Italian Data Protection Authority fines Vodafone a record of 12 M € for breach of GDPR over agressive telemarketing practices

The Italian data protection supervisory authority  ordered Vodafone to pay a fine in excess of Euro 12,250,000 on account of having unlawfully processed the personal data of millions of users for telemarketing purposes. As well as having to pay the fine, the company is required to implement several measures set out by the Garante in order to comply with national and EU data protection legislation.

The investigations carried out by the Garante brought to light major criticalities of a ‘structural’ nature having to do with the violation not only of consent requirements, but also of key principles such as accountability and data protection by design as set forth in the EU GDPR. These criticalities could be traced down to the processing activities performed both in respect of Vodafone’s customer database and – more broadly – with regard to prospective users of electronic communications services.

More specifically, one of the most worrying findings of the investigations was the use of fake telephone numbers or numbers that were not registered with the ROC (i.e. the National Consolidated Registry of Communication Operators) in order to place the marketing calls. This practice is under Vodafone’s own spotlight and is seemingly related to a shady set of unauthorised call centres that carry out telemarketing activities in utter disregard of personal data protection legislation.

Additional violations could be established as for the handling of contact lists purchased from external providers. Those lists had been obtained by Vodafone business partners from other companies and had been transferred to Vodafone without the users’ required free, informed, and specific consent.

Taking account of the infringements found in the course of the proceeding, the Italian Garante imposed a fine amounting to Euro 12,251,601.00.