Privacy & Cybersecurity Law Blog

On July 13, 2020, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) announced that it levied a €16,729,600 fine on telecoms provider Wind Tre S.p.A. (“Wind Tre”) for several unlawful data processing activities, mostly related to direct marketing.

The Garante indicated that it had already issued a prohibitory injunction against Wind Tre for similar infringements in the past, prior to the EU General Data Protection Regulation.

Following its investigation, the Garante found that numerous complaints were filed by users against Wind Tre for unsolicited marketing communications sent to them without their consent. In several instances, complainants declared that they had not been able to withdraw their consent or object to the processing of their personal data for marketing purposes, partly because the contact details provided to them in Wind Tre’s privacy notice were not accurate. In addition, some users’ contact details were included in public phone listings despite their prior objections. The Garante also found that Wind Tre’s apps were configured in a way that required users’ consent to the processing of their data for various purposes, including direct marketing and geolocation, on each access. Such consent could only be withdrawn after a 24-hour waiting period.

Furthermore, the investigation revealed various infringements related to Wind Tre’s business partners. One business partner was fined €200,000 for having unlawfully subcontracted parts of its processing activities to call centers that were collecting data unlawfully.

For these reasons, the Garante (1) fined Wind Tre €16,729,600; (2) prohibited any further processing of the personal data obtained unlawfully; and (3) ordered the telecoms provider to implement technical and organizational measures ensuring an effective management of its business partners.

Read the Garante’s decision (in Italian).