Garante per la protezione dei dati personali (Italy) - 9894662

From GDPRhub
Garante per la protezione dei dati personali - 9894662
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(2) GDPR
Article 6 GDPR
Article 7 GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 14 GDPR
Article 15(1) GDPR
Article 24 GDPR
Article 32(1)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started: 13.04.2023
Decided:
Published:
Fine: 7,631,175.00 EUR
Parties: Tim spa
National Case Number/Name: 9894662
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: Bernardo Armentano

The DPA issued a €7,631,175.00 fine to a phone company for publication of its users the in the public phone directories and unsollicited phone calls without prior valid consent

English Summary[edit | edit source]

Facts[edit | edit source]

After procedure 7.2020, in which a decision established a deadline for TIM, as the controller, to implement a series of corrective measures, the Italian DPA received several complaints relating to issues already subject to the aforementioned decision. These complaints referred mainly to the following:

1) unsolicited advertising telephone calls, text messages and emails (often repetitive);

2) missed or late response to access requests;

3) publication of personal numbers in telephone directories;

4) unavailability of privacy information during the purchases on the controller's website;

5) a possible data breach.

The Italian DPA grouped together the complaints of a similar and repeated nature and opened a wide investigation against the controller.

1) As for the unsolicited phone calls, the controller denied that data subjects were contacted by its "commercially active sales force" and stated that it did not recognize the calling numbers. It also claimed that, before using personal data obtained from external providers, it verifies that data subjects gave their consent by carrying out a test on a random sample of names included in the database. According to the controller, the data from data subjects who appear to have denied their consent for marketing activities are deleted.

2) With regard to personal data access requests, the controller presented different justifications. In some cases, it claimed to be unaware of the access request or that it was not possible to authenticate the user. In others, it admitted not having answered them or having answered them only partially. About the requests relating to unwanted calls, it claimed that it did not provide more information because it did not recognize the calling numbers as its own numbers.

3) Similarly, the controller presented several arguments in relation to telephone directories. In general, it stated that its customers received a copy of the contractual conditions in which they consented to the publication of their personal data in telephone directories. However, it recognized that there was a misalignment between its systems, which hindered the processing of consent withdrawals. In this regard, the controller informed that the anomaly was resolved and that confidentiality requests are being adequately addressed. In other specific cases, it argued that the the responsability was exclusively on the publisher of the public directories.

4) Concerning the complaints on the unavailability of the privacy information, the controller once again attributed the fact to a temporary anomaly in the system. This anomaly - TIM said - was already resolved and customers could then access the privacy policy before the conclusionof online purchases, expressing their consent for purposes other than the performance of the contract.

5) Finally, with reference to the data breach, the controller alleged that it received no reports or comlplaints on the matter. However, from the checks carried out on its commercial systems, it emerged that some data subjects were associated with the tax code other persons and mistakenly received communications containing their personal data such as name, surname, tax code and telephone number.

Holding[edit | edit source]

1) First, the Italian DPA highlighted the significant overall number of complaints made against TIM and its crucial role as a major operator in the telecommunications market. According to the DPA, the accountability principle provided for by Article 5(2) GDPR implies that the controller must be proactive and constantly monitor its supply chain in order to ensure that the processing of users' personal data is legally compliant. It rejected the argument that the calling numbers could not be recognized as those in use by the controller and its commercial partners since they were made in the controller's name. Therefore, it held that the controller did not make sufficient efforts to monitor the activities carried out on its behalf.

The DPA characterized the practice of using numbers that are not from the company's official sales force, or that cannot be identified, as 'spoofing' or 'undergrowth'. According to the DPA, these camouflage techniques consist of illegal operators who contact people without having obtained their consent, or even people who have expressly opposed this type of calls, in an attempt to reabsorb them as consumers within the official chain of companies. In turn, these companies approve the contracts and recognize the sales activity carried out by these intermediaries, fueling the illicit market. Based on this findings, the DPA considered that TIM violated Article 6 GDPR, for the lack of a legal basis for the processing of personal data.

Furthermore, the DPA reinforced that it is up to the controllers to verify that the contracts proposed by the sales network originate from a regular contact and in line with the specific sector regulations. In the DPA's view, TIM failed to demonstrate that it had carried out adequate checks on the contracts activated by third parties acting on its behalf, something that would have been possible considering the size and structure of the company. Therefore, it found a violation of Article 24 GDPR.

Moreover, the DPA stressed that controllers must be able to demonstrate that they obtained consent, pursuant to Article 7(1) GDPR. The evidence of the online consent must be provided with technical methods such as to guarantee the unchangeable registration of the authentic will of the user. In this sense, with regard to the legitimacy of the consents allegedly expressed by data subjecthe DPA pointed out that the documentation produced by the list providers is not suitable for demonstrating the real and genuine expression of consent with regard to promotional messages and their transfer to third parties.

Besides, where personal data have not been obtained from the data subject, the controller shall provide them with the provided for by Article 14 within a reasonable period after obtaining the personal data, but at the latest within one month, which TIM also failed to do.

2) The DPA recalled that controllers must provide information on action taken on a request without undue delay and in any event within one month of receipt of the request. For the legislator, this is the maximum term, which, only exceptionally, can be extended by two further months, taking into account the complexity and number of the requests. In the case at hand, the DPA held that the controller failed to reply to the requests, withou any legitimate justification. Therefore, it found a violation of Article 12 (2) and (3) and 15(1) GDPR. It is also deemed necessary to order Tim to adopt organizational and technical measures aimed at improving the management of such requests.

3) The DPA also considered that the evidence did not reveal the obtention of a specific consent with regard to the publication of numbers in the telephone directories. In fact, although obliged to demonstrate compliance with its obligations, TIM limited itself to show a copy of the screen displaying the 'consent' in its systems, without attaching a copy of the forms signed by the data subjects or other documentation (e.g.: voice recording) showing agreement to publication in the directory. The DPA stressed that the lack of expression of will should be recorded as a refusal (and not as consent). For these reasons, the DPA held that the controller violated Articles 6 and 7, as well as Article 12(3) GDPR.

4) With regard to the privacy information on the controller's website, the DPA accepted the argument that there was a technical problem of short duration and found no violation.

5) Finally, the DPA held that the controller violated Article 32(1) GDPR by framaining inactive over time, failing to verify and solve the data breach even after it was reported by a data subject.

Considering the seriousness of the violations as well as their recurrence, the DPA issued a fine equal to 1.5% of the statutory maximum (508,745,019 euros), calculated with respect to the Company's turnover (12,718. 625.495), which amounted to €7,631,175.00.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE PRESS RELEASE OF JUNE 9, 2023



[doc. web no. 9894662]

Provision of April 13, 2023

Register of measures
no. 183 of 13 April 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016.679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Personal Data Protection Code (Legislative Decree June 30, 2003, No. 196), as amended by Legislative Decree August 10, 2018, No. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000;

SPEAKER the lawyer Guido Scorza;

1. REPORTS AND COMPLAINTS RECEIVED BY THE AUTHORITY.

1.1. Preliminary investigation through cumulative requests

1.1.1. Complaints received.

After the adoption of the corrective and sanctioning measure n. 7.2020 against Tim spa (hereinafter: "Tim" or "the Company") and in particular, after the deadline set for the implementation of the corrective measures prescribed therein, are received by the Authority, until January 2022 - according to a trend that remained substantially stable also in the following months (on average, based on a conservative estimate, about 3 reports and/or complaints per working day, for a total of about 15 weekly documents) - numerous complaints and reports relating to critical issues already subject of the aforementioned provision, and in particular:

- pre-recorded telephone calls or with an operator to private users, or registered in the public register of oppositions, or in any case for which consent was denied to Tim for promotional purposes; rarely, even unwanted text messages or emails (fasc. 1750063);

- missed or late response to requests to exercise rights pursuant to art. 15-22 of the Regulation;

- the impossibility of viewing the privacy information during the online purchase, dated 12/17/2021, of a mobile offer on the website www.tim.it. as the link to the aforementioned information led to another page that provided an error message (see file 175689);

- a possible data breach (see report contained in file 174492);

- episodically (see file 173198), alleged telephone contacts aimed at promoting the transfer to Tim following the notification, by the interested party, to the Company of technical faults on the telephone line of a different company.

The complaints regarding unsolicited promotional telephone calls are often repeated (just to give an example: with reference to files 168940 and 168630 there are 6 similar complaints; 5 for file 153087); numerous also relating to files 166767, 164516, 174178, 173169, as well as directed towards multiple users of the interested parties (see files: 171067-160878) and sometimes concern multiple calling numbers, as well as repeated calls (e.g., see .: 97912; 173169).

In some reports, the interested parties have come to hypothesize the phenomenon of 'stalking' and/or to highlight the harassing or aggressive nature of the call center operators (see files 176840 and 166189, in which it was stated that they received "from three to five calls a day ... for a few weeks"), sometimes indicating calls also from non-EU countries (file 166051).

Under various profiles, they also received:

- a report (175689), complaining of the impossibility of viewing the privacy information during the online purchase, dated 12/17/2021, of a mobile offer on the website www.tim.it. as the link to the information led to another page that provided an error message;

- a complaint (176169) - in the context of an alleged story of fraudulent use of personal data (also the subject of a complaint to the Public Prosecutor's Office) for the purchase of some Tim IT products against the unaware interested party - relating to repeated failure, for 9 months, by Tim, with respect to the request for documentation relating to the paper contract signed by the third party who replaced the complainant; to the delivery note as well as to the identity document provided at the time of delivery of the products.
Considering the amount of reports and complaints received and in order to have an overview of the treatments highlighted therein, no. 4 cumulative requests for information (on 18 October 2021, 12 January 2022, 25 January 22 and 12 February 2022), each concerning a certain number of complaints, almost all located in the period between March 2021 and January 2022 (and gathered in file no. 172861), selecting those of a more reiterated nature or in any case containing more useful elements in an investigation key, for a total of 134 deeds.

Tim responded to these requests with various notes, including those of 11.30.2021; of 21.02.2022; of 23.02.2022; of 03.11.2022; of 03.15.2022 and 03.24.2022.

1.1.2. Tim's feedback on unwanted phone calls

With reference to almost all the complaints and reports received (no. 76), Tim has shown that the users of the interested parties have not been contacted "by its commercially active sales force", nor are the calling numbers used for this purpose attributable to it, thus also disregarding the complained telephone calls with promotional content proposed during the technical intervention (see file 173198).

The Company then represented, as a result of this alleged non-involvement, that it believed it was not required to provide further information, adding however that it had verified that various calling numbers, within the scope of the service dedicated to tariff transparency, were non-existent or temporarily unavailable ( e.g.: files: 173935; 173987), or still assigned to call centers outside its commercial network (e.g. files: 171067, 160878, 161620-formerly 155269-; 173259;171453) or pertaining to the United Kingdom (file 174469).

For some reports (files 168344; 167939; 167771; 173502), Tim pointed out that he was unable to provide feedback as the documentation relating to the promotional campaigns was no longer available (kept for a maximum period of 12 months) or not being the reports sufficiently detailed, stating in any case the non-involvement of the calling numbers indicated in the deeds.

With reference, more generally, to the contact lists, Tim highlighted that, before acquiring personal data from external list providers, he verifies the existence and correctness of the texts of the information and privacy consents used by the list provider; subsequently a test is carried out at the latter on a random sample of names included in the database object of the supply, aimed at ascertaining the effectiveness of the obligations by this transferor. If the list is acquired, Tim extracts the lists from the database received containing the numbers and proceeds to filter them, "preliminarily eliminating the numbers of customers and former customers, who appear to have given or denied their consent to the Company for marketing activities; moreover, the numbers of prospects for which opposition to promotional contacts from TIM have already been registered are excluded from the Database (including numbers present in the Black List)."

With specific regard to the fasc. no. 174561, Tim represented that the promotional contact was made through a user account owned by one of its partners (Business Promoter s.r.l.) by an agent of a sub-agency contracted by the latter (Top Solutions s.r.l.), confirming that the called number was not present in their contact lists. In this regard, the Company, despite the precise request of the Authority, has not attached, nor demonstrated the existence of any informed consent for the promotional purpose acquired, directly or from its partners, nor any information provided to the interested party

With regard to the phone calls complained of, the one referred to in file emerges 164015 (formerly 154626), carried out on the basis of a contact list acquired by XX which, although in the records, does not appear to have provided the information to the interested party, so, moreover, it was not possible to verify whether the same provided for the communication of your data to Tim; moreover, based on the screen shot of the registration form, the traceability of the consents to the communication of data for marketing purposes is not unequivocal. A similar criticality is found with reference to file 163526 (in relation to which Tim denied having made promotional contacts), so that it is not proven that what was originally acquired was a specific consent for communication to third parties (including Tim) for marketing purposes.

In the file 168248, the Company, while not acknowledging the calls complained of, nevertheless specified that the user of the whistleblower was included in a contact list on 17.1.2021, coming from a list provider (also in this case, XX), with respect to the which elements relating to the acquisition of consent have been provided, but not also to the information issued to the interested party by the said provider, as a necessary prerequisite for the legitimacy of the communication of the data to Tim and the subsequent use for promotional purposes, also reverberating on the validity of the marketing consent.

The foregoing made it necessary to dispute (for the aforementioned files: 164015 - formerly 154626; 163526; 168248; 174561) the possible violation of articles 6 - 7 of the Regulation as well as 130 of the Code. Furthermore, in all three of the cases just summarized, it does not appear that Tim has released its own disclosure pursuant to art. 14 of the Regulation, thus placing itself in possible violation of this provision as well.

Furthermore, the aforementioned traceability of numbers to Tim's Business and Consumer customer care (e.g. file 173169) and to some companies of the Tim Group (such as Cofitel spa) appeared to be a suitable element, in the context of the dispute, to lead to believe that the related calls were made precisely in Tim's interest (even without a specific mandate). At the same time, it has not been decided to exclude that many telephone calls, with numbers that turned out to be non-existent, had been made on behalf of or in any case in the interest of Tim by disguising the real calling number using the CLI spoofing technique, also considering that, as known, the The displayed caller ID may be forged.

With regard, more generally, to the numerous calls in deeds disregarded by Tim (together with the calling numbers), an underground marketing phenomenon of TIM's products emerged, of which the Company, although most probably a beneficiary, appeared to have inadequate propriety and ability to control, with consequent possible violation of the principle of 'accountability' (Article 5, paragraph 2 and Article 24, Regulation), also taking into account the aforementioned Cons. 74 of the Regulation.

The impossibility of providing feedback due to lack of documentation relating to promotional campaigns, kept for a maximum period of 12 months, also appeared indicative of the Company's lack of accountability.

1.1.3. Tim's findings with respect to the exercise of the rights pursuant to articles 15-22 of the Regulation.

Tim, with the notes of 17.11.2021, of 1 and 24.3.22, also provided feedback on some complaints concerning the incorrect management of the requests to exercise the rights provided for by articles 15-22 of the Regulation; in particular:

a) with regard to that contained in file 167981, the Company claimed that it had not received the first application dated 6/16/2021 and that it had found the second one on 8/8/2021 (received on 8/6/2021);

b) in the case of file 167342, relating to the failure to respond to a request sent to TIM on 06.12.2021 and the reminder sent on 06.21.2021, the Company has demonstrated that it replied to the reporting person on 06.24.2021, providing the information requested regarding the procedure to be follow to exercise the right of access to your personal data and indicating the necessary documentation for the purpose of its identification.

In these two circumstances, therefore, Tim appears to have provided timely feedback.

As for, then:

c) the file 169170, Tim represented that he was unable to produce to the whistleblower a copy of the recordings of the telephone calls made with Customer Service 187 of 15 and 12.16.2020, since he does not make such recordings; however - without prejudice to this company policy - it does not appear that the Company has provided any response to the aforementioned request, even if only to communicate the absence of the requested documentation;

d) similarly, with regard to file 172518, Tim admitted that he had not responded to the two requests (of 20.6.2021 and 14.9.2021) for access to the documentation (copy of the contract and of the registration made when the telephone line was activated) related to the publication .

With reference to these two cases, the Office therefore charged the owner with the violation of articles 12, par. 3, and 15, par. 1, of the Regulation.

With reference:

e) in file 166767 (formerly 165318), relating to the failure to respond to a request for access to data sent on 04.02.2021 via Project Consult Srl, Tim declared that on 04.29.2021 it had proceeded to forward an interlocutory note to the reporting party, respecting, at its notice, thus the maximum term of 30 days established by art. 12, par. 3, of the Regulation, as the request was complex, to then give a response completed on 1.7.2021;

f) in file 163087, concerning a request for confirmation of treatment with possible access, copying and deletion of data, received on 01.27.2021, Tim admitted that he had provided the reply only on 04.26.2021 despite, however, an interlocutory reply from the 26.2.2021;

g) in file 174664, in which the party, on 11.9.21, complained against the Company about the publication, in his opinion never requested, of his personal data listed (see paragraph 5 below), sending the cancellation request both to the Customer Service and to the DPO box dedicated to Consumer Customers, Tim admitted that the Customer Service provided an "inappropriate" response. The request in question was, in Tim's opinion, correctly "and promptly" managed by the Consumer Clients DPO box, specifically, on 12.7.2021 an initial interim response was sent and on 12.23.2021 the final reply was sent.

The three aforementioned cases were therefore the subject of a dispute against Tim, as the procedure followed did not appear to be in line with art. 12, par. 3, of the Regulation, according to which the reply to the requests, formulated by the interested parties, pursuant to articles 15 to 22, should be provided "without unjustified delay and, in any case, at the latest within one month of receipt of the request itself" and this term can be extended by two months only "if necessary, taking into account the complexity and number of requests", elements which, at the state of the documents, were not proven.

h) With reference to file 160287, Tim reported that, on 20.02.2020, the interested party sent to a certified mail address of the Company, as well as to the ordinary e-mail address of a service company operating on behalf of TIM, a request for clarification relating failure to deliver the repaired mobile phone within the agreed terms, also exercising the right of access pursuant to art. 15, of the Regulation. The said service company stated that it had sent the complainant, on several dates via PEC, updates on the situation related to the repair of the mobile phone, referring to Tim for questions related to the processing of personal data. As the latter admitted, although the aforementioned request of 20.2.2020 was also sent to Tim's certified email address, this did not follow the correct typing process, probably due to a system anomaly in the reference period , so that a reply to the whistleblower would not have been possible.

Tim pointed out that this anomaly has been resolved and a further control report of the internal processing process of the received pecs has also been introduced. On 5.5.2020, the complainant sent a further request to the aforementioned certified email address; the aforementioned communication, although correctly "typed" on the customer care systems in charge, was not handled correctly by the employee of this office. On 27.6.2020, the interested party also sent a pec to a certified mail address of the Company, as well as, on 30.06.2020, to a further pec address of the Company and sent further requests, precisely on 3.7.2020 and 7.7 .2020. On 29.7.2020 Tim provided cumulative feedback to all the previous four emails of identical content. In particular, the applicant was informed of the need to be identified in order for the request to be processed and was then invited to resubmit the latter with all useful information and documentation (e.g. photocopy of a valid identity document). On the same date and on 14.8.2020, the interested party reiterated his request again without attaching the necessary documentation for the reply. Tim, in the communications dated 08.03.2020 and 09.11.2020, pointed out these circumstances and, following a long conversation with the whistleblower, informed him of the fact that the sending via pec, although made out to the interested party, was not included among the methods deemed suitable for identifying the same.

With regard to this matter, the Office contested the incorrect handling of the requests of the interested party, which remained unanswered until May 2020, without, from this point of view, detecting the possible content (positive or negative) of the lack of response (which could, for example, have provided clarification on the incompleteness of the application presented); the conditions for the violation of art. 12, par. 2 and par. 3, and of the art. 15, par. 1, of the Regulation.

i) With reference to file 172687, Tim represented that on 02.07.2021 the interested party requested by certified email the documentation of the traffic charged in the months of March and May of the same year, contesting the higher charge than the amount due. The request was processed on 2.8.2021, but, due to a technical problem, an incorrect reply was provided to the reporting entity, erroneously indicating that the traffic data charged in March 2021 was no longer available; otherwise, the whistleblower was informed that the request for May 2021 would be sent (see response dated 2.8.2021). Based on Tim's assertions, the notes present in the system confirm the sending of traffic data relating to the period of May 2021; however, it would not be possible to verify the sending activity, as this can only be done within 15 days of sending the documentation. On 6.9.2021, the reporting party sent a further request, declaring that it had not received the traffic referring to the month of May and complaining about the response relating to the failure to send March. On 6.10.21, a reply was sent by Tim to the complainant who at the same time proceeded with a commercial management of his complaint, acknowledging its validity due to the failure to send the documentation of the requested traffic.

j)  With reference to the case referred to in file 174463, the interested party on 5.6.2021 sent via PEC a request for access to his data, in which he requested to obtain all the 'sensitive' information regarding his users, in particular the "telephone records, any information attributable to the geographical position , even approximate (for example, history of the cells connected by the mobile device; Internet browsing, such as log of connections made or DNS requests made)". Tim provided a first response only on 27.9.2021, moreover with a decidedly limited content compared to the request formulated (name, telephone number, tax code, place of birth, residence, identification document), so that the complainant contested the partiality of the data to the Company reiterating previous requests. On 11.10.2021, after having asked the complainant to specify the line subject of the report, a reply was sent via pec confirming what had already been previously communicated; on 10.18.2021, feedback was provided via email, also attaching the form required for the request for documentation of prepaid traffic. Even after a further exchange of letters, the interested party contested the persistently limited response to his request for access to the data with respect to the elements indicated above. Only on 25.1.2022 was the printout of unencrypted traffic data of his telephone line sent to him, kept for billing purposes for the period 24.7.2021-24.1.2022, informing him, at the same time, of the fact that the checks relating to the geographical and Internet browsing were in progress, and finally providing the complainant with the related results on 02.16.2022. Even taking into account the extent of the request made by the interested party, the response fully provided by Tim only on 16.2.21, after more than 8 months, with respect to the request in question (already formulated on 5.6.2021 and moreover already complete of the generality of the complainant as well as the details of the user concerned) seems decidedly late. This violation appears more serious if one considers its object - the printouts - which can only be kept for 6 months, with the consequence that, in the case in question, printouts relating to the 6 months prior to Tim's reply were provided (25.01.22 , cit.), therefore pertaining to a much later period of time, and therefore very different, compared to those to which the complainant would have been entitled to receive if the request had been promptly handled.

In the two cases mentioned above, the Office had to contest the alleged violation of articles 12, par. 3, and 15, par. 1, of the Regulation, as well as 124, paragraph 1, of the Code.

k) With regard to file 161814, Tim admitted that on 11.4.2020 he had received a request to close his e-mail account and that this request was unfortunately not handled correctly, so that no reply was sent to the reporting party, so much so that on 12.29. 2020, 7.1.2021, 11.2.2021, the interested party contacted TIM Customer Service by telephone. However, Tim also represented that he then proceeded to send the operating instructions for canceling the account, which then also took place thanks to the proactive behavior of the user.

l) With reference to file 173533, the Company, confirming receipt of its requests on 23.5.2016, 3.7.2020, 6.10.2020 and 29.10.2021, represented that the same were not handled correctly and therefore the reply was not sent to the whistleblower.

m)  With regard to file 175169, Tim, also in the light of the supplementary response dated 24.3.22, communicated that he had requested clarifications from the carrier responsible for the delivery of two SIM cards and two mobile telephone devices, so that he could provide suitable proof of the delivery of the aforementioned material to the actual holder, upon verification of your identity (as instructed); proof that was not provided, so Tim proceeded to formally contest the conduct in violation of the service contract to the carrier. That said, it did not appear that the Company gave any reply to the complainant, nor, consequently, that it provided him with a copy of the contractual documentation requested by him.

Also with reference to the three cases mentioned above, the conditions for the violation of articles have therefore been identified 12, par. 3 and 15, par. 1, of the Regulation.

1.1.4. Tim's feedback on publishing data in public telephone directories.

With reference to the complaints concerning the publication in the telephone directories, following the answers provided by Tim on 26.10.21 and 11.3.21, the following was found:

n) in relation to file 165665, Tim represented that, on 24.1.2020, following the activation of the telephone line, he sent the customer a copy of the contractual conditions in which the consent he gave to the publication of his personal data in telephone directories was indicated; on 25.2.2020, the interested party sent a request for confidentiality via the web channel, listing his personal data. The report was closed by Customer Care on 13.3.2020, with the indication that they had made the modification of the consents, enhancing the confidentiality to YES, without providing feedback to the reporting person. In this regard, as reported by Tim, the withdrawal of the consent in question, due to a misalignment between the commercial system and the DBU, did not generate any change in the latter, necessary for the Publishers to implement the update. On 25.2.2021, the complainant sent a certified email to Tim requesting the cancellation of personal data from public lists. On that occasion, the competent customer care structure involved the management structure of TIM's IT systems, in order to follow up on the request, which was correctly registered on the Company's commercial systems. The anomaly was resolved on 06/09/2021 by confirming the alignment of the position on the DBU. The feedback received from the competent Structure confirmed that the DBU has correctly implemented the publication of the confidentiality in the list with effect from 21.5.2021 and that the number of the interested party is confidential with effect from 15.6.2021;

o) with regard to files 165144-165619-165752-165585, Tim communicated that: on 22.02.2018, the interested party sent a request via the web channel aimed at having her fixed telephone number considered as a reserved number; the request was handled on the same date, with a contextual response to the applicant; however, "the change is not detected in the systems and it is not clear whether this error is attributable to a system anomaly or to the operator's failure to operate". On 23.04.2020, the complainant again requested the inclusion of confidentiality in the list via the web channel; “unfortunately, a misinterpretation of the request can be seen from the relative notes inserted in the contact reason; in fact, the confidentiality of only the street number and not of all personal data as requested by the customer is reported." On 10.05.2021, following a telephone request from the interested party, confidentiality was entered in the paper and online list. In this regard, Tim represented that confidentiality has been implemented in the DBU since the first ten days of May 2021 and that the number is correctly reserved in the online public telephone directories, while for the paper directories it was necessary to wait for the first useful publication-distribution foreseen in the November/December period of the same year;

p) with regard to file 164121, Tim represented that, when activating the telephone line of the interested party, the customer expressed his consent, also incorporated in the contractual conditions sent in a copy to his postal address on 05/05/2020, to the publication of the data in the directories paper and online telephone numbers, both with personal data research and with online research. On 14/04/2021, the interested party sent a pec to a certified mail address of the Company, exercising their rights regarding the protection of personal data, pursuant to articles 15-22 of the GDPR and expressing the will to delete your personal data from public telephone directories. An initial interim response was sent to the interested party on 05/14/2021, confirming the correct update received by the DBU regarding the confidentiality of his personal data. On 13/07/2021, further feedback was provided to the whistleblower, "always within the terms of the law", regarding the request previously made by him, concerning the exercise of rights regarding the protection of personal data. Finally, Tim highlighted that, as per the whistleblower's will, the confidentiality for the numbering subject of the report was implemented in April 2021 and sent to the DBU in May 2021;

q) with reference to file 162474, Tim represented that the mobile line subject of the report has been active as a Prepaid Consumer and in the name of the reporting party since May 19, 2017; in relation to mobile lines, the corporate procedure provides that the inclusion, variation and cancellation in the single list must necessarily take place through a written request made with specific forms signed and accompanied by a valid identity document of the applicant. The checks carried out by the Company on the Consumer commercial systems had not highlighted requests for the inclusion and/or confidentiality of the aforementioned line in the DBU. However, following specific indication of the terms of the request by the whistleblower, Tim admitted that he had actually sent the request by certified e-mail, a request that was "correctly received, but unfortunately it was erroneously assigned to a structure not competent", so that "the request in question was neither processed nor matched".

r) regarding the file 174664, Tim represented that, in relation to the circumstance that the telephone number of the interested party had returned to Tim's management, an anomaly would have arisen (later resolved) for which the appointed system would not have taken into account the request for confidentiality of the data in list. This anomaly could have affected the operations of the employee who correctly entered the system on 20.8.2021 the will expressed by the customer not to be published in the list. On 9.11.21, the interested party asked TIM for the publication, according to him never requested, of the personal data in the list. On the basis of this anomaly, the interested party highlighted that his number was the subject of publication in the telephone directories. As represented by the Company, on 11.26.2021, "the Customer Service provided unfortunately inadequate feedback and the request was correctly and promptly handled on 12.7.2021." Tim assured that the data of the interested party would no longer be present in the paper lists (on the occasion of the first useful edition of the year 2022). Tim, in the concrete case, therefore admitted that, even if due to a technical anomaly (not better identified and clarified), the confidentiality of the interested party was not guaranteed.

s) regarding the file 172121, Tim stated that, at the time of requesting activation of the line, from the data recorded in the commercial system of consumer customers, the non-publication of telephone line data in directories would not have been requested. On 29.09.2021, the whistleblower contacted Tim's Customer Service by telephone, requesting information on the matter. Furthermore, on the same date, the interested party submitted a request for confidentiality listed both through the company website and by sending a certified e-mail message. Therefore, again on 9.29.2021, the Customer Care arranged to make the aforementioned line "Reserved" on the commercial system of consumer customers, a variation purchased from the DBU in the third decade of September 2021. In this regard, Tim provided feedback to the whistleblower, with communication of 10.22.2021, sent by e-mail. By virtue of what has been represented, Tim highlighted that it had recorded the "total confidentiality listed" on its systems from the first request received from the reporting person (on 09.29.2021).

In the concrete case, it was considered during the dispute that there was a hypothesis of undesired publication of the data in the telephone directories attributable to Tim, since it occurred in the absence of an express consent of the interested parties, and in particular, therefore that the conditions for the violation of articles 6 and 7 of the Regulation as well as 129, paragraph 2, of the Code.

t) Regarding the file 159767, Tim pointed out that since the activation of the telephone line, which took place on 1 August 2017, the whistleblower would not have formulated any request for confidentiality of the same, thus published in the DBU in the first ten days of August 2017 and, consequently, in the telephone directories. On 24.3.2020, the telephone line was subject to portability to another operator. On 14.1.2021 the interested party sent a pec message to Tim, requesting the cancellation of his personal data published on the website www.paginebianche.it; the Company pointed out that the response provided by the customer service to this request had not been correct, but specified that it could not have followed up on the request of the whistleblower, as the line in question was no longer active on the TIM network.

u) Similarly, with reference to file 172674, following the return of the line to Tim, the interested party did not formulate a request for confidentiality and therefore his number was published in the DBU and in telephone directories. No requests or complaints from the interested party for the change of confidentiality in the telephone directory have been registered in the commercial systems of Tim's customers. On 10.4.2021, the same sent a request to update his data in the DBU to the Company's institutional pec. On 10.15.2021, Customer Care proceeded to change the level of confidentiality for the whistleblower's fixed telephone line to "Reserved on the list": change acquired by the DBU in the second ten days of October 2021.

v) Regarding the file 175715, Tim stated that, at the time of activating the interested party's line, from the data recorded in the TIM systems for the "List" section, non-publication in the list did not appear requested. On 26.08.2021, the whistleblower made this request and, on the same date, therefore, the request was implemented.

w) With reference to file 171194, Tim represented that at the time of the activation request on 07/13/2020 of a telephone line, "confidentiality in telephone directories is not required. Therefore, this telephone line was published in the Single Data Base in the second ten days of July 2020 and consequently in the telephone directories". Subsequently, according to the Company, no complaints (telephone or written) were presented by the interested party relating to the publication in the telephone directories of the said line. Following the report sent to the Guarantor, on 03.07.2022, Customer Care proceeded to make this telephone line confidential. This registration was acquired by the DBU in the first ten days of March 2022. The "Total confidentiality in the directory" would therefore have been implemented by the various publishers of telephone directories and would have resulted in the cancellation of the user in question from them.

x) On the other hand, with regard to files 172846 and 165434, the unwanted publication - according to what Tim reported - depended exclusively on the publisher of the public directories and therefore Tim would have no responsibility.

Therefore, in all the above cases, except for the last two referred to under x), the Office considered that there had been an unwanted publication of the data in the telephone directories attributable to Tim, since it occurred in the absence of an express consent of the interested parties. In particular, therefore, during the dispute, the existence of conduct in violation of articles was found 6 and 7 of the Regulation as well as 129, paragraph 2, of the Code, also considering that the failure to express a negative will with respect to such treatment can never be equated to a consent, which instead must be expressed and unequivocal, as well as specific and documentable.

1.1.5. Tim's response to the information on the website www.tim.it

With regard to the report referred to in fasc. 175689 with which the interested party complained that he had not been able to view the privacy information during the online purchase phase, on 12.17.2021, Tim represented that this was due to a temporary anomaly which, unfortunately, did not make it accessible during the purchase phase, this information on the processing of consumer customer data. This anomaly - Tim said - has been resolved, restoring the possibility of viewing it by customers before concluding the purchase process and providing consent for purposes other than the execution of the contract. In the absence of records: indications on the period in which the anomaly in question continued; elements clarifying the said anomaly; quantitative elements relating to the interested parties involved, Tim was invited - with the aforementioned act of initiation of the procedure of 4.5.2022 - to provide documented elements in this regard. As far as the documents are concerned, the alleged violation of art. 13 of the Regulation.

1.1.6. Tim's response to the data breach.

With reference to the report referred to in file 174492, relating to the receipt from 12.30.2012 of e-mails to the same address of communications referring to another customer, Tim first of all pointed out that there were no reports or complaints relating to the case in question. From the checks carried out on the commercial systems, in relation to the e-mail address of the reporting party, it emerged that the same was associated with the tax code of the other customer, but without however being able to trace the reason for this association; which, regarding the type of communications sent to the reporting person's address, were mainly sent: invoice issuing notice e-mail (without the attachment of the invoice itself), an e-mail activating the Mobile Option offer and two reminder emails for the payment of an overdue invoice containing the following personal data: name, surname, tax code and telephone number.

Since the confidentiality of customer data with reference to the specific episode reported above was not ensured "on a permanent basis", the violation of art. 32, par. 1, lit. b), of the Regulation.

1.2. Investigations carried out on specific cases and related outcomes.

Some cases, characterized by numerous repeated reports (file no. 147099; file no. 169442; 166823-165813), have been the subject of specific investigations.

A) Regarding the file 147099, the whistleblower, in particular, since 2020, has complained of receiving promotional phone calls and emails and the alleged communication of his data to the call center for this marketing purpose, as well as the difficulty encountered in closing his MY Tim account and the "Alice" mailbox (in particular, most recently, with the communications of 26 July and 2 August 2021), also requesting the elimination of all related data.

B) With reference to file 169442, the whistleblower. with multiple communications, starting from 08/03/2021, complained about Tim's failure to produce the contractual variation (of which the interested party had disregarded the stipulation and the relative conditions), as well as, as far as the interest of the Authorities, of the documentation relating to informed consent for the processing of personal data and of the telephone records relating to the line in your name.

C) A consumers' association (fasc.li 166823-165813), with two separate reports (17/5/21 and 7/6/21), also addressed to the Public Prosecutor's Office, complained of receiving unwanted promotional phone calls and aggressive (particularly one with operator; the other with pre-recorded mode).

A) Tim highlighted that the My TIM and TIM Mail accounts work with separate processes; that the former could be deleted from the "Profile" section; otherwise, Alice Mail is the e-mail service from which you can withdraw by connecting to the link https://gestione.servizi.tim.it/closeaccnt/entrance.do. The Company also highlighted that, in order to close the account, a positive action was required by the customer through a specific link provided by Tim to the reporting person in the reply dated 04.23.2021. The link (https://gestione.servizi.tim.it/closeaccnt/entrance.do) leads directly to the TIM Mail termination page where you are asked to enter the e-mail address to be canceled and the related password. Tim also represented, with the same note, that "In consideration of the repeated and manifested desire to terminate the simonecandela@alice.it account, on a completely exceptional basis, on 08.27.2021, the IT structure of TIM started the account termination process, which ended positively on 08.30.2021.” However, this occurred several months after the numerous requests of the whistleblower, dating back to 24 March 2020, given that - as mentioned - only on 23/4/2021 was the interested party provided with the link to connect to in order to proceed autonomously upon termination of the 'Alice' account; on 6, 13 and 17 May 2021, the whistleblower reiterated his request to cancel the "Alice" account, declaring that the link provided by TIM did not work; only on 19 May 2021, an email was sent to the interested party on said account with the subject "Confirm the TIM Mail termination request", with the consequent need for the interested party to click the link at the bottom of the email, to complete the 'process; on 6, 13 and 17 May 2021, the whistleblower, failing to complete the procedure, sent further reports which were only acknowledged by TIM on 3 June 2021 providing again the instructions for deactivating the account in question (see feedback Tim, 6/8/2021).

Tim also represented that "in the last six months, the email (of the interested party) has not been included in TIM's contact lists, it does not appear that (his) data has been communicated/transferred to TIM's commercial partners and it has not been object of sending promotional-advertising emails from TIM". On this occasion, therefore - without prejudice to the legitimate conservation by Tim of the personal data of former customers (which is the interested party) necessary to fulfill any purposes of contractual disputes or provided for by law - a cancellation procedure emerged, overall , not suitable for facilitating the prompt implementation of the requests of interested parties who encounter technical difficulties in providing for themselves, and therefore not in line with art. 12, par. 2, of the Regulation. Furthermore, a gap in Tim's ability to be aware of the processing of data carried out for promotional purposes on behalf of the Company (pursuant to articles 5, paragraphs 2 and 24, Regulations) seems to be discernible.

B) Regarding the reports sent to the Company, with the replies dated 2/9/2021 and 11/11/2021, Tim communicated that the contract (dating back to 1989) was no longer available in consideration of the considerable amount of time that has passed from the activation of the telephone line in question. In this regard, it provided elements relating to the activation date, the data of the new location following the request for a move of the same which occurred in August 2016 and the current contractual data acquired with the  taking over of the sole proprietorship in the name of the interested party in the original SNC, producing , also, a copy of the privacy consent form, where the refusal to process data on 7/7/2017 emerges for purposes other than contractual ones. It being understood that the processing of data for contractual purposes finds its legal basis in the contract itself, to which the form for the takeover in question can be traced back (Article 6, paragraph 1, letter a), without therefore needing to no consent, however, no copy of the disclosure, at the time or subsequently, issued to said sole proprietorship was found in the deeds, with the possible violation of art. 13 Regulation.

C) With regard to the reports from the consumer association, Tim, in response to the requests to provide information formulated by the Office, pointed out (see reply 5/7/21) that the telephone calls in question were not made by its sales force and that the calling numbers, indicated by the whistleblower, do not belong to those used by her. This finding must be evaluated, also in the light of the numerous cases reported below, for which Tim reports a similar finding, for the purpose of assessing the possible violation of the principle of accountability (articles 5, paragraphs 2 and 24, of the Regulation).

2. DISPUTING THE ALLEGED VIOLATIONS

As reported above in relation to individual cases, with deed dated 05.02.2022 - to which reference is made in full for what is not reproduced in this provision - Tim was notified of the start of the administrative procedure for the possible adoption of corrective measures and sanctions pursuant to art. 166, paragraph 5, of the Code and 12 of the Regulation of the Guarantor n.1/2019, due to the alleged violation of the following articles of the Regulation:

- 5, par. 2;

- 6-7;

- 12, para. 2 and 3;

- 13;

- 14;

- 15, par.1;

- 24;

- art. 32, par.1, lett. b);

as well as the following articles of the Code:

- 124, paragraph 1;

- 129, paragraph 2;

- 130.

3. TIM'S DEFENSIVE ACTIVITY.

3.1 Unsolicited Telemarketing.

With reference to the unwanted calls contested by the Authority, the Company, in its defense brief dated 06.15.2022, first of all represented that 128 reports represent a minimum, if any, percentage of the total number of contacts (equal to approximately 0.0008%) carried out by the Sales Force on behalf of Tim. Furthermore, this minimum number would not be attributable to contacts originating from lists provided or authorized by the Company, nor from lists originating from leads, but "exclusively to the so-called 'undergrowth' that all the control processes shared with the Authority and put in place, can in no way be able to completely eliminate", for the reasons better explained below.

The Company then claimed the groundlessness of the contestation of the violation of articles 5 and 24 of the Regulation, representing that, following the implementation of the provision 15 January 2020 no. 7, put in place "a structured system of accountability and privacy by design through a complex and costly set of organizational and technical security measures."

In particular, in addition to those indicated in the compliance report with the provision dated 15.1.2020, Tim stated that it has implemented:

- capillary monitoring and periodic checks, based on 3 different levels, of its Sales Force, also in order to take the appropriate measures (warnings, penalties, contractual terminations);

- a substantial reduction in telesellers and contracted agencies with a percentage decrease of 46.6% for the consumer channel, following the rationalization of the channels implemented also with a view to reducing the risk of non-compliance with the legislation;

- an automated flow that allows, on the basis of the privacy instructions and the updated operational ones made available to the Sales Force, to implement all the objections to the treatment received and compare them with the denials present in Tim's black-lists;

- an automatic notification mechanism to communicate the refusals expressed to Tim's customer care to all those subjects of the consumer Sales Force who have such numbers on the list;

- an automatic control mechanism of all the information provided by the Sales Force based on the privacy and operating instructions given by Tim and which automatically generates specific consistency reports;
moreover, again as a supplement to the indications received in the aforementioned provision, "as proof of its extreme attention to the phenomenon of unwanted calls", Tim stated that he had:

- approved a new contractual model for all partners in the consumer and business spheres with the aim of strengthening the sanction system in the event of violations attributable to the privacy sphere; model that would be fully adopted by customer care outsourcers and telesales consumers;

- adopted, for all contracted consumer and business agencies (both old and new), an incentive plan which guarantees Tim the right not to recognize compensation on contracts activated and which do not comply with the contactability criteria set out in the privacy instructions;

- implemented the systematic analysis of the telephone logs generated by the telephone bar of the Sales Force; if anomalies are found during the checks, they are weighed with a standardized tool (the so-called "evaluator"), which allows you to graduate the measures to be taken against the Sales Force (from the letter of awareness to the termination of the existing contract in the cases more serious).

The Company then represented that, between 2020 and 2022, it had filed six criminal complaints and that it had filed a civil party in a further criminal proceeding "in relation to facts also detected as a consequence of the implementation of the monitoring and control system"; as well as having reported, on 12.4.2022, to the AGCM, and for information to AgCom, the misconduct identified, also through a specific service made available on the website www.tim.it to allow reporting by users and related to unwanted contacts made by unknown subjects who falsely presented themselves as Tim employees to customers and non-customers, promoting false promotional offers. On this occasion, the Company highlighted that a very high percentage of unwanted contacts (about 78%) were attributable to calls from "non-existent numbers", attributable to the CLI spoofing phenomenon, which make it objectively impossible for operators, due to of the current technological structure of the telecommunications networks, identify all the calling numbers when they come from interconnections from abroad or carried out through manipulated CLIs and, identifying, for a part of the said signals, on the through the numbering arcs established on the own network or other operators, the person to whom the calling number is to be attributed.

Tim also represented that, in July 2022, he would have experimented with "the use of a geolocated tablet via a "Digital App" ... to make compliance with the contracting methods of potential customers more stringent, also in relation to the place where the contract is signed by the customer in the presence of the seller and, at the same time, ensure the completeness and non-modifiability of the documentation acquired with an electronic signature, its archiving and subsequent ease of retrieval, as well as allowing the sending to the end customer of a computerized copy of what he has accepted and signed". The Company also highlighted that it has experimented with the smart contract technology for the certification of all phases of marketing and that it has contributed, through participation in a specific "Technical Committee on the Security of Electronic Communications of AgCom, to the study of other possible solutions (regulatory and technological) useful for contrasting the CLI spoofing phenomenon.

In light of the above, the Company underlined that, in your opinion, the phenomenon of "undergrowth" is not attributable to Tim, but is "a system problem to be addressed by the entire market and not just electronic communications." and to believe - "in the absence of specific regulations, specific guidelines or a specific code of conduct" -  "that it has done everything in its power to ensure compliance with the principle of accountability, since the procedures set in would allow direct and capillary control over one's Sales Force".

Similar elements and assessments, with specific reference to the Sales Force, Tim formulated with a note dated 9.28.2022 (to which full reference is made), in response to a supplementary request for elements and documents formulated by the Authority on 9.9.2022, with which was asked, in particular: 1) if, as of 1 January 2021, telephone contacts made by/on behalf of Tim had been contracted - by its partners or by subjects unrelated to the sales force - outside its contact lists , indicating the total number; 2) if and what checks had been carried out regarding the fulfillment of the information and consent by the subjects indicated in the previous point.

With the aforementioned note, Tim specified that, by its "Sales Force" it always refers to the sales channels divided by consumer and business segments that carry out telemarketing activities on its behalf (as specifically detailed in point 7 of the memorandum), while they are excluded from this definition: i) physical shops; ii) the web channel of the Company's website, through which the interested party can autonomously purchase Tim's products and services; and iii) web comparators, which offer a tariff comparison service in the electronic communications market as independent data controllers.

As reported by the Company, all the contracts that it activates with the outbound telephone in question come exclusively from the Sales Force and the information provided with the aforementioned communication concerns only these contacts.

Secondly, Tim, in the same note, recalled what was represented in the defense brief regarding the phenomenon of the so-called "off-list" (or, as indicated by the Authority in pt. 1 of the request, the "telephone contacts [...] outside the contact lists"). As indicated in pt. 23 of the brief, and in particular in the referenced Annex 1 ("Privacy instructions for commercial partners ...) and Annex 1-bis ("Privacy instructions and legal obligations"), the relationship between Tim and its Sales Force provides that :

i) so-called 'own lists': TIM has the right to provide its own contact lists to the Sales Force formed in compliance with the law. The sources of these lists can be: Tim's CRM systems (which concern active or former customers, see pt. B1 a) of the aforementioned Annex 1; or, lists retrieved from the public telephone directory (DBU - see pt. B1 c), annex 1); lists purchased directly from Tim (see pt. B1 b) of the aforementioned Annex 1); or even the "authorized third-party lists" of the list providers which are, before use, approved in advance and cleared by TIM, always passing through the Company's systems;

ii) so-called "authorized third-party lists": the Sales Force has the right to use lists acquired from third parties (so-called list providers) for the promotion of Tim's products/services but only with the latter's authorization and verification, in compliance with the instructions and controls provided by the same and indicated in terms of personal data protection (see pt. C1-C4 of Annex 1 and Annex 1-bis). Once authorised, these lists (as mentioned in the previous point i.) are considered Tim's "own" contact lists.

iii) c. d. "lead" (i.e. contact details that do not imply the collection of consent for marketing purposes, instead originating from a specific request by the interested party to be contacted by telephone with an operator for a specific need relating to Tim products and/or services): the Sales Force has the right, subject to Tim's authorization, to collect leads in compliance with the instructions and controls provided and indicated by it (see pt. D1-D2, attachment 1 and attachment 1-bis).

In the same note dated 9/28/22, the Company also underlined that all the aforementioned lists (i; ii; iii) are considered Tim's "own lists" "due to the instructions and controls already extensively discussed in the Memorandum" and, therefore, all of these are to be understood as "contact lists". Furthermore, the Company points out that, based on the above, "There is therefore an express prohibition for the Sales Force to carry out "off-list" activities other than those referred to in points I. and I. above (see pt. E of Attachment 1 and Attachment 1-bis) (i.e. 'unjustified off-listers').", adding that "for the period January 2021 - June 2022, the total figure for unjustified off-listers that the Company found and sanctioned on the basis of its documented monitoring and control system (developed online and in some respects even going beyond what the Authority imposed within the most ancient Provision 7.2020) is equal to: I) for the consumer channel: a) Consumer telesales: 0% out of 207,611 contracts (this value is indicative of active partners as of November 2021; b) Consumer agencies: 0.10% out of 158,166 contracts in 2021 and 0% out of 84,301 contracts up to June 2022; II) for the business channel: 0.29% out of 399,372 contracts as of November 2021.".

3.2. Exercise of rights pursuant to articles 15-22 of the Regulation.

Tim then represented that it had updated its privacy system relating to the exercise of rights by data subjects, in order to ensure management of the very numerous requests in a proactive and compliant manner, highlighting some statistical data (96.9% of requests processed in 30 days; 1.8%, in the following two months). Recalling the measures already adopted in implementation of provision 15 January 2020, the Company also highlighted the effectiveness of the guidelines for the management of requests both received in the boxes of the DPO and through multiple other channels set up for this purpose, including multiple use cases of standard responses constantly updated and based on interactions with stakeholders.

He also highlighted: a) that it has implemented a centralized control system for the management of requests received by customer care via various channels (e-mail, web, digital, physical, etc.) with the aim of allowing the correct identification, analysis and management of requests to exercise rights within the terms of the law; b) that it has invested considerable resources in the training of personnel responsible for managing requests for the exercise of rights, developing a team dedicated to the management of traffic data requests.

Tim also underlined that, on average, each employee handling requests to exercise rights deals with about 280 requests per month. With the brief dated 15.6.2022, to be understood as fully referenced and reproduced here, the Company contested the violations identified in the individual cases (articles 12, paragraph 3 and 15, of the Regulation, as well as 124 of the Code), also representing the following .

- File 169170: Tim pointed out that "following the complaint received on 16 December 2020 and 4 January 2021, in which the complainant requested a copy of the recordings of the telephone calls made on 15 and 16 December 2020, TIM promptly replied on January 13, 2021, informing you that there is no recording of phone calls when customers contact customer care for contractual.commercial information.”

- File 166767-formerly 165318: in relation to the reporter's request dated 04.02.2021, Tim declared that he had replied acknowledging the delayed response due to the complexity of the request, since it was a request concerning access, limitation, portability of the data, and the opposition to the treatment towards Tim and all the recipients of the data, as well as proof of the communication of the opposition to the same. Subsequently, a definitive reply was sent on 1.07.2021.

- File 163087: "in the face of an evidently complex request (of 01.26.2021), since it concerns the exercise of the right of access, cancellation and opposition", Tim provided "an initial response, albeit not entirely conclusive." (26.2.2021) in which it was represented that, "given the particular complexity of these operations", TIM, in order to conclude the procedures and investigations necessary for the fulfillment of the request, took advantage of the extension pursuant to art. 12, par. 3, Regulation (for a total period of 90 days, being the final reply dated 25 April 2021).

- File 174664: Tim represented that to the complaint of 11.9.2021 concerning the request for cancellation of the interested party's data from the public telephone directories, "provided a prompt reply on 11.26.2021", representing how the interested party was already excluded from the directories . On the same day, the interested party presented a further complaint to the Authority, since the number was still published in the list. Consequently, and following further technical investigations, TIM verified that, although in the offer conclusion phase the Company had correctly understood the customer's wishes (in this regard, attaching the relative screenshot), due to a technical anomaly (promptly resolved ), the same was not correctly registered in the other systems used for the management of public directories. After further discussions, TIM provided a final reply on 12.23.2021 to the interested party.

- File 160287: Tim represented that, in his opinion, the three requests via pec that had not been processed should be considered placed in a time period prior to the deadline assigned for complete compliance with the provisions contained in provision no. 7.2020 and that, since the identity document was not attached, the identity of the applicant could not be said to be certain.

-fasc. 172687: Tim reiterated the validity of the requests formulated in the first place by the interested party, "tracing the delay to a mere human error", pleading the groundlessness instead of the violation pursuant to art. 124 of the Code, since, in his opinion, the resolution of the aforementioned problems in agreement with the interested party, would have determined "the loss of interest in consulting the traffic of the period in question." (“In fact, the original request concerned access to traffic data for the purpose of disputing an invoice which reported an increase in costs that occurred due to a misalignment of the systems in the transition from one offer to another). At the end of the discussions with the interested party, Tim, having recognized this problem, proceeded to compensate the amount erroneously charged in the subsequent invoices, thus losing the interest in obtaining the traffic data.".

- File 174463: as reported by Tim, the interested party had exercised the request to exercise the rights also pursuant to article 124 of the Code, on 5.6.2021; the Company had provided an initial response to the aforementioned request on 06/08/2021; subsequently, further reminders were presented by the interested party to which Tim provided a belated response, but justified by the complexity of the request presented.

- File 161814: confirming the late nature of the response, Tim highlighted that it would be a practically isolated case, probably attributable to human error in a multifaceted and complex organization, acknowledging that, contrary to the provisions of its internal procedures, it was not able capable of providing timely responses to the requests of the interested party, bearing in mind however the considerable workload on average assigned to each employee in charge of managing requests concerning the rights pursuant to articles 15-22 of the Regulation.

- File 173533: in this regard, the Company pointed out that the first report (2016) took place well before the compliance imposed by the aforementioned provision no. 7.2020; it was "a practically isolated case, probably attributable to a human error which, in an organization as articulated and complex as that of TIM, is not to be considered as evidence of the company conduct normally prescribed for the management of requests". Instead, as regards the reports received after 2016, Tim confirmed instead that he had not provided adequate feedback.

- File 175169: with regard to the notification of the interested party received on 06/07/2021, relating to the documentation relating to the contract of which the interested party was formally the holder, as well as to the traffic data generated by the two SIMs of the contract, the Company reported that it had provided three different responses, also due to the complexity of the request as regards traffic data, of which, the first two within 30 days, and one, having provided reasons for the delay, within 90 days. A further reply would have been sent to the interested party on 22 February 2022, providing him - in addition to the documentation already sent - the additional documents requested.

3.3. Publication of data in telephone directories.

With the brief dated 15.6.2022, to which full reference is made, Tim provided partly supplementary elements with respect to what emerged during the preliminary investigation, representing, with reference to the individual disputed cases, the following and affirming the non-existence of the violation of the articles 6 and 7 of the Regulation and 129, paragraph 2, of the Code.

- File 165665: Tim added that, in his opinion - on the basis of provision 15 July 2004 doc. web [1032381], par. 6 - "the obligation of technical conformity for the purposes of immediate updating of the lists both for operators and for the manager of the general directory (DBU). Consequently, since TIM correctly implemented the whistleblower's revocation on its systems, it cannot be held attributable to a failure to update since this would appear to depend on a technical problem relating to the misalignment of the general directory manager's systems";

- File 165144 -165619-165752-165585: Tim pointed out that he had received a first request, dated 22.2.2018 and a second one, dated 4.23.2020; that both requests, however, due to technical anomalies (not dependent on the manager of the general list) and/or partial processing by the customer care employee, did not appear to have been handled correctly. In any case, subject to a further report dated 10.5.2021, the request was implemented in the DBU on 12.5.2021. In the Company's opinion, the matter should be viewed as "a certainly isolated case and probably attributable to an error which, in an organization as articulated and complex as that of TIM, is not to be considered as evidence of corporate conduct prescribed for the management of requests for publication in directories.";

- File 164121: the Company, in reiterating what was already highlighted during the preliminary investigation, represented that "on the three pecs with which the interested party exercised the rights of access, rectification, cancellation, limitation and opposition, dated 05.14.21, TIM provided reply to this request to exercise the rights, confirming on the one hand the revocation of the consent and representing, due to the complexity of the request, that the definitive reply regarding the exercise of the rights would be received within a further two months, as actually happened on 13.07.21.". He also added that "on the basis of the very high average commitment of those involved in managing requests to exercise rights, the high number of requests provided for by art. 12, par. 3, Regulations.”

- File 162474: Tim would never have published any information about the whistleblower; the publication would be exclusively attributable to the manager of the public directories "due to a data enrichment mechanism exclusively under the control of the publisher".

- File 174664: the Company represented that it had correctly understood, during the activation of the contract, the willingness of the whistleblower to consider his/her telephone number confidential. However, "following an internal technical anomaly", this will would not have been correctly implemented within the DBU. Therefore ("in any case within the terms of the law for the response regarding the exercise of rights"), said problem was resolved and, finally, the will of the interested party was implemented. Again, according to Tim, it would have been an isolated case.

- Files 172121, 172674, 175715 and 171194: Tim claimed to have united these 4 cases, by virtue of their common characteristics. In fact, as would be proven by the related reports already in the documents, said interested parties, even when addressing the Guarantor, would have failed to attach the form (which is part of the Company's contractual set) "by means of which they could express their consent or not to publication in the lists. Tim has instead, as demonstrated in the aforementioned reports, demonstrated that said interested parties had given such consent"; moreover, in his opinion, he would have “always provided an adequate and timely response, modifying the preference of users so that they were no longer published in the list. “;

- File 159767: the case would be similar to those indicated above, but would differ, since the utilities subject to the report were then transferred to another operator. With specific reference to fixed users (subject to report) activated on 1.8.2017 and ceased on 24.3.2020, Tim argued that said consent was given, which would then be managed by the Company in line with the provision of the Guarantor "Processing of subscriber data in the case of number portability - 1 April 2010 [1711492]” and that the first complaint took place on a date (14.1.2021) in which the users of the interested party had already belonged to another operator for some time.

3.4. The information on the website www.Tim.it.

Tim, in the brief dated 15.6.2022, highlighted that the anomaly that prevented access to the web page containing the Company's information "was so exceptional and temporary that it did not generate a system warning, as it should happen in the event of application malfunctions. As proof of this we provide …. by means of the Google analytics service, proof of continuous access to the pages of the GruppoTim.it domain which also include the web page containing the information being reported for the days of 17, 18 and 19 December 2021 (Annex 15). In particular, as highlighted in yellow in the aforementioned attachment, with reference to the URL subject of the report, for the day of 17 December 2021 at 15.00 - 16.00, it is clear that in this time slot multiple people have accessed this web page .”.

3.5. The data breach.

In relation to file 174492, with regard to the undue communication of personal data of a Tim customer, with the aforementioned brief dated 15.6.2021, the Company added that the problem of erroneous association of the e-mail with the tax code had been resolved correctly informing the whistleblower; that, considering the considerable period of time (10 years) without the whistleblower or others reporting the problem, "it is currently impossible to reconstruct the events and trace the technical anomalies that caused such an accident. However, it is worth noting that the perimeter of the risk perpetrated against the data subject (...) is very limited since it does not concern particular data and since the number of personal data involved is small.".

3.6. Investigations carried out on specific cases.

Tim, with the aforementioned defense brief - to which full reference is always made - provided further explanations with respect to the cases subject to specific investigation (cases 147099; 169442; 166823 and 165813), also due to the reiterated nature of the reports. In particular:

- with regard to the file 147099, the Company represented that it had provided all useful and necessary information in order to facilitate the interested party to carry out the cancellation, regulated by an automatic procedure "which, however, requires a positive action by the interested party to confirm their willingness to delete the account”; adding that "according to a legal presumption proper to the Civil Code on obligations, it must be considered that the average man possesses the average experience requirements suitable for interpreting this cancellation process including the need to click on a specific link to express one's will to cancel. If this does not happen, however, any possible delay in following up the procedure certainly cannot be attributed to the data controller (who in fact has set up a quick and easy procedure), but rather to the interested party who - concretely - failed to apply the steps of the procedure.”;

- with reference to file 169442, Tim pointed out that, following further investigations, the information (initially indicated as missing) was instead "actually included in the takeover form and that therefore, it was viewed at the same time as the form was completed by part of the interested party” (see annex 8 to the brief);

- with regard to files 166823 and 165813, Tim recalled the defense set out above with general regard to unsolicited promotional calls that it does not recognize and to the compliance of its actions with the principle of accountability.

In light of all of the above, the Company has requested the filing of the proceeding initiated or, alternatively, the application of a sanction in its minimum statutory value, also requesting to be able to hold the hearing envisaged by art. 166, paragraph 6, of the Code, "to better illustrate one's position within such an articulated and complex case".

3.7. Tim's audition.

During the hearing, held on 18.7.2022, Tim, in reiterating the reflections and data contained in the defense brief, highlighted the high number of notices and contractual terminations, with reference to the violations of the various privacy obligations, not with regard to the issue of off-lists ("which as a rule no longer exist"), but to the implementation of control of the telephone bar (and log files) used by partner call centres, such as to prevent any exceptional off-list contacts and, where there were , knowing how to recognize them, specifying however that "the contract is in any case taken to respect the wishes of the users concerned". He added that “a quality check policy was also activated for 9 months to verify the effective contractual intention of the user, even if contacted in an unwanted way. Furthermore, if the contract is not activated and made operational, the Agcom legislation provides for an indemnity of around 7.5 euros for each day of delay in activating the service; then we suspended it because the people contacted for the aforementioned purpose only declared themselves disturbed by this service.” Tim also referred to how the document “ECC, doc. no. 338 of June 7, 2022 on CLI spoofing", highlights "that the technology currently in use is not suitable for avoiding the phenomenon of spoofing. “

4. LEGAL ASSESSMENTS.

4.1. General considerations

With reference to the factual profiles highlighted above, also on the basis of the Company's statements, for which the declarant is liable pursuant to art. 168 of the Code, the following assessments are made in relation to aspects concerning the regulations on the protection of personal data.

In the first place, we cannot agree with the attempt to consider the overall number of reports brought to Tim's attention by the Authority as insignificant in percentage terms. In several circumstances, the Guarantor, with particular reference to cases of unwanted telephone calls, has had the opportunity to specify, however, that "the mere non-traceability of the calling numbers to the list of those in use by the company and its commercial partners, more repeated several times by (Tim) as an element of response to the requests sent by the Guarantor, it is, in fact, critical due to that proactive perspective that defines the principle of accountability of the data controller and which permeates the entire new regulatory framework of data protection". Precisely the relevance of the phenomenon and the circumstance that the telephone contacts were made in the name of Tim as well as the primary role that it plays as an operator in the telecommunications market and the considerable organizational and managerial possibilities that characterize it, would have required activities more in line with the necessary and essential work of constant vigilance and monitoring of the phenomena that emerged following the complaints received directly to the company in the field of telemarketing (see for similar arguments, ord. ing. 16 December 2022. web doc. n. 973567] ).
Dutifully stated, the efforts undertaken by

Tim to obtain better control over the supply chain and, more generally, over the processing of users' personal data. However, from the analysis carried out, there is still ample room for improvement, in particular in relation to the need to direct effective actions to contrast the activities of abusive procurers of contractual offers, which, as will be seen in relation to the individual points, are the basis of the violations found.

4.2. Unsolicited telemarketing.

With regard to the objections raised regarding unsolicited telemarketing, it is necessarily necessary to preliminarily reiterate what the Authority has repeatedly stated regarding telephone calls not coming from the company's official sales force or for which it is not possible to identify the calling number for the adoption of camouflage techniques such as spoofing.

The results of recent years of investigations into the phenomenon have in fact highlighted that the activities of the so-called "undergrowth", of operators who illicitly reach people by telephone who have not provided suitable consent, or even expressly opposed this form of contact, base their survival on the reabsorption of successful activities within the official chain of companies who end up approving the contract and recognizing the related sales rights, which, in this way - through various flows between intermediaries - continue to feed the illicit market.

In the light of these considerations, statements such as those released by Tim on the fact that the phenomenon of the "undergrowth" would not be an issue that it could solve, "but is a system problem to be faced by the entire market and not just electronic communications .”. The solution to this problem, on the other hand, must necessarily pass through the initiatives of each operator, who, due to the principles of accountability and privacy by design, must implement all initiatives aimed at avoiding the perpetration of illicit processing of personal data.

In this sense it is now clear that the controls and interdiction activities must be implemented with regard to the contracts proposed by the sales network, verifying by every possible means that they originate from a regular contact and in line with the provisions of the sector regulations .
In other words, as long as it is technically possible to insert contractual proposals and activate services in the systems of the client companies by insinuating themselves into the official sales chain and introducing into the information assets of the same companies illicitly collected personal data from which unauthorized contacts originated, the so-called The telemarketing "undergrowth" will always have a chance to finalize its activities and realize its undue economic gains.

Tim, in his defence, instead provided elements mostly linked to the dimension of the contractual legitimacy between himself and his partners, without however producing the necessary evidence of suitable and decisive concrete initiatives towards abusive subjects (additional to the complaints and reports to various Authorities, from the various work tables and technical trials, all measures and initiatives, however, clearly worthy of appreciation), assumed as owner and final manager of the treatment, in the face of the spread of such an invasive phenomenon.

In particular, it did not prove that it had carried out adequate checks on the contracts that may have been activated by subjects who unduly use Tim's name. Tim's history, structure and organizational size would have enabled this company, leader in the Italian telephone market and always a protagonist of the economic-productive life of the country, "to prepare with due diligence cutting-edge organizational measures in the protection of interested parties, as well as appropriate and effective control tools on the entire supply chain (even the one outside the sales force) involved in the processing of personal data." (see Eng. order 16 December 2021, cit.).

This, even more so, in consideration, on the one hand, of the amount of personal data which the company holds; on the other hand, the high number of reports received directly and the repeated requests for information sent by the Guarantor.

To certify an inadequate control on this aspect, it should be noted that Tim - although requested on 9.9.2022 by the Authority to provide information on the contracts activated through the network outside the sales force - in the aforementioned response of 9.28.2022 , and likewise in other phases of the present proceeding (defensive brief; hearing), did not provide any elements in this regard, limiting itself to describing the management of the telephone outbound only carried out by the Sales Force and the sporadic detection of 'off the list' with respect to this network official.

The importance of verifying the legitimacy of the original contact was moreover well known to Tim who, in fact, reported that he had put in place, in relation to the unlisted persons from his own sales force, a punctual verification activity at the customer's premises in order to the legitimacy of the origin of the personal data at the basis of the contractual proposal, but to have experimented it for a limited period of time, to then abandon it, allegedly in the face of the annoyed reaction of some interested parties.

With regard to the significant number of "off-list" phone calls made by Tim's official network, as represented by the same in its defense brief (a total of 1,715 in the period January 2021 - June 2022), it should also be remembered that with the provision of 5 January 2020 the Company had been ordered to "implement a technical and organizational procedure, in the campaign management system, which would allow Tim to know and govern correctly, as well as adequately document the phenomenon of calls addressed to so-called "off the list", as well as to ensure that these users are contacted for promotional purposes only if a suitable consent is available or on the basis of another detailed and documentable legal basis pursuant to articles 6 and 7 of the Regulation" (prescription referred to in letter e) of the provision of the provision January 15, 2020).

Far from setting up effective control systems on the origin of the contract, Tim declared that he would in any case collect the contracts (see hearing mentioned above) and, moreover, in the overall preliminary investigation phase, he initially represented that he was not required to provide further elements in order to telephone calls from the unofficial network, precisely because such telephone calls would go beyond his sphere of competence and responsibility, then he declared that he had carried out a control work which led to a significant number of contractual terminations in his own sales network, without clarify the causes of these terminations and, above all, without highlighting the impact this choice has had on any contractual proposals formed as a result of illicit contacts. These elements, combined with the observation that most of the reports received by both the Authority and Tim itself of illicit promotional contacts come from numbers not belonging to the Company's sales network, demonstrate a significant underestimation of the phenomenon and the related responsibilities also incumbent on the client companies.

In this regard, the Authority has not failed, on other occasions, to recall, precisely in a preventive logic and respect for privacy by design, the possibility of resorting to corporate and organizational choices aimed, for example, at inhibiting the activation contractual offers or services when they are certainly not attributable to activities carried out in compliance with the rules and rights of the interested parties from the moment of the first contact and the origin of the data (see the aforementioned provisions of 12 November 2020 and 25 March 2021).

A contract acquired in violation of the regulations on the protection of personal data should not find entry into the systems of the companies, since the same would result from an illegal fact and in clear violation of the art. 2-decies of the Code, according to which "Personal data processed in violation of the relevant regulations on the processing of personal data cannot be used...".

We are aware of the apparent conflicting need to meet the negotiating will of the interested party in any case, but if anything, this objective can be achieved after an amnesty procedure that necessarily verifies that same will, once it has been proposed, even after the contractor l illegality of the original contact.

And it is only by implementing punitive measures, following the outcome of the aforementioned verification procedure, and by avoiding the payment of commissions to those who have presented the company with a contract affected by these defects that the illicit food coming from the "undergrowth" can be stemmed.

The Company, acquiring in its systems the personal data of the subjects who, after being contacted, have accepted the offers proposed, should adopt measures of particular guarantee in order to prove that these contracts originate from contacts made in full compliance with the provisions on protection of personal data, in particular those referred to in articles 5, 6 and 7 of the Regulation relating to consent. The interventions of the Guarantor mentioned above and the parallel activity of the national legislator in the matter of unwanted calls (most recently, with the strengthening of the protections provided by the Public Opposition Register) acknowledge the level reached by the users' intolerance which requires them to demand an increase guarantee measures by those who benefit from these economic activities, taking into account that, at the state of the art, further and more advanced solutions of a technical and organizational nature are already available. The numerous preliminary activities conducted over the years by the Guarantor in the field of telemarketing as well as the parallel discussions carried out with the various data controllers, have allowed us to conclude, based on experience data, that the implementation of procedures governing telemarketing and of teleselling alone cannot constitute a valid barrier to the widespread practices of undue contacts if it is not accompanied by equally rigorous procedures for controlling contracts and activations.

From the foregoing, therefore, while acknowledging the important measures implemented by Tim, an unsatisfactory picture still emerges in terms of compliance with the principles of accountability, confirming the violation of articles 5, par. 2 and 24 of the Regulation, such that it can also be considered the basis of the individual violations which are summarized below:

the. first of all, the cases referred to in files 164015 (formerly 154626) are highlighted; 168248 and 163526, which can be combined in the underlying factual and legal dynamics.

For the first of these, the contact, according to Tim, was made on the basis of a documented consent given directly to the Company, but also on the basis of the communication of the same data for marketing purposes by XX. However, the information does not include some essential elements pursuant to art. 13 of the Regulation, such as data retention times or the criteria for calculating them and the possibility of appealing to the Guarantor; the unsuitability of the information also affects the consents acquired by XX, which therefore must be considered invalid (see Ing. ordinance 10 February 2022, web doc. n. 9756869).

In the case in question, based on the documentation provided by the Company, it is believed that neither the owner nor the list provider has provided elements capable of proving the integrity of the database in which the results of the registration of the interested parties were collected and the adequacy of the production and conservation measures of the system logs, and that they have not indicated the conservation methods suitable to guarantee the unmodifiability of the collected data. From this point of view, the mere proposition of a string of text, allegedly certifying the expression of a consent, lacking the elements indicated above, cannot be considered adequate to fully document the methods of its acquisition as well as its genuineness and integrity, nor, more in general, the process of acquiring data from data subjects. To this end, the display of Excel tables - allegedly relating to the registration data - copied on the texts provided in response to the requests of the Guarantor certainly cannot be considered suitable.

As is known, the art. 7, par. 1 of the Regulation, clearly establishes the obligation of the data controller to demonstrate the consent of the interested party. The documentation of the online consent must be provided with technical methods such as to guarantee the unchangeable registration of the authentic will of the user. In this sense, with regard to the legitimacy of the consents allegedly expressed by the interested parties, it is noted that the documentation produced by the list providers is not suitable for demonstrating the real and genuine expression of consent to the receipt of promotional messages and their transfer to third parties. For the purpose of demonstrating the consent given by the interested party, it would be useful to produce not only the IP address and the Timestamp, but, to certify the unequivocal will of the interested parties, it would also be advisable to produce the related log files. Moreover, the Authority has repeatedly deemed it necessary, as a minimum and sustainable measure, in the state of the art, for the owner to adopt further measures, such as sending a confirmation message to the address indicated during registration - the so-called double opt-in (see provision 26 October 2017, web doc. n. 7320903 and provision 25 November 2021, web doc. n. 9737185).

Moreover, more precisely, with regard to the documentation relating to the consent acquired by the interested parties, it may be useful, as an example of a way to prove the consent of the interested parties, as provided for in art. 3, paragraph 1, letter c) of the d.P.C.M. November 13, 2014 containing "Technical rules on the formation, transmission, copying, duplication, reproduction and time stamping of IT documents as well as the formation and conservation of IT documents of public administrations pursuant to articles 20, 22, 23-bis, 23- ter, 40, paragraph 1, 41, and 71, paragraph 1, of the Digital Administration Code (legislative decree no. 82.2005"), according to which the "computerized recording of information resulting from IT transactions or processes is an electronic document or from the telematic presentation of data through forms or forms made available to the user”. As regards the non-modifiability of the document thus formed, an essential element for fully attesting the expression of the data subject's consent, it should be remembered that, pursuant to paragraph 6 of the same article, "the characteristics of non-modifiability and integrity are determined by the operation of recording the outcome of the same operation and the application of measures for the protection of the integrity of the databases and for the production and storage of system logs, or with the production of a static data extraction and the transfer of the itself in the conservation system”

Therefore, as a consequence, the communication of data by the list provider to Tim is illegal and it follows that subsequent processing for promotional purposes carried out by the Company is to be considered equally illegal. Furthermore, Tim has not demonstrated the release to the interested party of its own information pursuant to art. 14 of the Regulations, resulting in the deeds only the declaration of the aforementioned list provider of having sent an informative e-mail to the subjects whose data have been transferred, but of not being able to produce it (like the related report), because, having passed 23 months from the sending of the email, the latter would no longer be "available on the sending platform" (Annex 12 in the file).

Similarly, the treatment carried out by Tim, albeit limited, of the data referred to in file 168248 (registration and storage, acknowledging the Company's declaration that it has not used the related telephone number for promotional campaigns) can be considered illegitimate, given that there are no disclosure issued by Tim nor any consent acquired, except those attributable to XX with the same criticalities identified for the previous case.

Also with reference to the file 163526, the consent acquired from the transferor data controller (XX), for communication to third parties ("I consent to the transfer to third parties for the purposes described in the information"), is unsuitable because it is formulated generically and not, as necessary, for the specific third party marketing purposes. This, also considering that in the text of the information provided by the aforementioned owner on the site www.listeprofilate.com, the communication of the data of the interested parties was also foreseen for different purposes ("they may be communicated by the Owner, to the extent that this is necessary to execute contractual obligations and.or to fulfill legal obligations, to independent third party data controllers, such as notaries and chamber of commerce officials in charge of identifying the winners of the prize competition organized on the Site, as well as the third parties indicated in the regulation of the competition prize, to which the data must necessarily be communicated to allow the User to take advantage of any prizes won (e.g. travel agencies, ticket offices, hotels, etc.)". Which evidently does not facilitate the understanding of the exact scope of the consent generally required (for transfer to third parties).Furthermore, the alleged lack of promotional contacts does not affect the illegality of some treatments that are relevant in themselves, such as the recording and storage of data collected in ways that do not comply with the law. It must also be considered that the 'collection', like the 'storage', of personal data - is in itself - regardless of any further processing, such as the sending of communications for promotional purposes, a processing operation relevant for of the legislation on the matter (see art. 4, paragraph 1, letter letter a), of the Regulation, which incorporates the provisions of the previously applicable art. 4 of the Code; in this sense, see, among others: provv. 12 June 2019, doc. web no. 9120218; provision you 27 October 2016, doc. web no. 568777; 20 November 2014, doc. web no. 3657934).

ii. Also with regard to the fasc. 163526, the information fulfillment due by Tim pursuant to art. 14 of the Regulation and the Company limited itself to referring to its own operating practice of issuing "a summary oral information with the possibility of viewing the complete information on the website", without however providing any demonstration or documentation in this regard (in topic, see also provision of 27 May 2021, web doc. n. 9689375).

Moreover, the said disclosure must in any case be provided, even if the promotional contact has not been made, "within a reasonable term of obtaining the personal data, but at the latest within one month, in consideration of the specific circumstances in which the personal data are treated" (see art. 14, par.3, letter a), or - if the sending of communications to the interested party is envisaged - "no later than the first communication".

iii. peaceful then appears the confirmation of the violation of Articles 13 as well as 6-7 of the Regulation, in relation to the case of fasc. 174561 considering that Tim has admitted unwanted telephone contact, without giving evidence of either the consent or the information provided by the interested party.

The need therefore emerges to confirm, in the terms set out above, for the complaints relating to unwanted telemarketing, the violation pursuant to Articles 5, par. 2 and 24, as well as - with limited regard to files 164015 (formerly 154626), 163526; 168248 - of the articles 6, 7 and 14 of the Regulation and 130 of the Code, as well as to adopt a provision for the prohibition of processing for promotional purposes of all data acquired from XX, XX and other list providers, with a similar defect, for which Tim does not have a informed consent, otherwise acquired, and documented in the terms indicated above.

4.3. Exercise of rights.

As a preliminary point, it should be noted that the Authority, having examined the compliance report, prepared by the Company regarding the implementation of the instructions given with the aforementioned provision no. 7.2020, decided to send a request for information on 19.01.2021, taking the opportunity to provide the Company with clarifications also on the measures to be taken to ensure the best compliance with the law. Moreover, with the aforementioned note, in addition to some operational indications on telemarketing, it was recalled that, pursuant to art. 12, paragraph 3, of the Regulation: "The data controller provides the interested party with information relating to the action taken regarding a request pursuant to articles 15 to 22 without unjustified delay and, in any case, at the latest within one month of receipt of the request itself. This deadline may be extended by two months, if necessary, taking into account the complexity and number of requests". For the legislator, therefore, that of 30 days is a maximum term, which should be used exceptionally, where it is not possible to satisfy the request earlier, as the extension of two months must be considered, all the more exceptional.

- File 172687: the delay was clearly admitted by Tim and the settlement of the contractual dispute, which occurred after the claim of the interested party, cannot eliminate the established violations, which therefore must be considered confirmed;

- File 174463: Tim has not denied what was reported during the preliminary investigation, in response to the request for information from the Office, adding the reference to an initial, undocumented response, and admitting late responses to further reminders that would be justified by the complexity of the request presented, without however explaining the alleged complexity;

- Files 161814 and 173533: the Company has expressly admitted the delay, while stating that these are practically isolated cases, probably attributable "to a human error in an organization as articulated and complex as that of TIM"; delays contrary to "the provisions of its internal procedures".

- Files 165144-165619-165752-165585 (in truth, referring to a single grievance originating from a single whistleblower): also in this case, the delay was expressly admitted by the Company;

- File 175169: while acknowledging the composite nature of the request as well as the response finally provided by Tim to the interested party, it must be noted that both the phased management (the request for traffic data processed in two different moments, without an appreciable reason, under the logical-juridical aspect), and the overall management (the last reply provided by the Company is dated 22.2.2022) conflict with the legislation, which provides for a reply without unjustified delay, considering that the request of the interested party dates back to 7.6 .2021;

- Files 163087 and 166767 (formerly 165318): it is believed that the overall reasons given by Tim can be shared and allow the Company to be exempted from the application of the sanction and therefore that the proposed violations can be archived;

- File 162474: it is confirmed that the interested party's request via pec has not been answered;

- File li 160287 and 169170: the Authority considers filing the related disputes, considering, for the first, that the reports of the interested party are placed at the beginning of the adjustment period established for the fulfillment of the provisions contained in provision 7 January 15, 2020; and, for the second, that the Company clarified that it had given the interested party feedback also with regard to the impossibility of providing copies of the recordings of the telephone calls made with the customer service, as these recordings were not made.

Therefore, excluding files 160287, 169170, 163087 and 166767 (formerly 165318) - this Authority must confirm, for the other aforementioned interested parties, the violations of articles 12, par. 2 and 3 and 15, par. 1, of the Regulation, as well as 124, paragraph 1, of the Code (the latter provision, limited to file 172687 and file 174463).

It is also deemed necessary to order Tim to adopt organizational and technical measures aimed at improving the management of such requests.

4.4. Publication in telephone directories.

With regard to files 175715, 172121 and 171194, the overall examination of the documents does not reveal proof of the collection of a specific consent, given by the interested parties, for publication in the lists. In fact Tim - although obliged to demonstrate its obligations also on the basis of the principle of accountability - limited itself to producing a copy of the screen displaying the aforementioned consent in its systems, without attaching a copy of the paper form.form web signed by the interested parties, or other documentation (e.g.: voice recording), with reference to the choice relating to publication in the directory. It is evident that such documentation constitutes the necessary coherent operational prerequisite for what is present in the corporate systems and that any lack of expression of will ("request for confidentiality"), by the interested parties, should be recorded as a refusal (and not as consent) ,  requiring express and prior consent, as well as free, informed and documented consent (see also art. 12, paragraph 2, directive 2002.58.CE,  on the basis of which: "Member States ensure that subscribers have the possibility to decide whether their personal data -and if so- "which should be included in a public directory, provided that such data is relevant for the purposes of the directory declared by its provider. Member States shall ensure that subscribers have the opportunity to verify, rectify or withdraw such data.").

Similar reasoning (relating to the need for the documentation underlying the consent allegedly given for publication in the list) can also be applied to the case referred to in file 159767, with regard to the original publication of the fixed user, with respect to which Tim also admitted that he had not provided a "pertinent" response, not detecting, in function of exempting the violation, the subsequent transfer of the customer to another operator.

From a different point of view - for the cases of files 174664, 165144, 165619, 165752, 165585 and 165665 - it cannot be recognized as a function exempting the technical problems (indicated in Tim's defence), given that the holder was not able to fully trace the various events back to the concrete cause that produced them individually. In fact, the indication provided is generic and unsubstantiated, and does not allow us to be aware of the actual correctness of the processing in place, as well as regarding the measures put in place to protect the data to guarantee their integrity.

Therefore, with regard to the aforementioned events (files 171194; 174664; 165144; 65619; 165752; 165585; 165665; 159767; 172121 and 175715), the violation of articles must therefore be considered confirmed 6 and 7 of the Regulation as well as 129, paragraph 2, of the Code.

On the other hand, with regard to the fasc. 164121, in the light of the clarifications provided by Tim, and in particular of the contractual documentation attached hereto, it is deemed appropriate to file the dispute relating to the lack of consent (for publication in the lists), like that relating to art. 12, par. 3, of the Regulation.

Finally, it is also believed to file the proposed dispute in relation to file 162474, since in the present case there is no request from Tim to publish the data in the public directories.

Having said that, however, it is deemed necessary to order Tim to adopt organizational and technical measures aimed at improving the implementation of the discipline pursuant to art. 129, co.2, of the Code.

4.5. Information for e-commerce on the website www.Tim.it.

Considering what Tim has highlighted in this regard on the access made by the interested party without being able to view the privacy information, it is considered necessary to file the relative dispute, considering that, as clarified by the Company, it was a technical problem of short duration and plausibly explainable by unforeseeable circumstances or force majeure (e.g. excessive congestion of the Internet network) and not by Tim's willful or guilty conduct.

4.6. Data breaches.

Also in the light of the findings in the Office's records, regarding the Company's notification of other data breaches to the Authority, and while acknowledging Tim's observations (limited perimeter of the violation and common nature of the violated data) regarding the one in question in the provision, it is deemed necessary to confirm the proposed violation of art. 32, par.1, lett. b), of the Regulation, considering that not only the whistleblower but also Tim has remained inactive over time, not having verified and detected the problem complained of for a long time.

4.7. Investigations carried out on specific cases and related outcomes.

With regard to the investigations raised on specific cases, the following is highlighted:

- File no. 147099, it is believed that - in the face of the technical problem explained several times by the interested party, without prejudice to the retention of data for any contractual, administrative, accounting or legal purposes - the owner must proceed with the cancellation request (in the case specific, of the account), without delay, especially where the interested party encounters technical difficulties in implementing the procedures provided by the owner, and therefore the violation of art. 12, par. 2, of the Regulation;

- File 169442, considering that the copy of the information produced by the Company does not bear any sign of the means of transmission, nor of the temporal circumstances of the transmission allegedly made to the interested party, the violation of art. 13 of the Regulation;

- files 166823 and 165813, it is deemed necessary to confirm the dispute in the light of what was said in the aforementioned paragraph (4.2.), "Unwanted telemarketing", concerning the violation of the provisions indicated therein, with particular reference to the principle of accountability.

5. OVERALL RESULTS AND CONSEQUENT MEASURES TO BE ADOPTED.

In consideration of the above, overall, the following provisions of the Regulation are violated:

- art. 5, par.2 and 24;

- art. 6;

- art. 7;

- art. 12, par.2 and 3;

- art. 13;

- art. 14;

- 15, par. 1;

- 32, par.1, lett. b);

as well as the following provisions of the Code:

- articles 124, paragraph 1; 129, paragraph 2; 130.

Based on the ascertainment of these violations, while acknowledging the detailed measures already adopted by the Company, it is necessary, with respect to Tim spa:

a) pursuant to art. 58, par. 2, lit. d) of the Regulation, to order the adaptation of any treatment carried out for telemarketing and teleselling purposes to methods and measures suitable for foreseeing and proving at any time that the activation of offers and services and the registration of contracts takes place only following contacts promotions carried out by the Company's sales network through telephone numbers surveyed and registered in the ROC - Register of Communication Operators and without prejudice to the necessary verification of the contact lists and, for each contractual proposal, of the certain traceability of each activity, from the first contact to uploading information into the telephone company's system, to figures operating within the official sales network, duly surveyed and responsible for the telephone company itself;

b) pursuant to art. 58, par. 2, lit. f), of the Regulation, prohibit the processing for promotional purposes of all data acquired by XX and XX, for which Tim does not have informed and documentable consent in the terms indicated above, as well as, possibly, by other list suppliers, with analogous vice;

c) pursuant to art. 58, par. 2, lit. d), enjoin the adoption of organizational and technical measures aimed at improving the management of requests to exercise the rights pursuant to articles 15-22 of the Regulation and 124, paragraph 1, of the Code;

d) pursuant to art. 58, par. 2, lit. d), enjoin the adoption of organizational and technical measures aimed at improving the implementation of the discipline referred to in art. 129, co. 2, of the Code;

e) adopt an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of the law n. 689.1981, for the application of the pecuniary administrative sanctions provided for by art. 83, par. 4 and 5, of the Regulation.

6. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION.

On the basis of the foregoing, considering the violations referred to, the penalties provided for by art. 83, para. 4 and 5, of the Regulation. However, as various provisions of the Regulation and of the Code have been infringed in relation to connected treatments carried out by the Company for marketing purposes, art. 83, par. 3, of the Regulation, according to which, "if, in relation to the same treatment or related treatments, a data controller violates, with willful misconduct or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed amount specified for the most serious violation”, thus absorbing the least serious violations.

Specifically, the aforementioned violations - having as their object, among others, the rights of the interested parties - are to be traced back, pursuant to art. 83, par. 3, of the same Regulation, in the context of the most serious violation envisaged for the non-compliance with the aforementioned conditions of lawfulness, with consequent application of the sole sanction provided for in art. 83, par. 5, of the Regulation.
For the purpose of quantifying the administrative fine, the aforementioned art. 83, par. 5, in setting the statutory maximum in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the previous year where higher, specifies the methods for quantifying the aforementioned fine, which must "in any case [ be] effective, proportionate and dissuasive" (Article 83, paragraph 1, of the Regulation), identifying, for this purpose, a series of elements listed in par. 2 of the art. 83 in question, to be evaluated when quantifying the relative amount.

As aggravating circumstances, in this case, the following must be considered:

1. the significant number of interested parties involved, with particular regard to the users acquired by XX and by XX, for the promotional purposes of Tim (letter a) and, more generally, of the recipients of wild telemarketing;

2. the serious nature of the violation, with particular regard to the processing of lists of users acquired with consent for promotional purposes with unprovable methods, as well as the publication in public lists of the data of the most interested parties, with the consequent dissemination of the same data; as well as the highly pervasive nature of the aforementioned telemarketing activities (letter a);

While recognizing the recidivism of some violations (specifically, with regard to the management of the requests of the interested parties) with respect to those covered by previous provisions (including in particular, most recently, the provision of 15 January 2020, cited .; letter i) , it is deemed not to consider the repetition, due to the reduced payment of the fine provided for by the injunction order, included in the aforementioned provision of 2020 (see art. 8-bis, paragraph 5, law n.689/1981).

As mitigating elements, it is believed that the following should be taken into account:

1. the fact that, overall, there was a significant decrease in the number of reports and complaints received by the Guarantor against Tim compared to what was recorded in the period covered by the investigation that led to the provision of 15 January 2020, as well as the percentage of violations found with respect to the complaints in question (letter a);

2. the measures adopted to limit the problems encountered, with particular reference to the promotional activities of the sales force (letter c);

3. the constant collaboration provided during the investigation conducted (letter f).

The set of elements indicated above must be assessed taking due account of the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1, of the Regulation, and, in this perspective, the significant economic results of the Company, but, at the same time, also the necessary balance between the rights of the interested parties and the freedom to do business, also in order to limit the economic impact of the sanction on the needs organisational, functional and occupational aspects of the Company. Having said that, it is believed that it should apply to Tim S.p.A. the administrative sanction of the payment of a sum of 7,631,175 euros, equal to 1.5% of the statutory maximum (508,745,019 euros), calculated - similarly to the previous provisions adopted in the same matter - with respect to the Company's turnover (12,718. 625.495) and not of the corporate group to which it belongs.

In the case in question, it is believed that the ancillary sanction of publication on the Guarantor's website of this provision should also be applied, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Regulation of the Guarantor n. 1.2019, taking into account the matters subject to the investigation, and in particular the pernicious phenomenon of 'wild' telemarketing, also in relation to the circulation and use for promotional purposes of inadequately informed and approved lists, acquired from third parties, as well as the incomplete management of some requests for the exercise of the fundamental rights of data subjects  (see, among others, provision 22 May 2018, web doc. n. 8995274 and provision 18 April 2019, web doc. n. 9105201), with respect to which this Authority has adopted numerous provisions both of a general nature and aimed at specific data controllers and on which the attention of users is high.

Finally, the conditions set forth in art. 17 of Regulation no. 1.2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation.

ALL THIS CONSIDERING THE GUARANTOR

a) pursuant to art. 57, par. 1, lit. f) of the Regulation, declares the processing carried out by Tim S.p.A. to be unlawful. - with registered office in Via Gaetano Negri, 1, Milan; p. VAT 00488410010 - described in the terms referred to in the justification, and, as corrective measures, against the same Company:

b) pursuant to art. 58, par. 2, lit. d) of the Regulation, to order the adaptation of any treatment carried out for telemarketing and teleselling purposes to methods and measures suitable for foreseeing and proving at any time that the activation of offers and services and the registration of contracts takes place only following contacts promotions carried out by the Company's sales network through telephone numbers surveyed and registered in the ROC - Register of Communication Operators and without prejudice to the necessary verification of the contact lists and, for each contractual proposal, of the certain traceability of each activity, from the first contact to uploading information into the telephone company's system, to figures operating within the official sales network, duly surveyed and responsible for the telephone company itself;

c) pursuant to art. 58, par. 2, lit. f), of the Regulation, prohibits the processing for promotional purposes of all data acquired by XX, XX, for which Tim does not have informed and documentable consent in the terms indicated above, as well as, possibly, by other list suppliers, with analogous vice;

d) pursuant to art. 58, par. 2, lit. d), enjoins the adoption of organizational and technical measures aimed at improving the management of requests to exercise the rights pursuant to articles 15-22 of the Regulation and 124, par. 1, of the Code;

e) pursuant to art. 58, par. 2, lit. d), enjoins the adoption of organizational and technical measures aimed at improving the implementation of the discipline referred to in art. 129, co. 2, of the Code;

f) pursuant to art. 58, par. 1 of the Regulation, invites you to communicate, within 30 days from the date of receipt of this provision, which initiatives have been undertaken in order to implement the provisions of this provision and in any case to provide adequately documented feedback. Please note that failure to respond to the request pursuant to art. 58 is punished with the administrative sanction pursuant to art. 83, par. 5, letter. e), of the Regulation;

ORDER

to Tim spa to pay the sum of 7,631,175 euros, as an administrative fine for the violations indicated in the justification, representing that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute, with the fulfillment of the instructions given and the payment, within the term of thirty days, of an amount equal to half of the fine imposed;

ENJOYS

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 7,631,175, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of the law n. 689.1981;

HAS

as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and of the art. 16 of the Regulation of the Guarantor n. 1.2019, the publication on the Guarantor's website of this provision and, pursuant to art. 17 of the Regulation of the Guarantor n. 1.2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation, of the violations and of the measures adopted.

Please note that, pursuant to art. 170 of the Code, anyone who fails to comply with this provision prohibiting processing is punished with imprisonment from three months to two years and, in the event of non-compliance with the same provision, the sanction referred to in to art. 83, par. 5, letter. e) of the Regulation.

Pursuant to art. 78 of Regulation (EU) 2016.679, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal lodged with the ordinary court of the place where the owner of the processing of personal data has his residence, or, alternatively, with the court of the place of residence of the interested party. , within the term of thirty days from the date of communication of the measure itself, or of six 166189 days if the appellant resides abroad.

Rome, 13 April 2023

PRESIDENT
station

THE SPEAKER
Zest

THE SECRETARY GENERAL
Matthew



SEE PRESS RELEASE OF JUNE 9, 2023



[doc. web no. 9894662]

Provision of April 13, 2023

Register of measures
no. 183 of 13 April 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016.679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Personal Data Protection Code (Legislative Decree June 30, 2003, No. 196), as amended by Legislative Decree August 10, 2018, No. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000;

SPEAKER the lawyer Guido Scorza;

1. REPORTS AND COMPLAINTS RECEIVED BY THE AUTHORITY.

1.1. Preliminary investigation through cumulative requests

1.1.1. Complaints received.

After the adoption of the corrective and sanctioning measure n. 7.2020 against Tim spa (hereinafter: "Tim" or "the Company") and in particular, after the deadline set for the implementation of the corrective measures prescribed therein, are received by the Authority, until January 2022 - according to a trend that remained substantially stable also in the following months (on average, based on a conservative estimate, about 3 reports and/or complaints per working day, for a total of about 15 weekly documents) - numerous complaints and reports relating to critical issues already subject of the aforementioned provision, and in particular:

- pre-recorded telephone calls or with an operator to private users, or registered in the public register of oppositions, or in any case for which consent was denied to Tim for promotional purposes; rarely, even unwanted text messages or emails (fasc. 1750063);

- missed or late response to requests to exercise rights pursuant to art. 15-22 of the Regulation;

- the impossibility of viewing the privacy information during the online purchase, dated 12/17/2021, of a mobile offer on the website www.tim.it. as the link to the aforementioned information led to another page that provided an error message (see file 175689);

- a possible data breach (see report contained in file 174492);

- episodically (see file 173198), alleged telephone contacts aimed at promoting the transfer to Tim following the notification, by the interested party, to the Company of technical faults on the telephone line of a different company.

The complaints regarding unsolicited promotional telephone calls are often repeated (just to give an example: with reference to files 168940 and 168630 there are 6 similar complaints; 5 for file 153087); numerous also relating to files 166767, 164516, 174178, 173169, as well as directed towards multiple users of the interested parties (see files: 171067-160878) and sometimes concern multiple calling numbers, as well as repeated calls (e.g., see .: 97912; 173169).

In some reports, the interested parties have come to hypothesize the phenomenon of 'stalking' and/or to highlight the harassing or aggressive nature of the call center operators (see files 176840 and 166189, in which it was stated that they received "from three to five calls a day ... for a few weeks"), sometimes indicating calls also from non-EU countries (file 166051).

Under various profiles, they also received:

- a report (175689), complaining of the impossibility of viewing the privacy information during the online purchase, dated 12/17/2021, of a mobile offer on the website www.tim.it. as the link to the information led to another page that provided an error message;

- a complaint (176169) - in the context of an alleged story of fraudulent use of personal data (also the subject of a complaint to the Public Prosecutor's Office) for the purchase of some Tim IT products against the unaware interested party - relating to repeated failure, for 9 months, by Tim, with respect to the request for documentation relating to the paper contract signed by the third party who replaced the complainant; to the delivery note as well as to the identity document provided at the time of delivery of the products.
Considering the amount of reports and complaints received and in order to have an overview of the treatments highlighted therein, no. 4 cumulative requests for information (on 18 October 2021, 12 January 2022, 25 January 22 and 12 February 2022), each concerning a certain number of complaints, almost all located in the period between March 2021 and January 2022 (and gathered in file no. 172861), selecting those of a more reiterated nature or in any case containing more useful elements in an investigation key, for a total of 134 deeds.

Tim responded to these requests with various notes, including those of 11.30.2021; of 21.02.2022; of 23.02.2022; of 03.11.2022; of 03.15.2022 and 03.24.2022.

1.1.2. Tim's feedback on unwanted phone calls

With reference to almost all the complaints and reports received (no. 76), Tim has shown that the users of the interested parties have not been contacted "by its commercially active sales force", nor are the calling numbers used for this purpose attributable to it, thus also disregarding the complained telephone calls with promotional content proposed during the technical intervention (see file 173198).

The Company then represented, as a result of this alleged non-involvement, that it believed it was not required to provide further information, adding however that it had verified that various calling numbers, within the scope of the service dedicated to tariff transparency, were non-existent or temporarily unavailable ( e.g.: files: 173935; 173987), or still assigned to call centers outside its commercial network (e.g. files: 171067, 160878, 161620-formerly 155269-; 173259;171453) or pertaining to the United Kingdom (file 174469).

For some reports (files 168344; 167939; 167771; 173502), Tim pointed out that he was unable to provide feedback as the documentation relating to the promotional campaigns was no longer available (kept for a maximum period of 12 months) or not being the reports sufficiently detailed, stating in any case the non-involvement of the calling numbers indicated in the deeds.

With reference, more generally, to the contact lists, Tim highlighted that, before acquiring personal data from external list providers, he verifies the existence and correctness of the texts of the information and privacy consents used by the list provider; subsequently a test is carried out at the latter on a random sample of names included in the database object of the supply, aimed at ascertaining the effectiveness of the obligations by this transferor. If the list is acquired, Tim extracts the lists from the database received containing the numbers and proceeds to filter them, "preliminarily eliminating the numbers of customers and former customers, who appear to have given or denied their consent to the Company for marketing activities; moreover, the numbers of prospects for which opposition to promotional contacts from TIM have already been registered are excluded from the Database (including numbers present in the Black List)."

With specific regard to the fasc. no. 174561, Tim represented that the promotional contact was made through a user account owned by one of its partners (Business Promoter s.r.l.) by an agent of a sub-agency contracted by the latter (Top Solutions s.r.l.), confirming that the called number was not present in their contact lists. In this regard, the Company, despite the precise request of the Authority, has not attached, nor demonstrated the existence of any informed consent for the promotional purpose acquired, directly or from its partners, nor any information provided to the interested party

With regard to the phone calls complained of, the one referred to in file emerges 164015 (formerly 154626), carried out on the basis of a contact list acquired by XX which, as far as in the records, does not appear to have provided the information to the interested party, so, moreover, it was not possible to verify whether the same provided for the communication of your data to Tim; moreover, based on the screen shot of the registration form, the traceability of the consents to the communication of data for marketing purposes is not unequivocal. A similar criticality is found with reference to file 163526 (in relation to which Tim denied having made promotional contacts), so that it is not proven that what was originally acquired was a specific consent for communication to third parties (including Tim) for marketing purposes.

In the file 168248, the Company, while not acknowledging the calls complained of, nevertheless specified that the user of the whistleblower was included in a contact list on 17.1.2021, coming from a list provider (also in this case, XX), with respect to the which elements relating to the acquisition of consent have been provided, but not also to the information issued to the interested party by the said provider, as a necessary prerequisite for the legitimacy of the communication of the data to Tim and the subsequent use for promotional purposes, also affecting the validity of the marketing consent.

The foregoing made it necessary to dispute (for the aforementioned files: 164015 - formerly 154626; 163526; 168248; 174561) the possible violation of articles 6 - 7 of the Regulation as well as 130 of the Code. Furthermore, in all three of the cases just summarized, it does not appear that Tim has released its own disclosure pursuant to art. 14 of the Regulation, thus placing itself in possible violation of this provision as well.

Furthermore, the aforementioned traceability of numbers to Tim's Business and Consumer customer care (e.g. file 173169) and to some companies of the Tim Group (such as Cofitel spa) appeared to be a suitable element, in the context of the dispute, to lead to believe that the related calls were made precisely in Tim's interest (even without a specific mandate). At the same time, it has not been decided to exclude that many telephone calls, with numbers that turned out to be non-existent, had been made on behalf of or in any case in the interest of Tim by disguising the real calling number using the CLI spoofing technique, also considering that, as known, the The displayed caller ID may be forged.

With regard, more generally, to the numerous calls in deeds disregarded by Tim (together with the calling numbers), an underground marketing phenomenon of TIM's products emerged, of which the Company, although most probably a beneficiary, appeared to have inadequate propriety and ability to control, with consequent possible violation of the principle of 'accountability' (Article 5, paragraph 2 and Article 24, Regulation), also taking into account the aforementioned Cons. 74 of the Regulation.

The impossibility of providing feedback due to lack of documentation relating to promotional campaigns, kept for a maximum period of 12 months, also appeared indicative of the Company's lack of accountability.

1.1.3. Tim's findings with respect to the exercise of the rights pursuant to articles 15-22 of the Regulation.

Tim, with the notes of 17.11.2021, of 1 and 24.3.22, also provided feedback on some complaints concerning the incorrect management of the requests to exercise the rights provided for by articles 15-22 of the Regulation; in particular:

a) with regard to that contained in file 167981, the Company claimed that it had not received the first application dated 6/16/2021 and that it had found the second one on 8/8/2021 (received on 8/6/2021);

b) in the case of file 167342, relating to the failure to respond to a request sent to TIM on 06.12.2021 and the reminder sent on 06.21.2021, the Company has demonstrated that it replied to the reporting person on 06.24.2021, providing the information requested regarding the procedure to be follow to exercise the right of access to your personal data and indicating the necessary documentation for the purpose of its identification.

In these two circumstances, therefore, Tim appears to have provided timely feedback.

As for, then:

c) the file 169170, Tim represented that he was unable to produce to the whistleblower a copy of the recordings of the telephone calls made with Customer Service 187 of 15 and 12.16.2020, since he does not make such recordings; however - without prejudice to this company policy - it does not appear that the Company has provided any response to the aforementioned request, even if only to communicate the absence of the requested documentation;

d) similarly, with regard to file 172518, Tim admitted that he had not responded to the two requests (of 20.6.2021 and 14.9.2021) for access to the documentation (copy of the contract and of the registration made when the telephone line was activated) related to the publication .

With reference to these two cases, the Office therefore charged the owner with the violation of articles 12, par. 3, and 15, par. 1, of the Regulation.

With reference:

e) in file 166767 (formerly 165318), relating to the failure to respond to a request for access to data sent on 04.02.2021 via Project Consult Srl, Tim declared that on 04.29.2021 it had proceeded to forward an interlocutory note to the reporting party, respecting, at its notice, thus the maximum term of 30 days established by art. 12, par. 3, of the Regulation, as the request was complex, to then give a response completed on 1.7.2021;

f) in file 163087, concerning a request for confirmation of treatment with possible access, copying and deletion of data, received on 01.27.2021, Tim admitted that he had provided the reply only on 04.26.2021 despite, however, an interlocutory reply from the 26.2.2021;

g) in file 174664, in which the party, on 11.9.21, complained against the Company about the publication, in his opinion never requested, of his personal data listed (see paragraph 5 below), sending the cancellation request both to the Customer Service and to the DPO box dedicated to Consumer Customers, Tim admitted that the Customer Service provided an "inappropriate" response. The request in question was, in Tim's opinion, correctly "and promptly" managed by the Consumer Clients DPO box, specifically, on 12.7.2021 an initial interim response was sent and on 12.23.2021 the final reply was sent.

The three aforementioned cases were therefore the subject of a dispute against Tim, as the procedure followed did not appear to be in line with art. 12, par. 3, of the Regulation, according to which the reply to the requests, formulated by the interested parties, pursuant to articles 15 to 22, should be provided "without unjustified delay and, in any case, at the latest within one month of receipt of the request itself" and this term can be extended by two months only "if necessary, taking into account the complexity and number of requests", elements which, at the state of the documents, were not proven.

h) With reference to file 160287, Tim reported that, on 20.02.2020, the interested party sent to a certified mail address of the Company, as well as to the ordinary e-mail address of a service company operating on behalf of TIM, a request for clarification relating failure to deliver the repaired mobile phone within the agreed terms, also exercising the right of access pursuant to art. 15, of the Regulation. The said service company stated that it had sent the complainant, on several dates via PEC, updates on the situation related to the repair of the mobile phone, referring to Tim for questions related to the processing of personal data. As the latter admitted, although the aforementioned request of 20.2.2020 was also sent to Tim's certified email address, this did not follow the correct typing process, probably due to a system anomaly in the reference period , so that a reply to the whistleblower would not have been possible.

Tim pointed out that this anomaly has been resolved and a further control report of the internal processing process of the received pecs has also been introduced. On 5.5.2020, the complainant sent a further request to the aforementioned certified email address; the aforementioned communication, although correctly "typed" on the customer care systems in charge, was not handled correctly by the employee of this office. On 27.6.2020, the interested party also sent a pec to a certified mail address of the Company, as well as, on 30.06.2020, to a further pec address of the Company and sent further requests, precisely on 3.7.2020 and 7.7 .2020. On 29.7.2020 Tim provided cumulative feedback to all the previous four emails of identical content. In particular, the applicant was informed of the need to be identified in order for the request to be processed and was then invited to resubmit the latter with all useful information and documentation (e.g. photocopy of a valid identity document). On the same date and on 14.8.2020, the interested party reiterated his request again without attaching the necessary documentation for the reply. Tim, in the communications dated 08.03.2020 and 09.11.2020, pointed out these circumstances and, following a long conversation with the whistleblower, informed him of the fact that the sending via pec, although made out to the interested party, was not included among the methods deemed suitable for identifying the same.

With regard to this matter, the Office contested the incorrect handling of the requests of the interested party, which remained unanswered until May 2020, without, from this point of view, detecting the possible content (positive or negative) of the lack of response (which could, for example, have provided clarifications on the incompleteness of the application presented); the conditions for the violation of art. 12, par. 2 and par. 3, and of the art. 15, par. 1, of the Regulation.

i) With reference to file 172687, Tim represented that on 02.07.2021 the interested party requested by certified email the documentation of the traffic charged in the months of March and May of the same year, contesting the higher charge than the amount due. The request was processed on 2.8.2021, but, due to a technical problem, an incorrect reply was provided to the reporting entity, erroneously indicating that the traffic data charged in March 2021 was no longer available; otherwise, the whistleblower was informed that the request for May 2021 would be sent (see response dated 2.8.2021). Based on Tim's assertions, the notes present in the system confirm the sending of traffic data relating to the period of May 2021; however, it would not be possible to verify the sending activity, as this can only be done within 15 days of sending the documentation. On 6.9.2021, the reporting party sent a further request, declaring that it had not received the traffic referring to the month of May and complaining about the response relating to the failure to send March. On 6.10.21, a reply was sent by Tim to the complainant who at the same time proceeded with a commercial management of his complaint, acknowledging its validity due to the failure to send the documentation of the requested traffic.

j)  With reference to the case referred to in file 174463, the interested party on 5.6.2021 sent via PEC a request for access to his data, in which he requested to obtain all the 'sensitive' information regarding his users, in particular the "telephone records, any information attributable to the geographical position , even approximate (for example, history of the cells connected by the mobile device; Internet browsing, such as log of connections made or DNS requests made)". Tim provided a first response only on 27.9.2021, moreover with a decidedly limited content compared to the request formulated (name, telephone number, tax code, place of birth, residence, identification document), so that the complainant contested the partiality of the data to the Company reiterating previous requests. On 11.10.2021, after having asked the complainant to specify the line subject of the report, a reply was sent via pec confirming what had already been previously communicated; on 10.18.2021, feedback was provided via email, also attaching the form required for the request for documentation of prepaid traffic. Even after a further exchange of letters, the interested party contested the persistently limited response to his request for access to the data with respect to the elements indicated above. Only on 25.1.2022 was the printout of unencrypted traffic data of his telephone line sent to him, kept for billing purposes for the period 24.7.2021-24.1.2022, informing him, at the same time, of the fact that the checks relating to the geographical and Internet browsing were in progress, and finally providing the complainant with the related results on 02.16.2022. Even taking into account the extent of the request made by the interested party, the response fully provided by Tim only on 16.2.21, after more than 8 months, with respect to the request in question (already formulated on 5.6.2021 and moreover already complete of the generality of the complainant as well as the details of the user concerned) seems decidedly late. This violation appears more serious if one considers its object - the printouts - which can only be kept for 6 months, with the consequence that, in the case in question, printouts relating to the 6 months prior to Tim's reply were provided (25.01.22 , cit.), therefore pertaining to a much later period of time, and therefore very different, compared to those to which the complainant would have been entitled to receive if the request had been promptly handled.

In the two cases mentioned above, the Office had to contest the alleged violation of articles 12, par. 3, and 15, par. 1, of the Regulation, as well as 124, paragraph 1, of the Code.

k) With regard to file 161814, Tim admitted that on 11.4.2020 he had received a request to close his e-mail account and that this request was unfortunately not handled correctly, so that no reply was sent to the reporting party, so much so that on 12.29. 2020, 7.1.2021, 11.2.2021, the interested party contacted TIM Customer Service by telephone. However, Tim also represented that he then proceeded to send the operating instructions for canceling the account, which then also took place thanks to the proactive behavior of the user.

l) With reference to file 173533, the Company, confirming receipt of its requests on 23.5.2016, 3.7.2020, 6.10.2020 and 29.10.2021, represented that the same were not handled correctly and therefore the reply was not sent to the whistleblower.

m)  With regard to file 175169, Tim, also in the light of the supplementary response dated 24.3.22, communicated that he had requested clarifications from the carrier responsible for the delivery of two SIM cards and two mobile telephone devices, so that he could provide suitable proof of the delivery of the aforementioned material to the actual holder, upon verification of your identity (as instructed); proof that was not provided, so Tim proceeded to formally contest the conduct in violation of the service contract to the carrier. That said, it did not appear that the Company gave any reply to the complainant, nor, consequently, that it provided him with a copy of the contractual documentation requested by him.

Also with reference to the three cases mentioned above, the conditions for the violation of articles have therefore been identified 12, par. 3 and 15, par. 1, of the Regulation.

1.1.4. Tim's feedback on publishing data in public telephone directories.

With reference to the complaints concerning the publication in the telephone directories, following the answers provided by Tim on 26.10.21 and 11.3.21, the following was found:

n) in relation to file 165665, Tim represented that, on 24.1.2020, following the activation of the telephone line, he sent the customer a copy of the contractual conditions in which the consent he gave to the publication of his personal data in telephone directories was indicated; on 25.2.2020, the interested party sent a request for confidentiality via the web channel, listing his personal data. The report was closed by Customer Care on 13.3.2020, with the indication that they had made the modification of the consents, enhancing the confidentiality to YES, without providing feedback to the reporting person. In this regard, as reported by Tim, the withdrawal of the consent in question, due to a misalignment between the commercial system and the DBU, did not generate any change in the latter, necessary for the Publishers to implement the update. On 25.2.2021, the complainant sent a certified email to Tim requesting the cancellation of personal data from public lists. On that occasion, the competent customer care structure involved the management structure of TIM's IT systems, in order to follow up on the request, which was correctly registered on the Company's commercial systems. The anomaly was resolved on 06/09/2021 by confirming the alignment of the position on the DBU. The feedback received from the competent Structure confirmed that the DBU has correctly implemented the publication of the confidentiality in the list with effect from 21.5.2021 and that the number of the interested party is confidential with effect from 15.6.2021;

o) with regard to files 165144-165619-165752-165585, Tim communicated that: on 22.02.2018, the interested party sent a request via the web channel aimed at having her fixed telephone number considered as a reserved number; the request was handled on the same date, with a contextual response to the applicant; however, "the change is not detected in the systems and it is not clear whether this error is attributable to a system anomaly or to the operator's failure to operate". On 23.04.2020, the complainant again requested the inclusion of confidentiality in the list via the web channel; “unfortunately, a misinterpretation of the request can be seen from the relative notes inserted in the contact reason; in fact, the confidentiality of only the street number and not of all personal data as requested by the customer is reported." On 10.05.2021, following a telephone request from the interested party, confidentiality was entered in the paper and online list. In this regard, Tim represented that confidentiality has been implemented in the DBU since the first ten days of May 2021 and that the number is correctly reserved in the online public telephone directories, while for the paper directories it was necessary to wait for the first useful publication-distribution foreseen in the November/December period of the same year;

p) with regard to file 164121, Tim represented that, when activating the telephone line of the interested party, the customer expressed his consent, also incorporated in the contractual conditions sent in a copy to his postal address on 05/05/2020, to the publication of the data in the directories paper and online telephone numbers, both with personal data research and with online research. On 14/04/2021, the interested party sent a pec to a certified mail address of the Company, exercising their rights regarding the protection of personal data, pursuant to articles 15-22 of the GDPR and expressing the will to delete your personal data from public telephone directories. An initial interim response was sent to the interested party on 05/14/2021, confirming the correct update received by the DBU regarding the confidentiality of his personal data. On 13/07/2021, further feedback was provided to the whistleblower, "always within the terms of the law", regarding the request previously made by him, concerning the exercise of rights regarding the protection of personal data. Finally, Tim highlighted that, as per the whistleblower's will, the confidentiality for the numbering subject of the report was implemented in April 2021 and sent to the DBU in May 2021;

q) with reference to file 162474, Tim represented that the mobile line subject of the report has been active as a Prepaid Consumer and in the name of the reporting party since May 19, 2017; in relation to mobile lines, the corporate procedure provides that the inclusion, variation and cancellation in the single list must necessarily take place through a written request made with specific forms signed and accompanied by a valid identity document of the applicant. The checks carried out by the Company on the Consumer commercial systems had not highlighted requests for the inclusion and/or confidentiality of the aforementioned line in the DBU. However, following specific indication of the terms of the request by the whistleblower, Tim admitted that he had actually sent the request by certified e-mail, a request that was "correctly received, but unfortunately it was erroneously assigned to a structure not competent", so that "the request in question was neither processed nor matched".

r) regarding the file 174664, Tim represented that, in relation to the circumstance that the telephone number of the interested party had returned to Tim's management, an anomaly would have arisen (later resolved) for which the appointed system would not have taken into account the request for confidentiality of the data in list. This anomaly could have affected the operations of the employee who correctly entered the system on 20.8.2021 the will expressed by the customer not to be published in the list. On 9.11.21, the interested party asked TIM for the publication, according to him never requested, of the personal data in the list. On the basis of this anomaly, the interested party highlighted that his number was the subject of publication in the telephone directories. As represented by the Company, on 11.26.2021, "the Customer Service provided unfortunately inadequate feedback and the request was correctly and promptly handled on 12.7.2021." Tim assured that the data of the interested party would no longer be present in the paper lists (on the occasion of the first useful edition of the year 2022). Tim, in the concrete case, therefore admitted that, even if due to a technical anomaly (not better identified and clarified), the confidentiality of the interested party was not guaranteed.

s) regarding the file 172121, Tim stated that, at the time of the line activation request, from the data recorded in the commercial system of consumer customers, the non-publication of the telephone line data in the directories would not have been requested. On 29.09.2021, the whistleblower contacted Tim's Customer Service by telephone, requesting information on the matter. Furthermore, on the same date, the interested party submitted a request for confidentiality listed both through the company website and by sending a certified e-mail message. Therefore, again on 9.29.2021, the Customer Care arranged to make the aforementioned line "Reserved" on the commercial system of consumer customers, a variation purchased from the DBU in the third ten days of September 2021. In this regard, Tim replied to the whistleblower, with communication of 10.22.2021, sent by e-mail. By virtue of the foregoing, Tim highlighted that it had recorded the "total confidentiality listed" on its systems from the first request received from the whistleblower (on 09.29.2021).

In the specific case, it was considered during the dispute that an undesired publication of the data in the telephone directories attributable to Tim could be configured, since it occurred in the absence of an express consent of the interested parties, and in particular, therefore that the conditions for the violation of articles 6 and 7 of the Regulation as well as 129, paragraph 2, of the Code.

t) Regarding the file 159767, Tim pointed out that since the activation of the telephone line, which took place on 1 August 2017, the whistleblower would not have formulated any request for confidentiality of the same, thus published in the DBU in the first ten days of August 2017 and, consequently, in the telephone directories. On 24.3.2020, the telephone line was subject to portability to another operator. On 14.1.2021 the interested party sent a pec message to Tim, requesting the cancellation of his personal data published on the website www.paginebianche.it; the Company pointed out that the response provided by the customer service to this request had not been correct, but specified that it could not have followed up on the request of the whistleblower, as the line in question was no longer active on the TIM network.

u) Similarly, with reference to file 172674, following the return of the line to Tim, the interested party did not formulate a request for confidentiality and therefore his number was published in the DBU and in telephone directories. No requests or complaints from the interested party for the change of confidentiality in the telephone directory have been registered in the commercial systems of Tim's customers. On 10.4.2021, the same sent a request to update his data in the DBU to the Company's institutional pec. On 10.15.2021, Customer Care proceeded to change the level of confidentiality for the whistleblower's fixed telephone line to "Reserved on the list": change acquired by the DBU in the second ten days of October 2021.

v) Regarding the file 175715, Tim stated that, at the time of activating the interested party's line, from the data recorded in the TIM systems for the "List" section, non-publication in the list did not appear requested. On 26.08.2021, the whistleblower made this request and, on the same date, therefore, the request was implemented.

w) With reference to file 171194, Tim represented that at the time of the activation request on 07/13/2020 of a telephone line, "confidentiality in telephone directories is not required. Therefore, this telephone line was published in the Single Data Base in the second ten days of July 2020 and consequently in the telephone directories". Subsequently, according to the Company, no complaints (telephone or written) were presented by the interested party relating to the publication in the telephone directories of the said line. Following the report sent to the Guarantor, on 03.07.2022, Customer Care proceeded to make this telephone line confidential. This registration was acquired by the DBU in the first ten days of March 2022. The "Total confidentiality in the directory" would therefore have been implemented by the various publishers of telephone directories and would have resulted in the cancellation of the user in question from them.

x) On the other hand, with regard to files 172846 and 165434, the unwanted publication - according to what Tim reported - depended exclusively on the publisher of the public directories and therefore Tim would have no responsibility.

Therefore, in all the above cases, except for the last two referred to under x), the Office considered that there had been an unwanted publication of the data in the telephone directories attributable to Tim, since it occurred in the absence of an express consent of the interested parties. In particular, therefore, during the dispute, the existence of conduct in violation of articles was found 6 and 7 of the Regulation as well as 129, paragraph 2, of the Code, also considering that the failure to express a negative will with respect to such treatment can never be equated to a consent, which instead must be expressed and unequivocal, as well as specific and documentable.

1.1.5. Tim's response to the information on the website www.tim.it

With regard to the report referred to in fasc. 175689 with which the interested party complained that he had not been able to view the privacy information during the online purchase phase, on 12.17.2021, Tim represented that this was due to a temporary anomaly which, unfortunately, did not make it accessible during the purchase phase, this information on the processing of consumer customer data. This anomaly - Tim said - has been resolved, restoring the possibility of viewing it by customers before concluding the purchase process and providing consent for purposes other than the execution of the contract. In the absence of records: indications on the period in which the anomaly in question continued; elements clarifying the said anomaly; quantitative elements relating to the interested parties involved, Tim was invited - with the aforementioned act of initiation of the procedure of 4.5.2022 - to provide documented elements in this regard. As far as the documents are concerned, the alleged violation of art. 13 of the Regulation.

1.1.6. Tim's response to the data breach.

With reference to the report referred to in file 174492, relating to the receipt from 12.30.2012 of e-mails to the same address of communications referring to another customer, Tim first of all pointed out that there were no reports or complaints relating to the case in question. From the checks carried out on the commercial systems, in relation to the e-mail address of the reporting party, it emerged that the same was associated with the tax code of the other customer, but without however being able to trace the reason for this association; which, regarding the type of communications sent to the reporting person's address, were mainly sent: invoice issuing notice e-mail (without the attachment of the invoice itself), an e-mail activating the Mobile Option offer and two reminder emails for the payment of an overdue invoice containing the following personal data: name, surname, tax code and telephone number.

Since the confidentiality of customer data with reference to the specific episode reported above was not ensured "on a permanent basis", the violation of art. 32, par. 1, lit. b), of the Regulation.

1.2. Investigations carried out on specific cases and related outcomes.

Some cases, characterized by numerous repeated reports (file no. 147099; file no. 169442; 166823-165813), have been the subject of specific investigations.

A) Regarding the file 147099, the whistleblower, in particular, since 2020, has complained of receiving promotional phone calls and emails and the alleged communication of his data to the call center for this marketing purpose, as well as the difficulty encountered in closing his MY Tim account and the "Alice" mailbox (in particular, most recently, with the communications of 26 July and 2 August 2021), also requesting the elimination of all related data.

B) With reference to file 169442, the whistleblower. with multiple communications, starting from 08/03/2021, complained about Tim's failure to produce the contractual variation (of which the interested party had disregarded the stipulation and the relative conditions), as well as, as far as the interest of the Authorities, of the documentation relating to informed consent for the processing of personal data and of the telephone records relating to the line in your name.

C) A consumers' association (fasc.li 166823-165813), with two separate reports (17/5/21 and 7/6/21), also addressed to the Public Prosecutor's Office, complained of receiving unwanted promotional phone calls and aggressive (particularly one with operator; the other with pre-recorded mode).

A) Tim highlighted that the My TIM and TIM Mail accounts work with separate processes; that the former could be deleted from the "Profile" section; otherwise, Alice Mail is the e-mail service from which you can withdraw by connecting to the link https://gestione.servizi.tim.it/closeaccnt/entrance.do. The Company also highlighted that, in order to close the account, a positive action was required by the customer through a specific link provided by Tim to the reporting person in the reply dated 04.23.2021. The link (https://gestione.servizi.tim.it/closeaccnt/entrance.do) leads directly to the TIM Mail termination page where you are asked to enter the e-mail address to be canceled and the relative password. Tim also represented, with the same note, that "In consideration of the repeated and manifested desire to terminate the simonecandela@alice.it account, on a completely exceptional basis, on 08.27.2021, the IT structure of TIM started the account termination process, which ended positively on 08.30.2021.” However, this occurred several months after the numerous requests of the whistleblower, dating back to 24 March 2020, given that - as mentioned - only on 23/4/2021 was the interested party provided with the link to connect to in order to proceed autonomously upon termination of the 'Alice' account; on 6, 13 and 17 May 2021, the whistleblower reiterated his request to cancel the "Alice" account, declaring that the link provided by TIM did not work; only on 19 May 2021, an email was sent to the interested party on said account with the subject "Confirm the TIM Mail termination request", with the consequent need for the interested party to click the link at the bottom of the email, to complete the 'process; on 6, 13 and 17 May 2021, the whistleblower, failing to complete the procedure, sent further reports which were only acknowledged by TIM on 3 June 2021 providing again the instructions for deactivating the account in question (see feedback Tim, 6/8/2021).

Tim also represented that "in the last six months, the email (of the interested party) has not been included in TIM's contact lists, it does not appear that (his) data has been communicated/transferred to TIM's commercial partners and it has not been object of sending promotional-advertising emails from TIM". On this occasion, therefore - without prejudice to the legitimate conservation by Tim of the personal data of former customers (which is the interested party) necessary to fulfill any purposes of contractual disputes or provided for by law - a cancellation procedure emerged, overall , not suitable for facilitating the prompt implementation of the requests of interested parties who encounter technical difficulties in providing for themselves, and therefore not in line with art. 12, par. 2, of the Regulation. Furthermore, a gap in Tim's ability to be aware of the processing of data carried out for promotional purposes on behalf of the Company (pursuant to articles 5, paragraphs 2 and 24, Regulations) seems to be discernible.

B) Regarding the reports sent to the Company, with the replies dated 2/9/2021 and 11/11/2021, Tim communicated that the contract (dating back to 1989) was no longer available in consideration of the considerable amount of time that has passed from the activation of the telephone line in question. In this regard, it provided elements relating to the activation date, the data of the new location following the request for a move of the same which occurred in August 2016 and the current contractual data acquired with the  taking over of the sole proprietorship in the name of the interested party in the original SNC, producing , also, a copy of the privacy consent form, where the refusal to process data on 7/7/2017 emerges for purposes other than contractual ones. It being understood that the processing of data for contractual purposes finds its legal basis in the contract itself, to which the form for the takeover in question can be traced back (Article 6, paragraph 1, letter a), without therefore needing to no consent, however, no copy of the disclosure, at the time or subsequently, issued to said sole proprietorship was found in the deeds, with the possible violation of art. 13 Regulation.

C) With regard to the reports from the consumer association, Tim, in response to the requests to provide information formulated by the Office, pointed out (see reply 5/7/21) that the telephone calls in question were not made by its sales force and that the calling numbers, indicated by the whistleblower, do not belong to those used by her. This finding must be evaluated, also in the light of the numerous cases reported below, for which Tim reports a similar finding, for the purpose of assessing the possible violation of the principle of accountability (articles 5, paragraphs 2 and 24, of the Regulation).

2. DISPUTING THE ALLEGED VIOLATIONS

As reported above in relation to individual cases, with deed dated 05.02.2022 - to which reference is made in full for what is not reproduced in this provision - Tim was notified of the start of the administrative procedure for the possible adoption of corrective measures and sanctions pursuant to art. 166, paragraph 5, of the Code and 12 of the Regulation of the Guarantor n.1/2019, due to the alleged violation of the following articles of the Regulation:

- 5, par. 2;

- 6-7;

- 12, para. 2 and 3;

- 13;

- 14;

- 15, par.1;

- 24;

- art. 32, par.1, lett. b);

as well as the following articles of the Code:

- 124, paragraph 1;

- 129, paragraph 2;

- 130.

3. TIM'S DEFENSIVE ACTIVITY.

3.1 Unsolicited Telemarketing.

With reference to the unwanted calls contested by the Authority, the Company, in its defense brief dated 06.15.2022, first of all represented that 128 reports represent a minimum, if any, percentage of the total number of contacts (equal to approximately 0.0008%) carried out by the Sales Force on behalf of Tim. Furthermore, this minimum number would not be attributable to contacts originating from lists provided or authorized by the Company, nor from lists originating from leads, but "exclusively to the so-called 'undergrowth' that all the control processes shared with the Authority and put in place, can in no way be able to completely eliminate", for the reasons better explained below.

The Company then claimed the groundlessness of the contestation of the violation of articles 5 and 24 of the Regulation, representing that, following the implementation of the provision 15 January 2020 no. 7, put in place "a structured system of accountability and privacy by design through a complex and costly set of organizational and technical security measures."

In particular, in addition to those indicated in the compliance report with the provision dated 15.1.2020, Tim stated that it has implemented:

- capillary monitoring and periodic checks, based on 3 different levels, of its Sales Force, also in order to take the appropriate measures (warnings, penalties, contractual terminations);

- a substantial reduction in telesellers and contracted agencies with a percentage decrease of 46.6% for the consumer channel, following the rationalization of the channels implemented also with a view to reducing the risk of non-compliance with the legislation;

- an automated flow that allows, on the basis of the privacy instructions and the updated operational ones made available to the Sales Force, to implement all the objections to the treatment received and compare them with the denials present in Tim's black-lists;

- an automatic notification mechanism to communicate the refusals expressed to Tim's customer care to all those subjects of the consumer Sales Force who have such numbers on the list;

- an automatic control mechanism of all the information provided by the Sales Force based on the privacy and operating instructions given by Tim and which automatically generates specific consistency reports;
moreover, again as a supplement to the indications received in the aforementioned provision, "as proof of its extreme attention to the phenomenon of unwanted calls", Tim stated that he had:

- approved a new contractual model for all partners in the consumer and business spheres with the aim of strengthening the sanction system in the event of violations attributable to the privacy sphere; model that would be fully adopted by customer care outsourcers and telesales consumers;

- adopted, for all contracted consumer and business agencies (both old and new), an incentive plan which guarantees Tim the right not to recognize compensation on contracts activated and which do not comply with the contactability criteria set out in the privacy instructions;

- implemented the systematic analysis of the telephone logs generated by the telephone bar of the Sales Force; if anomalies are found during the checks, they are weighed with a standardized tool (the so-called "evaluator"), which allows you to graduate the measures to be taken against the Sales Force (from the letter of awareness to the termination of the existing contract in the cases more serious).

The Company then represented that between 2020 and 2022 it had filed six criminal complaints and that it had filed a civil party in a further criminal proceeding "in relation to facts also detected as a consequence of the implementation of the monitoring and control system"; as well as having reported, on 12.4.2022, to the AGCM, and for information to AgCom, the misconduct identified, also through a specific service made available on the website www.tim.it to allow reporting by users and related to unwanted contacts made by unknown subjects who falsely presented themselves as Tim employees to customers and non-customers, promoting false promotional offers. On this occasion, the Company highlighted that a very high percentage of unwanted contacts (about 78%) were attributable to calls from "non-existent numbers", attributable to the CLI spoofing phenomenon, which make it objectively impossible for operators, due to of the current technological structure of the telecommunications networks, identify all the calling numbers when they come from interconnections from abroad or carried out through manipulated CLIs and, identifying, for a part of the said signals, on the through the numbering arcs established on the own network or other operators, the person to whom the calling number is to be attributed.

Tim also represented that, in July 2022, he would have experimented with "the use of a geolocated tablet via a "Digital App" ... to make compliance with the contracting methods of potential customers more stringent, also in relation to the place where the contract is signed by the customer in the presence of the seller and, at the same time, ensure the completeness and non-modifiability of the documentation acquired with an electronic signature, its archiving and subsequent ease of retrieval, as well as allowing the sending to the end customer of a computerized copy of what he has accepted and signed". The Company also highlighted that it has experimented with the smart contract technology for the certification of all phases of marketing and that it has contributed, through participation in a specific "Technical Committee on the Security of Electronic Communications of AgCom, to the study of other possible solutions (regulatory and technological) useful for contrasting the CLI spoofing phenomenon.

In light of the above, the Company underlined that, in your opinion, the phenomenon of "undergrowth" is not attributable to Tim, but is "a system problem to be addressed by the entire market and not just electronic communications." and to believe - "in the absence of specific regulations, specific guidelines or a specific code of conduct" -  "that it has done everything in its power to ensure compliance with the principle of accountability, since the procedures set in would allow direct and capillary control over one's Sales Force".

Similar elements and assessments, with specific reference to the Sales Force, Tim formulated with a note dated 9.28.2022 (to which full reference is made), in response to a supplementary request for elements and documents formulated by the Authority on 9.9.2022, with which was asked, in particular: 1) if, as of 1 January 2021, telephone contacts made by/on behalf of Tim had been contracted - by its partners or by subjects unrelated to the sales force - outside its contact lists , indicating the total number; 2) if and what checks had been carried out regarding the fulfillment of the information and consent by the subjects indicated in the previous point.

With the aforementioned note, Tim specified that, by its "Sales Force" it always refers to the sales channels divided by consumer and business segments that carry out telemarketing activities on its behalf (as specifically detailed in point 7 of the memorandum), while they are excluded from this definition: i) physical shops; ii) the web channel of the Company's website, through which the interested party can autonomously purchase Tim's products and services; and iii) web comparators, which offer a tariff comparison service in the electronic communications market as independent data controllers.

As reported by the Company, all the contracts that it activates with the outbound telephone in question come exclusively from the Sales Force and the information provided with the aforementioned communication concerns only these contacts.

Secondly, Tim, in the same note, recalled what was represented in the defense brief regarding the phenomenon of the so-called "off-list" (or, as indicated by the Authority in pt. 1 of the request, the "telephone contacts [...] outside the contact lists"). As indicated in pt. 23 of the brief, and in particular in the referenced Annex 1 ("Privacy instructions for commercial partners ...) and Annex 1-bis ("Privacy instructions and legal obligations"), the relationship between Tim and its Sales Force provides that :

i) so-called 'own lists': TIM has the right to provide its own contact lists to the Sales Force formed in compliance with the law. The sources of these lists can be: Tim's CRM systems (which concern active or former customers, see pt. B1 a) of the aforementioned Annex 1; or, lists retrieved from the public telephone directory (DBU - see pt. B1 c), annex 1); lists purchased directly from Tim (see pt. B1 b) of the aforementioned Annex 1); or even the "authorized third-party lists" of the list providers which are, before use, approved in advance and cleared by TIM, always passing through the Company's systems;

ii) so-called "authorized third-party lists": the Sales Force has the right to use lists acquired from third parties (so-called list providers) for the promotion of Tim's products/services but only with the latter's authorization and verification, in compliance with the instructions and controls provided by the same and indicated in terms of personal data protection (see pt. C1-C4 of Annex 1 and Annex 1-bis). Once authorised, these lists (as mentioned in the previous point i.) are considered Tim's "own" contact lists.

iii) c. d. "lead" (i.e. contact details that do not imply the collection of consent for marketing purposes, instead originating from a specific request by the interested party to be contacted by telephone with an operator for a specific need relating to Tim products and/or services): the Sales Force has the right, subject to Tim's authorization, to collect leads in compliance with the instructions and controls provided and indicated by it (see pt. D1-D2, attachment 1 and attachment 1-bis).

In the same note dated 9/28/22, the Company also underlined that all the aforementioned lists (i; ii; iii) are considered Tim's "own lists" "due to the instructions and controls already extensively discussed in the Memorandum" and, therefore, all of these are to be understood as "contact lists". Furthermore, the Company points out that, based on the above, "There is therefore an express prohibition for the Sales Force to carry out "off-list" activities other than those referred to in points I. and I. above (see pt. E of Attachment 1 and Attachment 1-bis) (i.e. 'unjustified off-listers').", adding that "for the period January 2021 - June 2022, the total figure for unjustified off-listers that the Company found and sanctioned on the basis of its documented monitoring and control system (developed online and in some respects even going beyond what the Authority imposed within the most ancient Provision 7.2020) is equal to: I) for the consumer channel: a) Consumer telesales: 0% out of 207,611 contracts (this value is indicative of active partners as of November 2021; b) Consumer agencies: 0.10% out of 158,166 contracts in 2021 and 0% out of 84,301 contracts up to June 2022; II) for the business channel: 0.29% out of 399,372 contracts as of November 2021.".

3.2. Exercise of rights pursuant to articles 15-22 of the Regulation.

Tim then represented that it had updated its privacy system relating to the exercise of rights by data subjects, in order to ensure management of the very numerous requests in a proactive and compliant manner, highlighting some statistical data (96.9% of requests processed in 30 days; 1.8%, in the following two months). Recalling the measures already adopted in implementation of provision 15 January 2020, the Company also highlighted the effectiveness of the guidelines for the management of requests both received in the boxes of the DPO and through multiple other channels set up for this purpose, including multiple use cases of standard responses constantly updated and based on interactions with stakeholders.

He also highlighted: a) that it has implemented a centralized control system for the management of requests received by customer care via various channels (e-mail, web, digital, physical, etc.) with the aim of allowing the correct identification, analysis and management of requests to exercise rights within the terms of the law; b) that it has invested considerable resources in the training of personnel responsible for managing requests for the exercise of rights, developing a team dedicated to the management of traffic data requests.

Tim also underlined that, on average, each employee handling requests to exercise rights deals with about 280 requests per month. With the brief dated 15.6.2022, to be understood as fully referenced and reproduced here, the Company contested the violations identified in the individual cases (articles 12, paragraph 3 and 15, of the Regulation, as well as 124 of the Code), also representing the following .

- File 169170: Tim pointed out that "following the complaint received on 16 December 2020 and 4 January 2021, in which the complainant requested a copy of the recordings of the telephone calls made on 15 and 16 December 2020, TIM promptly replied on January 13, 2021, informing you that there is no recording of phone calls when customers contact customer care for contractual.commercial information.”

- File 166767-formerly 165318: in relation to the reporter's request dated 04.02.2021, Tim declared that he had replied acknowledging the delayed response due to the complexity of the request, since it was a request concerning access, limitation, portability of the data, and the opposition to the treatment towards Tim and all the recipients of the data, as well as proof of the communication of the opposition to the same. Subsequently, a definitive reply was sent on 1.07.2021.

- File 163087: "in the face of an evidently complex request (of 01.26.2021), since it concerns the exercise of the right of access, cancellation and opposition", Tim provided "an initial response, albeit not entirely conclusive." (26.2.2021) in which it was represented that, "given the particular complexity of these operations", TIM, in order to conclude the procedures and investigations necessary for the fulfillment of the request, took advantage of the extension pursuant to art. 12, par. 3, Regulation (for a total period of 90 days, being the final reply dated 25 April 2021).

- File 174664: Tim represented that to the complaint of 11.9.2021 concerning the request for cancellation of the interested party's data from the public telephone directories, "provided a prompt reply on 11.26.2021", representing how the interested party was already excluded from the directories . On the same day, the interested party presented a further complaint to the Authority, since the number was still published in the list. Consequently, and following further technical investigations, TIM verified that, although in the offer conclusion phase the Company had correctly understood the customer's wishes (in this regard, attaching the relative screenshot), due to a technical anomaly (promptly resolved ), the same was not correctly registered in the other systems used for the management of public directories. After further discussions, TIM provided a final reply on 12.23.2021 to the interested party.

- File 160287: Tim represented that, in his opinion, the three requests via pec that had not been processed should be considered placed in a time period prior to the deadline assigned for complete compliance with the provisions contained in provision no. 7.2020 and that, since the identity document was not attached, the identity of the applicant could not be said to be certain.

-fasc. 172687: Tim reiterated the validity of the requests formulated in the first place by the interested party, "tracing the delay to a mere human error", pleading the groundlessness instead of the violation pursuant to art. 124 of the Code, since, in his opinion, the resolution of the aforementioned problems in agreement with the interested party, would have determined "the loss of interest in consulting the traffic of the period in question." (“In fact, the original request concerned access to traffic data for the purpose of disputing an invoice which reported an increase in costs that occurred due to a misalignment of the systems in the transition from one offer to another). At the end of the discussions with the interested party, Tim, having recognized this problem, proceeded to compensate the amount erroneously charged in the subsequent invoices, thus losing the interest in obtaining the traffic data.".

- File 174463: as reported by Tim, the interested party had exercised the request to exercise the rights also pursuant to article 124 of the Code, on 5.6.2021; the Company had provided an initial response to the aforementioned request on 06/08/2021; subsequently, further reminders were presented by the interested party to which Tim provided a belated response, but justified by the complexity of the request presented.

- File 161814: confirming the late nature of the response, Tim highlighted that it would be a practically isolated case, probably attributable to human error in a multifaceted and complex organization, acknowledging that, contrary to the provisions of its internal procedures, it was not able capable of providing timely responses to the requests of the interested party, bearing in mind however the considerable workload on average assigned to each employee in charge of managing requests concerning the rights pursuant to articles 15-22 of the Regulation.

- File 173533: in this regard, the Company pointed out that the first report (2016) took place well before the compliance imposed by the aforementioned provision no. 7.2020; it was "a practically isolated case, probably attributable to a human error which, in an organization as articulated and complex as that of TIM, is not to be considered as evidence of the company conduct normally prescribed for the management of requests". Instead, as regards the reports received after 2016, Tim confirmed instead that he had not provided adequate feedback.

- File 175169: with regard to the notification of the interested party received on 06/07/2021, relating to the documentation relating to the contract of which the interested party was formally the holder, as well as to the traffic data generated by the two SIMs of the contract, the Company reported that it had provided three different responses, also due to the complexity of the request as regards traffic data, of which, the first two within 30 days, and one, having provided reasons for the delay, within 90 days. A further reply would have been sent to the interested party on 22 February 2022, providing him - in addition to the documentation already sent - the additional documents requested.

3.3. Publication of data in telephone directories.

With the brief dated 15.6.2022, to which full reference is made, Tim provided partly supplementary elements with respect to what emerged during the preliminary investigation, representing, with reference to the individual disputed cases, the following and affirming the non-existence of the violation of the articles 6 and 7 of the Regulation and 129, paragraph 2, of the Code.

- File 165665: Tim added that, in his opinion - on the basis of provision 15 July 2004 doc. web [1032381], par. 6 - "the obligation of technical conformity for the purposes of immediate updating of the lists both for operators and for the manager of the general directory (DBU). Consequently, since TIM correctly implemented the whistleblower's revocation on its systems, it cannot be held attributable to a failure to update since this would appear to depend on a technical problem relating to the misalignment of the general directory manager's systems";

- File 165144 -165619-165752-165585: Tim pointed out that he had received a first request, dated 22.2.2018 and a second one, dated 4.23.2020; that both requests, however, due to technical anomalies (not dependent on the manager of the general list) and/or partial processing by the customer care employee, did not appear to have been handled correctly. In any case, subject to a further report dated 10.5.2021, the request was implemented in the DBU on 12.5.2021. In the Company's opinion, the matter should be viewed as "a certainly isolated case and probably attributable to an error which, in an organization as articulated and complex as that of TIM, is not to be considered as evidence of corporate conduct prescribed for the management of requests for publication in directories.";

- File 164121: the Company, in reiterating what was already highlighted during the preliminary investigation, represented that "on the three pecs with which the interested party exercised the rights of access, rectification, cancellation, limitation and opposition, dated 05.14.21, TIM provided reply to this request to exercise the rights, confirming on the one hand the revocation of the consent and representing, due to the complexity of the request, that the definitive reply regarding the exercise of the rights would be received within a further two months, as actually happened on 13.07.21.". He also added that "on the basis of the very high average commitment of those involved in managing requests to exercise rights, the high number of requests provided for by art. 12, par. 3, Regulations.”

- File 162474: Tim would never have published any information about the whistleblower; the publication would be exclusively attributable to the manager of the public directories "due to a data enrichment mechanism exclusively under the control of the publisher".

- File 174664: the Company represented that it had correctly understood, during the activation of the contract, the willingness of the whistleblower to consider his/her telephone number confidential. However, "following an internal technical anomaly", this will would not have been correctly implemented within the DBU. Therefore ("in any case within the terms of the law for the response regarding the exercise of rights"), said problem was resolved and, finally, the will of the interested party was implemented. Again, according to Tim, it would have been an isolated case.

- Files 172121, 172674, 175715 and 171194: Tim claimed to have united these 4 cases, by virtue of their common characteristics. In fact, as would be proven by the related reports already in the documents, said interested parties, even when addressing the Guarantor, would have failed to attach the form (which is part of the Company's contractual set) "by means of which they could express their consent or not to publication in the lists. Tim has instead, as demonstrated in the aforementioned reports, demonstrated that said interested parties had given such consent"; moreover, in his opinion, he would have “always provided an adequate and timely response, modifying the preference of users so that they were no longer published in the list. “;

- File 159767: the case would be similar to those indicated above, but would differ, since the utilities subject to the report were then transferred to another operator. With specific reference to fixed users (subject to report) activated on 1.8.2017 and ceased on 24.3.2020, Tim argued that said consent was given, which would then be managed by the Company in line with the provision of the Guarantor "Processing of subscriber data in the case of number portability - 1 April 2010 [1711492]” and that the first complaint took place on a date (14.1.2021) in which the users of the interested party had already belonged to another operator for some time.

3.4. The information on the website www.Tim.it.

Tim, in the brief dated 15.6.2022, highlighted that the anomaly that prevented access to the web page containing the Company's information "was so exceptional and temporary that it did not generate a system warning, as it should happen in the event of application malfunctions. As proof of this we provide …. by means of the Google analytics service, proof of continuous access to the pages of the GruppoTim.it domain which also include the web page containing the information being reported for the days of 17, 18 and 19 December 2021 (Annex 15). In particular, as highlighted in yellow in the aforementioned attachment, with reference to the URL subject of the report, for the day of 17 December 2021 at 15.00 - 16.00, it is clear that in this time slot multiple people have accessed this web page .”.

3.5. The data breach.

In relation to file 174492, with regard to the undue communication of personal data of a Tim customer, with the aforementioned brief dated 15.6.2021, the Company added that the problem of erroneous association of the e-mail with the tax code had been resolved correctly informing the whistleblower; that, considering the considerable period of time (10 years) without the whistleblower or others reporting the problem, "it is currently impossible to reconstruct the events and trace the technical anomalies that caused such an accident. However, it is worth noting that the perimeter of the risk perpetrated against the data subject (...) is very limited since it does not concern particular data and since the number of personal data involved is small.".

3.6. Investigations carried out on specific cases.

Tim, with the aforementioned defense brief - to which full reference is always made - provided further explanations with respect to the cases subject to specific investigation (cases 147099; 169442; 166823 and 165813), also due to the reiterated nature of the reports. In particular:

- with regard to the file 147099, the Company represented that it had provided all useful and necessary information in order to facilitate the interested party to carry out the cancellation, regulated by an automatic procedure "which, however, requires a positive action by the interested party to confirm their willingness to delete the account”; adding that "according to a legal presumption proper to the Civil Code on obligations, it must be considered that the average man possesses the average experience requirements suitable for interpreting this cancellation process including the need to click on a specific link to express one's will to cancel. If this does not happen, however, any possible delay in following up the procedure certainly cannot be attributed to the data controller (who in fact has set up a quick and easy procedure), but rather to the interested party who - concretely - failed to apply the steps of the procedure.”;

- with reference to file 169442, Tim pointed out that, following further investigations, the information (initially indicated as missing) was instead "actually included in the takeover form and that therefore, it was viewed at the same time as the form was completed by part of the interested party” (see annex 8 to the brief);

- with regard to files 166823 and 165813, Tim recalled the defense set out above with general regard to unsolicited promotional calls that it does not recognize and to the compliance of its actions with the principle of accountability.

In light of all of the above, the Company has requested the filing of the proceeding initiated or, alternatively, the application of a sanction in its minimum statutory value, also requesting to be able to hold the hearing envisaged by art. 166, paragraph 6, of the Code, "to better illustrate one's position within such an articulated and complex case".

3.7. Tim's audition.

During the hearing, held on 18.7.2022, Tim, in reiterating the reflections and data contained in the defense brief, highlighted the high number of notices and contractual terminations, with reference to the violations of the various privacy obligations, not with regard to the issue of off-lists ("which as a rule no longer exist"), but to the implementation of control of the telephone bar (and log files) used by partner call centres, such as to prevent any exceptional off-list contacts and, where there were , knowing how to recognize them, specifying however that "the contract is in any case taken to respect the wishes of the users concerned". He added that “a quality check policy was also activated for 9 months to verify the effective contractual intention of the user, even if contacted in an unwanted way. Furthermore, if the contract is not activated and made operational, the Agcom legislation provides for an indemnity of around 7.5 euros for each day of delay in activating the service; then we suspended it because the people contacted for the aforementioned purpose only declared themselves disturbed by this service.” Tim also referred to how the document “ECC, doc. no. 338 of June 7, 2022 on CLI spoofing", highlights "that the technology currently in use is not suitable for avoiding the phenomenon of spoofing. “

4. LEGAL ASSESSMENTS.

4.1. General considerations

With reference to the factual profiles highlighted above, also on the basis of the Company's statements, for which the declarant is liable pursuant to art. 168 of the Code, the following assessments are made in relation to aspects concerning the regulations on the protection of personal data.

In the first place, we cannot agree with the attempt to consider the overall number of reports brought to Tim's attention by the Authority as insignificant in percentage terms. In several circumstances, the Guarantor, with particular reference to cases of unwanted telephone calls, has had the opportunity to specify, however, that "the mere non-traceability of the calling numbers to the list of those in use by the company and its commercial partners, more repeated several times by (Tim) as an element of response to the requests sent by the Guarantor, it is, in fact, critical due to that proactive perspective that defines the principle of accountability of the data controller and which permeates the entire new regulatory framework of data protection". Precisely the relevance of the phenomenon and the circumstance that the telephone contacts were made in the name of Tim as well as the primary role that it plays as an operator in the telecommunications market and the considerable organizational and managerial possibilities that characterize it, would have required activities more in line with the necessary and essential work of constant vigilance and monitoring of the phenomena that emerged following the complaints received directly to the company in the field of telemarketing (see for similar arguments, ord. ing. 16 December 2022. web doc. n. 973567] ).
Dutifully stated, the efforts undertaken by

Tim to obtain better control over the supply chain and, more generally, over the processing of users' personal data. However, from the analysis carried out, there is still ample room for improvement, in particular in relation to the need to direct effective actions to contrast the activities of abusive procurers of contractual offers, which, as will be seen in relation to the individual points, are the basis of the violations found.

4.2. Unsolicited telemarketing.

With regard to the objections raised regarding unsolicited telemarketing, it is necessarily necessary to preliminarily reiterate what the Authority has repeatedly stated regarding telephone calls not coming from the company's official sales force or for which it is not possible to identify the calling number for the adoption of camouflage techniques such as spoofing.

The results of recent years of investigations into the phenomenon have in fact highlighted that the activities of the so-called "undergrowth", of operators who illicitly reach people by telephone who have not provided suitable consent, or even expressly opposed this form of contact, base their survival on the reabsorption of successful activities within the official chain of companies who end up approving the contract and recognizing the related sales rights, which, in this way - through various flows between intermediaries - continue to feed the illicit market.

In the light of these considerations, statements such as those released by Tim on the fact that the phenomenon of the "undergrowth" would not be an issue that it could solve, "but is a system problem to be faced by the entire market and not just electronic communications .”. The solution to this problem, on the other hand, must necessarily pass through the initiatives of each operator, who, due to the principles of accountability and privacy by design, must implement all initiatives aimed at avoiding the perpetration of illicit processing of personal data.

In this sense it is now clear that the controls and interdiction activities must be implemented with regard to the contracts proposed by the sales network, verifying by every possible means that they originate from a regular contact and in line with the provisions of the sector regulations .
In other words, as long as it is technically possible to insert contractual proposals and activate services in the systems of the client companies by insinuating themselves into the official sales chain and introducing into the information assets of the same companies illicitly collected personal data from which unauthorized contacts originated, the so-called The telemarketing "undergrowth" will always have a chance to finalize its activities and realize its undue economic gains.

Tim, in his defence, instead provided elements mostly linked to the dimension of the contractual legitimacy between himself and his partners, without however producing the necessary evidence of suitable and decisive concrete initiatives towards abusive subjects (additional to the complaints and reports to various Authorities, from the various work tables and technical trials, all measures and initiatives, however, clearly worthy of appreciation), assumed as owner and final manager of the treatment, in the face of the spread of such an invasive phenomenon.

In particular, it did not prove that it had carried out adequate checks on the contracts that may have been activated by subjects who unduly use Tim's name. Tim's history, structure and organizational size would have enabled this company, leader in the Italian telephone market and always a protagonist of the economic-productive life of the country, "to prepare with due diligence cutting-edge organizational measures in the protection of interested parties, as well as appropriate and effective control tools on the entire supply chain (even the one outside the sales force) involved in the processing of personal data." (see Eng. order 16 December 2021, cit.).

This, even more so, in consideration, on the one hand, of the amount of personal data which the company holds; on the other hand, the high number of reports received directly and the repeated requests for information sent by the Guarantor.

To certify an inadequate control on this aspect, it should be noted that Tim - although requested on 9.9.2022 by the Authority to provide information on the contracts activated through the network outside the sales force - in the aforementioned response of 9.28.2022 , and likewise in other phases of the present proceeding (defensive brief; hearing), did not provide any elements in this regard, limiting itself to describing the management of the telephone outbound only carried out by the Sales Force and the sporadic detection of 'off the list' with respect to this network official.

The importance of verifying the legitimacy of the original contact was moreover well known to Tim who, in fact, reported that he had put in place, in relation to the unlisted persons from his own sales force, a punctual verification activity at the customer's premises in order to the legitimacy of the origin of the personal data at the basis of the contractual proposal, but to have experimented it for a limited period of time, to then abandon it, allegedly in the face of the annoyed reaction of some interested parties.

With regard to the significant number of "off-list" phone calls made by Tim's official network, as represented by the same in its defense brief (a total of 1,715 in the period January 2021 - June 2022), it should also be remembered that with the provision of 5 January 2020 the Company had been ordered to "implement a technical and organizational procedure, in the campaign management system, which would allow Tim to know and govern correctly, as well as adequately document the phenomenon of calls addressed to so-called "off the list", as well as to ensure that these users are contacted for promotional purposes only if a suitable consent is available or on the basis of another detailed and documentable legal basis pursuant to articles 6 and 7 of the Regulation" (prescription referred to in letter e) of the provision of the provision January 15, 2020).

Far from setting up effective control systems on the origin of the contract, Tim declared that he would in any case collect the contracts (see hearing mentioned above) and, moreover, in the overall preliminary investigation phase, he initially represented that he was not required to provide further elements in order to telephone calls from the unofficial network, precisely because such telephone calls would go beyond his sphere of competence and responsibility, then he declared that he had carried out a control work which led to a significant number of contractual terminations in his own sales network, without clarify the causes of these terminations and, above all, without highlighting the impact this choice has had on any contractual proposals formed as a result of illicit contacts. These elements, combined with the observation that most of the reports received by both the Authority and Tim itself of illicit promotional contacts come from numbers not belonging to the Company's sales network, demonstrate a significant underestimation of the phenomenon and the related responsibilities also incumbent on the client companies.

In this regard, the Authority has not failed, on other occasions, to recall, precisely in a preventive logic and respect for privacy by design, the possibility of resorting to corporate and organizational choices aimed, for example, at inhibiting the activation contractual offers or services when they are certainly not attributable to activities carried out in compliance with the rules and rights of the interested parties from the moment of the first contact and the origin of the data (see the aforementioned provisions of 12 November 2020 and 25 March 2021).

A contract acquired in violation of the regulations on the protection of personal data should not find entry into the systems of the companies, since the same would result from an illegal fact and in clear violation of the art. 2-decies of the Code, according to which "Personal data processed in violation of the relevant regulations on the processing of personal data cannot be used...".

We are aware of the apparent conflicting need to meet the negotiating will of the interested party in any case, but if anything, this objective can be achieved after an amnesty procedure that necessarily verifies that same will, once it has been proposed, even after the contractor l illegality of the original contact.

And it is only by implementing punitive measures, following the outcome of the aforementioned verification procedure, and by avoiding the payment of commissions to those who have presented the company with a contract affected by these defects that the illicit food coming from the "undergrowth" can be stemmed.

The Company, acquiring in its systems the personal data of the subjects who, after being contacted, have accepted the offers proposed, should adopt measures of particular guarantee in order to prove that these contracts originate from contacts made in full compliance with the provisions on protection of personal data, in particular those referred to in articles 5, 6 and 7 of the Regulation relating to consent. The interventions of the Guarantor mentioned above and the parallel activity of the national legislator in the matter of unwanted calls (most recently, with the strengthening of the protections provided by the Public Opposition Register) acknowledge the level reached by the users' intolerance which requires them to demand an increase guarantee measures by those who benefit from these economic activities, taking into account that, at the state of the art, further and more advanced solutions of a technical and organizational nature are already available. The numerous preliminary activities conducted over the years by the Guarantor in the field of telemarketing as well as the parallel discussions carried out with the various data controllers, have allowed us to conclude, based on experience data, that the implementation of procedures governing telemarketing and of teleselling alone cannot constitute a valid barrier to the widespread practices of undue contacts if it is not accompanied by equally rigorous procedures for controlling contracts and activations.

From the foregoing, therefore, while acknowledging the important measures implemented by Tim, an unsatisfactory picture still emerges in terms of compliance with the principles of accountability, confirming the violation of articles 5, par. 2 and 24 of the Regulation, such that it can also be considered the basis of the individual violations which are summarized below:

the. first of all, the cases referred to in files 164015 (formerly 154626) are highlighted; 168248 and 163526, which can be combined in the underlying factual and legal dynamics.

For the first of these, the contact, according to Tim, was made on the basis of a documented consent given directly to the Company, but also on the basis of the communication of the same data for marketing purposes by XX. However, the information does not include some essential elements pursuant to art. 13 of the Regulation, such as the data retention times or the criteria for calculating them and the possibility of appealing to the Guarantor; the unsuitability of the information also affects the consents acquired by XX, which therefore must be considered invalid (see Ing. ordinance 10 February 2022, web doc. n. 9756869).

In the case in question, based on the documentation provided by the Company, it is believed that neither the owner nor the list provider has provided elements capable of proving the integrity of the database in which the results of the registration of the interested parties were collected and the adequacy of the production and conservation measures of the system logs, and that they have not indicated the conservation methods suitable to guarantee the unmodifiability of the collected data. From this point of view, the mere proposition of a string of text, allegedly certifying the expression of a consent, lacking the elements indicated above, cannot be considered adequate to fully document the methods of its acquisition as well as its genuineness and integrity, nor, more in general, the process of acquiring data from data subjects. To this end, the display of Excel tables - allegedly relating to the registration data - copied on the texts provided in response to the requests of the Guarantor certainly cannot be considered suitable.

As is known, the art. 7, par. 1 of the Regulation, clearly establishes the obligation of the data controller to demonstrate the consent of the interested party. The documentation of the online consent must be provided with technical methods such as to guarantee the unchangeable registration of the authentic will of the user. In this sense, with regard to the legitimacy of the consents allegedly expressed by the interested parties, it is noted that the documentation produced by the list providers is not suitable for demonstrating the real and genuine expression of consent to the receipt of promotional messages and their transfer to third parties. For the purposes of demonstrating the consent given by the interested party, it would be useful to produce not only the IP address and the Timestamp, but, to certify the unequivocal will of the interested parties, it would also be advisable to produce the related log files. Moreover, the Authority has repeatedly deemed it necessary, as a minimum and sustainable measure, in the state of the art, for the owner to adopt further measures, such as sending a confirmation message to the address indicated during registration - the so-called double opt-in (see provision 26 October 2017, web doc. n. 7320903 and provision 25 November 2021, web doc. n. 9737185).

Moreover, more precisely, with regard to the documentation relating to the consent acquired by the interested parties, it may be useful, as an example of a way to prove the consent of the interested parties, as provided for in art. 3, paragraph 1, letter c) of the d.P.C.M. November 13, 2014 containing "Technical rules on the formation, transmission, copying, duplication, reproduction and time stamping of IT documents as well as the formation and conservation of IT documents of public administrations pursuant to articles 20, 22, 23-bis, 23- ter, 40, paragraph 1, 41, and 71, paragraph 1, of the Digital Administration Code (legislative decree no. 82.2005"), according to which the "computerized recording of information resulting from IT transactions or processes is an electronic document or from the telematic presentation of data through forms or forms made available to the user”. As regards the non-modifiability of the document thus formed, an essential element for fully attesting the expression of the data subject's consent, it should be remembered that, pursuant to paragraph 6 of the same article, "the characteristics of non-modifiability and integrity are determined by the operation of recording the outcome of the same operation and the application of measures for the protection of the integrity of the databases and for the production and storage of system logs, or with the production of a static data extraction and the transfer of the itself in the conservation system”

Therefore, as a consequence, the communication of data by the list provider to Tim is illegal and it follows that subsequent processing for promotional purposes carried out by the Company is to be considered equally illegal. Furthermore, Tim has not demonstrated the release to the interested party of its own information pursuant to art. 14 of the Regulations, resulting in the deeds only the declaration of the aforementioned list provider of having sent an informative e-mail to the subjects whose data have been transferred, but of not being able to produce it (like the related report), because, having passed 23 months from the sending of the email, the latter would no longer be "available on the sending platform" (Annex 12 in the file).

Similarly, the treatment carried out by Tim, albeit limited, of the data referred to in file 168248 (registration and storage, acknowledging the Company's declaration that it has not used the related telephone number for promotional campaigns) can be considered illegitimate, given that there are no disclosure issued by Tim nor any consent acquired, except those attributable to XX with the same criticalities identified for the previous case.

Also with reference to the file 163526, the consent acquired from the transferor data controller (XX), for communication to third parties ("I consent to the transfer to third parties for the purposes described in the information"), is unsuitable because it is formulated generically and not, as necessary, for the specific third party marketing purposes. This, also considering that in the text of the information provided by the aforementioned owner on the site www.listeprofilate.com, the communication of the data of the interested parties was also foreseen for different purposes ("they may be communicated by the Owner, to the extent that this is necessary to execute contractual obligations and.or to fulfill legal obligations, to independent third party data controllers, such as notaries and chamber of commerce officials in charge of identifying the winners of the prize competition organized on the Site, as well as the third parties indicated in the regulation of the competition prize, to which the data must necessarily be communicated to allow the User to take advantage of any prizes won (e.g. travel agencies, ticket offices, hotels, etc.)". Which evidently does not facilitate the understanding of the exact scope of the consent generally required (for transfer to third parties).Furthermore, the alleged lack of promotional contacts does not affect the illegality of some treatments that are relevant in themselves, such as the recording and storage of data collected in ways that do not comply with the law. It must also be considered that the 'collection', like the 'storage', of personal data - is in itself - regardless of any further processing, such as the sending of communications for promotional purposes, a processing operation relevant for of the legislation on the matter (see art. 4, paragraph 1, letter letter a), of the Regulation, which incorporates the provisions of the previously applicable art. 4 of the Code; in this sense, see, among others: provv. 12 June 2019, doc. web no. 9120218; provision you 27 October 2016, doc. web no. 568777; 20 November 2014, doc. web no. 3657934).

ii. Also with regard to the fasc. 163526, the information fulfillment due by Tim pursuant to art. 14 of the Regulation and the Company limited itself to referring to its own operating practice of issuing "a summary oral information with the possibility of viewing the complete information on the website", without however providing any demonstration or documentation in this regard (in topic, see also provision of 27 May 2021, web doc. n. 9689375).

Moreover, the said disclosure must in any case be provided, even if the promotional contact has not been made, "within a reasonable term of obtaining the personal data, but at the latest within one month, in consideration of the specific circumstances in which the personal data are treated" (see art. 14, par.3, letter a), or - if the sending of communications to the interested party is envisaged - "no later than the first communication".

iii. peaceful then appears the confirmation of the violation of Articles 13 as well as 6-7 of the Regulation, in relation to the case of fasc. 174561 considering that Tim has admitted unwanted telephone contact, without giving evidence of either the consent or the information provided by the interested party.

The need therefore emerges to confirm, in the terms set out above, for the complaints relating to unwanted telemarketing, the violation pursuant to Articles 5, par. 2 and 24, as well as - with limited regard to files 164015 (formerly 154626), 163526; 168248 - of the articles 6, 7 and 14 of the Regulation and 130 of the Code, as well as to adopt a provision for the prohibition of processing for promotional purposes of all data acquired from XX, XX and other list providers, with a similar defect, for which Tim does not have a informed consent, otherwise acquired, and documented in the terms indicated above.

4.3. Exercise of rights.

As a preliminary point, it should be noted that the Authority, having examined the compliance report, prepared by the Company regarding the implementation of the instructions given with the aforementioned provision no. 7.2020, decided to send a request for information on 19.01.2021, taking the opportunity to provide the Company with clarifications also on the measures to be taken to ensure the best compliance with the law. Moreover, with the aforementioned note, in addition to some operational indications on telemarketing, it was recalled that, pursuant to art. 12, paragraph 3, of the Regulation: "The data controller provides the interested party with information relating to the action taken regarding a request pursuant to articles 15 to 22 without unjustified delay and, in any case, at the latest within one month of receipt of the request itself. This deadline may be extended by two months, if necessary, taking into account the complexity and number of requests". For the legislator, therefore, that of 30 days is a maximum term, which should be used exceptionally, where it is not possible to satisfy the request earlier, as the extension of two months must be considered, all the more exceptional.

- File 172687: the delay was clearly admitted by Tim and the settlement of the contractual dispute, which occurred after the claim of the interested party, cannot eliminate the established violations, which therefore must be considered confirmed;

- File 174463: Tim has not denied what was reported during the preliminary investigation, in response to the request for information from the Office, adding the reference to an initial, undocumented response, and admitting late responses to further reminders that would be justified by the complexity of the request presented, without however explaining the alleged complexity;

- Files 161814 and 173533: the Company has expressly admitted the delay, while stating that these are practically isolated cases, probably attributable "to a human error in an organization as articulated and complex as that of TIM"; delays contrary to "the provisions of its internal procedures".

- Files 165144-165619-165752-165585 (in truth, referring to a single grievance originating from a single whistleblower): also in this case, the delay was expressly admitted by the Company;

- File 175169: while acknowledging the composite nature of the request as well as the response finally provided by Tim to the interested party, it must be noted that both the phased management (the request for traffic data processed in two different moments, without an appreciable reason, under the logical-juridical aspect), and the overall management (the last reply provided by the Company is dated 22.2.2022) conflict with the legislation, which provides for a reply without unjustified delay, considering that the request of the interested party dates back to 7.6 .2021;

- Files 163087 and 166767 (formerly 165318): it is believed that the overall reasons given by Tim can be shared and allow the Company to be exempted from the application of the sanction and therefore that the proposed violations can be archived;

- File 162474: it is confirmed that the interested party's request via pec has not been answered;

- File li 160287 and 169170: the Authority considers filing the related disputes, considering, for the first, that the reports of the interested party are placed at the beginning of the adjustment period established for the fulfillment of the provisions contained in provision 7 January 15, 2020; and, for the second, that the Company clarified that it had given the interested party feedback also with regard to the impossibility of providing copies of the recordings of the telephone calls made with the customer service, as these recordings were not made.

Therefore, excluding files 160287, 169170, 163087 and 166767 (formerly 165318) - this Authority must confirm, for the other aforementioned interested parties, the violations of articles 12, par. 2 and 3 and 15, par. 1, of the Regulation, as well as 124, paragraph 1, of the Code (the latter provision, limited to file 172687 and file 174463).

It is also deemed necessary to order Tim to adopt organizational and technical measures aimed at improving the management of such requests.

4.4. Publication in telephone directories.

With regard to files 175715, 172121 and 171194, the overall examination of the documents does not reveal proof of the collection of a specific consent, given by the interested parties, for publication in the lists. In fact Tim - although obliged to demonstrate its obligations also on the basis of the principle of accountability - limited itself to producing a copy of the screen displaying the aforementioned consent in its systems, without attaching a copy of the paper form.form web signed by the interested parties, or other documentation (e.g.: voice recording), with reference to the choice relating to publication in the directory. It is evident that such documentation constitutes the necessary coherent operational prerequisite for what is present in the corporate systems and that any lack of expression of will ("request for confidentiality"), by the interested parties, should be recorded as a refusal (and not as consent) ,  requiring express and prior consent, as well as free, informed and documented consent (see also art. 12, paragraph 2, directive 2002.58.CE,  on the basis of which: "Member States ensure that subscribers have the possibility to decide whether their personal data -and if so- "which should be included in a public directory, provided that such data is relevant for the purposes of the directory declared by its provider. Member States shall ensure that subscribers have the opportunity to verify, rectify or withdraw such data.").

Similar reasoning (relating to the need for the documentation underlying the consent allegedly given for publication in the list) can also be applied to the case referred to in file 159767, with regard to the original publication of the fixed user, with respect to which Tim also admitted that he had not provided a "pertinent" response, not detecting, in function of exempting the violation, the subsequent transfer of the customer to another operator.

From a different point of view - for the cases of files 174664, 165144, 165619, 165752, 165585 and 165665 - it cannot be recognized as a function exempting the technical problems (indicated in Tim's defence), given that the holder was not able to fully trace the various events back to the concrete cause that produced them individually. In fact, the indication provided is generic and unsubstantiated, and does not allow us to be aware of the actual correctness of the processing in place, as well as regarding the measures put in place to protect the data to guarantee their integrity.

Therefore, with regard to the aforementioned events (files 171194; 174664; 165144; 65619; 165752; 165585; 165665; 159767; 172121 and 175715), the violation of articles must therefore be considered confirmed 6 and 7 of the Regulation as well as 129, paragraph 2, of the Code.

On the other hand, with regard to the fasc. 164121, in the light of the clarifications provided by Tim, and in particular of the contractual documentation attached hereto, it is deemed appropriate to file the dispute relating to the lack of consent (for publication in the lists), like that relating to art. 12, par. 3, of the Regulation.

Finally, it is also believed to file the proposed dispute in relation to file 162474, since in the present case there is no request from Tim to publish the data in the public directories.

Having said that, however, it is deemed necessary to order Tim to adopt organizational and technical measures aimed at improving the implementation of the discipline pursuant to art. 129, co.2, of the Code.

4.5. Information for e-commerce on the website www.Tim.it.

Considering what Tim has highlighted in this regard on the access made by the interested party without being able to view the privacy information, it is considered necessary to file the relative dispute, considering that, as clarified by the Company, it was a technical problem of short duration and plausibly explainable by unforeseeable circumstances or force majeure (e.g. excessive congestion of the Internet network) and not by Tim's willful or guilty conduct.

4.6. Data breaches.

Also in the light of the findings in the Office's records, regarding the Company's notification of other data breaches to the Authority, and while acknowledging Tim's observations (limited perimeter of the violation and common nature of the violated data) regarding the one in question in the provision, it is deemed necessary to confirm the proposed violation of art. 32, par.1, lett. b), of the Regulation, considering that not only the whistleblower but also Tim has remained inactive over time, not having verified and detected the problem complained of for a long time.

4.7. Investigations carried out on specific cases and related outcomes.

With regard to the investigations raised on specific cases, the following is highlighted:

- File no. 147099, it is believed that - in the face of the technical problem explained several times by the interested party, without prejudice to the retention of data for any contractual, administrative, accounting or legal purposes - the owner must proceed with the cancellation request (in the case specific, of the account), without delay, especially where the interested party encounters technical difficulties in implementing the procedures provided by the owner, and therefore the violation of art. 12, par. 2, of the Regulation;

- File 169442, considering that the copy of the information produced by the Company does not bear any sign of the means of transmission, nor of the temporal circumstances of the transmission allegedly made to the interested party, the violation of art. 13 of the Regulation;

- files 166823 and 165813, it is deemed necessary to confirm the dispute in the light of what was said in the aforementioned paragraph (4.2.), "Unwanted telemarketing", concerning the violation of the provisions indicated therein, with particular reference to the principle of accountability.

5. OVERALL RESULTS AND CONSEQUENT MEASURES TO BE ADOPTED.

In consideration of the above, overall, the following provisions of the Regulation are violated:

- art. 5, par.2 and 24;

- art. 6;

- art. 7;

- art. 12, par.2 and 3;

- art. 13;

- art. 14;

- 15, par. 1;

- 32, par.1, lett. b);

as well as the following provisions of the Code:

- articles 124, paragraph 1; 129, paragraph 2; 130.

Based on the ascertainment of these violations, while acknowledging the detailed measures already adopted by the Company, it is necessary, with respect to Tim spa:

a) pursuant to art. 58, par. 2, lit. d) of the Regulation, to order the adaptation of any treatment carried out for telemarketing and teleselling purposes to methods and measures suitable for foreseeing and proving at any time that the activation of offers and services and the registration of contracts takes place only following contacts promotions carried out by the Company's sales network through telephone numbers surveyed and registered in the ROC - Register of Communication Operators and without prejudice to the necessary verification of the contact lists and, for each contractual proposal, of the certain traceability of each activity, from the first contact to uploading information into the telephone company's system, to figures operating within the official sales network, duly surveyed and responsible for the telephone company itself;

b) pursuant to art. 58, par. 2, lit. f), of the Regulation, prohibit the processing for promotional purposes of all data acquired by XX and XX, for which Tim does not have informed and documentable consent in the terms indicated above, as well as, possibly, by other list suppliers, with analogous vice;

c) pursuant to art. 58, par. 2, lit. d), enjoin the adoption of organizational and technical measures aimed at improving the management of requests to exercise the rights pursuant to articles 15-22 of the Regulation and 124, paragraph 1, of the Code;

d) pursuant to art. 58, par. 2, lit. d), enjoin the adoption of organizational and technical measures aimed at improving the implementation of the discipline referred to in art. 129, co. 2, of the Code;

e) adopt an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of the law n. 689.1981, for the application of the pecuniary administrative sanctions provided for by art. 83, par. 4 and 5, of the Regulation.

6. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION.

On the basis of the foregoing, considering the violations referred to, the penalties provided for by art. 83, para. 4 and 5, of the Regulation. However, as various provisions of the Regulation and of the Code have been infringed in relation to connected treatments carried out by the Company for marketing purposes, art. 83, par. 3, of the Regulation, according to which, "if, in relation to the same treatment or related treatments, a data controller violates, with willful misconduct or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed amount specified for the most serious violation”, thus absorbing the least serious violations.

Specifically, the aforementioned violations - having as their object, among others, the rights of the interested parties - are to be traced back, pursuant to art. 83, par. 3, of the same Regulation, in the context of the most serious violation envisaged for the non-compliance with the aforementioned conditions of lawfulness, with consequent application of the sole sanction provided for in art. 83, par. 5, of the Regulation.
For the purpose of quantifying the administrative fine, the aforementioned art. 83, par. 5, in setting the statutory maximum in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the previous year where higher, specifies the methods for quantifying the aforementioned fine, which must "in any case [ be] effective, proportionate and dissuasive" (Article 83, paragraph 1, of the Regulation), identifying, for this purpose, a series of elements listed in par. 2 of the art. 83 in question, to be evaluated when quantifying the relative amount.

As aggravating circumstances, in this case, the following must be considered:

1. the significant number of interested parties involved, with particular regard to the users acquired by XX and by XX, for the promotional purposes of Tim (letter a) and, more generally, of the recipients of wild telemarketing;

2. the serious nature of the violation, with particular regard to the processing of lists of users acquired with consent for promotional purposes with unprovable methods, as well as the publication in public lists of the data of the most interested parties, with the consequent dissemination of the same data; as well as the highly pervasive nature of the aforementioned telemarketing activities (letter a);

While recognizing the recidivism of some violations (specifically, with regard to the management of the requests of the interested parties) with respect to those covered by previous provisions (including in particular, most recently, the provision of 15 January 2020, cited .; letter i) , it is deemed not to consider the repetition, due to the reduced payment of the fine provided for by the injunction order, included in the aforementioned provision of 2020 (see art. 8-bis, paragraph 5, law n.689/1981).

As mitigating elements, it is believed that the following should be taken into account:

1. the fact that, overall, there was a significant decrease in the number of reports and complaints received by the Guarantor against Tim compared to what was recorded in the period covered by the investigation that led to the provision of 15 January 2020, as well as the percentage of violations found with respect to the complaints in question (letter a);

2. the measures adopted to limit the problems encountered, with particular reference to the promotional activities of the sales force (letter c);

3. the constant collaboration provided during the investigation conducted (letter f).

The set of elements indicated above must be assessed taking due account of the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1, of the Regulation, and, in this perspective, the significant economic results of the Company, but, at the same time, also the necessary balance between the rights of the interested parties and the freedom to do business, also in order to limit the economic impact of the sanction on the needs organisational, functional and occupational aspects of the Company. Having said that, it is believed that it should apply to Tim S.p.A. the administrative sanction of the payment of a sum of 7,631,175 euros, equal to 1.5% of the statutory maximum (508,745,019 euros), calculated - similarly to the previous provisions adopted in the same matter - with respect to the Company's turnover (12,718. 625.495) and not of the corporate group to which it belongs.

In the case in question, it is believed that the ancillary sanction of publication on the Guarantor's website of this provision should also be applied, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Regulation of the Guarantor n. 1.2019, taking into account the matters subject to the investigation, and in particular the pernicious phenomenon of 'wild' telemarketing, also in relation to the circulation and use for promotional purposes of inadequately informed and approved lists, acquired from third parties, as well as the incomplete management of some requests for the exercise of the fundamental rights of data subjects  (see, among others, provision 22 May 2018, web doc. n. 8995274 and provision 18 April 2019, web doc. n. 9105201), with respect to which this Authority has adopted numerous provisions both of a general nature and aimed at specific data controllers and on which the attention of users is high.

Finally, the conditions set forth in art. 17 of Regulation no. 1.2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation.

ALL THIS CONSIDERING THE GUARANTOR

a) pursuant to art. 57, par. 1, lit. f) of the Regulation, declares the processing carried out by Tim S.p.A. to be unlawful. - with registered office in Via Gaetano Negri, 1, Milan; p. VAT 00488410010 - described in the terms referred to in the justification, and, as corrective measures, against the same Company:

b) pursuant to art. 58, par. 2, lit. d) of the Regulation, to order the adaptation of any treatment carried out for telemarketing and teleselling purposes to methods and measures suitable for foreseeing and proving at any time that the activation of offers and services and the registration of contracts takes place only following contacts promotions carried out by the Company's sales network through telephone numbers surveyed and registered in the ROC - Register of Communication Operators and without prejudice to the necessary verification of the contact lists and, for each contractual proposal, of the certain traceability of each activity, from the first contact to uploading information into the telephone company's system, to figures operating within the official sales network, duly surveyed and responsible for the telephone company itself;

c) pursuant to art. 58, par. 2, lit. f), of the Regulation, prohibits the processing for promotional purposes of all data acquired by XX, XX, for which Tim does not have informed and documentable consent in the terms indicated above, as well as, possibly, by other list suppliers, with analogous vice;

d) pursuant to art. 58, par. 2, lit. d), enjoins the adoption of organizational and technical measures aimed at improving the management of requests to exercise the rights pursuant to articles 15-22 of the Regulation and 124, par. 1, of the Code;

e) pursuant to art. 58, par. 2, lit. d), enjoins the adoption of organizational and technical measures aimed at improving the implementation of the discipline referred to in art. 129, co. 2, of the Code;

f) pursuant to art. 58, par. 1 of the Regulation, invites you to communicate, within 30 days from the date of receipt of this provision, which initiatives have been undertaken in order to implement the provisions of this provision and in any case to provide adequately documented feedback. Please note that failure to respond to the request pursuant to art. 58 is punished with the administrative sanction pursuant to art. 83, par. 5, letter. e), of the Regulation;

ORDER

to Tim spa to pay the sum of 7,631,175 euros, as an administrative fine for the violations indicated in the justification, representing that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute, with the fulfillment of the instructions given and the payment, within the term of thirty days, of an amount equal to half of the fine imposed;

ENJOYS

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 7,631,175, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of the law n. 689.1981;

HAS

as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and of the art. 16 of the Regulation of the Guarantor n. 1.2019, the publication on the Guarantor's website of this provision and, pursuant to art. 17 of the Regulation of the Guarantor n. 1.2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation, of the violations and of the measures adopted.

Please note that, pursuant to art. 170 of the Code, anyone who fails to comply with this provision prohibiting processing is punished with imprisonment from three months to two years and, in the event of non-compliance with the same provision, the sanction referred to in to art. 83, par. 5, letter. e) of the Regulation.

Pursuant to art. 78 of Regulation (EU) 2016.679, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the owner of the processing of personal data has his residence, or, alternatively, with the court of the place of residence of the interested party. , within the term of thirty days from the date of communication of the provision itself, or of six 166189 days if the appellant resides abroad.

Rome, 13 April 2023

PRESIDENT
Station

THE SPEAKER
Zest

THE SECRETARY GENERAL
Matthew