On November 12, 2020, Vodafone, the multinational telecommunications company, was fined €12.25 million by Garante, Italy's data protection authority. The fine is the third largest ordered by the regulator. Garante's investigation was prompted by hundreds of complaints of unwanted telephone calls by Vodafone promoting its services. The investigation unveiled an information storage system that had up to 4.5 million contact lists purchased from external providers without user consent. The violations were found to have affected Vodafone's entire Italian customer base.

In response, Vodafone justified the unwanted communication on "human error." Galante, however, did not accept that excuse, reasoning that other aggravating factors, such as significant neglect and reoccurring calls, were present. In addition to the fine, Galante ordered Vodafone to overhaul its telemarketing controls, adapt security measures for access to its databases, and is prohibited from further processing personal data acquired from third parties for promotional or commercial purposes.

Vodafone is no stranger to these types of fines. In February 2020, Spain's data protection authority fined Vodafone €302,000 for various GDPR violations, including improper processing of personal data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.