Sigma s.r.l. – €150,000 Fine (Italy, 2024)

The Italian Financial Police (Guardia di Finanza) sent a notice to the DPA regarding possible existence of administrative violations related to Sigma s.r.l., a company which operates two Vodafone Italia S.p.A. sale points in northern Italy (‘Sigma or ‘controller’). The Financial Police carried out an investigation following a complaint by a customer of Vodafone who claimed that Sigma charged them on their credit card relating to an activation of a new contract for telephone services. The contract was concluded in the name of her deceased husband. The investigation revealed that Sigma activated approximately 1,300 SIM cards, numerous telephone services under Vodafone brand and linked telephones to active users without their knowledge while they were made available for sale at the shop. Specifically, the company activated unsolicited services by inducing customers to sign, via a tablet, without clarifying the consequences of such consents. The company sold mobile phones without any request made by the customers that learned of the purchase by finding additional charges on their invoice. These services or devices were never delivered to the customers. Additionally, it emerged that Sigma used data of hundreds of users extracted from the Vodafone information systems. Vodafone clarified that its relationship with Sigma is governed by a franchising contract according to which Sigma is a dealer acting as an autonomous controller of personal data related to SIM card and telephone service activations. Employees of Sigma were authorized to identify all customers and make a copy of their IDs in case of activation of a new product. Additionally, the data entry and activation of services was carried out by the employees through a computer connected to the Vodafone systems. Consequently, circumventing the telephone operator’s controls and relevant processing provision amounted to a turnover of more than €80,000. It emerged that Sigma planned its activities precisely with the i