Italian data protection supervisory authority imposed 27.8 million fine
Reason for the data protection fine:
The Italian data protection supervisory authority imposed a fine of EUR 27 802 496 on Italian Telecom "TIM S.p.A" for several cases of unlawful processing for marketing purposes. The infringements affected millions of persons in total.
Nature of the data protection violation:
From January 2017 to early 2019, the data protection supervisory authority received hundreds of complaints, in particular about unsolicited marketing calls made without any consent or despite the called party being included in the public opt-out register. In other cases, the called parties had clearly refused to give their consent to receive marketing calls. Furthermore, complaints mentioned unfair handling practices in connection with prize competitions.
Data protection violations of the telecommunications provider in detail
Complex investigations were also carried out with the assistance of a special unit of the Italian financial police, and brought to light a number of serious violations of personal data protection legislation.
- TIM S.p.A. proved to be insufficiently familiar with the basic functions of the processing activities they were carrying out.
- It has been proven that millions of marketing calls to "non-customers", made by the call center operator contracted by TIM S.p.A., were made without any consent. In one case, a person was contacted 155 times within one month. In about two hundred thousand cases, "off-list" numbers - i.e. numbers not included in TIM's list of marketing numbers - were called.
- Other types of illegal behaviour have also been identified, such as TIM's failure to monitor the activities of some call centres or to properly manage and update their blacklists (which list people who do not wish to receive marketing calls).
- Furthermore, only persons could join a rebate system if they were forced to accept the consent to marketing activities.
- Inaccurate, unclear information on data processing was given in connection with certain applications aimed at customers and the arrangements for obtaining the necessary consent were inadequate.
- In a few cases, paper forms had to be filled in when a single consent form was available for various purposes including marketing.
- The data breach management system was also found to be ineffective and there were no adequate implementation and management systems for the processing of personal data that did not comply with the requirements of the "Privacy by Design" corresponded.
- It was found that TIM's blacklists did not correspond to those of the contractors' call centres, and this also applied to the records of 'verbal orders' - i.e. contracts agreed over the telephone.
- The numbers of customers of other telephone operators that TIM received in its capacity as network operator were stored longer than legally permitted and used for marketing campaigns without the consent of the customers.
Measures imposed by the data protection supervisory authority in Italy
In addition to the fine, the Italian data protection supervisory authority imposed 20 corrective measures on TIM, including both bans and injunctions.
- In particular, the supervisory authority prohibited TIM from using the data of users for marketing purposes who had refused to give their consent to marketing calls, users included in the black lists and "non-customers".
- The company is no longer allowed to use the customer data collected via the apps 'MyTim', 'TimPersonal' and 'TimSmartKid' for other purposes than the provision of the corresponding services.
- The orders issued by the Italian supervisory authority include an obligation for TIM to check the consistency of its black lists and to obtain the lists compiled by the call centres in time to update its own black lists.
- TIM must rethink the "TimParty" scheme and allow customers to access discount systems and prize competitions without having to consent to marketing activities.
- TIM must also review the processes for activating the apps, always indicate in clear and understandable language the processing activities they perform, the purposes and the corresponding processing mechanisms, and obtain valid consent.
- TIM must adopt technical and organisational measures in relation to the data subjects' requests for information on their rights and improve the measures to ensure the quality, accuracy and timely updating of the personal data processed in its individual systems.
- The measures and implementing rules imposed must be put into effect and notified to the Italian data protection supervisory authority according to a specific timetable, while the fine must be paid within thirty days.
Categories of data: Names, addresses, telephone numbers
Fines: 27.8 million euros