The company processed the personal data concerning millions of individuals, without any legitimacy when carrying out a marketing campaign. (art.6.1.a) GDPR).

The Italian DPA was satisfied that in the course of the 650  marketing campaings 50 million numbers were called.

During the relevant period there was no contract in place between TIM and the related companies such as the call centres, which laid down  the binding rules and control mechanisms when processing the personal data during the course of a marketing campaign.

The company called millions of people who had previously, and in several occasions, expressed their wish to not receive any type of commercial callings, and the willingness to exercise their right of opposition. Furthermore, they contact millions of people who were registered in the Italian public opposition register.

All the abovementioned, puts forward a systematic fail when responding to the rights of company clients and third interested parties. The data subjects rights were dismissed by default. Moreover, some interested that had previously exercise their right of opposition to the enterprise received 155 calls in one month. In this state of affairs, TIM contacted without any legitimate basis around 200.000 people which were not registered in their contact list.

Security breaches

During the investigation period, TIM stated that they had been subjected to several data breaches. Those statements and the following investigations brought light into the fact that, indeed, there was no aligement between the different systems in charged of the personal data processing. There was also a misalignment among the opt-out TIM lists and the other lists of their partners. Misalignment which develop into the incorrect attribution of telephone numbers to clients, or the incorrect association between the holders and the contact details used by the company.

Storage period.

The company storage for an undue period the personal data of third party clients, whit whom they have no other relation than provide network and infrastructural service. The storage period went far beyond of the limited period settled by law (10 years) or even the period settled down by the privacy policy of the company (5 years).

Unlawful consent.

The actual consent given by the interested parties when downloading or signing up the different social company apps or networks was unlawful due to the fact it was not given in a free way. Furthermore, the interested parties were not provided with all the relevant information.

With out considering the aforementioned, the information given in the privacy and data protection policies was unambiguous and lazy. They policy did not inform about the data gathering and the purposes of the gathering. Being so the consent, at any time, a unlawful one.

Moreover, the company try to encompass within one consent many different purposes.

Aggravation conducts:

  • Existence of numerous previous warnings and sanctions.
  • Large number of people affected.
  • The seriousness of the behaviour.
  • The economic benefits obtained by the company as a result of the offending conduct.
  • Difficulty of the parties to stop unwanted telemarketing.
  • Failure to respect the fundamental principles of data protection.
  • Serious organisational shortcomings in the design of the programmes, lack of integrity and security of the programmes.
  • Duration of violations.
  • Malicious nature of the violations.
  • The clear contrast between their actions and the applicable regulatory framework.
  • Ample time gr
  • he legislator to the phenomenon of telemarketing.
  • The current persistence of numerous complaints
  • anted to operators in the sector to allow them to adapt to the legislation.
  • The constant attention paid by the legislator to the phenomenon of telemarketing.
  • The current persistence of numerous complaints

Leave a Reply

Your email address will not be published. Required fields are marked *

The company processes your data to facilitate the publication and management of comments. You can exercise your rights of access, rectification, deletion and opposition, among others, according to our Privacy policy.