Italian DPA issues the highest GDPR fine since its entry into force

Italian telecommunications provider TIM S.p.A. (TIM) was hit with a massive €27,802,946 fine by the Italian DPA after the authority received a huge number of reports against TIM. Complaints were made that the company was making unwanted promotional calls without data subjects’ consent, despite their being registered in the “opt-out” register, or in cases in which individuals had exercised the right to object to their data being processed.

What happened?

The DPA has been very tough in determining the amount of the penalty due to the fact that the same Company has been, even in recent times (2016 and 2017), already the addressee of various injunctions, prescriptive and punitive measures with regard to the same type of violations.

In particular, after a long investigation, the DPA newly discovered many illegal activities carried out on a continuous basis by TIM, and namely:

• marketing messages and calls (about 155 times in only one month to a single individual) to “prospective” clients without obtaining their express consent;
• phone calls to existing clients who however exercised their right not to be contacted for any marketing communication;
• information provided to clients within the TIM’s privacy notices or during its promotional campaigns, through emails or calls, were not transparent and unclear about the purpose of the processing of personal data; and
• incorrect data breach procedures: it filed multiple data breaches to the DPA during the last year, but each time failed to do so by the deadline of 72 hours following the breach and the measures the company took to lower the risks where not appropriate nor proportionated to the incidents occurred.

The above was also due to the fact that TIM has not correctly implemented its systems and services according to the privacy by design principles set out in the GDPR. For such reason the procedures for uploading withdrawals and denials to consent in the various archives were not suitable to guarantee a correct management of the right to object and – albeit in a circumscribed manner – to prevent the inclusion in promotional campaigns of users already on the “opt-out” register.

Hence, the wide range of TIM’s processing activities, the seriousness and the extent of the detected violations and the intentional nature of its conducts, especially involving the creation and development of its APPs and systems, led the DPA to issue the highest penalty ever inflicted since the entrance into force of GDPR.

What are the implications of this fine?

TIM S.p.A. was sanctioned with the highest penalty in Italy since the entry into force of GDPR. The rationale behind this was the fact that the DPA had already warned Italian telecommunications companies multiple times against conducting aggressive marketing campaigns and, in this case, used TIM as an example.

Moreover, this sector of businesses has recently been addressed also by the Italian Competition Authority which issued (last January) a fine for a total amount of €228m to four big Italian telecommunication providers (including the Company), since these companies forced almost 12 million clients to pay 13 monthly instalments in order to access the Wi-Fi services at their homes without informing them of such an increase.

The above demonstrates how often the Italian DPA and the Italian Competition Authority carry out investigations and act together and, more importantly, how businesses should now by even more aware of the possibility of undergoing inspections and investigations.