By Luigi Manna and Laura Spagnoli

By an order dated 29 November 2018, the Italian Data Protection Authority (Garante per la protezione dei dati personali) imposed a 600,000 EUR fine on Wind Tre S.p.A. for the infringement of several provisions of the (Italian) Personal Data Protection Code[1] (applicable to the activities here considered, which occurred before the entry into force of the GDPR) in the context of a telemarketing activity. The penalty followed the decision of 22 May 2018 with which the Authority had found the data processing connected to unsolicited promotional calls and SMS messages, carried out on behalf of the company, unlawful

In fact, the previous proceeding had revealed that Wind Tre customers were systematically contacted by the company or its partners despite their objection to the data processing for commercial purposes. This was due to a series of organisational shortcomings of the phone company. First of all, Wind Tre had not set up a “black list” concerning the subjects who had not given their consent (or withdrawn it at a later time) for some of the telemarketing activities carried out, in order to prevent customers from being further contacted. Moreover, the customers’ objection to the data processing at issue was often not promptly recorded in the systems. Ultimately, the operator had not carried out prior checks on its partners’ activities of so as to ensure that its lists of exemptions were respected.

These deficiencies, which resulted in an increase in unsolicited communications, were worsened by the lack of adequate checks following customers’ reports. Wind Tre addressed its commercial network with mere general warnings, or occasional reports indicating a very limited list of subjects not to be further contacted, or individualized communications in which, however, it simply recalled the applicable laws.

The Garante had also ascertained that Wind Tre had provided access to customer data to a very large number of commercial partners, incorrectly qualified as “data controllers” (and which, considering the type of activity carried out and their relationship with Wind, should have been identified as “data processors” instead). According to the Garante, this had resulted in a systematic and protracted unlawful disclosure of personal data to third parties, namely the same commercial partners, who had access to the company management systems in the absence of a specific designation as “data processors” regulating their activities and obligations.

Given the absence of appropriate informed consent of the concerned subjects, the DPA had found the data processing at issue unlawful pursuant to articles 13 and 23 of the Data Protection Code; forbidden any further use of the concerned data; ordered the company to adopt the required technical and organisational measures. The imposing of fines had been deferred to a separate proceedings , which is the subject of today’s comment.

In its second decision on the matter, the Garante found Wind responsible for three separate violations: the failure to acquire the customers’ consent in relation to promotional calls; the failure to acquire the customers’ consent for the disclosure of their personal data to the company’s commercial partners; and the carrying out of the above-mentioned activities in connection with massive databases.

While the penalty for the first two violations was settled with a reduced cash payment, the applicable law pre-empted to apply the same mechanism to the third violation. In determining the relevant fine, the DPA took into account: the remedial conducts that Wind Tre had put in place in order to eliminate the consequences of its unlawful activity; the seriousness of the infringement, due to the use of “different channels that led to an exponential increase in the level of invasiveness of promotional campaigns“; the numerous procedures (already concluded) in which the company was involved; and, finally, its economic conditions.

The resulting fine, amounting to 150,000 EUR, was however increased fourfold in consideration of the huge size of Wind Tre (the first phone company in Italy, with a very large market share), which otherwise would have made the penalty ineffective.

Following the entry into force of the GDPR, similar violations would today be subject to fines for a maximum of € 20,000,000 or up to 4% of the total annual worldwide turnover of the previous year, if higher.

[1]   In the version prior to the applicability date of the GDPR and the entry into force of national implementing provisions; in fact, the conducts here considered occurred before such time.