where the retailer operates to the Vodafone systems or through the use of the new system [ …], which require the mandatory completion of the following fields: 1. Document type 2. Document number 3. Issue date. In the event of a request for activation of a new SIM or replacement by a customer already identified by Vodafone, through the use of the new system [...], the Dealer will be able to proceed with entering the data of the identity document shown at the time of new identification".

With reference to the undue activations carried out by Sigma, Vodafone highlighted, by providing various lists in response to the requests made by the Financial Police, that of the SIMs found at the Company's headquarters and seized on 18 May 2022, 931 were active and/or associated with the details of a customer, while as regards mobile phones and other devices, also subject to seizure, 62 of them were associated with an active user, with charges on the invoice spread over up to 48 months.

The documentary evidence mentioned above was corroborated by an extensive testimonial gathering activity which involved both some customers and employees of the sales outlets managed by Sigma.

In particular, with reference to the employees of the sales outlets, what was declared by an employee, mainly assigned to the Pergine Valsugana sales outlet, who stated that "the SIMs are activated, without the customers' knowledge, to reach the targets, is worth mentioning. normally monthly, established by Vodafone and/or to achieve bonuses. […] The activated SIM cards were kept at the point of sale and in some cases sold to customers other than the first owner. […] For the new activations of the SIM cards or new services, all activated without the customers' knowledge, the personal data was drawn mainly from the Vodafone information system […]. The system […] is a Vodafone application from which the customer's entire contractual situation can be extrapolated.

In some cases, the data was extrapolated on the basis of paper contracts present at our point of sale. Banking data, in particular the lban code, are also managed directly by the Vodafone database, [...]. For new SIM activations or new services, consent to the processing of personal data was acquired with the contract. […] I can say that on many occasions the signatures on behalf of clients were made by [a director and other employees] of Sigma. For terminals formally sold to a customer and never actually delivered to that customer, they were stored in a cube (red) and then sold to subsequent customers unaware of the origin of that phone. It could happen, in some cases, that the first customer, once they noticed the charges on the invoice for phones they never received, stopped paying".

The same practices were confirmed by an employee of the Trento store, who declared that "in that period I noticed that they usually activated contracts in the name of customers who were totally unaware of such activation. In particular, for customers who already had an active landline, for the home landline, [the two administrators] or another employee took steps to activate new mobile or landline lines without the customer's knowledge, with the addition of the sale of telephones mobile phones by signing the relevant contracts. For these operations, the data of customers already registered and their related credit cards or other payment methods were used. The centralized Vodafone system, where all customer data is stored with the relevant credit cards or other means of payment, allows the activation of subsequent contracts, drawing up the data already present and therefore allows automatic debits based on the payment methods sign in. The cell phones sold to unsuspecting customers, who were charged the relevant installments, were actually resold "under the counter" to other customers. [...] These cell phones, sold "under the counter" and officially at a discounted price, were numerous and kept in the most disparate, such as in the bathroom, in the event of an inspection by Vodafone, the display case containing these mobile phones intended for under-the-counter sales was moved to an inaccessible place [...] they showed up with a mobile phone for various problems, with the excuse of "cleaning the phone" of the reported problems, [an administrator] or another employee proceeded to activate new paid options, always without the customer's knowledge [...] In a counter drawer they kept many identity cards in paper format, which had not yet expired".

The circumstances reported by the two employees also appear to be confirmed by the numerous messages that Sigma owners and employees exchanged which were found on the Company's computers and personal mobile phones following the searches and seizures of 18 May 2022. For example, in one chat of 1 February 2022, a partner of Sigma, reminds employees that "in Pergine in the chest of drawers there are next documents and documents for ethnic tourists already separated and ready to make SIM cards in the downtime, they will help us maintain the daily average!". In a chat on May 9th between two employees, reference is made again to the so-called “ethnic documents”: “do you have ethnic documents? … A little yes why? ... Because I've almost finished them ... Hahaha ... Just in case, send me two photos and I'll have them if you need them." In some chats the operating methods and the quantity of activations to be achieved over the course of a day are clarified: "For those who come to Pergine at the weekend I am making a small file with fictitious addresses that I look for on [...] for those who need it in the immediate for insertion, so as not to always use the same ones which is not the best... you can find it on the desktop... How many cards do I make today? … How many cards do you have there? ... Up until now I've done 3 to one that I can't do them anymore... Do about ten... How many sims do I do today? … 10 if you can … I'm already at 5”. On the issue of addresses, very often in chats we agree that undue activations cannot be subject to controls and therefore we avoid inserting real contact details "Should I enter the customer's address? ... No ... Put Rome away, Milan, Piazza Venezia tn ... Message from another customer at worst "we made a mistake" ... Yes ... I also put an email by removing a letter so nothing arrives ... I do the same thing too." The seized devices also contain many messages from customers complaining about undue activations.

Precisely with reference to customers, it must be highlighted that during the investigation activities the Financial Police acquired 12 documents of complaint-complaint, in addition to the one originally produced by the original complainant, and collected summary testimonial information from 34 customers who all reported undue activations not only of SIMs (some 14, 12 and 10) but also of services such as Vodafone TV, Now TV, Vodafone Casa, Vodafone Sport and charges in one's Vodafone invoices for the purchase of unsolicited mobile phones and GPS trackers and of which they never came into possession. Customers have often stated that they were invited, within Sigma stores, to add their signatures via electronic tablets, without a specific reason being given for these collections of subscriptions.

Overall, the Financial Police highlighted that the activities of undue SIM activation allowed Sigma to acquire commissions amounting to €73,413.70 while the commissions acquired by the same Company for undue associations of SIMs to mobile devices amounted to €6,085, 31. The amounts charged to the customers examined for the purchase of cell phones and other mobile devices that were never actually delivered amounted to €4,730.54.

1.2. Dispute of violations

At the end of the investigation, the Office adopted the aforementioned notice of dispute no. 170449/2023 against Sigma, believing that it acted as data controller of personal data of customers in the fixed and mobile telephony sector, carrying out conduct in violation of the provisions of the Regulation.

Specifically, the Office charged the company with the alleged violation of the following provisions:

a) art. 5, par. 1, letter. a), and 2; art. 6; art. 24, par. 1 and 25, par. 1 of the Regulation; for having carried out the processing as described above of personal data of users and contractors in the fixed and mobile telephony sector in conflict with the principles of lawfulness, correctness and responsibility, in the absence of an appropriate legal basis and by implementing technical and organizational measures aimed at evading, right from the design stage, the principles of lawfulness, correctness and responsibility;

b) art. 5, par. 1, letter. a), and 2; art. 13 of the Regulation; for having carried out the above-described treatments without having provided the interested parties with suitable information and therefore in conflict with the principles of correctness and transparency.

2. ASSESSMENTS BY THE AUTHORITY

It should be noted that Sigma, following receipt of the notice of dispute referred to above, proven by the acceptance and delivery certificates of the relevant certified email message, did not intend to exercise its right of defense and, therefore, did not produce briefs, nor did she request to be heard by the Authority.

From this perspective, it is worth reiterating that the communication initiating the procedure, containing the notification of the administrative violations, was sent to Sigma's certified email address as resulting from the information system of the Chambers of Commerce and that the legislative decree 76/2020 (so-called "simplification decree"), converted with amendments by Law 120/2020, has qualified, in art. 37, the certified email address of the companies as a "digital domicile" valid for the purposes of electronic communications having legal value.

In light of this circumstance, it must in any case be stated that the investigations carried out by the Financial Police, in the absence of counterarguments from the party, constitute full proof and allow the liability of Sigma to be affirmed in relation to the disputed conduct.

In fact, it emerged that the Sigma company, through its managing partners, providing unambiguous provisions to its employees operating in the sales points of Trento and Pergine Valsugana, processed the personal data of which it retained availability, relating to customers who had entered relationship with its stores, activating SIM cards, Vodafone services, Now TV services in their names without consent and charging them for the cost of purchasing mobile devices, in particular mobile phones and GPS trackers, which were never requested and never delivered to the customers themselves .

Specifically, with reference to the activation of SIM cards, it must be highlighted that the Vodafone telephone company with which Sigma was linked by a franchising contract, has dictated specific rules, in line with current legislation, for the identification of the person which requires a new activation even if it is already a customer.

The above-mentioned operational practice, in compliance with the provisions of the Regulation, had to also be followed in relation to the activation of services accompanying the telephone contract or for the purchase of cellular devices for which the charge was foreseen in the invoice relating to the Vodafone account, since these activities, involving an expansion of the overall offering of the telephone company, had to be preceded by clear obligations connected to the release of exhaustive information on the processing carried out and by the acquisition of elements suitable for legitimizing and proving the suitability of the legal basis (contractual ) of the same treatments.

This, according to the activities carried out by the Financial Police, not only did not happen, but concordant elements emerged which provide a picture of extremely serious conduct carried out by Sigma s.r.l. for: a) illicitly activating SIM cards using customers' personal data and identity documents extrapolated from Vodafone systems or unduly stored by the point of sale; b) activate unsolicited services by acquiring the temporary availability of the devices used by customers, or by inducing them to sign, usually via electronic tablet, without clarifying the value and consequences of such subscriptions; c) make sales of mobile devices that had not been requested or actually acquired by customers, who however found monthly charges on their invoices linked to the purchase of the aforementioned devices; d) evade controls by the telephone company Vodafone, as described by some employees and documented in the information note dated 10 August 2023 and in the related documents.

In essence, Sigma would not only have failed to implement the provisions on the protection of personal data to activate SIM cards, telephone services and installment sales of mobile devices, but would have designed its activities precisely with the intention of using the base of personal data at its disposal to acquire unsolicited telephone contracts or unduly expand the contractual offer previously signed by its customers.

As regards the ownership of Sigma in relation to the treatments examined, beyond the specific contractual provisions established in the franchising contract stipulated with Vodafone, it is necessary to recall the recent provision of the Guarantor, n. 405 of 14 September 2023 (in www.gpdp.it, web doc. no. 9936215), as well as the general provision regarding unsolicited telephone services, adopted by the Authority on 16 February 2006 and published in the Official Gazette. n. 54 of 6 March 2006 (web doc. no. 1242592), in the part in which it highlights that "agents and resellers have the status of independent data controllers of the data used for the purpose of activating the services when, based on the methods of their activities, exercise real and completely autonomous decision-making power on the methods and purposes of the processing carried out in their area", and then, among others, the provision adopted against a Vodafone dealer operating in the province of Brescia (provision no. 293 of 13 May 2015, web doc. no. 4210697), where it is stated that "with reference to operations aimed at activating telephone cards in the absence of the holder and without the acquisition of a valid document carried out processing of personal data by exercising a completely autonomous decision-making power, free from the provisions that linked it to the telephone operator and the Master dealer, assuming the legal capacity of data controller, as outlined in the aforementioned provision of the Guarantor of 16 February 2006". This last provision was subjected to scrutiny by the First Civil Section of the Court of Cassation which, with Order no. 21234 of 23 July 2021, reiterated "that only the person who has been responsible for the processing by the "owner" and who has complied with the instructions given by the latter in explication of his decision-making power can assert the status of "data controller". ; it follows that if this does not happen, the "manager" may be recognized as the concrete "owner" of the processing, due to the decision-making and management autonomy manifested even by disregarding the provisions of the "owner"".

Sigma's responsibility therefore appears to be confirmed, ascertained by the unequivocal results of the seizure and analysis of the artefacts (computers, mobile phones and SIM cards) and by the testimonial information provided by the Company's employees and customers, regarding the violation of the provisions of the Regulation which require the owner to process the data lawfully, correctly and transparently and to demonstrate compliance with these principles (art. 5, par. 1, letter a), and 2, 24, par. 1 and 25, par. 1), to process the same data in relation to a suitable legal basis (art. 6) and after having issued suitable information to the interested parties (art. 13)

3. CONCLUSIONS

For the above, Sigma's responsibility for the following violations is deemed to be established:

a) art. 5, par. 1, letter. a), and 2; art. 6; art. 24, par. 1 and 25, par. 1 of the Regulation; for having carried out the processing as described above of personal data of users and contractors in the fixed and mobile telephony sector in conflict with the principles of lawfulness, correctness and responsibility, in the absence of an appropriate legal basis and by implementing technical and organizational measures aimed at evading, right from the design stage, the principles of lawfulness, correctness and responsibility;

b) art. 5, par. 1, letter. a), and 2; art. 13 of the Regulation; for having carried out the processing described above without having provided the interested parties with suitable information and therefore in conflict with the principles of correctness and transparency.

Having also ascertained the illegality of the Company's conduct with reference to the treatments examined, it is necessary to:

- impose on Sigma, pursuant to art. 58, par. 2, letter. f) of the Regulation, the prohibition of any further processing of customer data aimed at activating SIM cards or telephone and television services without their knowledge, as well as the sale and charging of the cost of purchasing mobile devices, in particular cell phones and GPS trackers, never requested and never delivered to the customers themselves;

- adopt an injunction order, pursuant to articles. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Sigma of the pecuniary administrative sanction provided for by art. 83, par. 3 and 5 of the Regulation.

4. ORDER-INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to articles. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Sigma of the pecuniary administrative sanction provided for by art. 83, par. 3 and 5 of the Regulations (payment of a sum of up to €20,000,000.00);

To determine the amount of the sanction it is necessary to take into account the elements indicated in the art. 83, par. 2, of the Regulation;

In the case in question, the following are relevant:

1) the seriousness of the violations (art. 83, par. 2, letter a) of the Regulation), taking into account the object and purpose of the data processed, as well as the conduct attributable to the overall phenomenon of illicit activation of telephone cards, potentially suitable to create further and much more alarming causes of illegality and to constitute an obstacle to the prevention and repression of crimes, including those of an associative nature; of the further purpose connected to the illicit activation of pay telephone and television services and the sale and undue association with customers' users of electronic devices never requested and never delivered to them, activities also attributable to specific hypotheses of criminal offence; of the high number of interested parties involved (931 recipients of the illicit SIM activations and 62 customers whose users were associated with electronic devices never requested and never delivered, with invoice charges spread over up to 48 months); of the illicit profit ascertained from the unsolicited activations and sales (equal to €79,499, corresponding to the damage suffered by Vodafone for the payment of undue commissions) and the damage caused to customers due to the charging on the invoice of mobile devices that were never delivered ( equal to €4,730.54);

2) as an aggravating factor, the intentional nature of the violation (art. 83, par. 2, letter b) of the Regulation), as emerged from the reconstruction of the facts and conduct carried out which exclude the merely negligent nature of the violation, given that the dealer not only disregarded the telephone company's provisions regarding the need for customer identification, both for SIM activations and for the sale of other services and electronic devices, but also planned the overall activities, in which involved the Company's employees, to increase sales and activations and to evade the controls of the telephone company and the customers themselves;

3) as an aggravating factor, the lack of initiatives on the part of Sigma aimed at mitigating the damage suffered by the interested party (art. 83, par. 2, letter c) of the Regulation);

4) as an aggravating factor (art. 83, par. 2, letter g) of the Regulation), the category of data processed, provided in the contractual context and also concerning information on invoicing and payment systems;

5) as an aggravating factor, the lack of collaboration with the Authority (art. 83, par. 2, letter f) of the Regulation), also highlighted by the decision not to provide clarifications regarding the disputed conduct.

Based on all the elements indicated above, and on the principles of effectiveness, proportionality and dissuasiveness provided for by the art. 83, par. 1 of the Regulation, it is believed that the administrative sanction of paying a sum of 150,000 euros should be applied to Sigma, equal to 0.75% of the maximum statutory sanction.

In the case in question, it is believed that the accessory sanction of publication of this provision on the Guarantor's website, provided for by art., should be applied. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the nature of the Company's processing and conduct, as well as the elements of risk for the rights and freedoms of the interested parties, as well as the high number of interested parties actually or potentially involved.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS CONSIDERING THE GUARANTOR

a) imposes on Sigma, pursuant to art. 58, par. 2, letter. f) of the Regulation, the prohibition of any further processing of customer data aimed at activating SIM cards or telephone and television services without their knowledge, as well as the sale and charging of the cost of purchasing mobile devices, in particular cell phones and GPS trackers, never requested and never delivered to the customers themselves;

b) orders Sigma, pursuant to art. 157 of the Code, to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the imposed measure; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, paragraph 5, of the Regulation.

ORDER

to Sigma s.r.l., in the person of the legal representative pro tempore, with registered office in Trento (TN), Corso Tre Novembre, n. 84, tax code 02314590221, to pay the sum of 150,000.00 euros (one hundred and fifty thousand/00) as a pecuniary administrative sanction for the violations indicated in the motivation, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, by complying with the instructions given and paying, within thirty days, an amount equal to half of the sanction imposed.

ORDERS

to the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 150,000.00 euros (one hundred and fifty thousand/00), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the 'art. 27 of law no. 689/1981.

HAS

The application of the accessory sanction of the publication of this provision on the Guarantor's website, provided for by the articles. 166, paragraph 7 of the Code and 16 of the Guarantor's Regulation no. 1/2019, and the annotation of the same in the internal register of the Authority - provided for by the art. 57, par. 1, letter. u), of the Regulation, as well as art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor - relating to violations and measures adopted in compliance with the art. 58, par. 2, of the Regulation itself.

Pursuant to the articles. 152 of the Code and 10 of the Legislative Decree. n. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is based, within thirty days from the date of communication of the provision itself. .

Rome, 22 February 2024

PRESIDENT
Stantion

THE SPEAKER
Cerrina Feroni

THE GENERAL SECRETARY
Mattei



SEE ALSO Newsletter of 3 May 2024



[doc. web no. 10007895]

Provision of 22 February 2024

Register of measures
n. 159 of 22 February 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter the "Code");

HAVING SEEN the documentation in the documents;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000, adopted with resolution of 28 June 2000;

SPEAKER Prof. Ginevra Cerrina Feroni;

1. THE INVESTIGATORY ACTIVITY CARRIED OUT

1.1. Premise

With deed of 28 December 2023, n. 170449/2023 (notified on the same date by certified email), which must be understood as fully referenced and reproduced here, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation towards Sigma s.r.l., (hereinafter also “Sigma” or “the Company”), in the person of the legal representative pro tempore, with registered office in Trento (TN), Corso Tre Novembre, n. 84, tax code 02314590221.

The procedure originates from an information note sent by the Special Privacy Protection and Technological Fraud Unit of the Financial Police, registered in the protocol with no. 119438 of 10 August 2023, sent by the Economic-Financial Police Unit of Trento of the same Corps, with which the results of the judicial police investigations referred to in proc. pen. n. 2023/20-21 of the Public Prosecutor's Office at the Court of Trento.

The note, to which P.G.'s annotation is attached of 22 March 2023 and the related files, arrived following the authorization issued by the Public Prosecutor. of Trento on 14 April 2023, in order to allow the Authority to evaluate the possible existence of administrative violations with reference to the processing of personal data carried out by owners and employees of Sigma s.r.l. for the activation of cards, Vodafone brand telephone services and for the sale of mobile devices.

As reported in the note, the investigation activities were carried out following a complaint filed on 10 March 2022 by a customer of the telephone company Vodafone Italia S.p.A., who complained of having detected some charges on her card in 2021. credit from the company, deriving from the activation, on 2 February 2021, of a new contract for telephone services in the name of her husband, who died on 8 November 2020.

From the investigations as a whole, for the part that interests us here, a systematic activity emerged carried out by owners and employees of Sigma, which manages two Vodafone sales points in Trento and in Pergine Valsugana (TN), uniquely aimed at the activation of cards SIM cards and other telephone services, as well as the sale and association of mobile telephone equipment with active users, without the knowledge of customers and users of the telephone sector.

In particular, following the searches carried out on 18 May 2022 at the Sigma headquarters in Trento, and at the homes of the managing partners, no. 238 cell phones and other mobile devices with IMEI code and no. 1119 SIM cards. From a check carried out during the search activities, it was possible to note that several seized phones were linked to telephone accounts, despite being available for sale at the shop, and numerous SIM cards were already active and therefore connected to customers' personal data cards. Vodafone.

The investigations also involved the telephone company Vodafone, which, following requests for elements formulated by the Financial Police on 5 July 2022, represented that the relationships between the aforementioned Company and Sigma are regulated by a franchising contract signed on 23 January 2014, from which it is clear that the Company, in the processing of personal data connected to the activation of SIM cards, assumes the legal capacity of the Data Controller, without prejudice to the obligations, expressed contractually, to carry out the new activations on the basis of a identification and data collection process specifically envisaged by Vodafone.

This process provides, as represented by Vodafone with a note dated 12 January 2023 (annex 77 of the P.G. annotation), that "the authorized Vodafone sales points operating on the national territory (Dealers and Points affiliated to the national distributor of Vodafone products and services VND S.p.A. ), are required to identify the subscribers, even if they are already Vodafone Italia customers, and acquire a copy of their identity documentation in the event of activation of new products and services. […] In compliance with current legislation and company directives (or the contractual obligations stipulated with the undersigned), the point of sale is required to: identify all customers who request the activation and/or replacement of a new SIM through the presentation of the original of your identity document (identity card, driving license, passport, residence permit); have the customer view the information pursuant to Legislative Decree no. 196/2003; verify the customer's correspondence with the identity document presented; verify the validity of the document itself; check the forms, keep the documentation (form, copy of the identity document and any accompanying documents) at the point of sale for 24 months and send it to Vodafone in electronic or paper form via courier. […] Data entry and activation of offers and services are carried out by the point of sale employees through the computer workstation […] which connects the premises where the retailer operates to the Vodafone systems or through the use of the new system [ …], which require the mandatory completion of the following fields: 1. Document type 2. Document number 3. Issue date. In the event of a request for activation of a new SIM or replacement by a customer already identified by Vodafone, through the use of the new system [...], the Dealer will be able to proceed with entering the data of the identity document shown at the time of new identification".

With reference to the undue activations carried out by Sigma, Vodafone highlighted, by providing various lists in response to the requests made by the Financial Police, that of the SIMs found at the Company's headquarters and seized on 18 May 2022, 931 were active and/or associated with the details of a customer, while as regards mobile phones and other devices, also subject to seizure, 62 of them were associated with an active user, with charges on the invoice spread over up to 48 months.

The documentary evidence mentioned above was corroborated by an extensive testimonial gathering activity which involved both some customers and employees of the sales outlets managed by Sigma.

In particular, with reference to the employees of the sales outlets, what was declared by an employee, mainly assigned to the Pergine Valsugana sales outlet, who stated that "the SIMs are activated, without the customers' knowledge, to reach the targets, is worth mentioning. normally monthly, established by Vodafone and/or to achieve bonuses. […] The activated SIM cards were kept at the point of sale and in some cases sold to customers other than the first owner. […] For the new activations of the SIM cards or new services, all activated without the customers' knowledge, the personal data was drawn mainly from the Vodafone information system […]. The system […] is a Vodafone application from which the customer's entire contractual situation can be extrapolated.

In some cases, the data was extrapolated on the basis of paper contracts present at our point of sale. Banking data, in particular the lban code, are also managed directly by the Vodafone database, [...]. For new SIM activations or new services, consent to the processing of personal data was acquired with the contract. […] I can say that on many occasions the signatures on behalf of clients were made by [a director and other employees] of Sigma. For terminals formally sold to a customer and never actually delivered to that customer, they were stored in a cube (red) and then sold to subsequent customers unaware of the origin of that phone. It could happen, in some cases, that the first customer, once they noticed the charges on the invoice for phones they never received, stopped paying".

The same practices were confirmed by an employee of the Trento store, who declared that "in that period I noticed that they usually activated contracts in the name of customers who were totally unaware of such activation. In particular, for customers who already had an active landline, for the home landline, [the two administrators] or another employee took steps to activate new mobile or landline lines without the customer's knowledge, with the addition of the sale of telephones mobile phones by signing the relevant contracts. For these operations, the data of customers already registered and their related credit cards or other payment methods were used. The centralized Vodafone system, where all customer data is stored with the relevant credit cards or other means of payment, allows the activation of subsequent contracts, drawing up the data already present and therefore allows automatic debits based on the payment methods sign in. The cell phones sold to unsuspecting customers, who were charged the relevant installments, were actually resold "under the counter" to other customers. [...] These cell phones, sold "under the counter" and officially at a discounted price, were numerous and kept in the most disparate, such as in the bathroom, in the event of an inspection by Vodafone, the display case containing these mobile phones intended for under-the-counter sales was moved to an inaccessible place [...] they showed up with a mobile phone for various problems, with the excuse of "cleaning the phone" of the reported problems, [an administrator] or another employee proceeded to activate new paid options, always without the customer's knowledge [...] In a counter drawer they kept many identity cards in paper format, which had not yet expired".

The circumstances reported by the two employees also appear to be confirmed by the numerous messages that Sigma owners and employees exchanged which were found on the Company's computers and personal mobile phones following the searches and seizures of 18 May 2022. For example, in one chat of 1 February 2022, a partner of Sigma, reminds employees that "in Pergine in the chest of drawers there are next documents and documents for ethnic tourists already separated and ready to make SIM cards in the downtime, they will help us maintain the daily average!". In a chat on May 9th between two employees, reference is made again to the so-called “ethnic documents”: “do you have ethnic documents? … A little yes why? ... Because I've almost finished them ... Hahaha ... Just in case, send me two photos and I'll have them if you need them." In some chats the operating methods and the quantity of activations to be achieved over the course of a day are clarified: "For those who come to Pergine at the weekend I am making a small file with fictitious addresses that I look for on [...] for those who need it in the immediate for insertion, so as not to always use the same ones which is not the best... you can find it on the desktop... How many cards do I make today? … How many cards do you have there? ... Up until now I've done 3 to one that I can't do them anymore... Do about ten... How many sims do I do today? … 10 if you can … I'm already at 5”. On the issue of addresses, very often in chats we agree that undue activations cannot be subject to controls and therefore we avoid inserting real contact details "Should I enter the customer's address? ... No ... Put Rome away, Milan, Piazza Venezia tn ... Message from another customer at worst "we made a mistake" ... Yes ... I also put an email by removing a letter so nothing arrives ... I do the same thing too." The seized devices also contain many messages from customers complaining about undue activations.

Precisely with reference to customers, it must be highlighted that during the investigation activities the Financial Police acquired 12 documents of complaint-complaint, in addition to the one originally produced by the original complainant, and collected summary testimonial information from 34 customers who all reported undue activations not only of SIMs (some 14, 12 and 10) but also of services such as Vodafone TV, Now TV, Vodafone Casa, Vodafone Sport and charges in one's Vodafone invoices for the purchase of unsolicited mobile phones and GPS trackers and of which they never came into possession. Customers have often stated that they were invited, within Sigma stores, to add their signatures via electronic tablets, without a specific reason being given for these collections of subscriptions.

Overall, the Financial Police highlighted that the activities of undue SIM activation allowed Sigma to acquire commissions amounting to €73,413.70 while the commissions acquired by the same Company for undue associations of SIMs to mobile devices amounted to €6,085, 31. The amounts charged to the customers examined for the purchase of cell phones and other mobile devices that were never actually delivered amounted to €4,730.54.

1.2. Dispute of violations

At the end of the investigation, the Office adopted the aforementioned notice of dispute no. 170449/2023 against Sigma, believing that it acted as data controller of personal data of customers in the fixed and mobile telephony sector, carrying out conduct in violation of the provisions of the Regulation.

Specifically, the Office charged the company with the alleged violation of the following provisions:

a) art. 5, par. 1, letter. a), and 2; art. 6; art. 24, par. 1 and 25, par. 1 of the Regulation; for having carried out the processing as described above of personal data of users and contractors in the fixed and mobile telephony sector in conflict with the principles of lawfulness, correctness and responsibility, in the absence of an appropriate legal basis and by implementing technical and organizational measures aimed at evading, right from the design stage, the principles of lawfulness, correctness and responsibility;

b) art. 5, par. 1, letter. a), and 2; art. 13 of the Regulation; for having carried out the processing described above without having provided the interested parties with suitable information and therefore in conflict with the principles of correctness and transparency.

2. ASSESSMENTS BY THE AUTHORITY

It should be noted that Sigma, following receipt of the notice of dispute referred to above, proven by the acceptance and delivery certificates of the relevant certified email message, did not intend to exercise its right of defense and, therefore, did not produce briefs, nor did she request to be heard by the Authority.

From this perspective, it is worth reiterating that the communication initiating the procedure, containing the notification of the administrative violations, was sent to Sigma's certified email address as resulting from the information system of the Chambers of Commerce and that the legislative decree 76/2020 (so-called "simplification decree"), converted with amendments by Law 120/2020, has qualified, in art. 37, the certified email address of the companies as a "digital domicile" valid for the purposes of electronic communications having legal value.

In light of this circumstance, it must in any case be stated that the investigations carried out by the Financial Police, in the absence of counterarguments from the party, constitute full proof and allow the liability of Sigma to be affirmed in relation to the disputed conduct.

In fact, it emerged that the Sigma company, through its managing partners, providing unambiguous provisions to its employees operating in the sales points of Trento and Pergine Valsugana, processed the personal data of which it retained availability, relating to customers who had entered relationship with its stores, activating SIM cards, Vodafone services, Now TV services in their names without consent and charging them for the cost of purchasing mobile devices, in particular mobile phones and GPS trackers, which were never requested and never delivered to the customers themselves .

Specifically, with reference to the activation of SIM cards, it must be highlighted that the Vodafone telephone company with which Sigma was linked by a franchising contract, has dictated specific rules, in line with current legislation, for the identification of the person which requires a new activation even if it is already a customer.

The above-mentioned operational practice, in compliance with the provisions of the Regulation, had to also be followed in relation to the activation of services accompanying the telephone contract or for the purchase of cellular devices for which the charge was foreseen in the invoice relating to the Vodafone account, since these activities, involving an expansion of the overall offering of the telephone company, had to be preceded by clear obligations connected to the release of exhaustive information on the processing carried out and by the acquisition of elements suitable for legitimizing and proving the suitability of the legal basis (contractual ) of the same treatments.

This, according to the activities carried out by the Financial Police, not only did not happen, but concordant elements emerged which provide a picture of extremely serious conduct carried out by Sigma s.r.l. for: a) illicitly activating SIM cards using customers' personal data and identity documents extrapolated from Vodafone systems or unduly stored by the point of sale; b) activate unsolicited services by acquiring the temporary availability of the devices used by customers, or by inducing them to sign, usually via electronic tablet, without clarifying the value and consequences of such subscriptions; c) make sales of mobile devices that had not been requested or actually acquired by customers, who however found monthly charges on their invoices linked to the purchase of the aforementioned devices; d) evade controls by the telephone company Vodafone, as described by some employees and documented in the information note dated 10 August 2023 and in the related documents.

In essence, Sigma would not only have failed to implement the provisions on the protection of personal data to activate SIM cards, telephone services and installment sales of mobile devices, but would have designed its activities precisely with the intention of using the base of personal data at its disposal to acquire unsolicited telephone contracts or unduly expand the contractual offer previously signed by its customers.

As regards the ownership of Sigma in relation to the treatments examined, beyond the specific contractual provisions established in the franchising contract stipulated with Vodafone, it is necessary to recall the recent provision of the Guarantor, n. 405 of 14 September 2023 (in www.gpdp.it, web doc. no. 9936215), as well as the general provision regarding unsolicited telephone services, adopted by the Authority on 16 February 2006 and published in the Official Gazette. n. 54 of 6 March 2006 (web doc. no. 1242592), in the part in which it highlights that "agents and resellers have the status of independent data controllers of the data used for the purpose of activating the services when, based on the methods of their activities, exercise real and completely autonomous decision-making power on the methods and purposes of the processing carried out in their area", and then, among others, the provision adopted against a Vodafone dealer operating in the province of Brescia (provision no. 293 of 13 May 2015, web doc. no. 4210697), where it is stated that "with reference to operations aimed at activating telephone cards in the absence of the holder and without the acquisition of a valid document carried out processing of personal data by exercising a completely autonomous decision-making power, free from the provisions that linked it to the telephone operator and the Master dealer, assuming the legal capacity of data controller, as outlined in the aforementioned provision of the Guarantor of 16 February 2006". This last provision was subjected to scrutiny by the First Civil Section of the Court of Cassation which, with Order no. 21234 of 23 July 2021, reiterated "that only the person who has been responsible for the processing by the "owner" and who has complied with the instructions given by the latter in explication of his decision-making power can assert the status of "data controller". ; it follows that if this does not happen, the "manager" may be recognized as the concrete "owner" of the processing, due to the decision-making and management autonomy manifested even by disregarding the provisions of the "owner"".

Sigma's responsibility therefore appears to be confirmed, ascertained by the unequivocal results of the seizure and analysis of the artefacts (computers, mobile phones and SIM cards) and by the testimonial information provided by the Company's employees and customers, regarding the violation of the provisions of the Regulation which require the owner to process the data lawfully, correctly and transparently and to demonstrate compliance with these principles (art. 5, par. 1, letter a), and 2, 24, par. 1 and 25, par. 1), to process the same data in relation to a suitable legal basis (art. 6) and after having issued suitable information to the interested parties (art. 13)

3. CONCLUSIONS

For the above, Sigma's responsibility for the following violations is deemed to be established:

a) art. 5, par. 1, letter. a), and 2; art. 6; art. 24, par. 1 and 25, par. 1 of the Regulation; for having carried out the processing as described above of personal data of users and contractors in the fixed and mobile telephony sector in conflict with the principles of lawfulness, correctness and responsibility, in the absence of an appropriate legal basis and by implementing technical and organizational measures aimed at evading, right from the design stage, the principles of lawfulness, correctness and responsibility;

b) art. 5, par. 1, letter. a), and 2; art. 13 of the Regulation; for having carried out the processing described above without having provided the interested parties with suitable information and therefore in conflict with the principles of correctness and transparency.

Having also ascertained the illegality of the Company's conduct with reference to the treatments examined, it is necessary to:

- impose on Sigma, pursuant to art. 58, par. 2, letter. f) of the Regulation, the prohibition of any further processing of customer data aimed at activating SIM cards or telephone and television services without their knowledge, as well as the sale and charging of the cost of purchasing mobile devices, in particular cell phones and GPS trackers, never requested and never delivered to the customers themselves;

- adopt an injunction order, pursuant to articles. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Sigma of the pecuniary administrative sanction provided for by art. 83, par. 3 and 5 of the Regulation.

4. ORDER-INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to articles. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Sigma of the pecuniary administrative sanction provided for by art. 83, par. 3 and 5 of the Regulations (payment of a sum of up to €20,000,000.00);

To determine the amount of the sanction it is necessary to take into account the elements indicated in the art. 83, par. 2, of the Regulation;

In the case in question, the following are relevant:

1) the seriousness of the violations (art. 83, par. 2, letter a) of the Regulation), taking into account the object and purpose of the data processed, as well as the conduct attributable to the overall phenomenon of illicit activation of telephone cards, potentially suitable to create further and much more alarming causes of illegality and to constitute an obstacle to the prevention and repression of crimes, including those of an associative nature; of the further purpose connected to the illicit activation of pay telephone and television services and the sale and undue association with customers' users of electronic devices never requested and never delivered to them, activities also attributable to specific hypotheses of criminal offence; of the high number of interested parties involved (931 recipients of the illicit SIM activations and 62 customers whose users were associated with electronic devices never requested and never delivered, with invoice charges spread over up to 48 months); of the illicit profit ascertained from the unsolicited activations and sales (equal to €79,499, corresponding to the damage suffered by Vodafone for the payment of undue commissions) and the damage caused to customers due to the charging on the invoice of mobile devices that were never delivered ( equal to €4,730.54);

2) as an aggravating factor, the intentional nature of the violation (art. 83, par. 2, letter b) of the Regulation), as emerged from the reconstruction of the facts and conduct carried out which exclude the merely negligent nature of the violation, given that the dealer not only disregarded the telephone company's provisions regarding the need for customer identification, both for SIM activations and for the sale of other services and electronic devices, but also planned the overall activities, in which involved the Company's employees, to increase sales and activations and to evade the controls of the telephone company and the customers themselves;

3) as an aggravating factor, the lack of initiatives on the part of Sigma aimed at mitigating the damage suffered by the interested party (art. 83, par. 2, letter c) of the Regulation);

4) as an aggravating factor (art. 83, par. 2, letter g) of the Regulation), the category of data processed, provided in the contractual context and also concerning information on invoicing and payment systems;

5) as an aggravating factor, the lack of collaboration with the Authority (art. 83, par. 2, letter f) of the Regulation), also highlighted by the decision not to provide clarifications regarding the disputed conduct.

Based on all the elements indicated above, and on the principles of effectiveness, proportionality and dissuasiveness provided for by the art. 83, par. 1 of the Regulation, it is believed that the administrative sanction of paying a sum of 150,000 euros should be applied to Sigma, equal to 0.75% of the maximum statutory sanction.

In the case in question, it is believed that the accessory sanction of publication of this provision on the Guarantor's website, provided for by art., should be applied. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the nature of the Company's processing and conduct, as well as the elements of risk for the rights and freedoms of the interested parties, as well as the high number of interested parties actually or potentially involved.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS CONSIDERING THE GUARANTOR

a) imposes on Sigma, pursuant to art. 58, par. 2, letter. f) of the Regulation, the prohibition of any further processing of customer data aimed at activating SIM cards or telephone and television services without their knowledge, as well as the sale and charging of the cost of purchasing mobile devices, in particular cell phones and GPS trackers, never requested and never delivered to the customers themselves;

b) orders Sigma, pursuant to art. 157 of the Code, to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the imposed measure; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, paragraph 5, of the Regulation.

ORDER

to Sigma s.r.l., in the person of the legal representative pro tempore, with registered office in Trento (TN), Corso Tre Novembre, n. 84, tax code 02314590221, to pay the sum of 150,000.00 euros (one hundred and fifty thousand/00) as a pecuniary administrative sanction for the violations indicated in the justification, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, by complying with the instructions given and paying, within thirty days, an amount equal to half of the sanction imposed.

ORDERS

to the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 150,000.00 euros (one hundred and fifty thousand/00), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the 'art. 27 of law no. 689/1981.

HAS

The application of the accessory sanction of the publication of this provision on the Guarantor's website, provided for by the articles. 166, paragraph 7 of the Code and 16 of the Guarantor's Regulation no. 1/2019, and the annotation of the same in the internal register of the Authority - provided for by the art. 57, par. 1, letter. u), of the Regulation, as well as art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor - relating to violations and measures adopted in compliance with the art. 58, par. 2, of the Regulation itself.

Pursuant to the articles. 152 of the Code and 10 of the Legislative Decree. n. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is based, within thirty days from the date of communication of the provision itself. .

Rome, 22 February 2024

PRESIDENT
Stantion

THE SPEAKER
Cerrina Feroni

THE GENERAL SECRETARY
Mattei