Garante per la protezione dei dati personali - 9570997

From GDPRhub
Garante per la protezione dei dati personali - 9570997
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1) GDPR
Article 5(2) GDPR
Article 6(1) GDPR
Article 7 GDPR
Article 12 GDPR
Article 13 GDPR
Article 21 GDPR
Article 24 GDPR
Article 25 GDPR
Article 32 GDPR
Article 33(1) GDPR
Article 34 GDPR
Article 58(2)(d) GDPR
Article 58(2)(f) GDPR
Article 83(3) GDPR
Article 83(5) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 25.03.2021
Fine: 4501868 EUR
Parties: n/a
National Case Number/Name: 9570997
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante Privacy (in IT)
Initial Contributor: n/a

The Italian DPA imposed multiple corrective measures and a fine of €4.501.868 on an Italian telecommunication company for unlawfully processing the personal data of millions of users for telemarketing purposes.

English Summary[edit | edit source]

Facts[edit | edit source]

Following hundreds of complaints for continuous and insistent unwanted telephone calls from Fastweb with the aim of promoting its offers, the Italian DPA opened an Investigation.

The Garante found out firstly, that a large part of the telephone numbers selected came from abusive call centers that process personal data without respecting GDPR. Secondly, the Garante found out a wrongful management of contact lists, provided to Fastweb by external partners, without the latter having acquired the free, specific and informed consent of data subjects to the processing of their data. Thirdly, the Garante also noted the absence of adequate security measures for customer management systems. In fact, many users reported that they had been contacted by false Fastweb operators probably for the purpose of spamming, phishing and for carrying out other fraudulent activities. Other critical issues were found by the Guarantor in the promotional activity carried out by Fastweb in partnership with another party (e.g. Eni Gas e Luce S.p.A.) for using customer lists provided by the latter without consent to the marketing activity. Other violations concerned procedures adopted for the “Call me back” service, which prevented users from giving free, specific and informed consent and from deactivating the service in an automated manner.

Dispute[edit | edit source]

The Italian DPA accused the violation of articles 5(1) and (2), 6 (1), 7, 12, 13, 21, 24, 25, 32, 33(1), and 34 GDPR. Fastweb presented defensive writings that were unable to overcome the allegations of violation.

Holding[edit | edit source]

The Garante ascertained the violation of:

1. Violation of articles 5(1) and (2), 6(1), 7, 24 and 25(1) GDPR, since Fastweb has not proceeded to implement control systems of the "chain" of collection of personal data suitable to exclude with certainty that illegal or unwanted promotional calls have been followed by activations of services or signing of contracts which are then merged into the Fastweb databases.

2. Violation of articles 5(1) and (2), 6(1), and 7 GDPR, since Fastweb S.p.A. acquired lists of personal data from third parties who, in turn, had acquired them as independent data controllers and who have transferred them to Fastweb systems. The data transfer to Fastweb has occurred in the absence of the prescribed consent for the communication of personal data between independent data controllers.

3. Violation of Articles 5, 6, 7, 12, 13, and 21 GDPR in relation to the methods of activation, release of the information and revocation of the "Call me back" service.

4. Violation of Articles 24 and 32 GDPR, in relation to the multiple and systematic accesses to corporate databases containing personal data for failing to implement measures of proportionate effectiveness to guarantee, and be able to demonstrate, that the processing is carried out in accordance with the Regulation, to ensure the confidentiality and integrity of the systems and services on a permanent basis.

5. Violation of Articles 33(1) and 34 GDPR, for failing to submit to the Garante and interested parties the notification of a personal data breach.

6. Violation of Article 5(1)(d) GDPR in relation to the various requests for exercising the rights proposed by the interested parties for whom they have been detected system errors and delays in realigning and correcting data.

7. Violation of Article 5 (1) and (2), 6, and 7 GDPR, in relation to the processing of personal data carried out for promoting products and services, made in the absence of the required consent and pending the unsuitability of the legal base of legitimate interest.

For these reasons the Italian DPA, with the power conferred by Article 58(2)(d) and (f) and Article 83(3) and (5) GDPR, imposed to Fastweb multiple corrective measures and a fine of € 4.501.868.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.