Search Privacy Fines

A huge fine of €27,8 million was issued to the Italian telecom company TIM. The Italian Data Protection Authority (Garante) revealed that TIM was fined due to numerous unlawful data processing activities related to marketing and advertising, which included unsolicited promotional calls and prize competitions in which data subjects were entered without consent.One of the reasons for the large fine was the fact that the unlawful data processing activities involved several million individuals. One individual, for example, was called a total of 155 times in a month while TIM refused to add the affected individual on a no-call list even after several requests. The DPA determined that the company lacked control over the call centers and did not have adequate measures to add people to no-call lists.TIM also did not provide accurate and detailed enough privacy policies and data processing policies, and as such consumers were not efficiently informed about the data collected and processed. The company’s management of data breaches was also not efficient according to Garante.Besides the fine, Garante also imposed 20 corrective measures according to Art. 58(2) GDPR which prohibits TIM from processing marketing-related data of those individuals who have refused to receive promotional calls, individuals who asked to be blacklisted and individuals who are not clients of TIM.The company was also forbidden from using customer data collected from the “My Tim”, “Tim Personal” and “Tim Smart Kid” apps.

Articles: Art. 58(2) GDPR

Articles: Art. 58(2) GDPR

Articles: Art. 5 (1) a), d) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 21 GDPR, Art. 24 GDPR, Art. 25 (1) GDPR, Art. 30 GDPR, Art. 31 GDPR, Art. 130 (1), (2), (4) Codice della privacy

Articles: Art. 5 (1) a), b), e) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 27 GDPR

Facial recognition company unlawfully processed biometric data of people in Italy.

Articles: Art. 5, Art. 6, Art. 9, Art. 14, Art. 27

Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR. Art. 24 GDPR, Art. 25 GDPR

Articles: Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 7 GDPR, Art. 15 (1) GDPR, Art. 16 GDPR, Art. 21 GDPR, Art. 24 GDPR, Art. 25 (1) GDPR, Art. 32 GDPR, Art. 33 GDPR

The Italian Data Protection Authority (Garante) imposed two fines of €11,5 million total on Eni Gas and Luce because of the unlawful processing of personal data during an advertising campaign as well as for the activation of unsolicited contracts. This first fine of €8,5 million was issued for the unlawful processing of personal data in the context of a marketing campaign. The company made promotional calls without the consent of the contacted people and refused to acknowledge people’s wishes to be added onto a “do not contact” list. The company also did not provide an opt-out procedure for these unsolicited calls. The DPA also determined that the company lacked sufficient technical and organizational measures to protect users’ personal data. Data was also processed longer than the allowed retention period. According to the DPA, some data was also collected from third party entities that did not have consent from the data subjects to disclose that data.

Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR, Art. 21 GDPR

Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR, Art. 21 GDPR

AI chatbot GDPR violations.

Articles: Art. 5, Art. 6

AI chatbot GDPR violations.

Articles: Art. 5, Art. 6

Articles: Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 (1), (2), (3) GDPR, Art. 21 (2) GDPR, Art. 24 (1), (2) GDPR, Art. 25 (1) GDPR

Articles: Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 7 GDPR, Art. 12 (2) GDPR, Art. 14 GDPR, Art. 21 GDPR, Art. 28 GDPR, Art. 29 GDPR

Articles: Art. 5 GDPR, Art. 6 GDPR

The Italian Data Protection Authority (Garante) imposed two fines of €11,5 million total on Eni Gas and Luce because of the unlawful processing of personal data during an advertising campaign as well as for the activation of unsolicited contracts. This second fine of €3 million was issued for the opening of unsolicited contracts for the provision of electricity and gas. A large number of individuals have reported that they have only learned of the new contracts after they received a termination letter from their old provider. Some complaints even reported false data as well as forged signatures.

Articles: Art. 5 GDPR, Art. 6 GDPR

Articles: Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 7 (1) GDPR

Articles: Art. 5 (1) a), c), e) GDPR, Art. 13 GDPR, Art. 22 (3) GDPR, Art. 25 GDPR, Art. 30 (1) a), b), c), f), g) GDPR, Art. 32 GDPR, Art. 35 GDPR, Art. 37 (7) GDPR

Articles: Art. 5 (1) a), c), e) GDPR, Art. 13 GDPR, Art. 22 (3) GDPR, Art. 25 GDPR, Art. 30 (1) c), f), g) GDPR, Art. 32 GDPR, Art. 35 GDPR, Art. 37 (7) GDPR

Articles: Art. 5 (1) a), e), f) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 (1) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 27 (4) GDPR, Art. 28 GDPR, Art. 32 GDPR, Art. 35 GDPR

Articles: Art. 5 (1) b), e) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 (1) GDPR, Art. 13 (2) a) GDPR, Art. 24 GDPR, Art. 25 (1) GDPR

Articles: Art. 5 (1) d), e) GDPR, Art. 5 (2) GDPR, Art. 12 GDPR, Art. 15 GDPR, Art. 24 GDPR

Articles: Art. 5 GDPR, Art. 25 GDPR

Articles: Art. 5 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 28 GDPR, Art. 32 GDPR

Articles: Art. 5 (1) a) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 28 (2), (3) GDPR, Art. 32 GDPR

Articles: Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 (1) GDPR, Art. 13 GDPR, Art. 130 (1), (2), (3) Codice della privacy