On 16th November, the Italian Data Protection Authority (Garante per la protezione dei dati personali) announced its decision to impose a fine of €12.2M on Vodafone Italia SpA (“Vodafone”) on account of unlawful processing of personal user data for its telemarketing activities. The Authority concluded the investigation, which originated from the receipt of hundreds of complaints and reports of repeated unsolicited promotional phone calls by Vodafone, by holding Vodafone’s conduct to be in violation of Articles 5(1) and (2), 6(1), 7, 15(1), 16, 21, 24, 25(1), 32, and 33 of the General Data Protection Regulation (“GDPR”) (Regulation (EU) 2016/679).
The transfer of contact lists to Vodafone from its partners was carried out without the mandated free, informed and specific consent of users. In addition to violation of consent requirements, the Authority held Vodafone’s conduct to be violative of key principles of accountability and data protection by design contained in the EU GDPR. The complaints received by the Authority also stated that customers were asked to send their IDs through WhatsApp by operators purporting to act on behalf of Vodafone. Considering this to be related to spamming and phishing activities, the Authority found Vodafone’s customer resource management security measures to be inadequate. The investigation also brought to light Vodafone’s questionable practice of using fake telephone numbers that were not registered with the National Consolidated Registry of Communication Operators to make the marketing calls.
In addition to the imposition of a €12.2M fine, the Italian Authority ordered Vodafone to adopt a series of measures to ensure data protection compliance. The Authority prohibited Vodafone from further processing data for marketing or commercial activities, where the data is obtained from third parties that do not have free, specific, and informed consent to disclose such data. The company was also directed to implement systems to demonstrate compliance with consent requirements in its telemarketing activities and strengthen security measures to prevent unauthorized access to customer data. Further, the company must prove that contractual arrangements are activated only through calls made by registered numbers belonging to their sales network.
The Italian Authority has previously taken similar action in the case of unlawful processing of personal data of consumers for marketing by TIM SpA, wherein as many as 20 corrective measures including injunctions and prohibitions were imposed along with the €27.8M fine. This is also not the first time Vodafone has been penalized for flouting the EU’s data protection law. In August this year, in a similar investigation carried out by the Spanish Data Protection Authority, La Agencia Española de Protección de Datos (AEPD), Vodafone España was fined €75,000 for processing the claimant’s data for telemarketing after the claimant’s exercise of his right to erasure, thereby violating Article 6(1) of the GDPR. Furthermore, earlier this year, the AEPD had also imposed fines of €48,000 and €9,000 on Vodafone for the violation of Article 32 and Article 5(1)(d) of the GDPR, respectively.
Reported by Priyanshi Rastogi, Student Ambassador