Garante per la protezione dei dati personali - 9256486

From GDPRhub
Garante per la protezione dei dati personali - doc. web. n. 9256486
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 4 GDPR, Article 5 GDPR, Article 6 GDPR, Article 7 GDPR, Article 12 GDPR, Article 13 GDPR, Article 21 GDPR, Article 24 GDPR, Article 25 GDPR, Article 28 GDPR, Article 32 GDPR

Type: Complaints
Outcome: Upheld
Decided: 15. 1. 2020
Published: n/a
Fine: € 27.802.946
Parties: TIM S.p.A. vs. Anonymous

National Case Number: 9256486
European Case Law Identifier: n/a
Appeal: n/a
Original language: Italian

Original Source: Garante per la protezione dei dati personali

On 15 January 2020, the Italian Data Protection Authority (Garante) imposed a fine of € 27.802.946 on a telecommunications company, TIM S.p.A. Following hundreds of complaints related to the receipt of unsolicited promotional calls, investigations pursued by the Italian Authority revealed several instances of unlawful processing of personal data for the purpose of promotional activities.

English Summary

Facts

The Garante examined various complaints relating to unsolicited promotional calls received by prospects without their consent or despite their express wish not to receive them. Further irregularities complained of concerned the collection of consent for promotional purposes in different forms for customers and in the company's programs and apps. Users also complained of deficiencies in the response to data subjects' requests, namely requests for access to one's own data and objections to data processing for promotional purposes. The Garante also examined several notifications TIM made concerning different data breaches that occurred, which highlighted inconsistencies in the systems, both of TIM and of its providers (namely, call centers), that process customers' personal data, such as to cause, for instance, an inaccurate use of customers' contact details.

Dispute

The Garante had to assess whether TIM lawfully processed prospects' personal data in its commercial campaigns, namely by applying a legal basis (e.g. consent) to such processing and ensuring that its providers processed personal data accordingly. The Authority also had to determine whether the processing of customers' and prospects' personal data complied with data subjects' requests objecting to processing. In this regard, the Authority also analyzed the validity of consent collected for promotional purposes and the related information provided in different forms submitted by the company, including in customer programs and apps. The Garante had to evaluate the compliance of the storage and use for promotional purposes of data relating to customers of other operators, to whom TIM provided network and infrastructure services. Finally, the Authority investigated the management of data breaches by the company, namely in relation to the processing of customer data for promotional purposes, with regard to both the timeliness of the notification and the measures taken to reduce the risks to the rights and freedoms of data subjects.

Holding

The Garante found that the processing of prospects' personal data was based neither on valid consent nor on another lawful basis, hence violating namely Articles 6 and 7 GDPR. Processing of prospects' and customers' personal data for marketing purposes was also conducted despite the objection of data subjects, thus in breach of Article 21(2) and (3) GDPR. In different forms submitted by the company, as well as in programs and customer apps, consent collected for promotional purposes was not specific and freely given, nor was the related information provided transparent and unambiguous, thus violating Articles 4(11), 7(1), (2), (4), 12(1) and 13 GDPR. Moreover, the Authority found that data relating to customers of other operators was stored and used in a way that infringed the principles of fairness, purpose limitation, storage limitation, accuracy and integrity referred to in Article 5(1) GDPR. Concerning the management of data breaches, the Garante considered that TIM did not ensure, by appropriate technical and organizational measures, an appropriate level of integrity and confidentiality, nor the accuracy of data, as required by Articles 5(1)(d), (f), 32 and 33 GDPR. In general, the Garante considered that TIM was not able to account for and prove compliance in various fundamental aspects of the data processing carried out directly or through its providers, thus not respecting its obligations in terms of accountability (Articles 5(2) and 24(1), (2) GDPR), privacy by design (Article 25(1) GDPR) and as controller towards its data processors (Article 28 GDPR). Consequently, the Garante issued a sanction of € 27.802.946, together with different corrective measures.


English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Italian original for more details.

Marketing: Privacy Guarantor fines Tim 27 million and 800 thousand euros

The Privacy Guarantor has imposed a fine of 27,802,946 euros on Tim spa for numerous unlawful processing of data related to marketing activities. The violations involved a total of several million people.

From January 2017 to early 2019, the Authority received hundreds of reports relating, in particular, to the receipt of unsolicited promotional calls made without consent or despite the registration of telephone users in the Public Objections Register, or even despite the fact that the persons contacted had expressed to the company their wish not to receive promotional calls. Irregularities in the processing of data were also complained about in the offer of prize contests and in the forms submitted to users by Tim.

From the complex investigative activity that resulted, carried out also with the contribution of the Special Protection of Privacy and Technological Fraud Unit of the Guardia di Finanza, numerous and serious violations of the discipline regarding the protection of personal data have emerged.

Tim has shown that it does not have sufficient awareness of fundamental aspects of the data processing carried out (accountability).

Among the millions of promotional telephone calls made in six months to "non-customers", the Authority found that the call center companies commissioned by Tim have, in many cases, contacted those concerned without their consent. One person was called 155 times in a month. In about two hundred thousand cases, "off-list" numbers were also contacted, i.e. not on Tim's contact lists. Other unlawful conduct was also detected, such as the company's lack of control over the operations of some call centres; the incorrect management and failure to update the black lists where people who do not want to receive advertising are registered; the compulsory acquisition of consent for promotional purposes in order to join the "Tim Party" programme with its discounts and prizes.

In the management of some apps intended for customers, moreover, incorrect and non-transparent information on data processing was provided and invalid consent acquisition methods were adopted. In some cases paper forms were used with a request for a single consent for different purposes, including marketing.

The management of data breaches was not efficient, and the Company's implementation and management of systems that process personal data was likewise inadequate (in violation of the principle of privacy by design). Misalignments emerged between Tim's black lists and those of the call centres in charge, as well as for audio recordings of contracts entered into by telephone (verbal orders). The telephone numbers of customers of other operators, held by Tim as network operator, were stored for longer than the legal limits and included, without the consent of the interested parties, in some promotional campaigns.

In addition to the sanction, the Authority imposed 20 corrective measures on Tim, including prohibitions and prescriptions. In particular, it prohibited Tim from using, for marketing purposes, the data of those who had expressed to call centres their refusal to receive promotional calls, of those on the black list and of "non-customers" who had not given their consent.

The company may no longer use even the customer data collected through the apps "My Tim", "Tim Personal" and "Tim Smart Kid" for purposes other than the provision of services without a free and specific consent.

Among the prescriptions, the Guarantor has enjoined Tim to verify the consistency of the black lists used and to promptly acquire those formed by call centers to transfer them to its black list. Tim must also review the "Tim Party" program and allow customers access to discounts and sweepstakes by eliminating the mandatory consent to marketing. The company must also verify the procedure for the activation of all the apps, always specify, in clear and comprehensible language, the processing carried out with an indication of the purposes pursued and the processing methods used, and acquire valid consent. The Company shall also implement the technical and organizational measures relating to the management of the requests for the exercise of the rights of the data subjects and strengthen the measures aimed at ensuring the quality, accuracy and timely updating of the personal data processed by the various systems of the company.

The measures and implementations required must be introduced and communicated to the Authority within set timescales, while the payment of the penalty must be made within thirty days.

-------------------------------------------------------------------------

The decision:

Corrective and sanctioning measure against TIM SpA - January 15, 2020

Register of measures
n. 7 of January 15, 2020

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, in the presence of Dr. Antonello Soro, president, of Dr. Augusta Iannini, vice president, of Dr. Giovanna Bianchi Clerici and of Prof. Licia Califano, members, and of Dr. Giuseppe Busia, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC (General Data Protection Regulation, hereinafter the "Regulation");

GIVEN the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n.196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter the "Code");

GIVEN the numerous complaints and reports received by the Guarantor, with regard to various processing of personal data carried out by TIM SpA (hereinafter also referred to as: "TIM" or "the Company");

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

SPEAKER Prof. Licia Califano;

WHEREAS

1. THE INVESTIGATIVE ACTIVITY CARRIED OUT

From 1 January 2017 to the first months of 2019, the Authority received a large number of reports and complaints (in the order of a few hundreds according to a trend that was constantly confirmed before and even after the aforementioned time interval), concerning data processing relating to the receipt of unwanted promotional calls, in the interest of TIM SpA (hereinafter also "the Company"), made without the consent of the interested parties; or despite the registration of telephone numbers in the public register of oppositions; or even after exercising the right to object to the Company; or even in the context of procedures aimed at solving technical failures inherent in the telephone services provided to other interested parties by other telephone companies.

Further complaints also highlighted the lack of response to the requests made by the interested parties with regard to the rights enshrined in the legislation on the protection of personal data, and in particular those of access to their data and opposition to processing for promotional purposes, as well as the request of a consent, to be compulsorily issued for processing for marketing purposes, upon activation of the "TIM Party" program within the Company's website and the collection of a single and indistinct consent to the processing of data for various purposes - also additional to the execution of the contract - as part of the forms prepared for self-certification of possession of a prepaid line.

TIM then sent, in the period considered, various notifications relating to violations of personal data (so-called "data breach") which, in particular, highlighted some misalignments between the systems that process customers' personal data such as to cause, for example, the incorrect attribution of telephone lines to the holders or the incorrect association between holders and the contact details used by the Company.

Starting from these elements, this Office has carried out, pursuant to art. 10 of the Guarantor Regulation n. 1/2019 (in www.garanteprivacy.it, web doc. 9107633), a complex investigation activity, formalized through requests for information addressed to the Company and inspections conducted at the same, starting from November 2018 until the month of February 2019.

Further inspection activities were also carried out, also through the Special Protection of Privacy and Technological Fraud Unit of the Guardia di Finanza, between March and June 2019, at certain companies entrusted with the promotional activity of the Company itself (so-called "partner"), such as XX srl; XX srl; XX srl; XX srl; XX srl; XX srl.

As a result of these activities, on 25 July 2019, the Company was notified of the start of the procedure, pursuant to art. 166, paragraph 5, of the Code, containing the invitation to send any observations within 30 days of receipt of the same, granting the Company, at the request of the same, an extension to 10 October 2019 to provide feedback.

As part of the preliminary investigation, TIM's request to access, for defensive purposes, the preliminary documentation, including that relating to the investigations carried out at its partners, was accepted (see management decision of 12 September 2019). We then proceeded to examine TIM's defense brief dated 10 October 2019, the minutes of the hearing of 5 November 2019, as well as the additional supplementary defense documents of 12 November 2019, albeit belatedly produced (beyond the deadline of 10 October 2019).

All the documentation provided by TIM is understood to be fully referenced and considered - for a complete representation of the cases, as well as for the benefit of the Company's right of defense - in the assessments contained in this provision.

2. RESULTS OF THE INVESTIGATION

At the end of the inspection activity and the examination of the documentation produced by the Company, the Authority found numerous and varied violations of the regulations on the protection of personal data referred to below and illustrated in detail in the following paragraphs. In particular:

- commercial contacts made during promotional campaigns aimed at "prospect" subjects (i.e. non-customers), in the absence of the consent of the interested parties; numbers contacted up to 155 times in a month; absence of control by the Company over the work of its partners during the conduct of commercial campaigns (see par. 2.1);

- incorrect management of the exclusion lists from commercial campaigns (so-called "black lists"); failure to update the black lists on the basis of the denials expressed by the interested parties during the telephone commercial contact, which led to gaps in the accuracy and quality of the data in the corporate information systems; inconsistencies, not sufficiently clarified, of the data present in TIM's black lists compared to those of its partners' black lists; users included in the black list many days after the expression of the denial to marketing; users present in the black lists of the partners but not included in those of the Company (see par. 2.1);

- promotional phone calls to numbers not present in the contact lists (so-called off-list), made by commercial partners without the consent of the interested parties or other suitable legal basis; commercial phone calls to "off-list" numbers for which the Authority's provision of June 22, 2016 (in www.gpdp.it, web doc. no. 5255159) had prohibited TIM itself from processing for marketing purposes (see par. 2.2);

- promotional contacts made by the Company despite the exercise of the right of opposition of the interested parties or carried out in the framework of service contacts or even without giving timely feedback to the interested parties or incorporating in its systems the exercise of the right of opposition (see par. 2.3);

- cases of conservation, in the CRM (Customer Relationship Management), of the Company, of data relating to customers of other Operators, to which TIM provides the mere network and infrastructure service (OLO-Other Licensed Operator), for a time exceeding the limits required by law (10 years) and with visibility by customer care operators beyond the time limits established by company policies (5 years); cases of abusive use of said numbers for promotional purposes (see par. 2.4);

- acquisition of promotional consent as part of the "TIM Party" program in ways that do not ensure free expression (see par. 2.5);

- with respect to some Apps intended for customers, the issue to interested parties of incorrect or non-transparent information on the processing of data, as well as methods of acquiring consent that do not comply with current regulations (see par. 2.6);

- use of paper forms for the collection of personal data with a request for a single consent for different purposes (see par. 2.7);

- unsuitable management of data breaches, both with regard to the timeliness of notification to the Authority, and with regard to the measures put in place to reduce the risks to the rights and freedoms of the data subjects; inadequate management by the Company of the systems that process personal data, in violation, in particular, of the principles of data accuracy, as well as of the confidentiality and integrity of the systems (see par. 2.8).

2.1. Promotional campaigns aimed at so-called "prospects", the management of black lists and denials expressed by interested parties during a commercial contact

As regards the telemarketing campaigns for fixed-line and mobile telephone offers carried out by the Company in the period July 2018-February 2019, aimed at customers (registered in the TIM Customer Base) and non-customers (the so-called prospects), TIM stated that the list acquired by the Office during the inspection "contains the identifiers of the 650 campaigns carried out, with the associated validation date and number of numbers for each of them" for a total of 50 million numbers in the TIM lists (cf. p. 9, matched 3/8/2019).

Of these 650 campaigns, carried out in the aforementioned limited period, 484 were aimed at customers involving 15 million numbers, while the remaining 166, according to TIM's prospect, were aimed at 13 million prospects, reaching approximately 5.2 million numbers, since "Prospect campaigns" would have "an 'average reachability' threshold of around 40%" (memory 10/10/2019). With specific reference to the commercial campaigns addressed to the aforementioned prospects, a comparison between the so-called contact lists (i.e. the lists of numbers that can be contacted for promotional purposes prepared and provided to partners by TIM), and those associated with outgoing calls recorded on automated call systems of some call centers subject to inspection (in particular: XX,

- the calls made by the aforementioned call centers were associated with TIM's contact lists, which are not included in the lists provided by the Company to the Office; in this regard, TIM stated that "currently" it could "exclusively assume that the disputed discrepancies [were] essentially due to: the use of criteria for coding separate data flows by the Partners, which generate different nomenclatures; [to] comparison made on partial lists in the availability of the Partners; [to] comparison with different campaign codes as the lists provided by TIM report the coding of the Marketing List ID, while those provided by the Partner IDs of the Sales List" (10/10/2019, cit.).

In this regard, it is therefore noted that TIM - as the client of the treatments in question - proves not to have sufficient knowledge of the criteria for coding the flows used by the partners or of the methods of naming the contact lists, also for the purpose of its own better control;

- the same telephone number, within a month, was contacted up to 155 times and was registered in various contact lists, in contrast with the same policies declared by TIM, according to which: "the callback rules issued to partners provide that each numbering in the list can be the subject of a useful contact per month, meaning by useful contact a telephone call with an OK response (adherence to the contractual proposal), KO (non-adhesion), denial (opposition to processing). For this reason, a number reached by a useful contact is no longer recalled within the same campaign" (see minutes 5/2/2019, p. 4);

- in the "outcome" field of the promotional calls (made by partner XX) entries not recognized by the Company, according to which they fall exclusively within the entrepreneurial autonomy of the same partner (eg "Refusal of customers CB TI NOT CONSENTED"; "Consent recovery on former TIM and former TI (OK)"; see statement 10/10/2019).

With specific reference to XX, the Company, in addition to admitting telephone calls outside the contact lists (see infra paragraph 2.1), has also admitted the serious operational differences in the frequency of promotional contacts made by this partner with respect to what is abstractly established in its own policies (the "conduct is openly in disregard of the rules for the production of TIM's contact lists for the execution of commercial campaigns"), denying its responsibility, due to its presumed extraneousness to the operating procedures of XX (see memories 10/10/19 and 12/11/19 cit.).

Thus, however, TIM - neglecting its fundamental role as client - has shown that it does not have the necessary awareness of this conduct, nor that it has adequately supervised the work of the partner.

The Company has represented that, to exclude from the contact lists numbers belonging to interested non-customers (so-called "prospects") who have expressed the desire not to receive promotional communications, it uses two different black lists:

1. a first ("black list marketing"), manually fed and uploaded to the campaign management system on the basis of the opposition to the processing for promotional purposes sent by the interested parties to the company Customer Care; includes a total of 2,272,226 numbers, of which, however, 2,232,935 entered by the Company following the prohibition of data processing for promotional purposes issued by the Guarantor with the provision of 22 June 2016 (web doc. no. 5255159) and only 39,291, therefore, referable to interested parties whose opposition to the processing has been registered by the Company;

2. a second ("black list denials"), automatically fed into the campaign management system, consisting of the results of denial (i.e. "objections to processing for marketing purposes") expressed by the so-called prospects during the commercial phone calls made by partners; includes 6,215 numbers.

In total, therefore, the interested parties who, overall, appear to have expressed their desire not to receive promotional communications from TIM and which TIM has registered, are 45,506.

This quantitative figure - however relatively small especially considering TIM's primary role in the national market of telephone operators - was not aligned with the much greater consistency of the overall exclusion lists used by TIM's commercial partners (for example, the black list acquired by XX Srl was made up of about 260,000 numbers).

The Company, as of 10 October 2019, with regard to the concerns expressed by the Guarantor with the communication of the initiation of the procedure of 25 July last, while providing some elements for clarification, declared itself "not fully able to clarify the reasons for the discrepancy found by the Authority between its own black lists and the analogous black lists used by the Partners". This, since "the black lists held by the Partners" would not fall, according to TIM, "in the context of the denial management process defined by TIM" and "All denials received from Partners, when they operate on behalf of TIM, must necessarily be included in Thin Client, the only company system responsible for managing denials expressed by subjects contacted by the Partner."

Furthermore, from the comparison between the aforementioned black lists of the Company and the results uploaded by the partners in the Company's systems and indicated as "denial" relating to campaigns carried out by the Company in the period identified above, as well as the black lists of the partners - although necessarily taking into account the possible different composition of these lists - it emerged that (Annex 6 to the reply 8/3/2019):

a) there are 3,442 commercial contacts with a "denial" outcome registered by the partners on the occasion of the aforementioned prospect campaigns;

b) of the aforementioned 3,442 contacts, only 1,026 are reported in the black list of denials of TIM, while the remaining 2,415 are not present in this list, which should be precisely "made up of the results of denial (i.e. the 'opposition to processing for marketing purposes') expressed by prospects during the commercial phone calls made by the partners" (see p. 8, feedback 20.2.2019).

TIM, without providing suitable evidence, stated that these 2,415 denials have not been reported in its black lists as they have been registered in the Company's CRM systems (which records the existence or not of the customers' consent) precisely because they are referable to customer numbers, with the exception of 5 numbers, which were discarded during the loading phase.

In any case, while taking into account the many exceptions represented by the Company, it should be noted that some numbers, referring both to TIM fixed or mobile network customers and to prospects, were included in the contact lists many days after the expression of the denial (or more than 300 days later for some prospects; more than 200 days later for some fixed or mobile network customers; see acts 12/11/2019).

The Company (see notes March 8 and November 12, 2019) stated that "as a consequence of the ... anomaly in the updating of the DWH Consenso Prospect archive and consequently of the Denials Black List used by the marketing functions", 184 unique numbers have been erroneously included in the contact lists for promotional campaigns. The Company - to certify the awareness of an inadequate management of denials - also pointed out its intention to introduce a new system, which would entail the registration of denials of TIM active fixed lines in the archive intended for the management of consent (in this case the "DWH Consent": see supplementary note 12/11/2019);

c) 862 numbers present in the denial black list appear to have a "denial result" subsequent to the date of their insertion, in contrast to what is indicated by the Company regarding the automatic exclusion from the commercial campaigns of the numbers present in the black lists (see, for example, p. 8 reply 20/2/2019 and pp. 3 and 5, minutes 5/2/2019). In this regard, the Company (see supplementary note 12/11/2019) has represented what is attributable "to the erroneous operation of some of its partners, who registered the" denial through THIN Client…. with even prolonged delays with respect to "outcomes 49" (i.e. the outcomes monitoring system) and thus "disregarded the procedures defined by TIM" in this regard. According to TIM, "Aware of these shortcomings, the Partners recovered the refusals uploads via THIN Client in massive mode on the dates…. concentrated in November 2018 for denials acquired by XX and in the following months of December and January for those acquired by XX". TIM appears, however, to have become aware of these delays in the loading of denials only on the occasion of the investigations initiated by the Guarantor in February 2019;

d) in the black list used by the partner XX Srl (acquired during the inspection on 28/3/2019), there were 1,645 objections to the processing received during commercial telephone calls made on behalf of TIM; however, none of the relative numbers were included in the Company's denial black list;

e) in the black list used by the partner XX Srl there were almost 200,000 numbers that did not match the black list of the Company (see p. 2, minutes 23/4/2019); however, this is difficult to understand if we consider that the aforementioned partner is a single agent of TIM, and therefore the two lists should mostly correspond or in any case contain similar quantities;

f) in the black list used by XX, referring to denials expressed during commercial telephone calls made on behalf of TIM, there were 2,401 numbers; however, of these only 3 were found on the TIM marketing black list and none were found on the TIM denial black list. This is difficult to understand as these numbers had to be all included in this list, precisely as denials expressed during the Company's promotional campaigns;

g) in the black list sent by TIM to XX (see Annex 11, report 7/5/2019) there are 22,296 numbers; however, of these only 19,488 are present in the marketing black list and 6 are present in the denials black list provided by TIM to the Authority.

Indeed, the aforementioned differences can only be considered partially attributable to the different criteria for the composition and implementation of the black lists or to the different denomination/classification of lists and the outcomes of the contacts (see TIM 10/10/2019 memory and supplementary note 12/11/2019, cit.) that TIM does not appear to have agreed with its partners or even to the existence of clients-principals other than TIM, for some of these partners. It is precisely the use of different criteria and denomination that in this case - in addition to incorrect practices implemented by the partners with reference to the methods of managing denials - also the lack of adequate implementation by the Company of shared management procedures emerges,

Furthermore, the events in question highlight a partially fallacious functioning of the automated system of exclusion from the contact lists, however confirmed by various anomalies on the systems admitted on several occasions by the Company (see notes of 8/3/2019, 3/4/2019 and 12/11/2019), which did not guarantee a correct and consistent representation, in the computer systems dedicated to this, of the negative will of the interested parties, resulting, depending on the cases represented above, in the processing of personal data for marketing carried out without complying with the legitimate exercise of the rights of the interested parties, in particular that of opposition.

2.2. Telephone calls to users not present in TIM's contact lists (so-called "unlisted calls")

Numerous complaints about the persistence of unwanted promotional calls concerned users not included in TIM's contact lists (so-called "out of list").

In this regard, the Company stated that "... partners are contractually prohibited from using contact lists independently found and not authorized by TIM", however "... during the useful contact with the line ... present in the contact list provided by TIM, it may happen that the person contacted requests to be called back on another number or indicates another person from the household to contact for the offer in question, providing the number [so-called references] ...". Again with reference to "unlisted calls", TIM stated that these "... cannot be known to the Company as they are performed by partners through their telephone/CRM systems ..." unless "the customer/prospect accepts the commercial offer, [which] is compulsorily traced in TIM's 'Verbal Order' system" (hereinafter also "VO") (see pp. 7 and 8, reply 14/3/2019). This applies whether the number contacted derives from the contact lists provided by the Company or falls within the so-called "off-list".

The Company was therefore unable to quantify the "off-list" calls made by its commercial partners or to provide the list of numbers contacted. It quantified this information only partially and indirectly, providing the numbers not present in the contact lists delivered to the partners that, in the period 1 July 2018 - 28 February 2019, were associated with a verbal order on the campaign management system; the presence of a verbal order reveals only those commercial contacts that concluded with the signing of a contract, ratified by the Verbal Order. Therefore, "... the Company has applied a calculation methodology based on the comparison between the information stored in the 'Verbal Order' system with respect to the numbers contained in the contact lists provided to the partners, being able to calculate only the 'out-of-list' associated with a verbalized order ...", that is, in total, 116,461, and as many as 184,655 starting from 1 March 2018 (see TIM memorandum of 10/10/2019). Also in order to understand the extent of the phenomenon of "out of list" contacts, it may be useful to highlight that the number of Verbal Orders understates the number of underlying calls: for example, during the inspections, XX stated that, for customers present in the customer base, the number of contracts stipulated represents about 9% of promotional calls made in the case of upselling campaigns, while only 3% in the case of campaigns intended to activate new lines. This take-up rate, however, is generally even lower in the case of promotional campaigns aimed at "prospect" subjects, due to the lower accuracy of the data (e.g. numbers that are no longer active or subjects who have more advantageous subscriptions than those proposed).

Moreover, from the contracts stipulated by TIM with its partners, it emerged that the assignment to carry out promotional telephone contacts concerned not only contact lists provided by TIM, but also so-called "lead" numbers, that is, numbers acquired by partners following the request of the interested parties to be contacted to receive a specific commercial offer (see art. 2 "Object" of the TIM-3G spa contract, attached to the inspection reports), while the contract does not contain organizational and technical instructions and measures with specific regard to the particular category of "off-list" contacts represented by the so-called "referenced" subjects. Nevertheless, the Company could not fail to be aware of the fact that the partners made "off-list" contacts outside the "lead" numbers, as this was concretely detectable from the misalignment between the numbers associated with the Verbal Orders, uploaded by the partners in the Company's systems, and the numbers included in the contact lists provided by TIM to its partners. Indeed, during the inspections, only two partners declared that the "off-list" contacts came from lead lists; in the other cases, it emerged that the "off-list" contacts made concerned the so-called "referenced" subjects.

The analysis of the so-called "off-list" numbers and black lists held by the Company also highlighted the following:

- 1,504 numbers contacted were present in the marketing black list at the time of registration of the verbal order (and therefore at the time of making the telephone commercial contact);

- of these 1,504, 1,464 were contacted despite having been included by the Company in the marketing black list following the provision of June 22, 2016 cited, which - as highlighted above - had prohibited their processing for marketing purposes;

- 15 users had expressed a denial to marketing before the registration of the Verbal Order (and therefore before the making of the telephone commercial contact).

With regard to the aforementioned 1,504 numbers, the Company hypothesized that these "were independently found by the Partners with the mechanism of leads and references, and therefore used for the purposes of commercial contact on the basis ... of the consent provided by the interested party himself or of the balance of subsisting interest for the referenced", but did not provide any further information, nor did it document this assumption, as instead required by the accountability principle.

Furthermore, since 1,464 users are included by TIM in its marketing black list following the aforementioned provision of 22 June 2016, in order not to incur a repeated violation of the aforementioned provision, the Company itself should have provided this black list to its partners, monitoring the activities of its partners, in order to allow an appropriate match with the data acquired or in any case in the possession of the partners, and thus avoid a new further unwanted contact.

In order to properly investigate the phenomenon of so-called "off-list" contacts, the Authority also carried out inspections at some partners.

In operational practice, manual dialling of the numbers to be contacted has been accepted, a method that TIM has not regulated in the contracts with its partners in order to limit possible abuses. It was found that, in general, the outgoing call management systems used by call centers keep track of these calls, an element that allowed the Authority to make some checks with respect to the data provided by TIM regarding the aforementioned Verbal Orders, once again ascertaining evident quantitative inconsistencies (see communication of the initiation of the procedure of 25 July 2019). In particular, the data provided by TIM regarding the Verbal Orders (see

The checks carried out also highlighted that - with reference to some call centers (XX; XX; XX; XX) - numbers of "referenced" subjects were contacted despite a previous opposition to the processing expressed by the interested party, as were numbers entered in the marketing black list following the aforementioned provision of 22 June 2016 (in particular, this was found for: 258 "referenced" calls made by XX; 250 "referenced" calls made by XX; as well as one "referenced" call made by XX).

It appears evident that TIM - while knowing and accepting the phenomenon of calls to "referenced" users, from which it has constantly received the relative profits, as attested by the Verbal Orders cited above - has not regulated it with specific and detailed instructions in order to guarantee its compliance with current legislation (in these terms, see also note XX of 18/10/2019). This entailed the processing of personal data for marketing purposes carried out in the absence of a proven and suitable legal basis (not showing that suitable consent has been acquired for them, such as for example by proxy, email, recording of the telephone call), or without taking into account the right to object previously expressed by the interested parties.

With specific regard to the Verbal Orders - as well as the composition of the contact lists - the Company, after an alleged discussion with the partners on 7 November 2019, provided elements (such as the "use of coding criteria for separate data flows by the Partners, which generate different nomenclatures"; the "comparison made on partial lists in the availability of the Partners"; the different denomination of the type of "off-list" contacts, referred by some partners also to "lead" users, acquired directly by the same partners, and not only to "referenced" users; the different concept of VO used in practice), on the basis of which the Company believes it can reasonably limit and reduce the phenomenon in question (see statement 10/10/2019 and supplementary note 12/11/2019, cit.). However, these elements do not fully and precisely justify the considerable diversity of the quantitative data, in particular of the VOs.

Even today, the management of lists and VOs - as well as of "off-list" contacts - by TIM is not adequately demonstrated and reported, also due to evident differences in the criteria used and not shared with partners, so much so that the Company itself has come to represent that "the punctual checks are still in progress to numerically compare and verify with the Partners in question the lists of the unlisted and related Verbal Orders" and to report "that the interventions started ... and represented (in the memorandum of 12.11.19) will allow the adoption of off-list control methods based on more structured checks and provided for by contractual obligations", confirming the gaps that have emerged.

2.3. Further unwanted promotional communications emerged from the feedback provided by TIM regarding reports and complaints and management of the rights of the interested parties

As a result of the analysis of the feedback provided by TIM (6/12/2018; 13/2/2019 and 1/3/2019) regarding the requests made by the Authority on 7 November 2018 and 14 January 2019, relating to multiple reports; to some complaints (feedback TIM 25/10/2018; 8/1/2019; 5 and 16/9/2019), as well as to supplement the inspections indicated above (feedback 8/3/2019, 20/3/2019 and 2/5/2019), the following emerged:

1) for almost all of the reports and complaints, TIM denied unwanted promotional contacts, asserting that the reporting persons' numbers were not in the lists used for promotional purposes and that the calling numbers did not belong to its sales force;

2) nevertheless the following reports were found to be well founded; in particular the Company:

a. with regard to XX, despite the opposition exercised by him, it admitted that it had mistakenly entered him in contact lists and had actually contacted him, through the XX srl call center;

b. with reference to XX, despite the opposition exercised by the latter, it stated that it had continued to include him in the contact lists and therefore to call him, as XX srl, the call center that made the call, did not register, "due to internal problems in…. back office", the negative will of the interested party "in the marketing systems", so that the user in question was included in subsequent contact lists (see confirmation TIM 13/2/2019);

3) with regard to the requests of other interested parties (XX; XX; XX; XX; XX; XX; XX; XX; XX), the call centers entrusted with the execution of the promotional telephone calls have admitted (as, moreover, has TIM itself: see memorandum of 10 October 2019) unwanted contacts, citing, generically, alleged "oversights" or typing errors in the telephone number to be contacted, or occasional, unauthorized contact initiatives "in manual mode" carried out by their staff and not further substantiated or clarified (see also specific findings of: XX srl and XX srl of 30/1/2019; XX srl and XX srls of 30/11/2018; XX spa of 5/12/2018; XX srls of 19/3/2019 - the latter with a total of 4 reports, subject to separate feedback; all attached to the aforementioned TIM feedback). A generic explanation is also provided by XX spa, which cites, to explain a further unwanted promotional contact, "a duplication of the data on (own) CRM (technical error) ascertained following the control of the reports ..." (confirmation XX 22/11/2018, attached to the TIM response of 6/12/2018, cit.);

4) in the cases of so-called "hybrid" phone calls, the promotional contact by the Company was made, despite the already expressed denial of processing for promotional purposes, in the context of "endocontractual" or "service" communications (in a first case, reporting party XX, by phone call with operator: see response TIM 6/12/2018, cit.; in a second case, complainant XX, by text message: see response TIM 8/1/2019, cit.). In this second case, according to the Company, the late reply to the request of the reporting party and the late inclusion in the black list - in the face of multiple objections made by the complainant, also by means of documented communication by certified e-mail - would have occurred because of a not better specified "... incorrect operation by customer care operators";

5) the following critical issues also emerged with regard to the requests presented by the interested parties, with particular reference to the opposition to processing for promotional purposes:

a) the lack of a written or otherwise documented reply to the requests of several interested parties (XX; XX; XX; XX: see reply 2/5/2019); failure to reply to requests received by certified mail (see for report by XX: reply 2/5/2019, cit.; see for complaint from XX: reply 25/10/2018). In the first case, the request "is not tracked in the systems ... for filing the correspondence received"; in the second case, an "alleged loss of information ... in the process of transfer from the certified e-mail to paper documentation ..." is claimed. A similar lack was found for: the report from XX, whose request was printed and sent to the outsourcer in charge of 'typing', but not found due to a problem relating to said procedure (response 20/3/2019, cit.); the report from XX, managed, with the inclusion in the black list, only on the occasion of the response provided to the request for information formulated by the Authority (feedback 8/3/19 and 5/11/2018); as well as the complaint of XX, in relation to which several requests made to the Company - even though sent several times via certified e-mail and ordinary e-mail - are not detected in the systems due to technical anomalies or were managed late, and whose opposition to the promotional treatment was entered into the system only more than 4 months after the originally formulated request (feedback 5/9/2019 and 10/10/2019);

b) the response to opposition requests without effective implementation, in the corporate systems, of the refusal of processing expressed by further interested parties (XX; XX; XX: see reply 2/5/2019, cit.).

In the face of some of the aforementioned critical issues submitted to TIM by this Authority, the Company (see statement 10/10/2019) pointed to "the integration of the text of the i-sms with the information about the methods by which the customer can oppose the receipt of the aforementioned messages."

Such conduct once again highlights the carrying out of unwanted promotional calls in the absence of suitable consent or even in the presence of an express denial by the interested parties.

2.4. The processing of customer data so-called "OLO" (Other Licensed Operator)

During the inspections, the retention, in the Company's CRM, of personal data belonging to non-customers (name, surname or company name; tax code or VAT number; telephone line; address; contact details) emerged.

In particular, in relation to some data breach events, one of which had involved the personal data of a "subject" who had never been a TIM customer, the Company stated that the processing of the related data was necessary because the interested party, although a customer of another telephone operator (Other Licensed Operator-OLO / Alternative Network Operator), was using a "wholesale line rental" (WLR) service, sold by TIM to OLOs and offered by the latter to their customers.

The Company also stated that "the general category of 'customers' also includes customers of residential fixed telephony services to which customers of WLR services are also assimilated. For this type of interested party, the general criteria for the availability of personal data are defined which provide for [...] the visibility of the data for 5 years from the termination (except in cases in derogation, e.g. disputes, specified in the policy) for the purposes carried out by customer care" and "the maximum availability for 10 years for the purposes of tax management and tax obligations (unless exceptions, e.g. disputes), including the conservation of invoices for the service provided." (see p. 9, response 13/12/2018 and of 14/12/2018, p. 8).

Instead, the results of the inspections showed - contrary to the provisions of the aforementioned TIM policy - that access to OLO customer data was allowed to customer care operators even beyond the 5-year period. In this regard, the Company specified that only following the inspections did it modify "the visibility of the personal data of the customers of the WLR services by the customer care operators", denying them "the visibility of the personal data of the customers of WLR services if ceased for more than 5 years." (see p. 8, reply 13/12/2018, cit.).

In addition, the presence of the personal data of a reporting party in the CRM (i.e. the customer management system) of the Company was verified, even though more than 10 years have passed since the termination of the contract with TIM. In this regard, the Company stated that the "... customer records remain visible to TIM Customer Care operators as long as the underlying telephone line is active with another Operator (OLO) and for the following 5 years from termination (technical deactivation) of the line" (see reply 14/3/2019, p. 6). However, for the line in question - which has been in the management of another telephone operator for over 10 years - no WLR service was active (see report attached to the reply sent on 2/5/2019).

Moreover, the finding that TIM's CRM contained 23,298 assignees of WLR lines managed by another OLO (altogether referring to 23,428 telephone lines) is of doubtful compatibility with the legitimate purposes of the processing attributable to TIM, taking into account that - according to the Company's online portal - "the WLR service allows Operators to virtualize the customer's connection to their network and to directly manage the customer with regard to" various contractual functions or functions in any case connected to the execution of the service. Furthermore, in the manual of procedures relating to this service (annex G to the reply 13/12/2018), it is indicated that "The

Although the Company has declared its intention to reorganize the CRM, which would also lead to a review of the data of OLO customers (memorandum of 10/10/2019), to date these data are stored in the Company's CRM beyond the limit of 10 years. This represents an excessively long period of time that finds no justification in light of the alleged purposes pursued by TIM.

From another point of view, the Company stated that, as a result of internal audits it conducted, "anomalous behavior emerged in accessing and consulting the database relating to 'failures' allegedly by OLO employees ... subject to a complaint to the Public Prosecutor's Office ... on 1 October 2019, so that it can carry out the investigations deemed necessary ..." (see note of 12/11/2019).

With the same note, the Company stated that, "with reference to the 23,428 lines corresponding to active lines at the date of 'native' customers of OLO for the WLR service ... only 2,410 were included in the contact lists of the prospect campaigns for the period from 1 July 2018 to 28 February 2019 ..."; of the aforementioned 2,410 users, 414 would have been "acquired from the telephone directory and verified with respect to the Register of Oppositions and 2 instead, would have subsequently returned to TIM" (see statement 10/10/2019). Nevertheless, the Company was not able to substantiate and prove - for the 414 users - the aforementioned verification activity and - for the remaining 2 - the circumstance of the possible acquisition of valid consent for promotional purposes (such as, for example: copy of paper or online forms; audio recording;

(i) the numbering of lines that have ceased and subsequently reactivated and assigned to a different user (OLO customer) to activate a new system with the WLR service ... and (ii) the active lines migrated for the passage of the TIM customer to an OLO. As a result of this anomaly, 1,995 numbers assigned to OLO customers and corresponding to numbers previously used by former TIM customers with contact consent were included in the Lists of prospect campaigns. This anomaly was corrected by eliminating from the extractions carried out by CRM ... all the lines registered to OLO customers" (see note 12/11/2019). In other words, the aforementioned anomaly involved, with reference to the promotional campaigns carried out by the Company towards former customers, the inclusion in the contact lists of numbers belonging to the Company's customers then deactivated and subsequently reassigned, as available, to customers of other operators. This resulted in the unlawful processing of data relating to the telephone numbers of customers of other operators, since the commercial contact took place in the absence of the prior consent of the interested parties or other suitable legal basis. Moreover, it should be borne in mind that the quantification of the phenomenon (1,995 numbers) refers only to the promotional campaigns carried out by TIM in the period July 2018-February 2019, while the anomaly in question reasonably concerned a much longer period of time.

In addition, the arguments presented by the Company are not adequately substantiated by documents. In some cases (213 numbers and 638 commercial contacts) the activation date of the WLR service was in fact more than 5 years earlier than the date of execution of the commercial campaign: after 5 years, even any consent to marketing given by the former (ceased) customer - erroneously attributed, according to the Company, to a different subject, an OLO customer - should have been considered, according to TIM's own policy, no longer valid for carrying out the commercial contact.

The conduct described above denotes unlawful processing, as it is carried out in the absence of suitable consent from the interested parties, as well as in breach of the principle of storage limitation and of the obligation to guarantee and prove compliance with data protection regulations in accordance with the principle of accountability (cf. infra par. 3.8).

2.5. The "TIM Party" online program

The Company, as shown by the analysis of the website www.tim.it, offers its customers the possibility of joining the "TIM Party" program, which allows them to access advantages and discounts, as well as to participate in prize competitions, informing them that "If you have not yet issued it, you will be asked for your consent for marketing purposes by Telecom". The customer, therefore, to access this program and the related benefits, must give consent to the promotional purposes. Moreover, the number of customers who have joined this program is very high (approximately 2,000,000 telephone lines, up to December 2018: see minutes 5 and 6/2/2019).

In this regard, TIM has represented (see statement 10/10/2019) that "the dedicated offers do not constitute a promotional activity ... but rather the specific function and purpose of the program itself, i.e. the so-called object of the contract ... Thus, the TIM customer who intends to join the program makes a conscious and informed choice and expresses, through registration, his will to receive communications relating to offers, advantages and competitions, which represent the sole purpose of TIM Party. For this reason, registering with TIM Party necessarily involves modifying the consents registered in the CRM, as registering with the Program is ictu oculi incompatible with the denial of commercial offers ...". The Company, in the same document, betraying some reasonable doubts about the legitimacy of this practice, added that "If this indication is not shared, it is noted in the alternative that the 'transfer of consent' in the face of advantages remains a free choice of the consumer, not expressly precluded by the Regulation." and referred to an alleged, and unidentified, opinion requested on the matter by this Authority.

In this way, the Company, by subordinating participation in the "TIM Party" loyalty program to the release of consent to processing for promotional activities, is conditioning the will of the interested parties with regard to the (generalized and undifferentiated) receipt of promotional communications by the same and with the most diverse methods (automated and traditional). This, although the aforementioned processing is not necessary for the purposes of executing the contract stipulated by the interested party by joining the program, which has as its object the achievement of prizes and discounts. Nor is it duly clarified in the information provided to the interested parties that this manifestation of will automatically entails the modification of any denials expressed by them prior to joining the Program. Therefore,

2.6. App made available to customers

The Company offers its customers the possibility of installing some applications online on their mobile devices. During the inspection it emerged that, in particular, "My TIM", "TIM Personal" and "TIM Smart Kid" required the user, in order to use the various features provided, to 'accept' at the time of installation, together with the "terms of service", also the "privacy information", which, moreover, referred to promotional, geolocation and communication purposes to third parties for promotional purposes.

Considering the very high number of customers who have installed these applications (7,000,000, "My TIM"; 400,000, "TIM Personal"; 10,000, "TIM Smart Kid": see annex 1 to the minutes 6/2/2019 cit.), and that for a reporting party (XX) the consent to marketing was found to have been set despite the original refusal expressed in the contract, the Company, upon specific request, denied that the acceptance of the "terms of service" together with the "privacy policy" entailed a change in the manifestations of will previously expressed by customers when activating the SIM (see minutes 6/2/2019).

With regard to the information, TIM has denied using the data collected with these Apps for carrying out the aforementioned promotional, geolocation and communication activities to third parties for promotional purposes. With specific reference to the "My TIM" App, however, the Company subsequently produced a new revised disclosure to the Authority in light of the critical issues highlighted above (see minutes 6, 14 and 28/2/2019; as well as feedback 20/2/2018).

More generally, the Company - invoking its "good faith", in its view proven by the following changes made to the configuration of the "My TIM", "TIM Personal" and "TIM Smart Kid" Apps - stated that (see statement 10/10/2019):

- "the activation of the App in question does not require an express consent for the use nor does it allow the modification of the consents for marketing purposes of the customer, which can be managed by the same through the channels relating to the management of the TIM line (ie through the My TIM web portal and, from August 2019, through the My TIM App) ";

- to have "taken note of the remarks raised by the Authority regarding the potential textual misunderstanding of the information in relation to the possible effects deriving from the installation of the App in question, and has amended", in the period between February and August 2019, "consequently the text of the information itself";

- to have also modified, in line with the criticalities that emerged during the inspection, the procedure relating to the "acceptance of the Terms & Conditions and the acknowledgment of the Privacy Policy", setting "the necessary selection of two separate buttons".

In addition, the "My TIM", "TIM Personal" and "TIM Smart Kid" Apps, at the time of the investigations, did not provide for the acquisition of a free and specific consent from the interested parties for the processing of personal data for multiple purposes and multiple processing operations (including, in particular, "statistics"; "service sizing"; "diagnostics"), heterogeneous among themselves and not all apparently necessary for the services provided to the interested parties through the App.

In summary, with regard to the Apps indicated above, correct and transparent processing is therefore not carried out; the failure to acquire a free and specific consent of the users in relation to each individual purpose pursued also emerged. 

2.7. Forms used for the "self-certification of possession of a prepaid line"

The Authority received a report highlighting that TIM had given the aforementioned forms to the reporting party, in which, in the face of various processing purposes (statistics; promotional; profiling), a single undifferentiated consent was required. In this regard, the Company represented that: "the self-certification form in question (published in March 2009), used by the Customer Care Business, had not been updated and therefore contained contents that were no longer adequate, including the declaration of privacy consents ... it is not possible to trace the number of business customers who have signed this form, as there is no specific tracking for this type of form (used only for the header of the prepaid mobile line to a third person with respect to the holder of the business mobile telephone contract)".

The Company subsequently presented (on 10/10/2019) documentation relating to new forms serving the same function and already distributed, which request free and specific consents based on the different purposes of the processing pursued, and reported that the data collected from the reporting party and from the other interested parties would not have been used for the purposes indicated in the information (including promotional ones), thus confirming, however, the collection of an unsuitable consent.

2.8. Data breach management - anomalies and misalignments relating to customer personal data

Based on the results of the inspections as well as the examination of some of the most significant data breach notifications presented by the Company, it was found that:

- in some cases, the Company took steps to identify and manage the violation episodes late, activating the DPO only a few months after the problem was detected, as well as making the communications to this Authority required by current legislation;

- the systems that process the personal data of customers frequently encounter "misalignments", "anomalies" and "incorrect associations".

These events appear to have been the cause of inconsistencies in the data, which have caused, for example, the incorrect attribution of telephone lines to the holders or the incorrect association between holders and contact data (see, for example, data breach n. 170, 171, 175 and 186). This resulted in undue communications of personal data to subjects other than the interested party, for example when sending the invoice and the telephone and telematic traffic data associated with it. Furthermore, access by customers to data of other subjects, displayed in their own self-care area of the customer portal, was found.

The misalignments, suitable to jeopardize the accuracy of the data processed, have also had an impact on the privacy consents reported in the customer data sheets. In this regard, during the inspections, it was found that there was an inconsistency between the privacy consents reported in a customer's personal data and the data inferable from the examination of the consent history (see p. 5, minutes 14/2/2019; p. 7, minutes 28/2/2019).

The Company specified that the misalignment indicated concerned a further 2,894,292 lines and occurred following the occurrence of an "anomaly" in the course of a massive reclamation activity, which involved all mobile lines of TIM's consumer customers, carried out, starting from 14/1/2019, on the DWH-Consent system (see reply 20/3/2019).

Therefore, for these lines, from the date of carrying out the remediation to 18/3/2019 (date on which the Company declared that it had resolved the anomaly), there was an inconsistency between the consents present in the personal data sheet and the status of the last change of consent. Therefore the expression of the last modification of the consent made by the interested party, during the indicated period, was not correctly "propagated" in the consumer CRM, whose personal data sheet continued to show the values of the consents prior to the last expression of will.

An anomaly also concerned the denials black list, in particular affecting the date of insertion of the numbers in the black list itself. The Company appears to have become aware of this only when, during the aforementioned inspections relating to telemarketing, it had to explain the reasons why almost half of the numbers included in the aforementioned exclusion list had the same insertion date (see p. 2, minutes 28/2/2019; acknowledgment 3/4/2019). The Company, specifying that the software malfunction started on 1/30/2018 and lasted until 2/14/2019, assured that it "structurally solved the anomaly as of 3/8/19 ...", and to have inserted in the black list "all the denials 'blocked' and only temporarily not resulting on all the databases and, therefore, the black list is, currently, complete and correct", thus admitting that this black list previously presented some inconsistencies in the data (see memory 10/10/2019). The Company, in the same memorandum, highlighted that these misalignments did not "lead to the destruction, loss, modification, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed, but only the misalignment between different databases and/or interfaces", since "the updated and exact data were in any case present in the DWH-Consent, ie from the master system on which all the activities conducted by TIM are based on the basis of the privacy consents of customers ..". It is also noted that this last statement is partially in contrast with what the Company represents, in the statement of 12 November 2019, in which it stated that: "The anomaly already represented to the Guarantor in the Response of April 3, 2019, which temporarily blocked the updating of the DWH Consenso Prospect archive and that the anomaly was restored starting from February 15, 2019, some denials were recorded in the DWH Prospect consent from that date. [...] As already represented in the Memorandum and in the Feedback of 8 March 2019", according to TIM, there would be an "anomaly in the updating of the DWH Consenso Prospect archive and consequently of the Denials Black List used by the marketing functions ..." from which it seems it was clear that even in the DWH Consent system there were anomalies relating to the status of the consents of the interested parties.

The aforementioned anomalies reveal an incorrect and unsuitable treatment to guarantee the accuracy of personal data, as well as the integrity and confidentiality of the systems, and therefore the failure to adopt adequate technical and organizational measures for these purposes.

3. LEGAL ASSESSMENTS

With reference to the factual profiles highlighted above, also based on the declarations of the Company to which it responds pursuant to art. 168 of the Code, the following assessments are formulated in relation to the profiles concerning the regulations regarding the protection of personal data.

3.1. Calls made on behalf of users "off the list"

With specific regard to the phone calls made to "unlisted" users by some TIM partner call centers, it was found that "referenced" subjects were contacted, on the basis of a constant operating practice attributable to a conscious corporate choice of the Company and not attributable to exceptional unauthorized initiatives undertaken by the staff without the knowledge of the client and of the call center in charge of promotional activities (see par. 2.1).

In this regard, TIM should, directly or through its partners, have checked the information collected on the so-called "referenced", especially in relation to the origin and the concrete methods of data acquisition (in particular, the existence of the necessary prior consent for the promotional purpose or the presence of the user in a public list and, at the same time, its failure to register in the public register of oppositions, see provision 18 April 2018, web doc. no. 9358243). In fact, the status of "referenced" cannot replace the necessary fulfillment of the obligation of the prior acquisition of a specific, documented and unequivocal consent of the interested party. This, since the third referencing agent is not (as a rule) entitled to give any valid consent on behalf of the interested recipient of the call (see provision 26 July 2018, web doc. 9358243).

In addition, it was found that the “off-list” users contacted also included 1,464 users who, in compliance with the aforementioned provision of 22 June 2016, had been placed on the black list and therefore could not have been contacted for promotional purposes.

Furthermore, it cannot be invoked as a legal basis - as TIM did, however, only with the note of 13 May 2019 and the memorandum of 10 October 2019, trying to depart from what has already emerged and crystallized during the inspection - that of the "legitimate interest" of TIM and its partners in marketing activities, perhaps together with the alleged interest of the "referring" subject, which involves a friend or relative in the promotion.

In this regard, it is useful to reiterate first of all that TIM has not substantiated or demonstrated the status of "referenced" for the individual users contacted "off the list" (including, among the elements, the origin and the exact methods, including temporal in question), but limited itself to assuming, generically and without distinction, that they could be "referenced" users.

It should then be pointed out that the legitimate interest, pursuant to art. 6, par. 1, lett. f), of the Regulation - already provided for by both the repealed Directive 95/46/EC, as well as by the Code prior to the amendments made by Legislative Decree no. 101/2018 (Legislative Decree No. 196/2003, Article 24, paragraph 1, letter g) - cannot substitute - in general - the consent of the interested party as the legal basis for marketing. Indeed, the Regulation itself - like Directive 95/46/EC already in art. 7, paragraph 1, lett. f) - only admits it "provided that the interests or fundamental rights and freedoms of the interested party that require the protection of personal data do not prevail". Furthermore, the same Regulation (see recital 47), with specific regard to the applicability of the legitimate interest in marketing, requires - with a rigorous and prudent approach - that due account be taken of "the reasonable expectations of the data subject based on his relationship with the data controller. For example, such legitimate interests could exist when there is a relevant and appropriate relationship between the data subject and the data controller, for example when the data subject is a customer or is employed by the data controller. In any case, the existence of legitimate interests requires a careful assessment also with regard to the possibility that the interested party, at the time and in the context of the collection of personal data, can reasonably expect that a processing for this purpose will take place. The interests and fundamental rights of the data subject could in particular prevail over the interests of the data controller if the personal data are processed in circumstances in which the data subjects cannot reasonably expect further processing of the personal data".
The application of the legal basis of the legitimate interest therefore presupposes the prevalence in concrete (based on a balance given to the owner, but always assessable by the Supervisory Authority) of the latter over the rights, freedoms and mere interests of the data subjects (specifically, the recipients of promotional communications not assisted by consent). In this comparison, it is necessary to carefully weigh the impact of the processing that is intended to be carried out on these rights, freedoms and interests (among which, in the case of marketing, the right to data protection and the right to individual peace of mind of the data subject are recognizable first of all, see, most recently, Annual Report 2018, p. 107; also prov. 22 May 2018, doc. web n. 8995274), and it is also necessary, in compliance with the principles of accountability and transparency, to concretely implement adequate measures to guarantee the rights of the data subjects, such as in particular that of opposition (in this sense, see already the Opinion of the Group Art. 29, no. 6/2014, on the concept of legitimate interest - WP 217, p. 35: the institution of legitimate interest "guarantees greater protection of the interested party; in particular, it establishes that not only the rights and fundamental freedoms of the data subject, but also his "interest" - mere and unqualified. ... all categories of interests of the data subject must be taken into consideration and compared with those of the data controller, insofar as they are relevant within the scope of the Directive").

Moreover, "the data controller cannot ... retroactively resort to the basis of legitimate interest in the event of consent validity problems. Since he has the obligation to communicate [in the information issued to the interested party] the legitimate basis at the time of the collection of personal data, the data controller must have decided on the legitimate basis before the data is collected" (so see Guidelines of the Group Art. 29 on consent pursuant to Regulation (EU) 2016/679, 10 April 2018, WP 259 rev.01).

Therefore - if the aforementioned conditions for legitimate interest do not exist and with the exception of the so-called "soft spam" hypotheses (Article 130, paragraph 4, Code), as well as the "opt-out" system for the data in public lists - it must be considered that the general rule to be followed for processing for promotional purposes is that of the prior informed, free, specific and documented consent of the interested parties (as also underlined by the Guidelines of the Guarantor on promotional matters, 4 July 2013, cit., and even earlier by the January 19, 2011 provision, "Requirements for the processing of personal data for marketing purposes, through the use of the telephone with operator, following the establishment of the public register of oppositions", web doc. No. 1784528, which - in recalling, also with respect to the users of companies or freelancers available in public directories or registers, the further stringent limit, in compliance with the principle of 'purpose', of the close and direct functionality between the telephone call and promotional offers that are the specific object of the entrepreneurial / professional activity - clarified that, outside the aforementioned cases, the processing for promotional purposes of the "data contained in databases, however formed, is permitted only in compliance with the general principles of the Code and therefore only after the release of suitable information and the acquisition of specific consent ..."); principles, as known, confirmed and indeed made more stringent by the Regulation through the provisions of Articles 6, 7, 12 and 13.

With regard to "off-list" users (in particular, "referenced" ones), the "general" responsibility for the promotional treatment carried out must be ascribed - contrary to what TIM believes - also to the latter, also in light of the findings of the Group Art. 29, with regard to the concept of data controller, which "is functional, that is, aimed at attributing responsibility where an effective influence occurs: it is therefore based on a factual rather than formal analysis". In particular, for the purpose of identifying the ownership actually exercised, it is also necessary to examine "extra-contractual elements, such as the real control exercised by a party, the image given to the interested parties and the legitimate expectation of the latter on the basis of this visibility" (cf. Opinion no. 1/2010).

Indeed, based on the elements collected, the Company in fact constitutes the client on behalf of which the telemarketing activity is carried out (including that of finding and contacting "off-list"), based primarily on the contract but also in the operational practice of the call centers, constantly committed to using the name and image of TIM, as well as the scripts of the promotional messages of the same Company; moreover, it is clearly the subject to whom the economic advantages deriving from the contracts stipulated with the interested parties who adhere to the telephone offer are mainly destined. In view of this, it does not appear that TIM originally regulated or adequately monitored these methods of managing telephone contact,

for example, art. 7 of the TIM-3G spa type contract, on the basis of which "lead" means the "authorization to be contacted by the Customer who releases his personal data (complete and correct name, correct and active telephone number and / or correct and active e-mail address) ... in accordance with the laws in force, collected in paper, voice or digital form)" where it is also established that for "the calculation of the fees, the useful contacts made and the contracts acquired and activated according to the data resulting from the information systems of Telecom", in which in fact the so-called "referenced" also rejoined). Furthermore,

Considering the extent of the phenomenon of unwanted promotional contacts towards the "off-list" attributable, as illustrated above, also to the continuing and serious shortcomings of the Company, the latter must be held responsible for the aforementioned violation of consent with respect to the "referenced" users, as it does not appear to have put in place "adequate and effective measures, in consideration of the nature, scope, context and purpose of the processing, as well as the risk to the rights and freedoms of individuals" to guarantee, and be able to prove the compliance of the processing with the personal data protection discipline, thus seriously and repeatedly violating the accountability obligations (see articles 24 and 28, especially paragraph 3, of the Regulation). In particular,

This, notwithstanding the fact that precisely for the "referenced" users present in the public lists and at the same time in the public register of oppositions, art. 1, paragraph 11, of law no. 5/2018, introduced in our system an express principle of joint and several liability of the owner-client for promotional activities entrusted to third party call centers, establishing that: "The owner of the processing of personal data is jointly and severally liable for violations of the provisions of this law also in the case of entrusting call center activities to third parties for making telephone calls."

It should also be noted that this legal formulation is not disproved, as instead stated by TIM, by the aforementioned order-injunction adopted by this Authority on 11 April 2019, against XX srls (web doc. No. 9116053), taking into account the substantial diversity of the case covered by the aforementioned ordinance, concerning an articulated supply chain that descended from the client to an Albanian company through several subjects and intermediate steps.

Moreover, it cannot be ruled out that the relationship between TIM and its partners may be qualified in terms of joint ownership. It appears, in fact, that said partners have identified and contacted "off-list" users outside the contact lists and the contract formally stipulated with TIM, in fact exceeding the role of mere controllers formally entrusted to them for the execution of promotional campaigns aimed at interested parties on the TIM lists and determining "purposes and means of processing", within the framework of a unitary and de facto shared design, at least with regard to the purpose of acquiring new customers and in its operational effects, with TIM (see prov. 1 February 2018, web doc. 7810723). This also in consideration of the irrefutable circumstance that the use of "off-list" numbers was functional to the pursuit of a shared interest, both of TIM and its partners, from which each derived an economic benefit. In this way, TIM also substantially influenced the processing of data carried out by the partners by participating in the determination of the purposes and means of such processing.

In this context, the telemarketing activity carried out on behalf of TIM towards the "off-list" must be considered a substantially unitary economic activity, as it is neither possible nor correct to split and separate the related obligations and responsibilities (for similar considerations on the responsibility of the client with respect to the conduct of its partners as well as other subjects possibly involved in the "processing chain", see provision 26 October 2017, web doc. no. 7320903; Jan. 15, 2011, web doc. 1821257, which, in arguing the ownership of the treatment by the clients, highlights some precise elements: if, as in the present case, the promotional contacts are made in the name, on behalf and in the interest of the principal company, "in the interested parties it creates a legitimate expectation, since they perceive that they are recipients of advertising initiatives conducted directly by the company on behalf of which the proposal for the sale of products or services is formulated; … - the mandate, often with representation, conferred from time to time binds the agent to the presentation of offers and the conclusion of contracts in the name, in any case on behalf of the principal using, moreover, the forms prepared by the latter". Furthermore, based on the aforementioned prov. gen. June 15, 2011, "The powers strictly provided for by the Code for the configuration and exercise of ownership" … "are and remain the exclusive prerogative of the principals. Among these, first of all: - make decisions relating to the purposes of processing the data of recipients of promotional campaigns for the purpose of sending advertising or direct sales material or commercial research or commercial communication carried out by third parties acting in outsourcing for the performance of the aforementioned promotion and marketing activities for goods, products and services". For similar arguments, see also: the Guidelines on promotional activities and the fight against spam, 4 July 2013, doc. web n. 2542348; prov. gen. April 18, 2019, on electoral propaganda and political communication, doc. web n. 9105201; in this sense v. Court of Milan, section I civ., 28 March 2019, n. 2629, which confirms the orientation expressed by the Guarantor in the provision of October 26, 2017, doc. web 7320903, on the co-ownership of the treatment by the client; ord. injunction June 18, 2015, doc. web n. 4253116; opinion no. 1/2010 WP n. 169 of February 16, 2010, which highlighted, already in line with Directive 95/46/EC, that, for the purpose of identifying the ownership actually exercised, it is also necessary to examine "non-contractual elements, such as the actual control exercised by a party, the image given to the interested parties and the legitimate trust of the latter on the basis of this visibility". See, in this sense also the orientation of the community jurisprudence, with respect to which there is the obligation of compliant interpretation of the norms: sent. CJEU, Case C-131/12 - Google Spain SL, Google Inc./Agencia Española de Protección de Datos, Mario Costeja Gonzáles, on the well-known case "Google Spain", from which it can be inferred that the responsibilities cannot be separated from the advantages, such as economic profits, deriving from the same processing activity; sent. CJEU, 5 June 2018, C-210/16, Wirtschaftsakademie Schleswig-Holstein, referring to a broad concept of (co) ownership in the processing, also including the subject who, in some way, has contributed to the determination of the sole purposes of the treatment. On joint ownership, cf. sent. CJEU, 10 July 2018, C-25/17, Tietosuojavaltuutettu; CJEU, 29 July 2019, C-40/17, Fashion ID GmbH & Co. KG / Verbraucherzentrale NRW eV).

Considering this, since the aforementioned treatments took place in the absence of the necessary consent of the interested parties or other suitable legal basis, TIM appears to have violated articles 5, par. 1, lett. a), and par. 2, 6, 7, 24 and 28 of the Regulation, as well as art. 130 of the Code.

3.2. "Hybrid" promotional communications and violation of the provisions on the exercise of the rights of interested parties

The cases regarding the lack of adequate respect for the rights of the interested parties are varied (see par. 2.2 and 2.3).

It is ascertained that some interested parties received no response to their requests to exercise the rights provided for in this matter, some of which were sent by certified mail; this is conduct inconsistent with the obligation of the owner to facilitate with appropriate measures the exercise of the rights of the interested parties provided for by the relevant legislation and to satisfy them without delay (see Article 12, paragraphs 1, 2 and 3, of the Regulation; see, however, already Article 8, paragraph 1, of the previous Code, to certify the constant nature of this obligation).

subsequent to the aforementioned provision - and therefore worthy of censure - the similar lacunae ascertained with regard to the requests of XX; XX; XX; XX; XX; XX; and, lastly, XX, recognizing the violation of the right of withdrawal of consent and of opposition referred to, respectively, in Articles 7, par. 3, and 21, par. 2 and 3, of the Regulation (right, that of opposition, already sanctioned by Article 7, paragraph 4, letter b, of the previous Code).

A lack of management of the opposing will of the interested parties also appears with reference to the malfunctioning of the software that did not allow for a long period (see above par. 2.8) the timely loading of denials in the black list and their timely and correct result on all company databases.

Furthermore, it does not appear that the Company has correctly managed the data processing of the so-called "off-list" and any objections made by the same (see par. 2.1), nor that it has adequately monitored the correct management of denials and the correct implementation of the black lists by its partners, having emerged, in particular, that various denials have been registered in the corporate systems even 451 days after the date of the denial (see attached table - no. 1 - a note of 12/11/2019), and in any case well beyond the acknowledgment required by law (without undue delay or, at most, within one month of receipt of the request, as established by art. par. 2.1). The seriousness of TIM's conduct emerges all the more in light of the fact that in the current legislation,

Also based on what has already been said regarding TIM's responsibility, as co-owner with regard to such calls or in any case client of promotional campaigns, an even more serious violation can be found with respect to telephone users who - although placed on the marketing black list following the aforementioned provision 22 June 2016, which had prohibited their processing for marketing purposes - were nevertheless contacted in the context of "off-the-list" calls made by call centers, in the absence of adequate monitoring and "filtering" of these promotional contacts, for which the Company is to be reproached, as are the call centers who made the contacts. Nor does it appear that the Company, for all interested parties in question, has proved the necessary consent by producing suitable documentation. This,

Moreover, it is not in line with the right of opposition, nor with the principle of correctness, the practice, sometimes emerged, of addressing, as part of the same promotional campaign, a very high number (even 155 times, all the more considering the period - monthly - of their development) of telephone calls to the same user; an excess that can be considered facilitated by TIM when it does not appear to have adopted adequate organizational and technical measures to avoid, perhaps with adequate on-site supervision, unwanted promotional re-contacts.

Also with specific regard to communications made by TIM, including via SMS, for allegedly endo-contractual purposes, but also containing a promotional offer despite the refusal of the interested parties to receive promotional communications (see paragraph 2.3), the violation of the principles of purpose and correctness of processing, as well as the right to object to processing for promotional purposes (sanctioned, respectively, by art. 5, par. 1, lett. a and b, and by art. 21, par. 2 and 3, of the Regulation), as well as the violation of the rules on automated promotional communications (articles 6, 7, of the Regulation, and 130 of the Code). In fact, it does not reveal whether the promotional offer, in practice, does not benefit the company but the interested party (see TIM 10/10/2019 memorandum), instead noting only the content, even if only partially,

Finally, with reference to unsolicited phone calls caused by alleged "oversights or errors" committed by some TIM partners (see par. 2.3), it is believed that the latter, in addition to revealing, on the part of the call centers, the possible violation of rules of technical and professional diligence, also bring out the responsibility of the Company, which has not proved that it has worked sufficiently to prevent them. In particular, a culpa in vigilando is recognized, as it does not appear that TIM has adequately verified, even with on-site audits, that no telephone calls were made to users in the absence of a suitable legal basis, thus violating art. 28, par. 3, lett. a), of the Regulation.

3.3. Customer data so-called "OLO" and data on the black list

For greater clarity (also with respect to what is indicated by the Company in order to reduce the number of calls made, noting the percentage of "reachability" of the same), it is necessary, first of all, to note that the inclusion of user data in contact lists already constitutes relevant processing, as does the promotional phone call made, even if it does not "reach" the person concerned (because perhaps he does not answer or blocks the contact attempt).

With specific reference to the number of OLO customers included in the lists of prospect campaigns (see par. 2.4), the Company has not provided proof that the processing for promotional purposes was carried out on the basis of a suitable prior consent of the individuals concerned for the marketing activity, thus violating Articles 6 and 7 and recitals 32, 40, 42 and 43 of the Regulation, as well as art. 130 Code (as already sanctioned by articles 23-130, previous Code; in this regard, cf. also Guidelines on the processing of personal data for online profiling - 19 March 2015), nor does it appear to have detailed and documented other different and alternative legal bases, with reference to the same interested parties.

The Company in this regard (see memoranda of 10/10/2019 and 12/11/2019, cit.) limited itself to asserting, on the origin of the data referring to OLOs included in commercial campaigns, that some users would have been obtained from public telephone directories, but without documenting the necessary prior verification activity at the public register of oppositions; other users would have returned to TIM, without however giving details of this eventuality (in particular: times; collection channel), nor providing proof of the fulfillment of the information and the successful collection of specific consent for promotional purposes. For the rest, it made express reference (only in the note of 12/11/2019) to an anomaly in the procedure that would have determined the consequent inclusion in the lists for the promotional campaign. Therefore, the Company has also violated the obligation pursuant to art. 5, par. 2, and 24 of the Regulation, placed on the data controller, to demonstrate compliance of the treatment with the principles of the Regulation itself.

For such data (OLO customers) - as for the data in the black list, subject to systematic misalignment - however, it should be remembered that, regardless of their use or not for promotional purposes, the related processing, for the above, must be considered illegal already on the basis of non-compliance with the principles of correctness, purpose limitation, conservation limitation, as well as accuracy and integrity pursuant to art. 5, par. 1, lett. a), b) and e), of the Regulation.

3.4. The "TIM Party" online program

Guidelines on consent pursuant to Regulation (EU) 2016/679, developed by the Art. 29 Group and adopted by the European Data Protection Committee in the version of 10 April 2018; Opinion No. 15/2011 on the definition of consent - WP 187, adopted by the Art. 29 Group on 13 July 2011; Recommendation CM / Rec (2010) 13 of the Committee of Ministers of the Council of Europe to Member States on the protection of individuals with regard to the automated processing of personal data in the context of profiling, 23 November 2010).

In fact, the consent to the processing of personal data that the interested party must provide cannot be defined as free, and is unduly required, where the interested party must accept (in this case as a condition for obtaining the advantages of the prize operation) the use of personal data conferred for other purposes for sending advertising communications (obviously, the consent for promotional purposes thus acquired when the interested party joins the "TIM Party" program overrides any denial present in the Company's systems). Interested parties must instead be enabled to express (consciously and) freely their choices regarding the processing of data concerning them, by giving their consent (so to speak, 'modular') for each distinct purpose pursued by the owner, further than joining the “TIM Party” loyalty program and enjoying the related benefits. While the processing of data preordained for loyalty in the strict sense can in fact be considered necessary for the execution of a contract to which the interested party is a party, for which it does not require any consent for its execution (art. 6, par. 1, lett. b, of the Regulation), any other processing purpose (e.g. profiling, marketing, etc.) requires, instead, free, specific, informed and distinct consent for each of them (Article 6, par. 1, lett. a, of the Regulation).

This is an orientation that finds full and constant correspondence also in the provisions of this Authority (see in this regard, general provision February 24, 2005, web doc. 1103045, as well as among many, provision 3-2-2005, web doc. n. 1109503; provision 9-3-2006, web doc. no. 1252220; web doc. 22-2-2007, web doc. no. 1388590; provision 5-3-2009, web doc. 1615731; prov. 15-7-2010, web doc. n. 1741998; prov. 22-7-2010, web doc. 1741988; prov. 7-10-2010, web doc. 1763037; 20 December 2012, web doc. no. 2223607; provision 24-1-2013, web document no. 2433614; provision 21-11-2013, web document no. 2830611; prov. 9-1-2014, doc. web n. 2904350; prov. 25-9-2014, doc. web n. 3457687; 1 October 2015, doc. web n. 4452896; prov. 27 October 2016, n. 439, doc. web n. 5687770; prov. 10 March 2016, doc. web n. 4988238; prov. 11 February 2016, doc. web n. 4885578; prov. 22 May 2018, doc. web n. 8995274).

The same orientation was confirmed by the Authority, even after the full operation of the Regulation (see prov. 12 June 2019, web doc. 9120218). The supervisory authorities of the other Member States of the European Union have also expressed a similar opinion (see ICO, Direct marketing guidance, version 1.124 October 2013; CNIL, Délibération nº 2013-378 du 5 décembre 2013 portant adoption d'une recommandation relative aux Cookies et aux autres traceurs visés par l'article 32-II de la loi du 6 janvier 1978).

It should also be considered that the procedure relating to "TIM Party", in the event of failure to give consent for promotional purposes, is rooted in preventing access to this program and, with this, participation in multiple services and functions all combined and conditioned, without distinction, to the provision of said consent. In particular, this procedure thus results in prejudice to the interested party who intends to remain free in the choices regarding the processing of data concerning him, at the same time discriminating him - with respect to subjects who allow themselves to be persuaded to grant said consent - with regard to access to more various benefits of appreciable economic content. This foreclosure, with specific reference to the prize competitions indicated by the program in question, in a more systematic view,

The violation of the freedom of the interested parties is even more serious because it is carried out massively with respect to a very high number of people and because the said restriction to consent is not assisted by a prior suitable and specific information for the processing of data dedicated to the "TIM Party" (but, in this case, from a concise presentation form, where the 'free' program is incorrectly stated), nor from the possibility of revoking the consent forced upon accession, with consequent violation of articles 7, par. 4, and 13 of the Regulations.

It should also not be underestimated that the Company could have developed its business and gained economic benefits (other than the coercion of consent) in the face of the benefits provided (such as discounts) and potential benefits (such as for prize competitions) in alternative ways, moreover, widespread in consumer practices, for example by providing for procedures that attribute reserved discounts, or greater points and discounts dedicated to those who spend more or make regular purchases, or similar forms of loyalty aimed at rewarding the most constant and high-spending customers, such as to preserve the fundamental right to consent, which is also a fundamental guarantee of the power of control over the data released and the purposes of the processing.

3.5. Criticalities regarding the App subject to investigation

In relation to the “My TIM”, “TIM Personal” and “TIM Smart Kid” Apps (see par. 2.6), the non-compliance of the processing with Articles 5, par. 1, lett. a), and 12, par. 1, of the Regulation is found, with specific reference to the obligation to provide information in a correct and transparent manner, in order to make the interested parties aware of the processing of the data concerning them. Indeed, processing activities of geolocation for promotional purposes and/or communication to third parties for promotional purposes have been indicated in the relative information, even if they are not actually carried out, as declared by the Company.

Nor did it appear that these disclosures contained adequate elements, in terms of content and clarity of the wording, regarding the actual data processing carried out by the Company through these Apps. even greater when it comes to Apps (such as the "TIM Smart Kid") aimed (also) at minors and other vulnerable subjects, which should also be specifically ensured with suitable graphic means, such as, for example, "standardized" icons (see recital 60, Regulation, and also the Guidelines of the Art. 29 Group on transparency, adopted on 29 November 2017 and amended on 11 April 2018).

Furthermore, the version used by TIM, with regard to the “My TIM”, "TIM Personal" and "TIM Smart Kid" Apps, at the time of the investigations did not ask the interested parties for a suitable consent for the processing of personal data for multiple purposes and multiple processing operations (including, in particular: "statistical" activities; "service"; "diagnostics"), although indicated in the information provided to users, which are heterogeneous and apparently not necessary for the provision of services to the interested parties through the App.

It should also be considered that the Company has provided for a procedure where the acceptance - joint and indivisible - of "terms of service" and privacy information was necessary. Even this setting cannot be considered either correct or transparent, since - even in the absence of an effective ability to modify the privacy consents previously expressed by the interested party - it nevertheless generates reasonable doubt in users regarding a possible interference of the aforementioned acceptance with the management of user consents to the treatments indicated in the information.

as well as the aforementioned Opinion 15/2011 on the definition of consent of the Group Art. 29, pp. 35-37).

Therefore, in addition to processing that is neither correct nor transparent, methods of acquiring consent that do not comply with the principles of freedom and specificity of the same in relation to each individual purpose pursued have emerged (articles 4, point 11, and 7, paragraph 4, of the Regulation).

3.6. Self-certification form for possession of a prepaid line

Also with reference to the self-certification form for possession of a prepaid line (see par. 2.7), the violation of art. 7, par. 1 and 2, in conjunction with art. 4, par. 1, point 11, of the Regulation is found, for failure to acquire the free and specific consent of the interested parties, already sanctioned by art. 23 and 130 of the previous Code. This is because, with reference to said form, a single consent has been acquired for contractual purposes and for distinct and different purposes for which further and specific consent (promotional and/or profiling) would have been necessary. Moreover, as further confirmation of their non-compliance, the Company communicated, with the memorandum of 10 October 2019, that it had amended the same.

In this regard, what is stated by the Company regarding the non-use, for purposes other than the contractual ones, of the data collected by this contractual means - which is indeed stated, but not adequately demonstrated, as the Company has not produced any evidence, taken from its own information systems, from reports of promotional or alien campaigns, of the failure to enter such data in promotional campaigns conducted, directly or through third parties - does not matter due to a further necessary consideration. That is, that the collection and subsequent storage of personal data carried out in the absence of the necessary free and specific consent for promotional purposes, as carried out by the Company, constitute in themselves two processing operations relevant for the purposes of the relevant legislation (see provision 12 June 2019, doc. web n. 9120218, as well as provisions of 27 October 2016, cit.; 20 November 2014, doc. web n. 365793), and therefore - contrary to what TIM claims - unlawful processing is to be considered.

3.7. Misalignments and data breach

With regard to the aforementioned data breaches (see par. 2.8), the violation is found of the provisions aimed at guaranteeing, through appropriate technical and organizational measures, the integrity and confidentiality of the systems and the accuracy of the data, as well as at allowing the timely activation of the verification procedures by the Authority (see articles 5, paragraph 1, letters d and f; 32, paragraph 1; 33, paragraph 1, Regulation).

Various anomalies and misalignments related to a very high number of customer personal data also emerged. Such misalignments, capable of compromising the accuracy of the data processed, have also had an impact on the privacy consents reported in the customer data sheets. In this regard, during the inspections, it was found that there was an inconsistency between the privacy consents reported in a customer's personal data and the data that can be inferred from the examination of the consent history, again with violation of the principles of accuracy of the data and integrity of the systems referred to in art. 5 of the Regulations (see p. 5, minutes 14/2/2019; p. 7, minutes 28/2/2019).

3.8. Violation of the principles of accountability and privacy by design

The procedures for uploading denials in the various archives, and, albeit in a limited way, those aimed at preventing the inclusion in promotional campaigns of users already present in the black list. This is because these procedures were not, in particular, suitable for allowing either a timely registration of consents / denials in the corporate systems, or a correct updating of the black lists, also considering the lack of univocal and shared coding criteria (see par. 2.1). Furthermore, TIM's policy was seriously deficient in managing the contacts made by the partners with respect to the so-called “off-list” and related denials.

In this context, the Company thus appears to have violated, in several respects, the principle of privacy by design, as "taking into account the state of the art and the costs of implementation, as well as the nature, scope of application, context and purposes of the processing, as well as the risks with different probability and severity for the rights and freedoms of natural persons constituted by the processing, both when determining the means of processing and at the time of processing itself, the data controller" does not appear to have implemented "adequate technical and organizational measures ... aimed at ... integrating the necessary guarantees into the processing in order to meet the requirements of this regulation and protect the rights of the data subjects" (see Article 25, paragraph 1; recitals 75 and 78, Regulation).

From a different point of view, TIM revealed that it did not have sufficient knowledge and ability to account for various fundamental aspects of the treatments carried out by the same directly or through third parties of its partners, and therefore showed an inadequate ability to prove the exact fulfillment of the legislation on the subject, thus appearing to have violated the fundamental principle of accountability (articles 5, paragraph 2, and 24, paragraphs 1 and 2, Regulation).

In particular, TIM - while giving impetus to, knowing and endorsing the practice established by the partners, as well as making a profit from it, with regard to the off-list calls made by its commercial partners - was not able, during the inspection, to precisely quantify the same, nor to provide the list of numbers contacted, except those that are successful and, therefore, associated with a Verbal Order. Furthermore, TIM had considerable difficulties in clarifying even the functioning of the registration of denials and therefore of the black lists, explaining a more articulated functioning only with the note of 12 November 2019.

Moreover, again with regard to these calls, as indicated above, there are serious inconsistencies - from the comparison of statements and findings respectively relating to the Company and its commercial partners - regarding the quantification of both the off-list calls, including "referenced" Verbal Order relating to this type of contact.

It should be added that, at times (see above, paragraph 2.1), a considerable divergence emerged between the contact lists presented by TIM and allegedly provided to call centers and those concretely in possession of the same call centers, for carrying out promotional campaigns on its behalf, as well as between the black lists of TIM and those of some call centers, even if referring to the promotional campaigns carried out for this Company. This divergence has only been partially clarified and documented by TIM (see briefs of 10/10/2019 and 12/11/2019, as well as hearing of 5/11/2019).

With regard to the behavior of its partners, for which TIM has a specific supervisory obligation (Article 28 of the Regulation), the Company - also during the hearing on November 5, 2019 and most recently with the note dated 11/12/19 - was unable to fully clarify the non-inclusion or late inclusion in the black list of denials by the partners, or to indicate and document the timing relating to the effective insertion of the denials in the corporate systems, manifesting a tiring exercise of the accountability obligation.

The Company also appears to have become adequately aware, only on the occasion of the aforementioned investigations, of the inadequacy of the self-certification forms for the possession of a prepaid line, dating back to 2009, and was unable to provide the number of business customers subscribing to this form, since it has not provided for "a specific tracking for this type of form ...". Moreover, as further confirmation of their non-compliance, the Company communicated, with the memorandum of 10 October 2019, that it had amended the same.

4. VIOLATIONS DETECTED

The processing of personal data carried out by TIM is even more serious if we consider that the same Company was, even in recent times (2016 and 2017), already the recipient of various injunctions, prescriptions and sanctions precisely with regard to the same type of violations (unwanted marketing; inadequate management of data subjects' rights; data breach; see provision 22 June 2016, web doc. 5255159; 30 May 2007, web doc. 14125989; provision 21 July 2016, web doc. 5436585). This, without considering that, albeit under a different profile (unsolicited phone calls also not with promotional content), it has been established (see prov. April 6, 2017, web doc. no. 6376175) the unjustified activation by TIM, in the name of a complainant and without his knowledge, of a large number of residential telephone lines (over 800), the processing of personal data which involved numerous other customers.

There are also numerous injunction orders adopted for the aforementioned violations and other similar ones; by way of example only, reference is made to the injunction orders of 3 October 2013 (web doc. no. 2726332); of 16 May 2018 (web doc. nos. 9370105 and 9370122); of 18 January 2018 (web doc. no. 7665804).

It is noted - confirming the extent and continuation of the criticalities found - the persistence of numerous reports and complaints, received by the Authority even after the date of the inspections carried out at TIM SpA and its commercial partners up to today's date, and containing complaints similar to those ascertained, on which this Authority reserves the right to carry out further investigative activities.

As a result of the analysis of the overall documentation acquired in deeds, in consideration of some elements that emerged (such as, in particular, among others, the very high number of data subjects involved in the treatments in question as well as the variety and severity of the violations found by TIM ), this Authority - having also assessed some measures whose next implementation the Company has envisaged - deems a broad spectrum intervention (inhibitory, prescriptive and sanctioning) necessary, in order to ensure compliance with current legislation of the treatments covered by this provision.

The aforementioned violations ascertained against TIM, in fact, represent proof, on the one hand, of a policy implemented by the Company in serious discrepancy with the regulations in force, moreover in many respects; on the other hand, the alarming context in which the phenomenon of unwanted promotional calls must be framed. This phenomenon has been the subject, for over fifteen years, of social alarm on the part of citizens and of attention from the legislator and the Guarantor. The numerous regulatory interventions connected to the regulation of the sector were accompanied by constant control activities by the Authority, carried out extensively with reference to all aspects of the phenomenon, from the relationships between the various parties involved, to the correct acquisition of the lists of contactable interested parties, from the management of telephone directories and the public register of oppositions, to the use of call centers. The numerous measures adopted in this regard have all been published and taken up with attention by the media, without this having led to a significant contraction of the phenomenon, so as to induce the Authority, in April 2019, to send a general information to the Public Prosecutor's Office at the Court of Rome aimed at highlighting the criminal consequences of telemarketing activities carried out in violation of the provisions on the protection of personal data.

On the basis of the elements set out above, having identified the violations indicated in par. 3 of this provision, it is considered necessary, pursuant to art. 58, par. 2, lett. d) and f), of the Regulation, to consequently adopt corrective measures for the definitive limitation of certain treatments against TIM SpA, also ordering it to comply with the regulations in force as detailed in the device, as well as to adopt an injunction order, pursuant to art. 58, par. 2, lett. i), of the Regulation, 166, paragraph 7, of the Code, and 18 of the law n. 689/1981, for the application of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5, of the Regulation.

In fact, various provisions of the Regulation and of the Code are violated in relation to related processing carried out by TIM SpA for marketing purposes, for which art. 83, par. 3, of the Regulation applies, according to which, if, in relation to the same treatment or related treatments, a data controller violates, with willful misconduct or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation (pursuant to art. 83, par. 5, lett. a, of the Regulation), thus absorbing the less serious violations (see art. 83, par. 4, lett. a, and 5, letter a and b, of the Regulation). Therefore, the aforementioned violations having as their object, among others, the conditions of lawfulness of the processing referred to in Articles 6 and 7 of the Regulation, and 130 of the Code, are to be traced back, pursuant to art. 83, par. 3 of the same Regulation, to the context of the most serious violation envisaged for non-compliance with the aforementioned conditions of lawfulness, with consequent application of the only sanction provided for in art. 83, par. 5, lett. a), of the Regulation.

For the purposes of determining the amount of the pecuniary sanction, it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation, which, in this case, are relevant under the following profiles:

1. the wide scope of processing, almost always concerning (for example, the self-certification forms for prepaid line possession, reserved for business customers), the generality of customers and users of the telephone service and related services, as well as the high number of interested parties involved, at the date of the on-site inspections (February 2019), and in particular: 2,894,292 lines involved in misalignments of the IT systems; customers who have downloaded the “My TIM”, "TIM Personal" and "TIM Smart Kid" Apps (respectively: 7,000,000; 400,000; 10,000); the approximately 2,000,000 customers participating in the “TIM Party” program (Article 83, paragraph 2, letter a, of the Regulation);

2. the seriousness of the violations detected, due to: illegitimate, and in particular unwanted, contacts made in the context of telemarketing and teleselling activities (potentially damaging various fundamental rights and, in particular, in addition to the right to the protection of personal data, the right to individual peace of mind and the right to privacy); of data collection procedures, such as those provided for the "My TIM", "TIM Personal" and "TIM Smart Kid" Apps, for the self-certification forms for the prepaid line and for the "TIM Party" program, such as to coerce the free expression of the will of the interested parties with regard to the processing of their data and therefore also to undermine the fundamental right to self-determination of the interested parties (regardless of any actual use of the same for the purposes not adequately consensed, such as promotional or geolocation: see the “My TIM”, “TIM Personal” and “TIM Smart Kid” App); access to various benefits of appreciable economic content (including various discounts and prize competitions), precluded by the "TIM Party" program to interested parties (already, of course, burdened, as consumers, by the information asymmetry regarding forms and clauses prepared unilaterally) that were unable to adhere to them to safeguard the freedom of their consent, also in violation of the principles of gratuity and equal treatment in relation to prize competitions; the difficulties that the interested parties have encountered in stemming the phenomenon of unwanted marketing, also considering the inadequate management of the right to object through the black lists; the multiplicity and variety of conduct (active and passive) referable to TIM in violation of several provisions of the Regulation and the Code; of the serious organizational shortcomings that have led to an inadequate implementation of the fundamental principles of data protection from design (privacy by design) and accountability; the violation of the fundamental principles of data accuracy, as well as the integrity and confidentiality of the systems, as attested by various data breaches, however managed by TIM with considerable delay,

3. the significant duration of the violations and, in the absence of specific elements for some, prudently circumscribed by this Authority, even if the very high number of interested parties involved would lead to backdating the beginning of the same with respect to the date identified below: for some (such as those relating to the principles of privacy by design and accountability, as well as the excess storage of OLO data), which began at least from 25 May 2018, the date of full operation of the Regulation and which have not yet been fully disciplined and resolved; for others (such as unwanted telemarketing, which lasted at least until 9 October 2019, when TIM sent its partners a note inviting them not to contact the so-called "referenced"); for still others (such as the procedure for installing the identified Apps) at least from 25 May 2018 until February 2019 ("My TIM" App, in truth, further updated in August 2019, and "XX Kid") or July 2019 (“TIM Personal” App); for system misalignments - which prevented the completeness and correctness of the denials black list and their correct representation in all company databases - the software malfunction started on 1/30/2018 and lasted until 2/14/2019, as well as resolved on 8/3/2019; for "TIM Party", on the other hand, the violation is still in place (Article 83, paragraph 2, letter a, of the Regulations);

4. the malicious nature of the following conducts, with particular regard to their conception and implementation, in relation to the following profiles: the incorrect information provided to the interested parties as part of the installation procedure of the aforementioned Apps and the methods of acquiring the consent of the interested parties, which have not ensured its free manifestation; the methods of obtaining consent, neither free nor specific, through the self-certification forms of the possession of a prepaid line for purposes other than invasive (such as marketing and profiling); the “TIM Party” service, with regard to the acquisition of a non-free consent to marketing; the processing, through some partners, of the data of numerous "referenced" subjects, in the absence of the necessary prior consent for promotional purposes,

5. the gravely negligent, more properly culpable, nature of other treatments, such as: the inadequate implementation of the fundamental principles of privacy by design and accountability, also proven by various procedural anomalies and by the evident difficulties that have emerged in providing certain and precise reconstructions of some problems encountered; the numerous data breaches; the excess storage of OLO data and the use, of a part of these, for non-consented promotional purposes; the inadequate management of black lists; the inadequate control of the work of its partners with respect to contacts to users typed manually or the result of alleged oversights / errors; that, also taking into account the use of procedures in clear contrast with the current regulatory framework and the interpretation provided by the Guarantor with various general and specific provisions; or, as for the data of the OLOs, taking into account that these are treatments and practices, in part, that do not comply, in addition to the current legislation, with the internal procedures of the Company (Article 83, paragraph 2, letter b, of the Regulation);

6. the existence of numerous previous measures - adopted by this Authority against TIM - inhibitors, prescriptions and sanctions, the latter defined with reduced payments or injunction orders, including those cited above, of 3 October 2013; of 16 May 2018; of 18 January 2018 in which, however, it was already highlighted that "TIM SpA has undertaken a telephone contact activity aimed at subjects who had expressed a clear intention to the contrary, reaching them with unwanted or disturbing communications ... it carried out the aforementioned activity on the basis of a conscious choice and not for mere negligence, having acquired, over the years, through constant dialogue with the Guarantor,5255159 ; of 21 July 2016, doc. web n. 5436585 ; of 6 April 2017, doc. web n. 6376175 , concerning some violations similar to those ascertained with this provision) (Article 83, paragraph 2, letter e, of the Regulations);

7. the existence of significant economic advantages, mostly current or even potential, deriving from the activities - in particular, of telemarketing and unwanted teleselling and from those connected to the "TIM Party" program (with specific reference to saving resources in terms of denied utilities, rewards and discounts, to customers who have not registered in the program in order not to be subject to the obligation to receive promotional offers) - carried out in violation of the Regulation and the Code, having regard to both the turnover as indicated in the financial statements of TIM SpA for the year 2018, the latest available (€ 13,901,473,076), and to the primary market position of the Telecom group, and, in particular, of TIM in the telecommunications sector (Article 83, paragraph 2, letter k, of the Regulation);

8. as a mitigating circumstance, the adoption of measures - albeit limited, if considered with respect to the variety and severity of the violations detected - to mitigate or eliminate the consequences of the violations. In particular, TIM declared (with a note dated 10/10/2019) that it had changed the installation procedure (including information and consent) of the "My TIM" and "TIM Smart Kid" Apps in February 2019 and of the "TIM Personal" App in July 2019; with the note dated 10/5/2019, it communicated that it had terminated the contracts with two of the partners who highlighted critical issues in the management of promotional phone calls and that it had applied contractual penalties to another partner, due to similar problems. With the memorandum of 10 October 2019, the Company has represented that it has modified the aforementioned self-certification forms for the possession of a prepaid line - without it being documented, however, that it has checked the possible use of forms with similar (incorrect) methods of obtaining consent - as well as having solicited its partners to suspend the promotional contacts of the "referenced" subjects, proposing possible sanctions as provided for by the contracts. The Company also appears to have proposed, mostly between 10 October and 12 November 2019 - but not yet implemented - some remedies, also with specific regard to calls to "referenced" users (in particular: selection and reorganization of its sales network with incentive mechanisms, including regulatory compliance; request to partners to provide suitable documentation to prove the actual fulfillment of the relevant obligations, such as those relating to information and consent; periodic checks of their work, also with access to their information systems). However, to date, no intervention appears to have been made on the unauthorized acquisition of consent for the processing of "TIM Party" for promotional purposes (Article 83, paragraph 2, letter c, of the Regulations);

9. as mitigating circumstances, the cooperation provided in the context of on-site investigations and in the subsequent course of the investigation, while demonstrating, overall, evident difficulties in reporting to the Authority on its actual processing activities and related obligations (Article 83, paragraph 2, letter f, of the Regulation);

10. as an extenuating circumstance - despite the invasiveness of the violations found, the type of data used compared to those overall held by the Company, i.e. identification and contact data (telephone numbers) of the interested parties involved in the data breach events; contact details of "referenced" subjects and other interested parties (customers and prospects) not authorized for invasive promotional purposes (Article 83, paragraph 2, letter g, of the Regulation);

11. as an extenuating circumstance, the proposed "participation in round tables with trade associations for the definition of rules and codes of conduct applicable to market operators (telesellers)" (see TIM 10/10/2019 memorandum; art. 83, paragraph 2, letter j, of the Regulations);

12. as mitigating circumstances, the loss of turnover achieved in 2018 compared to the previous year (2017), together with the declared decrease in its market share (Article 83, paragraph 2, letter k, of the Regulation), as well as the proposed employment situation of the Company, which declared that its personnel have been in solidarity since 2011 (Article 83, paragraph 2, letter k, of the Regulations).

Moreover, in application of the principles of effectiveness, proportionality and dissuasiveness with which this Authority must comply in determining the amount of the sanction (Article 83, paragraph 1, of the Regulation), it is further necessary to take into consideration the following additional elements:

- the ample time margin granted to all operators in the sector in order to allow them a complete and consistent adaptation of systems and procedures to the new European legislation, in force since 25 May 2016 and fully operational since 25 May 2018; adjustment that TIM does not appear to have made in a suitable manner;

- that the aforementioned provisional activity, with which indications and clarifications on the matter were provided (see general provisions and Guidelines cited in this provision), and the constant dialogue of the Authority with subjects operating in the telemarketing sector, and in particular with TIM (as the most reported operator and, therefore, the recipient of numerous investigations), can reasonably lead to the belief that all operators (including TIM) have achieved sufficient awareness of the provisions that must be unfailingly observed;

- therefore, in light of the above, the inadequate dissuasiveness of the sanctions so far contested against TIM, also taking into account the fact that the phenomenon of unwanted calls in the context of telemarketing has been the subject of constant and accurate attention by the legislator (see, most recently, Law no. 5/2018) and the Guarantor, as well as complaints from citizens;

- the current persistence of numerous reports and complaints, received by the Authority after the date of the investigations carried out at the Company up to today's date, similar to those covered by this provision.

However, with an overall view of the necessary balance between the rights of the interested parties and freedom of enterprise and in the process of first applying the administrative pecuniary sanctions provided for by the Regulation, it is necessary to prudently evaluate the aforementioned various criteria, also in order to limit the economic impact of the sanction on the organizational, functional and employment needs of the Company.

Therefore it is believed that - on the basis of all the elements indicated above, against the maximum legal sanction (556,058,923.00 euros, equal to 4% of the turnover of TIM, i.e. 13,901,473,076 euros, and not the higher turnover of the Telecom group) - the administrative sanction of the payment of a sum equal to 0.2% of the aforementioned turnover, corresponding to euro 27,802,946.00 (twenty-seven million eight hundred two thousand nine hundred and forty-six), must be applied to the same company.

It is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

In this context, it is also considered - also in consideration of the invasiveness of the illegal processing disputed with respect to the fundamental rights of the interested parties; the high number of them, even potentially, involved; serious misalignments found in the Company's information systems; the inadequate control of the same with regard to its partners and, finally, the scarce dissuasiveness of the measures adopted up to now by the Guarantor against the Company itself - that, pursuant to art. 166, paragraph 7, of the Code, and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, it is necessary to proceed with the publication of this provision on the website of the Guarantor, as an ancillary sanction.

Please note that pursuant to art. 170 of the Code, anyone who, being required to do so, does not observe this provision of definitive limitation of the processing is punished with imprisonment from three months to two years and, in the event of non-compliance with the same provision, the administrative sanction referred to in art. 83, par. 5, lett. e), of the Regulations is also applied; furthermore, failure to comply with the injunction is fined administratively pursuant to art. 83, par. 5, lett. e), of the Regulation.

ALL OF THE ABOVE CONSIDERED

having detected the unlawfulness, in the terms set out in the motivation, of the processing carried out by TIM SpA, with registered office in Via Gaetano Negri n.1, Milan, CF 00488410010:

1) pursuant to art. 58, par. 2, lett. f), of the Regulations, establishes the definitive limitation of the processing within 60 days of receipt of this provision:

a) for marketing purposes, of the numbers of the subjects already reached by commercial contacts with a "denial" outcome, as well as those on the black list;

b) for marketing purposes, of numbers relating to "referenced" subjects in the absence of suitable consent;

c) for marketing purposes, of the data of OLO customers present in the residential CRM, in the absence of suitable consent;

d) for purposes other than the provision of services through the aforementioned Apps, of customer data collected through the "My TIM", "TIM Personal" and "TIM Smart Kid" applications - prior to the changes made by the Company - in the absence of suitable consent;

e) for marketing purposes, of the data of customers who, before joining the "TIM Party" program, appear to have expressed a denial for the same purpose or not to have expressed any will;

f) for marketing and profiling purposes, of the data collected through the self-certification forms of the possession of a prepaid line, in the absence of suitable consent;

2) pursuant to art. 58, par. 2, lett. d), of the Regulations, orders the same Company to carry out, within 180 days of receipt of this provision:

a) the timely verification of the consistency of the black lists used, both with respect to the insertion of the numbers of subjects who have opposed or oppose the processing through the Customer care, and with respect to the insertion of the numbers of those who have opposed or object to processing in the course of a business contact through partners;

b) the timely acquisition of any black lists used by the partners for the purpose of the subsequent prompt transfer, in the so-called denial black list, of the numbers present therein, relating to commercial contacts made on behalf of the Company;

c) the verifiable verification, at regular intervals, of the effective and timely modification of the valorisation of the consent for marketing activities and of the actual inclusion in the black list, in relation to the numbers reached by commercial contacts with a "denial" outcome that belong to active customers present in the CRM of the Company or to non-customer subjects;

d) the implementation of technical and organizational measures regarding the management of the requests to exercise the rights of the interested parties - and in particular the right to oppose the promotional purposes - which make it possible to give feedback to the interested parties, as well as to identify and correctly implement their effective will, without undue delay, and in any case, at the latest, within 30 days of receipt of the request, without prejudice to overriding legitimate reasons and without prejudice to the need, promptly communicated to the interested parties, for a possible extension for the reply;

e) the implementation of a technical and organizational procedure, in the campaign management system, which allows the Company to know and govern correctly, as well as to adequately document, the phenomenon of calls addressed to so-called "unlisted" users, as well as to ensure that these users are contacted for promotional purposes only if they have suitable consent or on the basis of another detailed and documentable legal basis pursuant to art. 6 and 7 of the Regulations;

f) the adoption of organizational and technical measures aimed at documenting and respecting the denials of the “unlisted” subjects, as well as circulating such denials also among their partners, so that they do not proceed to contact the users concerned;

g) the implementation of an organizational procedure, regularly verified and documented, aimed at a more efficient management of any future violations of personal data, guaranteeing, in particular, the relative communication without undue delay to the person responsible for the protection of personal data of this Company for the necessary assessments and communications to the Guarantor, as well as, where the conditions are met, to the interested parties whose personal data are involved in the violations; 

h) the adoption of organizational and technical measures, such as to ensure, constantly and effectively, the retention of OLO customer data in compliance with the principles of correctness, legitimacy, purpose and minimization of processing, in order to proceed with the processing of data only adequate, relevant and limited to what is necessary for the pursuit of legitimate purposes, as well as access to the same data exclusively to specifically authorized personnel;

i) the cancellation of OLO customer data, if the terms expressly provided for by the law have expired (including the provisions of AGCOM and this Authority) and / or the legitimate processing purposes have been exhausted, provided that no overriding legitimate reason to proceed with conservation is recognizable;

l) the strengthening of measures aimed at ensuring the quality, accuracy and timely updating of personal data processed by the various systems of the Company;

m) carrying out specific and documented regression tests aimed at verifying, for each change (corrective or evolutionary) concerning the systems that process personal data of customers, that the impact of the change does not reduce the quality of the treatments carried out and the accuracy of the data processed;

n) the review of the procedure relating to all the Apps that, if necessary, present gaps similar to those noted above, in such a way that it is fully described - in clear and easily understandable language and, if necessary, also by graphic means - which treatments are actually carried out by the Company, with specific indication of the purposes pursued and the processing methods actually used, and that a free and specific consent is acquired - distinct from the acceptance of the "terms of service" - for each of the purposes other than the provision of the service, as well as the administrative and accounting purposes;

o) the modification of the procedure for joining the "TIM Party" program, integrating the information provided in this regard, with an indication of the processing methods for promotional purposes (e.g.: paper mail; telephone calls with operator; automated methods, such as electronic mail, SMS and / or pre-recorded telephone calls) and making the acquisition of consent free for these purposes;

p) the modification of any forms similar to the self-declaration form of possession of the prepaid line so that suitable consent is collected for purposes other than contractual, administrative, accounting purposes;

3) pursuant to art. 157 of the Code, requests TIM SpA to communicate, within 30 days of receipt of this provision, which initiatives have been undertaken or which they intend to undertake in order to implement the provisions therein and to provide in any case adequately documented feedback; any non-response may result in the application of the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulations;

4) believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor;

ORDERS

pursuant to art. 58, par. 2, lett. i), of the Regulations, to the aforementioned TIM SpA, in the person of its pro-tempore legal representative, to pay the sum of € 27,802,946.00 (twenty-seven million eight hundred two thousand nine hundred and forty-six), by way of a pecuniary administrative sanction for the violations indicated in the motivation; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed;

ENJOINS

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 27,802,946.00 (twenty-seven million eight hundred two thousand nine hundred and forty-six), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981;

PROVIDES FOR

pursuant to art. 166, paragraph 7, of the Code, the full publication of this provision on the website of the Guarantor.

Pursuant to art. 152 of the Code and 78 of the Regulations, an opposition to this provision may be proposed to the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is resident, or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.

Rome, January 15, 2020

THE PRESIDENT
Soro

THE RAPPORTEUR
Califano

THE SECRETARY GENERAL
Busia