Vodafone’s Italian operations has been sanctioned with a GDPR penalty of over than €12.25 million (US$14.5m) as a result of what was deemed ‘aggressive’ telemarketing practices.
The fine comes following ‘hundreds’ of official complaints into unsolicited phone calls and a subsequent investigation by Garante, the Italian Data Protection Authority. The complaints alleged that Vodafone used these phones calls as part of a campaign to promote telephone services and internet. The garante investigation identified a range of issues with the method that Vodafone used to manage customer information and use of contact lists that Vodafone Italia purchased from external providers – in many cases no consent had been given for the information to be used to contact the data subjects. Vodafone Italia claimed that the breach was due to “human error”. This was deemed unacceptable by Garante.
The investigation also discovered that the GDPR breach impacted up to almost 4.5 million customers.
Garante also took into account a range of additional factors in calculating the ultimate fine to be face by the group including the recurrence of the misconduct that led to the initial complaint. Along with the fine Vodafone has been directed to improve telemarketing management and configure security processes for access to its databases “in order to eliminate or in any case significantly reduce the risk of unauthorized access and processing that does not comply with the purposes of the collection.” A;ognm with this the group is forbidden from conducting any more processing of personal data acquired from third parties for promotional and commercial purposes without first acquiring “free, specific and informed consent” from the impacted parties.
There was a degree of leniency applied due to the cooperation of Vodafone and the corrective measures it move to swiftly apply in order to address the shortcomings. As such the highest possible fine could have been more than €245m (US $290m). This is the figure that equates to 4% annual turnover for the previous financial year, the highest possible fine allowable under GDPR.
The fine it the third largest sanctioned by Garante during 2020, a year that has seen the authority register a total of more that €50m in GDPR fines applied. It is the first GDPR penalty that Vodafone Italia has faced.
Vodafone did not reply to a request to comment.