Cass.Civ. - 12967/2024

From GDPRhub
Cass.Civ. - 12967/2024
Courts logo1.png
Court: Cass.Civ. (Italy)
Jurisdiction: Italy
Relevant Law: Article 4(14) GDPR
Article 9(1) GDPR
Decided: 01.02.2024
Published: 13.05.2024
Parties: Garante per la protezione dei dati personali
Università commerciale Luigi Bocconi
National Case Number/Name: 12967/2024
European Case Law Identifier: ECLI:IT:CASS:2024:12967CIV
Appeal from: Tribunale di Milano (Italy)
8174/2022
Appeal to: Not appealed
Original Language(s): Italian
Original Source: Corte Suprema di Cassazione (in Italian)
Initial Contributor: fb

The Supreme Court ruled that data processed by an anti-cheating software which identifies the person falls into the scope of biometric data.

English Summary

Facts

On 16 September 2021, the Italian DPA issued a €200,000 fine against the controller, a university. While Covid-19 restrictions were in place, it used a proctoring software to ensure students were not cheating during the examination. Among other matters, the DPA found that the controller was processing biometric data without a legal basis.

The controller challenged the DPA decision before the Court of Milan. On 20 October 2022, this Court partially upheld the controller’s appeal and overturned the DPA decision. It ruled that the data that was processed did not fall into the definition of biometric data as per Article 4(14) GDPR.

On 12 January 2023, the DPA appealed the decision of the Court of Milan before the Supreme Court, which upheld the appeal and overturned the judgement.

Holding

Firstly, the court analysed whether the data processed fell into the definition of biometric data in accordance with Article 4(14) GDPR. The court reminded that, according to this definition, personal data is biometric data when (1) it results from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person and (2) this processing allows or confirms the unique identification of that natural person.

Secondly, the Supreme Court disagreed with the judgement of the Court of Milan: according to the former, this processing was actually involving biometric data. It observed that the software was not only filming students while they were taking the exam, but also analysing the recording. More specifically, it was detecting “unusual behaviours” and collecting these “anomalous elements” into a video. This video was then sent to the professor, who could then decide if a further investigation was necessary.

The court pointed out that, among other functions, this processing allowed to uniquely identify the person, as during all the recording time the software constantly checks if the person behind the camera is actually the student who is supposed to take the exam. According to the judges’ opinion, the fact that then the video is assessed by a human being (the professor) is irrelevant for the qualification of this data as biometric data.

As the Supreme Court is only allowed to rule on principles of law and not on matters of fact, the case was referred again to the Court of Milan.

Comment

This is the reason for which some topics, such as whether there was an exception for the processing of biometric data under Article 9(2)(g) GDPR and Article 2-sexies(2)(bb) of the Italian Data Protection Code, were not assessed.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

ITALIAN REPUBLIC

IN THE NAME OF THE ITALIAN PEOPLE

THE SUPREME COURT OF CASSATION

SECTION ONE CIVIL

Composed of the Honorable Magistrates:

Dr. GENOVESE Francesco Antonio - President

Dr. MELONI Marina - Councillor

Dr. TRICOMI Laura – Councilor - Rel.

Dr. IOFRIDA Giulia - Advisor

Dr. CAIAZZO Rosario - Councilor

uttered the following

ORDER

on the appeal registered under no. 801/2023 R.G. proposed by:

PERSONAL DATA PROTECTION GUARANTOR - PRIVACY, in the person of the legal representative. p.t., domiciled in ROME VIA DEI PORTOGHESI, at the STATE ADVOCATE GENERAL who represents him and defends him ope legis.

- recurring -

against

LUIGI BOCCONI COMMERCIAL UNIVERSITY, in the person of the legal representative, represented and defended, also separately by the lawyers Fabio Lepri, Stefano Previti, Enrico Del Guerra and Alessandra Grandoni, and electively domiciled at the second in Rome, via Cicerone n. 60, by virtue of a special power of attorney for disputes in documents.

- counterclaimant -

against the JUDGEMENT of the COURT of MILAN n. 8174/2022 filed on 10/20/2022.

Having heard the report carried out in the council chamber on 02/01/2024 by Councilor LAURA TRICOMI.
Conduct of the process

1.1. - With the contested sentence, the Court of Milan partially accepted the appeal brought by the Luigi Bocconi Commercial University of Milan against provision no. 317 of 16 September 2021, adopted pursuant to articles. 78 Reg (EU) 2016/679 (hereinafter also, "Regulation"), 152 of Legislative Decree no. 196/2003 (Code regarding the protection of personal data, hereinafter also, "Code") and 10 of Legislative Decree no. 150/2011, with which the Guarantor for the protection of personal data (hereinafter, the Guarantor), in noting that a processing of biometric data carried out by the appellant violated the articles. 5, par. 1, letter. a), c) and e), 6, 9, 13, 25, 35, 44 and 46, of the Regulation, as well as 2-sexies of the Code, had established, towards the University, provisions aimed at conforming the treatment to the regulation , pursuant to article 58, par. 2, letter. d), of the same text and had imposed on the same entity the pecuniary administrative sanction of 200,000.000 euros, as well as the ancillary sanction of the publication of the same provision on the Guarantor's website (see articles 58, par. 2, letter i, and 83, par. 5, of the Regulation and 166, paragraphs 2 and 7, of the Code).

1.2. - The opposite measure was adopted by the Guarantor following a control activity carried out following a student's complaint regarding the use of a "proctoring" supervision system, in the context of the written exam tests for students students, in order to identify the latter and/or verify their correct behavior during the video conference exam.

As can be seen from the contested sentence, Bocconi University, in April 2020, given the need - following the pandemic emergency - to carry out special exams with the video conference system, but in such a way as to guarantee their seriousness, had decided to equip themselves with software (called "Respondus") provided by the company Respondus Inc. (based in the USA), suitable for allowing the authenticity of the test to be verified and limiting the risks of its alteration as much as possible; a software whose use the students were informed through communications relating to the new methods of carrying out the exam tests.

Following the control activity, carried out in consultation with the University, the Guarantor, among other things, had found and contested various violations of the Regulation: articles 5, par. 1, letter. a), c) and e) (principles of lawfulness, correctness and transparency, principle of minimization of processing and principle of limitation of conservation); 13 (information); 25 (privacy by design and by default); 35 (data protection impact assessment); 44 (general principle for transfer); 46 (transfer subject to adequate guarantees). As well as the art. 2-sexies (processing of particular categories of personal data, necessary for reasons of significant public interest) of the Code.

1.3. - With the decision indicated in the epigraph, the Court stated that the operating mechanism of the "Respondus" software was not a subject of discussion between the parties, described in the sentence as a software that: "captures the video images and the student's screen identifying and marking with a flag the moments in which unusual and/or suspicious behavior is detected through video recording and snapshots taken at random intervals to keep track of anomalous behavior... At the end of the test, the system processes the video, inserting warning signals regarding possible indicators of incorrect behavior ... so that the teacher ... can then evaluate whether an unauthorized action has actually been committed during the test" (fol.12).

It therefore excluded that, in the case in question, Article 9 of Regulation 679/2016 could be applied, as instead considered by the Guarantor, observing that the regime outlined therein is applicable only to the processing of biometric data "intended to identify uniquely a natural person"; that the processing of biometric data for identification purposes refers to the automatic recognition of natural persons based on an analogue or digital representation of a biometric characteristic obtained at the end of an acquisition process; that there was no processing of biometric data according to the life cycle of biometric data, consisting of the sequence in four phases - according to the Description accredited by the Guarantor for the protection of personal data, Guidelines on biometric recognition and graphometric signature, 12 November 2014 - following: First phase or detection via specialized sensors (e.g. fingerprint scanner) or general purpose devices (e.g. video camera) of biometric characteristics (e.g. the individual's face); Second phase, according to which, following the detection, a biometric sample is acquired (e.g. facial image); Third phase, whereby biometric traits are extracted from the biometric sample (e.g. specific points on the face) suitable to constitute the biometric model which will be stored in a database; Fourth phase, so-called. of the comparison (or match), where the biometric model is compared with the actual characteristics of the individual and the comparison in question allows the univocal identification of the natural person.

In particular, the Court stated that the mere acquisition of a photo (or a video recording) does not constitute the processing of biometric data, but of common data; on the other hand, the processing in question implies obtaining - from a photo or a video - biological characteristics to derive a mathematical model of the face of the portrayed subject, for the purposes of recognition of the same and which, in the case in question, the processing was not configurable of biometric data because this purpose was not contemplated in the mechanism implemented by the Respondus software, since any possible evaluation was left to the teacher and there was no demonstration that the fourth phase, previously indicated (so-called comparison or match), had actually been implemented.

It therefore deemed applicable the regulations envisaged for common personal data, pursuant to art. 6 of the reg. 679/2016, and proceeded to examine the case in relation to it.

1.4. - From another perspective, regarding the international transfer of personal data, the Court stated that the Amendment Agreement signed between the University and the supplier company Respondus, dated 18 August 2020, was such as to prevent the international transfer of data personal. This is because the standard clauses (referred to in the European Commission Decision of 5 February 2010 no. 87/EU) had been attached to the amendment agreement. This annex is made up of two appendices: the first describes the type of treatment; the second indicates the technical and organizational measures implemented by the Respondus company and Amazon. The Court considered the attached clauses to be correct - albeit by simple reference - both on a formal and substantial level, deeming that compliance with them was suitable to guarantee the interested parties adequate protection compared to European standards. It considered that "pseudonymisation" (i.e. the use of pseudonyms to name the data acquired in relation to each individual) was an adequate protection measure.

1.5. - Conclusively, the Court, in partial acceptance of the appeal, confirmed provision no. 317 of 2021 of the Guarantor for the Protection of Personal Data, limited to the dispute referred to in the articles. 5 par. 1 letter a), 13 Reg. 679/2016, reducing the fine imposed to €10,000.000; confirmed provision no. 317 of 2021, pronounced by the Guarantor for the protection of personal data, regarding the application of the art. 58 Reg. 679/2016, limited to the prohibition on the transfer of personal data of interested parties to the United States of America, in the absence of adequate information guarantees and the obligation to communicate to the Authority the initiatives undertaken in order to implement this aspect ; condemned the Guarantor to repay the sum of Euro 190,000.00 to the Luigi Bocconi Commercial University, in addition to legal interest from 10.26.2021 to the balance.

1.6. - The Guarantor for the protection of personal data has appealed with three means, for the cassation of the sentence of the Court of Milan published on 20 October 2022.

The Luigi Bocconi Commercial University responded with a counter-appeal, supported by briefs.

Chamber negotiations have been arranged.
Reasons for the decision

2.1. - The first reason denounces the violation and false application of the articles. 6 and 9 par. 2, letter. g) regulation (EU) 2016/679 and art. 2 sexies, paragraph 2, letter. bb) of Legislative Decree no. 196/2003 (art. 360, first paragraph, no. 3 c.p.c.).

The judge of first instance decided to exclude the possibility, in this case, of the processing of biometric data, based on the consideration that the purpose of unique identification of the person required by art. 9, par. 1, of EU regulation no. 679/2016 would not be covered by the Respondus IT system used by the appellant University, as any possible evaluation on the point would be left to the teacher and there would therefore be no demonstration that phase four (of the comparison or match), set out in the Guidelines regarding biometric recognition and metric graph signature adopted by the Guarantor on 12 November 2014, has been concretely implemented.

According to the appellant, the thesis is incorrect and is the result of an incorrect interpretation of the art. 9 par. 2, letter. g), of the Regulation and of the art. 2 sexies, paragraph 2, letter. bb) of the Code, which are, however, fully applicable in this case.

2.2. - The reason is well founded and must be accepted.

2.3. - In European Union law, biometric data is personal data if it is used to uniquely identify a person. The processing of such data is regulated by three different Union acts: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as to the free circulation of such data; Directive 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by the competent authorities for the purposes of prevention, investigation, detection and prosecution of criminal offenses or enforcement of criminal sanctions , as well as the free circulation of such data; and Regulation 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons in relation to the processing of personal data by Union institutions, bodies, offices and agencies and on the free movement of such data . All these acts equally define biometric data as "personal data obtained by specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person which allow or confirm unique identification, such as facial image or data dactyloscopic" (art. 4 n. 14 of Regulation 2016/679; art. 3 n. 13 of Directive 2016/680; art. 3 n. 18 of Regulation 2018/1725), while the regulation on processing is different based on the specifically pursued purpose.

2.4. - In the case in question, Reg (EU) 2016/679 (Regulation) and Legislative Decree no. apply. 196/2003 (Code).

Recital 51 of the Regulation states: "Personal data which, by their nature, are particularly sensitive in terms of fundamental rights and freedoms deserve specific protection, since the context of their processing could create significant risks for the rights and fundamental freedoms. (...) The processing of photographs should not systematically constitute the processing of special categories of personal data, since they fall within the definition of biometric data only when they are processed using a specific technical device which allows for unique identification or the authentication of a natural person. Such personal data should not be processed, unless processing is permitted in the specific cases set out in this Regulation, taking into account that Member State law may lay down specific provisions on data protection to adapt the application of the rules of this Regulation for the purposes of compliance with a legal obligation or the execution of a task of public interest or for the exercise of public authority vested in the data controller. (...)".

Without prejudice to the definition of "processing" contained in art.4, par.1, n.2 of the Regulation, as "any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or modification, retrieval, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction", art. 9, par. 1, par. 2 lett. g) of the Regulation provides that: "1. It is prohibited to process personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as to process genetic data, biometric data intended to identify unambiguously a natural person, data relating to the person's health or sexual life or sexual orientation 2. Paragraph 1 shall not apply if one of the following cases occurs: (a) the data subject has given explicit consent. to the processing of such personal data for one or more specific purposes, except in cases where Union or Member State law provides that the data subject cannot revoke the prohibition referred to in paragraph 1 (...) g) the processing is necessary for reasons of important public interest on the basis of Union or Member State law, which must be proportionate to the purpose pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to protect the rights fundamentals and interests of the interested party".

Therefore, the art. 2-sexies of the Code (Processing of particular categories of personal data necessary for reasons of relevant public interest) establishes that "1. The processing of particular categories of personal data referred to in Article 9, paragraph 1, of the Regulation, necessary for reasons of significant public interest pursuant to paragraph 2, letter g) of the same article, are permitted if they are provided for by European Union law or, in the internal system, by provisions of law or regulation or by general administrative acts which specify the types of data that can be processed, the operations that can be performed and the reason of significant public interest, as well as the appropriate and specific measures to protect the fundamental rights and interests of the interested party. 2. Without prejudice to the provisions of paragraph 1, the public interest relating to processing carried out by subjects carrying out tasks of public interest or connected to the exercise of public powers in the following matters is considered relevant: (...) bb) education and training in the scholastic, professional, high school or university;".

2.5. - It is also appropriate to remember that in art.5, par. 1 of the Regulation, the principles with which the processing of personal data must overall comply are summarized as follows: a) "lawfulness, correctness and transparency"; b) "purpose limitation"; c) "data minimization"; d) "accuracy"; e) "storage limitation"; f) "integrity and confidentiality" and that, again, in art.5, par. 2, of Regulation 2016/679, the principle of responsibility ("accountability", in the English version) was expressly introduced with the clarification that "The data controller is competent to comply with paragraph 1 and is able to prove it ( "accountability ")".

The principle of "accountability" characterizes, in completely innovative terms, the entire system of Regulation 2016/679 (see, in addition to art.5 and among others, articles 23-25, art.28 and Recitals 74 and 78).

Indeed, the personal data protection system is no longer defined only with direct and precise provisions whose non-application leads to a sanction, but also as an objective to be achieved which obliges the owner to demonstrate respect and compliance with the processing of data. implemented, to the regulation, through the adoption of preventive internal policies and mechanisms suitable to guarantee such compliance; they must take the form of a series of specific and demonstrable activities, aimed at ensuring the management of the risk connected to the processing of personal data, so much so that the request to document the choices regarding the achievement of the set objective of protection of personal data is made explicit data.

It is useful to remember that the Court of Justice of the European Union (see, to this effect, the ruling of 16 January 2019, Deutsche Post, C-496/17, EU-C/2019/26, point 57 and the jurisprudence cited therein ) stated that any processing of personal data must, on the one hand, comply with the principles relating to the processing of those listed in Article 5 of the Regulation and, on the other hand, respond to one of the principles relating to the lawfulness of data processing listed in Article 6 of that regulation.

3.1. - In summary, as far as this case is concerned, the processing of biometric data intended to uniquely identify a natural person in the absence of the interested party's consent is prohibited pursuant to Regulation 2016/6790; the prohibition ceases and processing is permitted when it is necessary for reasons of significant public interest, in specific subjects, including education and training in a school, professional, high school or university context, in accordance with the provisions of the Legislative Decree. n. 196/2003, with the clarification that the processing "must be proportionate to the purpose pursued, respect the essence of the right to data protection and provide appropriate and specific measures to protect the fundamental rights and interests of the interested party", in line also with the principle of "responsibility" dictated by art.5, par. 2 of Regulation 2016/679.

3.2. - The Court stated that Respondus, described as software that "captures video images and the student's screen identifying and flagging moments when unusual and/or suspicious behavior is detected through video recording and snapshots taken at random intervals to keep track of anomalous behavior... At the end of the test, the system processes the video, inserting warning signals regarding possible indicators of incorrect behavior... so that the teacher... can then evaluate whether an act has actually been committed 'action not permitted during the test' (following 12), involves the mere acquisition of a photo (or a video recording) and does not constitute the processing of biometric data.

In this sequence, according to the Court, there would be no processing of biometric data aimed at uniquely identifying a natural person, given that the student examined by the software would not be identified through his biometric data collected and processed by the Respondus system, but by the teacher called to evaluate the final video.

3.3. – The conclusion is in contrast with the rules on the processing of personal data and the error that marks the reconstruction of the Court concerns the subsumption of the concrete case in the abstract case of processing of personal data, a genus which includes biometric data.

3.4. - As can be seen from the description of the functioning of the Respondus software (first mentioned and deduced from the contested sentence), this does not limit itself to video recording the exam test, but during the recording it captures images of the natural person carrying out the exam test and selects, through the creation of videos, taking snapshots at random intervals and the moments in which it detects unusual behavior. Precisely because of the simultaneous selection of the material collected regarding anomalous behaviours, at the end of the test, the same software creates a video in which the anomalous elements converge (marked by flags) which may relate to the confirmation or otherwise of the physical correspondence of the person examined with the student (already identified by the University as to be subjected to the test) and to further anomalies recorded; video that is submitted to the teacher for his final evaluation regarding the regularity of the test taken by the person.

It is clear from this that the video and photo recordings taken by Respondus do not only have the function of documenting the examination test, but are characterized by the simultaneous processing and selection of the material, collected from moment to moment, a selection which converges in the identification and reporting of anomalous behavior, through the production of the final video.

The Court failed to consider that this overall activity integrates an autonomous and complex processing of the biometric data acquired and processed by the same software, and also concerns the confirmation of the identity of the natural person examined, as provided for by art.4, n.14 of the Regulations, since the outcome of this processing is only submitted ex post to the teacher for his evaluation regarding the regularity of the test.

As recalled by the Court itself, the life cycle of biometric data consists of the sequence in four phases - according to the Description accredited by the Guarantor for the protection of personal data, Guidelines on biometric recognition and graphometric signature, 12 November 2014 - which sees:

a) A first phase, with detection using specialized sensors (e.g. fingerprint scanner) or general purpose devices (e.g. video camera) of biometric characteristics (e.g. the individual's face);

b) A second phase: following the detection, a biometric sample is acquired (e.g. facial image);

c) A third phase: traits are extracted from the biometric sample (e.g. specific points on the face) suitable for constituting the biometric model which will be stored in a database;

d) A fourth phase, so-called. of the comparison (or match): the biometric model is compared with the actual characteristics of the individual and the comparison in question allows the univocal identification of the natural person.

The contested decision does not appear to have correctly taken into account these indications, because it neglected to consider that, in the procedure implemented through the use of the Respondus software, as described by the Court itself, the fourth comparison phase appears to take place during the entire filming, on the basis of the computer processing of the data acquired and processed from time to time through the creation of flags relating to anomalous behaviour, which may also concern the confirmation of the identity correspondence of the person filmed on video with that of the student to be examined, precisely because already identified by the University, and that the final control of the exam, entrusted to the natural person teacher, does not exclude (nor is it incompatible with) the automated processing of biometric data, where already implemented through the use of the software, and does not exempts from the discipline dictated by article 9 of Regulation 2016/679.

3.5. - The plea, which is therefore well founded, must be accepted and the Court, upon referral, will have to proceed with the re-examination, adhering to the following principle of law:

"With regard to the processing of personal data, pursuant to art. 9 of Regulation (EU) 2016/679, biometric data is processed, as defined by art. 4, n. 14 of Regulation 2016/679, when personal data are obtained through specific automated technical processing, carried out with software which, based on recordings and analyzes of the physical, physiological or behavioral characteristics of a natural person, processes them, highlighting anomalous behaviors or elements, and which reaches a final outcome, consisting of an elaborate video/photo that allows (or confirms) the univocal identification of the natural person, the circumstance that the final outcome of the processing is subsequently subjected to the final verification of a natural person remaining irrelevant".

4.1. - The second reason denounces the violation and false application of the articles. 44, 45 and 46 Regulation (EU) 2016/679; of the articles 3, 4 and 5 of the contractual clauses attached to Decision no. 2010/87/EU European Commission; art. 1321 c.c. (art. 360 first paragraph, n. 3 c.p.c.).

In the opinion of the appellant, the sentence should also be quashed with reference to what was erroneously held by the Court regarding the international transfer of personal data, on the observation that the Amendment Agreement signed by the University and the company Respondus, dated 18 August 2020 , was such as to prevent the international transfer of personal data.

Furthermore, the contested decision would be erroneous, where it considered that the "pseudonymization" of the data processed was an "adequate" measure, without considering that the processed data, coinciding with the face of a person, could always lead to the identification of the same, regardless of the additional data available to the owner.

4.2. - The reason is well founded and must be accepted.

4.3. - With the ruling of 16 July 2020 relating to case C-311/18, the European Court of Justice declared invalid the Commission's decision 2016/1250 on the adequacy of the protection offered by the Privacy Shield regime, the EU-US shield for the protection of personal data transferred to the United States. However, it judged decision 2010/87 relating to the Standard Contractual Clauses (SCC) to be valid for the transfer of personal data to recipients established in third countries.

Following this decision, an amendment agreement signed on 18 August 2020 was signed between Bocconi University and the Respondus company, with which the standard contractual clauses dictated in the European Commission Decision of 5 February 2010 no. were implemented. 87/EU.

The Court held that the agreement thus reformulated was such as to prevent the international transfer of personal data, precisely because the standard clauses referred to in Decision 2010/87/EU were attached to the amendment agreement.

In particular, the Court, noting that the annex is made up of two appendices, the first of which describes the type of processing and the second indicates the technical-organizational measures implemented by Responsus and by Amazon Web Service, sub-manager of Respondus, deemed the clauses attached by simple reference to be correct, both on a formal and substantive level, observing that compliance with them was suitable to guarantee the interested parties adequate protection compared to European standards.

On a formal level, the Court argued by recalling the jurisprudence of legitimacy which admitted that the content of a contractual clause can be determined by reference to a document external to the contract itself; on a substantive level, concerning the adequacy of the standard contractual clauses and additional guarantees, the Court recognized an "evidentiary flaw" in the argument put forward by the Guarantor.

4.4. - These conclusions are wrong.

4.5. - It is worth recalling that the Commission Decision of 5 February 2010 relating to standard contractual clauses for the transfer of personal data to processors established in third countries pursuant to Directive 95/46/EC of the European Parliament and of the Council, underlines, among other things, the central position assumed by the interested party (i.e. the natural person whose personal data are processed) by stating, in Recitals 19 and 20, that "(19) It is appropriate that the standard contractual clauses can be enforced not only by the organizations that stipulate the contract but also by the people to whom the data refers, in particular where any breach of the contract would be detrimental to them." and that the interested party must be able to take legal action, also for the purposes of compensation for damages, against the exporter who is responsible for the processing of the personal data transferred and, under certain conditions, against the importer or one of his subs appointed for violation of the obligations established by clause 3 of the Annex.

Furthermore, in Article 1, it is specified that "The standard contractual clauses reported in the annex constitute sufficient guarantees for the protection of private life and the fundamental rights and freedoms of persons, as well as for the exercise of related rights pursuant to the Article 26(2) of Directive 95/46/EC."

And indeed, the relevant Annex "Standard Contractual Clauses ("Data Processors")" expressly introduces with clause 3 (third party beneficiary clause) the rights that the interested party can assert - depending on the case - both with reference to the same clause 3, both in relation to clause 4, letters b) to i), to clause 5, letters a) to e) and g) to j), to clause 6, paragraphs 1 and 2, to clause 7, to clause 8, paragraph 2, and clauses 9 to 12 as a third party beneficiary, towards the exporter, importer or sub-processor, also through representation by an association or other organisation, where such representation corresponds to the explicit will of the interested party and is permitted by national legislation.

It should therefore be highlighted that clause 4, par. 1, letter. c) and clause 5, letter. c) of the standard clauses, expressly provide that the security measures must be "indicated in Appendix 2" and that Appendix 2 itself specifies that it "constitutes an integral part of the contractual clauses and must be completed and signed by the parties", contemplating a specific section, called "Description of the technical and organizational security measures implemented by the importer in accordance with clause 4, letter d) and clause 5, letter c) (or the attached legislative document/act)" and that such provisions are also effective with reference to the "interested party", who is not a contracting party, but a third party beneficiary.

In light of these provisions, the Court's thesis according to which the content of the contractual clauses containing the security measures can be determined by reference to a document external to the contract itself is incorrect, considering that this principle cannot be applied in this case, in as the contractual will of the parties, lex specialis of the synallagmatic relationship, was expressed in a very different sense, precisely through the integral transposition of the provisions of the Commission Decision of 5 February 2010 and its annexes, especially annex two and by the provisions contained therein, especially since - as already mentioned - the contract in question assisted by the standard contractual clauses for the transfer of personal data to data processors established in third countries not only obliges the contracting parties between them, but also regulates the rights of the third beneficiary which could be circumvented and frustrated, where the security obligations were not objectively identified or identifiable, even more so where the security measures could only be consulted through repeated access to the supplier's website and could change without express renegotiation between the contractors adequately accessible to the third beneficiary.

It is worth remembering that with the ruling of 16 July 2020 relating to case C-311/18, the European Court of Justice not only declared the Commission's decision 2016/1250 on the adequacy of the protection offered by the Privacy Shield regime invalid, it EU-USA shield for the protection of personal data transferred to the United States and instead judged decision 2010/87 relating to the Standard Contractual Clauses (SCC) for the transfer of personal data to recipients established in third countries to be valid, but also specified (in summary, in dispositive) that "Article 46, paragraph 1, and Article 46, paragraph 2, letter c) of Regulation 2016/679 must be interpreted as meaning that adequate guarantees, rights enforceable and the effective remedies required by those provisions must ensure that the rights of persons whose personal data are transferred to a third country on the basis of standard data protection clauses enjoy a level of protection substantially equivalent to that guaranteed domestically. of the Union by that regulation, read in the light of the Charter of Fundamental Rights of the European Union. To this end, the assessment of the level of protection guaranteed in the context of such a transfer must, in particular, take into account both the contractual clauses agreed between the controller or processor established in the Union and the recipient of the established transfer in the third country concerned as regards possible access by the public authorities of that third country to the personal data thus transferred, the relevant elements of the latter's legal system, in particular those set out in Article 45(2) of said Regulation." and that "Article 58(2)(f) and (j) of Regulation 2016/679 must be interpreted as meaning that, unless there is an adequacy decision validly adopted by the European Commission, the authority competent supervisory authority is required to suspend or prohibit a transfer of data to a third country carried out on the basis of standard data protection clauses adopted by the Commission, if that supervisory authority considers, in light of all the circumstances specific to such transfer, that the aforementioned clauses are not or cannot be respected in that third country and that the protection of the transferred data required by Union law, in particular by Articles 45 and 46 of that Regulation and by the Charter of Fundamental Rights, cannot be guaranteed with other means, where the controller or processor established in the Union has not themselves suspended the transfer or put an end to it.". In this regard, it must be noted that, in the case in question, the failure to explain the security measures in Annex 2, in contrast with what is provided for therein, the uncontested complexity of the IT access method to the security measures and the The uncertainty regarding their content, as highlighted by the Supervisory Authority, are circumstances that should have been expressly assessed by the Court with regard to the applicability of art. 58, par. 2, letter. f) and j), of Regulation 2016/679.

4.6. - At the end of the review, the substantial question of the adequacy or otherwise of the standard contractual clauses and additional guarantees remains absorbed, resolved by the Court by improperly recognizing an "evidentiary defect" in the argument put forward by the Guarantor.

4.7. - The question introduced regarding the renewed pseudonymisation of the data also remains absorbed in the outcome of the review, given that the decision on this point is invalidated by the erroneous qualification of the data processed as common personal data rather than as biometric data, i.e. personal data obtained from a specific automated technical processing, relating to the physical, physiological or behavioral characteristics of a natural person which allow or confirm unambiguous identification, such as, in this case, the facial image.

5. - The third reason, which in the alternative, denounces the failure to examine a decisive fact for the judgment which was the subject of discussion between the parties (art. 360, first paragraph, n. 5 c.p.c.) with reference to the part of the sentence in which the Court redetermined the sanction applicable to the opposing party, is absorbed.

6. - In conclusion, the first two grounds of appeal must be accepted and the third declared absorbed; the contested sentence is quashed with the case being referred to the Court of Milan in the person of a different magistrate, for the re-examination of the dispute in light of the principles set out and the payment of the costs also of the present proceedings.
P.Q.M.

- Accepts the first and second reasons; declares the third absorbed;

- Dismisses the contested sentence in relation to the reasons accepted and sends the case back to the Court of Milan in the person of a different magistrate, who is entrusted with also providing for the costs of the legitimacy judgement;
Conclusion

Thus decided in Rome, in the council chamber of the First Civil Section, on 1 February 2024.

Filed in the Clerk's Office on May 13, 2024.