The Italian Data Protection Authority (DPA) Garante fined TIM SpA EUR 27,802,496 for several instances of unlawful data processing for marketing purposes.
Complex investigations were carried out after the DPA received hundreds of complaints, from January 2017 to early 2019 regarding unlawful processing for marketing purposes, in particular, unsolicited marketing calls that had been performed without any consent, from call centers acting on behalf of TIM S.p.A. In some cases, the concerned parties either had denied their consent to receive marketing calls or were part of the public opt-out register. Some complaints also mentioned unfair prize competition processes and the applicable forms, among other issues. The investigations were carried out with the aid of a specialised unit of the Italian Financial Police and revealed several critical infringements of personal data protection legislation.
Unlawful ‘cold’ marketing calls
TIM SpA, Italy’s largest telecommunications service provider, was found to have had marketing calls placed to millions of consumers, by various call centers, on their behalf, to ‘non-customers’, without their consent. There were also calls made to several customers who are on a marketing black list. Furthermore, over two hundred thousand numbers were called, which were not included in TIM’s list of marketing numbers. According to the European Data Protection Board “Other types of illicit conduct were also found such as TIM’s failure to supervise the activities of some call centres or to properly manage and update their blacklists (listing individuals who do not wish to receive marketing calls), and the fact that consent to marketing activities was mandatory in order to join the ‘Tim Party’ incentive discount scheme.”
Measures issued by the Italian DPA
In addition to imposing fines on TIM, the Italian DPA also imposed certain injunctions and prohibitions. The injunctions require TIM to check the consistency of their blacklists, and to allow customers to access discount schemes and prize competitions without having to consent to marketing interactions. Also, TIM will have to check the app activation procedures; and always specify, in clear and understandable language, the processing activities they perform along with the purposes and the relevant processing mechanisms. They are to make sure they obtain valid consent. In addition, the company is no longer allowed to use customer data collected through their three apps; ‘MyTim’, ‘TimPersonal’ and ‘TimSmartKid’ for any purposes other than to provide the relevant services without the users’ free, specific consent. This is only part of the total of 20 corrective measures imposed on TIM by the Italian DPA, which must all be implemented and the progress thereof, reported to the Italian SA according to a specific timeline, in addition to having to pay the Euro 27.8 million fine within 30 days.
Should our business be worried?
One should keep in mind that the rules on ‘cold calls’ vary from country to country, even within the GDPR framework. It is therefore important to consult an expert before deciding to engage in cold marketing calls or cold emailing. The latter is generally prohibited in all the EU Member States and the UK, with some exceptions.