Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Italy: Garante fines Vodafone €500,000 for unlawful use of personal data in promotional campaigns

The Italian data protection authority ('Garante') announced, on 28 November 2022, in its monthly newsletter, the publication of its Decision No. 379, as issued on 10 November 2022, in which it imposed a fine of €500,000 on Vodafone Italia S.p.A., for violations of Articles 5(1), 5(1)(a), 6, 7, 12(1), and 13 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and Articles 130(1), 130(2), and 130(3) of the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to General Data Protection Regulation (Regulation (EU) 2016/679) ('the Code'), following an investigation.

Background to the decision

In particular, the Garante explained that its investigation had been initiated following the submission of a complaint from a consumer of Vodafone, who alleged that they had been contacted by a call center of the Vodafone sales network, and that, as a result of this call, a contract for the activation of fixed line telephone services was stipulated, without the consent of the same consumer.

Findings of the Garante

Following its investigation, the Garante found that Vodafone had committed the following violations:

  • Articles 12(1) and 13 of the GDPR, for having made a promotional contact with the complainant without having given the interested party the necessary information under the aforementioned provisions;
  • Articles 5(1), 6, and 7 of the GDPR, as well as Article 130(3) of the Code, for having made the aforementioned promotional contact without having acquired the required consent from the complainant;
  • Articles 5(1)(a), 6, and 7 of the GDPR, as well as Articles 130(1), 130(2), and 130(3) of the Code, for having acquired from the interested party, during the aforementioned promotional contact, consent that was not specific; and
  • Article 5(1)(a) of the GDPR, for having carried out the processing of personal data aimed at concluding a contract for the activation of telephone services for the complainant, in violation of the principles of fairness and transparency of the personal data processing.

Outcomes

In conclusion, the Garante imposed a fine of €500,000 on Vodafone in light of the aforementioned violations.

You can read the newsletter here and the decision here, both only available in Italian.