Italian ISPs Bashed With Multi-Million Fines Due to GDPR Violations

Last updated June 28, 2021
Written by:
Bill Toulas
Cybersecurity Journalist

The Italian data protection authority (Garante per la Protezione dei Dati Personali) has stunned three telcos in the country with injunction orders and multi-million fines for various GDPR violations. The agency carried out investigations that were launched in 2019, after receiving numerous reports and complaints about the data collection methods followed by ‘Iliad Italia SpA,’ ‘Wind Tre SpA,’ and ‘Merlini SRL.’

Merlini isn’t an ISP but a promoter of services that was contracted by Wind to call people and try to convert them into clients. The Italian investigators have confirmed the violations below.

Wind violated articles 5, 6, 12, 24, and 25 of the GDPR (General Data Protection Regulation), engaging in unlawful data processing activities for marketing purposes. The company was confirmed to have sent a large number of emails, telephone calls, or SMSs to people who had never given their consent for this. Some even objected to this annoying communication and specifically asked to be excluded, but Wind ignored these requests and proceeded to publish their contact details on public lists.

Finally, any apps created by Wind for marketing purposes only gave an option to withdraw consent after 24 hours of use. For all these reasons, “Garante” has imposed a €16,729,600 fine (about $19.1 million) on Wind.

Next is Merlini, the Milan-based marketing firm and close collaborator of Wind. Garante has found that the firm violated articles 5, 6, 7, 28, and 29 of the GDPR. Operating on behalf of Wind, Merlini launched communications to people who had never given their consent for third parties to use their contact information for marketing purposes.

Besides, Merlini held that data locally without having the right to do so. Thus, Garante has decided to impose a fine of €200,000 ($228,000) on Merlini.

Finally, there is the investigation against ‘Iliad Italia,’ which violated articles 5 and 25 of the GDPR. The ISP processed customer data for the activation of SIM cards in a manner that resulted in the recording of this data without the acquisition of consent. By doing so discreetly, the company has also violated principles of lawfulness, fairness, transparency, and integrity, storing that data for direct marketing purposes.

For these violations, Iliad is now called to pay €800,000 ($912,300), which is 4% of 20 million euros considering Iliad’s yearly turnover.
