
Italian DPA issues 27.8M euros fine for GDPR violations

Paul Lanois


United States

On February 1, 2020, Italy's data protection authority, the Garante Per la Protezione Dei Dati Personali (the "Garante") issued a fine totaling 27.8 million Euros for several unlawful marketing data processing practices against TIM SpA, an Italian telecommunications company that also operates under the name 'Telecom Italia'. In particular, the Garante highlighted that the company made unsolicited marketing phone calls without consent and, in some cases, despite the customer's refusal to receive such calls.

The Garante stated that from January 2017 to the first months of 2019, it had received numerous complaints from individuals (including individuals who were not existing customers of the company) claiming that they had received unsolicited marketing phone calls. According to the Garante, some individuals were still receiving marketing calls despite having registered on an opt-out list (the Public Opposition Register) or having previously indicated to the company that they did not wish to receive such calls. The Garante further noted that the violations affected several million individuals.

The Garante indicated that its investigation uncovered "numerous and serious" data protection infringements and a general lack of accountability from the company. For instance, the Garante noted the absence of control by the company over the work of some call centers, the failure to update the list of individuals who had opted out of receiving marketing communications, and the requirement to consent to marketing communications in order to enroll in the 'TIM Party' program to receive discounts and participate in sweepstakes.

In addition, the Garante stated that the company provided "incorrect and non-transparent information" to users via its apps and that invalid methods were used to obtain consent from users, including bundled consent whereby a single consent was used for various purposes such as marketing.

Last but not least, the Garante found that the company's data breach management was insufficient and that the systems used by the company to process personal data were inadequate and not in line with the 'privacy by design' principle (for example, customer information was kept for longer than legally permitted).

In addition to fines totaling 27.8 million Euros, the Garante ordered the company to verify the accuracy of its opt-out lists, to keep such lists up to date and to ensure that its call centers no longer call people who had expressed their refusal to receive promotional calls. The Garante also ordered the company to remove the requirement that customers consent to marketing communications in order to enroll in the 'TIM Party' program to receive discounts and participate in sweepstakes. The company is also banned from using customer data collected through its apps (e.g. the MyTIM, TIMPersonal and TIM Smart Kid apps) for purposes other than the provision of services unless it obtains specific customer consent.
