Garante per la protezione dei dati personali (Italy) - 9435753

From GDPRhub
Garante per la protezione dei dati personali - 9435753
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1) GDPR
Article 5(2) GDPR
Article 6(1)(a) GDPR
Article 7 GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 24 GDPR
Article 25 GDPR
Article 58(2)(f) GDPR
Article 58(2)(d) GDPR
Article 58(2)(i) GDPR
Article 83(2) GDPR
Article 83(4)(a) GDPR
Article 83(5) GDPR
Article 83(5)(a) GDPR
Article 130 Codice Privacy
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.07.2020
Published: 13.07.2020
Fine: 16729600 EUR
Parties: Wind Tre SpA
National Case Number/Name: 9435753
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: n/a

The telephone operator Wind Tre was fined 16,729,600 EUR by the Garante (Italian DPA) for several incidents of unlawful collection, processing and unauthorised marketing communications to customers. The Garante also prohibited Wind Tre from carrying out any further processing of the data they had acquired without consent.

English Summary

Facts

The Italian DPA (Garante) received complaints from Wind Tre and non-Wind Tre users about unsolicited marketing communications made without their consent via texting, emails, faxes, and automated phone calls. In several complaints, the complainants noted that they were unable to withdraw their consent or object to the processing of their data for marketing purposes, in part due to inaccurate contact information in Wind Tre's privacy policies. Other complainants' personal data had been included in public phone directories despite objections being made by those complainants.

The investigation by the Garante also found that the MyWind and My3 apps had been "configured in such a way as to require the user to consent, on each access, to processing for various purposes including marketing, profiling, communication of data to third parties, data enrichment and geolocation; withdrawal of such consent was allowed after 24 hours." The investigation also uncovered a number of infringements affecting Wind Tre's business partners, including a fine of eur 200,000 against a business partner who had subcontracted without a legal instrument whole sets of processing activities to call centres, who collected data on behalf of the business partner.

An interesting finding of the DPA’s investigation concerned practices for the identification of data subjects. In many cases, the company stated that it did not act on data subjects’ requests to withdraw consent if these did not come with a copy of an ID. The Garante clarified that while indeed Article 12(6) GDPR allows controllers to request further information, this is possible “only if they have reasonable doubts about the identity of the person making the request”. Moreover, Recital 64 GDPR require the measures adopted to identify data subjects to be “reasonable”. This aims, according to the Garante, at discouraging “excessive requests aimed at discouraging the exercise of rights, but also to avoid the collection and retention of unnecessary data.” Utmost importance must here be given to the principles of proportionality, necessity and adequacy. In the specific context of data processing for commercial purposes, the illegitimate exercise of the right to withdraw consent from a third party poses, according to the Garante, an almost insignificant risk to the legal sphere of the data subject, so that the collection and processing of ID copies cannot be considered reasonable. Even more so, in cases where the person trying to withdraw her consent is not a customer of Wind Tre. In such cases, the request “appears even more disproportionate and may involve the acquisition of personal data that are not already available to the owner and are therefore not necessary.”

Dispute

Was the collection of the personal data by Wind Tre a breach of Articles 5, 6 and 24 GDPR?

Was the processing by Wind Tre in violation of Articles 5 and 6 GDPR?

Was the information provided by Wind Tre to the users in breach of Articles 12 and 13 GDPR?

Holding

The main violations of the GDPR and of the Italian Privacy Code observed by the Garante were due to the following behaviours: • The lack of transparency towards data subjects, concerning the information provided to them, including information regarding the company’s communications channels; • Consent collection contrary to data protection regulation, as well as various issues related to the exercise of data subjects’ rights; • Serious shortcomings in the management and control of Wind Tre supply chain, including the absence of compliance audits.

More specifically, the Garante held that Wind Tre had violated the following articles of the GDPR: Articles 5(1), 5(2), 6(1)(a), 7, 12(1), 12(2), 24 and 25. It subsequently fined Wind Tre 16,729,600 EUR, prohibited any further processing and ordered the company to bring their processing practices in line with the GDPR.

The Italian DPA found that Wind Tre operating methods incentivised sellers to collect ‘as much consent as possible’ from data subjects, while impairing their ability to object to processing of data for promotional purposes. According to the Garante, the numerous complaints received suggest that, behind the lack of clarity, there was an intention to force the will of the users towards consenting to the processing of personal data for commercial purposes. A conduct that was “not only negligent, but deliberately designed to circumvent the rules set out to protect the freedom of expression of the will of data subjects.” As a result, the Authority found a lack of appropriate technical and organisational measures to enable interested parties to exercise their rights, with the consequence that the revocation of consent or the objection to data processing was unjustifiably hindered. As regards the management of consents by sellers in physical shops, the indications given to staff to gather as many consents as possible, the presence of a single button in the management system to facilitate the tick of all consent boxes, the small prints used to inform about consent collection and, in some cases, the bundling of consents, were considered further negative elements by the DPA.

Concerning the control of the supply chain, the Garante held that the fact itself that subcontractors were conducting promotional campaigns in the interest of Wind Tre, while the company disowned such activities, was a sign that marketing communications were carried out without the necessary control of the supply chain – which is necessary, according to the Italian DPA, also when subcontractors are considered as independent data controller. Moreover, discrepancies in the communications from contractors concerning the source of contact data, should have made the company aware of the illicit practices. Such conduct showed a lack of adequate technical and organisational measures, in this case “with particular regard to the inability to effectively control the chain of partners who carry out promotional activities for the benefit of the Company.” Controls across the procurement network should have been stricter, and the relationship among Wind Tre, its contractors and sub-contractors should have been framed in the context of the processing of personal data, as per Article 28 and 29 GDPR.

Taking into account all these elements, Wind Tre’s conduct was, according to the Italian DPA, generally elusive of the principles of accountability and privacy by design. In fact, "taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purpose of the processing, as well as the risks having different probability and seriousness for the rights and freedoms of individuals", the company had sufficient tools and knowledge to assess the risks associated with the data processing, and to prepare, consequently, adequate technical and organizational procedures. This was particularly due to well-established decisions of the Garante, some of which even directly addressed to Wind Tre.

Regarding the size of the fine, the Garante found it was proportionate on the basis of the duration of the infringements, both the wilful and negligent violations of the GDPR committed by Wind Tre, and the number of people affected by the breach. To quantify the former, the Garante based its assessment not on the number of complainants, but on the number of people in Wind Tre's client base. The Garante also noted that previous sanctions against the telemarketing sector had not been sufficiently dissuasive.

Key excerpts from the Garante's decision include the following:

"... [T]he Company's responses revealed an uncertain and contradictory picture in the description of the technical and organizational measures taken to identify the parties concerned in a reasonable manner, representative of an insufficient assessment of the different interests at stake."

"pursuant to art. 58, paragraph 2, letter d), to adopt, without prejudice to the corrective measures already introduced, suitable procedures to verify the correctness of the procedures for the acquisition of consent by its sales network and that persons who have already expressed opposition to the treatment against Wind Tre are not contacted by third parties who operate as independent owners."

"The preliminary findings showed an overall picture unsuitable for satisfying this requirement of adequacy, since the lack of suitable technical and organisational measures was noted several times, in some cases adding the aggravating circumstance of pre-ordering the conduct (in cases relating to the collection of consent through apps and by signing the contract with dealers) and also having to note that, on several occasions, the Company has not been able to demonstrate compliance with the rules of the treatments put in place and the effectiveness of the measures taken, as required by Article 5, paragraph 2 of the Regulation."

"In fact, it cannot but be strongly noted that the lack of control of the supply chain involves the Company in a "market of personal data", already the subject of specific information from the Guarantor to the Public Prosecutor's Office at the Court of Rome, in which, in addition to the violation of the provisions concerning the processing of personal information, serious profiles of violation of labour law, tax law and probably criminal law emerge, fuelling an "undergrowth" which in some cases could also be the object of attention by criminals."


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[Web doc. 9435753]

Order injunction against Wind Tre S.p.A. - 9 July 2020

Register of measures
No 143 of 9 July 2020

DATA PROTECTION SUPERVISOR

At today's meeting, in the presence of Dr. Antonello Soro, President, Dr. Giovanna Bianchi Clerici and Prof. Licia Califano, members, and Dr. Giuseppe Busia, Secretary General;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "the Regulation");

HAVING REGARD to the Personal Data Protection Code (Legislative Decree no. 196 of 30 June 2003), as amended by Legislative Decree no. 101 of 10 August 2018, laying down provisions for the adaptation of national legislation to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the complaints and reports received by the Guarantor, with regard to various personal data processing operations carried out by Wind Tre S.p.A. (hereinafter also referred to as: "Wind Tre" or "the Company");

HAVING REGARD to the results of the inspections carried out against Wind Tre and some of its business partners;

HAVING REGARD to the documentation in deeds;

HAVING REGARD to the observations made by the Secretary General pursuant to Article 15 of the Garante Regulation No. 1/2000;

REPORTER Dr. Antonello Soro;

PRESS RELEASE

1. THE INVESTIGATIVE ACTIVITY CARRIED OUT

A number of reports and complaints have brought to the Authority's attention various personal data processing operations carried out by Wind Tre, mainly (but not exclusively) related to promotional activities.

Considering that the Company has already received an injunction and prescriptive order for similar processing carried out under the previous regulatory framework (see provision no. 313 of 22 May 2018, in www.garanteprivacy.it, web doc. no. 8995285), the investigation conducted took into consideration only those requests received after 25 May 2018, which were subject to a cumulative investigation pursuant to art. 10, paragraph 4, of the internal regulations of the Guarantor no. 1/2019 (web doc. no. 9107633). This first investigative activity will also be indicated in the course of this measure as "procedure A".

With different proceedings (see files 139150, 139507, 139505, 140416, 141133), other aspects of the activity of the owner were then taken into consideration, connected to reports received by the Authority which informed of promotional activities, carried out for it by the chain of sub-agents of an accredited supplier, contacting the clients of another telephone operator whose personal data were acquired with illegitimate modalities.

This second procedure will also be referred to below as "procedure B".

As a result of these activities, a number of violations of data protection rules have emerged.

2. RESULTS OF THE INVESTIGATION

The investigations conducted involved the examination of over 100 files, in addition to carrying out inspections at Wind Tre itself, at some partners and at another telephone operator. It is also necessary to consider the topicality of the conduct or, in any case, its effects, given the requests, of similar content, received by the Authority even after the formal complaint sent to the Company on 13 May 2020, to be considered herein in full and to which reference should be made for any details.

2.1. Promotional activity by sms, e-mail, fax, telephone calls and automated calls

During the period under review, as mentioned above, the Guarantor received numerous complaints and reports relating to the receipt of unwanted promotional contacts made by telephone, sms, e-mail, fax or automated calls. In many cases the receipt of contacts has been complained about even after the withdrawal of consent or the exercise of the right of opposition.

In response to specific requests for information, the Company,

1. in some cases, has documented the acquisition of a specific consent by showing the contracts (purchase proposals - pda) signed by the parties concerned;

2. in other cases, it has documented the acquisition of consent which, in the light of the investigations carried out, proved to be unsuitable;

3. in the remaining cases it was unable to document the acquisition of consent.

2.1.1. Contacts made without consent

The Company, in some of the findings provided, stated that the contact was made by mistake (see files 128119, 127661, 130539, 123638,134545, 142932, 121112); in other cases, that the withdrawal had not been promptly implemented due to problems related to the management of correspondence or identification of the person concerned, which will be discussed more fully later (see files 141011, 134392, 130266, 130344, 145996, 124985, 134434, 133063, 133372, 134997, 128000, 128805, 130356, 129952, 127784).

2.1.2. Contacts made on the basis of a consent to be considered inappropriate

In other cases, the Company responded to specific requests for information by documenting the acquisition of a consensus which, in light of the assessments made, proved to be unsuitable.

2.1.2.1.  Consent dating back to and not in compliance with the new regulatory framework introduced by the Regulation

In particular, in three cases (see files 133088, 134927, 131464), consent was documented by attaching the contracts signed by clients. These, however, dating back to the years 1998/99, are no longer suitable with respect to the current regulatory framework because they do not allow to document a free, specific and informed will of the person concerned since only one consent is required for different processing purposes (promotional activities of the owner, third parties, evaluation of customer satisfaction, credit protection); in this regard, reference is made to articles. Articles 4(11) and 7 and the content of recital 171 of the Regulation, according to which 'where the processing is based on consent in accordance with Directive 95/46/EC, it is not necessary for the data subject to give his consent again, if it has been expressed in a manner that complies with the conditions of this Regulation, in order for the data controller to continue the processing in question after the date of application of this Regulation'. Therefore, it is up to the data controller to assess whether the consents already acquired are still to be considered in compliance with the rules in force; among these, we would also like to mention the regulatory changes occurred after 1999 aimed at regulating, with special provisions, the processing carried out within the electronic communication services (art. 130 of the Code and provisions on the Register of Objections) to be considered now known to all operators in the sector, also in the light of the numerous rulings of the Guarantor.

2.1.2.2.  Consent acquired directly from commercial partners

In one case (see file 130729), the receipt of an unwanted text message was justified on the grounds that it was sent directly by XX Srl, without using lists from Wind Tre, on the basis of an independently acquired consent for the promotion of third party services (which was not shown together with the reply).

In this regard, it should be noted that the Company, with attachment 1 to the note of July 15, 2019, provided a copy of a communication sent to its business partners to remind them to comply with current marketing regulations. Among the provisions contained in this communication is that indicated in point I), where the Company requests "to verify that, in the event of promotional activities for our offers being carried out, only the numbers agreed for the commercial contacts of which Wind Tre is the owner or legitimately authorized are contacted".
2.1.2.3. Consent acquired through MyWind and My3 apps.

In other cases, the Company has documented the consent by providing the screenshot of the internal information system from which consent is given through "interactive channels" or "SelfcareAppAndroid".

An examination of the attached documentation shows that the consent was provided by those concerned by accessing their personal area via the MyWind or My3 app.

In particular, in three cases (see files 134496, 138094 and 140940) the consent, originally not present, was acquired following a computer record described as a "variation", which, according to what was subsequently illustrated by the Company, would indicate the fact that the person concerned, operating directly through the Selfcare channels (of which the apps are an instrument), would have requested a change in the status of the consents, giving them where they were not present. In two of them (files 134496 and 138094) this change was made in December 2018, the date on which an amendment to the app was implemented. Moreover, under two circumstances (files 138094 and 140940), this change was made at the same time for all the types of processing listed on the app's home page (marketing, profiling, data enrichment, geolocation, transfer to third parties). In this last regard, one of the complainants (see file 138094), in response to Wind Tre's reply, reiterated its doubts regarding the consents given, pointing out that it had no idea, for some processing operations, even of the meaning of what was reported (e.g. for "data enrichment") and also noted that it would have no reason to provide the operator with all the consents at a time when, due to the numerous inefficiencies, it was no longer satisfied with the service provided.

In this regard, it is noted that the operation of the MyWind and My3 apps, which are responsible for managing the user profile connected to the telephone service, has been brought to the attention of the Guarantor with a number of other reports and complaints (files 116325, 133895, 133630, 132819, 132840, 132535, 134089, 135405). All the requests received complained, in a similar way and with the attachment of the relevant screenshots, that the apps in question obliged the user to provide, at each new access, a series of consents for different processing purposes (marketing, profiling, communication to third parties, enrichment and geolocalization) and then allow them to be revoked after 24 hours.

In a note dated 17 April 2019, the Company, in declaring that it had made some changes to the apps in question in the last quarter of 2018, attached the access screens of both, similar to those already presented by the reporters, from which the following emerged:

- the willingness of the owner to carry out the five treatments described was stated;

- it stated that "if you prefer, you can choose [...] which consents you wish to give on Management Consent. By pressing Accept you allow Wind Tre to collect and use the information listed above and customized by you. I also declare to accept the terms and conditions and to have read the privacy policy";

- by pressing the "Cancel" button, you could not use the app because, according to the Company, you did not accept the terms and conditions and did not read the privacy policy.

Wind Tre, in this regard, said that there was no obligation to provide consents because these were previously managed by the link "Management consents" in the body of the text and "probably some users may have misunderstood the contents of the page. In fact, by going to Manage Consents you could choose the individual preferences, then "made that choice, the customer going back to the previous page and pressing accept confirm the choice on consents just made and at the same time accept terms and conditions".

In such cases, therefore, it should be noted that the procedure followed was complex, inadequate for rapid use, typical of an application for smartphones and, for these reasons, capable of generating errors on the part of the person concerned with direct repercussions on the legitimate expression of consent. The Company, in any case, despite the reports received from time to time, did not deem it necessary to intervene promptly in the configuration described.

In the same way, it must be considered, in general terms, that the apps of the My3 and MyWind type fulfil the essential function of allowing the user to monitor consumption and the thresholds for the use of the services and, therefore, to control the overall telephone expenditure. The impossibility of keeping current expenses under control may have represented a further negative element for the person concerned, as a consumer.

In addition, with a complaint dated 8 January 2020 (file 145970), the conversation held in chat with customer service operators was documented, confirming that "...consents are revoked. if you found them temporarily granted, it may have been because of the last update of the customer area because, in order to access them, you are first asked to give consents and then they can be revoked again".

In a note dated February 17, 2020, the Company, reaffirming that the expression of specific consents was always possible through the link "Consent Management", added that, in order to make the use of the app more streamlined, by pressing the "Accept" button the customer could confirm at the same time the acceptance of terms and conditions but also of optional consents not previously expressed, except then the possibility to modify them later. The same has, moreover, added that "Mr. ... has repeatedly modified his will by lending and revoking the consents previously issued".

Finally, with a complaint dated February 5, 2020 (file 146873), she complained once again that it was impossible to use the app without necessarily clicking on the "Accept" button and without being able to clearly understand the effects of this expression of will. The complainant documented that, once "Accept" was indicated, all the consents in the personal area were given. The complainant also attached an exchange of correspondence with the box privacy@h3g.it from which it emerged that the Company provided feedback indicating, at first, that "once you have accessed the App, you may change the consents in the Tools - Settings - Consent Management section". In response to the Client's subsequent comments, the Company replied that "In order to facilitate and streamline the first access to the My3 App by our Clients, we have provided, in case the Client does not want to go to the Consent Management section to avoid a further step, which can be done at any time, to provide an Accept button both for the Terms of Service and for the Consents not previously expressed. The Accept referred to the privacy policy is not to be understood as a constraint of the consents to use the features but rather as an acknowledgment of the methods and purposes of treatment.

These justifications provided by the Company were not considered acceptable and a specific objection was therefore made pursuant to art. 166, par. 5 of the Regulation. On the basis of what Wind Tre stated, in fact, the intent of the request would have been to have the contractual conditions accepted and to demonstrate that the information had been read. To this, however, evidently had to be added the intention to acquire previously undisclosed consent.

On the basis of what was stated, therefore, these three different expressions of will (at the opening of the app, with a single request, it was asked: 1) to accept the contractual conditions; 2) to accept the information; 3) to provide - or "validate" all the required consents) should have been expressed with a single action, consisting in the selection of the "Accept" button. Even if such a procedure were to be admitted as useful, it should be noted that the provisions of art. 7, paragraph 2 of the Regulation as well as recitals 42 and 43 concerning the awareness of the person expressing consent in the context of a written declaration that also covers other issues should not be respected.

In addition, the proposition of the above mentioned requests also seems to lack logical sense since it is not clear why they are repeated at every access to the app. In this sense, even if the request is considered only as a confirmation that the information notice has been read, it appears completely pretextual in the absence of modifications to the information notice that would make it necessary to re-propose it. Similar consideration can be made with regard to the contractual conditions, which are supposed to have been made known at the time of signing the service contract (and not modified at each access).

The numerous reports received (all with similar content) lead one to believe that, behind the lack of clarity, there is therefore a rule of collection of consent to force the will of users, a rule that has not been modified even after the receipt of the numerous reports.

The provision of a mode of choice (allegedly preventive) through the link "Consent Management", in addition to proving difficult to understand, also appears to be legally insufficient to ensure the expression of a valid consensus since, in the absence of specifications in this sense, it could always be considered outdated by the expression of will subsequently expressed by pressing the "Accept" button. And, above all, it does not appear justified in its reiteration.

Finally, the remedy consisting in the possibility of revoking (however, not before 24 hours) the consents expressed involuntarily, since, as is well known, the expression of the will must be free and preventive. Wind Tre itself acknowledged that, in several cases, consents were given and then revoked several times. Remaining to be emphasized the risk of use of the data during the aforementioned 24 hours.

Such treatment, therefore, can not be considered lawful and the consent collected in the manner described above can not be considered suitable to prove a manifestation of free and specific will of the interested parties.

With the defensive statement of June 15, 2020, the Company stated that, to date, the two apps have been replaced by the only WINDTRE app, which no longer requires consent to access.
2.1.2.4.  Consent given in a non-legitimate manner (expression of consent not free).

As highlighted in point 2.1., in many cases the Company has documented the acquisition of consent by providing a copy of the contracts signed by customers (so-called pda).

Without prejudice to the specific anomalies already indicated above, we now wish to examine the general procedures for obtaining consent when signing a contract for the purchase of a mobile or fixed user. This is because several times over the years it has been brought to the attention of the Guarantor, the difficulty of expressing a free and specific consent for all the purposes of the processing, despite the statements made by the Company regarding the instructions given to its partners in this regard.

Finally, a report dated 13 March 2020 (see file 148352) is recalled with which, with notes also sent to Wind Tre, the impossibility of expressing free consent for promotional purposes, both before and after signing the contract activated at a retailer, was complained of.

We also refer to the complaint (see file 136370) with which it was represented, in a very timely manner, that the sales operator has prepared a contract with all the boxes relating to consents already pre-selected and, after some resistance to the customer's requests, has modified only the system selections without reprinting the contract. The Company, questioned on the matter, replied with a note dated July 17, 2019 representing that the customer's will was probably misunderstood by the operator. On the basis of these elements, the Office had ordered the closure of the investigation on 20 November 2019. However, in the light of certain events that have occurred, which are illustrated below, what emerged also from the investigation described above must be considered again, assessing differently the good faith of the statements provided by the Company at the time

In fact, with a complaint dated 17 June 2019 (cf. 139604) it was complained that, for the activation of a new user at a dealer, the dealer had prepared a contract containing the consents already selected for signature without having previously asked the customer to express a willingness to do so; given the size of the characters in which the text relating to the expression of consent was written, it would not have been possible to notice immediately what was presented for signature; to obtain the printing of a new contract without the consents selected, there would have been much resistance on the part of the salesperson.

In this case the Office requested an inspection at the retailer XX S.r.l. in Merano, where the user in question had been activated and who was acting as Wind Tre's data processor. The inspection activity, delegated to the Special Privacy Unit, was carried out on 11 and 12 December 2019 and revealed the following:

the registration of the consents was carried out using Wind Tre's application called "Wind Station";

with regard to the actual method of collecting the customer's will, the operator stated in the minutes that "following the instructions of the area manager Mr. ..., during each activation of sim cards, the operator of reference must flag of initiative all the consents provided therein. This operation, among other things, is facilitated by a special button within the management [...]. Only if, on signing the paper form printed by the system and submitted to the attention of the interested party for acceptance of the information and the issue of consents, the latter should express doubts about the consents present in the reference form, the operator shall amend them according to the indications provided directly by the interested party"; it follows that the operator, by default, enhances all the consents and prints the contract, thus prepared, for the signature of the customer;

the minutes have acquired a copy of the contract signed by the complainant on 21 May 2019 in which there is, on the right side at the top, a box called "stay in contact with Wind" containing a statement of acknowledgement of the information and authorization to process personal data for marketing purposes by Wind Tre and its partners; profiling; geolocation; communication to third parties and data enrichment. The size and spacing of the text contained in this box are significantly smaller than those of the characters that make up the attached contract so as to be objectively difficult to read both as regards the entire text and, above all, as regards the display of any flag in the boxes relating to individual consent;

the operator heard in this regard, stated that he had received verbal instructions regarding the operational practice described above for the acquisition of consents and, in order to document what was alleged, he delivered a copy of two e-mails received from the manager of Wind Tre: in one of them, dated May 25, 2019, there is a chart describing the consensus acquisition percentages achieved by the dealer with an invitation "once again to reach 100% on everything"; with the second e-mail, dated June 5, 2019, Wind Tre's sales representative sent the dealer a report of the performance made for supplier evaluation purposes; the text reads "pay attention to the quality data entered, in particular the flags must be 100% on everything"; a table is attached to this email from which it is clear that obtaining high percentages of consensus flags is included among the quality indicators;

finally, by examining the content of the management system provided by Wind Tre to the retailer, access was given to the communication published by Wind Tre on 22 March 2019 entitled "New consents from POS NG". This notice informed the partners of the change made on the list of consents from 25 March 2019 which concerned, in particular, the merging of the first two consents into a single manifestation of will, presented to the subscriber with the following text: "Wind commercial communications: I consent to the processing of my personal data for the receipt, by Wind, of communications relating to special offers, discounts and promotions relating to products and services Wind and partners selected by Wind"; thus a single consent was required to receive promotional communications from both Wind Tre and third parties. In addition, in the case of "change Offer for customers already acquired before January 9, 2017, only 2 old consents are displayed as expressed in the activation phase and 4 new consents not valorized (blank). It is possible to modify the first 2 and acquire the 4 new consents [...] but if the reseller tries to acquire only some of the 4 new consents or modify one of the 2 old ones, the blocking warning will be displayed, where it will be indicated to value all 6 consents. […]. For the customers acquired since January 9, 2017, by Modifica Offerta, all 6 consents are already valued with the possibility to modify them together with the commercial variation of the offer".
2.1.2.5. Consents of clients of another operator acquired by illegal means

Here we refer to the results of the investigations of the so-called "procedure B" referred to in the introduction and carried out after the Authority learnt, from a report, of the existence in Rome of a call-center that would have carried out activities of contacting potential customers and offering telephone services on behalf of the Company, through the acquisition of data of customers of another telephone operator in an unlawful manner and in any case outside the regulatory framework outlined by the Regulations and the Code.

The Office, having carried out the necessary verifications relative to the personal information of the subjects indicated in the report, delegated to the Guardia di Finanza, Special Unit for the protection of privacy and technological fraud, the carrying out of inspections at said call-center.

The audit revealed that the activities carried out there were carried out by Alessandro Corbelli Sunrise s.r.l.s. and, despite the fact that, at the time of access, they were presented as training activities for the start-up of future call-center operators, the results of access to the workstations showed that - at the time of the audit - activities were underway for telephone contacts promoting the services of the company Wind Tre.

The telephone contacts of potential customers, addressed to the business area, provided for the setting of appointments for the compilation of contract proposals, appointments that were "uploaded" in the electronic diaries of people who would have to go to customers.

In the call-centre, a large number of Wind contract forms were found, prepared for business customers, and numerous Wind branded sim-cards.

Contact activities were carried out at seven workstations using personal computers and mobile phones. In the history of these phones was found trace of hundreds of calls made in the three days prior to the inspection. From the access to the computers used by the operators it was possible to acquire numerous files in excel format containing directories consisting of personal data and telephone contact information of companies and individuals. All the operators questioned stated that these files were uploaded daily to the desktop of the PCs by the contact person and that they contained the names and telephone numbers of the persons to be contacted. In the contact person's PC and at another workstation, excel files containing personal data (name, surname, company name, tax code, landline phone number and mobile phone number) of over 500,000 users were found. Computer traces of virtual machine access to another telephone company's database were also found.

With reference to the origin of the personal data found in the different work stations of the call-center, a specific inspection carried out at the headquarters of the telephone operator from which - according to the above mentioned report - these would have been stolen, did not allow to acquire full evidence in this sense, while the referent present in the call-center at the time of the assessment declared that "the activity in a typical day of this call center provides that I distribute to operators the lists of subjects to contact who are present in my PC of which I do not know how to define the origin [...]; with reference to the SIMs present in the call centre and the contractual documentation and brochures, I represent that all this material comes from Wind's agencies whose names and company names I do not know and are intended, presumably, for agents [...] whom I do not know personally'.

Such declarations of the referent, paradoxical, unreliable and made in contempt of the duties of collaboration towards the Authority, were not able to prove that the acquisition of the personal data of potential customers had occurred in compliance with the provisions of the Regulation and the Code, with particular reference to the discipline of consent, and, in any case, showed that the call-center activities took place outside the procedures implemented by Wind Tre to regulate the telemarketing and teleselling activities. In addition, the methods of contacting potential customers took place without providing the necessary information required by art. 14 of the Regulation, as evidenced by the absence of information on the processing of personal data in the call script acquired during the assessment, thus corroborating the consideration that any consent collected can not be considered valid due to lack of the necessary prior information.

In good substance, the activity of the call-center was presented as completely abusive, in violation not only of the provisions on the subject of the protection of personal data, but also of those in the fiscal, tax and work ambit for which the privacy nucleus proceeded to interest the competent articulations of the Guardia di Finanza. Furthermore, it was conducted by a company not present in the Register of the communication operators, using numbers not recorded in the same register, in an extremely worrying framework of disinterest for the rights of the interested parties and for the necessary guarantees of security which should have presided over every operation of treatment.

During the investigation carried out at this call-center, documentary evidence was obtained of a significant operational link between it and the agency Merlini s.r.l., which carries out marketing activities for Wind Tre products at its operational headquarters in Ponsacco (PI).

The Office then delegated the Guardia di Finanza to carry out an inspection of the aforementioned agency, from which it emerged that Merlini s.r.l. operates exclusively on behalf of Wind Tre, under an agency contract that also provides for its designation as data processor. Merlini s.r.l. carries out its activity through collaborators present on the national territory, called "procacciatori". Among the "procacciatori" who collaborate with this company was also the company Alessandro Corbelli Sunrise s.r.l.s. and, with reference to it, Merlini s.r.l. produced some invoices, lists of contracts acquired and e-mails containing copies of customer documents.

As regards the activity of the procurers, Merlini s.r.l. showed a copy of some letters of assignment in which it is reported verbatim: "its activity must be carried out in full autonomy following only the indications and dispositions that will be given to it about our products, the conditions of sale and other commercial dispositions. The activity may, however, be carried out in collaboration with production and/or marketing staff, with our own agents". Merlini s.r.l. declared not to have identified the procurers as responsible for the processing or authorized to carry out processing operations because they "operate autonomously" and "each procurer is free and, therefore, autonomous in the search for subjects to whom to direct commercial proposals".

With a note dated October 25, 2019, the Office requested Merlini s.r.l. to show a copy of the letter of assignment given to the company Alessandro Corbelli Sunrise s.r.l., and of any other legal transaction entered into with the same. Merlini s.r.l. provided feedback by e-mail dated November 4, 2019, representing "not to have further documentation and in particular copies of other mandates. As already stated during the assessment of July 9, with many employees (including Corbelli) are and were in progress verbal agreements and the relationship has materialized with the sending of proposals for Wind contract by employees and the timely payment of business procacciati by our company" and also adding "that at the time of starting new collaborations to procacciatori the written mandate is the last thing that interests [...]".

With specific reference to the above case, the Office also delegated to the Guardia di Finanza two inspections which took place at the Wind Tre headquarters in Rome.

With regard to relations with Merlini s.r.l., Wind Tre produced the agency agreement between the two companies and a summary of the documentation acquired and the process carried out to affiliate the sales agents to Wind Tre's network. This affiliation process includes, among other things, the acquisition of chamber of commerce surveys, due diligence and scoping questionnaires, banking and tax documentation and the curriculum vitae of legal representatives.

Among the documentation, a questionnaire was submitted to the sales agent regarding personal data protection requirements. Among the answers provided by Merlini s.r.l., there were many elements that raised doubts about the correct handling of personal data and the effective management of employees. For example:

- to the question (present in section 6 "Composition of commercial contact lists" of the questionnaire) "does the partner acquire lists of subjects to be contacted by telephone through channels other than Wind Tre?", Merlini s.r.l. replied in the affirmative without indicating the acquisition channels of the aforementioned lists;

- to the question "does the partner guarantee the correct use of the lists of contacts within their temporal validity previously communicated by Wind Tre and does he delete them, after the deadline, from any system/memory support?", Merlini s.r.l. replied negatively;

- Merlini s.r.l. replied to all the questions concerning the "obligations related to the processing of data for commercial calls" and the "code of conduct for telemarketing activities" Merlini s.r.l. replied that they were not conferring with respect to its activities, although they concerned the rules of conduct and operating instructions in sections I and L of the agency contract signed by Merlini s.r.l. itself.

No checks were carried out by Wind Tre, in the light of the feedback provided by Merlini s.r.l., regarding the network of collaborators of the latter company and, in particular, whether such collaborators were identified on the basis of the same requirements required by Wind Tre, as well as started promotional activities on the basis of the same operating procedures identified in the agency agreement signed between Wind Tre and Merlini s.r.l..
2.1.3. Contacts made without the acquisition of appropriate consent being documented

The Company, in a number of circumstances, has been unable to document the acquisition of consent:

a) that the calling numbers indicated by the reporters were not traceable to those in the possession of the partners or,

(b) that the user called was not on the lists to be contacted for promotional purposes (cf. files 128220, 127687, 132667, 132114, 131606, 131684, 135017, 136153, 136903, 137035, 136371, 136650, 137157, 137392, 137186, 138316, 138667, 139253, 140782, 139839, 140716, 140463, 140391, 142109, 144236, 146789) or again,

(c) that the methods used to carry out the promotional campaign were not recognised as complying with the company's communication policies (cf. files 134997, 130266, 145996, 123638, 130729, 113495, 133984, 134569, 132667, 133372, 134927, 132256, 132114, 131606, 131897, 131464, 135017, 136903, 136945, 137003, 137392, 139253, 140782, 139839, 140343, 140391, 144236, 146789);

i.e:

(d) not providing any information or documentary evidence that the person concerned has been blacklisted (see files 134569, 132256, 133372, 131897, 136945, 137035, 139126, 142352, 139839);

(e) by documenting consent by attaching copies of contracts which are illegible or which prove only the contractual intentions and not also the choices concerning personal data (see files 128208, 130787, 113495, 131896).

2.2. Methods of responding to requests by data subjects to exercise their rights

In many cases, the failure to respond to the requests made by the data subjects to exercise their rights has been complained of, even repeatedly, with particular regard to the opposition to processing for promotional purposes or the exercise of the right of withdrawal.

The Company, with the notes sent in response to the various requests for information made by the Authority, represented that some instances were not found or were not promptly found because:

a) received at an address not in charge of handling this type of request (see files 130344, 133911, 142614, 145996, 124985, 134434, 133063, 133372, 137580);

(b) in accordance with a farm procedure which was subsequently outdated, it was requested to identify itself by sending a document (see files No 130344, 128000, 128805, 130356, 129952, 127784, 128208);

(c) there were errors or problems in receiving paper or electronic mail (see files No 141011, 134392, 130266, 130539).

2.2.1. Requests received at incorrect addresses

With regard to what is represented in point a), in particular, the Company has pointed out that the communications that did not have an adequate response have been received to email addresses or pecs not manned by personnel suitable to handle requests relating to the protection of personal data. The Company has also pointed out that in a complex structure, such as that of Wind Tre, it is not possible to ensure the correct management of requests if they do not reach the correct addresses, as indicated in the information on the Wind and Tre brand websites.

The office therefore verified, on 26 February 2020, the publication of these contact details on the Company's websites, and found the following:

a) regarding the references for the Wind brand,

- on the website www.wind.it at the link "privacy" there was a list of different information followed by the "cookie policy" at the bottom of which it is stated that "Any requests pursuant to Articles 15 to 22 of the European Regulation, should be addressed to Wind Tre S.p.A. - Ref. Privacy CC, Casella Postale 14155- Ufficio Postale Milano 65, 20152 Milano (MI)";

- if, on the other hand, the link to "New Privacy Policy art. 13 and 14 of GDPR as a modification of the information already provided pursuant to art. 13 Legislative Decree 196/03, so-called Privacy Code" was followed, it was stated that, for various purposes of processing, the consent given "may be revoked at any time by writing to Wind Tre S.p.A. - Privacy Ref. CC Casella Postale 14155, Ufficio Postale Milano 65 20152 Milano (MI) or by calling 155". Finally, in the same notice, it was indicated that requests relating to the exercise of the rights of the interested parties "may be addressed to Wind Tre Spa - Privacy Ref. CC Casella Postale 14155, Ufficio Postale Milano 65 20152 Milano (MI) and providing, attached to the request, an identity document in order to allow WIND TRE to verify the origin of the request";

therefore, only the physical address of a P.O. box was made available to Wind customers or, alternatively, they were invited to call customer service;

(b) with regard to the references for WIND TRE,

- on the website www.tre.it under the link "privacy" there was a list of different information followed by a document called "Privacy policy" in which it was specified that "Any requests pursuant to Articles 15 to 22 of the European Regulation, should be addressed to Wind Tre S.p.A. - Ref. Privacy CC, Casella Postale 14155- Ufficio Postale Milano 65, 20152 Milano (MI)";

- if, on the other hand, the link to "New Privacy Policy art. 13 and 14 of GDPR as a modification of the information already provided pursuant to art. 13 Legislative Decree 196/03, so-called Privacy Code" was followed, it was stated that, for different purposes of processing, the consent given "may be revoked at any time, by writing to Wind Tre S.p.A. - Rif. CC Privacy - Via Alessandro Severo 246, 00145 Rome, or by writing to privacy@tre.it or by calling 133";

- finally, in the same statement, it was indicated that requests relating to the exercise of the rights of the interested parties "may be addressed to Wind Tre Spa - Rif. CC Privacy - Via Alessandro Severo 246, 00145 Rome, or by writing to privacy@tre.it. and providing, attached to the request, an identity document in order to allow WIND TRE to verify the origin of the request";

For WIND TRE's customers, therefore, a physical address was made available, referring first to a P.O. box and, subsequently, to the address Via Alessandro Severo 246, Rome, without clarifying which was the correct address to use; furthermore, an ordinary e-mail address was provided or, alternatively, customers were invited to call customer service.

It should be noted, however, that the numerous requests received all complained, in a similar way, the failure to respond to requests sent almost always to the same addresses: windtrespa@pec.windtre.it, servizioclienti155@pec.windtre.it and windtreitaliaspa@pec.windtre.it.

The recurrent use of the same contact details by many complainants, instead of those given in the information notices, can be considered indicative of the fact that, first of all, they were somehow made known to customers (probably in the contractual documentation or, as reported in some reports, provided by telephone by the customer service itself). The same Wind Tre, with the feedback provided on November 26, 2019, in contesting the use of a non-existent pec address, said that "the correct address is servizioclienti155@pec.windtre.it as reported in the General Conditions of Contract".

Moreover, taking into account the technology currently available, it cannot be considered sufficient - and in these terms it was contested to the Company - to set up only the physical channel for sending applications, obliging those concerned to send a letter or a registered letter (possibly also with acknowledgement of receipt, to have confirmation of receipt), bearing the related costs.

The alternative of telephone contact with customer service or the ordinary e-mail address (which is provided only for the Tre brand and not for Wind) does not meet the needs of those who want to prove the sending of an application.

In this regard, reference is made to the provisions of art. 12, par. 2 of the Regulation according to which the data controller facilitates the exercise of the rights of the data subject, as well as the provisions of art. 7, par. 3 according to which consent is revoked as easily as it is granted.

Finally, while we understand the Company's need to channel the requests relating to the protection of personal data to a single "channel", the number of complaints received has made it clear that the parties concerned are not always able to independently address their own requests to issues related to data protection.

As can be seen from the numerous reports submitted to this Company, not only the average user but also various professionals (engineers, lawyers, etc.), have made use of the above mentioned contact details considering them correct and only in very few cases has the dpo contact been used (mostly after previous unsuccessful attempts). Likewise, reference is made to the difficulties represented by those who, although never having been clients or no longer clients, have been the subject of promotional campaigns without, however, having had the possibility of identifying a correct address to which to address their refusal to be treated (given that even in these cases the first attempt was made using the customer service channel).

It follows that the customer service, which in fact represents a primary interlocutor for those concerned, was not sufficiently trained for the correct management of the requests received (at least at a first level of reception and sorting), with the consequence that many requests remained unanswered or were treated improperly.

We acknowledge, however, what the Company communicated in a note dated March 6, 2020 regarding the preparation of a new disclosure, introduced following the establishment of the unique Wind Tre brand, which indicates, as channels of communication with the owner, a physical address, a pec and a telephone number. Wind Tre itself wished to point out, in its defence brief, that this corrective measure was put in place prior to receipt of the notice of initiation of proceedings by the Guarantor, received on 13 May 2020.

2.2.2. Applications not accompanied by identification documents.

In other cases, as mentioned above, the Company then declared that it did not promptly find the requests of the parties concerned because they were not accompanied by identification documents. In particular, in the various response notes received, the Company stated several times that initially the Company's procedures required the presentation of an identity document. Subsequently, also as a result of the numerous reports forwarded by the Guarantor, a simplification has been made, ensuring the withdrawal of consent for marketing purposes even in the absence of the document, provided that the same came from an e-mail address traceable to the customer, "requiring at a later date the identification of the person concerned".

In the current regulatory framework, the identification of the interested party exercising their rights is a necessary prerequisite for the correct response to requests. It is, in fact, clear that the data controller, in responding to the requests of the interested parties, must guarantee them from any prejudices, including access to unauthorized third parties. Therefore, art. 12, par. 6 of the Regulation allows the data controller to request further information that may be necessary to confirm the identity of the data subject, but only if it has reasonable doubts about the identity of the person making the request. This parameter of reasonableness is also referred to in recital 64, which suggests the adoption of "reasonable measures" to verify the identity. This is in order to avoid excessive requests aimed at discouraging the exercise of rights but also to avoid the collection and retention of unnecessary data. The identification of reasonable measures should therefore be guided by compliance with the principles of proportionality, necessity and adequacy.

In the light of these principles, the reasonableness of the measures taken can be assessed taking into account the context and potential risks but also the usefulness of achieving the purpose (of achieving correct identification).

In the case in question, it is possible to quantify the risk associated with the withdrawal of consent for commercial purposes differently from that deriving from the exercise of other rights (such as, for example, rectification, cancellation, portability, access). This is first of all in view of the limited consequences that the withdrawal of consent for commercial purposes may have in the legal sphere of the person concerned compared to those, which are much more prejudicial, deriving from the exercise of other rights, if it were a third party with malicious intent to exercise them. In addition, a request for revocation of consent or opposition for marketing purposes can probably be considered traceable to the person who proposes it, since other persons who could have an interest in this sense cannot be hypothesized (unlike what could happen with the exercise of other rights).

Finally, the measures adopted must, as mentioned above, limit the acquisition and storage of unnecessary data. This eventuality could instead occur in the case of persons who, although not customers of Wind Tre, but who have been contacted (correctly or not) for a campaign of the latter, want to submit a specific refusal to receive promotional messages: the request addressed also to these subjects to provide an identity document seems even more disproportionate and may involve the acquisition of personal data that are not already available to the owner and are therefore not necessary.

In conclusion, the Company's responses revealed an uncertain and contradictory picture in the description of the technical and organisational measures adopted to identify the parties concerned in a reasonable manner, representative of an insufficient evaluation of the different interests at stake.

The initial request for a copy of the identity document for all parties, both customers and non-customers, and for any type of request, as stated, was subsequently revised, providing for an immediate response to the exercise of revocation of consent; it is not clear, however, what is the need, once the interested party's request has been accepted, to request in any case, albeit at a later stage, the sending of the identity document.
2.2.3. Undetected instances of errors or problems in receiving paper or electronic mail

In a remaining number of cases Wind Tre justified the failure to respond to the requests sent by the parties concerned by suggesting the recording of episodes in which correspondence was lost or not received by the correct recipients due to errors or problems of reception.

These events should be evaluated in the light of the observations made so far regarding the suitability of the organizational measures taken by the Company.

2.3. Information to interested parties

Referring to the previous point, it should be noted that, prior to the corrective action taken with the introduction of the single brand, the information made available on the websites of Wind and Tre indicated contact details that were not unique and different from the customer service addresses, also communicated by the Company and used more frequently by those concerned. According to the Company, this has led to difficulties and delays in the management of requests.

With regard to compliance with the provisions on transparency, as set forth in art. 12 of the Regulation, it should also be added what emerged from the preliminary investigation activity initiated following a complaint (see file 143394) concerning the exercise of the right of access to traffic data stored for billing control purposes.

In a note dated November 26, 2019, the Company justified the failure to respond to the requests made by the complainant by stating that they had been sent to non-existent addresses and, therefore, since more than six months had elapsed, access to such data was no longer possible. Without prejudice to the specific fact, probably caused by the customer's error, it must however be noted that, as also disputed in the same complaint, the information given to the parties concerned pursuant to art. 13 of the Regulation did not indicate the period of retention of data provided for by art. 123 of the Code. This resulted, in the case in point, in the erroneous reliance on the much longer data retention period indicated by the Company for the execution of the contract (10 years and six months).

The provisions of art. 123, paragraph 4 of the Code must, in fact, be considered with regard to the obligation of the service provider to include, in the information provided pursuant to articles 13 and 14 of the Regulation, also the information regarding the storage of traffic data.

In this context, therefore, one cannot simply oppose the user's lack of knowledge of the rules, since the purpose of the provision violated - art. 123, paragraph 4 - is precisely to balance the information asymmetry towards users.

2.4. Publication and updating of data in telephone directories

The Authority has also received numerous complaints about the publication, never authorised, of personal data in telephone directories, as well as the impossibility of obtaining their cancellation from Wind Tre. In response to specific requests for information, the Company provided the following reasons:

a) the publication was due to material error or misalignment (see files 137276, 128170, 128336, 133645, 146363);

b) the request for cancellation was not promptly accepted due to difficulties in communicating with the client (see files 134918, 142978); in the latter case, reference is made to what has already been made to the adequacy of the organisational measures aimed at ensuring communication with the parties concerned, to which these further cases are added as an example of the prejudicial consequences.

In particular, it should be noted that, in a note dated November 28, 2019, addressed to the Guarantor and the complainant, the Company stated that the latter was published in the lists by the previous operator "therefore the cancellation request had to be forwarded to the Company Italia on Line S.p.A.". In reality, as has been known for some time now (see measures of the Guarantor of July 15, 2004, doc web 1032381 and April 1, 2010, doc web 1711492 on the publication of personal data in public directories), the telephone operator to which it belongs, as data controller, is the only person to whom users must address requests for changes to the publication of data in the directory. It is therefore incomprehensible the reference made by Wind Tre to the need to contact Italia on Line directly. At the same time it should be noted that, despite the assurances provided by the Company in the same note, as of March 16, 2020 the data of the complainant was still present on the site www.paginebianche.it.

With regard to the complaint in file 146363, which also complained about the failure to respond to the request for deletion from the lists, it should be noted that, in a note dated March 12, 2020, the Company stated that "the competent department of the writer promptly manages the request by attempting to activate the cancellation process, which was not successful". However, it was not specified why the cancellation was unsuccessful, nor was it documented whether, contrary to what was complained in the complaint, the request submitted by the client had been responded to. Also in this note, the Company stated that the user had been entered by the previous operator and that the complainant should have turned to Italia on Line.

3. THE OWNER'S DEFENCE

Following the notices of initiation of the procedure for the adoption of corrective and sanctioning measures sent by the Office pursuant to art. 166, paragraph 5, of the Code (note of 13 May 2020 - procedure A and note of 19 December 2019 - procedure B), the contents of which are to be understood herein in full, the Company provided its comments, supplemented by memoranda of 15 June 2020 (procedure A) and 3 February 2020 (procedure B), during the hearing on 25 June 2020 (procedure A) and 25 May 2020 (procedure B), of which the respective minutes were drawn up. The party's defensive considerations must also be reproduced in full here.

In addition to what has been reported in relation to the individual points at issue, Wind Tre has provided the following additional specific elements to justify its conduct.

3.1. Promotional activity not authorised by the parties concerned

With regard to the activities contested in point 2.1., Wind Tre, in particular, referring also to the measures already implemented, stated that all partners and agents have been appointed as data controllers. They were required to comply with the instructions conveyed through communications on the dedicated portal and with specific training activities. In addition, the single-firm agency, consumer, microbusiness and business contracts have been integrated with the recent introduction of a "decalogue" of rules on the protection of personal data (non-compliance with which can be assessed as a prerequisite for contract termination). One of these rules imposed on partners concerns the obligation to present the calling line unencrypted and to communicate to Wind Tre, following a specific procedure, all the numbering used; this declaration is essential to assign the partner a code in the company system.

The Company then recalled the use of the Campaign Management system, already in use and mentioned several times in the answers given to the Authority's requests for information; this system has the function of centralising the implementation of individual promotional campaigns by conveying initial instructions and lists of names to be contacted to the partners and receiving as input any revocations of consent collected during the calls made. In this regard, Wind Tre has made it clear that the lists are mainly provided by the owner, who is also responsible for checks at the Register of Objections, but it is also possible for partners to make use of their own lists: in the latter case, Wind Tre's prior authorization to use the list is required.

In addition, again with regard to the measures taken to ensure greater control of the supply chain, the Company has added that "...requested the partners of the physical channel who intend to use lists of contacts for activities of mere appointment, to give appropriate evidence and request prior authorization, which will in any case be subsequent and possible compared to the sample checks carried out by the Writing Company. The partners of the physical channel were also asked to keep a register of all possible contacts (both successful and unsuccessful) with an indication of the source of the contact and evidence of consent. Said register, upon request, shall be available to the Company, in its capacity as data controller, and shall be produced at the request of the competent Authority. A process has also been set up internally according to which, following the activation of contracts (in outbound mode, physical channel), the entire chain that followed the activation, including therefore the origin of the contact made, is verified by the undersigned company". This register can be filled in from 4 February 2020.

Finally, Wind Tre has adopted an internal procedure to formalise the checks to be carried out following the subscription proposals from customers: among these is a section dedicated to the collection of personal data and consent.

In view of the measures described above which, in the Company's intentions, should make it possible to trace each call back to the partner who made it, the Company has however added that, as it does not have other means of investigation, it is unable to identify individuals who make calls without complying with these measures.

The Company has also added that, as already pointed out in previous discussions with the Guarantor, all agents have received specific instructions and are subject to periodic checks, carried out through answers to questionnaires and, on a sample basis, through on-site checks.

In this regard, the specific defensive considerations that the Company has carried out in relation to "Procedure B" (point 2.1.2.5. above), in relation to which it represented that:

a) the scope of the activities of the company Merlini s.r.l. on behalf of Wind Tre is not telemarketing or teleselling but is represented by the so-called "physical channel", which provides for the promotion of contracts for the sale of telecommunication services and products offered by Wind Tre in a specific geographical area, through a direct interview and therefore without carrying out distance selling activities; the customers to whom this channel is dedicated is the business, mainly consisting of legal entities, for which the regulations on the protection of personal data should not apply;

b) since the activity carried out by Merlini Srl should not have configured telemarketing activities aimed at teleselling, Wind Tre has never provided Merlini s.r.l. with lists of contacts of potential customers, except for customers and former customers who had given specific commercial consent during the signing of the contract and had not revoked it, on which Merlini had to carry out tasks of loyalty; therefore, it cannot be stated that at the call-center inspected was in progress a promotional activity of the telephone services of the company Wind Tre;

c) Wind Tre has on several occasions provided training and awareness raising activities on the protection of personal data, both with reference to the internal corporate population and with reference to its Partners and Agents; as shown by the last extraction requested to the Human Resources department, the training was completed by all Area Managers, District Managers and Channel Managers authorized to control the Business Agencies (including the Agency managed by Mr. Merlini);

d) since the contract concluded by Wind Tre with Merlini Srl did not constitute an agency contract for the performance of telemarketing activities aimed at teleselling and, in any case, should have concerned exclusively the offer of products and services to legal persons, the Company had no suspicions precisely because, according to the contract, they did not detect either teleselling activities or the processing of data of individuals.

With specific regard to the disputed unsuitability of the methods of collecting consent, formulated on the basis of the checks carried out at partner XX (point 2.1.2.4 above), the Company stated that the conduct described does not fall within the company procedures provided for and does not correspond to the instructions given to its dealers also through the competent commercial agents in the territory.

Therefore, "any verbal or written instructions given by the Agent to the sales outlets managed by them and not explicitly mentioned in the official procedures, are to be considered an initiative not attributable to the Company". The same company also added that the systems in charge of printing the contracts have the default consents set to "blank" and that "with regard to the graphs sent by e-mail by the Agent to the point of sale, it should be noted that nothing is said about the procedures for acquiring consents, nor do they appear to be contrary to such procedures". Furthermore, with regard to the ascertained presence of a single consent for the receipt of promotional messages from Wind Tre and third parties, the Company has clarified that this method of collecting consent does not involve the communication of data to third parties but offers the interested party the possibility of receiving promotional messages in which the content conveyed may be for the benefit of Wind Tre or a third party. Therefore, the only purpose of the processing remains the same and the content of the messages that remain conveyed by Wind Tre changes.

With specific regard to the disputed methods of collecting consent through the apps MyWind and My3, (point 2.1.2.3 above), the Company has stated that it has made changes to the same prior to the receipt of the initiation of the procedure by the Guarantor, providing to set the request for consent only during the first configuration of the app. Subsequently, in view of the adoption of the single brand, the two apps mentioned above are no longer available and have been replaced by a single WINDTRE app; this no longer requires the expression of consent, even in the first configuration phase, but simply reports the customer's wishes as recorded and already present in the systems, allowing them to be modified by the same app.

More in general, with regard to the extent of the violations ascertained, the Company has finally observed that "considering that the reports in this measure are about 95 for the years 2018-2019, it should be noted that they represent about 0.026% of the total management carried out by the Company" and therefore the disputed cases, taking into account that the Company has about 32 million customers, can be considered attributable to a margin of physiological error with the exclusion of some specific cases that are considered to be attributable to fraudulent activities of third parties and have already been the subject of specific complaints to the judicial authorities.

3.2. Exercise of rights by the parties concerned

With the note of June 15, 2020, the Company also provided its comments on what is represented in point 2.2. above and, in particular, on the availability of suitable contact channels and the procedures adopted to ensure the exercise of the rights of the parties concerned.

The Company has preliminarily recalled that, with the birth of the single brand, all contact channels have been unified and made known through the new information notice and by sending individual communications to customers; therefore, to date, a P.O. box, the customer service pec and the telephone number 159 are available (and for about one year the previous contact channels will be maintained).

The customer service is duly trained in the protection of personal data, but the Company has ensured that every request received, even to non-dedicated channels, is handled, although it must highlight the difficulties encountered in a complex structure.

With regard to the measures adopted to guarantee the exercise of rights, the Company has preliminarily observed that some cases contested by the Guarantor, which complained about the receipt of promotional contacts even after the withdrawal of consent, were due to the timing of alignment of the systems which, in the years immediately following the company merger, took longer to integrate. However, the Company stated that, to date, "the consent is updated every 15 minutes and at the latest 24 hours after the revocation has been entered into the system".

Finally, with respect to the procedures adopted to ensure the exercise of the right of revocation, the Company reiterated that it originally required the request to be accompanied by an identity document but, as early as the beginning of 2018, this procedure was simplified by executing the revocation request provided it was received from an email address of the customer known to the Company and postponing receipt of the document to a later date.

The choice of this method originated from the fact that, for the activation of each user, the Company was required to acquire a copy of a document and therefore considered it consistent to identify the persons concerned using the same means. In addition, the Company added that the request for identification by document had become necessary in the past as a result of numerous requests for revocation of consent received from third parties in the name and on behalf of various interested parties.

To date, however, she confirms that she has changed the procedure by allowing the request even without the attachment of the document as long as it comes from an email address traceable to the customer.
3.3. Information to interested parties

With reference to what is represented in point 2.3. above, the Company, following the complaint received, has assured that it has already supplemented the information with the specific mention required by Article 123, paragraph 4, of the Code and has in any case noted that the details of the telephone traffic carried out can be consulted independently through the app or the Customer Area.

3.4. Updating the data of the persons concerned in the telephone directories

Finally, with regard to the matters contested in point 2.4 above, the Company has articulated its defence by representing that the cases brought to the attention of the Guarantor represent individual events for which the cancellation process was not successful.

4. LEGAL ASSESSMENTS

With reference to the factual profiles highlighted above, also on the basis of the declarations of the Company for which we are responsible pursuant to art. 168 of the Code, the following assessments are made in relation to the profiles concerning the regulations on the protection of personal data.

4.1. On the methods of collection and withdrawal of consent and opposition to processing for promotional purposes

The conduct described, with particular regard to the settings of the apps and the results of the investigation carried out at dealer XX, highlighted an operating method strongly oriented to encourage the collection of consent for promotional purposes, while opposition procedures made more cumbersome.

While it is true that the Company has stated that it has implemented specific corrective measures, the effectiveness of which will be discussed below, an assessment of the unlawfulness of past conduct is still essential, particularly with regard to the possibility of continuing to use such data for promotional purposes.

It should also be borne in mind that, with specific regard to case XX, the Company did not deem it necessary to intervene at the procedural level, but merely disavowed the incident, qualifying it as an autonomous initiative of the Agent, against which no "recall" activity was however carried out.

It should also be noted that in the same defensive memory, Wind Tre has described in detail the numerous activities carried out to train and control the persons appointed to operate on its behalf, to the point of declaring that it has "no reason to question the legitimacy of the activities carried out by Partner-Agents given the training, awareness and control tools put in place".

Therefore, if the instructions given to the dealer by the commercial agent are the result of an autonomous initiative of the latter, it follows that the training and control measures would have been completely unsuccessful. If, on the other hand, it is more likely that the agent would not have had any personal advantage in requiring the dealer to obtain maximum approval, it must be considered that the interest in encouraging this practice is generally shared at company level. And such interest is easily identifiable in the economic benefit resulting from the conveyance of third party promotional campaigns, made possible thanks to the request, described above, for a single overall consent for promotional purposes. This would also explain the various complaints received over time to the Guarantor with which it was represented, in a similar way, that the contracts had been submitted for signature with the consent boxes already pre-selected, opposing the requests for modification. Cases robbed by the Company as "misunderstandings", which nevertheless left intact the questions regarding the reasons underlying the described behaviour of the various dealers and the related personal interest in forcing the will of the customers. Given the presence of formally correct instructions and systems, the investigations conducted in relation to these claims had not so far made it possible to ascertain these elements. In the case in question, in fact, they emerged only thanks to the acquisition of documentation generated by the company's activities but not subject to specific procedures.

Moreover, contrary to Wind Tre's assertion, the graphs attached to the agent's e-mails are extremely explanatory of the fact that the dealer is required to obtain maximum consent; these, in fact, contain unequivocal references to the percentages of the flags obtained on the processing of personal data, divided according to the consent expressed with the first flag (promotional purposes of Wind Tre and third parties) and with all the other flags, and are even counted among the dealer's quality indicators.

Having said this, it is clear that it is of no importance to underline the correctness of the instructions given and the setting up of the systems, since the will of the person concerned can be easily circumvented if the person who has to collect it is encouraged to do so.

In addition, it should be added that the model of PDA acquired in the deeds had such a small print font size compared to the rest of the text that it is very difficult for the person concerned to verify the consensus expressed. On this last point, Wind Tre did not provide specific comments, but attached a copy of the new pda model (see Annex 7 to the submission of 15 June 2020) in which the same font size is used throughout the text.

Also the described investigations on the functioning of the apps showed a behaviour strongly oriented to circumvent the will of the users. The numerous reports received (all with similar content) suggest that, behind the lack of clarity, there was a preordained rule of consensus gathering to force the will of users. Such treatment, therefore, cannot be considered lawful and the consent collected in the manner described above, before the changes, can not be considered suitable to prove a free and specific manifestation of will of the interested parties.

Furthermore, again with regard to the carrying out of promotional activities in the absence of consent, reference should be made to what is described in point 2.1. with regard to entrusting third parties who, using their own lists, act as data controllers. Although considered a residual activity, the Company made use of these services without, however, ensuring that the contacts made did not prejudice the willingness, specifically expressed by the interested parties towards Wind Tre, not to receive promotional contacts. The acquisition by the partner of a generic consent for promotional activities of third parties cannot be considered, in fact, sufficient to circumvent the desire not to be (no longer) contacted, specifically expressed towards Wind Tre. It is therefore the responsibility of the latter to verify that the parties who have revoked the consent or have expressed a specific refusal are no longer the subject of promotional activity on behalf of Wind Tre. The Company was already required to do so by order no. 313 of 22 May 2018.

At the same time, the observations made with regard to the manner in which the opposition or the right of revocation was accepted must be taken into consideration. In fact, numerous petitions received complained about the receipt of promotional contacts even after expressing a specific refusal to process and, from the preliminary findings, it emerged that the procedures adopted by the Company did not turn out to be suitable for correctly transposing the requests of those concerned or unnecessarily aggravated the presentation of requests by requiring the attachment of an identity document.

In this last regard, without prejudice to the need to adopt, if necessary, measures to identify the persons concerned, we reiterate what has already been observed in point 2.2.2 regarding compliance with the proportionality of such measures to the protected right, since it may be considered sufficient for the exercise of the revocation of consent even to send an email from a recognisable address. Moreover, the request for an identity document is also valid in the case of persons who do not have a contractual relationship with the Company but who, contacted for promotional purposes, wish to oppose their refusal.

Therefore, the described conduct acknowledges the lack of adequate technical and organizational measures to allow the parties concerned to exercise their rights, in violation of art. 24 of the Regulation, with the consequence of unjustifiably aggravating the revocation of consent or opposition to processing for promotional purposes and, in many cases, to frustrate the effects completely.

In addition, the Company has processed the personal data of the reporters in the absence of appropriate consent, in violation of Article 130 of the Code and Articles 6, paragraph 1, letter a) and 7 of the Regulation. Such processing, systematic and not occasional, must also be considered as potentially carried out with regard to a very high number of data subjects (customers and not customers).

At the same time, the described conduct acknowledges the lack of adequate technical and organizational measures, in violation of art. 24 of the Regulation, with particular regard to the inability to effectively control the chain of partners who carry out promotional activities to its advantage.

In addition, the manner in which consent is obtained at the time the contract is signed with the dealers constitutes a total lack of fairness and transparency towards the parties concerned, in violation of Article 5, paragraph 1, letter a) of the Regulation, highlighting conduct that is not only negligent but deliberately designed to circumvent the rules protecting the freedom of expression of the will of the parties concerned. In this regard, art. 25, par. 1 of the Regulation must also be considered violated, with regard to the definition of the procedures imposed on dealers, through strong incentive mechanisms, for the acquisition of consent. And, again, this conduct, as well as the entire method of managing consents, must be assessed in light of the considerable economic benefit to the Company of acquiring the largest number of consents for promotional purposes since, having prepared the box with the request for a single consent for itself and third parties, it has every interest in expanding the pool of subjects to whom promotional messages should be conveyed.

Finally, with specific reference to the results of "Procedure B", it must be considered that the entire system of the Regulation is based on the accountability of the data controller. The latter, due to the fact that the personal data of the persons contacted who have adhered to the promotional offers are destined to be included in the company's databases, should adopt measures of particular guarantee in order to prove that the contracts and activations recorded in their systems originate from contacts made in full compliance with the provisions on the protection of personal data, in particular those set out in Articles 5, 6 and 7 of the Regulation relating to consent.

From this point of view, even the implementation of strict procedures governing telemarketing and teleselling activities cannot constitute a valid barrier to the widespread practices of undue contact by users of telephone services if they are not accompanied by equally strict procedures for monitoring contracts and activations, to be perfected only if the legitimacy of the processing is proven from the first contact.

In the case in question, even the measures recently implemented, such as the adoption of the register of contacts, when they do not allow an automatic and selective link between activities of promotion of offers and procedures for activation of services, are not suitable to prevent that contacts made through the processing of illegal data are then perfected contracts and activations, feeding that "undergrowth" of abusive dealers who act, as ascertained, as well as in disregard of relevant provisions on employment and social security, also in violation of the provisions on the protection of personal data indicated in articles. 5, paragraphs 1 and 2, 6 and 7 of the Regulation and 1, paragraph 11, of Law no. 5/2018, in relation to paragraph 12 below and art. 130, paragraph 3, of the Code. The data controller must also be held liable for these latter violations due to the weakness of the above mentioned control procedures.

Moreover, again with specific reference to procedure B, it must be pointed out that the consideration that the above mentioned processing operations were addressed to the business area and therefore, for the most part, to legal persons, given that Article 130, paragraphs 3 and 3-bis, of the Code also extends to these subjects the provisions on consent and opposition to processing provided for natural persons.

Having ascertained the unlawfulness of the processing in the terms described above, it is deemed to be unlawful:

- to prohibit Wind Tre, pursuant to art. 58, par. 2, letter f), the processing of personal data for promotional purposes collected through the apps MyWind and My3 before the changes, as well as the personal data of persons whose acquisition and validity of a freely given consent cannot be demonstrated;

- to enjoin the same, pursuant to art. 58, paragraph 2, letter d), to adopt, without prejudice to the corrective measures already introduced, suitable procedures to verify the correctness of the procedures for the acquisition of consent by its sales network and that the subjects who have already expressed opposition to the processing against Wind Tre are not contacted by third parties operating as independent owners;

- to have to adopt an injunction against Wind Tre, pursuant to articles 58, paragraph 2, letter i), of the Regulations, 166, paragraph 7, of the Code and 18 of Law no. 689/1981, for the application of the administrative fines provided for by articles 83, paragraphs 4 and 5, of the Regulations and 166, paragraph 2 of the Code.
4.2.  On the control of the supply chain

The results of the preliminary investigation activity reconstructed above with regard to the numerous promotional contacts complained of which, also in consideration of the number of reports, appear to be assisted by a reasonable presumption of validity, are attributable to a common conduct, the carrying out of promotional contacts in the interest of Wind Tre, for which the Company was not able to provide a legal basis and limited itself to disavowing the authorship of such contacts. Moreover, in the case of text messages, faxes and automated calls, the textual indication of the content proves that the promotional activity was undoubtedly carried out for the benefit of Wind Tre even though the Company itself claims not to have authorised it: it follows that a promotional activity was in fact carried out for the benefit of Wind Tre but, since it is not recognised by the latter, it is in any case carried out in the absence of the necessary control of the supply chain.

Despite the assurances given and all the corrective action taken, there is still a situation in which, despite the preparation of procedures that in some cases are even formally correct, in practice conduct that does not comply with the regulations is carried out by persons who, even where they remain unknown to Wind Tre, operate in the latter's interest.

In this regard, reference is made to the considerations expressed in general terms by the Guarantor with the measure of 15 June 2011 (in www.garanteprivacy.it, web document no. 1821257), according to which persons acting on behalf of the principal, by generating a legitimate expectation in the recipients of communications regarding the effective ownership of the promotional campaign, are qualified as data controllers. And this qualification with regard to the legal relationships between the parties can be considered existing even in the case in which the subject who materially makes the contact, while remaining unknown to the data controller, actually creates a contractual relationship similar to the one in place with the partners contracted directly. Art. 1, paragraph 11, of Law no. 5/2018, has also introduced into our system an express principle of joint and several liability of the data controller for promotional activities entrusted to third party call centers, establishing that "The data controller is jointly and severally liable for violations of the provisions of this law even in the case of entrusting call center activities to third parties for making telephone calls".

Moreover, the Company, in various feedback notes, has represented that the persons carrying out a promotional activity on their own behalf have been appointed as data processors and are "subject to supervision, by means of a questionnaire, reporting a good level of compliance". With regard to the suitability of this control procedure by means of questionnaires, express reference should be made to "procedure B" which has demonstrated the ineffectiveness of instruments based largely on the exchange of correspondence. In this case, there were many elements that should have led Wind Tre to carry out additional checks such as:

a. the origin of the activations not only from the territorial operating area of Merlini s.r.l.;

b. the answers to the verification questionnaires in which the activities carried out by external parties were acknowledged with the use of lists not acquired by Wind Tre and without being able to guarantee compliance with privacy regulations;

c. the absence of any form of communication relating to the work of external collaborators, even in relation to a significant contractual activity that could not reasonably be supported by a company of modest size.

In view of these elements, Wind Tre should have carried out stricter controls on the network of procurers organized by Merlini s.r.l., which should be correctly framed in the context of the processing of personal data, according to the provisions on managers and sub-responsibles provided by Articles 28 and 29 of the Regulation.

As for the training and awareness raising activities regarding the overall change in the legal framework for the protection of personal data, the defensive arguments were contradicted by the statements made by Merlini s.r.l. which represented that "Wind Tre S.p.A. has not carried out courses or conventions on personal data protection for agents, not even in conjunction with the entry into force of EU Regulation 679/2016".

Finally, it must be noted that, as confirmed by Wind Tre during the hearing, the company, following the very serious events relating to Alessandro Corbelli Sunrise s.r.l.s., has addressed to Merlini s.r.l. a simple reminder for a more careful application of the rules and provisions of the agency contract, instead of taking more incisive actions.

The described conduct acknowledges the lack of adequate technical and organizational measures, in violation of Articles 24 and 25 of the Regulation, with particular regard to the inability to effectively control the chain of partners who carry out promotional activities for the benefit of the Company.

Therefore, having ascertained the unlawfulness of the conduct outlined above, it is considered that

to have to prohibit Wind Tre, pursuant to Article 58, paragraph 2, letter f), also in relation to the results of "procedure B", the processing of personal data of persons for whom it cannot demonstrate that they have acquired adequate consent;

to enjoin the same, pursuant to Article 58, paragraph 2, letter d), to take appropriate corrective measures to ensure effective control of the processing chain;

to have to adopt an injunction against Wind Tre, pursuant to art. 58, par. 2, letter i), of the Regulation, 166, paragraph 7, of the Code and 18 of Law no. 689/1981, for the application of the administrative fines provided for by art. 83 of the Regulation. 

4.3. On the information to the interested parties

As described in point 2.2, the information on the company's websites provided non-unambiguous contact data while, in practice, those concerned made greater use of the customer service channels, conveyed by the company itself and indicated as the correct channel also in one of the responses provided to the Guarantor. This approach, confused and plethoric, led to some difficulties and delays in responding to the requests of those concerned. To this must be added the presence of a procedure for identifying the data subject which, as mentioned above, has proved disproportionate with regard to the exercise of revocation of consent and opposition to processing.

It is acknowledged, however, that the Company, with the introduction of the single brand, has modified the information to the interested parties by unifying it in a single information and identifying in the customer service only the point of contact with the interested parties. The same has also simplified the procedure for identifying and responding to requests.

In addition, as described in point 2.3, it was ascertained that the information prepared by the Company did not contain any indication of the terms of retention of traffic data and was only correctly integrated following receipt of the notice of initiation of the procedure.

It must therefore be noted, in any case, that there has been a violation of Article 12, paragraphs 1 and 2 of the Regulations and Article 123, paragraph 4 of the Code with regard to the information published on the website before the change, as well as the excessively onerous procedures for exercising rights.

Having ascertained the unlawfulness of the conduct summarised above, however, having taken note of the corrective measures already implemented, it is not considered necessary to intervene further on this point.

Instead, it is necessary to adopt an injunction against the Company itself, pursuant to Article 58, paragraph 2, letter i), of the Regulation, Article 166, paragraph 7, of the Code and Article 18 of Law no. 689/1981, for the application of the administrative fines provided for by Article 83, paragraphs 4 and 5, of the Regulation and Article 166, paragraph 1 of the Code. 

4.4. On the publication of the data in the list

Based on the requests received by the Guarantor and the feedback from time to time provided by Wind Tre, it is noted that in some cases customer data were found to be present in telephone directories despite the request, sometimes repeated, for cancellation.

This would have happened, according to the Company, by mistake or for communication problems with the applicant. In this context, the suggestion, made by Wind Tre to some complainants, to make a request directly to the directory operator is also inappropriate, since, as is now known, the latter merely publishes what has been communicated by telephone operators and is not able to satisfy users' requests directly. Instead, it is the telephone operators who are responsible for updating the data contained in the single database(1).

Therefore, recalling what is stated in point 2.4, it must be acknowledged the failure to adopt suitable procedures to allow the rectification and deletion of data from public telephone directories, in violation of art. 5, par. 1, letter d) of the Regulation, as well as the publication of personal data in the absence of consent, in violation of art. 6, par. 1, letter a) of the Regulation.

Therefore, having ascertained the unlawfulness of the conduct in the terms just outlined, it is deemed:

to order Wind Tre, pursuant to art. 58, paragraph 2, letter d), to take corrective measures to resolve the repeated misalignment of the systems;

to adopt an injunction order against the Company, pursuant to Article 58(2)(i) of the Regulation, Article 166(7) of the Code and Article 18 of Law no. 689/1981, for the application of the administrative fines provided for in Article 83(5) of the Regulation. 

4.5. Respect for the principles of accountability and privacy by design

In addition to what has already been challenged in detail in the previous points, it is necessary to highlight, also in a more general way, a conduct that has proven to be altogether elusive of the principles of accountability and privacy by design, set forth in Articles 5, paragraph 2, 24, paragraph 1 and 25, paragraph 1 of the Regulation.

In fact, "taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing, as well as the risks having different probability and seriousness for the rights and freedoms of individuals", the Company had suitable tools and sufficient knowledge, also conveyed by the well-established rulings of the Guarantor (also directly addressed to Wind Tre), to assess the risks associated with the processing and to prepare, consequently, adequate technical and organizational procedures.

On the contrary, the preliminary findings showed an overall picture unsuitable for meeting this requirement of adequacy, since the lack of suitable technical and organizational measures was noted several times, in some cases adding the aggravating circumstance of the pre-ordering of the conduct (in cases relating to the collection of consent through apps and by signing the contract with dealers) and also having to note that, on several occasions, the Company was unable to demonstrate compliance with the rules of the treatments put in place and the effectiveness of the measures taken, as required by art. 5, paragraph 2 of the Regulations.

On the other hand, in acknowledging the corrective measures taken, in part already prior to the notification of the initiation of the procedure by the Guarantor, potential solutions to strengthen the guarantees can be glimpsed. This refers in particular to the centralization of promotional activity in the Campaign management system or the provision of a register of contacts to be kept - for the moment only - by the agents of the physical channel. These measures, however, will only be able to develop a potential, which at the moment can be defined as embryonic, when they will be supported with greater contractual consequences for those responsible who do not scrupulously follow these instructions.

For example, the centralized Campaign management system, which has been in use at the Company for some time, has not, however, prevented the occurrence of contacts, brought to the attention of the Guarantor, for which the Company was unable to provide explanations, not to mention the fact that many of these were made using contact channels other than telephone. Such a fervent promotional activity cannot be simply disowned and rubricated as an autonomous initiative of unauthorized persons, since the interest in acting does not seem to be solely of the latter. And this interest, of course, does not disappear as long as this activity, even if unauthorised, is nevertheless remunerated. But even the provision of a register of contacts, which for the moment is addressed only to the agents of the physical channel and not to all the partners, while functional in its intent to go back up the chain, seems weak if left entirely to the arbitrary compilation of the agent. This is also in consideration of the fact that the Company has not at the moment envisaged direct consequences in case of undocumented contact, reserving only the right to use the termination clause in the contract. In other words, despite the feared (but entirely possible) consequences at the contractual level, the activation of a contract is always possible and unlawful conduct is not, therefore, discouraged.

Even the very possibility of immediately accepting the revocation, at the time of the call, although appreciable in the intentions, is in fact unprofitable, being entrusted solely to the intervention of the call centre operator who makes the contact. In fact, in view of the constant complaints received by the Guarantor regarding the annoyance of receiving continuous promotional calls and the protests allegedly made several times by complainants already against the caller, the Company stated that, in the first half of 2020, only 0.3% of the persons contacted requested the revocation of consent during the call (see table attached to the minutes of the hearing of 25 June 2020). Also in this case, similarly to what was observed for the procedures for activating contracts with dealers, it is of little use to have set up a formally correct system if the person in charge who is to use it has an incentive to acquire (or maintain) consent.

Recalling also the investigation conducted in "procedure B", it is evident that the Company had adopted control measures on suppliers and had set up control measures (only) on the activity carried out by the directly contracted partner (Merlini S.r.l.). These measures, however, did not prevent this agent from making use of other parties who, through illegal conduct, procured contracts from which Wind Tre itself benefited economically, despite its alleged unawareness.

Moreover, still in procedure B, it appeared that the measures formally provided for, in particular the monitoring of suppliers by means of questionnaires, had proved to be unnecessary since the replies provided by the partner, although questionable, had not given rise to any consequences or control.

In fact, once the violations and critical issues concerning consent and the correct identification of the chain of responsibility for processing had been ascertained, it was clear that the consolidation of such anomalous conduct was facilitated:

a) the lack of preparation of effective procedures and controls to ensure compliance, by the data controller Merlini s.r.l. and the company Alessandro Corbelli Sunrise s.r.l.s., with the principles indicated in art. 5, par. 1, of the Regulation;

b) the failure to verify that the data entered in its database following the promotional activity carried out by Merlini s.r.l. and Alessandro Corbelli Sunrise s.r.l.s., had been legitimately acquired;

c) the underestimation of the need to ensure the "chain" of processing from the acquisition phase of personal data to carry out marketing campaigns. These circumstances reveal an incomplete assimilation and application, by Wind Tre, of the principle of privacy by design to guarantee the rights of the data subjects.

It is believed, therefore, that the measures described by the Company must be accompanied by greater effectiveness on a practical level in order to be considered sufficient to stem a phenomenon, that of promotional contacts, which generates constant and widespread social alarm as well as encouraging, taking advantage of the tolerance of operators, illegal conduct such as that described in the Merlini case.

In fact, it cannot but be strongly noted that the lack of control of the supply chain involves the Company in a "market of personal data", already the subject of specific information from the Guarantor to the Public Prosecutor's Office at the Court of Rome, where, in addition to the violation of the provisions on the processing of personal information, serious profiles of violation of labor law, tax and probably criminal law emerge, feeding a "undergrowth" that in some cases could also be the object of attention by criminals.

On the basis of the above elements, the violation of Articles 5, par. 2, 24, par. 1 and 25, par. 1 of the Regulation is considered necessary:

to enjoin Wind Tre pursuant to art. 58, paragraph 2, letter d) of the Regulation, to adopt technical and organizational measures to implement effective control over the processing chain in order to prevent illegal practices and promotional contacts with persons who have not given appropriate consent;

adopt an injunction against the Company itself, pursuant to Articles 58, paragraph 2, letter i), of the Regulation, 166, paragraph 7, of the Code and 18 of Law no. 689/1981, for the application of the administrative fines provided for in Articles 83, paragraph 4, letter a) and 83, paragraph 5, of the Regulation. 

With regard to the provisions indicated in this section, it should be noted that in case of non-compliance, the sanction provided for in Article 83(5)(e) of the Regulation shall be applied at administrative level.

With regard to the conduct attributable to Merlini s.r.l. and Alessandro Corbelli Sunrise s.r.l., the Authority will proceed with an autonomous prescriptive and sanctioning procedure.
5. INJUNCTION ORDER FOR THE APPLICATION OF THE FINANCIAL PENALTY

5.1. Methods of collection and withdrawal of consent and opposition to processing for promotional purposes.

The conduct ascertained in point 4.1 includes the following violations: art. 5, par. 1 and 2 of the Regulations; art. 6, par. 1, letter a) and 7 of the Regulations; art. 24 and 25 of the Regulations; art. 130 of the Code.

Therefore, the pecuniary administrative sanction referred to in Articles 83, paragraphs 4 and 5 of the Regulation and 166, paragraph 2 of the Code is considered applicable.

5.2. Control of the supply chain

The conduct ascertained in point 4.2 integrates the violation of art. 24 of the Regulation.

Therefore, the pecuniary administrative sanction set forth in art. 83 of the Regulation is considered applicable.

5.3. Information to the interested parties.

The conduct ascertained in point 4.3 integrates the following violations: art. 12, paragraphs 1 and 2 of the Regulation and art. 123, paragraph 4 of the Code.

Therefore, the pecuniary administrative sanction referred to in Articles 83, paragraphs 4 and 5, of the Regulation and 166, paragraph 1, of the Code is considered applicable.

5.4. Publication of data in the list.

The conduct ascertained in point 4.4 includes the following violations: art. 5, par. 1, letter d) of the Regulation and art. 6, par. 1, letter a) of the Regulation.

Therefore, the pecuniary administrative sanction set forth in art. 83, par. 5 of the Regulation is considered applicable.

5.5. Respect for the principles of accountability and privacy by design.

The conduct ascertained in point 4.5 includes the following violations: articles 5, paragraph 2, 24, paragraph 1 and 25, paragraph 1 of the Regulation.

Therefore, the pecuniary administrative sanction referred to in Articles 83, paragraph 4, letter a) and 83, paragraph 5, letter a) of the Regulation is considered applicable.

5.6. Quantification of the pecuniary administrative sanction.

The violations found in the proceedings described above must be assessed in the light of the fact that the same Company, with regard only to the period following the merger between Wind S.p.A. and H3G S.p.A., was the subject of an injunction and prescriptive measure with regard to similar types of violations (see provision of 22 May 2018, web document no. 8995285), which was followed by an injunction adopted with provision of 29 November 2018 (web document no. 9079005). As a result of these measures, it has implemented certain corrective measures also referred to in this Decision.

However, it has been noted that numerous reports and complaints, received by the Guarantor, have persisted; as a result of the analysis of the overall documentation acquired in deeds, in view of all the elements that have emerged, this Authority - having also assessed the measures already implemented by the Company - deems it necessary to take a wide-ranging action (injunction, prescriptive and punitive), in order to ensure compliance with current legislation of the treatments covered by this measure.

The above mentioned violations ascertained against Wind Tre, in fact, represent proof, on the one hand, of company choices aimed at bending the rules to market requirements; on the other hand, of the alarming context in which the phenomenon of unwanted promotional calls must take place. This phenomenon has been the subject, for over fifteen years, of social alarm on the part of the citizens and of attention on the part of the legislator and the Guarantor. The numerous regulatory interventions connected with the regulation of the sector have been accompanied by constant control activities by the Authority, carried out in a capillary manner with reference to all aspects of the phenomenon, from the relationships between the various parties involved, to the correct acquisition of the lists of interested parties that can be contacted, from the management of telephone directories and the Public Register of Objections, to the use of call centres. The numerous measures adopted in this area have all been published and carefully reported in the media, without this resulting in a significant reduction in the phenomenon, so much so that in April 2019, as mentioned above, the Authority sent a general disclosure to the Public Prosecutor at the Court of Rome to highlight the criminal consequences of telemarketing activities carried out in violation of the provisions governing the protection of personal data.

The Company has raised an exception with regard to the number of cases reported to the Guarantor which, in its opinion, cannot be considered significant in relation to the approximately 32 million users activated, therefore considering that the relative scope should be reduced and framed within a physiological margin of error.

In this respect, however, it should be noted that: (a) for various reasons (character, availability of time, instruments, etc.), the amount of the amount of the service provided cannot be considered significant. b) for obvious reasons of procedural cost-effectiveness, several reports (of the order of about one hundred), having proved to be repetitive or less detailed, were not forwarded by the Authority to the Company; c) even after the formal notification of violations, similar complaints continued to be received from various users.

Finally, beyond the numerical quantification, the findings in terms of content and effects were taken into account. Moreover, as seen, two individual cases (the aforementioned XX and Merlini) were sufficient to bring to light conduct which, due to its characteristics, lack of controls and repressive actions on the part of the Company, can certainly be considered to have a more general scope.

On the basis of the elements set out above, having noted the violations indicated in paragraph 4 of this measure, it is considered necessary to adopt an injunction against Wind Tre, pursuant to Articles 58, paragraph 2, letter i), of the Regulation, 166, paragraph 7, of the Code, and 18 of Law no. 689/1981, for the application of the pecuniary administrative sanction provided for in Article 83, paragraphs 4 and 5, of the Regulation.

In fact, various provisions of the Regulation and the Code in relation to related processing carried out by Wind Tre have been violated, so it is necessary to apply art. 83, par. 3, of the Regulation, according to which, if, in relation to the same processing or related processing, a data controller violates, with intent or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation with consequent application of the sanction provided for in art. 83, par. 5, of the Regulation.

For the purposes of determining the amount of the pecuniary sanction, it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation, which, in the present case, are relevant from the following points of view:

1. the wide scope of the processing, concerning the generality of customers and users of the telephone service and related services, as well as the large number of data subjects involved, including non-customers, who have been recipients of unwanted promotional contacts (art. 83, par. 2, letter a, of the Regulation);

2. the seriousness of the breaches detected, in reason:

a) the illegitimate contacts made in the context of telemarketing and teleselling activities (potentially damaging to various fundamental rights and, in particular, in addition to the right to the protection of personal data, the right to individual peace of mind and the right to confidentiality);

b) data collection procedures, such as those provided for the MyWind and My3 Apps or the one found at the dealer subject to inspection, such as, in fact, to constrain the free expression of the will of the data subjects with regard to the processing of their data and therefore also to undermine the fundamental right to self-determination of the data subjects;

(c) the difficulties encountered by the data subjects in curbing the phenomenon of unwanted marketing, also in view of the inadequate management of the right to object;

d) the multiplicity and variety of the conduct that can be referred to Wind Tre in violation of several provisions of the Regulations and the Code;

e) the serious organizational deficiencies that have been found:

- inadequate implementation of the fundamental principles of data protection from the design stage (privacy by design) and accountability;

- the violation of the fundamental principles of data accuracy with regard to the publication of personal data in telephone directories (art. 83, par. 2, letter a, of the Regulation);

- the creation of a parallel chain of data collection of possible customers in contempt of the legislation on the protection of personal data and other relevant provisions, also probably of a criminal nature, with the feeding of an illegal "undergrowth" potentially suitable to promote forms of crime widespread in the country;

3. the significant duration of the violations, which began at least from 25th May 2018, the date of full operation of the Regulation and not yet fully regulated or still the subject of the complaints received by the Guarantor (Article 83, paragraph 2, letter a, of the Regulation);

4. the malicious nature of the following conduct, with particular regard to their conception and implementation, in relation to the following profiles: the incorrect information provided to the interested parties in the installation procedure of the above mentioned apps and the methods for obtaining the consent of the interested parties who have not freely expressed it; the methods for obtaining consent, not free, by signing pda with dealers (Article 83, paragraph 2, letter b, of the Regulation);

5. the seriously negligent nature of other processing operations, such as: the inadequate implementation of the fundamental principles of privacy by design, privacy by default and accountability, proven by the obvious difficulties in proving ownership of the promotional activities carried out in its interest; the failure to share black lists with marketing service providers operating as independent owners; the inadequate monitoring of the work of its partners despite obvious elements of alarm (Article 83, paragraph 2, letter b, of the Regulation);

6. the existence of a previous measure - adopted by this Authority against Wind Tre - an injunction, prescriptive and punitive, relating to conduct relevant to those covered by this decision (Article 83, paragraph 2, letter e, of the Regulation);

7. the existence of significant current and potential economic advantages deriving from promotional activities, also taking into account that the choice to use a single consent for own and third party promotions entails, if the maximum number of consents is reached, a significant benefit in terms of offering commercial communication services on the market (art. 83, paragraph 2, letter k, of the Regulations);

8. as a partial mitigating factor, the adoption - considered insufficient in any case - of technical and organizational measures to bring the processing under greater control by the owner (Article 83, paragraph 2, letter c, of the Regulation);

9. as a mitigating factor, partially compromised by the answers given at the time regarding the reported procedures for the acquisition by default of all possible consents by the dealers, the cooperation provided during the on-site inspections and during the subsequent course of the investigation, while showing, overall, clear difficulties in reporting to the Authority on the actual processing activities carried out by third parties on their own behalf (Article 83, paragraph 2, letter f, of the Regulation);

10. as a mitigating factor - despite the intrusiveness of the violations found - the type of data used with respect to the total data held by the Company, i.e. identification and contact data (telephone numbers) of the parties involved in marketing activities (Article 83, paragraph 2, letter g, of the Regulation);

11. the economic conditions of the offender, taking into account the value of production with reference to the financial statements for the year 2019 (art. 83, par. 2, letter k, of the Regulation).

Moreover, in application of the principles of effectiveness, proportionality and dissuasiveness with which this Authority must comply when determining the amount of the sanction (art. 83, par. 1, of the Regulation), it is further necessary to take into consideration the following additional elements:

- the wide margin of time granted to all operators in the sector in order to allow them a complete and consistent adaptation of the systems and procedures to the new European legislation, in force since 25 May 2016 and fully operational since 25 May 2018; adaptation that Wind does not appear to have properly completed;

- that the above mentioned provisional activity, with which indications and clarifications have been provided on the subject (see general provisions and Guidelines cited in this measure), and the constant interaction of the Authority with the parties operating in the telemarketing sector can reasonably lead all operators to believe that a sufficient awareness of the provisions that must be unfailingly observed has been achieved;

- the inadequate dissuasiveness of the sanctions contested to date to Wind Tre, also taking into account the fact that the phenomenon of unwanted calls in the telemarketing sector has been the subject of constant and punctual attention by the legislator (see, lastly, Law no. 5/2018) and the Guarantor, as well as complaints from users;

- the current persistence of reports and complaints, received by the Authority after the date of the investigations carried out at the Company until today, similar to those covered by this measure.

However, from an overall viewpoint of the necessary balance between the rights of the parties concerned and the freedom to conduct a business, and as the first application of the administrative pecuniary sanctions provided for by the Regulation, it is necessary to prudently assess the above various criteria, also in order to limit the economic impact of the sanction on the organisational, functional and employment needs of the Company.

Therefore, it is considered that - on the basis of all the elements indicated above and taking particular account - also with respect to similar checks carried out on other operators - of the seriousness and effects of the conduct found following the inspections, with respect to the maximum fine (€ 209,120,000.00, equal to 4% of Wind Tre SpA's turnover, or € 5,228,000,000.00) - the administrative sanction of payment of a sum of € 16,729,600, equal to 8% of the aforementioned maximum fine should be applied to the same Company.

In this context, it is also considered - also in consideration of the invasiveness of the contested unlawful processing with respect to the fundamental rights of the parties concerned; the high number of the same, even potentially, involved; the misalignments detected in the Company's information systems; the inadequate control of the same with respect to its partners and, finally, the scarce dissuasiveness of the measures adopted so far by the Guarantor with respect to the Company itself - that, in accordance with Article. 166, paragraph 7, of the Code, and Article 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, this measure must be published on the website of the Guarantor, as an accessory sanction.

Finally, it is believed that the conditions set out in Article 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met;

HAVING SAID ALL THIS, THE GUARANTOR

the unlawfulness of the processing of personal data, in the terms set out in the above statement, carried out by Wind Tre S.p.A., with registered office in largo Metropolitana, 5, Rho (MI), C.F. 02517580920:

a) pursuant to art. 58, par. 2, letter f) of the Regulation, provides for the immediate prohibition of processing:

i) of personal data relating to subjects for whom consent has been given through the MyWind and My3 apps;

ii) for marketing purposes, personal data relating to subjects for whom it is not possible to document the collection of an appropriate consent;

b) pursuant to art. 58, par. 2, letter d), of the Regulations, enjoins the same Company, within 180 days of receipt of this receipt, to

i) adopt suitable procedures to ensure that persons who have expressed an objection to the processing of their data to Wind Tre are not contacted by third parties who operate as independent owners;

ii) adopt suitable technical and organizational measures to carry out effective control over the processing chain in order to prevent promotional contacts with persons who have not given appropriate consent and to be able to document the contacts made;

(iii) take appropriate corrective measures to resolve system misalignments in order to prevent the unauthorised publication of personal data in public telephone directories;

c) pursuant to art. 157 of the Code, requires Wind Tre S.p.A. to communicate, within 30 days of receipt of this measure, what initiatives have been taken or intend to take in order to implement what is prescribed herein and to provide adequately documented feedback; failure to do so may result in the application of the administrative fine provided for in art. 83, paragraph 5, of the Regulations;

ORDER

pursuant to art. 58, par. 2, letter i) of the Regulations, to the aforementioned Wind Tre S.p.A., in the person of its legal representative, to pay the sum of Euro 16,729,600 (sixteen million seven hundred and twenty-nine thousand six hundred) as an administrative fine for the violations indicated in the statement of reasons; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by payment, within 30 days, of an amount equal to half of the penalty imposed;

INGIUNGE

the aforesaid Company, in the event of failure to settle the dispute pursuant to Article 166, paragraph 8, of the Code, to pay the sum of Euro 16,729,600 (sixteen million, seventeen hundred and twenty-nine thousand six hundred), according to the methods indicated in the attachment, within 30 days of notification of this measure, under penalty of the adoption of the consequent executive acts pursuant to Article 27 of Law no. 689/1981;

AVAILABLE

pursuant to art. 166, paragraph 7, of the Code, the publication of this measure in its entirety on the website of the Guarantor and it is considered that the requirements of art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

It should be noted that pursuant to art. 170 of the Code, anyone who, being required to do so, fails to comply with this prohibition of processing shall be punished by imprisonment from three months to two years and that, in the event of non-compliance with the same provision, the sanction referred to in art. 83, paragraph 5, letter e) of the Regulation shall also be applied administratively; moreover, failure to comply with the injunction issued shall be sanctioned administratively pursuant to art. 83, paragraph 5, letter e) of the Regulation.

Pursuant to Article 78 of Regulation (EU) 2016/679, as well as Articles 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, opposition to this measure may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller resides, or, alternatively, with the court of the place of residence of the data subject, within thirty days from the date of communication of the measure itself, or sixty days if the claimant resides abroad.

Rome, 9 July 2020

THE PRESIDENT
Soro

THE REPORTER
Soro

THE SECRETARY GENERAL
Busia