Garante per la protezione dei dati personali (Italy) - 9256486: Difference between revisions
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
15 January 2020, the Italian Data Protection Authority (Garante) imposed a fine of € 27.802.946 on a telecommunications company, TIM S.p.A. Following hundreds complaints related to the receipt of unsolicited promotional calls, investigations pursued by the Italian Authority revealed several unlawful processes of personal data for the purpose of promotional activities. | |||
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;" | {| class="wikitable" style="width: 25%; margin-left: 10px; float:right;" | ||
| Line 44: | Line 44: | ||
===Facts=== | ===Facts=== | ||
The | The Garante examined different complaints relating to unsolicited promotional calls received by prospects without their consent or despite their express will not to receive them. Further irregularities complained of concerned the collect of consent for promotional purposes in different forms for customers and company’s programs and apps. Users also complained deficiencies in the response to data subjects’ requests, namely requests of access to one's own data and to oppose to data processing for promotional purposes. | ||
The Garante also examined several notifications TIM made concerning different data breaches that occurred, which have highlighted inconsistencies in the systems, both of TIM and its providers (namely, call centers), that process personal data of customers such as to cause, for instance, an inaccurate use of customers contact details. | |||
===Dispute=== | ===Dispute=== | ||
The | The Garante had to assess whether TIM lawfully processed prospects’ personal data in its commercial campaigns, namely by applying a legal basis (e.g. consent) to such processing, and ensuring that its providers process personal data accordingly. The Authority also had to determine whether the process of customers and prospects’ personal data complied with data subjects’ requests which object to processing. | ||
In this regard, the Authority also analyzed the validity of consent collected for promotional purposes and the related information provided in different forms submitted by the company, including in customers programs and apps. | |||
The Garante had to evaluate the compliance of the storage and use for promotional purposes of data relating to customers of others operators, to whom TIM provided network and infrastructure services. | |||
Finally, the Authority investigated the management of data breaches by the company namely in relation to customers data processing for promotional purposes, with regard to both the timeliness of the notification and the measures taken to reduce the risks to the rights and freedoms of data subjects. | |||
=== Holding=== | === Holding=== | ||
The | The Garante found that the processing of prospects’ personal data was not based on a valid consent nor on another lawful basis, hence violating namely Articles 6 and 7 GDPR. Process of prospects and customers’ personal data for marketing purposes was also conducted against the objection from data subjects, thus in breach of Article 21 (2) (3) GDPR. | ||
In different forms submitted by the company, as well as in programs and customers apps, consent collected for promotional purposes was not specific and freely given, nor the related information provided was transparent and unambiguous, thus violating articles 4 (11), 7, (1), (2), (4), 12 (1) and 13 GDPR. | |||
Moreover, the Authority found that data relating to customers of others operators was stored and used infringing the principles of fairness, purpose limitation, storage limitation, accuracy and integrity referred to in Article 5 (1) GDPR. | |||
Concerning the management of data breaches, the Garante considered TIM did not ensure, by appropriate technical and organizational measures, an appropriate level of integrity and confidentiality, nor the accuracy of data, as required by Articles 5 (1) (d), (f), 32 and 33 GDPR. | |||
In general, the Garante considered TIM was not able to account and prove compliance for various fundamental aspects of the data processing carried out directly or through its providers, thus not respecting its obligations in terms of accountability (Article 5 (2) and 24 (1), (2) GDPR), privacy by design (Article 25 (1) GDPR) and as controller towards its data processors (Article 28 GDPR). | |||
Consequently, the Garante issued a sanction of € 27.802.946, together with different corrective measures. | |||
==Comment== | ==Comment== | ||
Revision as of 14:28, 17 February 2020
15 January 2020, the Italian Data Protection Authority (Garante) imposed a fine of € 27.802.946 on a telecommunications company, TIM S.p.A. Following hundreds complaints related to the receipt of unsolicited promotional calls, investigations pursued by the Italian Authority revealed several unlawful processes of personal data for the purpose of promotional activities.
| Tribunal of Rome - 10789/2019 | |
|---|---|
 | |
| Court: | Tribunal of Rome (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: |
Article 13 ePrivacy (Directive 2002/58/EC) Article 130 (1) Italian Civil Code |
| Decided: | 1. 8. 2019 |
| Published: | 1. 8. 2019 |
| Parties: |
WIND TELECOMUNICAZIONI S.P.A. and |
| National Case Number: | doc. web. n. 9256486 |
| European Case Law Identifier: | n/a |
| Appeal from: | n/a |
| Language: | Italian |
| Original Source: | |
English Summary
Facts
The Garante examined different complaints relating to unsolicited promotional calls received by prospects without their consent or despite their express will not to receive them. Further irregularities complained of concerned the collect of consent for promotional purposes in different forms for customers and company’s programs and apps. Users also complained deficiencies in the response to data subjects’ requests, namely requests of access to one's own data and to oppose to data processing for promotional purposes. The Garante also examined several notifications TIM made concerning different data breaches that occurred, which have highlighted inconsistencies in the systems, both of TIM and its providers (namely, call centers), that process personal data of customers such as to cause, for instance, an inaccurate use of customers contact details.
Dispute
The Garante had to assess whether TIM lawfully processed prospects’ personal data in its commercial campaigns, namely by applying a legal basis (e.g. consent) to such processing, and ensuring that its providers process personal data accordingly. The Authority also had to determine whether the process of customers and prospects’ personal data complied with data subjects’ requests which object to processing. In this regard, the Authority also analyzed the validity of consent collected for promotional purposes and the related information provided in different forms submitted by the company, including in customers programs and apps. The Garante had to evaluate the compliance of the storage and use for promotional purposes of data relating to customers of others operators, to whom TIM provided network and infrastructure services. Finally, the Authority investigated the management of data breaches by the company namely in relation to customers data processing for promotional purposes, with regard to both the timeliness of the notification and the measures taken to reduce the risks to the rights and freedoms of data subjects.
Holding
The Garante found that the processing of prospects’ personal data was not based on a valid consent nor on another lawful basis, hence violating namely Articles 6 and 7 GDPR. Process of prospects and customers’ personal data for marketing purposes was also conducted against the objection from data subjects, thus in breach of Article 21 (2) (3) GDPR. In different forms submitted by the company, as well as in programs and customers apps, consent collected for promotional purposes was not specific and freely given, nor the related information provided was transparent and unambiguous, thus violating articles 4 (11), 7, (1), (2), (4), 12 (1) and 13 GDPR. Moreover, the Authority found that data relating to customers of others operators was stored and used infringing the principles of fairness, purpose limitation, storage limitation, accuracy and integrity referred to in Article 5 (1) GDPR. Concerning the management of data breaches, the Garante considered TIM did not ensure, by appropriate technical and organizational measures, an appropriate level of integrity and confidentiality, nor the accuracy of data, as required by Articles 5 (1) (d), (f), 32 and 33 GDPR. In general, the Garante considered TIM was not able to account and prove compliance for various fundamental aspects of the data processing carried out directly or through its providers, thus not respecting its obligations in terms of accountability (Article 5 (2) and 24 (1), (2) GDPR), privacy by design (Article 25 (1) GDPR) and as controller towards its data processors (Article 28 GDPR). Consequently, the Garante issued a sanction of € 27.802.946, together with different corrective measures.
Comment
Share you comment here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the Italian original for more details.
