The fine was issued for violations of the General Data Protection Regulation, with emphasis on unlawful data processing, a non-compliant aggressive marketing strategy, invalid collection of consents and an excessive data retention period.
The Garante identified violations of:
- Article 5 (principles relating to processing of personal data);
- Article 6 (lawfulness of processing);
- Article 17 (right to erasure, the ‘right to be forgotten’);
- Article 21 (right to object);
- Article 32 (security of processing) of the GDPR.
From January 2017 to the first months of 2019, the Garante received several hundred complaints about aggressive promotional campaigns, and a thorough investigation confirmed TIM's continuing violation of the General Data Protection Regulation.
The complaints concerned promotional calls made without proper consent, or despite the contacted individuals being registered in the public do-not-call registry, and even after they had exercised their right to object.
Further complaints pointed to a failure to respond to data subjects’ requests concerning their GDPR rights, in particular requests for access to their data and objections to processing for promotional purposes.
The results of the investigation
The investigation, which was conducted from November 2018 to February 2019, and again between March and June 2019, revealed:
Lack of proper consent
- Call center companies commissioned by TIM made millions of cold calls and marketing calls to non-customers (prospects) without proper consent or any other suitable legal basis, with certain numbers contacted up to 155 times a month!
- As stated in the Garante’s press release, in about two hundred thousand cases the numbers contacted were outside TIM’s contact lists (off-list numbers).
- The company collected consents on paper forms with a single opt-in covering multiple purposes, making the consents indistinguishable and unspecific.
- There was also an issue with the data collected through TIM apps and promotional programs, such as “TIM Party”, which made consent a condition of the service: to access the program and its benefits, customers had to consent to processing for promotional purposes.
Improper management of consent lists
- TIM failed to properly manage the lists of data subjects who wanted to be excluded from commercial campaigns.
- The company did not keep the lists up to date, which led to gaps in the accuracy and quality of the data in its corporate information systems, with TIM’s blacklists inconsistent with its partners’ lists; this represents a violation of the principle of privacy by design.
- Data subjects were placed on the exclusion lists only many days after they had asked to be removed from the marketing lists.
Excessive data retention
- TIM stored data relating to customers of other operators (to whom TIM provided network and infrastructure services) in its CRM system for longer than the limit required by law (10 years).
- Not only did TIM keep the data longer than necessary, but the data also remained visible to customer service operators beyond the time limit set by company policy (5 years), and these numbers were used for promotional purposes without consent.
- The personal information included name, surname or company name; tax code or VAT number; telephone line; address; and contact details.
The truth is, if we ask companies whether their data removal process is compliant, very few would be bold enough to say yes. The number one challenge in the data removal process is knowing where the data is stored and getting real insight into the technical and business implications of removing it.
Automation is the only way to eliminate the possibility of human error and reduce the risk of non-compliance. Data Privacy Manager automatically instructs the relevant system when a data deletion needs to be executed, and lets you define and operationalize data retention and data removal rules for different data categories.
- TIM did not manage data breaches according to GDPR requirements, missing the timeframes within which the supervisory authority must be notified. The company also failed to take action to reduce the risks a breach could pose to the data subjects.
- Management of data breaches was non-compliant both with regard to the timeliness of notification to the Authority and with regard to the measures put in place to reduce the risks to the rights and freedoms of the data subjects.
Is the GDPR fine to TIM telecom justifiable?
One of the reasons for the large fine was that the unlawful data processing activities involved several million individuals.
TIM consistently demonstrated a ruthless disregard for data subjects’ rights. The company tried to justify its policies and its handling of individual cases; however, the investigation found issues that refuted its claims.
The supervisory authority imposed 20 corrective measures on TIM, including a prohibition on using, for marketing purposes, the personal data of those who had refused to receive promotional calls from the call centers.
You can read the entire case, explained in more detail, in the official Garante release.