The Italian SA (Garante per la protezione dei dati personali) fined TIM SpA EUR 27,802,496 on account of several instances of unlawful processing for marketing purposes. The infringements concerned on the whole millions of individuals.
From January 2017 to the beginning of 2019, the SA received hundreds of complaints regarding, in particular, unsolicited marketing calls that had been performed without any consent or in spite of the called parties’ inclusion in the public opt-out register; in yet other cases, the called parties had clearly denied their consent to receiving marketing calls. Allegedly unfair processing practices were also mentioned in the complaints with regard to prize competitions and the relevant forms as submitted by TIM to users.
Complex investigations were carried out also with the support provided by a specialised unit of the Italian Financial Police and brought to light a number of severe infringements of personal data protection legislation.
TIM were proven to be insufficiently familiar with fundamental features of the processing activities they performed (accountability).
In many cases out of the millions of marketing calls that had been placed in a six-month period with ‘non-customers’, the SA could establish that the call centre operators relied upon by TIM had contacted the data subjects in the absence of whatever consent. In one case, a person was contacted 155 times in one month. In about two hundred thousand cases, ‘off-list’ numbers – that is, numbers not included in TIM’s list of marketing numbers – had been called. Other types of illicit conduct were also found such as TIM’s failure to supervise the activities of some call centres or to properly manage and update their blacklists (listing individuals who do not wish to receive marketing calls), and the fact that consent to marketing activities was mandatory in order to join the ‘Tim Party’ incentive discount scheme.
Inaccurate, unclear data processing information was provided in connection with certain apps targeted to customers and the arrangements for obtaining the required consent were inadequate. In a few cases paper forms were to be filled in where a single consent statement was available in respect of different purposes including marketing.
The data breach management system proved ineffective as well and no adequate implementation and management systems were in place regarding personal data processing, which fell short of privacy by design requirements. TIM’s blacklists were found not to match those of the contractor call centres, and this also applied to the recordings of the ‘verbal orders’ - that is, the contracts stipulated on the phone. The numbers relating to other phone operators’ customers, which TIM held in their capacity as network provider, were stored for longer than permitted by the law and had been used for marketing campaigns without the customers’ consent.
As well as the fine, the Italian SA imposed 20 corrective measures on TIM including both prohibitions and injunctions. In particular, the SA banned TIM from using, for marketing purposes, the data of the users that had denied their consent to marketing calls when contacted by call centres, of the users included in the black lists, and of the ‘non-customers’ that had not given their consent.
The company is not permitted to use any longer the customer data that were collected via the ‘MyTim’, ‘TimPersonal’ and ‘TimSmartKid’ apps for purposes other than the provision of the relevant services without the users’ free, specific consent.
The injunctions issued by the Italian SA include the obligation for TIM to check consistency of their blacklists and to timely acquire those put together by call centres so as to update their own blacklists. TIM will have to reconsider the ‘TimParty’ scheme and enable customers to access discount schemes and prize competitions without having to consent to marketing activities. TIM will also have to check the app activation procedures; always specify, in clear and understandable language, the processing activities they perform along with the purposes and the relevant processing mechanisms; and obtain valid consent. TIM will have to implement technical and organisational measures in respect of data subject rights requests and enhance the measures to ensure quality, accuracy and timely updates of the personal data that are processed in their individual systems.
The measures and implementing arrangements imposed will have to be in place and notified to the Italian SA according to a specific timeline, whilst the fine will have to be paid within thirty days.
For further information, please contact the Italian SA: ufficiostampa@gpdp.it