Garante per la protezione dei dati personali (Italy) - 9256486

From GDPRhub
Revision as of 14:32, 17 February 2020 by Juliette Leportois

On 15 January 2020, the Italian Data Protection Authority (Garante) imposed a fine of €27,802,946 on the telecommunications company TIM S.p.A. Following hundreds of complaints about unsolicited promotional calls, the Garante's investigation revealed several unlawful processing operations on personal data carried out for promotional purposes.

Garante per la protezione dei dati personali - doc. web. n. 9256486
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law:

Article 13 ePrivacy Directive (Directive 2002/58/EC)

Article 130(1) Italian Data Protection Code (Legislative Decree 196/2003)

Articles 5, 6, 7, 12, 13, 21, 24, 25, 28, 32 and 33 GDPR

Decided: 15 January 2020
Published: 15 January 2020
Parties: TIM S.p.A. v. anonymous
National Case Number: doc. web. n. 9256486
European Case Law Identifier: n/a
Appeal from: n/a
Language: Italian
Original Source: Garante per la protezione dei dati personali

English Summary

Facts

The Garante examined a number of complaints about unsolicited promotional calls received by prospects who had not given consent, or who had expressly stated that they did not wish to receive them. Further complaints concerned the way consent for promotional purposes was collected in various forms used for customers and in the company's loyalty programmes and apps. Users also complained of deficiencies in the handling of data subjects' requests, namely requests for access to their own data and objections to processing for promotional purposes. The Garante also examined several data breach notifications submitted by TIM. These revealed inconsistencies in the systems processing customers' personal data, both at TIM and at its providers (namely, call centres), which led, for instance, to the inaccurate use of customers' contact details.

Dispute

The Garante had to assess whether TIM lawfully processed prospects' personal data in its marketing campaigns, in particular whether a legal basis (e.g. consent) supported that processing and whether TIM ensured that its providers processed personal data accordingly. The Authority also had to determine whether the processing of customers' and prospects' personal data respected data subjects' objections to processing. In this regard, it analysed the validity of the consent collected for promotional purposes and the related information provided in the various forms used by the company, including in customer programmes and apps. The Garante further had to evaluate whether the storage and use for promotional purposes of data relating to customers of other operators, to whom TIM provided network and infrastructure services, was compliant. Finally, the Authority investigated the company's management of data breaches, in particular those affecting customer data processed for promotional purposes, with regard both to the timeliness of the notifications and to the measures taken to reduce the risks to the rights and freedoms of data subjects.

Holding

The Garante found that the processing of prospects' personal data was based neither on valid consent nor on any other lawful basis, in violation of Articles 6 and 7 GDPR. Prospects' and customers' personal data was also processed for marketing purposes despite the data subjects' objections, in breach of Article 21(2) and (3) GDPR. In various forms used by the company, as well as in customer programmes and apps, the consent collected for promotional purposes was neither specific nor freely given, and the related information was not transparent and unambiguous, in violation of Articles 4(11), 7(1), (2) and (4), 12(1) and 13 GDPR. Moreover, the Authority found that data relating to customers of other operators was stored and used in breach of the principles of fairness, purpose limitation, storage limitation, accuracy and integrity set out in Article 5(1) GDPR. Concerning the management of data breaches, the Garante considered that TIM had not ensured, through appropriate technical and organisational measures, an appropriate level of integrity and confidentiality or the accuracy of the data, as required by Articles 5(1)(d) and (f), 32 and 33 GDPR. More generally, the Garante considered that TIM was unable to demonstrate compliance for several fundamental aspects of the processing carried out directly or through its providers, and therefore failed to meet its obligations regarding accountability (Articles 5(2) and 24(1) and (2) GDPR), data protection by design (Article 25(1) GDPR) and its duties as controller towards its processors (Article 28 GDPR). Consequently, the Garante imposed a fine of €27,802,946 together with several corrective measures.

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Italian original for more details.