Wind Tre SpA – €16,729,600 Fine (Italy, 2020)

The Italian DPA (Garante) received complaints from Wind Tre and non-Wind Tre users about unsolicited marketing communications made without their consent via texting, emails, faxes, and automated phone calls. In several complaints, the complainants noted that they were unable to withdraw their consent or object to the processing of their data for marketing purposes, in part due to inaccurate contact information in Wind Tre's privacy policies. Other complainants' personal data had been included in public phone directories despite objections being made by those complainants. The investigation by the Garante also found that the MyWind and My3 apps had been "configured in such a way as to require the user to consent, on each access, to processing for various purposes including marketing, profiling, communication of data to third parties, data enrichment and geolocation; withdrawal of such consent was allowed after 24 hours." The investigation also uncovered a number of infringements affecting Wind Tre's business partners, including a fine of eur 200,000 against a business partner who had subcontracted without a legal instrument whole sets of processing activities to call centres, who collected data on behalf of the business partner. An interesting finding of the DPA’s investigation concerned practices for the identification of data subjects. In many cases, the company stated that it did not act on data subjects’ requests to withdraw consent if these did not come with a copy of an ID. The Garante clarified that while indeed Article 12(6) GDPR allows controllers to request further information, this is possible “only if they have reasonable doubts about the identity of the person making the request”. Moreover, Recital 64 GDPR require the measures adopted to identify data subjects to be “reasonable”. This aims, according to the Garante, at discouraging “excessive requests aimed at discouraging the exercise of rights, but also to avoid the collection and retention of unneces