The Italian Data Protection Authority (“Garante”) on April 2 announced a fine of €4.5 million (U.S. $5.3 million) against telecommunications company Fastweb for misusing customer data for telemarketing purposes.

The fine is Italy’s fifth-largest handed down under the EU’s General Data Protection Regulation (GDPR). Three others in that group have targeted telecommunications companies for similar violations of the 2018 legislation.

In a translated press release, Garante noted an investigation into Fastweb was launched following hundreds of complaints from users regarding unwanted promotional calls received without their consent. The calls appeared to originate from unregistered numbers, and in some cases, customers also complained of receiving calls not meant for them. The scope of the problem was viewed as affecting Fastweb’s entire customer base.

“The security measures of the customer management systems were … inadequate,” Garante said. The regulator further criticized the maintenance of contact lists provided to Fastweb by external partners that did not acquire user consent to share such data.

Fastweb was viewed as a repeat offender in Garante’s judgment after being sanctioned under laws other than the GDPR in 2012 and 2018 for similar telemarketing violations. Another aggravating factor listed is the continued presence of the vulnerabilities in the customer database.

Garante has ordered Fastweb to strengthen security measures to prevent unauthorized access to its databases, overhaul its telemarketing practices to include enrolled customers only, and discontinue use of data obtained by third parties that did not first gain user consent.

Mitigating factors in the case included Fastweb’s cooperation in the investigation, stated intention to further improve its control systems, and participation in roundtables focused on combating the phenomenon of aggressive telemarketing.