December 4, 2020

Italian data protection authority imposes €12.25 million fine for GDPR violations

On November 12, 2020, the Italian data protection supervisory authority (Garante per la protezione dei dati personali) imposed a €12,251,601 (approximately $14.9 million) fine on Vodafone Italia S.p.A., the Italian affiliate of a multinational telecommunications company doing business primarily in Europe and Africa, for violations of the Italian regulations implementing the General Data Protection Regulation. 

According to the Garante, Vodafone placed marketing calls using fake telephone numbers not registered with the national consolidated registry of communication operators, employed unauthorized call centers to carry out telemarketing activities, and purchased and made use of contact lists obtained by Vodafone business partners without the consumers’ consent.  The Garante found, additionally, that Vodafone’s customer data security measures were inadequate, and that unauthorized parties had used the information to contact customers – potentially for fraudulent purposes.  Indeed, the Garante determined that the personal data of over four million consumers had been obtained from Vodafone by third parties.

Following an investigation that included multiple information requests to the company, the Garante concluded that Vodafone’s conduct and practices had violated Articles 5, 24, 32 and 15 of the GDPR.  In assessing the penalty amount, the Garante took into consideration the severity and duration of the violations, as well as the large number of consumers involved and the negligent approach taken by Vodafone to the maintenance and protection of its customers’ information.  At the same time, the Garante viewed as mitigating factors the subsequent measures taken by the company — including audits of Vodafone’s network partners, and the implementation of platform management controls and enhanced security measures – as well as the company’s cooperation in the investigation.

In addition to the € 12,251,601 fine, Vodafone is enjoined from processing data for telemarketing or other commercial purposes without the fully informed and freely granted consent of the concerned consumers.  Furthermore, Vodafone will be required to implement enhanced data security measures, and to establish telemarketing policies and procedures to comply with legal consent requirements, and to document the use of registered telephone numbers by Vodafone and its third-party contractors.

Garante press release | Order