On July 9, 2020, the Italian Data Protection Authority (“Garante”) issued a 16.7 million euro fine against Wind Tre S.p.A., an Italian telecom operator, for a number of unlawful data processing activities related to direct marketing under the General Data Protection Regulation (“GDPR”). Following an extensive investigation and several complaints, the Garante found Wind Tre sent unsolicited marketing messages to numerous users via text, telephone, e-mail, fax, and automated calls, and, in many cases, the messages continued even after the data subjects had withdrawn their consent or exercised the right to object to processing of their personal data for direct marketing purposes.
In addition, certain Wind Tre apps were set up so that every time users accessed these apps, they were required to provide consent for various data processing activities, including marketing, profiling, transfer of their personal data to third parties, data enrichment, and geolocation tracking, and, in some cases, Wind Tre claimed consent on the basis of language buried in contracts signed with customers years ago. In some cases, users were allowed to withdraw their “consent” only after a 24-hour window had passed, constituting a direct violation of Article 7 of the GDPR, which grants a data subject “the right to withdraw his or her consent at any time.” The investigation also found that the contact details of some users were included in public telephone directories irrespective of the users’ repeated objections.
Part of the violations committed by Wind Tre were attributed to its lack of control of third-party vendors, specifically the chain of partners who carry out promotional activities on behalf of the telecom provider. Wind Tre argued that all such partners were engaged as data processors under the GDPR. However, the investigation revealed a number of failures in Wind Tre’s due diligence process, for example, failing to verify or follow up on vendors’ answers that revealed inadequacies in their compliance practices.
The Garante also pointed out that Wind Tre was unable to provide an appropriate legal basis for some of the promotional messages sent via text, fax, and automated calls that were initiated by those partners on its behalf. For these reasons, the Garante ordered Wind Tre to implement technical and organizational measures appropriate for the effective control and management of its business partners in order to avoid further marketing violations.
This enforcement action reiterates the importance of complying with EU direct marketing rules, honoring data subjects’ rights to opt out of marketing messages, and instituting a rigorous due diligence system when engaging third-party vendors in the marketing space, among other data processors.
The Garante’s Decision is available here (in Italian only).