Wind Tre, an Italian telecoms provider, has been hit with a €16,729,600 General Data Protection Regulation (GDPR) fine after an investigation into its data processing activities, mostly linked to direct marketing.
The investigation, conducted by the Italian data protection agency Garante, found that these processes are not in line with GDPR requirements. Some complaints had been filed that were linked to unsolicited marketing communications. Those who received the marketing communications had not given their authorization to be sent messages like this. Additionally, it was discovered that subscribers to the service were not given any process for unsubscribing.
The official investigation showed that:
- The contact details listed in Wind Tre’s privacy notice were not correct.
- Certain users had their contact details included in a public phone directory even though they had not agreed to this.
- Some mobile apps required consent for the processing of users’ data for different aims, and this consent had to be provided every time that someone logged in. However, removing this authorization took 24 hours.
This comes as Garante revealed that an earlier prohibitory injunction had resulted in GDPR fines which have already been sent to Wind Tre in relation to similar breaches in the past, before the introduction of GDPR.
Wind Tre now has to pay the €16,729,600 penalty and implement technical and organizational measures that will allow effective management of its business partners going forward.
This is the second-largest fine applied by the Garante. Previously this year a penalty of €27,800,000 was applied to telecommunications provider TIM following many complaints linked to unsolicited commercial communications made without the authorization of the data subjects or despite their registration in the public register of objections. Irregularities in data processing linked with competitions were also subject to official complaints. In December 2019 two different fines that added up to €11,500,000 were also applied to utility group Eni gas and electricity following illegal processing of personal data for advertising purposes and activation of unsolicited contracts.
The increase in activity by the Garante mirrors the more stringent application of the GDPR rules by many EU member states’ data protection authorities.