TIM SpA fined EUR 27.8 million

Essentials

Date of enforcement action:
15/Jan/2020
Jurisdiction: Fine imposed:
Italy Flag for Italy, which is the jurisdiction taking enforcement action EUR 27,802,946 (US$30,695,000)
Defendant company or entity: Industry segment:
TIM SpA Telecoms /

Case summary

The Italian Data Protection Authority has imposed a penalty of € 27,802,946 on Tim SpA for numerous illegal instances of data processing related to its marketing activities. The violations have affected a few million people overall.

From January 2017 to the first months of 2019, hundreds of reports were received by the Authority relating, in particular, to the reception of unwanted promotional calls made without consent or despite the registration of telephone users in the Public Register of oppositions, or even despite the fact that the people contacted had expressed their willingness not to receive promotional calls to the company. Irregularities in the processing of data were also complained in the context of the offer of prize competitions and in the forms submitted to users by Tim.

Numerous and serious violations of the personal data protection regulations have emerged from the complex preliminary investigation activity that resulted, also carried out with the contribution of the Special Protection and Privacy Fraud Unit of the Guardia di Finanza.

TIM has shown that it does not have sufficient knowledge of fundamental aspects of the data processing carried out in its operations.

Among the millions of promotional calls made in six months to “non customers”, the Authority ascertained that the call center companies commissioned by TIM have, in many cases, contacted the interested parties without their consent. One person was called 155 times in a month. In about two hundred thousand cases, numbers “off the list” were contacted, that is, not present in Tim’s lists of contactable people. Other illegal behaviors were then detected, such as the absence of control by the company on the work of some call centers; incorrect management and failure to update the black lists where people who do not want to receive advertising are registered; the compulsory acquisition of consent for promotional purposes in order to join the “Tim Party” program with its discounts and prizes.

Furthermore, in the management of some apps intended for customers, incorrect and non-transparent information on the processing of data was provided and invalid consent acquisition methods were adopted.In some cases, paper forms were used with a request for a single consent for various purposes, including marketing.

The management of data breaches was not efficient, just as the implementation and management by the Company of systems that process personal data (with violation of the principle of privacy by design ) were inadequate . Misalignments emerged between Tim’s black lists and those of the appointed call centers, as well as for the audio recordings of the contracts entered into by telephone (verbal order). The utilities of customers of other operators, held by Tim as manager of the Networks, have been kept for longer than the legal limits and included, without the consent of the interested parties, in some promotional campaigns.

In addition to the sanction, the Authority imposed 20 corrective measures on Tim, including prohibitions and prescriptions. In particular, he prohibited Tim from using the data for marketing purposes by those who had expressed their refusal to receive promotional calls to the call centers, those on the black list and the “non-customers” who had not given their consent.

The company will no longer be able to use customer data collected through the “My Tim”, “Tim Personal” and “Tim Smart Kid” apps for purposes other than the provision of services without free and specific consent.

Among the prescriptions, the Guarantor has ordered Tim to verify the consistency of the black lists used and to promptly acquire those possibly formed by the call centers to transfer them to its black list. Tim will also need to review the “Tim Party” program and allow customers access to discounts and sweepstakes by eliminating mandatory marketing consent. The company must also check the procedure for activating all the apps, always specify, in clear and understandable language, the treatments carried out with an indication of the purposes pursued and the methods of treatment used, as well as acquire a valid consent.

The required measures and implementations must be introduced and communicated to the Authority within set times, while the payment of the sanction must be made within thirty days.

(Italian Data Protection Authority)

Applicable legal provisions

Enforcement information

Enforcement authority: Type of enforcement action:
Italian Data Protection Authority Flag for Italy, which is the jurisdiction taking enforcement action Penalty notice
Subject to appeal?
Yes

File or case number

Number 7 of 15 January 2020

Cite this fine in your work

Data Privacy Fines Index. (2020-01-15 05:48) TIM SpA fined EUR 27.8 million. dataprivacyfines.com. Retrieved from https://dataprivacyfines.com/fine/tim-spa-fined-eur-27-8-million/

Entry last updated: 2020-02-04 05:54 GMT.