TIM S.p.A. – €27,802,946 Fine (Italy, 2020)

The Garante examined different complaints relating to unsolicited promotional calls received by prospects without their consent or despite their express will not to receive them. Further irregularities complained of concerned the collect of consent for promotional purposes in different forms for customers and company’s programs and apps. Users also complained deficiencies in the response to data subjects’ requests, namely requests of access to one's own data and to oppose to data processing for promotional purposes. The Garante also examined several notifications TIM made concerning different data breaches that occurred, which have highlighted inconsistencies in the systems, both of TIM and its providers (namely, call centers), that process personal data of customers such as to cause, for instance, an inaccurate use of customers contact details. The Garante had to assess whether TIM lawfully processed prospects’ personal data in its commercial campaigns, namely by applying a legal basis (e.g. consent) to such processing, and ensuring that its providers process personal data accordingly. The Authority also had to determine whether the process of customers and prospects’ personal data complied with data subjects’ requests which object to processing. In this regard, the Authority also analyzed the validity of consent collected for promotional purposes and the related information provided in different forms submitted by the company, including in customers programs and apps. The Garante had to evaluate the compliance of the storage and use for promotional purposes of data relating to customers of others operators, to whom TIM provided network and infrastructure services. Finally, the Authority investigated the management of data breaches by the company namely in relation to customers data processing for promotional purposes, with regard to both the timeliness of the notification and the measures taken to reduce the risks to the rights and freedoms of data subjects