Italy: Garante fines TIM €27.8M for unlawful marketing data processing practices
The Italian data protection authority ('Garante') announced, on 1 February 2020, that it had issued a decision ('the Decision') against TIM S.p.A., a telecommunications company, fining the same €27,802,946 for several unlawful data processing practices related to marketing. In particular, the Garante highlighted that TIM had made unwanted promotional phone calls without consent and despite the consumer's refusal to receive promotional calls, or without activating the specific verification procedures of the Public Register of Oppositions.
In addition, the Garante noted that certain apps provided to clients presented incorrect and not transparent information regarding data processing, as well as invalid methods for obtaining consent. Furthermore, the Garante outlined that TIM's data breach management and data processing system management were insufficient, in violation of the principle of Privacy by Design. Finally, the Garante stated that it had, in addition to the fine, imposed 20 corrective measures, including banning TIM from processing data of those who refused to receive promotional telephone calls for marketing purposes, and from using customer data collected from the 'My Tim,' 'Tim Personal,' and 'Tim Smart Kid' apps without free and specific consent for purposes excepting the provision of services.
UPDATE (1 February 2020)
EDPB issues statement on TIM fine
The European Data Protection Board ('EDPB') issued, on 1 February 2020, a statement ('the Statement') on Garante's decision to fine TIM on account of several instances of unlawful processing for marketing purposes. In particular, the EDPB highlighted that Garante had received multiple complaints regarding unsolicited marketing calls and competition-related forms, despite users' inclusion in the public opt-out register. In addition, the EDPB noted that TIM provided unclear and inaccurate data processing information in connection to certain apps targeted to customers, and that it failed to meet the Privacy by Design requirements. Moreover, the EDPB noted that Garante imposed 20 corrective measures on TIM on top of the €27,802,946 fine.
You can read the Statement here.