On 16 November 2020, the Italian DPA (“Garante”) announced a fine of EUR 12.25 million against a telecom operator. Garante’s investigation was carried out following hundreds of reports and complaints from individuals who complained of continuous unwanted telemarketing calls. In a nutshell, Garante concluded that the telecom operator did not obtain data subjects’ consent for telemarketing calls and also breached the GDPR requirements on accountability, security of processing, and data protection by design and by default.
In addition to the fine, Garante imposed a series of corrective measures to ensure compliance with the national and European legislation on data protection. Among others, such measures include implementing mechanisms to prove compliance with the provisions on consent, strengthening security measures in order to prevent unauthorized access to customer databases, and providing full responses to the requests for exercising data subject’s rights.
Finally, Garante has prohibited the telecom operator from any further processing of data for promotional or commercial purposes carried out through the acquisition of personal data lists from third parties, without the latter having acquired specific, free, and informed consent from data subjects for the communication of their data.
The press release is available here (only in Italian).