Publications - 23/11/20

Italian Data Protection Supervisory Authority (“Garante”) imposes a million-dollar fine on Vodafone for user data processing abuse

The giant telecommunication company Vodafone was ordered to pay a fine of more than  €12 million by the Italian Data Protection Supervisory Authority (Garante per la Protezione dei Dati Personali – “Garante”). The aforementioned decision was made after the investigation conducted discovered that the company used millions of users illegal data for telemarketing purposes. In addition to being obliged to this financial fine, Vodafone must also implement several measures in order to comply with Italian domestic laws and the European Union legislation on data protection.

The investigation conducted by the Garante was a response to numerous complaints submitted by users, informing the receipt of unsolicited calls made by Vodafone and/or by the group´s commercial network to promote the internet and telephone services offered by the company.

During the process, it was discovered: (i) that the company used fake phone numbers to make the unsolicited marketing calls, (ii) the improper way that Vodafone had access to the users contact lists, through external suppliers and without free, informed and specific consent from users; and (iii) inadequate security measures for the management of clients resources.

From the infractions found in the course of the process, which demonstrated the company´s total disregard for the personal data protection legislation, the Italian Guarante imposed a fine in the amount of  €12,251,601,00 to Vodafone, in addition to other measures of a non-pecuniary nature that the company will need to comply with.

Accordingly, Vodafone must: (i) implement a system that will guarantee and demonstrate that data processing for telemarketing purposes is in compliance with users´ consent requirements, (ii) provide evidence that contractual agreements are activated only after telemarketing calls made by their own sales network through legally registered numbers, and (iii) implement more stringent security measures to prevent unauthorized access to customer databases.

Finally, it was determined that Vodafone is obliged to fully response to certain data subject rights requests, and prohibited to process data for marketing or commercial purposes, when such data is acquired from third parties who did not obtain free, specific and informed permission from users for the dissemination of such information.