Garante per la protezione dei dati personali - 9256486
|Garante per la protezione dei dati personali - doc. web. n. 9256486|
|Authority:||Garante per la protezione dei dati personali (Italy)|
|Relevant Law:||Article 4 GDPR|
|Decided:||15. 1. 2020|
|National Case Number:||9256486|
|European Case Law Identifier:||n/a|
|Original Source:||Garante per la protezione dei dati personali|
On 15 January 2020, the Italian Data Protection Authority (Garante) imposed a fine of € 27.802.946 on a telecommunications company, TIM S.p.A. Following hundreds of complaints related to the receipt of unsolicited promotional calls, investigations pursued by the Italian Authority revealed several instances of unlawful processing of personal data for the purpose of promotional activities.
English Summary
Facts
The Garante examined different complaints relating to unsolicited promotional calls received by prospects without their consent or despite their express will not to receive them. Further irregularities complained of concerned the collection of consent for promotional purposes in different forms for customers and in the company's programs and apps. Users also complained of deficiencies in the response to data subjects' requests, namely requests for access to their own data and objections to data processing for promotional purposes. The Garante also examined several notifications TIM made concerning different data breaches that occurred, which highlighted inconsistencies in the systems, both of TIM and of its providers (namely, call centers), that process customers' personal data, such as to cause, for instance, an inaccurate use of customers' contact details.
Dispute
The Garante had to assess whether TIM lawfully processed prospects' personal data in its commercial campaigns, namely by applying a legal basis (e.g. consent) to such processing, and ensuring that its providers process personal data accordingly. The Authority also had to determine whether the processing of customers' and prospects' personal data complied with data subjects' objections to processing. In this regard, the Authority also analyzed the validity of consent collected for promotional purposes and the related information provided in different forms submitted by the company, including in customer programs and apps. The Garante had to evaluate the compliance of the storage and use for promotional purposes of data relating to customers of other operators, to whom TIM provided network and infrastructure services. Finally, the Authority investigated the management of data breaches by the company, namely in relation to the processing of customers' data for promotional purposes, with regard to both the timeliness of the notification and the measures taken to reduce the risks to the rights and freedoms of data subjects.
Holding
The Garante found that the processing of prospects' personal data was based neither on valid consent nor on another lawful basis, hence violating namely Articles 6 and 7 GDPR. The processing of prospects' and customers' personal data for marketing purposes was also conducted against the objection of data subjects, thus in breach of Article 21 (2) (3) GDPR. In different forms submitted by the company, as well as in programs and customer apps, consent collected for promotional purposes was not specific and freely given, nor was the related information provided transparent and unambiguous, thus violating Articles 4 (11), 7 (1), (2), (4), 12 (1) and 13 GDPR. Moreover, the Authority found that data relating to customers of other operators was stored and used in a way that infringed the principles of fairness, purpose limitation, storage limitation, accuracy and integrity referred to in Article 5 (1) GDPR. Concerning the management of data breaches, the Garante considered that TIM did not ensure, by appropriate technical and organizational measures, an appropriate level of integrity and confidentiality, nor the accuracy of data, as required by Articles 5 (1) (d), (f), 32 and 33 GDPR. In general, the Garante considered that TIM was not able to account for and prove compliance with regard to various fundamental aspects of the data processing carried out directly or through its providers, thus not respecting its obligations in terms of accountability (Article 5 (2) and 24 (1), (2) GDPR), privacy by design (Article 25 (1) GDPR) and as controller towards its data processors (Article 28 GDPR). Consequently, the Garante issued a sanction of € 27.802.946, together with different corrective measures.
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the Italian original for more details.