D.A.A.A. (Complainant) v. Wind Tre SpA

€ 16,729,600 in fines

Excerpt

Wind Tre was fined by the Garante for not allowing customers to withdraw consent or object to marketing data processing, lacking transparency in data information, using a single button for multiple consents, using small prints, bundled consents, and conducting unlawful data collection and unauthorised marketing.

Our analysis

Wind Tre, an Italian telecommunications company, has been found to have violated several articles of the GDPR and Italian Privacy Code by the Italian DPA (Garante) following complaints from both Wind Tre and non-Wind Tre users. The complaints related to unsolicited marketing communications made without their consent through texting, emails, faxes, and automated phone calls. This is an example of the deceptive pattern of hidden information, where Wind Tre did not provide clear information to data subjects regarding their communications channels and methods. Many complainants noted that they were unable to withdraw their consent or object to the processing of their data for marketing purposes, partly due to inaccurate contact information in Wind Tre's privacy policies. This is an example of the hard to cancel pattern, where Wind Tre made it difficult for data subjects to withdraw their consent, as their contact information was not accurate. The Garante's investigation revealed that Wind Tre's operating methods incentivized sellers to collect "as much consent as possible" from data subjects while impairing their ability to object to processing of data for promotional purposes. This is an example of the deceptive pattern of forced action, where Wind Tre pressured data subjects to give their consent to the processing of their personal data for commercial purposes. 
Deceptive patterns such as hidden information, hard to cancel, bundling of consents, and forced action were also used by the company to gain consents from data subjects. The presence of a single button in the management system to facilitate the tick of all consent boxes and small prints used to inform about consent collection were considered further negative elements by the DPA, indicating bundling of consents. Wind Tre's practices for the identification of data subjects were also found to be in violation of GDPR regulations. The company stated that it did not act on data subjects’ requests to withdraw consent if these did not come with a copy of an ID. This is an example of the deceptive pattern of hidden information, where Wind Tre did not provide clear information to data subjects regarding the information required to withdraw their consent. Overall, Wind Tre's deceptive patterns violated various GDPR articles, including Articles 5(1), 5(2), 6(1)(a), 7, 12(1), 12(2), 24, and 25.

Outcome

Wind Tre was found to have violated several articles of the GDPR, including Articles 5(1), 5(2), 6(1)(a), 7, 12(1), 12(2), 24 and 25, by the Garante. As a result, Wind Tre was fined 16,729,600 EUR, prohibited from any further processing and was ordered to align their processing practices with the requirements of the GDPR.

Parties

D.A.A.A. (Complainant) and Wind Tre SpA

Case number

9435753

Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us