Toward GDPR Compliance: The Consequences Of a Data Breach. The Vodafone Case

Toward GDPR Compliance: The Consequences Of a Data Breach. The Vodafone Case

As we have already said, on 25th May 2018 the GDPR, the new European regulation for the protection of personal data of European citizens, will effectively  go into effect (unless unlikely to be extended). Many companies and professionals are starting to feel the pressure of the imminent date, but will it really be a huge revolution? Somehow yes, firstly from a conceptual and cultural point of view. Of course, there are also operational adjustments that are neither immediate nor always easy to understand. But it would be a mistake to believe that May 25th coincides with Armageddon for those who process and manage personal data. To prove it, here is a case history that shows how the Guarantor has sanctioned an important mobile phone operator even before the GDPR.

The sanctions before the GDPR: what happened to Vodafone

It happens to each of us every day, several times a day: we receive calls from call centers that have the aim to propose promotions or, more often, to try to convince us to switch from a phone operator or from an electricity supplier to another one. Nothing new for anyone with a mobile phone or landline. Pretty much everyone, nowadays.

Call center representatives do their job, this is for sure. But it is sure too that sometimes this type of call can be annoying, perhaps because they interrupt us in the middle of the work or because we are not interested in another change operator offer.

Generally, we fix the issue hanging up the phone, puffing and so on, we resume our work committed that any report to those who are duty is perfectly useless.
That’s wrong! Approximately a month ago, in fact, our privacy consultants Pier Giorgio Bollati and Debora Pagano of Deeperformance, astonished, received the newsletter of the Privacy Guarantor in regards to the measure against Vodafone following the inquiry conducted by the Guarantor. More or less at the same time, the news of a sanction against the phone company for “wild telemarketing” spread in the newspapers.

Vodafone case, what is the violation?

After a lot of reports sent to the Guarantor by citizens who complained of constant unsolicited commercial offers from the phone company and its business partners, inquiries began. Surveys lasted approximately 18 months, in which the authorities found the sending of 22 million text messages and the track of 2 million calls without a valid consent to the processing of personal data by the users. Calls and text messages also involved those who had unequivocally asked to “never to be called again“: these subjects were included in a list of “suspended” contacts but were never completely deleted from the company database.

The irregularities detected by the Guarantor regarding the processing and management of personal data and the acquisition of approvals are different and therefore it looks like that the controls are not ended but will keep moving to commercial headquarters.

It is not over. In addition to what has already been explained, the authorities also notified to Vodafone a part of the information provided to customers in regards to the phone refills. In fact, in the report, the sending of newsletters was inserted among the different purposes without the customer could express clearly an approval to the reception.

Ultimately, this way of operating was declared illegal by the Guarantor who underlined how the phone company did not consider the real will of customers.

Vodafone was therefore ordered to immediately end the existing activities. Not just that: among the requirements, the most interesting one is about “the implementation of appropriate technical and organizational measures“, an expression that ratifies the final transition from the “minimum measures” of the Privacy Code (Attached B) to the measures provided for by the European Regulation, the GDPR.

From its point of view, Vodafone said that “following the concerning the pipelines carried out during January 2016-June 2017, the company has already implemented, starting from the summer of 2017, measures for avoiding unwanted contacts with customers. Vodafone, currently engaged in a complex program of adjustment to European Regulation (GDPR), means to guarantee full compliance with the instructions on the processing of personal data “. Not necessarily this is enough for the Guarantor Authority, who could decide to impose a penalty, as happened in the past for Tim.

GDPR effect? Of course, we can not be sure, but as what happened must surely let us think about the future checks that the Guarantor will make, especially from 25th May.


Pier Giorgio Bollati e Debora Pagano – Privacy Consultants  Deeperformance