Garante per la protezione dei dati personali - 9256486

From GDPRhub
Garante per la protezione dei dati personali - doc. web. n. 9256486
Garante per la protezione dei dati personali Italy.jpg
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 4 GDPR

Article 5 GDPR

Article 6 GDPR

Article 7 GDPR

Article 12 GDPR

Article 13 GDPR

Article 21 GDPR

Article 24 GDPR

Article 25 GDPR

Article 28 GDPR

Article 32 GDPR

Type: Complaints
Outcome: Upheld
Decided: 15. 1. 2020
Published: n/a
Fine: € 27.802.946
Parties:

TIM S.p.A.

Vs. Anonymous

National Case Number: 9256486
European Case Law Identifier: n/a
Appeal: n/a
Original language:

Italian

Original Source: Garante per la protezione dei dati personali

15 January 2020, the Italian Data Protection Authority (Garante) imposed a fine of € 27.802.946 on a telecommunications company, TIM S.p.A. Following hundreds complaints related to the receipt of unsolicited promotional calls, investigations pursued by the Italian Authority revealed several unlawful processes of personal data for the purpose of promotional activities.

English Summary[edit | edit source]

Facts[edit | edit source]

The Garante examined different complaints relating to unsolicited promotional calls received by prospects without their consent or despite their express will not to receive them. Further irregularities complained of concerned the collect of consent for promotional purposes in different forms for customers and company’s programs and apps. Users also complained deficiencies in the response to data subjects’ requests, namely requests of access to one's own data and to oppose to data processing for promotional purposes. The Garante also examined several notifications TIM made concerning different data breaches that occurred, which have highlighted inconsistencies in the systems, both of TIM and its providers (namely, call centers), that process personal data of customers such as to cause, for instance, an inaccurate use of customers contact details.

Dispute[edit | edit source]

The Garante had to assess whether TIM lawfully processed prospects’ personal data in its commercial campaigns, namely by applying a legal basis (e.g. consent) to such processing, and ensuring that its providers process personal data accordingly. The Authority also had to determine whether the process of customers and prospects’ personal data complied with data subjects’ requests which object to processing. In this regard, the Authority also analyzed the validity of consent collected for promotional purposes and the related information provided in different forms submitted by the company, including in customers programs and apps. The Garante had to evaluate the compliance of the storage and use for promotional purposes of data relating to customers of others operators, to whom TIM provided network and infrastructure services. Finally, the Authority investigated the management of data breaches by the company namely in relation to customers data processing for promotional purposes, with regard to both the timeliness of the notification and the measures taken to reduce the risks to the rights and freedoms of data subjects.

Holding[edit | edit source]

The Garante found that the processing of prospects’ personal data was not based on a valid consent nor on another lawful basis, hence violating namely Articles 6 and 7 GDPR. Process of prospects and customers’ personal data for marketing purposes was also conducted against the objection from data subjects, thus in breach of Article 21 (2) (3) GDPR. In different forms submitted by the company, as well as in programs and customers apps, consent collected for promotional purposes was not specific and freely given, nor the related information provided was transparent and unambiguous, thus violating articles 4 (11), 7, (1), (2), (4), 12 (1) and 13 GDPR. Moreover, the Authority found that data relating to customers of others operators was stored and used infringing the principles of fairness, purpose limitation, storage limitation, accuracy and integrity referred to in Article 5 (1) GDPR. Concerning the management of data breaches, the Garante considered TIM did not ensure, by appropriate technical and organizational measures, an appropriate level of integrity and confidentiality, nor the accuracy of data, as required by Articles 5 (1) (d), (f), 32 and 33 GDPR. In general, the Garante considered TIM was not able to account and prove compliance for various fundamental aspects of the data processing carried out directly or through its providers, thus not respecting its obligations in terms of accountability (Article 5 (2) and 24 (1), (2) GDPR), privacy by design (Article 25 (1) GDPR) and as controller towards its data processors (Article 28 GDPR). Consequently, the Garante issued a sanction of € 27.802.946, together with different corrective measures.

Comment[edit | edit source]

Share you comment here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the original. Please refer to the Italian original for more details.

Marketing: from the Privacy Guarantor sanction of 27 million and 800 thousand euros to Tim

The Privacy Guarantor has imposed a fine of 27,802,946 euros on Tim spa for numerous unlawful processing of data related to marketing activities. The violations involved a total of several million people.

From January 2017 to early 2019, the Authority received hundreds of reports relating, in particular, to the receipt of unsolicited promotional calls made without consent or despite the registration of telephone users in the Public Objections Register, or even despite the fact that the persons contacted had expressed to the company their wish not to receive promotional calls. Irregularities in the processing of data were also complained about in the offer of prize contests and in the forms submitted to users by Tim.

From the complex investigative activity that resulted, carried out also with the contribution of the Special Protection of Privacy and Technological Fraud Unit of the Guardia di Finanza, numerous and serious violations of the discipline regarding the protection of personal data have emerged.

Tim has demonstrated that he does not have sufficient account of fundamental aspects of the data processing carried out (accountability).

Among the millions of promotional telephone calls made in six months to "non-customers", the Authority found that the call center companies commissioned by Tim have, in many cases, contacted those concerned without their consent. One person was called 155 times in a month. In about two hundred thousand cases, "off-list" numbers were also contacted, i.e. not on Tim's contact lists. Other unlawful conduct was also detected, such as the company's lack of control over the operations of some call centres; the incorrect management and failure to update the black lists where people who do not want to receive advertising are registered; the compulsory acquisition of consent for promotional purposes in order to join the "Tim Party" programme with its discounts and prizes.

In the management of some apps intended for customers, moreover, incorrect and non-transparent information on data processing was provided and invalid consent acquisition methods were adopted. In some cases paper forms were used with a request for a single consent for different purposes, including marketing.

The management of data breaches was not efficient, just as the implementation and management by the Company of systems that process personal data (in violation of the principle of privacy by design) was inadequate. Misalignments emerged between Tim's black lists and those of the call centres in charge, as well as for audio recordings of contracts entered into by telephone (verbal orders).  The users of clients of other operators, held by Tim as network operator, were stored for a time longer than the legal limits and included, without the consent of the interested parties, in some promotional campaigns.

In addition to the sanction, the Authority imposed 20 corrective measures on Tim, including prohibitions and prescriptions. In particular, it prohibited Tim from using the data for marketing purposes of those who had expressed to call centres their refusal to receive promotional calls, those on the black list and "non-customers" who had not given their consent.

The company may no longer use even the customer data collected through the apps "My Tim", "Tim Personal" and "Tim Smart Kid" for purposes other than the provision of services without a free and specific consent.

Among the prescriptions, the Guarantor has enjoined Tim to verify the consistency of the black lists used and to promptly acquire those formed by call centers to transfer them to its black list. Tim must also review the "Tim Party" program and allow customers access to discounts and sweepstakes by eliminating the mandatory consent to marketing. The company must also verify the procedure for the activation of all the apps, always specify, in clear and comprehensible language, the processing carried out with an indication of the purposes pursued and the processing methods used, and acquire valid consent. The Company shall also implement the technical and organizational measures relating to the management of the requests for the exercise of the rights of the data subjects and strengthen the measures aimed at ensuring the quality, accuracy and timely updating of the personal data processed by the various systems of the company.

The measures and implementations required must be introduced and communicated to the Authority within set timescales, while the payment of the penalty must be made within thirty days.