Cass.Civ. (Italy) - 27189/2023

From GDPRhub
Revision as of 13:47, 10 November 2023 by Ar (talk | contribs)
Cass.Civ. (Italy) - 27189/2023
Courts logo1.png
Court: Cass.Civ. (Italy)
Jurisdiction: Italy
Relevant Law: Article 83 GDPR
Article 10 of Legislative Decree No 150 of 2011
Article 166 of the Italian Privacy Code
Decided: 14.09.2023
Published:
Parties: Garante per la Protezione dei Dati Personali
National Case Number/Name: 27189/2023
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): Italian
Original Source: Supreme Court of Cassation of Italy (in Italian)
Initial Contributor: ar

The Italian Supreme Court ruled that the fine imposed by the Italian DPA on a delivery company was not excessive and did not breach Article 83 GDPR.

English Summary

Facts

On 10 June 2021, the Italian DPA issued a €2,600,000 fine against the defendant, a delivery company, for violation of the GDPR regarding the processing of personal data of platform workers. The defendant appealed this decision to the Court of Appeal.

The Court of Appeal annulled the decision of the DPA because although the decision of the DPA was legitimate in terms of the violation found, its decision of the sanction was not. The Court of Appeal found that the fine imposed by the DPA amounted to 7.29% of the defendant's annual worldwide turnover, and thus significantly higher than the 4% parameter mentioned in Article 83(5)(a) GDPR and even higher than the average percentage (0.0019%) applied by the DPA to other sanctioned entities. It thus annulled the measure, however, without modifying the amount of the sanction as the Court of Appeal did not have this power under Article 10 of Legislative Decree No 150 of 2011.

The Italian DPA appealed this decision to the Italian Supreme Court.

Holding

The main issue addressed by the Italian Supreme Court and brought by the DPA is the infringement or misapplication of Article 83 GDPR and Article 166 of the Italian Privacy Code, given that the sanction imposed was compliant with the provisions.

The Supreme Court reiterated that Article 83 GDPR regulates the general conditions for imposing administrative sanctions, and each supervisory authority shall ensure that the administrative fines imposed are ‘in each individual case’ effective, proportionate and dissuasive. To be determined based on certain elements listed in Article 83(2) GDPR. The Supreme Court further noted that in the case of an intentional or negligent breach of several provisions of the GDPR, Article 83(3) GDPR requires that the maximum penalty shall not exceed ‘the amount specified for the gravest infringement’. In this perspective, the amount is set out in paragraphs 4 and 5 of Article 83 GDPR. Both present two types of administrative fines as alternative sanctions. Respectively, an ordinary penalty of up to €10,000,000 or a proportional one of up to 2% of the annual turnover and up to €20,000,000 or 4% of the annual turnover.

The Supreme Court clarified that the second type of proportional fine does not aim to mitigate the set limit amount provided by the ordinary penalty but is an additional amount to be used if it determines a higher penalty than the ordinary one. As can be easily deduced from the final phrase of the provision (whichever is higher). According to the Supreme Court, this was completely omitted by the Court of Appeal. It added that the Court of Appeal also did not consider that the defendant’s annual turnover worldwide in 2019 amounted to €35,654,375. This means that the sanction did not exceed the maximum permissible penalty under Article 83 GDPR since the penalty of 4% of the defendant's annual worldwide turnover was also lower than €20,000,000.

Regarding the statement by the Court of Appeal asserting that the sanction was unlawful because it allegedly exceeded the average percentage applied in other cases, the Supreme Court noted that it did so without specifying which other instances it was referring to.

The Supreme Court further assessed the Court of Appeal’s statement of not having the power to modify the amount of the sanction under Article 10 of Legislative Decree No 150 of 2011. The Supreme Court ruled that the article read with Article 166 of the Privacy Code leads to the assertion that even in disputes concerning personal data, it may annul all or part of the decision as long as the amount is not less than the minimum penalty.

Therefore, the Supreme Court approved the DPA’s motive for appeal, set aside the judgement in relation to the upheld grounds and referred the case back to the Court of Appeal for the costs of the appeal.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.