Garante per la protezione dei dati personali - 9435753
Authority: Garante per la protezione dei dati personali (Italy)
Relevant Law: Article 5(1) GDPR, Article 5(2) GDPR, Article 6(1)(a) GDPR, Article 7 GDPR, Article 12(1) GDPR, Article 12(2) GDPR, Article 24 GDPR, Article 25 GDPR, Article 58(2)(f) GDPR, Article 58(2)(d) GDPR, Article 58(2)(i) GDPR, Article 83(2) GDPR, Article 83(4)(a) GDPR, Article 83(5) GDPR, Article 83(5)(a) GDPR, Article 130 Codice Privacy
Parties: Wind Tre SpA
National Case Number/Name: 9435753
European Case Law Identifier: n/a
Original Source: Garante (in IT)
The telephone operator Wind Tre was fined 16,729,600 EUR by the Garante (Italian DPA) for several incidents of unlawful collection, processing and unauthorised marketing communications to customers. The Garante also prohibited Wind Tre from carrying out any further processing of the data they had acquired without consent.
English Summary
Facts
The Italian DPA (Garante) received complaints from Wind Tre and non-Wind Tre users about unsolicited marketing communications made without their consent via texting, emails, faxes, and automated phone calls. In several complaints, the complainants noted that they were unable to withdraw their consent or object to the processing of their data for marketing purposes, in part due to inaccurate contact information in Wind Tre's privacy policies. Other complainants' personal data had been included in public phone directories despite objections being made by those complainants.
The investigation by the Garante also found that the MyWind and My3 apps had been "configured in such a way as to require the user to consent, on each access, to processing for various purposes including marketing, profiling, communication of data to third parties, data enrichment and geolocation; withdrawal of such consent was allowed after 24 hours." The investigation also uncovered a number of infringements affecting Wind Tre's business partners, including a fine of EUR 200,000 against a business partner who, without a legal instrument, had subcontracted whole sets of processing activities to call centres that collected data on the business partner's behalf.
An interesting finding of the DPA’s investigation concerned practices for the identification of data subjects. In many cases, the company stated that it did not act on data subjects’ requests to withdraw consent if these did not come with a copy of an ID. The Garante clarified that while Article 12(6) GDPR does allow controllers to request further information, this is possible “only if they have reasonable doubts about the identity of the person making the request”. Moreover, Recital 64 GDPR requires the measures adopted to identify data subjects to be “reasonable”. This aims, according to the Garante, at discouraging “excessive requests aimed at discouraging the exercise of rights, but also to avoid the collection and retention of unnecessary data.” Utmost importance must here be given to the principles of proportionality, necessity and adequacy. In the specific context of data processing for commercial purposes, the illegitimate exercise of the right to withdraw consent by a third party poses, according to the Garante, an almost insignificant risk to the legal sphere of the data subject, so that the collection and processing of ID copies cannot be considered reasonable. This is even more so in cases where the person trying to withdraw her consent is not a customer of Wind Tre. In such cases, the request “appears even more disproportionate and may involve the acquisition of personal data that are not already available to the owner and are therefore not necessary.”
Dispute
Was the collection of the personal data by Wind Tre a breach of Articles 5, 6 and 24 GDPR?
Was the processing by Wind Tre in violation of Articles 5 and 6 GDPR?
Was the information provided by Wind Tre to the users in breach of Articles 12 and 13 GDPR?
Holding
The main violations of the GDPR and of the Italian Privacy Code observed by the Garante were due to the following behaviours:
• The lack of transparency towards data subjects concerning the information provided to them, including information regarding the company’s communications channels;
• Consent collection contrary to data protection regulation, as well as various issues related to the exercise of data subjects’ rights;
• Serious shortcomings in the management and control of Wind Tre's supply chain, including the absence of compliance audits.
More specifically, the Garante held that Wind Tre had violated the following articles of the GDPR: Articles 5(1), 5(2), 6(1)(a), 7, 12(1), 12(2), 24 and 25. It subsequently fined Wind Tre 16,729,600 EUR, prohibited any further processing and ordered the company to bring their processing practices in line with the GDPR.
The Italian DPA found that Wind Tre's operating methods incentivised sellers to collect ‘as much consent as possible’ from data subjects, while impairing their ability to object to processing of data for promotional purposes. According to the Garante, the numerous complaints received suggest that, behind the lack of clarity, there was an intention to force the will of the users towards consenting to the processing of personal data for commercial purposes. This conduct was “not only negligent, but deliberately designed to circumvent the rules set out to protect the freedom of expression of the will of data subjects.” As a result, the Authority found a lack of appropriate technical and organisational measures to enable interested parties to exercise their rights, with the consequence that the revocation of consent or the objection to data processing was unjustifiably hindered. As regards the management of consents by sellers in physical shops, the DPA considered several further elements negative: the instructions given to staff to gather as many consents as possible, the presence of a single button in the management system to tick all consent boxes at once, the small print used to inform about consent collection and, in some cases, the bundling of consents.
Concerning the control of the supply chain, the Garante held that the very fact that subcontractors were conducting promotional campaigns in the interest of Wind Tre, while the company disowned such activities, was a sign that marketing communications were carried out without the necessary control of the supply chain, which is necessary, according to the Italian DPA, even when subcontractors are considered independent data controllers. Moreover, discrepancies in the communications from contractors concerning the source of contact data should have made the company aware of the illicit practices. Such conduct showed a lack of adequate technical and organisational measures, in this case “with particular regard to the inability to effectively control the chain of partners who carry out promotional activities for the benefit of the Company.” Controls across the procurement network should have been stricter, and the relationship among Wind Tre, its contractors and sub-contractors should have been framed in the context of the processing of personal data, as per Articles 28 and 29 GDPR.
Taking into account all these elements, Wind Tre’s conduct, according to the Italian DPA, generally evaded the principles of accountability and privacy by design. In fact, "taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purpose of the processing, as well as the risks having different probability and seriousness for the rights and freedoms of individuals", the company had sufficient tools and knowledge to assess the risks associated with the data processing and, consequently, to prepare adequate technical and organisational procedures. This was particularly due to well-established decisions of the Garante, some of which were even addressed directly to Wind Tre.
Regarding the size of the fine, the Garante found it was proportionate on the basis of the duration of the infringements, both the wilful and negligent violations of the GDPR committed by Wind Tre, and the number of people affected by the breach. To quantify the number of people affected, the Garante based its assessment not on the number of complainants, but on the number of people in Wind Tre's client base. The Garante also noted that previous sanctions against the telemarketing sector had not been sufficiently dissuasive.
Key excerpts from the Garante's decision include the following:
"... [T]he Company's responses revealed an uncertain and contradictory picture in the description of the technical and organizational measures taken to identify the parties concerned in a reasonable manner, representative of an insufficient assessment of the different interests at stake."
"pursuant to art. 58, paragraph 2, letter d), to adopt, without prejudice to the corrective measures already introduced, suitable procedures to verify the correctness of the procedures for the acquisition of consent by its sales network and that persons who have already expressed opposition to the treatment against Wind Tre are not contacted by third parties who operate as independent owners."
"The preliminary findings showed an overall picture unsuitable for satisfying this requirement of adequacy, since the lack of suitable technical and organisational measures was noted several times, in some cases adding the aggravating circumstance of pre-ordering the conduct (in cases relating to the collection of consent through apps and by signing the contract with dealers) and also having to note that, on several occasions, the Company has not been able to demonstrate compliance with the rules of the treatments put in place and the effectiveness of the measures taken, as required by Article 5, paragraph 2 of the Regulation."
"In fact, it cannot but be strongly noted that the lack of control of the supply chain involves the Company in a "market of personal data", already the subject of specific information from the Guarantor to the Public Prosecutor's Office at the Court of Rome, in which, in addition to the violation of the provisions concerning the processing of personal information, serious profiles of violation of labour law, tax law and probably criminal law emerge, fuelling an "undergrowth" which in some cases could also be the object of attention by criminals."
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.