Garante per la protezione dei dati personali - 9435753
|Garante per la protezione dei dati personali - 9435753|
|Authority:||Garante per la protezione dei dati personali (Italy)|
|Relevant Law:||Article 5(1) GDPR|
Article 5(2) GDPR
Article 6(1)(a) GDPR
Article 7 GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 24 GDPR
Article 25 GDPR
Article 58(2)(f) GDPR
Article 58(2)(d) GDPR
Article 58(2)(i) GDPR
Article 83(2) GDPR
Article 83(4)(a) GDPR
Article 83(5) GDPR
Article 83(5)(a) GDPR
Article 130 Codice Privacy
|Parties:||Wind Tre SpA|
|National Case Number/Name:||9435753|
|European Case Law Identifier:||n/a|
|Original Source:||Garante (in IT)|
The telephone operators Wind were fined 16729600 EUR by the Garante (Italian DPA) for several incidents of unlawful collection, processing and unauthorised marketing communications to customers. The Garante also prohibited Wind from carrying out any further processing of the data they had acquired without consent.
English Summary[edit | edit source]
Facts[edit | edit source]
The Italian DPA (Garante) received complaints from Wind and non-Wind users about unsolicited marketing communications made without their consent via texting, emails, faxes, and automated phone calls. In several complaints, the complainants noted that they were unable to withdraw their consent or object to the processing of their data for marketing purposes, in part due to inaccurate contact information in Wind's privacy policies. Other complainants' personal data had been included in public phone directories despite objections being made by those complainants.
The investigation by the Garante also found that the MyWind and My3 apps had been "configured in such a way as to require the user to consent, on each access, to processing for various purposes including marketing, profiling, communication of data to third parties, data enrichment and geolocation; withdrawal of such consent was allowed after 24 hours." The investigation also uncovered a number of infringmenets affecting Wind Tre's business partners, including a fine of eur 200000 against a business partner who had subcontracted without a legal instrument whole sets of processing activities to call centres, who collected data on behalf of the business partner
Dispute[edit | edit source]
Was the collection of the personal data by Wind a breach of Articles 5, 6 and 24 GDPR?
Was the processing by Wind in violation of Articles 5 and 6 GDPR?
Was the information provided by Wind to the users in breach of Articles 12 and 13 GDPR?
Holding[edit | edit source]
The Garante held that Wind had violated the following articles of the GDPR: Articles 5(1), 5(2), 6(1)(a), 7, 12(1), 12(2), 24 and 25. It subsequently fined Wind 16729600 EUR, prohibited any further processing and ordered Wind to bring their processing practices in line with the GDPR.
Regarding the size of the fine, the Garante found it was proportionate on the basis of the duration of the infringements, both the wilful and negligent violations of the GDPR committed by Wind, and the number of people affected by the breach. To quantify the former, the Garante based its assessment not on the number of complainants, but on the number of people in Wind's client base. The Garante also noted that previous sanctions against the telemarketing sector had not been sufficiently dissuasive.
Key excerpts from the Garante's decision include the following:
"... [T]he Company's responses revealed an uncertain and contradictory picture in the description of the technical and organizational measures taken to identify the parties concerned in a reasonable manner, representative of an insufficient assessment of the different interests at stake."
"pursuant to art. 58, paragraph 2, letter d), to adopt, without prejudice to the corrective measures already introduced, suitable procedures to verify the correctness of the procedures for the acquisition of consent by its sales network and that persons who have already expressed opposition to the treatment against Wind Tre are not contacted by third parties who operate as independent owners."
"The preliminary findings showed an overall picture unsuitable for satisfying this requirement of adequacy, since the lack of suitable technical and organisational measures was noted several times, in some cases adding the aggravating circumstance of pre-ordering the conduct (in cases relating to the collection of consent through apps and by signing the contract with dealers) and also having to note that, on several occasions, the Company has not been able to demonstrate compliance with the rules of the treatments put in place and the effectiveness of the measures taken, as required by Article 5, paragraph 2 of the Regulation."
"In fact, it cannot but be strongly noted that the lack of control of the supply chain involves the Company in a "market of personal data", already the subject of specific information from the Guarantor to the Public Prosecutor's Office at the Court of Rome, in which, in addition to the violation of the provisions concerning the processing of personal information, serious profiles of violation of labour law, tax law and probably criminal law emerge, fuelling an "undergrowth" which in some cases could also be the object of attention by criminals."
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.