Within the framework of the Italian SA’s enforcement activities regarding telephone operators, Wind Tre SpA was fined about EUR 17 million on July 9th on account of several instances of unlawful data processing that were mostly related to marketing. The Italian SA had already issued a prohibitory injunction against the company, on account of similar infringements that had occurred when the previous data protection law was in force.
The fine was imposed following complex investigations and inspections. Complaints were received from users against unsolicited marketing communications made without their consent via texting, emails, faxes, and automated phone calls. In several cases, the complainants had declared they had not been enabled to exercise their right to withdraw consent or object to the processing of their data for marketing purposes, partly on account of the inaccurate contact information provided in the information notices. In yet other cases, users’ personal data had been included in public phone listings despite the (at times reiterated) objections made by those users.
The investigation showed that the MyWind and My3 apps had been configured in such a way as to require the user to consent, on each access, to processing for various purposes including marketing, profiling, communication of data to third parties, data enrichment and geolocation; withdrawal of such consent was allowed after 24 hours.
Beyond these overarching flaws, the investigations by the Italian SA shed light on multifarious infringements affecting Wind Tre’s business partners. On account of those infringements, one such business partner was fined EUR 200,000 by the Italian SA and was banned from using the data its agents had collected and processed in the national territory without any consideration for data protection rules. This business partner had subcontracted – without relying on any legal instrument – whole sets of processing activities to call centres, which collected data in breach of the law.
The pleadings submitted by Wind Tre and the corrective measures implemented by the company, as also related to the centralised approach applying to marketing campaigns, were found inadequate by the Italian SA, which accordingly fined Wind Tre EUR 16,729,600 and prohibited any further processing of the data they had acquired without consent. The Italian SA also ordered the company to take technical and organisational measures to ensure effective oversight of their business partners, along with implementing procedures to respect users’ indications to be left alone.
During its 9 July meeting, the Italian SA also assessed the findings of the investigations regarding another phone operator, i.e. Iliad; in that case, shortcomings were detected under different respects, in particular concerning employees’ access to traffic data. Accordingly, the company was fined EUR 800,000.
Rome, 13 July 2020
You can find a link to the press release on the Italian DPA’s offical webiste here.
