Vodafone Italy S.p.A – €12,250,601 Fine (Italy, 2020)

The Garante per la Protezione dei Dati Personali, Italy’s DPA, led an investigation into Vodafone Italy S.p.A following various complaints by Vodafone users and non-users, which highlighted multiple issues on the phone company’s practices. The first group of claimants complained about constant unwanted promotional phone calls and SMS from Vodafone, with one example being a person claiming that they have been receiving at least 4/5 messages a month by Vodafone since 2018, even after he communicated to the company that he no longer wanted to receive such messages. Vodafone blamed this last mishap on a “system error” that failed to register the client’s request to stop the promotional messages. The second set of complaints concerned the way that the company stored their client’s data. More specifically, costumers complained about being approached by Vodafone operators, usually after reporting issues with their internet service. However, it turned out that those were call-centres that worked for other phone companies or third party callers that used Vodafone’s logo in their WhatsApp profile. These unauthorized individuals would often ask about the issues the users reported, point out that Vodafone would increase their costumer service fees and offer to subscribe the user to a different phone provider. Other times, they would just request for the user’s IDs, possibly for fraudulent or phishing purposes. Vodafone claimed to have been aware of these practices in the past, confirmed that those were indeed unauthorized parties under false pretences, and explained that they were trying to improve security on their databases by applying 2 Factor Authentication. Lastly, several users complained that Vodafone was not responding appropriately to their requests in exercise of their rights under Articles 15-22 GDPR. For example, one user complained that Vodafone had not replied at all to a request sent to them via email. Another one explained that Vodafone did reply, but did