On February 1, 2020, the Italian Data Protection Authority (Garante per la protezione dei dati personali, the “Garante”) announced that it had levied a fine of €27,802,946 on TIM S.p.A. (“TIM”), a telecommunications company, for several unlawful marketing data processing practices. Between 2017 and 2019, the Garante received numerous complaints from individuals (including from individuals who were not existing customers of TIM) claiming that they had received unwanted marketing calls, without having provided their consent or despite having registered on an opt-out list. The Garante indicated that the violations impacted several million individuals.
According to the Garante, the investigation revealed numerous data protection infringements and a general lack of accountability from the Italian telecom company. In particular, the investigation revealed that TIM was (1) not appropriately managing the call centers hired to make the marketing calls; (2) not updating the list of individuals who had opted-out of receiving marketing communications; and (3) was making consent to marketing communications a condition for customers to receive discounts and participate in sweepstakes. In addition, the Garante’s investigation revealed infringements related to TIM’s apps. In particular, the Garante found that the information TIM provided to users via its apps was incorrect and not transparent, and that TIM was using invalid methods to collect users’ consent (e.g., bundled consent was used for various processing purposes, including marketing). Furthermore, TIM’s data breach management and data processing system management were also considered insufficient by the Garante, in light of the Privacy by Design principle of the EU General Data Protection Regulation. For example, customer data was kept for longer than legally permitted and the systems used to record opt-outs were not up-to-date.
In addition to the fine, the Garante imposed 20 corrective measures on TIM, including:
- Prohibition on the use of data of customers who had opted-out from receiving marketing communications, data of individuals registered on opt-out lists or non-customers who had not given consent to receive such marketing communications;
- Prohibition on the use of data collected via some of TIM’s apps (including ‘My TIM,’ ‘TIM Personal’ and ‘TIM Smart Kid’) for purposes other than the provision of the services requested by users, unless TIM collects free and specific consent from users to legitimize the processing for these additional purposes;
- Order to verify the accuracy of the opt-out lists used and to align with the lists used by the call centers hired to conduct marketing campaigns on TIM’s behalf;
- Order to provide customers with discounts and access to sweepstakes without being forced to consent to marketing;
- Order to review the processing activities taking place in the context of TIM’s apps, including by providing users with appropriate notice and implementing valid consent collection methods; and
- Order to implement appropriate measures to facilitate the exercise of data subjects rights.
The fine corresponds to 0.2% of the Italian telecom company’s total annual turnover.