The Italian arm of multinational telecommunications company Vodafone is facing a fine of more than €12.25 million (U.S. $14.5 million) under the General Data Protection Regulation (GDPR) for aggressive telemarketing practices.

The fine, ordered Nov. 12, is the third-largest handed down by the Italian Data Protection Authority (“Garante”) this year and addresses multiple alleged violations of the EU’s landmark privacy legislation. The penalty is the first Vodafone has faced in Italy but far from the first the company has had levied against it under the GDPR.

Garante’s investigation was triggered by “hundreds” of complaints about unwanted telephone calls made by Vodafone and its sales network to promote telephone and internet services. The probe discovered multiple flaws in the way Vodafone stored customer information and in the way the company handled contact lists purchased from external providers. The details procured from those contact lists were often obtained without user consent, a violation affecting nearly 4.5 million customers, Garante found.

Regarding the unwanted communication, Vodafone primarily cited “human error” as the reason for the excessive telemarketing calls, which Garante did not deem suitable for eliminating the responsibility of the company. The violations in this area were assessed as affecting Vodafone Italy’s entire customer base.

Other aggravating factors in the fine determination include the “significantly negligent nature” and recurrence of the misconduct, which is still said to be taking place. As such, Garante ordered Vodafone to overhaul its telemarketing controls and adapt security measures for access to its databases “in order to eliminate or in any case significantly reduce the risk of unauthorized access and processing that does not comply with the purposes of the collection.”

Further, Vodafone is prohibited from any further processing of personal data acquired from third parties for promotional and commercial purposes without acquiring “free, specific and informed consent” from the affected parties. The company has been ordered to communicate its progress with the requests to Garante.

Vodafone received leniency on the financial penalty for cooperation and the measures it has already adopted to improve audit procedures and security measures. The maximum fine in the case could have been north of €245 million (U.S. $290 million) had Garante pursued 4 percent of annual turnover as is allowed under the GDPR.

Vodafone has been a frequent GDPR offender in Spain, where Vodafone España alone has been on the receiving end of 29 fines, according to the GDPR Enforcement Tracker. Only one of those penalties has surpassed €100,000. The company has also been fined twice this year by Romania’s data protection authority.

Vodafone did not reply to a request to comment.