Italian data protection supervisory authority imposed 27.8 million fine
Date: 01.02.2020
Reason for the data protection fine:
The Italian data protection supervisory authority imposed a fine of 27,802,496 euros on the Italian telecommunications company "TIM S.p.A." for several cases of unlawful processing for marketing purposes. The offences affected millions of people in total.
Nature of the data protection violation:
From January 2017 to early 2019, the data protection supervisory authority received hundreds of complaints, in particular about unsolicited marketing calls made without any consent or despite the called party being included in the public opt-out register. In other cases, the called parties had clearly refused to give their consent to receive marketing calls. Furthermore, complaints mentioned unfair handling practices in connection with prize competitions.
Data protection violations of the telecommunications provider in detail
Complex investigations were also carried out with the assistance of a special unit of the Italian financial police, and brought to light a number of serious violations of personal data protection legislation.
- TIM S.p.A. proved to be insufficiently familiar with the basic functions of the processing activities it was carrying out.
- It was proven that millions of marketing calls were made to "non-customers" by the call centre operator commissioned by TIM S.p.A. without any consent. In one case, a person was contacted 155 times within one month. In about two hundred thousand cases, "off-list" numbers - i.e. numbers not included in TIM's list of marketing numbers - were called.
- Other types of illegal behaviour have also been identified, such as TIM's failure to monitor the activities of some call centres or to properly manage and update their blacklists (which list people who do not wish to receive marketing calls).
- Furthermore, people could join a rebate system only if they accepted the forced consent to marketing activities.
- Inaccurate, unclear information on data processing was given in connection with certain applications aimed at customers and the arrangements for obtaining the necessary consent were inadequate.
- In a few cases, paper forms had to be filled in when a single consent form was available for various purposes including marketing.
- The data breach management system also proved to be ineffective, and there were no adequate implementation and management systems for the processing of personal data, which did not meet the requirements of "Privacy by Design".
- It was found that TIM's blacklists did not match those of the contractors' call centres, and this also applied to the records of "verbal orders" - i.e. contracts agreed over the phone.
- The numbers of customers of other telephone operators that TIM received in its capacity as network operator were stored longer than legally permitted and used for marketing campaigns without the consent of the customers.
Measures imposed by the data protection supervisory authority in Italy
In addition to the fine, the Italian data protection supervisory authority imposed 20 corrective measures on TIM, including both bans and injunctions.
- In particular, the supervisory authority prohibited TIM from using the data of users who had refused to consent to marketing calls, blacklisted users and "non-customers" for marketing purposes.
- The company is no longer permitted to use customer data collected via the 'MyTim', 'TimPersonal' and 'TimSmartKid' apps for purposes other than the provision of the corresponding services.
- The orders issued by the Italian supervisory authority include an obligation for TIM to check the consistency of its blacklists and to obtain the lists compiled by the call centres in time to update its own blacklists.
- TIM needs to rethink the "TimParty" scheme and give customers access to discount schemes and competitions without them having to consent to marketing activities.
- TIM must also review the processes for activating the apps, always indicate in clear and understandable language the processing activities they perform, the purposes and the corresponding processing mechanisms, and obtain valid consent.
- TIM must adopt technical and organisational measures in relation to the data subjects' requests for information on their rights and improve the measures to ensure the quality, accuracy and timely updating of the personal data processed in its individual systems.
- The measures and implementing rules imposed must be put into effect and notified to the Italian data protection supervisory authority according to a specific timetable, while the fine must be paid within thirty days.
Categories of data: Names, addresses, telephone numbers
Country: Italy
Fines: 27.8 million euros