The Italian Data Protection Authority imposed a fine of €12,250,000 on the telecommunication giant Vodafone for unlawfully processing the personal data of millions of users for telemarketing purposes.

The Italian authority initiated an investigation into Vodafone amid hundreds of complaints submitted by users alleging that the company had made unsolicited phone calls to promote its telephone and Internet services.

The investigation revealed that Vodafone violated the consent requirements as well as other key GDPR principles such as accountability and data protection by design. Specifically, Vodafone was found to have placed these marketing calls using fake telephone numbers or numbers that were not registered with the National Consolidated Registry of Communication Operators. Vodafone also used contact lists purchased from third parties without ensuring the data subjects had given their free, informed, and specific consent. The authority also found that Vodafone's security measures were inadequate. Customers were sometimes contacted by operators purporting to act on Vodafone's behalf and requesting that IDs be sent to them via WhatsApp.

In addition to the fine imposed on the company, Vodafone was also required to implement several measures set out by the Italian authority to comply with national and EU data protection legislation.

Originally Published by Pearl Cohen, November 2020
