Italian DPA issued €12.25 million GDPR fine to Vodafone

On November 12, 2020, the Italian Data Protection Authority- Garante per la protezione dei dati personal, issued a €12.25 million ($14.5 million) fine to telecommunications company- Vodafone Italia for violation of the General Data Protection Regulation (GDPR).

After receiving hundreds of individual complaints about unsolicited calls from Vodafone, the Garante launched an investigation that uncovered flaws in the customer information storage system along with purchased lists from external providers with personal data of more than 4.5 million individuals gathered without proper consent.

The fine was issued for unlawful processing of personal data of millions of users for telemarketing purposes, violation of the accountability principle, and data protection by design.

As the EDPB stated, “one of the most worrying findings of the investigations was the use of fake telephone numbers or numbers that were not registered with the ROC (National Consolidated Registry of Communication Operators) in order to place the marketing calls. This practice is under Vodafone’s own spotlight and is seemingly related to a shady set of unauthorized call centers that carry out telemarketing activities in utter disregard of personal data protection legislation.”

Vodafone was ordered to implement systems to demonstrate that processing for telemarketing purposes complies with consent requirements, implement stronger security measures, and provide proof that the contracts were activated following telemarketing calls that were placed through their own sales network and with registered numbers.

Finally, Vodafone is banned from further processing data for marketing or commercial purposes where such data are acquired from third parties that have not obtained proper consent.

This is the third-largest fine the Italian Garante issued so far, right after the €27 800 000 issued to Italian telecommunications operator TIM, and €16,700,000 to Wind Tre S.p.A. telecommunication company.