Vodafone Italy is alleged by the Italian data protection authorities to have used its data for “aggressive” telemarketing without the consent of the data subjects.
Violations of the basic principles
By using the data of data subjects for “aggressive” telemarketing, Vodafone Italy has, in the opinion of the Italian data protection authority Garante per la protezione dei dati personali, violated the General Data Protection Regulation (GDPR). The network operator is now to pay a fine of EUR 12.25 million for the “structural” violations. To this end, Vodafone Italy will also have to adapt its protective measures and implement further ones. The infringement became known through a large number of complaints from those affected. Customers complained about unwanted advertising calls by the mobile phone provider and other companies. These companies apparently all originate from Vodafone’s marketing network.
After it became known, an investigation was initiated, which revealed that Vodafone did not meet the requirements for the consent of the affected persons. This constitutes a violation of the GDPR. In particular, the basic principles of the GDPR were not observed by the mobile phone provider. Here the authorities determined that Vodafone was in breach of the principle of “Privacy by Design”, which is firmly anchored in the GDPR (Art. 25 GDPR) and means that personal data must be protected at an early stage by taking technical and organizational measures. With these protective measures, no access to customer data would have been possible. Vodafone seems to lack these completely. In addition, the authorities do not pay attention to traceability.
“Disturbing” practice of Vodafone
According to the reports available to the Italian regulatory authority, customers and also future customers were called using unregistered or fake numbers. All for marketing purposes. Following an internal investigation by the Group itself, it was found that these were unauthorized call centers “carrying out telemarketing activities in total disregard of legislation on the protection of personal data”. Unfortunately, this is not the end of the story.
The inspectors of the Italian supervisory authority also discovered additional violations in the handling of the contact lists. These lists were obtained by the mobile operator from third parties and business partners without the necessary consent of the users. Vodafone’s security measures in connection with the management of customer data are also inadequate. It remains to be seen whether the fine of 12.25 million will remain. As some gaps have to be closed by the mobile phone provider.