This article is written in collaboration with Elena Mandarà (associate, Portolano Cavallo) and Alberto Camera (stagiaire, Portolano Cavallo)

On December 12, 2024, the Italian Data Protection Authority (Garante per la protezione dei dati personali, "Garante") issued a decision1 against Wind Tre S.p.A. ("Wind Tre"), highlighting significant concerns regarding the processing of personal data for advertising and telemarketing purposes. This decision underscores the crucial importance of the burden of proof regarding the validity of consent, which has become a focal point in data protection practices.

The decision against Wind Tre resulted from several proceedings based on investigations carried out between 2023 and 2024, initiated ex officio by the Garante, as well as complaints from data subjects.

Specifically, the Garante found that:

Wind Tre did not adequately assess whether third-party contact list providers had lawfully collected data subjects' consent. Specifically, investigations revealed that Wind Tre relied on "cold" lists, i.e., contact lists obtained by third parties referring to data subjects who never directly interacted with Wind Tre. Wind Tre was unable to provide sufficient evidence that these contacts had knowingly consented to the processing of their personal data for marketing purposes. The timestamp system used to substantiate the valid collection of data subjects' consent did not distinguish between the time of user registration on the website/platform and the moment when consent was provided. Therefore, the Garante concluded that it was not possible to verify that consent was valid at the time of a marketing contact;

In some cases, consents were "renewed" without a clear and valid indication of the moment when consent was obtained;

the Garante found out that Wind Tre's technical systems allowed unauthorized access to customer data (e.g., a customer complained that he had been able to see another customer's personal data due to inadequate control measures). Wind Tre failed to report data breaches, violating Article 33 of the GDPR.

As a result of the proceedings, the Garante imposed an administrative fine of €347,520 on Wind Tre. However, it did not impose further corrective measures, as Wind Tre had already implemented several measures during the proceeding, such as:

Stopping the use of cold lists in favor of lead-qualified contacts generated from direct interactions;

Implementing systems that generate detailed and separate timestamps for registration, consent provision, and any subsequent changes or revocations;

Strengthening security protocols.

Footnote

1 Decision No. 774/2024 of the Italian Data Protection Authority.

