Fine in the amount of EUR 12,250,000 applied to the mobile network operator, Vodafone, by Italian data protection supervisory authority

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the fine in the amount of EUR 12,250,000 applied by Italian data protection supervisory authority (Garante per la protezione dei dati personali) to the mobile network operator, Vodafone, for having unlawfully processed the personal data of millions of users for telemarketing purposes.

This decision marks the final step in a complex proceeding that Italian data protection supervisory authority had initiated following hundreds of complaints and alerts submitted by users against unsolicited phone calls made by Vodafone and/or the company’s sales network in order to promote telephone and Internet services.

The investigations carried out by Italian data protection supervisory authority brought to light major criticalities of a ‘structural’ nature having to do with the violation not only of consent requirements, but also of key principles such as accountability and data protection by design as set forth in the EU GDPR.

Finally, the Italian data protection supervisory authority, not only fined the mobile network operator, Vodafone, with EUR 12,250,000, but also banned from further processing data for marketing or commercial purposes where such data are acquired from third parties that have not obtained the users’ free, specific, and informed consent to data disclosure.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.