Garante Fines Home Protection, Services Management Companies for GDPR Breaches
Italian DPA Garante fined Verisure Italy and Aimaq hundreds of thousands of euros for serious data protection violations, it said Thursday.
Verisure's fine of 400,000 euros ($469,000) arose from unlawful processing of personal data for marketing purposes, Garante said. A former customer complained of continuing to get unwanted promotional text messages after objecting to the processing of their data, and another potential customer reported that after requesting a quote, they began receiving advertising phone calls, email and text messages, the DPA said.
Garante found "numerous and serious violations," including delayed action on requests to object to processing and incorrect consent collection from potential customers for direct marketing purposes, according to a translation. Verisure then combined that consent with the request for a quote from a potential customer, thereby considering the "mere fact of providing your phone number to obtain a personalized quote" as a "behavior comparable to consent to receiving advertising phone calls."
On top of that, Garante said, the company retained potential customers' data for teleselling for an "excessive" 12 months.
The DPA also ordered Verisure to stop processing illegally acquired personal data, cancel any information collected without valid consent, and report within 60 days on its compliance measures. It said it took note of initiatives the company launched during the investigation.
Aimaq, a company that manages services in the energy, water, environmental and district heating sectors, was hit with a 300,000 euro ($352,000) fine for processing customers' personal data without adequate security measures and an appropriate legal basis for telemarketing, Garante said.
The DPA investigated after a complaint about the lack of security measures for verifying the identity of users who registered in a reserved area of the company's website used for viewing bills and consumer history. It found that anyone could register on someone's behalf by entering the service holder's tax code and email, allowing illegal access to other personal information such as phone numbers and home addresses.
Among many violations, the regulator found that the company processed user data for promotional purposes without a legal basis and without providing adequate information. For example, it noted, the registration process showed several forms for providing consent that were premarked "Yes," in violation of the GDPR.
The fine was based on the seriousness of the offenses, which continued during the investigation, and the large number of subjects involved, the watchdog said.