Vodafone Italy has been fined more than €12 million for illegally processing users’ personal data for commercial purposes.
The Italian authority demonstrated through its investigation that not only the consent of users was violated but also the key principles that define the GDPR, such as accountability and data protection by design, through the use of fake phone numbers by the giant company, numbers that were not registered in the National Consolidated Registry of Communication Operators.
Moreover, it appears that the contact lists that came from external suppliers were obtained illegally without the specific consent of the users.
‘’ Several complaints and alerts had been submitted to the Garante by customers who had been contacted by operators purporting to be acting on Vodafone’s behalf and requesting IDs to be sent to them via WhatsApp – quite likely for purposes related to spamming, phishing or other fraudulent activities.’’
Therefore, Vodafone Italy will have to pay a fine of €12,251,601.00, and will have to obtain a clear specific and explicit consent of its users. The telemarketing will be made only by using telephone numbers registered with the ROC (National Consolidated Registry of Communication Operators).
The company was also ordered to increase the security of its databases that contain personal data and no longer process it for commercial purposes obtained from third parties without the specific consent of the users.
Sovy’s GDPR Essentials can help you with each of the steps laid out above:
- Walk through a data mapping exercise and build your data inventory.
- Train your employees with industry-standard eLearning courses.
- Maintain your compliance program in the cloud
- Manage cookie consent and data rights