Fastweb S.p.A. – €1,000,000 Fine (Italy, 2024)

The DPA received several complaints and informal reports about unsolicited phone calls made by Fastweb, a telecommunication provider, to data subjects. Moreover, an investigation carried out by the DPA showed that 7,75% of the phone calls were made to data subjects who had signed up for the Italian opt-out registry (Registro Pubblico delle Opposizioni – RPO). The RPO is an Italian registry extended to all national phone numbers, which allows citizens to opt-out of unwanted telemarketing calls. According to [https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:legge:2018-01-11;5~art1 Article 1(5) of Law 5/2018], when a data subject signs up for the RPO, this has the effect of revoking their previous consent given for marketing purposes. However, pursuant to the same article, consent is deemed valid if it was given in the context of a contract which is still in place. The controller classified its phone calls in 3 categories: * “inbound” calls, made by the data subject to the controller’s customer service; * “websales” calls, made by the controller to the data subject after acquiring their specific consent through a comparison website or after the data subject entered their phone number because they wanted to be called back. In the case the data subject had signed up to the RPO, this consent would however be valid since it was given after the registration pursuant to to [https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:legge:2018-01-11;5~art1 Article 1(6) of Law 5/2018]; * “outbound” calls, made by the controller (or its processor) to the data subject. As for this type, the controller pointed out that if the call is directed to a non-client, it always relies on consent acquired in a legitimate way. On the other hand, if it is directed to a client, the legal basis is the legitimate interest to propose better offers to the data subject. Finally, data subjects complained about the fact that they were provided with a form that had pre-ticked consent boxes as for the r