Garante per la protezione dei dati personali (Italy) - 9435753: Difference between revisions

Garante per la protezione dei dati personali - 9435753
Authority:	Garante per la protezione dei dati personali (Italy)
Jurisdiction:	Italy
Relevant Law:	Article 5(1) GDPR Article 5(2) GDPR Article 6(1)(a) GDPR Article 7 GDPR Article 12(1) GDPR Article 12(2) GDPR Article 24 GDPR Article 25 GDPR Article 58(2)(f) GDPR Article 58(2)(d) GDPR Article 58(2)(i) GDPR Article 83(2) GDPR Article 83(4)(a) GDPR Article 83(5) GDPR Article 83(5)(a) GDPR Article 130 Codice Privacy
Type:	Complaint
Outcome:	Upheld
Started:
Decided:	09.07.2020
Published:	13.07.2020
Fine:	16729600 EUR
Parties:	Wind Tre SpA
National Case Number/Name:	9435753
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Italian
Original Source:	Garante (in IT)
Initial Contributor:	n/a

The telephone operators Wind were fined 16729600 EUR by the Garante (Italian DPA) for several incidents of unlawful collection, processing and unauthorised marketing communications to customers. The Garante also prohibited Wind from carrying out any further processing of the data they had acquired without consent.

English Summary

Facts

The Italian DPA (Garante) received complaints from Wind and non-Wind users about unsolicited marketing communications made without their consent via texting, emails, faxes, and automated phone calls. In several complaints, the complainants noted that they were unable to withdraw their consent or object to the processing of their data for marketing purposes, in part due to inaccurate contact information in Wind's privacy policies. Other complainants' personal data had been included in public phone directories despite objections being made by those complainants.

The investigation by the Garante also found that the MyWind and My3 apps had been "configured in such a way as to require the user to consent, on each access, to processing for various purposes including marketing, profiling, communication of data to third parties, data enrichment and geolocation; withdrawal of such consent was allowed after 24 hours." The investigation also uncovered a number of infringmenets affecting Wind Tre's business partners, including a fine of eur 200000 against a business partner who had subcontracted without a legal instrument whole sets of processing activities to call centres, who collected data on behalf of the business partner

Dispute

Was the collection of the personal data by Wind a breach of Articles 5, 6 and 24 GDPR?

Was the processing by Wind in violation of Articles 5 and 6 GDPR?

Was the information provided by Wind to the users in breach of Articles 12 and 13 GDPR?

Holding

The Garante held that Wind had violated the following articles of the GDPR: Articles 5(1), 5(2), 6(1)(a), 7, 12(1), 12(2), 24 and 25. It subsequently fined Wind 16729600 EUR, prohibited any further processing and ordered Wind to bring their processing practices in line with the GDPR.

Regarding the size of the fine, the Garante found it was proportionate on the basis of the duration of the infringements, both the wilful and negligent violations of the GDPR committed by Wind, and the number of people affected by the breach. To quantify the former, the Garante based its assessment not on the number of complainants, but on the number of people in Wind's client base. The Garante also noted that previous sanctions against the telemarketing sector had not been sufficiently dissuasive.

Key excerpts from the Garante's decision include the following:

"... [T]he Company's responses revealed an uncertain and contradictory picture in the description of the technical and organizational measures taken to identify the parties concerned in a reasonable manner, representative of an insufficient assessment of the different interests at stake."

"pursuant to art. 58, paragraph 2, letter d), to adopt, without prejudice to the corrective measures already introduced, suitable procedures to verify the correctness of the procedures for the acquisition of consent by its sales network and that persons who have already expressed opposition to the treatment against Wind Tre are not contacted by third parties who operate as independent owners."

"The preliminary findings showed an overall picture unsuitable for satisfying this requirement of adequacy, since the lack of suitable technical and organisational measures was noted several times, in some cases adding the aggravating circumstance of pre-ordering the conduct (in cases relating to the collection of consent through apps and by signing the contract with dealers) and also having to note that, on several occasions, the Company has not been able to demonstrate compliance with the rules of the treatments put in place and the effectiveness of the measures taken, as required by Article 5, paragraph 2 of the Regulation."

"In fact, it cannot but be strongly noted that the lack of control of the supply chain involves the Company in a "market of personal data", already the subject of specific information from the Guarantor to the Public Prosecutor's Office at the Court of Rome, in which, in addition to the violation of the provisions concerning the processing of personal information, serious profiles of violation of labour law, tax law and probably criminal law emerge, fuelling an "undergrowth" which in some cases could also be the object of attention by criminals."

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[Web doc. 9435753]

Order injunction against Wind Tre S.p.A. - 9 July 2020

Register of measures
No 143 of 9 July 2020

DATA PROTECTION SUPERVISOR

At today's meeting, in the presence of Dr. Antonello Soro, President, Dr. Giovanna Bianchi Clerici and Prof. Licia Califano, members, and Dr. Giuseppe Busia, Secretary General;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "the Regulation");

HAVING REGARD to the Personal Data Protection Code (Legislative Decree no. 196 of 30 June 2003), as amended by Legislative Decree no. 101 of 10 August 2018, laying down provisions for the adaptation of national legislation to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the complaints and reports received by the Guarantor, with regard to various personal data processing operations carried out by Wind Tre S.p.A. (hereinafter also referred to as: "Wind Tre" or "the Company");

HAVING REGARD to the results of the inspections carried out against Wind Tre and some of its business partners;

HAVING REGARD to the documentation in deeds;

HAVING REGARD to the observations made by the Secretary General pursuant to Article 15 of the Garante Regulation No. 1/2000;

REPORTER Dr. Antonello Soro;

PRESS RELEASE

1. THE INVESTIGATIVE ACTIVITY CARRIED OUT

A number of reports and complaints have brought to the Authority's attention various personal data processing operations carried out by Wind Tre, mainly (but not exclusively) related to promotional activities.

Considering that the Company has already received an injunction and prescriptive order for similar processing carried out under the previous regulatory framework (see provision no. 313 of 22 May 2018, in www.garanteprivacy.it, web doc. no. 8995285), the investigation conducted took into consideration only those requests received after 25 May 2018, which were subject to a cumulative investigation pursuant to art. 10, paragraph 4, of the internal regulations of the Guarantor no. 1/2019 (web doc. no. 9107633). This first investigative activity will also be indicated in the course of this measure as "procedure A".

With different proceedings (see files 139150, 139507, 139505, 140416, 141133), other aspects of the activity of the owner were then taken into consideration, connected to reports received by the Authority which informed of promotional activities, carried out for it by the chain of sub-agents of an accredited supplier, contacting the clients of another telephone operator whose personal data were acquired with illegitimate modalities.

This second procedure will also be referred to below as "procedure B".

As a result of these activities, a number of violations of data protection rules have emerged.

2. RESULTS OF THE INVESTIGATION

The investigations conducted involved the examination of over 100 files, in addition to carrying out inspections at Wind Tre itself, at some partners and at another telephone operator. It is also necessary to consider the topicality of the conduct or, in any case, its effects, given the requests, of similar content, received by the Authority even after the formal complaint sent to the Company on 13 May 2020, to be considered herein in full and to which reference should be made for any details.

2.1. Promotional activity by sms, e-mail, fax, telephone calls and automated calls

During the period under review, as mentioned above, the Guarantor received numerous complaints and reports relating to the receipt of unwanted promotional contacts made by telephone, sms, e-mail, fax or automated calls. In many cases the receipt of contacts has been complained about even after the withdrawal of consent or the exercise of the right of opposition.

In response to specific requests for information, the Company,

1. in some cases, has documented the acquisition of a specific consent by showing the contracts (purchase proposals - pda) signed by the parties concerned;

2. in other cases, it has documented the acquisition of consent which, in the light of the investigations carried out, proved to be unsuitable;

3. in the remaining cases it was unable to document the acquisition of consent.

2.1.1. Contacts made without consent

The Company, in some of the findings provided, stated that the contact was made by mistake (see files 128119, 127661, 130539, 123638,134545, 142932, 121112); in other cases, that the withdrawal had not been promptly implemented due to problems related to the management of correspondence or identification of the person concerned, which will be discussed more fully later (see files 141011, 134392, 130266, 130344, 145996, 124985, 134434, 133063, 133372, 134997, 128000, 128805, 130356, 129952, 127784).

2.1.2. Contacts made on the basis of a consent to be considered inappropriate

In other cases, the Company responded to specific requests for information by documenting the acquisition of a consensus which, in light of the assessments made, proved to be unsuitable.

2.1.2.1.  Consent dating back to and not in compliance with the new regulatory framework introduced by the Regulation

In particular, in three cases (see files 133088, 134927, 131464), consent was documented by attaching the contracts signed by clients. These, however, dating back to the years 1998/99, are no longer suitable with respect to the current regulatory framework because they do not allow to document a free, specific and informed will of the person concerned since only one consent is required for different processing purposes (promotional activities of the owner, third parties, evaluation of customer satisfaction, credit protection); in this regard, reference is made to articles. Articles 4(11) and 7 and the content of recital 171 of the Regulation, according to which 'where the processing is based on consent in accordance with Directive 95/46/EC, it is not necessary for the data subject to give his consent again, if it has been expressed in a manner that complies with the conditions of this Regulation, in order for the data controller to continue the processing in question after the date of application of this Regulation'. Therefore, it is up to the data controller to assess whether the consents already acquired are still to be considered in compliance with the rules in force; among these, we would also like to mention the regulatory changes occurred after 1999 aimed at regulating, with special provisions, the processing carried out within the electronic communication services (art. 130 of the Code and provisions on the Register of Objections) to be considered now known to all operators in the sector, also in the light of the numerous rulings of the Guarantor.

2.1.2.2.  Consent acquired directly from commercial partners

In one case (see file 130729), the receipt of an unwanted text message was justified on the grounds that it was sent directly by XX Srl, without using lists from Wind Tre, on the basis of an independently acquired consent for the promotion of third party services (which was not shown together with the reply).

In this regard, it should be noted that the Company, with attachment 1 to the note of July 15, 2019, provided a copy of a communication sent to its business partners to remind them to comply with current marketing regulations. Among the provisions contained in this communication is that indicated in point I), where the Company requests "to verify that, in the event of promotional activities for our offers being carried out, only the numbers agreed for the commercial contacts of which Wind Tre is the owner or legitimately authorized are contacted".
2.1.2.3. Consent acquired through MyWind and My3 apps.

In other cases, the Company has documented the consent by providing the screenshot of the internal information system from which consent is given through "interactive channels" or "SelfcareAppAndroid".

An examination of the attached documentation shows that the consent was provided by those concerned by accessing their personal area via the MyWind or My3 app.

In particular, in three cases (see files 134496, 138094 and 140940) the consent, originally not present, was acquired following a computer record described as a "variation", which, according to what was subsequently illustrated by the Company, would indicate the fact that the person concerned, operating directly through the Selfcare channels (of which the apps are an instrument), would have requested a change in the status of the consents, giving them where they were not present. In two of them (files 134496 and 138094) this change was made in December 2018, the date on which an amendment to the app was implemented. Moreover, under two circumstances (files 138094 and 140940), this change was made at the same time for all the types of processing listed on the app's home page (marketing, profiling, data enrichment, geolocation, transfer to third parties). In this last regard, one of the complainants (see file 138094), in response to Wind Tre's reply, reiterated its doubts regarding the consents given, pointing out that it had no idea, for some processing operations, even of the meaning of what was reported (e.g. for "data enrichment") and also noted that it would have no reason to provide the operator with all the consents at a time when, due to the numerous inefficiencies, it was no longer satisfied with the service provided.

In this regard, it is noted that the operation of the MyWind and My3 apps, which are responsible for managing the user profile connected to the telephone service, has been brought to the attention of the Guarantor with a number of other reports and complaints (files 116325, 133895, 133630, 132819, 132840, 132535, 134089, 135405). All the requests received complained, in a similar way and with the attachment of the relevant screenshots, that the apps in question obliged the user to provide, at each new access, a series of consents for different processing purposes (marketing, profiling, communication to third parties, enrichment and geolocalization) and then allow them to be revoked after 24 hours.

In a note dated 17 April 2019, the Company, in declaring that it had made some changes to the apps in question in the last quarter of 2018, attached the access screens of both, similar to those already presented by the reporters, from which the following emerged:

- the willingness of the owner to carry out the five treatments described was stated;

- it stated that "if you prefer, you can choose [...] which consents you wish to give on Management Consent. By pressing Accept you allow Wind Tre to collect and use the information listed above and customized by you. I also declare to accept the terms and conditions and to have read the privacy policy";

- by pressing the "Cancel" button, you could not use the app because, according to the Company, you did not accept the terms and conditions and did not read the privacy policy.

Wind Tre, in this regard, said that there was no obligation to provide consents because these were previously managed by the link "Management consents" in the body of the text and "probably some users may have misunderstood the contents of the page. In fact, by going to Manage Consents you could choose the individual preferences, then "made that choice, the customer going back to the previous page and pressing accept confirm the choice on consents just made and at the same time accept terms and conditions".

In such cases, therefore, it should be noted that the procedure followed was complex, inadequate for rapid use, typical of an application for smartphones and, for these reasons, capable of generating errors on the part of the person concerned with direct repercussions on the legitimate expression of consent. The Company, in any case, despite the reports received from time to time, did not deem it necessary to intervene promptly in the configuration described.

In the same way, it must be considered, in general terms, that the apps of the My3 and MyWind type fulfil the essential function of allowing the user to monitor consumption and the thresholds for the use of the services and, therefore, to control the overall telephone expenditure. The impossibility of keeping current expenses under control may have represented a further negative element for the person concerned, as a consumer.

In addition, with a complaint dated 8 January 2020 (file 145970), the conversation held in chat with customer service operators was documented, confirming that "...consents are revoked. if you found them temporarily granted, it may have been because of the last update of the customer area because, in order to access them, you are first asked to give consents and then they can be revoked again".

In a note dated February 17, 2020, the Company, reaffirming that the expression of specific consents was always possible through the link "Consent Management", added that, in order to make the use of the app more streamlined, by pressing the "Accept" button the customer could confirm at the same time the acceptance of terms and conditions but also of optional consents not previously expressed, except then the possibility to modify them later. The same has, moreover, added that "Mr. ... has repeatedly modified his will by lending and revoking the consents previously issued".

Finally, with a complaint dated February 5, 2020 (file 146873), she complained once again that it was impossible to use the app without necessarily clicking on the "Accept" button and without being able to clearly understand the effects of this expression of will. The complainant documented that, once "Accept" was indicated, all the consents in the personal area were given. The complainant also attached an exchange of correspondence with the box privacy@h3g.it from which it emerged that the Company provided feedback indicating, at first, that "once you have accessed the App, you may change the consents in the Tools - Settings - Consent Management section". In response to the Client's subsequent comments, the Company replied that "In order to facilitate and streamline the first access to the My3 App by our Clients, we have provided, in case the Client does not want to go to the Consent Management section to avoid a further step, which can be done at any time, to provide an Accept button both for the Terms of Service and for the Consents not previously expressed. The Accept referred to the privacy policy is not to be understood as a constraint of the consents to use the features but rather as an acknowledgment of the methods and purposes of treatment.

These justifications provided by the Company were not considered acceptable and a specific objection was therefore made pursuant to art. 166, par. 5 of the Regulation. On the basis of what Wind Tre stated, in fact, the intent of the request would have been to have the contractual conditions accepted and to demonstrate that the information had been read. To this, however, evidently had to be added the intention to acquire previously undisclosed consent.

On the basis of what was stated, therefore, these three different expressions of will (at the opening of the app, with a single request, it was asked: 1) to accept the contractual conditions; 2) to accept the information; 3) to provide - or "validate" all the required consents) should have been expressed with a single action, consisting in the selection of the "Accept" button. Even if such a procedure were to be admitted as useful, it should be noted that the provisions of art. 7, paragraph 2 of the Regulation as well as recitals 42 and 43 concerning the awareness of the person expressing consent in the context of a written declaration that also covers other issues should not be respected.

In addition, the proposition of the above mentioned requests also seems to lack logical sense since it is not clear why they are repeated at every access to the app. In this sense, even if the request is considered only as a confirmation that the information notice has been read, it appears completely pretextual in the absence of modifications to the information notice that would make it necessary to re-propose it. Similar consideration can be made with regard to the contractual conditions, which are supposed to have been made known at the time of signing the service contract (and not modified at each access).

The numerous reports received (all with similar content) lead one to believe that, behind the lack of clarity, there is therefore a rule of collection of consent to force the will of users, a rule that has not been modified even after the receipt of the numerous reports.

The provision of a mode of choice (allegedly preventive) through the link "Consent Management", in addition to proving difficult to understand, also appears to be legally insufficient to ensure the expression of a valid consensus since, in the absence of specifications in this sense, it could always be considered outdated by the expression of will subsequently expressed by pressing the "Accept" button. And, above all, it does not appear justified in its reiteration.

Finally, the remedy consisting in the possibility of revoking (however, not before 24 hours) the consents expressed involuntarily, since, as is well known, the expression of the will must be free and preventive. Wind Tre itself acknowledged that, in several cases, consents were given and then revoked several times. Remaining to be emphasized the risk of use of the data during the aforementioned 24 hours.

Such treatment, therefore, can not be considered lawful and the consent collected in the manner described above can not be considered suitable to prove a manifestation of free and specific will of the interested parties.

With the defensive statement of June 15, 2020, the Company stated that, to date, the two apps have been replaced by the only WINDTRE app, which no longer requires consent to access.
2.1.2.4.  Consent given in a non-legitimate manner (expression of consent not free).

As highlighted in point 2.1., in many cases the Company has documented the acquisition of consent by providing a copy of the contracts signed by customers (so-called pda).

Without prejudice to the specific anomalies already indicated above, we now wish to examine the general procedures for obtaining consent when signing a contract for the purchase of a mobile or fixed user. This is because several times over the years it has been brought to the attention of the Guarantor, the difficulty of expressing a free and specific consent for all the purposes of the processing, despite the statements made by the Company regarding the instructions given to its partners in this regard.

Finally, a report dated 13 March 2020 (see file 148352) is recalled with which, with notes also sent to Wind Tre, the impossibility of expressing free consent for promotional purposes, both before and after signing the contract activated at a retailer, was complained of.

We also refer to the complaint (see file 136370) with which it was represented, in a very timely manner, that the sales operator has prepared a contract with all the boxes relating to consents already pre-selected and, after some resistance to the customer's requests, has modified only the system selections without reprinting the contract. The Company, questioned on the matter, replied with a note dated July 17, 2019 representing that the customer's will was probably misunderstood by the operator. On the basis of these elements, the Office had ordered the closure of the investigation on 20 November 2019. However, in the light of certain events that have occurred, which are illustrated below, what emerged also from the investigation described above must be considered again, assessing differently the good faith of the statements provided by the Company at the time

In fact, with a complaint dated 17 June 2019 (cf. 139604) it was complained that, for the activation of a new user at a dealer, the dealer had prepared a contract containing the consents already selected for signature without having previously asked the customer to express a willingness to do so; given the size of the characters in which the text relating to the expression of consent was written, it would not have been possible to notice immediately what was presented for signature; to obtain the printing of a new contract without the consents selected, there would have been much resistance on the part of the salesperson.

In this case the Office requested an inspection at the retailer XX S.r.l. in Merano, where the user in question had been activated and who was acting as Wind Tre's data processor. The inspection activity, delegated to the Special Privacy Unit, was carried out on 11 and 12 December 2019 and revealed the following:

the registration of the consents was carried out using Wind Tre's application called "Wind Station";

with regard to the actual method of collecting the customer's will, the operator stated in the minutes that "following the instructions of the area manager Mr. ..., during each activation of sim cards, the operator of reference must flag of initiative all the consents provided therein. This operation, among other things, is facilitated by a special button within the management [...]. Only if, on signing the paper form printed by the system and submitted to the attention of the interested party for acceptance of the information and the issue of consents, the latter should express doubts about the consents present in the reference form, the operator shall amend them according to the indications provided directly by the interested party"; it follows that the operator, by default, enhances all the consents and prints the contract, thus prepared, for the signature of the customer;

the minutes have acquired a copy of the contract signed by the complainant on 21 May 2019 in which there is, on the right side at the top, a box called "stay in contact with Wind" containing a statement of acknowledgement of the information and authorization to process personal data for marketing purposes by Wind Tre and its partners; profiling; geolocation; communication to third parties and data enrichment. The size and spacing of the text contained in this box are significantly smaller than those of the characters that make up the attached contract so as to be objectively difficult to read both as regards the entire text and, above all, as regards the display of any flag in the boxes relating to individual consent;

the operator heard in this regard, stated that he had received verbal instructions regarding the operational practice described above for the acquisition of consents and, in order to document what was alleged, he delivered a copy of two e-mails received from the manager of Wind Tre: in one of them, dated May 25, 2019, there is a chart describing the consensus acquisition percentages achieved by the dealer with an invitation "once again to reach 100% on everything"; with the second e-mail, dated June 5, 2019, Wind Tre's sales representative sent the dealer a report of the performance made for supplier evaluation purposes; the text reads "pay attention to the quality data entered, in particular the flags must be 100% on everything"; a table is attached to this email from which it is clear that obtaining high percentages of consensus flags is included among the quality indicators;

finally, by examining the content of the management system provided by Wind Tre to the retailer, access was given to the communication published by Wind Tre on 22 March 2019 entitled "New consents from POS NG". This notice informed the partners of the change made on the list of consents from 25 March 2019 which concerned, in particular, the merging of the first two consents into a single manifestation of will, presented to the subscriber with the following text: "Wind commercial communications: I consent to the processing of my personal data for the receipt, by Wind, of communications relating to special offers, discounts and promotions relating to products and services Wind and partners selected by Wind"; thus a single consent was required to receive promotional communications from both Wind Tre and third parties. In addition, in the case of "change Offer for customers already acquired before January 9, 2017, only 2 old consents are displayed as expressed in the activation phase and 4 new consents not valorized (blank). It is possible to modify the first 2 and acquire the 4 new consents [...] but if the reseller tries to acquire only some of the 4 new consents or modify one of the 2 old ones, the blocking warning will be displayed, where it will be indicated to value all 6 consents. […]. For the customers acquired since January 9, 2017, by Modifica Offerta, all 6 consents are already valued with the possibility to modify them together with the commercial variation of the offer".
2.1.2.5. Consents of clients of another operator acquired by illegal means

Here we refer to the results of the investigations of the so-called "procedure B" referred to in the introduction and carried out after the Authority learnt, from a report, of the existence in Rome of a call-center that would have carried out activities of contacting potential customers and offering telephone services on behalf of the Company, through the acquisition of data of customers of another telephone operator in an unlawful manner and in any case outside the regulatory framework outlined by the Regulations and the Code.

The Office, having carried out the necessary verifications relative to the personal information of the subjects indicated in the report, delegated to the Guardia di Finanza, Special Unit for the protection of privacy and technological fraud, the carrying out of inspections at said call-center.

The audit revealed that the activities carried out there were carried out by Alessandro Corbelli Sunrise s.r.l.s. and, despite the fact that, at the time of access, they were presented as training activities for the start-up of future call-center operators, the results of access to the workstations showed that - at the time of the audit - activities were underway for telephone contacts promoting the services of the company Wind Tre.

The telephone contacts of potential customers, addressed to the business area, provided for the setting of appointments for the compilation of contract proposals, appointments that were "uploaded" in the electronic diaries of people who would have to go to customers.

In the call-centre, a large number of Wind contract forms were found, prepared for business customers, and numerous Wind branded sim-cards.

Contact activities were carried out at seven workstations using personal computers and mobile phones. In the history of these phones was found trace of hundreds of calls made in the three days prior to the inspection. From the access to the computers used by the operators it was possible to acquire numerous files in excel format containing directories consisting of personal data and telephone contact information of companies and individuals. All the operators questioned stated that these files were uploaded daily to the desktop of the PCs by the contact person and that they contained the names and telephone numbers of the persons to be contacted. In the contact person's PC and at another workstation, excel files containing personal data (name, surname, company name, tax code, landline phone number and mobile phone number) of over 500,000 users were found. Computer traces of virtual machine access to another telephone company's database were also found.

With reference to the origin of the personal data found in the different work stations of the call-center, a specific inspection carried out at the headquarters of the telephone operator from which - according to the above mentioned report - these would have been stolen, did not allow to acquire full evidence in this sense, while the referent present in the call-center at the time of the assessment declared that "the activity in a typical day of this call center provides that I distribute to operators the lists of subjects to contact who are present in my PC of which I do not know how to define the origin [...]; with reference to the SIMs present in the call centre and the contractual documentation and brochures, I represent that all this material comes from Wind's agencies whose names and company names I do not know and are intended, presumably, for agents [...] whom I do not know personally'.

Such declarations of the referent, paradoxical, unreliable and made in contempt of the duties of collaboration towards the Authority, were not able to prove that the acquisition of the personal data of potential customers had occurred in compliance with the provisions of the Regulation and the Code, with particular reference to the discipline of consent, and, in any case, showed that the call-center activities took place outside the procedures implemented by Wind Tre to regulate the telemarketing and teleselling activities. In addition, the methods of contacting potential customers took place without providing the necessary information required by art. 14 of the Regulation, as evidenced by the absence of information on the processing of personal data in the call script acquired during the assessment, thus corroborating the consideration that any consent collected can not be considered valid due to lack of the necessary prior information.

In good substance, the activity of the call-center was presented as completely abusive, in violation not only of the provisions on the subject of the protection of personal data, but also of those in the fiscal, tax and work ambit for which the privacy nucleus proceeded to interest the competent articulations of the Guardia di Finanza. Furthermore, it was conducted by a company not present in the Register of the communication operators, using numbers not recorded in the same register, in an extremely worrying framework of disinterest for the rights of the interested parties and for the necessary guarantees of security which should have presided over every operation of treatment.

During the investigation carried out at this call-center, documentary evidence was obtained of a significant operational link between it and the agency Merlini s.r.l., which carries out marketing activities for Wind Tre products at its operational headquarters in Ponsacco (PI).

The Office then delegated the Guardia di Finanza to carry out an inspection of the aforementioned agency, from which it emerged that Merlini s.r.l. operates exclusively on behalf of Wind Tre, under an agency contract that also provides for its designation as data processor. Merlini s.r.l. carries out its activity through collaborators present on the national territory, called "procacciatori". Among the "procacciatori" who collaborate with this company was also the company Alessandro Corbelli Sunrise s.r.l.s. and, with reference to it, Merlini s.r.l. produced some invoices, lists of contracts acquired and e-mails containing copies of customer documents.

As regards the activity of the procurers, Merlini s.r.l. showed a copy of some letters of assignment in which it is reported verbatim: "its activity must be carried out in full autonomy following only the indications and dispositions that will be given to it about our products, the conditions of sale and other commercial dispositions. The activity may, however, be carried out in collaboration with production and/or marketing staff, with our own agents". Merlini s.r.l. declared not to have identified the procurers as responsible for the processing or authorized to carry out processing operations because they "operate autonomously" and "each procurer is free and, therefore, autonomous in the search for subjects to whom to direct commercial proposals".

With a note dated October 25, 2019, the Office requested Merlini s.r.l. to show a copy of the letter of assignment given to the company Alessandro Corbelli Sunrise s.r.l., and of any other legal transaction entered into with the same. Merlini s.r.l. provided feedback by e-mail dated November 4, 2019, representing "not to have further documentation and in particular copies of other mandates. As already stated during the assessment of July 9, with many employees (including Corbelli) are and were in progress verbal agreements and the relationship has materialized with the sending of proposals for Wind contract by employees and the timely payment of business procacciati by our company" and also adding "that at the time of starting new collaborations to procacciatori the written mandate is the last thing that interests [...]".

With specific reference to the above case, the Office also delegated to the Guardia di Finanza two inspections which took place at the Wind Tre headquarters in Rome.

With regard to relations with Merlini s.r.l., Wind Tre produced the agency agreement between the two companies and a summary of the documentation acquired and the process carried out to affiliate the sales agents to Wind Tre's network. This affiliation process includes, among other things, the acquisition of chamber of commerce surveys, due diligence and scoping questionnaires, banking and tax documentation and the curriculum vitae of legal representatives.

Among the documentation, a questionnaire was submitted to the sales agent regarding personal data protection requirements. Among the answers provided by Merlini s.r.l., there were many elements that raised doubts about the correct handling of personal data and the effective management of employees. For example:

- to the question (present in section 6 "Composition of commercial contact lists" of the questionnaire) "does the partner acquire lists of subjects to be contacted by telephone through channels other than Wind Tre?", Merlini s.r.l. replied in the affirmative without indicating the acquisition channels of the aforementioned lists;

- to the question "does the partner guarantee the correct use of the lists of contacts within their temporal validity previously communicated by Wind Tre and does he delete them, after the deadline, from any system/memory support?", Merlini s.r.l. replied negatively;

- Merlini s.r.l. replied to all the questions concerning the "obligations related to the processing of data for commercial calls" and the "code of conduct for telemarketing activities" Merlini s.r.l. replied that they were not conferring with respect to its activities, although they concerned the rules of conduct and operating instructions in sections I and L of the agency contract signed by Merlini s.r.l. itself.

No checks were carried out by Wind Tre, in the light of the feedback provided by Merlini s.r.l., regarding the network of collaborators of the latter company and, in particular, whether such collaborators were identified on the basis of the same requirements required by Wind Tre, as well as started promotional activities on the basis of the same operating procedures identified in the agency agreement signed between Wind Tre and Merlini s.r.l..
2.1.3. Contacts made without the acquisition of appropriate consent being documented

The Company, in a number of circumstances, has been unable to document the acquisition of consent:

a) that the calling numbers indicated by the reporters were not traceable to those in the possession of the partners or,

(b) that the user called was not on the lists to be contacted for promotional purposes (cf. files 128220, 127687, 132667, 132114, 131606, 131684, 135017, 136153, 136903, 137035, 136371, 136650, 137157, 137392, 137186, 138316, 138667, 139253, 140782, 139839, 140716, 140463, 140391, 142109, 144236, 146789) or again,

(c) that the methods used to carry out the promotional campaign were not recognised as complying with the company's communication policies (cf. files 134997, 130266, 145996, 123638, 130729, 113495, 133984, 134569, 132667, 133372, 134927, 132256, 132114, 131606, 131897, 131464, 135017, 136903, 136945, 137003, 137392, 139253, 140782, 139839, 140343, 140391, 144236, 146789);

i.e:

(d) not providing any information or documentary evidence that the person concerned has been blacklisted (see files 134569, 132256, 133372, 131897, 136945, 137035, 139126, 142352, 139839);

(e) by documenting consent by attaching copies of contracts which are illegible or which prove only the contractual intentions and not also the choices concerning personal data (see files 128208, 130787, 113495, 131896).

2.2. Methods of responding to requests by data subjects to exercise their rights

In many cases, the failure to respond to the requests made by the data subjects to exercise their rights has been complained of, even repeatedly, with particular regard to the opposition to processing for promotional purposes or the exercise of the right of withdrawal.

The Company, with the notes sent in response to the various requests for information made by the Authority, represented that some instances were not found or were not promptly found because:

a) received at an address not in charge of handling this type of request (see files 130344, 133911, 142614, 145996, 124985, 134434, 133063, 133372, 137580);

(b) in accordance with a farm procedure which was subsequently outdated, it was requested to identify itself by sending a document (see files No 130344, 128000, 128805, 130356, 129952, 127784, 128208);

(c) there were errors or problems in receiving paper or electronic mail (see files No 141011, 134392, 130266, 130539).

2.2.1. Requests received at incorrect addresses

With regard to what is represented in point a), in particular, the Company has pointed out that the communications that did not have an adequate response have been received to email addresses or pecs not manned by personnel suitable to handle requests relating to the protection of personal data. The Company has also pointed out that in a complex structure, such as that of Wind Tre, it is not possible to ensure the correct management of requests if they do not reach the correct addresses, as indicated in the information on the Wind and Tre brand websites.

The office therefore verified, on 26 February 2020, the publication of these contact details on the Company's websites, and found the following:

a) regarding the references for the Wind brand,

- on the website www.wind.it at the link "privacy" there was a list of different information followed by the "cookie policy" at the bottom of which it is stated that "Any requests pursuant to Articles 15 to 22 of the European Regulation, should be addressed to Wind Tre S.p.A. - Ref. Privacy CC, Casella Postale 14155- Ufficio Postale Milano 65, 20152 Milano (MI)";

- if, on the other hand, the link to "New Privacy Policy art. 13 and 14 of GDPR as a modification of the information already provided pursuant to art. 13 Legislative Decree 196/03, so-called Privacy Code" was followed, it was stated that, for various purposes of processing, the consent given "may be revoked at any time by writing to Wind Tre S.p.A. - Privacy Ref. CC Casella Postale 14155, Ufficio Postale Milano 65 20152 Milano (MI) or by calling 155". Finally, in the same notice, it was indicated that requests relating to the exercise of the rights of the interested parties "may be addressed to Wind Tre Spa - Privacy Ref. CC Casella Postale 14155, Ufficio Postale Milano 65 20152 Milano (MI) and providing, attached to the request, an identity document in order to allow WIND TRE to verify the origin of the request";

therefore, only the physical address of a P.O. box was made available to Wind customers or, alternatively, they were invited to call customer service;

(b) with regard to the references for WIND TRE,

- on the website www.tre.it under the link "privacy" there was a list of different information followed by a document called "Privacy policy" in which it was specified that "Any requests pursuant to Articles 15 to 22 of the European Regulation, should be addressed to Wind Tre S.p.A. - Ref. Privacy CC, Casella Postale 14155- Ufficio Postale Milano 65, 20152 Milano (MI)";

- if, on the other hand, the link to "New Privacy Policy art. 13 and 14 of GDPR as a modification of the information already provided pursuant to art. 13 Legislative Decree 196/03, so-called Privacy Code" was followed, it was stated that, for different purposes of processing, the consent given "may be revoked at any time, by writing to Wind Tre S.p.A. - Rif. CC Privacy - Via Alessandro Severo 246, 00145 Rome, or by writing to privacy@tre.it or by calling 133";

- finally, in the same statement, it was indicated that requests relating to the exercise of the rights of the interested parties "may be addressed to Wind Tre Spa - Rif. CC Privacy - Via Alessandro Severo 246, 00145 Rome, or by writing to privacy@tre.it. and providing, attached to the request, an identity document in order to allow WIND TRE to verify the origin of the request";

For WIND TRE's customers, therefore, a physical address was made available, referring first to a P.O. box and, subsequently, to the address Via Alessandro Severo 246, Rome, without clarifying which was the correct address to use; furthermore, an ordinary e-mail address was provided or, alternatively, customers were invited to call customer service.

It should be noted, however, that the numerous requests received all complained, in a similar way, the failure to respond to requests sent almost always to the same addresses: windtrespa@pec.windtre.it, servizioclienti155@pec.windtre.it and windtreitaliaspa@pec.windtre.it.

The recurrent use of the same contact details by many complainants, instead of those given in the information notices, can be considered indicative of the fact that, first of all, they were somehow made known to customers (probably in the contractual documentation or, as reported in some reports, provided by telephone by the customer service itself). The same Wind Tre, with the feedback provided on November 26, 2019, in contesting the use of a non-existent pec address, said that "the correct address is servizioclienti155@pec.windtre.it as reported in the General Conditions of Contract".

Moreover, taking into account the technology currently available, it cannot be considered sufficient - and in these terms it was contested to the Company - to set up only the physical channel for sending applications, obliging those concerned to send a letter or a registered letter (possibly also with acknowledgement of receipt, to have confirmation of receipt), bearing the related costs.

The alternative of telephone contact with customer service or the ordinary e-mail address (which is provided only for the Tre brand and not for Wind) does not meet the needs of those who want to prove the sending of an application.

In this regard, reference is made to the provisions of art. 12, par. 2 of the Regulation according to which the data controller facilitates the exercise of the rights of the data subject, as well as the provisions of art. 7, par. 3 according to which consent is revoked as easily as it is granted.

Finally, while we understand the Company's need to channel the requests relating to the protection of personal data to a single "channel", the number of complaints received has made it clear that the parties concerned are not always able to independently address their own requests to issues related to data protection.

As can be seen from the numerous reports submitted to this Company, not only the average user but also various professionals (engineers, lawyers, etc.), have made use of the above mentioned contact details considering them correct and only in very few cases has the dpo contact been used (mostly after previous unsuccessful attempts). Likewise, reference is made to the difficulties represented by those who, although never having been clients or no longer clients, have been the subject of promotional campaigns without, however, having had the possibility of identifying a correct address to which to address their refusal to be treated (given that even in these cases the first attempt was made using the customer service channel).

It follows that the customer service, which in fact represents a primary interlocutor for those concerned, was not sufficiently trained for the correct management of the requests received (at least at a first level of reception and sorting), with the consequence that many requests remained unanswered or were treated improperly.

We acknowledge, however, what the Company communicated in a note dated March 6, 2020 regarding the preparation of a new disclosure, introduced following the establishment of the unique Wind Tre brand, which indicates, as channels of communication with the owner, a physical address, a pec and a telephone number. Wind Tre itself wished to point out, in its defence brief, that this corrective measure was put in place prior to receipt of the notice of initiation of proceedings by the Guarantor, received on 13 May 2020.

2.2.2. Applications not accompanied by identification documents.

In other cases, as mentioned above, the Company then declared that it did not promptly find the requests of the parties concerned because they were not accompanied by identification documents. In particular, in the various response notes received, the Company stated several times that initially the Company's procedures required the presentation of an identity document. Subsequently, also as a result of the numerous reports forwarded by the Guarantor, a simplification has been made, ensuring the withdrawal of consent for marketing purposes even in the absence of the document, provided that the same came from an e-mail address traceable to the customer, "requiring at a later date the identification of the person concerned".

In the current regulatory framework, the identification of the interested party exercising their rights is a necessary prerequisite for the correct response to requests. It is, in fact, clear that the data controller, in responding to the requests of the interested parties, must guarantee them from any prejudices, including access to unauthorized third parties. Therefore, art. 12, par. 6 of the Regulation allows the data controller to request further information that may be necessary to confirm the identity of the data subject, but only if it has reasonable doubts about the identity of the person making the request. This parameter of reasonableness is also referred to in recital 64, which suggests the adoption of "reasonable measures" to verify the identity. This is in order to avoid excessive requests aimed at discouraging the exercise of rights but also to avoid the collection and retention of unnecessary data. The identification of reasonable measures should therefore be guided by compliance with the principles of proportionality, necessity and adequacy.

In the light of these principles, the reasonableness of the measures taken can be assessed taking into account the context and potential risks but also the usefulness of achieving the purpose (of achieving correct identification).

In the case in question, it is possible to quantify the risk associated with the withdrawal of consent for commercial purposes differently from that deriving from the exercise of other rights (such as, for example, rectification, cancellation, portability, access). This is first of all in view of the limited consequences that the withdrawal of consent for commercial purposes may have in the legal sphere of the person concerned compared to those, which are much more prejudicial, deriving from the exercise of other rights, if it were a third party with malicious intent to exercise them. In addition, a request for revocation of consent or opposition for marketing purposes can probably be considered traceable to the person who proposes it, since other persons who could have an interest in this sense cannot be hypothesized (unlike what could happen with the exercise of other rights).

Finally, the measures adopted must, as mentioned above, limit the acquisition and storage of unnecessary data. This eventuality could instead occur in the case of persons who, although not customers of Wind Tre, but who have been contacted (correctly or not) for a campaign of the latter, want to submit a specific refusal to receive promotional messages: the request addressed also to these subjects to provide an identity document seems even more disproportionate and may involve the acquisition of personal data that are not already available to the owner and are therefore not necessary.

In conclusion, the Company's responses revealed an uncertain and contradictory picture in the description of the technical and organisational measures adopted to identify the parties concerned in a reasonable manner, representative of an insufficient evaluation of the different interests at stake.

The initial request for a copy of the identity document for all parties, both customers and non-customers, and for any type of request, as stated, was subsequently revised, providing for an immediate response to the exercise of revocation of consent; it is not clear, however, what is the need, once the interested party's request has been accepted, to request in any case, albeit at a later stage, the sending of the identity document.
2.2.3. Undetected instances of errors or problems in receiving paper or electronic mail

In a remaining number of cases Wind Tre justified the failure to respond to the requests sent by the parties concerned by suggesting the recording of episodes in which correspondence was lost or not received by the correct recipients due to errors or problems of reception.

These events should be evaluated in the light of the observations made so far regarding the suitability of the organizational measures taken by the Company.

2.3. Information to interested parties

Referring to the previous point, it should be noted that, prior to the corrective action taken with the introduction of the single brand, the information made available on the websites of Wind and Tre indicated contact details that were not unique and different from the customer service addresses, also communicated by the Company and used more frequently by those concerned. According to the Company, this has led to difficulties and delays in the management of requests.

With regard to compliance with the provisions on transparency, as set forth in art. 12 of the Regulation, it should also be added what emerged from the preliminary investigation activity initiated following a complaint (see file 143394) concerning the exercise of the right of access to traffic data stored for billing control purposes.

In a note dated November 26, 2019, the Company justified the failure to respond to the requests made by the complainant by stating that they had been sent to non-existent addresses and, therefore, since more than six months had elapsed, access to such data was no longer possible. Without prejudice to the specific fact, probably caused by the customer's error, it must however be noted that, as also disputed in the same complaint, the information given to the parties concerned pursuant to art. 13 of the Regulation did not indicate the period of retention of data provided for by art. 123 of the Code. This resulted, in the case in point, in the erroneous reliance on the much longer data retention period indicated by the Company for the execution of the contract (10 years and six months).

The provisions of art. 123, paragraph 4 of the Code must, in fact, be considered with regard to the obligation of the service provider to include, in the information provided pursuant to articles 13 and 14 of the Regulation, also the information regarding the storage of traffic data.

In this context, therefore, one cannot simply oppose the user's lack of knowledge of the rules, since the purpose of the provision violated - art. 123, paragraph 4 - is precisely to balance the information asymmetry towards users.

2.4. Publication and updating of data in telephone directories

The Authority has also received numerous complaints about the publication, never authorised, of personal data in telephone directories, as well as the impossibility of obtaining their cancellation from Wind Tre. In response to specific requests for information, the Company provided the following reasons:

a) the publication was due to material error or misalignment (see files 137276, 128170, 128336, 133645, 146363);

b) the request for cancellation was not promptly accepted due to difficulties in communicating with the client (see files 134918, 142978); in the latter case, reference is made to what has already been made to the adequacy of the organisational measures aimed at ensuring communication with the parties concerned, to which these further cases are added as an example of the prejudicial consequences.

In particular, it should be noted that, in a note dated November 28, 2019, addressed to the Guarantor and the complainant, the Company stated that the latter was published in the lists by the previous operator "therefore the cancellation request had to be forwarded to the Company Italia on Line S.p.A.". In reality, as has been known for some time now (see measures of the Guarantor of July 15, 2004, doc web 1032381 and April 1, 2010, doc web 1711492 on the publication of personal data in public directories), the telephone operator to which it belongs, as data controller, is the only person to whom users must address requests for changes to the publication of data in the directory. It is therefore incomprehensible the reference made by Wind Tre to the need to contact Italia on Line directly. At the same time it should be noted that, despite the assurances provided by the Company in the same note, as of March 16, 2020 the data of the complainant was still present on the site www.paginebianche.it.

With regard to the complaint in file 146363, which also complained about the failure to respond to the request for deletion from the lists, it should be noted that, in a note dated March 12, 2020, the Company stated that "the competent department of the writer promptly manages the request by attempting to activate the cancellation process, which was not successful". However, it was not specified why the cancellation was unsuccessful, nor was it documented whether, contrary to what was complained in the complaint, the request submitted by the client had been responded to. Also in this note, the Company stated that the user had been entered by the previous operator and that the complainant should have turned to Italia on Line.

3. THE OWNER'S DEFENCE

Following the notices of initiation of the procedure for the adoption of corrective and sanctioning measures sent by the Office pursuant to art. 166, paragraph 5, of the Code (note of 13 May 2020 - procedure A and note of 19 December 2019 - procedure B), the contents of which are to be understood herein in full, the Company provided its comments, supplemented by memoranda of 15 June 2020 (procedure A) and 3 February 2020 (procedure B), during the hearing on 25 June 2020 (procedure A) and 25 May 2020 (procedure B), of which the respective minutes were drawn up. The party's defensive considerations must also be reproduced in full here.

In addition to what has been reported in relation to the individual points at issue, Wind Tre has provided the following additional specific elements to justify its conduct.

3.1. Promotional activity not authorised by the parties concerned

With regard to the activities contested in point 2.1., Wind Tre, in particular, referring also to the measures already implemented, stated that all partners and agents have been appointed as data controllers. They were required to comply with the instructions conveyed through communications on the dedicated portal and with specific training activities. In addition, the single-firm agency, consumer, microbusiness and business contracts have been integrated with the recent introduction of a "decalogue" of rules on the protection of personal data (non-compliance with which can be assessed as a prerequisite for contract termination). One of these rules imposed on partners concerns the obligation to present the calling line unencrypted and to communicate to Wind Tre, following a specific procedure, all the numbering used; this declaration is essential to assign the partner a code in the company system.

The Company then recalled the use of the Campaign Management system, already in use and mentioned several times in the answers given to the Authority's requests for information; this system has the function of centralising the implementation of individual promotional campaigns by conveying initial instructions and lists of names to be contacted to the partners and receiving as input any revocations of consent collected during the calls made. In this regard, Wind Tre has made it clear that the lists are mainly provided by the owner, who is also responsible for checks at the Register of Objections, but it is also possible for partners to make use of their own lists: in the latter case, Wind Tre's prior authorization to use the list is required.

In addition, again with regard to the measures taken to ensure greater control of the supply chain, the Company has added that "...requested the partners of the physical channel who intend to use lists of contacts for activities of mere appointment, to give appropriate evidence and request prior authorization, which will in any case be subsequent and possible compared to the sample checks carried out by the Writing Company. The partners of the physical channel were also asked to keep a register of all possible contacts (both successful and unsuccessful) with an indication of the source of the contact and evidence of consent. Said register, upon request, shall be available to the Company, in its capacity as data controller, and shall be produced at the request of the competent Authority. A process has also been set up internally according to which, following the activation of contracts (in outbound mode, physical channel), the entire chain that followed the activation, including therefore the origin of the contact made, is verified by the undersigned company". This register can be filled in from 4 February 2020.

Finally, Wind Tre has adopted an internal procedure to formalise the checks to be carried out following the subscription proposals from customers: among these is a section dedicated to the collection of personal data and consent.

In view of the measures described above which, in the Company's intentions, should make it possible to trace each call back to the partner who made it, the Company has however added that, as it does not have other means of investigation, it is unable to identify individuals who make calls without complying with these measures.

The Company has also added that, as already pointed out in previous discussions with the Guarantor, all agents have received specific instructions and are subject to periodic checks, carried out through answers to questionnaires and, on a sample basis, through on-site checks.

In this regard, the specific defensive considerations that the Company has carried out in relation to "Procedure B" (point 2.1.2.5. above), in relation to which it represented that:

a) the scope of the activities of the company Merlini s.r.l. on behalf of Wind Tre is not telemarketing or teleselling but is represented by the so-called "physical channel", which provides for the promotion of contracts for the sale of telecommunication services and products offered by Wind Tre in a specific geographical area, through a direct interview and therefore without carrying out distance selling activities; the customers to whom this channel is dedicated is the business, mainly consisting of legal entities, for which the regulations on the protection of personal data should not apply;

b) since the activity carried out by Merlini Srl should not have configured telemarketing activities aimed at teleselling, Wind Tre has never provided Merlini s.r.l. with lists of contacts of potential customers, except for customers and former customers who had given specific commercial consent during the signing of the contract and had not revoked it, on which Merlini had to carry out tasks of loyalty; therefore, it cannot be stated that at the call-center inspected was in progress a promotional activity of the telephone services of the company Wind Tre;

c) Wind Tre has on several occasions provided training and awareness raising activities on the protection of personal data, both with reference to the internal corporate population and with reference to its Partners and Agents; as shown by the last extraction requested to the Human Resources department, the training was completed by all Area Managers, District Managers and Channel Managers authorized to control the Business Agencies (including the Agency managed by Mr. Merlini);

d) since the contract concluded by Wind Tre with Merlini Srl did not constitute an agency contract for the performance of telemarketing activities aimed at teleselling and, in any case, should have concerned exclusively the offer of products and services to legal persons, the Company had no suspicions precisely because, according to the contract, they did not detect either teleselling activities or the processing of data of individuals.

With specific regard to the disputed unsuitability of the methods of collecting consent, formulated on the basis of the checks carried out at partner XX (point 2.1.2.4 above), the Company stated that the conduct described does not fall within the company procedures provided for and does not correspond to the instructions given to its dealers also through the competent commercial agents in the territory.

Therefore, "any verbal or written instructions given by the Agent to the sales outlets managed by them and not explicitly mentioned in the official procedures, are to be considered an initiative not attributable to the Company". The same company also added that the systems in charge of printing the contracts have the default consents set to "blank" and that "with regard to the graphs sent by e-mail by the Agent to the point of sale, it should be noted that nothing is said about the procedures for acquiring consents, nor do they appear to be contrary to such procedures". Furthermore, with regard to the ascertained presence of a single consent for the receipt of promotional messages from Wind Tre and third parties, the Company has clarified that this method of collecting consent does not involve the communication of data to third parties but offers the interested party the possibility of receiving promotional messages in which the content conveyed may be for the benefit of Wind Tre or a third party. Therefore, the only purpose of the processing remains the same and the content of the messages that remain conveyed by Wind Tre changes.

With specific regard to the disputed methods of collecting consent through the apps MyWind and My3, (point 2.1.2.3 above), the Company has stated that it has made changes to the same prior to the receipt of the initiation of the procedure by the Guarantor, providing to set the request for consent only during the first configuration of the app. Subsequently, in view of the adoption of the single brand, the two apps mentioned above are no longer available and have been replaced by a single WINDTRE app; this no longer requires the expression of consent, even in the first configuration phase, but simply reports the customer's wishes as recorded and already present in the systems, allowing them to be modified by the same app.

More in general, with regard to the extent of the violations ascertained, the Company has finally observed that "considering that the reports in this measure are about 95 for the years 2018-2019, it should be noted that they represent about 0.026% of the total management carried out by the Company" and therefore the disputed cases, taking into account that the Company has about 32 million customers, can be considered attributable to a margin of physiological error with the exclusion of some specific cases that are considered to be attributable to fraudulent activities of third parties and have already been the subject of specific complaints to the judicial authorities.

3.2. Exercise of rights by the parties concerned

With the note of June 15, 2020, the Company also provided its comments on what is represented in point 2.2. above and, in particular, on the availability of suitable contact channels and the procedures adopted to ensure the exercise of the rights of the parties concerned.

The Company has preliminarily recalled that, with the birth of the single brand, all contact channels have been unified and made known through the new information notice and by sending individual communications to customers; therefore, to date, a P.O. box, the customer service pec and the telephone number 159 are available (and for about one year the previous contact channels will be maintained).

The customer service is duly trained in the protection of personal data, but the Company has ensured that every request received, even to non-dedicated channels, is handled, although it must highlight the difficulties encountered in a complex structure.

With regard to the measures adopted to guarantee the exercise of rights, the Company has preliminarily observed that some cases contested by the Guarantor, which complained about the receipt of promotional contacts even after the withdrawal of consent, were due to the timing of alignment of the systems which, in the years immediately following the company merger, took longer to integrate. However, the Company stated that, to date, "the consent is updated every 15 minutes and at the latest 24 hours after the revocation has been entered into the system".

Finally, with respect to the procedures adopted to ensure the exercise of the right of revocation, the Company reiterated that it originally required the request to be accompanied by an identity document but, as early as the beginning of 2018, this procedure was simplified by executing the revocation request provided it was received from an email address of the customer known to the Company and postponing receipt of the document to a later date.

The choice of this method originated from the fact that, for the activation of each user, the Company was required to acquire a copy of a document and therefore considered it consistent to identify the persons concerned using the same means. In addition, the Company added that the request for identification by document had become necessary in the past as a result of numerous requests for revocation of consent received from third parties in the name and on behalf of various interested parties.

To date, however, she confirms that she has changed the procedure by allowing the request even without the attachment of the document as long as it comes from an email address traceable to the customer.