It has been revealed that the Italian Data Protection Authority ‘Garante’ is sanctioning a €16,729,600 fine on telecoms provider Wind Tre in relation to a number of data processing activities, mostly related to direct marketing, that were in breach of the European Union’s General Data Protection Regulation (GDPR).
The Garante conducted a GDPR investigation into the marketing activity of the mobile communications company after a number of complaints were submitted in relation to unsolicited marketing communications. The communications were not consented to by the recipients. There were also a number of complaint that those who had signed up to the marketing communications were unable to withdraw their consent for this.
It was discovered, during the subsequent investigation that the contact details supplied in Wind Tre’s privacy notice were not 100% accurate. To confound matters further, a number of users had their contact details listed in a public phone directory even though they had expressly stated that this did not want this to happen. Another violation that was identified was that a number of mobile apps requested that consent for the processing of users’ data for various aims, such as direct marketing and geolocation, had to be provided every time that someone logged in. Withdrawal of this permissions could only be revoked after a 24-hour waiting period.
There were also some penalties applied to business associates of Wind Tre’s in relation to other breaches. In one instance a business partner was fined €200,000 for having unlawfully subcontracted parts of its processing activities to call centers that were collecting data illegally.
In announced these GDPR penalties the Garante revealed that an earlier prohibitory injunction had already been issued to Wind Tre in relation to similar infringements in the past. These infringements happened before GDPR became enforceable on May 25 2018.
The total penalty applied by the Garante was €16,729,600. In addition to this Wind Tre are forbidden, by law, of any processing of the personal data obtained unlawfully and directed the group to create technical and organizational measures ensuring an effective management of its business partners.
This is the second largest fine applied by the Garante. Earlier, in January 2020, a fine of €27,800,000 was sanctioned against telecommunications operator TIM following hundreds of complaints in relation to unsolicited commercial communications made without the permission of the data subjects or despite their registration in the public register of objections and irregularities in data processing in connection with competitions were also complained about. In December 2019 there were also two separate fines totalling €11,500,000 applied to utility company Eni gas and electricity following unlawful processing of personal data in the context of advertising activities and activation of unsolicited contracts.
The increase in activity by the Garante mirrors the increased policing of the GDPR legislation by the EU member states’ data protection authorities, in the first 12 months after GDPR was enforceable the body applied just €50,000 in GDPR fines.