Garante per la protezione dei dati personali - 9435807

| Authority: | Garante per la protezione dei dati personali (Italy) |
| Relevant Law: | Article 5(1)(a) GDPR; Article 25 GDPR; Article 58(2)(d) GDPR; Article 83(5)(e) GDPR |
| National Case Number/Name: | 9435807 |
| European Case Law Identifier: | n/a |
| Original Source: | Garante (in IT) |
The Italian DPA (Garante) fined telecoms operator Iliad €800,000 for violating multiple GDPR and Italian Privacy code provisions.
English Summary
Facts
As a number of different complainants brought similar issues to the Garante's attention regarding Iliad's processing practices, the Garante decided to carry out a single inspection addressing all the complaints. The issues concerned the following:
- Iliad's requesting of consent for processing for marketing purposes, without having any specific intention or plan to carry out such processing;
- Iliad's use of "Simboxes", special machines with which customers could independently activate their SIM card by entering their data and completing the procedure by scanning their identity document and recording a video message of consent to the conclusion of the contract; the installation of Simboxes in railway stations, shopping centres and Iliad shops; and the storage of the videos in Iliad's central databases;
- the accessibility (by certain staff members) and storage measures for customers' telephone and telematic traffic data: retention periods over six months, a lack of authentication requirements beyond username and password, and failure to store different types of data in separate computer systems.
Dispute
Holding
The Garante held the following:
The use of the mandatory tick box constituted an infringement of the fairness, lawfulness and transparency principle under Article 5(1)(a), because the wording lacked the intelligibility and clarity needed for customers to understand that, by ticking the box, they were opening up the possibility of processing. The Garante did not accept that the box ticking could be considered consent, because that did not appear to be the controller's intention. The Garante did not issue further corrective measures on this aspect, as Iliad had subsequently adopted changes to separate information obligations more clearly from the collection of consent.
The collection of consent for marketing purposes "just in case" also constituted an infringement of Article 5(1)(a). The Garante did not issue further corrective measures on this aspect, because Iliad declared that it considered the consent for marketing given by anyone before July 2019 (when the issue was discovered) to be invalid and not given.
The use of the Simboxes, while not considered an outright breach of the integrity and confidentiality principle in Article 5(1)(f), was still considered insufficient for containing the potential risks of unauthorised access, particularly where the Simboxes were located in public spaces. Applying Articles 58(2)(a) and (d), the Garante ordered Iliad to adopt appropriate corrective measures to guarantee greater confidentiality, including specific measures for the positioning and placement of the machines.
The data storage measures constituted a violation of Articles 123(2) and 132-ter of the Italian Privacy Code. Applying Articles 58(2)(d) and 58(2)(i), the Garante ordered Iliad to adopt appropriate security measures and stop the processing, and issued a fine pursuant to Article 83.
Comment
In setting the amount of the fine, the Garante considered the following to be factors justifying its size:
- the wide scope of the processing operations relating to the storage of traffic data;
- the fact that the storage could be considered "systemic", since it extended to all customers of Iliad's mobile telephone services, which included approximately 3 million users at the date of the Garante's inspection;
- the gravity of the violations, given the inadequacy of the security measures in place and the type of personal data (telephone traffic data) subject to the processing;
- the controller's inadequate technical and organisational measures;
- Iliad's general approach to processing, which showed "an overall negligent picture in the application";
- the degree of cooperation of Iliad with the Garante;
- the fact that the Garante discovered the violation during an inspection activity.
The Garante considered the following to be mitigating factors for the size of the fine:
- the measures adopted by Iliad to mitigate some of the consequences of the violations;
- the significant losses recorded by Iliad in 2018.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.