Yesterday, the Italian data protection supervisory authority (Garante per la protezione dei dati personali) ordered Vodafone to pay a fine in excess of 12,250,000 Euros for the unlawful processing of personal data of millions of users for telemarketing purposes.

Investigations were initiated following hundreds of complaints and alerts submitted by users against unsolicited phone calls made by Vodafone. The investigations unearthed poor GDPR compliance and criticalities of a "structural" nature having to do with the violation not only of consent requirements but also of key principles such as accountability and data protection by design as outlined in the GDPR.

As well as having to pay the fine, Vodafone is required to implement several measures set out by the Italian data protection supervisory authority to comply with national and EU data protection legislation.

The fine follows a series of fines recently issued within the EU for breaches of the GDPR. Most notably, the ICO's recent decision to fine Ticketmaster £1.25 million on 13 November and Marriot £18.4 million on 30 October.