Vodafone Italy has received a €12.25 million GDPR financial penalty from the Italian Data Protection Authority for its telemarketing practices, which were deemed to be aggressive and involved calls made without first obtaining consent. The mobile phone carrier had conducted a telemarketing campaign promoting its mobile phone and internet services, which the Italian DPA Garante investigated after receiving hundreds of complaints from its customers and other data subjects about unsolicited phone calls.
Garante took issue with the methods used by Vodafone to manage customer information and its use of contact lists that had been purchased from third parties for use in its telemarketing campaign. In many cases, individuals on the list had not given their consent to be contacted by telephone. Contacting those individuals when consent could not be proven was in violation of the General Data Protection Regulation.
Vodafone argued that contact was made with those individuals as a result of human error; however, that response was not acceptable to Garante, especially considering the scale of the campaign. Almost 4.5 million customers were found to have been impacted, including virtually all of the company’s customer base in Italy.
When determining an appropriate financial penalty, Garante considered that Vodafone continued the misconduct that resulted in the complaint after it was aware that it was under investigation, as well as the significantly negligent nature of its telemarketing campaign. However, Garante did take into consideration Vodafone’s willingness to cooperate in the investigation and the measures the company has adopted to improve audit procedures and security, which saw the fine reduced.
In addition to paying the financial penalty, Vodafone is required to overhaul its telemarketing controls and adopt new security measures to reduce the risk of unauthorized access to its customer databases and to ensure that customer data is only used and processed for the purposes for which the personal data was collected. Vodafone has also been prohibited from acquiring and processing third-party data for commercial or promotional purposes, unless it first obtains free, specific, and informed consent from the data subjects concerned.
Vodafone is certainly no stranger to GDPR fines. While this is the first time that Vodafone Italy has been fined, the company’s Spanish arm has received 29 GDPR fines and two have been imposed on the company in Romania.