The Italian data protection authority (Garante per la protezione dei dati personali, Garante) imposed a fine of EUR 12,250,601 on the telecommunications giant Vodafone for breaches of the General Data Protection Regulation (GDPR). This decision marks the latest step in an investigation initiated by Garante following a series of consumer complaints and warnings about unsolicited calls from Vodafone, through which the company’s sales department sought to sell more Internet or mobile services.
During the investigation, Garante stated that Vodafone had illegally processed millions of users’ data for direct marketing purposes, and found that the company had violated not only the requirements for obtaining consumer consent, but also the basic data protection principles set out by the GDPR. It was found that the company used telephone numbers for marketing calls that were not registered in the register of communications operators, which leads to the conclusion that the company had “shadow” telephone marketing departments, which operated in complete disregard of personal data protection legislation. Garante also found that the telecommunications company used contact lists purchased from external suppliers and that the data subjects on those lists had not given their consent to receive direct marketing messages.
Finally, it was found that insufficient security measures were taken in customer databases, as Garante received complaints from the company’s customers who received messages via WhatsApp in which individuals pretended to be Vodafone operators and asked for customer ID photos.
In addition to the fine, Vodafone was required to review its personal data protection policy to comply with national and European Union law. The company has been instructed to set up a consent mechanism in its direct marketing channels, send direct marketing messages only to those who have given consent to receive such content, and organize marketing campaigns only through its official sales channels using the telephone numbers registered in the above-mentioned register. In addition, the company was obliged to respond fully to certain requests from data subjects and to ensure that the customer database is secure and inaccessible to unauthorized persons. Finally, Garante prohibited the company from further processing personal data for marketing or commercial purposes if such data is obtained from third parties and the data subject’s free, specific, and informed consent to use his data for direct marketing purposes has not been obtained.
These GDPR violations only reiterate the need for direct marketing campaigns to:
- Obtain the consent of the data subject before attempting to reach him by marketing messages or calls;
- Before using data lists purchased from third parties, make sure that all data subjects have given their prior consent to the processing of their data for marketing purposes;
- Take all security measures for IT systems to prevent intrusions and data leakage;
- Conduct direct marketing campaigns following the principles of GDPR and other personal data protection laws.
Prepared by attorney at law Loreta Andziulytė and legal assistant Nojus Antanas Bendoraitis