Thanks to Marianna Riedo for collaborating on this article.
On November 12, 2020, the Italian Data Protection Authority (“Garante”) fined Vodafone Italia S.p.A. (“Vodafone” or “Company”) more than EUR 12,250,000 for aggressive telemarketing practices (decision No. 224 of November 12, 2020, doc. Web No. 9485681). This case is in line with several prior Garante decisions, which during the course of this year have led the Garante to sanction major companies operating in the telecommunications sector for their aggressive telemarketing practices.
More specifically, a long and detailed investigation revealed the systematic use of marketing calls made from fake telephone numbers or numbers that were not registered in the ROC (i.e., the Registry of Communication Operators kept by the Italian Communications Authority).
The investigation was triggered by hundreds of reports from customers complaining about constant unsolicited phone calls for commercial purposes. Confronted with the many reports received over the last 15 years, Vodafone itself acknowledged the problematic and systematic nature of this practice, which is seemingly related to a shady set of call centers that carry out unauthorized telemarketing activities with utter disregard for the rules set out in Regulation (EU) 2016/679 (“GDPR”). Moreover, Vodafone operators often asked customers to provide copies of their personal identification documents via WhatsApp – risky behavior, since those documents are then likely to be exploited for spamming, phishing, and other fraudulent activities.
The reported practices were aimed at both the Company’s existing and potential customers. With reference to potential customers, the Garante reported that Vodafone’s commercial partners received contact lists from third-party companies that were then delivered to the phone operator without customers being asked to provide prior free, informed, and specific consent.
Among other practices, the Garante found that Vodafone was not able to implement control mechanisms that would make it possible to prevent unlawful or unsolicited calls from resulting in contracts with Vodafone that were then entered into the Company’s database. As the Garante observed, the incidence of such a practice increases exponentially as unauthorized operators become aware of their virtual impunity in the matter.
Finally, the Garante reported a violation of Art. 33 par. 1 of the GDPR, as Vodafone had failed to report a data breach relating to one of the contested behaviors (namely, requests for identification documents to be sent via WhatsApp).
Overall, the larger picture emerging from the investigations revealed systemic weakness of the security measures put in place by Vodafone, often in opposition to the basic principles of the GDPR: specific, free, and informed consent; accountability; privacy by design; etc. In addition, the Garante also opposed Vodafone’s argument that customer complaints about unsolicited calls and text messages should be ascribed to a limited number of human errors or undocumented system failures. By contrast, according to the Garante, Vodafone failed to demonstrate the unavoidability of such cases. Thus, the Company’s good faith could not be called upon as a point in its favor for lowering the amount of the sanction.
The investigation revealed that the general vulnerabilities and inadequacies of Vodafone’s security measures and CRM systems had not been addressed, “taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons,” pursuant to Art. 32 of the GDPR.
In light of the above, Vodafone was fined EUR 12,251,601. The Garante expressed its concerns regarding the phenomenon of unsolicited telemarketing calls, which for over 15 years have been causing social alarm among citizens and drawing the attention of the legislature and the public authorities.
Considering this, the Garante forbade Vodafone to conduct any further processing of data for promotional or commercial purposes through the acquisition of customer lists from third-party companies without the latter having obtained the specific, free, and informed consent of users to the communication of their data.
Finally, the Authority deemed necessary, and accordingly ordered, the introduction of systems allowing Vodafone to verify that processing for telemarketing purposes is carried out in compliance with the provisions regarding consent. It also required the Company to be able to demonstrate that contracts are concluded only as a result of promotional calls made by its authorized sales network through numbers that have been registered with the ROC. Vodafone will also have to strengthen security measures in order to prevent abusive access to customer databases and provide full feedback regarding requests for the exercise of rights made by some users.
The Garante’s decision is available at this link.
 Further analysis of such decisions are available here and here.