On November 12th, the Italian Data Protection Authority imposed a fine of 12,251,601 euros on a telephone company for illegally processing the data of millions of users for the purpose of carrying out direct marketing activities, in violation of provisions on the processing of personal data, which regulate consent and several fundamental principles set out in the GDPR.
The preliminary investigation, which began last July following the receipt of several reports and complaints from company users, concerned the telemarketing activities carried out by the commercial department for the promotion of telephone and internet services.
In particular, the Supervisory Authority proceeded with six different objections against the company:
- "violation of Articles 5, paragraphs 1 and 2, and 25, paragraph 1, of the Regulation, since the Company has not implemented control systems for the collection of personal data since the first contact with the prospective customer, in view of the significant number of reports and complaints as well as promotional contacts in relation to which it has disavowed the origin, in order to rule out with certainty that unlawful or unwanted promotional calls for services or the signing of contracts that were then included in the telephone company's databases. The violation involves the entire client base of the company;
- infringement of art. 5, paragraphs 1 and 2, art. 6, paragraph 1, and art. 7 of the Regulation, since the Company acquired, from SeiSicuro.it, Innovairre s.r.l., formerly IDMC s.r.l., Nos s.r.l.s., Cooperativa Nuovi Orizzonti, Intercom Data Service - IDS Sh.p.k. and Problem Solving s.r.l., lists of personal data that the aforementioned companies had in turn acquired from other parties. The transfer of data to the telephone company took place without the prescribed consent for the communication of personal data between independent data controllers. The breach involved approximately 4,500,000 data subjects in 2019;
- violation of Articles 5, 6 and 7 and 21 of the Regulation, also in relation to Article 130, paragraphs 1, 2, 3 and 3-bis of the Code, with reference to several complaints regarding undesirable contacts by telephone and text message, which the telephone company ascribed to generic human errors or undocumented system failures, even after the exercise of the right to object".
In addition to the unlawfulness concerning non-compliance with the principles set out in Articles 5 and 6 of the Regulation, the company has received specific fines regarding security measures deemed inadequate with respect to the risks to the rights and freedoms of the data subjects, as well as omissions regarding both the duty under Article 33 GDPR to notify a data breach, which occurred in November 2019, and the obligation to assist and respond to requests for the exercise of rights by the users concerned.
A detailed analysis is available in Italian: Telemarketing aggressivo: l’Autorità Garante per la protezione dei dati personali sanziona una compagnia telefonica per 12 milioni 250 mila euro