The Italian telecom operator TIM has been fined €27 800 000 by the Italian DPA for breaches of the GDPR.

Numerous and serious violations of the GDPR have emerged from the complex preliminary investigation, that was carried out with the contribution of the Special Protection and Privacy Fraud Unit of the Guardia di Finanza.

Tim has shown that they do not have sufficient knowledge of the fundamental aspects of personal data processing.

Tim had ordered millions of promotional calls, made in six months to “non customers”, the call center companies commissioned by Tim have, in many cases, contacted the interested parties without their consent. One person was called 155 times in a month. 

In about two hundred thousand cases, “off-list” numbers were contacted, that is, not at all present in Tim’s lists of contactable people. Other illegal behaviors were then detected, such as the absence of control by the company on the work of some call centers; incorrect management and failure to update the black lists where people who do not want to receive advertising are registered; the compulsory acquisition of consent for promotional purposes in order to join the “Tim Party” program with its discounts and prizes.

Furthermore, in the management of some apps intended for customers, incorrect and non-transparent information on the processing of data was provided and invalid consent acquisition methods were adopted, paper forms were used with a request for a single consent for various purposes, including marketing.

It is surprising to see such ignorance from a company that are largely dependent on the processing of personal data, especially since it is almost two years after the GDPR entered into effect.

It will be interesting to follow the internal proceedings of TIM, since top management should have corrected these issues a long time ago.