Italian telecom operator facing fines for failure to abide by the GDPR

Italian telecom operator facing fines for failure to abide by the GDPR (1)

Since its inception, the strict General Data Protection Regulation (2016/679) known as GDPR has made a significant impact on data protection. European countries – the United Kingdom for example – have taken the data protection issue very seriously and they came up with their own national version of the law. The GDPR entered into force in Italy on May 25, 2018. On the other hand, the Italian Data Protection Code – “IDPC was amended in the same year. However, two years later, Italian Telecom operators are still facing failure to abide by the International law.

According to the GDRP Enforcement Tracker, on July 13, 2020, the Italian Data Protection Authority (Garante) issued € 16,700,000 ($18.6 million) fines against the Italian Telecommunication operator Wind Tre S.p.A for violating the EU General Data Protection Regulation (GDRP). The telecom operator violated articles 5-6-12-24 and 25 of the GDPR.

The Italian Data Protection Authority (IDPA) published a statement on July 13, saying that unlawful data processing that was mostly related to marketing were behind the fines. In fact, the IDPA has received complaints from users for unsolicited marketing communications via texting, emails, faxes, and automated phone calls.

On the same date, the authority had issued an € 800,000 fine against another phone operator Iliad Italia S.p.A. for violating Articles 5 and 25 of the GDPR. Fines concerned the processing of customer data for the activation of SIM cards and the manner in which payment data was recorded.

Violating GDPR in Italy is not happening for the first time. In January 2020, IDPA issued a €27.8 million ($31 million) fine against Italian telecommunications operator TIM. According to Data Privacy Manager, the Italian Data Protection Authority (Garante) has received hundreds of complaints against aggressive promotional calls without proper consent. The investigation found out that some numbers were contacted up to 155 times per month.

The GDPR has two-tiers of fines. Any failure in having proper database security measures in place, or non-implementation of a Data Protection Impact Assessment (DPIA) goes under tier 1 of the fines, according to Penta Security. On the other hand, tier 2 of the fines are related to data collection and usage. 

Italian Telecommunications operators have to work in compliance with the GDPR to gain the trust of their customers. Unlawful actions might cause a decrease in the Italian Telecom sector revenues.