Garante per la protezione dei dati personali (Italy) - 10043007

From GDPRhub
Revision as of 11:48, 13 August 2024 by Fb
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 28(3) GDPR
Art. 30-ter(5)(a) d.lgs. 141/2010
Art. 30-ter(7-bis) d.lgs. 141/2010
Type: Complaint
Outcome: Upheld
Started: 25.03.2021
Decided: 06.06.2024
Published:
Fine: 1,000,000 EUR
Parties: CA Autobank S.p.A.
National Case Number/Name: 10043007
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: fb

The DPA fined a bank €1,000,000 after it unlawfully accessed a government database on behalf of a subsidiary car leasing company.

English Summary

Facts

The data subject wanted to rent a car from Drivalia Leasys Rent S.p.A. (controller), a company owned by CA Autobank S.p.A. (processor). The controller performed a background check on the data subject through the processor. The background check had a negative outcome and, therefore, the data subject was denied the rental.

On 28 October 2020, the data subject filed an access request with the processor to find out which information had led to the negative outcome of the check. Since she did not receive any answer, she filed a complaint with the DPA on 25 March 2021. At the request of the DPA, the processor pointed out, first of all, that the two companies belong to the same corporate group and that they had concluded a Data Processing Agreement (DPA) between themselves.

Moreover, the processor argued that this check had been performed by consulting the SCIPAFI system. The latter is a database managed by the Ministry of Economy and Finance (Ministero dell’Economia e delle Finanze – MEF) for fraud prevention. Only certain entities are allowed (and obliged) to access it, in order to verify whether the documents provided by the client are authentic.

According to Article 30-ter(5)(a) d.lgs. 141/2010, a bank is obliged to consult SCIPAFI before providing certain banking services to a client. The processor was authorised to do so for its own clients.

Pursuant to Article 30-ter(7-bis) d.lgs. 141/2010, other entities can also access SCIPAFI. On this basis, on 6 July 2022 (after the accesses at issue had already been performed), the MEF authorised the processor to access SCIPAFI also on behalf of the controller.

Holding

First of all, the DPA noted that when the accesses to SCIPAFI were made, the processor was authorised to access this database only for its own purposes. Only later was the processor authorised to consult the database on behalf of the controller at hand.

Moreover, the DPA pointed out that the purpose of SCIPAFI is to compare the document provided by the client with a copy of the authentic one uploaded to the system. In this case, the processor accessed the copy of the data subject's tax declaration. However, the client had never provided such a document, which would have been needed to carry out the comparison.

Therefore, the DPA held that this processing was unlawful and found a violation of Article 5(1)(a) GDPR.

Secondly, the DPA noted that the agreement between the controller and the processor was quite unclear. However, it held that the contract could still be regarded as a binding agreement under Article 28(3) GDPR. The DPA found a violation of this article since the processor was not authorised to carry out this processing on behalf of the controller.

On these grounds, the DPA fined the processor €1,000,000.

Comment

The DPA also fined the controller €250,000 with a separate decision.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. no. 10043007]

Provision of 6 June 2024

Register of provisions
no. 341 of 6 June 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, GDPR);

HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter, the Code);

HAVING SEEN the complaint filed pursuant to art. 77 of the GDPR by Mrs. XX, through the lawyer XX against Drivalia Leasys Rent S.p.A. (abbreviated to Leasys Rent S.p.A.) and CA Autobank S.p.A. (formerly FCA Bank S.p.A.);

HAVING EXAMINED the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;

RAPPORTEUR the lawyer Guido Scorza;

WHEREAS

1. Complaint.

With a complaint dated 25 March 2021, the applicant stated that Drivalia Leasys Rent S.p.A. (abbreviated to Leasys Rent S.p.A., hereinafter, the Company) had denied her the voucher for the rental of a car because she was “included in a black list”.

In particular, in response to the request to exercise the rights submitted on 28 October 2020 by the interested party to the Company, the latter communicated that “during the booking phase, […] proceeds to verify the contractor’s data through the databases of the FCA Bank S.p.A. Group. with the specific purpose of preventing fraud and insolvency or other similar events […and] that each rental request is subjected to an examination based on objective elements that take into account all the elements present in the databases of the FCA Bank Group in order to attribute a synthetic judgment on the degree of reliability and solvency of the applicant.”

Subsequently, on 9 December 2020, the interested party sent to the Company and to CA Autobank S.p.A. (formerly, FCA Bank S.p.A., hereinafter, the Bank), a further request aimed at knowing “what data and/or personal information they had in their possession that caused the denial to enter into a contractual agreement, the inclusion of the same in the "Black List" and lastly also the accusation of being a "bad payer" (although nothing appears in CRIF)”.

Since this request, according to the complainant, remained unanswered, the complainant submitted the complaint in question to this Authority.

2. The investigation activity.

2.1 Requests for information.

In relation to the facts referred to in the complaint, the office proceeded to start a complex investigation activity both against the Company and against the Bank (with reference to the latter, the related outcomes are contained in a separate provision, adopted on the same date).

In this context, the Company, with notes dated 7 July 2021 and 15 July 2022, was invited to provide the necessary clarifications regarding the facts that are the subject of the complaint.

In its replies, provided respectively on 26 July 2021 and 3 August 2022, the Company stated:

- that there was “no complaint dated 9.12.2020 from you or your lawyer” and that “the DPO […] did not receive any request to the email address […] indicated in the information that [the interested party] viewed on the [Company] website at the time of booking”;

- that it had carried out, as also specified in the information provided to (potential) customers, “[…] the verification of your data through databases of the FCA Bank S.p.A. Group with the specific purpose of preventing fraud and insolvency or other similar events”. In the same document it is expressly indicated that “in the event of a negative outcome of the analysis described above, it will not be possible to provide the requested rental service”;

- that “as a company subject to the management and coordination of FCA Bank Spa pursuant to art. 2497 cc, [it] requests, by virtue of intra-group relationships, the verification of the data communicated by the interested parties in the databases used by the same”;

- to have “defined a Data Processing Agreement (hereinafter for brevity “DPA”), signed between FCA Bank, as the parent company, and its subsidiaries, including Leasys Rent. The logic underlying the DPA is to regulate, with a view to simplification, the relationship between a Controller (each of the subsidiaries) and a Processor (the parent company), delegating to the latter the possibility of both managing certain types of service, on behalf of the Controller, which also imply personal data processing activities, such as, by way of example and not limited to, within the limits of this document, control activities, administrative and reporting services, accounting services, and of carrying out verification activities on the correctness of personal data relating to subjects interested in renting a vehicle at the Leasys Rent Mobility Store or through online methods”;

- to ask customers during the preliminary phase of a car rental contract: “Personal data: Name, Surname, Date of birth, Tax code, Residential address, Email address, collected by Leasys Rent directly from the interested party or during the booking phase or via web portal, credit card (the latter can also be provided at the time of delivery of the vehicle)” and not to collect income data, but to carry out “only checks of legitimacy on the correctness of the information provided by customers and in general on the absence of potential prejudices in compliance with the ordinary control measures typical and characterizing a group with a prevalent banking component and this also in order to prevent fraud, theft or other similar events”;

- that the income data “were verified by FCA Bank Spa which provided a negative opinion to the Undersigned, with respect to the provision of the requested rental service. In particular, the analyses carried out by FCA Bank resulted in a negative output regarding the Income Documents from the Scipafi application (Centralized Computerized System for the Administrative Prevention of Identity Theft, a tool of the Ministry of Economy and Finance). This circumstance prevented us from being able to accept your request” and was further confirmed by the Company itself both in the communication of 26 July 2021 and in the integration of the following 3 August 2022, in which it stated that: “it is undoubted that Leasys Rent, during the investigation carried out during the vehicle booking phase, made use of the checks carried out through FCA Bank, from which, as already communicated to your Authority on 26 July 2021, “a negative output resulted in relation to the Income Documents from the Scipafi application (Centralized Computerized System for the Administrative Prevention of Identity Theft, a tool of the Ministry of Economy and Finance)”;

- that the “processing of the [complainant’s] data was, therefore, carried out for the purposes and according to the methods set out in the Notice which provides that “In the preliminary phase, Leasys Rent will proceed to verify your data through the databases of the FCA Bank S.p.A. Group with the specific purpose of preventing fraud and insolvency or other similar events.”

2.2 The request for clarification submitted to the Ministry of Economy and Finance.

The office requested clarification from the Ministry of Economy and Finance (MEF) regarding access to the complainant’s income data contained in the SCIPAFI System, carried out by the Bank on behalf of the Company, in order to assess whether to accept the rental request. 

The MEF, in the response provided, stated that the Bank, pursuant to art. 30-ter, paragraph 5, letter a) of Legislative Decree 141/2010, is required to participate, as a direct member, in the fraud prevention system.

The Ministry also stated that it had authorized, with a note dated 6 July 2022, the same Bank "to carry out queries on the SCIPAFI System on behalf of Leasys Rent S.p.A. [...], by virtue of the provision in paragraph 7-bis of art. 30-ter of Legislative Decree 141/2010: this is because Leasys Rent S.p.A., a long-term rental company, is not a company included among the companies participating in the Identity Theft Prevention System pursuant to art. 30-ter, paragraph 5. of the aforementioned Legislative Decree".

In particular, the MEF has assessed whether to include the long-term rental category in Legislative Decree 141/2010, in line with the provisions of the Circular issued on 17 July 2014 by Directorate V Prevention of the use of the financial system for illegal purposes. The latter, in fact, establishes that, without prejudice to the subjective scope of application of the legislation (as defined by art. 30-ter of Legislative Decree 141/2010), paragraph 7-bis of the aforementioned art. 30-ter of the decree, should be interpreted in the sense of broadening the objective scope of application of the law, thus allowing the adhering subjects to avail themselves of the prevention system even outside the cases provided for by paragraph 7 of the same regulatory provision.

2.3. Inspection activity.

In the exercise of the control powers referred to in art. 58, par. 1 of the GDPR (see also articles 157 and 158 of the Code) and for the purpose of a complete examination of the matter, the Authority carried out an investigation at the Company (see the minutes of operations carried out on 3 April 2023), during which the representatives of the same declared that:

- “Drivalia changed its name from Leasys Rent in October 2022 in view of the acquisition of 100% of FCA Bank, the direct parent company of Drivalia, by Credit Agricole Consumer Finance. The previous parent company Leasys, previously controlled by FCA Bank, which deals with long-term rental, was sold to a company owned by Credit Agricole CF and Stellantis. Drivalia deals with short-term rental, subscription, long-term rental, start-up and car sharing”;

- “an agreement was signed between Drivalia and FCA bank for the provision of services for the outsourcing of certain functions, including, for example, the DPO function or internal audit. The last renewal of the agreement dates back to December 2020. In this context, FCA can process personal data owned by Drivalia, as data controller, based on the DPA in place, since 2019, between WinRent (previous name of the company) and FCA Bank”;

- “when a customer requests a rental service from Drivalia, by going to a mobility store or using an Amazon voucher, they must provide their personal data, creating their own account, and reading the privacy policy by scanning a special QR code. The personal data and the data relating to the payment instrument (credit card) are recorded and compared with Drivalia’s databases, to verify the presence of elements that prevent the rental”;

- “FCA Bank periodically carries out activities to identify unwanted parties, for anti-fraud purposes, also through the interrogation of SCIPAFI. If these automated checks highlight anomalies, FCA analysts verify this outcome. The list of unwanted parties, the so-called watchlist, is made available to Drivalia for checks during the acceptance phase of rental requests”, specifying “that these checks are carried out on all subscription rentals, which amount to approximately 12,000 per year. To this end, FCA bank processes the data and stores it as indicated in the service contract”;

- in relation to the position of the complainant, the Company represented that it had proceeded to “permanently delete the personal data of the interested party from the watchlist in use by Drivalia itself and provided by FCA Bank since December 2021, also requesting cancellation from the FCA bank watchlist” (cancellation email of which the Company attached a copy).

On 21 April 2023, the Company, in submitting the supplementary documentation requested to resolve the outstanding points, has:

- presented the “summary of the relationships between the complainant […] and the companies of the CA Auto Bank S.p.A. Group”, with which (in referring to the reconstruction of the matter carried out by the Parent Company) it is specified that “the refusal of the reservation occurred because the name of the Complainant was present in the Watch List of FCA Bank S.p.A. (now “CA Auto Bank S.p.A.”) related to the code “10” i.e. “counterfeit income documentation” also in relation to the sole proprietorship” headed by the interested party. “This Watch List was and is made available to Drivalia for the purposes of preventing fraud and insolvency and other similar events, as specified in the privacy policy published on the site and made available during the booking phase, as regulated by the Data Processing Agreement (DPA) between Drivalia (Data Controller) and FCA Bank (Data Processor)”;

- represented that “the DPA was drawn up to regulate the relationships relating to data processing between the Parent Company and the subsidiaries: in other words, the activities relating to the management of certain types of services were delegated by the Controllers (each of the subsidiaries) to the Processor (the Parent Company). In the aforementioned Intercompany DPA, in fact, the following are listed, by way of example and not limited to, control activities, accounting services, credit-related activities, the latter being limited to the activities of checks on fleet management companies and not referring, as repeatedly specified, to investigative activities on natural persons relating to short-term service offers”;

3. The initiation of the proceedings.

With note prot. 134255 of 28 September 2023, the Office, on the basis of the declarations made by the parties and the elements acquired during the investigation, notified the Company of the act of initiation of the proceedings for the adoption of the provisions referred to in Articles 58, par. 2, and 83 of the Regulation, in compliance with the provisions of Article 166, paragraph 5, of the Code, in relation to the violation of the provisions referred to in Articles 5, par. 1, letter a), 13 and 28 of the GDPR.

In particular, the following were contested:

- the lawfulness of the control activity carried out by the Company on the data of potential customers in order to verify the presence of causes that prevent the conclusion of the car rental contract, as it was carried out through access to the SCIPAFI System (a public system for the prevention of identity theft established by Legislative Decree no. 141/2010, the operation of which is governed by the decree of the Ministry of Economy and Finance of 19 May 2014, no. 95), through the Bank on behalf of the Company, as well as the acquisition and related processing of such data (including, to the extent of interest in the specific case, those of the interested party) for the declared "purpose of preventing fraud and insolvency or other similar events" (see "Privacy Policy - Leasys Rent short-term rental service" updated to 13.03.2020 and in the documents). This is because the accesses to SCIPAFI carried out by the Bank, on behalf of the Company, in order to assess the position of the complainant, occurred in a period (between 2019 and 2020) in which the Ministry had not yet authorised the Bank to query the SCIPAFI System also on behalf of the Company which, therefore, could not process the related data (even if reprocessed and made available through the watchlist created by the Bank) in order to assess whether or not to enter into car rental contracts;

- the circumstance that the information provided to the interested party (see attachment 1 to the Company's note of 3 August 2022, referred to above) did not contain any specific reference to the purposes and related methods of processing of personal data carried out through the Bank through the use of the SCIPAFI System, limiting itself to a generic reference to the "verification of the data [of the interested party] through databases of the FCA Bank group", thus resulting in violation of art. 13 of the GDPR. In this regard, it should also be noted that this reference was formulated in such a way as not to allow the identification of the databases consulted, nor whether access to the latter was carried out by the Company itself or by other companies of the group (and possibly which ones), not even specifying whether the latter acted as data controllers or data processors.

- the circumstance that the documentation produced during the investigation did not bear out what was declared, including during the inspection, regarding the role of data processor played by the Bank in accessing SCIPAFI on behalf of the Company. In particular, even if it is true that, based on the DPA in force since 2019 between WinRent (previous name of the Company) and the Bank, the latter would hold the role of data processor in relation to some processing operations defined as "exemplary and not exhaustive", it should be noted that this would be in violation of art. 28, par. 3 of the GDPR, since it concerns the processing of data of the interested parties that the Bank could not carry out, as data processor, on behalf of the Company, since the latter is not among the subjects that can access SCIPAFI either directly or through the subjects adhering to the System.

Secondly, it should be noted that the "renewal" of this agreement, stipulated between the Company and the Bank in December 2020, states, in art. 10.1, that "with regard to the data that will be provided in the performance of the Services, Each of the Parties, as an independent data controller, undertakes to fully comply with the legislation on the protection of personal data [...]". From a reading of the text, therefore, the independent controllership of both parties emerges.

On 27 October 2023, the Company submitted its defence papers in which it:

- confirmed that the MEF's authorisation for the Company's (indirect) access "to SCIPAFI occurred after the latter's actual access to the information [...], present in the watchlist made available by the Bank";

- reiterated that it had never processed the specific personal information present in SCIPAFI relating to the Complainant, but had only been able to view, by consulting the watchlist made available by the Bank, a numeric code corresponding to "counterfeit income documentation";

- specified, with regard to the roles (controller and processor) to be attributed to the Company and the Bank in relation to the processing of the data in question, that the qualification as "exemplifying and not exhaustive" of the profiles listed in the 2019 Data Processing Agreement (DPA), contained in the communication dated 3 August 2022 in response to the request for information sent by the Authority on 15 July 2002, had the sole "purpose of avoiding reporting all the cases listed, instead, exhaustively in the 2019 DPA"; therefore the Company, "although perfectly aware of the fact that the 2019 DPA could indisputably be improved", believes "that such information deficiencies [cannot] even undermine the requirements established by Article 28(3) GDPR with consequent de facto lack of regulation in this sense. In fact, the requirements set out in the aforementioned Article 28(3) cannot be considered as not present: in the premises, in addition to the specific purposes of the processing, the subject matter and the nature of the processing are also present and/or deducible; the categories of data subjects and the type of personal data are reported, respectively, in Articles 2 and 3; the obligations and rights of the controller can be found in numerous articles including, for example, in Article 5 relating to sub-processors";

- specified that "the renewal of the aforementioned DPA 2019 is not, in reality, a renewal or even an agreement pursuant to Article 28 GDPR, but rather a real contract for the provision of services (hereinafter, also, "Service Contract") to which the aforementioned DPA, necessarily, approaches even if not explicitly referred to";

- recalled art. 10.1 of the aforementioned Contract, which establishes that "with regard to the data that will be provided in the performance of the Services, each of the Parties, as independent data controller, undertakes to fully comply with the legislation on the protection of personal data [...]", and confirmed "the ambiguity of the aforementioned wording [...] in relation to the independent controllership of the parties", specifying that "this provision must necessarily be interpreted in compliance with the principles of contractual interpretation set out in articles 1362 et seq. of the Civil Code. These provisions require an organic reading that takes into account not only the DPA 2019, but also, and above all, the following paragraph of the same article 10, which states that the Bank is "authorized to process personal data exclusively in compliance with the obligations set out in this contract and, in particular, for the performance of the services covered by the same". The presence of this provision is a clear indicator of the impossibility" of attributing autonomous controllership to each of the parties and would instead confirm "a relationship between the controller (Drivalia) and the processor (Bank) in compliance with the aforementioned DPA 2019;

- confirmed "the involvement of the data protection officer in relation to the aforementioned contracts. However, there is no formal opinion from the latter as it is not required by law;

- communicated that it has proceeded to cancel the name of the complainant from the watchlist;

- as regards the inadequacy of the information provided to the interested parties, in agreeing with the Authority on "the non-exhaustiveness of the aforementioned information and, in particular, the lack of mention of the databases consulted", it underlined that, "in said information the purpose of the processing in question was expressly specified as "prevention of fraud and insolvency or other similar events" and that, "although it is true that it is not specified whether access occurs through the Bank or directly from Drivalia or the roles of the same, the regulatory requirement relating to the indication of the "recipients" or "categories of recipients" of the personal data" is nevertheless present within the same information.

4. The reference regulatory framework.

4.1. The Scipafi system: art. 30-ter of Legislative Decree 13 August 2010, n. 141.

The SCIPAFI system, established at the Ministry of Economy and Finance - which has entrusted its management to Consap S.p.A. - is a public system for the prevention, on an administrative level, of fraud in the sector of consumer credit and deferred or delayed payments, with specific reference to identity theft (see Legislative Decree no. 141/2010 and Decree of the Ministry of Economy and Finance of 19 May 2014, no. 95).

Only those subjects specifically identified by the legislation, qualified as members, are required to access the System and the information contained therein (art. 30-ter, paragraph 5 and 5-bis, Legislative Decree cited).

The processing of personal data of interested parties within the archive (both by the MEF and by Consap and the members) is permitted for the sole purposes identified by art. 2, paragraph 2 of Ministerial Decree 95/2014, namely the verification of the authenticity or otherwise of the data contained in the documentation provided by natural persons (as interested parties) who request a deferral or postponement of payment, financing or other similar financial facilitation, or a deferred payment service, and "in cases where they deem it useful, on the basis of the evaluation of the elements acquired, to ascertain the identity of the same" (art. 30-ter paragraphs 7 and 7-bis of Legislative Decree 141/2010 cit.).

4.2. The relevant provisions on the protection of personal data.

The processing of personal data must take place in compliance with the principles indicated in art. 5 of the GDPR, including those of "lawfulness, fairness and transparency" (art. 5, par. 1, letter a) of the GDPR).

In particular, the principle of transparency translates into the obligation, on the part of the data controller, to provide the data subject with all information relating to the processing of personal data concerning him/her, in an accessible and comprehensible manner, making him/her aware, at the time the personal data are obtained, also of the purposes and methods of the processing and of its legal basis, as well as of all the additional information necessary to ensure that the processing is fair and transparent, also in relation to any data processors, in compliance with the provisions of art. 13 of the Regulation (see also recital 39 of the GDPR).

The legislation on the protection of personal data identifies the subjects - controller and processor - who, in different capacities, can process the personal data of the data subjects, also establishing their respective attributions.

In this context, the data controller is the entity on which decisions fall regarding the purposes and methods of processing of the personal data of the interested parties, as well as a "general responsibility" (accountability) for the processing carried out by the controller itself or by others who carry out such processing "on its behalf", namely the data processors (recital 81, art. 4, point 8) and art. 28 of the Regulation).

The relationship between the data controller and the processor is regulated by a contract, or by another legal act stipulated in writing, which, in addition to mutually binding the two figures, provides instructions to the processor and sets out in detail (exhaustively, and not merely by way of example) the subject matter regulated, the duration, nature and purposes of the processing, the type of personal data and the categories of interested parties, and the obligations and rights of the data controller.

5. The assessments of the Authority and the outcome of the investigation.

Following the examination of the statements made by the Company during the proceedings (for the veracity of which the author is liable pursuant to and for the purposes of art. 168 of the Code, “False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor”), as well as the documentation acquired in the files, the following is represented.

In particular:

a. in relation to the profile of the lawfulness of the processing of the data of the interested party taken from SCIPAFI, the Company, in confirming that the authorization of the MEF for the access carried out by the Bank on behalf of the Company to the SCIPAFI System was issued on 6 July 2022 and, therefore, on a date subsequent to that on which the processing of the data of the interested party took place, also specified that it had never "proceeded to the processing of the specific personal information present in SCIPAFI relating to the Complainant", having exclusively viewed the numerical code (present in the above-mentioned watchlist made available by the Bank to the companies of the group) which indicated as "counterfeit", the income documentation presented by the same.

In this specific case, therefore, it is proven that the accesses to SCIPAFI carried out by the Bank, on behalf of the Company, in order to assess the position of the complainant, occurred between 2019 and 2020, a period in which, as shown by the documentation in the files, the Company (which is not among the members of the SCIPAFI System, specifically identified by art. 30-ter, paragraph 5, Legislative Decree no. 141/2010 cit.), was not authorized, not even through the Bank, to access SCIPAFI and to acquire and process the data present therein and referring to the interested party (even if reworked and made available to the Company through the so-called watchlist created by the Bank), in order to assess whether or not to enter into the car rental contract. This processing is therefore unlawful.

It is also noted that the SCIPAFI system allows the verification of the authenticity of the data contained in the documents (identity or income) presented by the interested party for the purposes of evaluating a request. It therefore presupposes that the member carries out a specific check with respect to a specific document presented to obtain the requested service;

In this case, the access carried out by the Bank on behalf of the Company is unlawful as it occurred without having carried out such a check; it appears, in fact, that the tax return of the claimant, an essential document for carrying out the comparison with the income information relating to the same contained in SCIPAFI, has never been acquired.

b. in relation to the role (controller or processor) held by the Company and the Bank, with reference to access to the interested party's data taken from SCIPAFI and subject to subsequent processing and inclusion in the watchlist, the Company itself, while declaring itself aware that the documentation produced (in particular, the 2019 DPA and the subsequent act called "renewal" of 2020) is unclear on the point, believes, however, that such deficiencies do not affect the requirements set out in art. 28, par. 3 of the GDPR and that in any case a controller-processor relationship between the Company and the Bank respectively would emerge from the documents.

In this regard, it should be noted that at the time of the facts, the Bank, as an independent data controller, was required to access SCIPAFI exclusively in the context of carrying out its specific activity (art. 30-ter, paragraphs 7 and 7-bis, Legislative Decree, 141/2010, cit.); otherwise, in this case, access was carried out to assess the interested party's position for the purposes of entering into a rental agreement (which is outside the Bank's own activities) with the Company (which is a different entity from the Bank, although belonging to the same group).

It follows that the Company, which was not among the entities that, at the time of the facts, could access SCIPAFI either directly or through entities adhering to the System, could not process the interested party's data either as data controller or by designating the Bank as data processor for this purpose, with the effect that the attribution of this role to the Bank by the Company was in violation of art. 28 of the GDPR;

c. while confirming the unsuitability of the information provided to the interested party, as it is generic and in any case not suitable to allow the latter to identify the type of data processed and their origin, with specific reference to the databases consulted and whether access to the latter was carried out by the Company itself or by others in the group, the Authority takes note of what has been declared and documented by the Company in relation to the replacement of the previous information with the one "present on the Company's website available at the following address: https://www.drivalia.it/it/customer-service/privacyservizio/".

6. Conclusions: unlawfulness of the processing carried out.

In light of the above assessments, it is noted that the statements made by the data controller in the defense documents (for the truthfulness of which it may be held accountable pursuant to art. 168 of the Code) do not allow all the findings notified by the Office with the act of initiation of the procedure to be overcome and are insufficient to allow its archiving, since none of the cases provided for by art. 11 of the regulation of the Guarantor no. 1/2019, concerning the internal procedures of the Authority having external relevance, applies.

The processing carried out by the Company is unlawful in the terms set out above, in relation to arts. 5, par. 1, letter a), 13 and 28 of the GDPR.

Violation of the provisions referred to above entails the application of the administrative sanction provided for by art. 83, par. 4, letter a); par. 5, lett. a) and b), of the GDPR.

7. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, lett. i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to art. 58, par. 2, lett. i) of the Regulation and art. 166 of the Code, has the power to impose the administrative pecuniary sanction provided for by art. 83, par. 5, of the Regulation, by adopting an injunction order (art. 18, Law 24 November 1981, no. 689).

The violation, ascertained in the terms set out in the reasons, cannot be considered "minor", taking into account the nature, gravity, degree of responsibility and the manner in which the supervisory authority became aware of the violation (recital 148 of the Regulation).

With reference to the elements listed in art. 83, par. 2, of the Regulation for the purposes of applying the administrative pecuniary sanction and the related quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), it is represented that, in the specific case, the following circumstances were considered:

- in relation to the nature and gravity of the violation, the nature of the violation, which concerned the organization of the entire processing with reference to the roles respectively held by the Company and the Bank at the time the facts occurred and, specifically, the lawfulness of the processing of the data relating to the interested party, was considered relevant;

- in relation to the intentional or negligent nature of the violations, the conduct of the Company must be taken into account which - despite being aware of the lack of authorization from the MEF to know, also through the Bank, the information contained in SCIPAFI - decided to access the watchlist made available by the Bank which contained information also taken from the aforementioned System, albeit subsequently reworked;

- the cooperation provided by the Company during the investigation and the adjustments arranged in compliance with the principle of accountability (through the establishment of a new, more structured contractual arrangement, having signed a new service contract with an annexed new agreement pursuant to Article 28 of the GDPR) and with the principles of privacy by design and privacy by default, through the implementation of measures aimed at eliminating the visibility of the prejudicial reason linked to the numeric code transmitted by the Bank through the watchlist;

- the absence of previous rulings by the Authority against the Bank with respect to the same case, as well as complaints similar to the one subject of this provision.

Finally, it is noted that, during the proceedings, the Company updated the information in accordance with the provisions contained in Articles 5, par. 1, letter a) and 13 of the GDPR; therefore, there is no basis for ordering that the processing be brought into conformity with the provisions of the GDPR with respect to this profile.

Taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the fine (Article 83, par. 1, of the Regulation), it is believed that the economic conditions of the offender, determined on the basis of the revenues achieved by the Company with reference to the ordinary financial statements for the year 2022, are relevant in this case.

Also, applying paragraph 3 of Article 83 of the Regulation, which provides that "If, in relation to the same processing or linked processing, a controller […] violates, with intent or negligence, several provisions of this Regulation, the total amount of the administrative pecuniary sanction shall not exceed the amount specified for the most serious violation", the total amount of the sanction is calculated so as not to exceed the maximum amount set forth in the same art. 83, par. 5, letter a), of the Regulation.

In light of the elements indicated above and the assessments carried out, it is deemed necessary to adopt, against Drivalia Leasys Rent S.p.A. (in abbreviated form Leasys Rent S.p.A.) - C.F./P.I. 05406791003, with registered office in Turin, Corso Orbassano 367, the administrative sanction of the payment of a sum equal to Euro 250,000.00 (two hundred and fifty thousand euros).

In this context, it is also believed, in consideration of the type of violations ascertained, that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this provision on the website of the Guarantor and that the conditions set out in art. 17 of Regulation no. 1/2019 exist.

GIVEN ALL THE ABOVE, THE GUARANTOR

determines the unlawfulness of the processing carried out by Drivalia Leasys Rent S.p.A. (in abbreviated form Leasys Rent S.p.A.) - C.F./P.I. 05406791003 - in the person of the legal representative pro tempore, with registered office in Turin, Corso Orbassano 367, pursuant to art. 143 of the Code, for the violation of arts. 12, par. 3, and 15 of the Regulation;

ORDERS

pursuant to art. 58, par. 2, letter i), of the Regulation, to Drivalia Leasys Rent S.p.A. (abbreviated to Leasys Rent S.p.A.), to pay the sum of Euro 250,000.00 (two hundred and fifty thousand euros) as a pecuniary administrative sanction for the violations indicated in this provision;

ORDERS

therefore the same Company to pay the aforementioned sum of Euro 250,000.00 (two hundred and fifty thousand euros) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981. It is noted that the offender has the right to settle the dispute by paying, again according to the methods indicated in the attachment, an amount equal to half of the fine imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 provided for the filing of the appeal as indicated below (art. 166, paragraph 8, of the Code);

ORDERS

the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019, and believes that the conditions referred to in art. 17 of Regulation no. 1/2019 exist.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 6 June 2024

THE PRESIDENT
Stanzione

THE REPORTER
Scorza

THE GENERAL SECRETARY
Mattei


SEE ALSO: Newsletter of 9 August 2024


[web doc. n. 10043007]

Provision of 6 June 2024

Register of provisions
n. 341 of 6 June 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN TODAY'S meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, Members and Council Member Fabio Mattei, Secretary General;

SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, GDPR);

SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter, Code);

SEEN the complaint filed pursuant to art. 77 of the GDPR by Mrs. XX, through Attorney XX against Drivalia Leasys Rent S.p.A. (abbreviated to Leasys Rent S.p.A.) and CA Autobank S.p.A. (formerly FCA Bank S.p.A.);

HAVING EXAMINED the documentation in the file;

SEEN the observations formulated by the general secretary pursuant to art. 15 of the regulation of the Guarantor no. 1/2000;

REPORTER, lawyer Guido Scorza;

WHEREAS

1. Complaint.

With a complaint dated 25 March 2021, the applicant represented that Drivalia Leasys Rent S.p.A. (abbreviated to Leasys Rent S.p.A., hereinafter, the Company) had denied her the voucher for the rental of a car because she was “included in a black list”.

In particular, in response to the request to exercise the rights submitted on 28 October 2020 by the interested party to the Company, the latter communicated that “during the booking phase, […] it verifies the contractor’s data through databases of the FCA Bank S.p.A. Group with the specific purpose of preventing fraud and insolvency or other similar events […and] that each rental request is subjected to an examination based on objective elements that take into account all the elements present in the databases of the FCA Bank Group in order to attribute a synthetic judgment on the degree of reliability and solvency of the applicant.”

Subsequently, on 9 December 2020, the interested party sent to the Company and to CA Autobank S.p.A. (formerly, FCA Bank S.p.A., hereinafter, the Bank), a further request aimed at knowing "what personal data and/or information they had in their possession that caused the refusal to enter into a contractual agreement, the inclusion of the same in the "Black List" and lastly also the accusation of being a "bad payer" (although nothing appears in CRIF)".

Since this request, according to the complainant, also remained unanswered, she submitted the complaint in question to this Authority.

2. The investigation activity.

2.1 Requests for information.

In relation to the facts referred to in the complaint, the office proceeded to start a complex investigation activity both against the Company and against the Bank (with reference to the latter, the related outcomes are contained in a separate provision, adopted on the same date).

In this context, the Company, with notes dated 7 July 2021 and 15 July 2022, was invited to provide the necessary clarifications regarding the facts that are the subject of the complaint.

With feedback provided, respectively, on 26 July 2021 and 3 August 2022, the Company represented:

- that there was “no complaint dated 9.12.2020 from you or your lawyer” and that “the DPO […] did not receive any request to the email address […] indicated in the information that [the interested party] viewed on the [Company] website at the time of booking”;

- that it had carried out, as also specified in the information provided to (potential) customers, “[…] the verification of your data through databases of the FCA Bank S.p.A. Group with the specific purpose of preventing fraud and insolvency or other similar events”. In the same document it is expressly indicated that “in the event of a negative outcome of the analysis described above, it will not be possible to provide the requested rental service”;

- that “as a company subject to the management and coordination of FCA Bank Spa pursuant to art. 2497 cc, [it] requests, by virtue of intra-group relationships, the verification of the data communicated by the interested parties in the databases used by the same”;

- to have “defined a Data Processing Agreement (hereinafter for brevity “DPA”), signed between FCA Bank, as the parent company, and its subsidiaries, including Leasys Rent. The logic underlying the DPA is to regulate, with a view to simplification, the relationship between a Controller (each of the subsidiaries) and a Processor (the parent company), delegating to the latter the possibility of both managing certain types of service, on behalf of the Controller, which also imply personal data processing activities, such as, by way of example and not limited to, within the limits of this document, control activities, administrative and reporting services, accounting services, and of carrying out verification activities on the correctness of personal data relating to subjects interested in renting a vehicle at the Leasys Rent Mobility Store or through online methods”;

- to ask customers during the preliminary phase of a car rental contract: “Personal data: Name, Surname, Date of birth, Tax code, Residential address, Email address, collected by Leasys Rent directly from the interested party or during the booking phase or via web portal, credit card (the latter can also be provided at the time of delivery of the vehicle)” and not to collect income data, but to carry out “only checks of legitimacy on the correctness of the information provided by customers and in general on the absence of potential prejudices in compliance with the ordinary control measures typical and characterizing a group with a prevalent banking component and this also in order to prevent fraud, theft or other similar events”;

- that the income data “were verified by FCA Bank Spa which provided a negative opinion to the Undersigned, with respect to the provision of the requested rental service. In particular, the analyses carried out by FCA Bank resulted in a negative output regarding the Income Documents from the Scipafi application (Centralized Computerized System for the Administrative Prevention of Identity Theft, a tool of the Ministry of Economy and Finance). This circumstance prevented us from being able to accept your request” and was further confirmed by the Company itself both in the communication of 26 July 2021 and in the integration of the following 3 August 2022, in which it stated that: “it is undoubted that Leasys Rent, during the investigation carried out during the vehicle booking phase, made use of the checks carried out through FCA Bank, from which, as already communicated to your Authority on 26 July 2021, “a negative output resulted in relation to the Income Documents from the Scipafi application (Centralized Computerized System for the Administrative Prevention of Identity Theft, a tool of the Ministry of Economy and Finance)”;

- that the “processing of the [complainant’s] data was, therefore, carried out for the purposes and according to the methods set out in the Notice which provides that “In the preliminary phase, Leasys Rent will proceed to verify your data through the databases of the FCA Bank S.p.A. Group with the specific purpose of preventing fraud and insolvency or other similar events.”

2.2 The request for clarification submitted to the Ministry of Economy and Finance.

The office requested clarification from the Ministry of Economy and Finance (MEF) regarding access to the complainant’s income data contained in the SCIPAFI System, carried out by the Bank on behalf of the Company, in order to assess whether to accept the rental request. 

The MEF, in the response provided, stated that the Bank, pursuant to art. 30-ter, paragraph 5, letter a) of Legislative Decree 141/2010, is required to participate, as a direct member, in the fraud prevention system.

The Ministry also stated that it had authorized, with a note dated 6 July 2022, the same Bank "to carry out queries on the SCIPAFI System on behalf of Leasys Rent S.p.A. [...], by virtue of the provision in paragraph 7-bis of art. 30-ter of Legislative Decree 141/2010: this is because Leasys Rent S.p.A., a long-term rental company, is not a company included among the companies participating in the Identity Theft Prevention System pursuant to art. 30-ter, paragraph 5. of the aforementioned Legislative Decree".

In particular, the MEF has assessed whether to include the long-term rental category in Legislative Decree 141/2010, in line with the provisions of the Circular issued on 17 July 2014 by Directorate V Prevention of the use of the financial system for illegal purposes. The latter, in fact, establishes that, without prejudice to the subjective scope of application of the legislation (as defined by art. 30-ter of Legislative Decree 141/2010), paragraph 7-bis of the aforementioned art. 30-ter of the decree, should be interpreted in the sense of broadening the objective scope of application of the law, thus allowing the adhering subjects to avail themselves of the prevention system even outside the cases provided for by paragraph 7 of the same regulatory provision.

2.3. Inspection activity.

In the exercise of the control powers referred to in art. 58, par. 1 of the GDPR (see also articles 157 and 158 of the Code) and for the purpose of a complete examination of the matter, the Authority carried out an investigation at the Company (see the minutes of the operations carried out on 3 April 2023), during which the representatives of the same declared that:

- “Drivalia changed its name from Leasys rent in October 2022 in view of the acquisition of 100% of FCA Bank, the direct parent company of Drivalia, by Credit Agricole Consumer Finance. The previous parent company Leasys, previously controlled by FCA Bank, which deals with long-term rental, was sold to a company owned by Credit Agricole CF and Stellantis. Drivalia deals with short-term rental, subscription, long-term rental, start-up and car sharing”;

- “an agreement has been signed between Drivalia and FCA Bank for the provision of services for the outsourcing of certain functions, including, for example, the DPO function or internal audit. The last renewal of the agreement dates back to December 2020. In this context, FCA may process personal data owned by Drivalia, as data controller, based on the DPA in place since 2019 between WinRent (previous name of the company) and FCA Bank”;

- “when a customer requests a rental service from Drivalia, by going to a mobility store or via Amazon voucher, he or she must provide his or her personal data, creating his or her own account, and viewing the privacy policy by scanning a special QR code. The personal data and the data relating to the payment instrument (credit card) are recorded and compared with Drivalia’s databases, to verify the presence of elements that prevent the rental”;

- “FCA Bank periodically carries out activities to identify unwanted subjects, for anti-fraud purposes, also through the interrogation of SCIPAFI. If these automated checks highlight anomalies, FCA analysts verify this outcome. The list of unwanted subjects, the so-called watchlist, is made available to Drivalia for checks during the acceptance of rental requests”, specifying “that these checks are carried out on all subscription rentals, which amount to approximately 12,000 per year. To this end, FCA bank processes the data and stores it as indicated in the service contract”;

- in relation to the position of the complainant, the Company represented that it had proceeded to “permanently delete the personal data of the interested party from the watchlist in use by Drivalia itself and provided by FCA Bank since December 2021, also requesting cancellation from the FCA bank watchlist” (deletion email of which the Company attached a copy).

On 21 April 2023, the Company, in sending the supplementary documentation to resolve the reservations expressed during the inspection:

- submitted the “summary of the relationships between the complainant […] and the companies of the CA Auto Bank S.p.A. Group”, with which (in referring to the reconstruction of the matter carried out by the Parent Company) it is specified that “the refusal of the reservation occurred because the name of the Complainant was present in the Watch List of FCA Bank S.p.A. (now “CA Auto Bank S.p.A.”) related to the code “10” or “counterfeit income documentation” also in relation to the sole proprietorship” headed by the interested party. “This Watch List was and is made available to Drivalia for the purposes of preventing fraud and insolvency and other similar events, as specified in the privacy policy published on the site and made available during the booking phase, as regulated by the Data Processing Agreement (DPA) between Drivalia (Data Controller) and FCA Bank (Data Processor)”;

- represented that “the DPA was drawn up to regulate the relationships relating to data processing between the Parent Company and the subsidiaries: in other words, the activities relating to the management of certain types of services were delegated by the Controllers (each of the subsidiaries) to the Processor (the Parent Company). In fact, the aforementioned Intercompany DPA lists, by way of example and not exhaustively, control activities, accounting services, activities relating to credit, the latter, limited to the activities of verifications on fleet management companies and not referring, as repeatedly specified, to investigative activities on natural persons relating to short-term service offers”;

3. The initiation of the procedure.

With note prot. 134255 of 28 September 2023, the Office, on the basis of the declarations made by the parties and the elements acquired during the investigation, notified the Company of the act of initiation of the procedure for the adoption of the provisions referred to in Articles 58, par. 2, and 83 of the Regulation, in compliance with the provisions of Article 166, paragraph 5, of the Code, in relation to the violation of the provisions referred to in Articles 5, par. 1, letter a), 13 and 28 of the GDPR.

In particular, the following were contested:

- the lawfulness of the control activity carried out by the Company on the data of potential customers in order to verify the presence of causes that prevent the conclusion of the car rental contract, as it was carried out through access to the SCIPAFI System (a public system for the prevention of identity theft established by Legislative Decree no. 141/2010, the operation of which is governed by the decree of the Ministry of Economy and Finance of 19 May 2014, no. 95), through the Bank on behalf of the Company, as well as the acquisition and related processing of such data (including, to the extent of interest in the specific case, those of the interested party) for the declared "purpose of preventing fraud and insolvency or other similar events" (see "Privacy Policy - Leasys Rent short-term rental service" updated to 13.03.2020 and in the documents). This is because the accesses to SCIPAFI carried out by the Bank, on behalf of the Company, in order to assess the position of the complainant, occurred in a period (between 2019 and 2020) in which the Ministry had not yet authorised the Bank to query the SCIPAFI System also on behalf of the Company which, therefore, could not process the related data (even if reprocessed and made available through the watchlist created by the Bank) in order to assess whether or not to enter into car rental contracts;

- the circumstance that the information provided to the interested party (see attachment 1 to the Company's note of 3 August 2022, referred to above) did not contain any specific reference to the purposes and related methods of processing of personal data carried out through the Bank through the use of the SCIPAFI System, limiting itself to a generic reference to the "verification of the data [of the interested party] through databases of the FCA Bank group", thus resulting in violation of art. 13 of the GDPR. In this regard, it should also be noted that this reference was formulated in such a way as not to allow the identification of the databases consulted, nor whether access to the latter was carried out by the Company itself or by other Companies of the group (and possibly which ones), not even specifying whether the latter acted as data controllers or data processors.

- the circumstance that the documentation produced during the investigation did not reveal what was declared, even during the inspection, regarding the role of data processor played by the Bank in accessing SCIPAFI on behalf of the Company. In particular, if it is true that, based on the DPA in force since 2019 between WinRent (previous name of the Company) and the Bank, the latter would hold the role of data processor in relation to some processing operations defined as "exemplary and not exhaustive", it should be noted that this would be in violation of art. 28, par. 3 of the GDPR, since it concerns the processing of data of the interested parties that the Bank could not carry out, as data processor, on behalf of the Company, since the latter is not among the subjects that can access SCIPAFI either directly or through the subjects adhering to the System.

Secondly, it should be noted that the "renewal" of this agreement, stipulated between the Company and the Bank in December 2020, states, in art. 10.1, that "with regard to the data that will be provided in the performance of the Services, Each of the Parties, as an independent data controller, undertakes to fully comply with the legislation on the protection of personal data [...]". From reading the text, therefore, both parties emerge as independent controllers.

On 27 October 2023, the Company submitted its defence papers in which it:

- confirmed that the MEF's authorisation for the Company's (indirect) access "to SCIPAFI occurred after the latter's actual access to the information [...], present in the watchlist made available by the Bank".

- reiterated that it had never processed the specific personal information present in SCIPAFI relating to the Complainant, but had only been able to view, by consulting the watchlist made available by the Bank, a numeric code corresponding to "counterfeit income documentation";

- specified, with regard to the roles (controller and processor) to be attributed to the Company and the Bank in relation to the processing of the data in question, that the qualification as "exemplifying and not exhaustive" of the profiles listed in the 2019 Data Processing Agreement (DPA), contained in the communication dated 3 August 2022 in response to the request for information sent by the Authority on 15 July 2022, had the sole "purpose of avoiding reporting all the cases listed, instead, exhaustively in the 2019 DPA"; therefore the Company, "although perfectly aware of the fact that the 2019 DPA could indisputably be improved", believes "that such information deficiencies [cannot] even undermine the requirements established by Article 28(3) GDPR with consequent de facto lack of regulation in this sense. In fact, the requirements set out in the aforementioned Article 28(3) cannot be considered as not present: in the premises, in addition to the specific purposes of the processing, the subject matter and the nature of the processing are also present and/or deducible; the categories of data subjects and the type of personal data are reported, respectively, in Articles 2 and 3; the obligations and rights of the controller can be found in numerous articles including, for example, in Article 5 relating to sub-processors";

- specified that "the renewal of the aforementioned DPA 2019 is not, in reality, a renewal or even an agreement pursuant to Article 28 GDPR, but rather a real contract for the provision of services (hereinafter, also, "Service Contract") to which the aforementioned DPA, necessarily, approaches even if not explicitly referred to";

- recalled art. 10.1 of the aforementioned Contract, which states that "with regard to the data that will be provided in the performance of the Services, each of the Parties, as independent data controller, undertakes to fully comply with the legislation on the protection of personal data [...]", and confirmed "the ambiguity of the aforementioned wording [...] in relation to the independent controllership of the parties", specifying that "this provision must necessarily be interpreted in compliance with the principles of contractual interpretation set out in articles 1362 et seq. of the Civil Code. These provisions require an organic reading that takes into account not only the DPA 2019, but also, and above all, the subsequent paragraph of the same article 10 which states that the Bank is 'authorized to process personal data exclusively in compliance with the obligations set out in this contract and, in particular, for the performance of the services covered by the same'. The presence of such a provision is a clear indicator of the impossibility" of attributing autonomous controllership to each of the parties and would instead confirm "a relationship between the controller (Drivalia) and the processor (Bank) in execution of the aforementioned DPA 2019";

- confirmed "the involvement of the data protection officer in relation to the aforementioned contracts. However, there is no formal opinion from the latter as it is not required by the legislation";

- communicated that it has proceeded to cancel the name of the complainant from the watchlist;

- as regards the inadequacy of the information provided to the data subjects, while agreeing with the Authority on "the non-exhaustiveness of the aforementioned information and, in particular, the lack of mention of the databases consulted", it underlined that "in said information the purpose of the processing in question was expressly specified as 'prevention of fraud and insolvency or other similar events'" and that, "although it is true that it is not specified whether access occurs through the Bank or directly from Drivalia, or the roles of the same, the regulatory requirement relating to the indication of the 'recipients' or 'categories of recipients' of the personal data" is nevertheless present within the same information.

4. The reference regulatory framework.

4.1. The Scipafi system: art. 30-ter of Legislative Decree 13 August 2010, n. 141.

The SCIPAFI system, established at the Ministry of Economy and Finance - which has entrusted its management to Consap S.p.A. - is a public system for the prevention, on an administrative level, of fraud in the sector of consumer credit and deferred or delayed payments, with specific reference to identity theft (see Legislative Decree no. 141/2010 and Decree of the Ministry of Economy and Finance of 19 May 2014, no. 95).

Only those subjects specifically identified by the legislation, qualified as members, are required to access the System and the information contained therein (art. 30-ter, paragraph 5 and 5-bis, Legislative Decree cited).

The processing of personal data of data subjects within the archive (both by the MEF and by Consap and the members) is permitted for the sole purposes identified by art. 2, paragraph 2 of Ministerial Decree 95/2014, namely the verification of the authenticity or otherwise of the data contained in the documentation provided by natural persons (as data subjects) who request a deferral or postponement of payment, financing or other similar financial facilitation, or a deferred payment service, and, "in cases where they deem it useful, on the basis of the evaluation of the elements acquired, to ascertain the identity of the same" (art. 30-ter, paragraphs 7 and 7-bis, of Legislative Decree 141/2010 cit.).

4.2. The relevant provisions on the protection of personal data.

The processing of personal data must be carried out in compliance with the principles set out in art. 5 of the GDPR, including those of "lawfulness, fairness and transparency" (art. 5, par. 1, letter a) of the GDPR).

In particular, the principle of transparency translates into the obligation, on the part of the data controller, to provide the data subject with all the information relating to the processing of personal data concerning him or her, in an accessible and comprehensible manner, making him or her aware, at the time the personal data are obtained, also of the purposes and methods of the processing and of its legal basis, as well as of all the additional information necessary to ensure that the processing is fair and transparent, also in relation to any data controllers, in compliance with the provisions of art. 13 of the Regulation (see also recital 39 of the GDPR).

The legislation on the protection of personal data identifies the subjects - controller and processor - who, in different capacities, may process the personal data of data subjects, and also establishes their respective responsibilities.

In this context, the controller is the subject who decides the purposes and methods of processing the personal data of data subjects and who bears a "general responsibility" (accountability) for the processing carried out by the controller itself or by others who carry out such processing "on its behalf", i.e. the data processors (recital 81, art. 4, point 8), and art. 28 of the Regulation).

The relationship between the controller and the processor is governed by a contract, or by another legal act stipulated in writing, which, in addition to mutually binding the two figures, provides instructions to the processor and sets out in detail (exhaustively, not merely by way of example) the subject matter and duration of the processing, its nature and purposes, the type of personal data and the categories of data subjects, and the obligations and rights of the controller.

5. The Authority's assessments and the outcome of the investigation.

Following the examination of the declarations made by the Company during the proceedings (for the truthfulness of which the declarant may be held liable pursuant to and for the purposes of art. 168 of the Code, "False declarations to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor"), as well as of the documentation acquired in the files, the following is noted.

In particular:

a. in relation to the profile of the lawfulness of the processing of the data subject's data taken from SCIPAFI, the Company, in confirming that the authorization of the MEF for the access carried out by the Bank on behalf of the Company to the SCIPAFI System was issued on 6 July 2022 and, therefore, on a date subsequent to that on which the processing of the data subject's data took place, also specified that it had never "proceeded to the processing of the specific personal information present in SCIPAFI relating to the Complainant", having exclusively viewed the numerical code (present in the above-mentioned watchlist made available by the Bank to the companies of the group) which indicated the income documentation presented by the complainant as "counterfeit".

In this specific case, therefore, it is proven that the accesses to SCIPAFI carried out by the Bank, on behalf of the Company, in order to assess the position of the complainant, occurred between 2019 and 2020, a period in which, as shown by the documentation in the files, the Company (which is not among the members of the SCIPAFI System specifically identified by art. 30-ter, paragraph 5, Legislative Decree no. 141/2010 cit.) was not authorized, not even through the Bank, to access SCIPAFI and to acquire and process the data present therein and referring to the data subject (even if reworked and made available to the Company through the so-called watchlist created by the Bank), in order to assess whether or not to enter into the car rental contract. This processing is therefore unlawful.

It is also noted that the SCIPAFI system allows the verification of the authenticity of the data contained in the documents (identity or income) presented by the data subject for the purposes of evaluating a request. It therefore presupposes that the member carries out a specific check with respect to a specific document presented in order to obtain the requested service.

In this case, the access carried out by the Bank on behalf of the Company is unlawful as it occurred without such a check having been carried out; it appears, in fact, that the complainant's tax return, an essential document for carrying out the comparison with the income information relating to her contained in SCIPAFI, was never acquired.

b. in relation to the subjective role (of controller or processor) held by the Company and the Bank, with reference to access to the data subject's data taken from SCIPAFI and subject to subsequent processing and inclusion in the watchlist, the Company itself, while declaring itself aware that the documentation produced (in particular, the 2019 DPA and the subsequent act called "renewal" of 2020) is unclear on the point, nevertheless believes that such deficiencies do not affect the requirements set out in art. 28, par. 3 of the GDPR and that, in any case, a relationship of controller and processor between the Company and the Bank, respectively, would emerge from the documents.

In this regard, it should be noted that at the time of the facts, the Bank, as an independent data controller, was required to access SCIPAFI exclusively in the context of carrying out its own specific activity (art. 30-ter, paragraphs 7 and 7-bis, Legislative Decree 141/2010, cit.); in this case, however, access was carried out to assess the data subject's position for the purposes of entering into a rental agreement (which is outside the Bank's own activities) with the Company (which is a different entity from the Bank, although belonging to the same group).

It follows that the Company, which was not among the entities that, at the time of the facts, could access SCIPAFI either directly or through entities adhering to the System, could not process the data subject's data either as data controller or by designating the Bank as data processor for this purpose, with the effect that the attribution of this role to the Bank by the Company was in violation of art. 28 of the GDPR;

c. while confirming the unsuitability of the information provided to the data subject, as it is generic and in any case not suitable to allow the latter to identify the type of data processed and their origin, with specific reference to the databases consulted and to whether access to the latter was carried out by the Company itself or by others in the group, the Authority takes note of what has been declared and documented by the Company in relation to the replacement of the previous information with the one "present on the Company's website available at the following address: https://www.drivalia.it/it/customer-service/privacyservizio/".

6. Conclusions: unlawfulness of the processing carried out.

In light of the preceding assessments, it is noted that the declarations made by the data controller in the defensive documents - for the truthfulness of which the declarant may be held liable pursuant to art. 168 of the Code - do not allow all the findings notified by the Office with the act of initiation of the proceeding to be overcome and are insufficient to allow the proceeding to be closed, since, moreover, none of the cases provided for by art. 11 of Regulation of the Guarantor no. 1/2019, concerning the internal procedures of the Authority having external relevance, apply.

The processing carried out by the Company is unlawful in the terms set out above, in relation to art. 5, par. 1, letter a), 13 and 28 of the GDPR.

Violation of the provisions referred to above entails the application of the administrative sanction provided for by art. 83, par. 4, letter a); par. 5, letters a) and b), of the GDPR.

7. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose the administrative pecuniary sanction provided for by art. 83, par. 5, of the Regulation, by adopting an injunction order (art. 18, Law 24 November 1981, no. 689).

The violation, ascertained in the terms set out in the reasons, cannot be considered "minor", taking into account the nature, gravity, degree of responsibility and the manner in which the supervisory authority became aware of the violation (recital 148 of the Regulation).

With reference to the elements listed in art. 83, par. 2, of the Regulation for the purposes of applying the administrative pecuniary sanction and its quantification, and taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), it is noted that, in the specific case, the following circumstances were considered:

- in relation to the nature and seriousness of the violation, weight was given to the nature of the violation, which concerned the organization of the entire processing with reference to the roles respectively held by the Company and the Bank at the time the facts occurred and, specifically, the lawfulness of the processing of the data relating to the data subject;

- in relation to the intentional or negligent nature of the violations, the conduct of the Company must be taken into account, which - despite being aware of the lack of authorization from the MEF to know, also through the Bank, the information contained in SCIPAFI - decided to access the watchlist made available by the Bank which contained information also taken from the aforementioned System, even if subsequently reworked;

- the cooperation provided by the Company during the investigation and the adjustments made in compliance with the principle of accountability (through the establishment of a new, more structured contractual framework, having signed a new service contract with an annexed new agreement pursuant to Article 28 of the GDPR) and with the principles of privacy by design and privacy by default, through the implementation of measures aimed at eliminating the visibility of the adverse reason linked to the numerical reason code as transmitted by the Bank through the watchlist;

- the absence of previous rulings by the Authority against the Bank with respect to the same case, as well as the absence of complaints similar to the one that is the subject of this provision.

Finally, it is noted that, during the proceedings, the Company updated the information in accordance with the provisions contained in Articles 5, par. 1, letter a) and 13 of the GDPR; therefore, there is no basis for ordering that the processing be brought into conformity with the provisions of the GDPR with respect to this profile.

Taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the fine (Article 83, par. 1, of the Regulation), it is believed that the economic conditions of the offender, determined on the basis of the revenues achieved by the Company with reference to the ordinary financial statements for the year 2022, are relevant in this case.

Since it is also considered necessary to apply paragraph 3 of Article 83 of the Regulation, which provides that "If, in relation to the same processing or linked processing, a controller [...] violates, with intent or negligence, several provisions of this Regulation, the total amount of the administrative pecuniary sanction shall not exceed the amount specified for the most serious violation", the total amount of the sanction is calculated so as not to exceed the maximum amount set forth in the same art. 83, par. 5, letter a), of the Regulation.

In light of the elements indicated above and the assessments carried out, it is deemed necessary to adopt, against Drivalia Leasys Rent S.p.A. (in abbreviated form Leasys Rent S.p.A.) - C.F./P.I. 05406791003, with registered office in Turin, Corso Orbassano 367 - the administrative sanction of the payment of a sum equal to Euro 250,000.00 (two hundred and fifty thousand euros and 00 cents).

In this context, it is also believed, in consideration of the type of violations ascertained, that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this provision on the website of the Guarantor and that the conditions set out in art. 17 of Regulation no. 1/2019 exist.

GIVEN ALL THE ABOVE, THE GUARANTOR

determines the unlawfulness of the processing carried out by Drivalia Leasys Rent S.p.A. (in abbreviated form Leasys Rent S.p.A.) - C.F./P.I. 05406791003 - in the person of the legal representative pro tempore, with registered office in Turin, Corso Orbassano 367, pursuant to art. 143 of the Code, for the violation of arts. 12, par. 3, and 15 of the Regulation;

ORDERS

pursuant to art. 58, par. 2, letter i), of the Regulation, Drivalia Leasys Rent S.p.A. (abbreviated to Leasys Rent S.p.A.) to pay the sum of Euro 250,000.00 (two hundred and fifty thousand euros and 00 cents) as a pecuniary administrative sanction for the violations indicated in this provision;

ORDERS

therefore the same Company to pay the aforementioned sum of Euro 250,000.00 (two hundred and fifty thousand euros and 00 cents) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981. It is noted that the offender has the right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 for the filing of the appeal, as indicated below (art. 166, paragraph 8, of the Code);

ORDERS

the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of Regulation of the Guarantor no. 1/2019, and holds that the conditions referred to in art. 17 of Regulation no. 1/2019 exist.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 6 June 2024

THE PRESIDENT
Stanzione

THE REPORTER
Scorza

THE GENERAL SECRETARY
Mattei