On May 3, 2024, the Italian data protection authority (Garante) published its decision in Case No. 159 as issued on February 22, 2024, in which it imposed a fine of €150,000 on Sigma srl (Sigma) for violations of the General Data Protection Regulation (GDPR) following an information note sent by the Special Privacy Protection and Technological Fraud Unit of the Financial Police.  

Background to the decision

The investigation carried out by the Financial Police started following a complaint filed on March 10, 2022, by a customer who complained about charges on their card in 2021, including charges derived from the activation of a new contract in the name of their partner, who had passed in 2020. Based on these investigations, it was found that Sigma had activated 1,300 SIM cards using personal data from the systems of telephone operators whose products it sold or unduly stored by shops and that Sigma had activated unsolicited services by getting customers to sign digital forms without clarifying the consequences of giving their consent.

Findings of the Garante

Following its investigation, the Garante determined that the processing carried out by Sigma conflicted with the principles of lawfulness, accuracy, and accountability.  As well as this, Sigma was found to have processed personal data without an appropriate legal basis.

Outcomes

In light of the above, the Garante found Sigma to have violated Articles 5(1)(a), 5(2), 6, 13, 24(1), and 25(1) of the GDPR and imposed the abovementioned fine. Additionally, the Garante imposed a prohibition of any further customer data processing aimed at activating SIM cards, telephone and television services, sale and charging of the cost of purchasing mobile phones and GPS trackers, and adopted an injunction order.

The Garante also ordered Sigma to communicate to them, within 30 days of notification, the initiatives undertaken to implement the abovementioned measures.

You can read the newsletter here and the decision here, both only available in Italian.