€16.7M Direct Marketing Fine Issued by Italian Authority

Published On July 23, 2020 | By Plamena Gerovska, Zach Lerner and Mason Weisz | Data Security, International, Privacy
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

On July 9, 2020, the Italian Data Protection Authority (“Garante”) issued a 16.7 million euro fine against Wind Tre S.p.A., an Italian telecom operator, for a number of unlawful data processing activities related to direct marketing under the General Data Protection Regulation (“GPDR”). Following an extensive investigation and several complaints, the Garante found Wind Tre sent unsolicited marketing messages to numerous users via text, telephone, e-mail, fax, and automated calls, and, in many cases, the messages continued even after the data subjects had withdrawn their consent or exercised the right to object to processing of their personal data for direct marketing purposes. 

In addition, certain Wind Tre apps were set up so that every time users accessed these apps, they were required to provide consent for various data processing activities, including marketing, profiling, transfer of their personal data to third parties, data enrichment, and geolocation tracking, and, in some cases, Wind Tre claimed consent on the basis of language buried in contracts signed with customers years ago. In some cases, users were allowed to withdraw their “consent” only after a 24-hour window had passed, constituting a direct violation of Article 7 of the GDPR, which grants a data subject “the right to withdraw his or her consent at any time.” The investigation also found that the contact details of some users were included in public telephone directories irrespective of the users’ repeated objections.

Part of the violations committed by Wind Tre were attributed to its lack of control of third-party vendors. Specifically, the chain of partners who carry out promotional activities on behalf of the telecom provider. Wind Tre argued that all such partners were engaged as data processors under the GDPR. However, the investigation revealed a number of failures in Wind Tre’s due diligence process—for example, failing to verify or follow up on vendors’ answers that revealed inadequacies in their compliance practices. 

The Garante also pointed out that Wind Tre was unable to provide an appropriate legal basis for some of the promotional messages sent via text, fax, and automated calls that were initiated by those partners on its behalf. For these reasons, the Garante ordered Wind Tre to implement technical and organizational measures appropriate for the effective control and management of its business partners in order to avoid further marketing violations. 

This enforcement action reiterates the importance of complying with EU direct marketing rules, honoring data subjects’ rights to opt out of marketing messages, and instituting a rigorous due diligence system when engaging third-party vendors in the marketing space, among other data processors.

The Garante’s Decision is available here (in Italian only).

About The Authors

Prior to joining ZwillGen, Plamena served as a Privacy Analyst at Promontory Financial Group, an IBM company, where she assisted attorneys on compliance with the EU General Data Protection Regulation (“GDPR”), Russian data localization laws and other international privacy laws. Before that, Plamena spent a summer interning at different London law firms supporting the technology teams on issues related to the UK data protection laws and international data transfers.

Zach Lerner’s practice focuses on a variety of legal matters impacting Internet-based companies. He helps companies in a wide range of industries, including education technology, financial technology, and fantasy sports/skill and chance gaming, with issues related to privacy, data diligence, e-commerce, copyright enforcement, advertising, and regulatory compliance. In addition, he has a deep knowledge of the practical considerations for implementing blockchain and smart contract technology.

Mason helps clients navigate a constantly shifting web of domestic and international laws regulating data collection, marketing, data sharing, computer crime, data security, electronic surveillance, online content, children’s privacy, financial privacy, information management, and other areas of privacy and Internet law. A former web designer, he has extensive experience with issues relating to digital media, new technology and e-commerce.