The Italian data protection authority (Garante per la protezione dei dati personali) has issued a fine of 12,25 million euros against Vodafone for using personal data of millions of data subjects unlawfully for telemarketing purposes. In addition, Vodafone has been ordered to take series of measures to ensure compliance with the GDPR and ePrivacy Directive.
The DPA had received hundreds of complaints who had received ‘continuous nuisance calls’ promoting Vodafone’s telephone and internet services.
The DPA carried out investigations and found ‘critical violations’ not just regarding consent, but also regarding the accountability obligations. Vodafone had been using abusive call centers to promote its products “in total disregard of the protection of personal data”. The security measures were found ‘inadequate’, e.g. requesting data subjects to provide their identity documents via WhatsApp.
In addition, the DPA prohibited Vodafone from any further processing of personal data for promotional or commercial purposes obtained from third parties.
See the press release by the Italian DPA here.