Garante per la protezione dei dati personali (Italy) - 9485681

From GDPRhub
Garante per la protezione dei dati personali - 9485681
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 7 GDPR
Article 15(1) GDPR
Article 16 GDPR
Article 21 GDPR
Article 24 GDPR
Article 25(1) GDPR
Article 32 GDPR
Article 33(1) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 12.11.2020
Published: 16.11.2020
Fine: 12250601.00 EUR
Parties: Vodafone Italy S.p.A
National Case Number/Name: 9485681
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: Edda Pernice

The Italian DPA (Garante) imposed a fine of €12.25 million on Vodafone Italia S.p.A, following an inquiry into their telemarketing practices which revealed that Vodafone was in violation of several GDPR articles. Vodafone was ordered to implement more appropriate measures to prevent the unauthorized access of customer databases and to ban the further processing of personal data.

The Garante initiated the inquiry after multiple complaints from people who received constant unwanted phone-calls from Vodafone telemarketers. Among other things, the inquiry found that Vodafone was using contacts lists purchased from external providers without user consent for telemarketing, and that the security measures implemented by Vodafone to protect their client’s data were inappropriate, as unauthorized parties were calling customers and requesting IDs by pretending to be Vodafone.

English Summary


The Garante per la Protezione dei Dati Personali, Italy’s DPA, led an investigation into Vodafone Italy S.p.A following various complaints by Vodafone users and non-users, which highlighted multiple issues on the phone company’s practices.

The first group of claimants complained about constant unwanted promotional phone calls and SMS from Vodafone, with one example being a person claiming that they have been receiving at least 4/5 messages a month by Vodafone since 2018, even after he communicated to the company that he no longer wanted to receive such messages. Vodafone blamed this last mishap on a “system error” that failed to register the client’s request to stop the promotional messages.

The second set of complaints concerned the way that the company stored their client’s data. More specifically, costumers complained about being approached by Vodafone operators, usually after reporting issues with their internet service. However, it turned out that those were call-centres that worked for other phone companies or third party callers that used Vodafone’s logo in their WhatsApp profile. These unauthorized individuals would often ask about the issues the users reported, point out that Vodafone would increase their costumer service fees and offer to subscribe the user to a different phone provider. Other times, they would just request for the user’s IDs, possibly for fraudulent or phishing purposes. Vodafone claimed to have been aware of these practices in the past, confirmed that those were indeed unauthorized parties under false pretences, and explained that they were trying to improve security on their databases by applying 2 Factor Authentication.

Lastly, several users complained that Vodafone was not responding appropriately to their requests in exercise of their rights under Articles 15-22 GDPR. For example, one user complained that Vodafone had not replied at all to a request sent to them via email. Another one explained that Vodafone did reply, but did not promptly correct the user’s personal information as requested, therefore breaching Article 16 GDPR. A last user complained that Vodafone refused to provide the client with information about the purposes of processing his personal data under Article 15(1) because he did not provide them with appropriate Identification, as he used a document with a digital signature.


In light of these facts, Italy’s DPA found Vodafone S.p.A in violation of the following GDPR provisions:

Article 5(1) and Article 5(2) and Article 25(1): for failing to implement control systems of the personal data collection databases from the first time that they received clients’ complaints, in order to exclude with certainty that services or subscriptions were activated on Vodafone’s databases through illicit or unwanted calls by unrecognized third parties.

Article 5(1), Article(2), Article 6(1) and Article 7, because Vodafone received personal data lists by business partners, that those had received from third parties, this all without the user’s appropriate consent. This affected 4,500,000 people in 2019.

Violation of Article 5, Article 6 , Article 7 and Article 21 , due to many complaints of undesired contacts from Vodafone through phone call and SMS, that Vodafone blamed on human errors or system errors that were not documented, even following the data subject used their right to object to processing.

Violation of Article 24 and Article 32, due to the constant access to databases containing personal data, including full names, phone numbers, phone usage details and payment details. For failing to place appropriate measures to guarantee, or be able to prove, that processing of that data was done in compliance with GDPR and ensuring security and integrity of the data processing techniques used and verify the efficacy of the technical and organisational measures in place to guarantee security of processing.

Violation of Article 33(1) for failing to notify the Garante of the violation of personal data

Violation of Article 15(1) and Article 16 for failing to act on the requests of the data subjects


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.