Keywords: Italian Data Protection Authority - TIM - data breach - fines
The Italian DPA has imposed on TIM S.p.a. an administrative fine of 27.802,946 euros for numerous instances of unlawful processing of personal data relating to marketing activities. Between January 2017 and the first months of 2019, there were hundreds of user reports of unwanted promotional calls made without the users' consent, or despite the telephone lines being entered in the Public Register of Oppositions, or despite the users having told TIM that they did not wish to receive promotional calls (which entails inclusion in TIM's blacklist). Irregularities in data processing were also reported in the context of the "TIM Party" rewards and discounts offer, and in the forms the company submitted to users. In addition, incorrect and non-transparent information on data processing was provided in the management of some apps, and unlawful methods of acquiring consent were adopted. Furthermore, TIM has not sufficiently applied the principles of the GDPR, first of all the principle of accountability. Data breach management was also not efficient, and the application of the privacy by design principle was inadequate.
In addition to the administrative fine, the Italian DPA has imposed on TIM twenty corrective measures, including a prohibition on using personal data for marketing purposes without the user's consent, or where the user is included in the Public Register of Oppositions or in TIM's blacklists. Among other things, these blacklists must be verified and updated so that they also include any lists formed by the call centers. The company will then have to review the "TIM Party" program by deleting the mandatory consent to marketing activities.
TIM will also have to check the procedure for activating all the apps, always specifying in clear and understandable language the data processing carried out, indicating the purposes and methods of the processing, and acquiring valid consent. TIM will also have to implement the technical and organizational measures relating to the management of requests to exercise the rights of data subjects. As for the timing of the implementation of the Italian DPA's provisions, the administrative fine must be paid within thirty days, while the other required measures must be introduced and communicated to the Authority within the established time limits.
Source: Italian Data Protection Authority. Link: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9256409
» View: document (Italian DPA provision 15 January 2020 n.7)