an unnamed data subject – €500,000 Fine (Italy, 2022)

An 85-year-old woman (the data subject) received a call from an Albanian call centre, working for Italian telecom provider Vodafone (the data controller) and allegedly concluded a contract with Vodafone over the phone. During the call, the telemarketer provided the data subject with information about the processing of her personal data. The operator collected a generic consent for the two distinct purposes of performing the contract and forwarding promotional information. All information regarding the contract was delivered at a speed of 200 words per minute, including the information on the processing of the subject's personal data. The data subject's son later contacted the controller and protested that she never concluded a contract. The controller cancelled the contract and refunded all expenses. Three months later, the son of the data subject filed a complaint with the Italian DPA, claiming that the contract was concluded in violation of the GDPR. During the investigation, the data controller claimed that the data subject herself previously contacted the call centre to conclude the contract. However, the controller failed to provide conclusive proof of the data subject's first call. The DPA dismissed the controller's version as highly unlikely and noted that the burden of proof of consent lies on the data controller according to the accountability principle laid down in Article 5(2) GDPR. For this reason, the DPA concluded that the call centre first contacted the data subject. The DPA held that the controller processed her personal data for direct marketing purposes with no legal basis and without providing any information on the processing, in violation of Articles 5(1), 6, 7, 12(1) and 13 GDPR. The DPA also held that the data controller failed to collect specific consent for processing personal data for promotion purposes, in violation of Article 4(11) that requires that such consent is distinct from the other matters like the contract. Therefore, the DPA h