Garante per la protezione dei dati personali (Italy) - 10007060

From GDPRhub
Garante per la protezione dei dati personali - 10007060
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(e) GDPR
Article 12(3) GDPR
Article 15 GDPR
Article 21(2) GDPR
Type: Complaint
Outcome: Upheld
Started: 27.01.2022
Decided: 22.02.2024
Published:
Fine: 90,000 EUR
Parties: Coop Italia Società Cooperativa
National Case Number/Name: 10007060
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: im

The DPA fined Coop Italia €90,000 for failing to assist a data subject in exercising their rights. Additionally, the ex officio investigation revealed an excessive 5-year storage period for the data of users contacting customer service via social platforms.

English Summary

Facts

On 27 January 2022, a data subject contacted the Italian DPA (‘Garante’) regarding the processing activities by Coop Italia Società Cooperativa (‘Coop Italia’ or ‘controller’), one of the largest supermarket chains in Italy. The data subject purchased an e-sim from CoopVoce, Coop Italia’s phone operator service. He kept receiving promotional messages from the controller and, therefore, objected to the processing of his data for these purposes under Article 21(2) GDPR. Additionally, the data subject filed an access request under Article 15 GDPR. The data subject did not receive any response from the controller while he continued receiving additional promotional messages. Therefore, the data subject filed a complaint with the Garante.

The controller replied to the Garante’s information request, admitting that it had sent two further promotional text messages after receiving the objection to processing. It explained that it had failed to respond to the requests due to a mere and quite exceptional internal misunderstanding. Nevertheless, the data subject contested Coop Italia’s reply on the merits.

The Garante conducted an inspection at Coop Italia focused on monitoring marketing and profiling activities. The inspection addressed aspects that were not covered by the complaint and revealed that the controller collected a multitude of data as part of the CoopVoce telephone service.

In particular, the controller collected telephone and traffic data, internet browsing data, and position and/or geolocation data related to the use of the e-sim card. The Garante noted that consent covering such a significant and diverse array of personal data might not be specific and free, as required for the legal basis under Article 6(1)(a) GDPR. The controller said that this data was necessary to perform the contractual obligations undertaken by Coop Italia to provide its services. For the purpose of direct marketing, the controller stated that it processed only the name and contact data provided by the data subject, in compliance with the consent given. In its view, this encompassed several other purposes such as market research, economic and statistical analysis.

Moreover, the controller collected images, videos and audio recordings to promote its events and fairs. In this regard, the controller claimed that such processing was based on documents signed by the individuals involved. The legal basis was the free and specific consent of the interested parties. The photos and audio-video recordings are kept for a maximum period of 5 years, which the DPA noted is excessive for these purposes.

Lastly, the investigation also revealed that the controller processed identification data, contact details, images and other personal data from its social platforms. The processing of this data was based on consent, for the purpose of promotional activities and for responding to users' requests. The controller retained this data for a period of 5 years, which the Garante also considered excessive.

Holding

The DPA took the view that, regardless of the non-systemic nature of the infringement, the failure to help data subjects exercise their right to object to the processing is detrimental to the fundamental right to data protection. Article 15 GDPR, concerning the data subject's right of access, should be complied with together with Article 12(3) GDPR, which requires a response to requests made 'without undue delay' and 'within a period of 30 days'. For the failure to do so, the DPA established an infringement of Articles 12(3), 15 and 21(2) GDPR.

In regard to the processing of telephone, traffic, browsing and position data, the DPA decided to set aside the objection concerning the infringement of Article 6(1)(a) GDPR. Since the collection and use of such data took place to perform the contractual obligations to provide services, and the data used for direct marketing was limited to name and contact data whose processing the data subjects had consented to, the processing was in compliance with the GDPR.

However, the DPA did not agree with Coop Italia's categorization of statistical and economic analysis as a form of processing for direct marketing purposes. It argued that these activities necessitate separate consent, distinct from marketing activities. Combining them under a single marketing consent was misleading since they were utilized for profiling. The DPA instructed the controller to revise the consent acquisition process accordingly.

Moreover, the DPA acknowledged the controller’s defense argument regarding the preservation of photos and video recordings based on documents signed by the individuals involved. The DPA clarified that, in general, contractual autonomy can affect data storage timelines, unless adequate information about data processing and clear contractual terms are provided. Therefore, the DPA dismissed the objection of the excessive storage limitation.

Lastly, the DPA stated that the data retention period for the processing of data from social platforms lacked clear criteria for its determination and appeared to be excessive for promotional purposes and invasive of individuals' privacy, especially that of users who are not customers. Therefore, the DPA deemed it necessary to uphold the relevant objection for breach of Article 5(1)(e) GDPR regarding storage limitation.

As a result of the foregoing, Coop Italia was held liable for breach of Article 5(1)(e), Article 12(3), Article 15 and Article 21(2) GDPR, for which the DPA imposed a fine of €90,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 10007060]

Provision of 22 February 2024

Register of measures
n. 130 of 22 February 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and lawyer Guido Scorza, members, and Councillor Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter the "Code");

HAVING SEEN the documentation on file;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor Regulation n. 1/2000;

RAPPORTEUR: lawyer Guido Scorza;

1. THE INTERESTED PARTY'S REPORT REGARDING THE EXERCISE OF HIS RIGHTS AND THE RELATED INVESTIGATION.

A reporting party contacted this Office on 27 January 2022, reiterating and clarifying a previous communication of 7 April 2021 regarding Coop Italia Società Cooperativa (hereinafter also referred to as the "Company" or "Coop Italia"). In particular, the reporting party stated that:

a) on 10 December 2021, as a customer, he had written, by email, to Coop Italia (with specific regard to the "CoopVoce" service) to object to the processing for promotional purposes and to find out what personal data the Company held;

b) on 17 December 2021 the Company sent him a communication, again by email, in which it simply declared that it had registered his refusal to receive promotional communications;

c) therefore, on 20 December 2021, he had reiterated his request for access to his personal data and deletion of the same, which however, as far as the file showed, had remained unanswered;

d) the Company had continued to send him promotional messages via text message, thus showing that it had not followed up on his opposition.

On 15 April 2022, the Office launched a preliminary investigation in this regard, formulating a request for information and documentary elements, to which the Company responded only on 27 December 2022, stating that the interested party's requests "for a mere and a completely exceptional internal mix-up… they were considered to have escaped…, but in reality they were not correctly tried”. Furthermore, the Company admitted having sent two further promotional text messages (even after the objection to the processing), specifying that it had proceeded, according to "standard procedure", with the deletion of the data subject's data "within the terms of the law", retaining only those required by law, and that it had offered the interested party, due to the "mistake" that occurred, a promotional bonus.

On 5 May 2022, the reporting party - to whom the Office's request and the Company's response were addressed for appropriate information - disputed Coop's response on the merits, also highlighting that he had not given any consent for promotional purposes.

2. THE INVESTIGATIVE ACTIVITY.

2.1. Request for information and audits.

In addition to the specific report, as part of the more general control activity of marketing and profiling activities, an inspection was carried out at the Company between 4 and 6 April 2023. The Company then sent a note on the following 4 May, lifting the reservations contained in the inspection reports, and replied - with notes dated 24 and 28 July - to the request for additional information and documentation sent by this Authority on 4 July 2023.

In light of the overall elements acquired, including the registration procedures on the Company's websites, the following critical issues emerged, with particular regard to the Coopvoce service; to the collection of images and other personal data during holidays and events; as well as the collection of data on social platforms. These critical issues were reported in the act of initiating the administrative procedure and contesting the administrative violations of 1 December 2023, prot. n. 1742054, notified to Coop Italia on the same date by certified email, which must be considered fully referenced and reproduced here.

2.2. The processing of personal data relating to the use of e-sims.

With reference to paragraph A) of the dispute, regarding the processing of personal data relating to the use of telephone accounts via e-sim, it was found that - in addition to the aforementioned failure to respect the interested party's right to object - the Company processes such data “including telephone and/or telematic traffic data and internet navigation and/or position and/or geolocation data (obtained via GPS and/or position services or functions and/or with identification of mobile phones and antennas, including wi-fi and/or postal code and/or city name), subject to the "specific" consent of the interested party:

1. "point b.i), ... for purposes functional to market research, economic and statistical analysis, direct sales, marketing, sending of advertising/information/promotional material and updates on initiatives and offers to customers (marketing). These activities may concern mobile and personal electronic communications products and services provided by COOPItalia as well as other products and services of COOPItalia, products and services of COOPItalia Associates and/or products and services of companies belonging to and/or connected to the Coop system, and/ or products and services of its commercial partners, and may be carried out by COOPItalia both with traditional methods (listed, but not limited to, mail, calls with operator, etc.) and with automated contact methods (listed, but not limited to exhaustive, sms, mms, fax, voice, e-mail and web applications, calls without operator";

2. "point b.ii) ... may be communicated to third parties (Coop system companies) in order to receive from them, both with traditional methods (listed, but not limited to, mail, calls with operator, etc.) or with automated contact methods (including, but not limited to, sms, mms, fax, voice, email and web applications, unattended calls), their advertising material and commercial information (third-party marketing)”;

3. "point b.iii) ... may be communicated to third parties (other commercial partners) in order to receive from them, both with traditional methods (listed, but not limited to, mail, calls with operator) and with automated methods of contact (including, but not limited to, sms, mms, fax, telephone calls, emails and web applications, unattended calls), their advertising material and commercial information (third party marketing);

4. "point b.iv) ... may be processed by COOPItalia for profiling purposes and relating to the analysis and identification of behaviours, habits, preferences and consumer choices and for the definition of commercial profiles that allow it to offer better services or targeted offers and dedicated”;

5. "point b.v) ... the same data may be communicated to third parties (Coop system companies) for their profiling purposes and for the definition of commercial profiles that allow them to offer better services or targeted and dedicated offers";

6. "point b.vi) ... may be communicated to third parties (other commercial partners) for their profiling purposes and for the definition of commercial profiles ...".

With reference to the aforementioned points (from b.i to b.vi), the complaint noted that the consent cannot be said to be specific and free, as it refers to a considerable and varied mass of personal data, which is also decidedly relevant with respect to the right to data protection such as "telephone and/or electronic traffic and internet navigation data and/or position and/or geolocation (obtained via GPS and/or services or functions on the position and/or with identification of mobile phones and also wi-fi antennas and/or postal code and/or city name)”. Furthermore, the Company warns that third parties may use all possible contact methods to convey their promotional communications, increasing the level of impact on the fundamental rights indicated above.

The violation, based on what was highlighted in the complaint, was even more significant in the cases (marked by: b.ii; b.iii; b.v; b.v.i) in which the data are intended to circulate outside the sphere of management and control of Coop, falling within the availability of third parties, who - pursuing their own promotional and profiling purposes - are to be considered independent data controllers, and therefore legitimated to process the data in question based on their own purposes and methods ( see art. 28 of the EU General Regulation no. 679/2016, hereinafter “Regulation”).

Furthermore, with limited reference to point b.i, it was noted that the congeries of activities-purposes indicated ("market research, economic and statistical analyses, direct sales, marketing, sending of advertising/information/promotional material and updates on initiatives and offered to customers..."), cannot be associated with the request for a single consent, at least as a separate consent must be prepared for the specific economic and statistical analysis activities.

Given the incorrect collection, the provision in the same information according to which this "consent is optional and may be revoked by you at any time" is not relevant to remedy the hypothesized unlawful processing. In case of lack of consent or revocation, you will still be able to use the Services, but your data cannot be processed for the purposes described in the aforementioned points.

2.3. The processing of personal data collected during "events and fairs".

With reference to paragraph B) of the dispute, in the text of the “Privacy Policy Events and Fairs Information”, it was found that: “In particular, the following personal data of the interested party may be processed: • photographs, images, videos and/or audio recordings; 2. Purpose and legal basis of the processing 2.1 The data provided by the interested party will be processed for the publicization of the event: during demonstrations, fairs and/or public events, they could be carried out by the Data Controller, and/or journalists, and/or expressly authorized photographers and/or videomakers, audio and/or video recordings and/or photographs, to promote events on websites and/or social profiles (e.g. Facebook, YouTube, Instagram, Twitter, etc.), radio, TV, newspapers, magazines, brochures, catalogs and/or other paper promotional material; … 5. Data retention times: photographic images and audio and video recordings will be kept in the Data Controller's archives, in relation to their possible use for the purposes indicated, for a period of five years.”

Furthermore, from the analysis of the "video and photo information poster for various events" (annex 2 to the aforementioned response of 28 July 2023), it emerged that, according to what the Company asserted: "The photographs and videos in question concern the trade fair activities to be understood as demonstrations or events of a public nature, participation in the event entails consent to the processing given unless otherwise denied. Only with specific consent, photographs and/or video footage that directly and explicitly portray the interested party may be published for promotional purposes on paper materials or electronic/digital channels (e.g. brochures, flyers, websites, social networks, etc.). In this last case the interested party can deny consent, thus making it impossible to process the data for these specific purposes. We remind you that, pursuant to articles 15 and following of the GDPR, you may have access to such data at any time, view it, request its modification or deletion from our archives, lodge a complaint with the authority, or oppose their use, provided except for any dissemination that cannot be controlled by the Data Controller, by writing to the Data Controller" at an email address of the Company.

With respect to these processing operations, it was found that the provision of a period - albeit a maximum one - of 5 years for the storage of the data in question is excessive compared to the purposes indicated in the aforementioned letters a) and b) - i.e. marketing ones and, even more so, those of mere feedback to interested parties or social caring - also taking into account the considerable amount of data collected and processed. Furthermore, reference must be made to the general provision of 24 February 2005, 'Fidelity cards' and guarantees for consumers. The rules of the Guarantor for loyalty programs' - [doc. web no. 1103045], according to which - without prejudice to the validity of the consent, if originally correctly collected, for promotional and profiling purposes - the retention of the details of the interested party's personal data can be carried out, respectively, for a maximum period of 24 months and 12 months.

2.4. The processing of personal data collected through social platforms.

With reference to paragraph C) of the dispute, the following emerged from reading the text of the "Privacy Policy on Social Networks".

In addition to Facebook, “CoopItalia Soc. Coop. it also has accounts on other social networks, namely:

• Instagram - to consult the relevant legislation on Privacy (link) and Cookies (link);

• Twitter - to consult the relevant legislation on Privacy (link) and Cookies (link);

• YouTube - to consult the relevant legislation on Privacy (link) and Cookies (link);

• Linkedin … This privacy policy is intended for any CoopItalia social page ….

1. Type of personal data being processed - ...; identifiers, contact details (telephone, email), images and audio-video recordings, any personal data of users/visitors that can be deduced from posts on social media (e.g. personal data such as name and surname, images/videos portraying them, etc.) and related statistical data (e.g. FB Insights). 2. Purpose and legal basis of the processing - ... a) carry out brand awareness, engagement and lead generation campaigns on social channels for commercial, promotional and institutional purposes (image and video posts, announcements, promos, etc.); ... b) respond to any requests from users/visitors of the social pages (posts, comments as well as requests for contact and/or assistance, so-called "social caring")... The direct publication of posts and contents by users-visitors on the social pages managed by CoopItalia Soc. Coop. (referred to in letter b) will be considered as free and specific consent of the interested parties. … 4. Data retention times - the images (photos and audio-video recordings) will be stored in the archives of CoopItalia Soc. Coop., in relation to their possible use for the purposes indicated, for a maximum period of 5 years …”.

In the complaint it was noted that - while admitting that there is no general obligation to acquire specific consent for all cases of video recording/photographic activity and any subsequent publication - the indication relating to the data retention period ( referred to in the aforementioned point 5) is lacking in the criterion used to establish it and moreover - considering the type of data (the image of the person, rather than his contact details) - excessive with respect to the propaganda/promotional purposes of the Company, also taking into account that in this case a data dissemination activity is carried out, as such, which is decidedly invasive with respect to the personal sphere of the interested parties.

2.5. Conclusions and notification of alleged violations pursuant to art. 166, paragraph 5, of the Code.

Overall, the following violations were therefore recognisable, with the aforementioned complaint of 1 December 2023:

• with reference to paragraph A) of the dispute: art. 15, relating to the right of access of the interested party, also through art. 12, par. 3 of the Regulation, which requires responses to requests made "without unjustified delay and, in any case, at the latest, within the maximum period of 30 days from receipt" of the same; as well as art. 21, par. 2, of the Regulation, which guarantees the right to object, "at any time", to the processing of data for promotional purposes;

• again with reference to the aforementioned paragraph A): art. 6 of the Regulation and art. 130 of the Code, and, more generally, the principles of lawfulness and correctness, referred to in art. 5, par. 1, lett. a), of the Regulation;

• with reference to paragraphs B) and C) of the dispute: art. 5, par. 1, lett. e) of the Regulation, which establishes the principle of storage limitation, also based on the aforementioned general provision of 24 February 2005.

Based on the above, it was necessary to notify the Company, on 1 December 2023, with the aforementioned act of initiation of the procedure, of the alleged violation of the following provisions of the Regulation:

- art. 5, par.1, letters a) and e);

- art 6;

- art. 12, par.3;

- art. 15,

- art. 21, par.2;

- as well as the art. 130 of the Code.

With the same note, the Company was informed of the start of the procedure for the possible adoption of the measures referred to in article 58, par. 2, of the Regulation and for the possible application of the economic sanctions referred to in art. 83, par. 4 and 5 of the Regulation.

3. THE DEFENSIVE ACTIVITY OF THE COMPANY.

3.1. The defense brief.

3.1.1. The exercise of rights pursuant to art. 15-22 of the Regulation.

With the defense statement of 31 January 2024, to which reference is made in full, Coop stated, also pursuant to art. 168 of the Code, that, following the initial reports of the reporting party in December 2021 and January 2022 and subsequent communications, it had already taken steps to carefully analyze the situation and fully understand the reasons that led to an incomplete processing of the first request for access and deletion of personal data, despite that request having been answered within the time limit via email from CoopVoce Customer Service on 17 December 2021 (see attachment 1), and answered completely and definitively on a subsequent date. Following this internal analysis, Coop Italia has adopted a series of improvement measures to further refine its internal procedures for managing requests to exercise rights.

The Company highlighted that, with the exception of the isolated report referred to in paragraph 1 above, it has always correctly handled requests to exercise rights, "the response (to the aforementioned interested party) having to be considered an exceptional and completely isolated case" as reported in the letters dated 4 and 18 May 2022 sent by Coop Italia via certified e-mail to the user and the Authority, finally received by the Guarantor, on 27 December 2022, "due to a transcription error of the certified email address towards the GPDP" (see Annex 2); in the response dated 18 May 2022 "evidence of the recording of the logs relating to the giving of consent of the interested party is also provided."

3.1.2. The processing of personal data relating to the use of e-sims.

The Company has declared that personal data (and in particular the various 'metadata' relating to customer data and voice traffic), as mentioned in the information, "are used for distinct and specific purposes. The collection and use of such data does not only take place to pursue the purposes based on consent but also, and above all, to carry out the contractual obligations assumed by Coop Italia towards its customers for the purpose of providing the telephony service and data communications… Coop Italia in using data for direct marketing specifically uses only the personal information (name and surname) and contact data (e-mail and text message) provided by the interested party, in compliance with the consent given.” As regards the communication of data to third parties for marketing purposes, in the Company's opinion, "this practice is carried out in full compliance with current legislation, subject to the explicit consent of the interested party, and in compliance with the indications dictated by the Authority", adding that "... there is no transfer or communication of customer data to third parties for the purposes mentioned above, except in the context of specific initiatives."

Furthermore, with limited reference to point b.i, and in particular to the congeries of activities/purposes indicated ("market research, economic and statistical analyses, direct sales, marketing, sending of advertising/informative/promotional material and updates on initiatives and offers to customers...") and for which a single consent is requested from the interested parties, in the opinion of the Company, these purposes and activities, "although distinct in their specific expressions, can all reasonably be classified within the broader category of direct marketing, promotional and commercial communication", in the context of “a genus-to-species relationship, where each particular activity is a specific manifestation of the broader concept of marketing and commercial communication. This grouping is intended not only for greater clarity and user understanding, but also to ensure a cohesive and integrated approach within our marketing strategies.”

3.1.3. The processing of personal data collected during events and fairs.

With regard to the retention of personal data collected during events and fairs, Coop Italia wished to clarify that "such data, including images, audio and video recordings, are part of multi-year projects that involve recurring appointments which therefore require the reuse of the aforementioned materials. The conservation of participants' data therefore also derives from the need for "celebratory reporting" of the various editions created through videos, books, posters, leaflets, etc... to create a story of continuity and tradition which also translates into the word trust and recognition of Coop Members and Customers."

Furthermore, their retention takes place on the basis of releases signed by the interested parties, which also include civil obligations (image rights, use pursuant to articles 10 and 320 of the Civil Code, and articles 96 and 97 of Law 633/1941). Therefore, the established retention period also reflects these obligations and is not necessarily aligned with the time limits established for the retention of data for promotional purposes.

The above represents the "reason" for determining this retention period.

3.1.4. The processing of personal data collected through social platforms.

Coop Italia has specified that it will not proceed with "the direct acquisition of personal data of social network users for storage in its systems, or in any case for processing via a platform integrated into those of the social network of reference, except in very specific contexts, such as the response to requests for information and assistance, managed by the Customer Care office, and the evaluation of any complaints, all other activities being limited (for example, the publication of commercial content, reporting and sharing of "posts" also of users who follow Coop Italia's social pages) within the exclusive perimeter of ownership of the relevant social network, according to the rules of the platforms themselves".

In the Company's opinion, "the five years of retention of requests for assistance, complaints, etc. are parameterized to the need that Coop Italia has to demonstrate that it has fully complied with customer/user requests, as well as to manage any complaints coming from these channels: this, in essence, represents the "motivation" for determining such a retention period...".

3.1.5. The quantification criteria referred to in art. 83, par. 2, of the Regulation.

In this regard, Coop has, among other things, stated that:

- the case of the whistleblower was an opportunity to verify and refine its internal procedures for managing requests to exercise rights by interested parties;

- from the first request for information and during the inspection, it provided the widest cooperation;

- there are no specific corrective measures already adopted by the Authority with reference to the specific violation complained of;

- “CoopVoce is recognized for the high quality of customer service and has received significant praise from consumers… (also) compliance with legislation on the protection of personal data; CoopVoce operates in a highly competitive market characterized by low profit margins (see attachment no. 6 "CoopVoce and the mobile telephony market"); “… it also had to face huge investments to free itself from Telecom Italia and first take charge of the direct management of data traffic and, from 2023, also the management of the voice component”; with reference to the last decade, "... CoopVoce's operating income has remained essentially constant at 2014 levels in the face of ... above all a growth in technological costs of over six (6) times and in the presence of significant investments linked to infrastructure ( transition to Full-MVNO and development of VoLTE technology) (ref. annex 6 “CoopVoce and the mobile telephony market” p. 3); ... the pandemic and the consequent effect on physical stores, from which CoopVoce draws the majority of its customers, led to a significant reduction in the flow of new customers, despite a significant increase in advertising costs, which more than tripled in period."

3.2. The Company's hearing.

On 6 February 2024, the Company - in reiterating what was already partially represented during the inspection and through the defense brief - confirmed the measures already adopted in relation to the complaints received, underlining its broad willingness to implement what was further established by this Authority and representing the following:

In particular, the Company, with reference to the only report in question, pointed out that the interested party has not presented any further complaints since May 2022. More generally, the procedure for managing the rights of interested parties has been carefully reviewed and rearticulated, for the purposes of greater uniformity and to guarantee a tight deadline (approximately 2 weeks or a maximum within 30 days); in particular, the interested party instantly receives an email which assures him of receipt and prompt response, also thanks to the exact tracking of the request in our systems (see attached table: annex n.1); furthermore, since February 2023, it has created a new special Coopvoce certified email address to channel interested parties' requests, in addition to the ordinary email address; both addresses are present on the coopvoce website. Furthermore, the Company highlighted that:

1) the cooponline site was closed (non-food products) due to lack of customers;

2) it referred to the losses and the negative trend that has affected the Company since 2021, referred to in the 2024 memorandum;

3) with respect to the issue of data retention of images collected and stored for a period of time - generally 5 years - it has attached specific authorization forms (one for adults; one for minors, entrusted to parents or other persons exercising parental responsibility) with express clauses regarding the transfer of image rights pursuant to art. 10 of the Civil Code and the copyright law (annexes 2 and 3);

4) it is in the process of placing online privacy information that is increasingly clear and simple and therefore easily usable, assisted by figurative icons, in compliance with the EDPB Guidelines on transparent information;

5) with reference to the communication of data, including traffic data, to third parties, it specified that these are Coop group companies that receive such data in their systems; however, promotional communications are sent directly by Coop Italia using the contact details available; in any case these are specific initiatives, as specified in the memorandum;

6) with particular reference to the data of users and customers, collected through social platforms, the Company, in acceptance of the indication contained in the complaint received from the Authority, has changed the retention period, reducing it from 5 years to 6 months.

4. LEGAL ASSESSMENTS OF THE AUTHORITY.

4.1. Exercise of rights pursuant to art. 15-22 of the Regulation.

While taking note of the non-systematic nature of the violation which concerns, as far as the documents are concerned, only one interested party, it must nevertheless be highlighted, in consideration of the relevance of the right to object to processing for marketing purposes, which - if not channeled into the right tracks of correct processing - is detrimental to the right to protection of personal data and the rights of the person connected to it. The hypothesized violation of arts. 6; 12, par. 3; 15; 21, par. 2, of the Regulation, as well as of art. 130 of the Code, must therefore be confirmed.

The Authority - in consideration of the above as well as the alleged review of the procedures relating to the exercise of rights by interested parties - does not believe it is necessary to adopt corrective measures in this regard.

4.2. The processing of personal data relating to the use of e-sims.

Given the varied multitude of data collected as part of the Coopvoce service, and in particular "telephone and/or electronic traffic data and internet navigation and/or position and/or geolocation data (obtained via GPS and/or services or functionality on the location and/or with identification of mobile phones and antennas, including wi-fi and/or postal code and/or city name)", Coop has, however, represented in its brief that "The collection and use of such data ... takes place ... above all, to fulfill the contractual obligations assumed by Coop Italia towards its customers for the purposes of providing the telephony and data communications service .... Coop Italia in the use of data for direct marketing specifically uses only the personal details (name and surname) and contact details (e-mail and text message) provided by the interested party, in compliance with the consent given."

It is therefore deemed necessary to archive what was observed in the complaint regarding the violation of art. 6, par. 1, letter a), of the Regulation and not to have to order any corrective measures in this regard.

From a different perspective, despite what Coop claims, the concept of marketing cannot be expanded so much as to also include the peculiar statistical and economic analysis activities, which are structurally different from promotional ones. In this regard, it is not worth referring to the 2013 Guidelines, for two important reasons:

the Authority, in the 2013 Guidelines referred to by the Company, referred only to the purposes typified by the art. 130, paragraph 1, of the Code, i.e. "those of sending advertising material, direct sales, carrying out market research and commercial communication [...]" believing that only "the aforementioned activities - and not also further purposes, such as those of economic and statistical analysis - "are functional, in most cases, to pursue a single marketing purpose (lato sensu), with the consequence that the connected processing appears to justify - always as a rule - the acquisition of a single consent.";

a non-specific consent is not free as it determines a coercion of the will of the interested party, with consequent violation of the principles of correctness of the processing, and of the freedom to express consent (a principle already enshrined in art. 23 of the previous Code). Each processing purpose, other than contractual, administrative and accounting purposes (e.g. profiling, marketing, etc.) requires, however, free, specific, informed and distinct consent for each of them (art. 6, par. 1, letter a, of the Regulation). This capacity for self-determination is not ensured when consent is collected in an undifferentiated manner to pursue distinct purposes, although each of them can be pursued individually in the presence of an autonomous evaluation and determination of the interested party. This orientation finds full and constant correspondence also in the provisions of this Authority and which was confirmed even after the full operation of the Regulation (see provision dated 12 June 2019, web doc. no. 9115; provision dated 15 January 2020, web document no. 9256486);

the Regulation has further strengthened the principle of consent, together with its requirements of freedom, specificity and, in addition, unequivocality (see: articles 5, par. 1, letter a, and 7, par. 4; and in particular recital 32, but also recitals 39, 40, 42 and 43).

On the basis of the overall results of the investigation conducted, it is possible to include these statistical and economic activities in the profiling activity, with respect to which, according to what has been declared, they stand in a close and direct connection, since they are necessary and preparatory to carrying out profiling, especially of an aggregate type. However, the inclusion of these activities in the request for consent for marketing and not profiling purposes diverts this expression of will from the actual purpose of the processing. It is therefore deemed necessary to confirm the relevant dispute (art. 6, par. 1, letter a), of the Regulation) and to order the modification of the formula for acquiring consent for marketing activities, expunging the reference to "statistical and economic activities".

4.3. The processing of personal data collected during "events and fairs".

In this regard, and in particular with reference to the conservation of photos and video recordings, this Authority deems it necessary to take into account the defensive exception formulated by the Company, i.e., specifically, that such "conservation takes place on the basis of releases signed by the interested parties, which also include obligations of a civil nature (image rights, use pursuant to articles 10 and 320 of the Civil Code, and articles 96 and 97 of Law 633/1941)", guaranteeing interested parties the exercise of their rights regarding the protection of data. In this sense, the Authority wishes to clarify, from a more general perspective, that the contractual autonomy of private individuals, pursuant to art. 1321 c.c. - provided that in the face of persistent fulfillment of the obligation to provide suitable information for the processing as well as clear contractual terms and conditions - can legitimately affect the timing of data retention, but cannot derogate from the fundamental rights of the interested parties referred to in arts. 15-22 of the Regulation, as ensured, in this case, by Coop.

In the aforementioned terms it is therefore deemed necessary to archive the relevant dispute (art. 5, par. 1, letter e)) and not to order any corrective measures.

4.4. The processing of personal data collected through social platforms.

In this regard, if the five-year retention of data relating to "requests for information and assistance, managed by the Customer Care office" can be admitted, with particular reference to those submitted by customers, the same cannot be said for data relating to mere users, for which the legal basis of the contract does not exist and no reason of necessity is discernible. Furthermore, it seems necessary to this Authority to distinguish between the data of active customers and that of terminated customers. Within the aforementioned limits, it is therefore deemed necessary to confirm the relevant dispute (art. 5, par. 1, letter e)). Given, however, what the Company has declared regarding the drastic reduction in the retention times of data collected via social media, it is not considered necessary to order any corrective measures.

5. CONCLUSIONS.

In light of all the above, the liability of Coop Italia is considered established - albeit within the aforementioned limits and specifications - in relation to the following violations of the Regulation:

- art. 5, par. 1, letter e);

- art. 12, par.3;

- art. 15;

- art. 21, par.2;

- as well as the art. 130 of the Code.

Having ascertained the illegality of the above-described conduct of the Company and also considering what is represented above by this Authority, it is necessary to adopt the following corrective measure against the same: order the modification of the formula for acquiring consent for marketing activities, expunging the reference to "statistical and economic activities".

With regard to the processing already carried out, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to arts. 58, par. 2, letter i) and 83, par. 5, of the Regulation.

6. ORDER INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION

The violations confirmed above require the adoption of an injunction order, pursuant to arts. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Coop Italia of the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation.
In this regard, for the determination of the maximum amount, reference must be made, pursuant to the aforementioned provisions of the Regulation, to the turnover of the Company as deduced from the ordinary financial statements for the year 2022 (707,800,006 euros), from which it follows that the aforementioned statutory maximum amounts to €28,312,000.00.

To determine the amount of the sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1), it is necessary to take into account the elements indicated in the art. 83, par. 2, of the Regulation.

Among the circumstances to be taken into consideration in the specific case, the high number of interested parties whose data were collected through the CoopVoce website and subsequently transmitted for specific initiatives to third parties must be considered as an aggravating factor (letter a).

At the same time, the following are to be considered as mitigating circumstances:

1. the negligent nature of the violations found, mostly linked to an incorrect interpretation of the relevant legislation (letter b);

2. the timely adoption of corrective measures, with specific reference to the procedures for managing the rights of interested parties and the retention times of user and customer data collected through social platforms (letter c);

3. the absence of previous violations and therefore of previous corrective and sanctioning measures (letter e);

4. the constant and fruitful collaboration with this Authority (letter f);

5. the significant economic losses "and the negative trend that has affected the Company since 2021", referred to in the defense brief and the hearing minutes (letter k).

Based on all the elements indicated above, in application of the aforementioned principles of effectiveness, proportionality and dissuasiveness referred to in art. 83, par. 1 of the Regulation, also taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, also in order to limit the economic impact of the sanction on the organisational, functional and employment needs of the Company, it is believed that, in the terms set out above, the administrative sanction of the payment of a sum of €90,000.00, equal to 0.31% of the statutory maximum, should be applied to Coop Italia.

Please remember that, pursuant to art. 170 of the Code, anyone who, being obliged, does not comply with this provision prohibiting processing is punished with imprisonment from three months to two years and that, in case of non-compliance with the same provision, the sanction referred to in art. 83, par. 5, letter e), of the Regulation applies.

In the case in question, it is believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, should also be applied, taking into account the sensitivity of the matter under investigation (processing of traffic data and retention times of data collected through social platforms) as well as the need for non-discrimination compared to similar cases (see: provision of 8 June 2023, web document no. 9909907;

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of the violations detected herein in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation.

ALL OF THE ABOVE CONSIDERED, THE GUARANTOR

a) pursuant to art. 57, par. 1, letter f), of the Regulation, declares unlawful, within the terms set out in the justification, the processing carried out by Coop Italia Società Cooperativa, with registered office in Via del Lavoro, 6-8, Casalecchio Reno (Bologna), VAT no. 01515921201; and, as a result, towards the same:

b) pursuant to art. 58, par. 2, letter d), orders the modification of the formula for acquiring consent for marketing activities, eliminating the reference to "statistical and economic activities";

c) pursuant to art. 157 of the Code, orders to communicate to the Authority, within 30 days from the notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, par. 5, of the Regulation.

ORDERS

pursuant to art. 58, par. 2, letter i), of the Regulation, Coop Italia Società Cooperativa, in the person of its legal representative, to pay the sum of 90,000 euros (ninety thousand/00), as a pecuniary administrative sanction for the violations indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 90,000 (ninety thousand/00) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of law no. 689/1981;

PROVIDES FOR

as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, the publication of this provision on the Guarantor's website and, pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation, of the violations and measures adopted.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as arts. 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the owner of the personal data processing has his residence, or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 22 February 2024

PRESIDENT
Stanzione

THE SPEAKER
Scorza

THE GENERAL SECRETARY
Mattei

[doc. web no. 10007060]

Provision of 22 February 2024

Register of measures
n. 130 of 22 February 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the councilor Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/CE (General Data Protection Regulation, hereinafter “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter the "Code");

HAVING SEEN the documentation on file;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor Regulation n. 1/2000;

SPEAKER: the lawyer Guido Scorza;

1. THE INTERESTED PARTY'S REPORT REGARDING THE EXERCISE OF HIS RIGHTS AND THE RELATED INVESTIGATION.

A reporter contacted this Office on 27 January 2022, reiterating and clarifying a previous communication of 7 April 2021 to Coop Italia Società Cooperativa (hereinafter also referred to as the "Company" or "Coop Italia"). In particular, the whistleblower represented that:

a) on 10 December 2021, as a customer, he had written, by email, to Coop Italia (with specific regard to the "CoopVoce" service) to object to the processing for promotional purposes and to find out what personal data the same Company held;

b) on 17 December 2021 the Company sent him a communication, again by email, in which it simply declared that it had registered his refusal to receive promotional communications;

c) therefore, on 20 December 2021, the same person had reiterated his request for access to his personal data and cancellation of the same, which however, as far as the documents were concerned, had remained unanswered;

d) the Company had continued to send him promotional messages via text message, thus showing that it had not followed up on his opposition.

On 15 April 2022, the Office launched a preliminary investigation in this regard, formulating a request for information and documentary elements, to which the Company responded only on 27 December 2022, representing that the interested party's requests "for a mere and a completely exceptional internal mix-up… they were considered to have escaped…, but in reality they were not correctly tried”. Furthermore, the Company admitted to having sent two further promotional text messages (even after the opposition to the processing), specifying that it had proceeded with the cancellation according to "standard procedure" of the interested party's data "within the terms of the law", retaining only those mandatory by law, and that it had offered the same interested party, due to the "mistake" that occurred, a promotional bonus.

On 5 May 2022, the reporting party - to whom the Office's request and the Company's response were addressed for appropriate information - contested Coop's response on the merits, also highlighting that he had not given any consent for promotional purposes.

2. THE INVESTIGATIVE ACTIVITY.

2.1. Request for information and audits.

In addition to the specific report, as part of the more general control activity of marketing and profiling activities, an inspection was carried out at the Company between 4 and 6 April 2023. The latter then sent a note on the following 4 May, dissolving the reservations contained in the inspection reports and provided feedback - with notes dated 24 and 28 July - to the request for additional information and documentation, sent by this Authority on 4 July 2023.

In light of the overall elements acquired, including the registration procedures on the Company's websites, the following critical issues emerged, with particular regard to the Coopvoce service; to the collection of images and other personal data during holidays and events; as well as the collection of data on social platforms. These critical issues were reported in the act of initiating the administrative procedure and contesting the administrative violations of 1 December 2023, prot. n. 1742054, notified to Coop Italia on the same date by certified email, which must be considered fully referenced and reproduced here.

2.2. The processing of personal data relating to the use of e-sims.

With reference to paragraph A) of the dispute, regarding the processing of personal data relating to the use of telephone accounts via e-sim, it was found that - in addition to the aforementioned failure to respect the interested party's right to object - the Company processes such data “including telephone and/or telematic traffic data and internet navigation and/or position and/or geolocation data (obtained via GPS and/or position services or functions and/or with identification of mobile phones and antennas, including wi-fi and/or postal code and/or city name)”, subject to the "specific" consent of the interested party:

1. "point b.i), ... for purposes functional to market research, economic and statistical analysis, direct sales, marketing, sending of advertising/information/promotional material and updates on initiatives and offers to customers (marketing). These activities may concern mobile and personal electronic communications products and services provided by COOPItalia as well as other products and services of COOPItalia, products and services of COOPItalia Associates and/or products and services of companies belonging to and/or connected to the Coop system, and/or products and services of its commercial partners, and may be carried out by COOPItalia both with traditional methods (listed, but not limited to, mail, calls with operator, etc.) and with automated contact methods (including, but not limited to, sms, mms, fax, voice, e-mail and web applications, calls without operator)";

2. "point b.ii) ... may be communicated to third parties (Coop system companies) in order to receive from them, both with traditional methods (listed, but not limited to, mail, calls with operator, etc.) or with automated contact methods (including, but not limited to, sms, mms, fax, voice, email and web applications, unattended calls), their advertising material and commercial information (third-party marketing)”;

3. "point b.iii) ... may be communicated to third parties (other commercial partners) in order to receive from them, both with traditional methods (listed, but not limited to, mail, calls with operator) and with automated methods of contact (including, but not limited to, sms, mms, fax, telephone calls, emails and web applications, unattended calls), their advertising material and commercial information (third party marketing)";

4. "point b.iv) ... may be processed by COOPItalia for profiling purposes and relating to the analysis and identification of behaviours, habits, preferences and consumer choices and for the definition of commercial profiles that allow it to offer better services or targeted and dedicated offers”;

5. "point b.v) ... the same data may be communicated to third parties (Coop system companies) for their profiling purposes and for the definition of commercial profiles that allow them to offer better services or targeted and dedicated offers";

6. "point b.vi) ... may be communicated to third parties (other commercial partners) for their profiling purposes and for the definition of commercial profiles ...".

With reference to the aforementioned points (from b.i to b.vi), the complaint noted that the consent cannot be said to be specific and free, as it refers to a considerable and varied mass of personal data, which is also decidedly relevant with respect to the right to data protection such as "telephone and/or electronic traffic and internet navigation data and/or position and/or geolocation (obtained via GPS and/or services or functions on the position and/or with identification of mobile phones and also wi-fi antennas and/or postal code and/or city name)”. Furthermore, the Company warns that third parties may use all possible contact methods to convey their promotional communications, increasing the level of impact on the fundamental rights indicated above.

The violation, based on what was highlighted in the complaint, was even more significant in the cases (marked by: b.ii; b.iii; b.v; b.vi) in which the data are intended to circulate outside the sphere of management and control of Coop, falling within the availability of third parties, who - pursuing their own promotional and profiling purposes - are to be considered independent data controllers, and therefore legitimated to process the data in question based on their own purposes and methods (see art. 28 of the EU General Regulation no. 679/2016, hereinafter “Regulation”).

Furthermore, with limited reference to point b.i, it was noted that the congeries of activities-purposes indicated ("market research, economic and statistical analyses, direct sales, marketing, sending of advertising/information/promotional material and updates on initiatives and offers to customers..."), cannot be associated with the request for a single consent, at least insofar as a separate consent must be provided for the specific economic and statistical analysis activities.

Given the incorrect collection, the provision in the same information according to which this "consent is optional and may be revoked by you at any time" is not relevant to remedy the hypothesized unlawful processing. In case of lack of consent or revocation, you will still be able to use the Services, but your data cannot be processed for the purposes described in the aforementioned points.

2.3. The processing of personal data collected during "events and fairs".

With reference to paragraph B) of the dispute, in the text of the “Privacy Policy Events and Fairs Information”, it was found that: “In particular, the following personal data of the interested party may be processed: • photographs, images, videos and/or audio recordings; 2. Purpose and legal basis of the processing 2.1 The data provided by the interested party will be processed for the publicization of the event: during demonstrations, fairs and/or public events, they could be carried out by the Data Controller, and/or journalists, and/or expressly authorized photographers and/or videomakers, audio and/or video recordings and/or photographs, to promote events on websites and/or social profiles (e.g. Facebook, YouTube, Instagram, Twitter, etc.), radio, TV, newspapers, magazines, brochures, catalogs and/or other paper promotional material; … 5. Data retention times: photographic images and audio and video recordings will be kept in the Data Controller's archives, in relation to their possible use for the purposes indicated, for a period of five years.”

Furthermore, from the analysis of the "video and photo information poster for various events" (annex 2 to the aforementioned response of 28 July 2023), it emerged that, according to what the Company asserted: "The photographs and videos in question concern the trade fair activities to be understood as demonstrations or events of a public nature, participation in the event entails consent to the processing given unless otherwise denied. Only with specific consent, photographs and/or video footage that directly and explicitly portray the interested party may be published for promotional purposes on paper materials or electronic/digital channels (e.g. brochures, flyers, websites, social networks, etc.). In this last case the interested party can deny consent, thus making it impossible to process the data for these specific purposes. We remind you that, pursuant to articles 15 and following of the GDPR, you may have access to such data at any time, view it, request its modification or deletion from our archives, lodge a complaint with the authority, or oppose their use, provided except for any dissemination that cannot be controlled by the Data Controller, by writing to the Data Controller" at an email address of the Company.

With respect to these processing operations, it was found that the provision of a time - albeit maximum - of 5 years for the storage of the data in question is excessive compared to the purposes indicated in the aforementioned letters a) and b) - i.e. marketing ones and, even more so, those of mere feedback to interested parties or social caring - also taking into account the considerable amount of data collected and processed. Furthermore, reference must be made to the provisions of the general provision of 24 February 2005, 'Fidelity cards' and guarantees for consumers. The rules of the Guarantor for loyalty programs' - [doc. web no. 1103045], according to which - without prejudice to the validity of the consent, if originally correctly collected, for promotional and profiling purposes - the retention of the details of the interested party's personal data can be carried out, respectively, for a maximum period of 24 months and 12 months.

2.4. The processing of personal data collected through social platforms.

With reference to paragraph C) of the dispute, the following emerged from reading the text of the "Privacy Policy on Social Networks".

In addition to Facebook, “CoopItalia Soc. Coop. also has accounts on other social networks, namely:

• Instagram - to consult the relevant legislation on Privacy (link) and Cookies (link);

• Twitter - to consult the relevant legislation on Privacy (link) and Cookies (link);

• YouTube - to consult the relevant legislation on Privacy (link) and Cookies (link);

• Linkedin … This privacy policy is intended for any CoopItalia social page ….

1. Type of personal data being processed - ...; identifiers, contact details (telephone, email), images and audio-video recordings, any personal data of users/visitors that can be deduced from posts on social media (e.g. personal data such as name and surname, images/videos portraying them, etc.) and related statistical data (e.g. FB Insights). 2. Purpose and legal basis of the processing - ... a) carry out brand awareness, engagement and lead generation campaigns on social channels for commercial, promotional and institutional purposes (image and video posts, announcements, promos, etc.); ... b) respond to any requests from users/visitors of the social pages (posts, comments as well as requests for contact and/or assistance, so-called "social caring")... The direct publication of posts and contents by users-visitors on the social pages managed by CoopItalia Soc. Coop. (referred to in letter b) will be considered as free and specific consent of the interested parties. … 4. Data retention times - the images (photos and audio-video recordings) will be stored in the archives of CoopItalia Soc. Coop., in relation to their possible use for the purposes indicated, for a maximum period of 5 years …”.

In the complaint it was noted that - while admitting that there is no general obligation to acquire specific consent for all cases of video recording/photographic activity and any subsequent publication - the indication relating to the data retention period (referred to in the aforementioned point 5) is lacking in the criterion used to establish it and moreover - considering the type of data (the image of the person, rather than his contact details) - excessive with respect to the propaganda/promotional purposes of the Company, also taking into account that in this case a data dissemination activity is carried out, as such, which is decidedly invasive with respect to the personal sphere of the interested parties.

2.5. Conclusions and notification of alleged violations pursuant to art. 166, paragraph 5, of the Code.

Overall, the following violations were therefore recognisable, with the aforementioned complaint of 1 December 2023:

• with reference to paragraph A) of the dispute: art. 15, relating to the right of access of the interested party, also through art. 12, par. 3 of the Regulation, which requires responses to requests made "without unjustified delay and, in any case, at the latest, within the maximum period of 30 days from receipt" of the same; as well as art. 21, par. 2, of the Regulation, which guarantees the right to object, "at any time", to the processing of data for promotional purposes;

• again with reference to the aforementioned paragraph A): art. 6 of the Regulation and art. 130 of the Code, and, more generally, the principles of lawfulness and correctness, referred to in art. 5, par. 1, letter a), of the Regulation;

• with reference to paragraphs B) and C) of the dispute: art. 5, par. 1, letter. e) of the Regulation, which establishes the principle of limitation of conservation, also based on the aforementioned general provision of 24 February 2005.

Based on the above, it was necessary to notify the Company, on 1 December 2023, with the aforementioned act of initiation of the procedure, of the alleged violation of the following provisions of the Regulation:

- art. 5, par.1, letters a) and e);

- art. 6;

- art. 12, par. 3;

- art. 15;

- art. 21, par.2;

- as well as the art. 130 of the Code.

The same note also gave notice of the start of the procedure for the possible adoption of the measures referred to in article 58, par. 2, of the Regulation and for the possible application of the economic sanctions referred to in art. 83, par. 4 and 5 of the Regulation.

3. THE DEFENSIVE ACTIVITY OF THE COMPANY.

3.1. The defense brief.

3.1.1. The exercise of rights pursuant to art. 15-22 of the Regulation.

With the defense statement of 31 January 2024, to which reference is made in full, Coop stated, also pursuant to art. 168 of the Code, that, following the initial reports of the reporter in December 2021 and January 2022 and subsequent communications, it had already taken steps to carefully analyze the situation and fully understand the reasons that led to an incomplete processing of the first request of access and deletion of personal data, despite being found within the terms via email from CoopVoce Customer Service on 17 December 2021 (see attachment 1), and found completely and definitively on a subsequent date. Following this internal analysis, Coop Italia has adopted a series of improvement measures to further refine its internal procedures for managing requests to exercise rights.

The Company highlighted that, with the exception of the isolated report referred to in paragraph 1 above, it has always correctly handled requests to exercise rights, "the response (to the aforementioned interested party) having to be considered an exceptional and completely isolated case" as reported in the letters dated 4 and 18 May 2022 sent by Coop Italia via certified e-mail to the user and the Authority, finally received by the Guarantor, on 27 December 2022, "due to a transcription error of the certified email address towards the GPDP" (see Annex 2); in the response dated 18 May 2022 "evidence of the recording of the logs relating to the giving of consent of the interested party is also provided."

3.1.2. The processing of personal data relating to the use of e-sims.

The Company has declared that personal data (and in particular the various 'metadata' relating to customer data and voice traffic), as mentioned in the information, "are used for distinct and specific purposes. The collection and use of such data does not only take place to pursue the purposes based on consent but also, and above all, to carry out the contractual obligations assumed by Coop Italia towards its customers for the purpose of providing the telephony service and data communications…. Coop Italia in using data for direct marketing specifically uses only the personal information (name and surname) and contact data (e-mail and text message) provided by the interested party, in compliance with the consent given." As regards the communication of data to third parties for marketing purposes, in the Company's opinion, "this practice is carried out in full compliance with current legislation, subject to the explicit consent of the interested party, and in compliance with the indications dictated by the Authority", adding that "... there is no transfer or communication of customer data to third parties for the purposes mentioned above, except in the context of specific initiatives."

Furthermore, with limited reference to point b.i, and in particular to the congeries of activities/purposes indicated ("market research, economic and statistical analyses, direct sales, marketing, sending of advertising/informative/promotional material and updates on initiatives and offers to customers...") and for which a single consent is requested from the interested parties, in the opinion of the Company, these purposes and activities, "although distinct in their specific expressions, can all reasonably be classified within the broader category of direct marketing, promotional and commercial communication", in the context of "a genus-species relationship, where each particular activity is a specific manifestation of the broader concept of marketing and commercial communication. This grouping is intended not only for greater clarity and user understanding, but also to ensure a cohesive and integrated approach within our marketing strategies."

3.1.3. The processing of personal data collected during events and fairs.

With regard to the conservation of personal data collected during events and fairs, Coop Italia wished to clarify that "such data, including images, audio and video recordings, are part of multi-year projects that involve recurring appointments which therefore require the reuse of the aforementioned materials. The conservation of participants' data therefore also derives from the need for "celebratory reporting" of the various editions created through videos, books, posters, leaflets, etc... to create a story of continuity and tradition which also translates into the word trust and recognition of Coop Members and Customers."

Furthermore, their conservation takes place on the basis of releases signed by the interested parties, which also include civil obligations (image rights, use pursuant to articles 10 and 320 of the Civil Code, and articles 96 and 97 of Law 633/1941). Therefore, the established retention period also reflects these obligations and is not necessarily aligned with the time limits established for the retention of data for promotional purposes.

The above represents the "reason" for determining this retention period.

3.1.4. The processing of personal data collected through social platforms.

Coop Italia has specified that it will not proceed with "the direct acquisition of personal data of social network users for storage in its systems, or in any case for processing via a platform integrated into those of the social network of reference, except in very specific contexts, such as the response to requests for information and assistance, managed by the Customer Care office, and the evaluation of any complaints, all other activities being limited (for example, the publication of commercial content, reporting and sharing of "posts" also of users who follow the social pages of Coop Italia) within the exclusive perimeter of ownership of the relevant social network, according to the rules of the platforms themselves".

In the Company's opinion, "the five years of retention of requests for assistance, complaints, etc. are parameterized to the need that Coop Italia has to demonstrate that it has fully complied with customer/user requests, as well as to manage any complaints coming from these channels: this, in essence, represents the "motivation" for determining such a retention period...".

3.1.5. The quantification criteria referred to in art. 83, par. 2, of the Regulation.

In this regard, Coop has, among other things, stated that:

- the case of the whistleblower was an opportunity to verify and refine its internal procedures for managing requests to exercise rights by interested parties;

- it provided the widest cooperation from the first request for information and during the inspection;

- there are no specific corrective measures already adopted by the Authority with reference to the specific violation complained of;

- “CoopVoce is recognized for the high quality of customer service and has received significant praise from consumers… (also) compliance with legislation on the protection of personal data; CoopVoce operates in a highly competitive market characterized by low profit margins (see attachment no. 6 "CoopVoce and the mobile telephony market"); “… it also had to face huge investments to free itself from Telecom Italia and first take charge of the direct management of data traffic and, from 2023, also the management of the voice component”; with reference to the last decade, "... CoopVoce's operating income has remained essentially constant at 2014 levels in the face of ... above all a growth in technological costs of over six (6) times and in the presence of significant investments linked to infrastructure (transition to Full-MVNO and development of VoLTE technology) (ref. annex 6 “CoopVoce and the mobile telephony market” p. 3); ... the pandemic and the consequent effect on physical stores, from which CoopVoce draws the majority of its customers, led to a significant reduction in the flow of new customers, despite a significant increase in advertising costs, which more than tripled in the period."

3.2. The Company's hearing.

On 6 February 2024, the Company - in reiterating what was already partially represented during the inspection and through the defense brief - confirmed the measures already adopted in relation to the complaints received, underlining its broad willingness to implement what was further established by this Authority and representing the following:

In particular, the Company, with reference to the only report in question, pointed out that the interested party has not presented any further complaints since May 2022. More generally, the procedure for managing the rights of interested parties has been carefully reviewed and rearticulated, for the purposes of greater uniformity and to guarantee a tight deadline (approximately 2 weeks or a maximum within 30 days); in particular, the interested party instantly receives an email which assures him of receipt and prompt response, also thanks to the exact tracking of the request in our systems (see attached table: annex n.1); furthermore, since February 2023, it has created a new special Coopvoce certified email address to channel interested parties' requests, in addition to the ordinary email address; addresses both present on the coopvoce website. Furthermore, the Company highlighted that:

1) the cooponline site was closed (non-food products) due to lack of customers;

2) referred to the losses and the negative trend that has affected the Company since 2021, referred to in the 2024 memorandum;

3) with respect to the issue of data retention of images collected and stored for a period of time - generally 5 years - it has attached specific authorization forms (one for adults; one for minors, entrusted to parents or other persons exercising parental responsibility) with express clauses regarding the transfer of image rights pursuant to art. 10 of the Civil Code and the copyright law (annexes 2 and 3);

4) is in the process of placing online privacy information that is increasingly clear and simple and therefore easily usable, assisted by figurative icons, in compliance with the EDPB Guidelines on transparent information;

5) with reference to the communication of data, including traffic data, to third parties, it specified that these are Coop group companies that receive such data in their systems; however, promotional communications are sent directly by Coop Italia using the contact details available; in any case, these are specific initiatives, as specified in the memorandum;

6) with particular reference to the data of users and customers, collected through social platforms, the Company, in acceptance of the indication contained in the complaint received from the Authority, has changed the retention period, reducing it from 5 years to 6 months.

4. LEGAL ASSESSMENTS OF THE AUTHORITY.

4.1. Exercise of rights pursuant to art. 15-22 of the Regulation.

While taking note of the non-systematic nature of the violation which concerns, as far as the documents are concerned, only one interested party, it must nevertheless be highlighted, in consideration of the relevance of the right to object to processing for marketing purposes, which - if not channeled into the right tracks of correct processing - is detrimental to the right to protection of personal data and the rights of the person connected to it. The hypothesized violation of arts. 6; 12, par. 3; 15; 21, par. 2, of the Regulation, as well as art. 130 of the Code, must therefore be confirmed.

The Authority - in consideration of the above as well as the alleged review of the procedures relating to the exercise of rights by interested parties - does not believe it is necessary to adopt corrective measures in this regard.

4.2. The processing of personal data relating to the use of e-sims.

Given the varied multitude of data collected as part of the Coopvoce service, and in particular "telephone and/or electronic traffic data and internet navigation and/or position and/or geolocation data (obtained via GPS and/or services or functionality on the location and/or with identification of mobile phones and antennas, including wi-fi and/or postal code and/or city name)", Coop has, however, represented in its brief that "The collection and use of such data ... takes place ... above all, to fulfill the contractual obligations assumed by Coop Italia towards its customers for the purposes of providing the telephony and data communications service .... Coop Italia in the use of data for direct marketing specifically uses only the personal information (name and surname) and contact details (e-mail and text message) provided by the interested party, in compliance with the consent given."

It is therefore deemed necessary to archive what was observed in the complaint regarding the violation of the art. 6, par.1, letter. a), of the Regulation and not to order any corrective measures in this regard.

From a different perspective, despite what Coop claims, the concept of marketing cannot be expanded so much as to also include the peculiar statistical and economic analysis activities, which are structurally different from promotional ones. In this regard, it is not worth referring to the 2013 Guidelines, for two important reasons:

- the Authority, in the 2013 Guidelines referred to by the Company, referred only to the purposes typified by art. 130, paragraph 1, of the Code, i.e. "those of sending advertising material, direct sales, carrying out market research and commercial communication [...]" believing that only "the aforementioned activities - and not also further purposes, such as those of economic and statistical analysis - are functional, in most cases, to pursue a single marketing purpose (lato sensu), with the consequence that the connected processing appears to justify - always as a rule - the acquisition of a single consent.";

- a non-specific consent is not free as it determines a coercion of the will of the interested party, with consequent violation of the principles of correctness of the processing, and of the freedom to express consent (a principle already enshrined in art. 23 of the previous Code). Each processing purpose, other than contractual, administrative and accounting purposes (e.g. profiling, marketing, etc.) requires, however, free, specific, informed and distinct consent for each of them (art. 6, par. 1, letter a, of the Regulation). This capacity for self-determination is not ensured when consent is collected in an undifferentiated manner to pursue distinct purposes, although each of them can be pursued individually in the presence of an autonomous evaluation and determination of the interested party. This orientation finds full and constant correspondence also in the provisions of this Authority and was confirmed even after the full operation of the Regulation (see provision dated 12 June 2019, web doc. no. 9115; provision dated 15 January 2020, web document no. 9256486);

- the Regulation has further strengthened the principle of consent, together with its requirements of freedom, specificity and, in addition, unequivocality (see: articles 5, par. 1, letter a, and 7, par. 4; and in particular recital 32, but also recitals 39, 40, 42 and 43).

On the basis of the overall results of the investigation conducted, it is possible to include these statistical and economic activities in the profiling activity, with which, according to what has been declared, they stand in a close and direct connection, since they are necessary and preparatory to carrying out profiling, especially of an aggregate type. However, the inclusion of these activities in the request for consent for marketing and not profiling purposes diverts this expression of will from the actual purpose of the processing. It is therefore deemed necessary to confirm the relevant dispute (art. 6, par. 1, letter a), of the Regulation) and to order the modification of the formula for acquiring consent for marketing activities, expunging the reference to "statistical and economic activities".

4.3. The processing of personal data collected during "events and fairs".

In this regard, and in particular with reference to the conservation of photos and video recordings, this Authority deems it necessary to take into account the defensive exception formulated by the Company, i.e., specifically, that such "conservation takes place on the basis of releases signed by the interested parties, which also include obligations of a civil nature (image rights, use pursuant to articles 10 and 320 of the Civil Code, and articles 96 and 97 of Law 633/1941)", guaranteeing interested parties the exercise of their rights regarding the protection of data. In this sense, the Authority wishes to clarify, from a more general perspective, that the contractual autonomy of private individuals, pursuant to art. 1321 of the Civil Code - provided that the obligation to provide suitable information on the processing, as well as clear contractual terms and conditions, continues to be fulfilled - can legitimately affect the timing of data retention, but cannot derogate from the fundamental rights of the interested parties referred to in arts. 15-22 of the Regulation, as ensured, in this case, by Coop.

In the aforementioned terms it is therefore deemed necessary to archive the relevant dispute (art. 5, par.1, letter e)) and not to order any corrective measures.

4.4. The processing of personal data collected through social platforms.

In this regard, if the five-year retention of data relating to "requests for information and assistance, managed by the Customer Care office" can be admitted, with particular reference to those submitted by customers, the same cannot be said for data relating to mere users, for which the legal basis of the contract does not exist and no reason of necessity is discernible. Furthermore, it seems necessary to this Authority to distinguish between the data of active customers and that of terminated customers. Within the aforementioned limits, it is therefore deemed necessary to confirm the relevant dispute (art. 5, par. 1, letter e)). Given, however, what the Company has declared regarding the drastic reduction in the retention times of data collected via social media, it is not considered necessary to order any corrective measures.

5. CONCLUSIONS.

On the basis of all the above, the liability of Coop Italia is considered established - albeit within the aforementioned limits and specifications - in relation to the following violations of the Regulation:

- art. 5, par. 1, letter e);

- art. 12, par.3;

- art. 15;

- art. 21, par.2;

- as well as the art. 130 of the Code.

Having ascertained the illegality of the above-described conduct of the Company and also considering what is represented above by this Authority, it is necessary to adopt the following corrective measure against the same: order the modification of the formula for acquiring consent for marketing activities, expunging the reference to "statistical and economic activities".

With regard to the processing already carried out, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to arts. 58, par. 2, letter i) and 83, par. 5, of the Regulation.

6. ORDER INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION

The violations confirmed above require the adoption of an injunction order, pursuant to arts. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against CoopItalia of the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation.
In this regard, for the determination of the maximum amount, reference must be made, pursuant to the aforementioned provisions of the Regulation, to the turnover of the Company as deduced from the ordinary financial statements for the year 2022 (707,800,006 euros), from which it emerges that the aforementioned statutory maximum amounts to €28,312,000.00.

To determine the amount of the sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1), it is necessary to take into account the elements indicated in the art. 83, par. 2, of the Regulation.

Among the circumstances to be taken into consideration in the specific case, the high quantity of interested parties whose data were collected through the CoopVoce website and subsequently transmitted for specific initiatives to third parties must be considered an aggravating factor (letter a).

At the same time, the following are to be considered as mitigating circumstances:

1. the negligent nature of the violations found, mostly linked to an incorrect interpretation of the relevant legislation (letter b);

2. the timely adoption of corrective measures, with specific reference to the procedures for managing the rights of interested parties and the retention times of user and customer data collected through social platforms (letter c);

3. the absence of previous violations and therefore of previous corrective and sanctioning measures (letter e);

4. the constant and fruitful collaboration with this Authority (letter f);

5. the significant economic losses "and the negative trend that has affected the Company since 2021", referred to in the defense brief and the hearing minutes (letter k).

Based on all the elements indicated above, in application of the aforementioned principles of effectiveness, proportionality and dissuasiveness referred to in art. 83, par. 1 of the Regulation, also taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, also in order to limit the economic impact of the sanction on the organisational, functional and employment needs of the Company, it is believed that - taking into account previous terms - the administrative sanction of the payment of a sum of €90,000.00, equal to 0.31% of the statutory maximum, should be applied to Coop Italia.

Please remember that, pursuant to art. 170 of the Code, anyone who, being obliged, does not comply with this provision prohibiting processing is punished with imprisonment from three months to two years and that, in case of non-compliance with the same provision, the sanction referred to in art. 83, par. 5, letter e), of the Regulation is applied.

In the case in question, it is believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, should also be applied, taking into account the sensitivity of the matter under investigation (processing of traffic data and retention times of data collected through social platforms) as well as the need for non-discrimination compared to similar cases (see: provision of 8 June 2023, web document no. 9909907;

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of the violations detected herein in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

a) pursuant to art. 57, par. 1, letter. f), of the Regulation, declares unlawful, within the terms set out in the justification, the processing carried out by Coop Italia Società Cooperativa, with registered office in Via del Lavoro, 6-8, Casalecchio Reno (Bologna), VAT no. 01515921201; and, as a result, towards the same:

b) pursuant to art. 58, par. 2, letter. d), orders the modification of the formula for acquiring consent for marketing activities, eliminating the reference to "statistical and economic activities";

c) pursuant to art. 157 of the Code, orders to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, par. 5, of the Regulation.

ORDERS

pursuant to art. 58, par. 2, letter. i), of the Regulation, to Coop Italia Società Cooperativa, in the person of its legal representative, to pay the sum of 90,000 euros (ninety thousand/00), as a pecuniary administrative sanction for the violations indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

to the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 90,000 (ninety thousand/00) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of law no. 689/1981;

PROVIDES FOR

as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, the publication of this provision on the Guarantor's website and, pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation, of the violations and measures adopted.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as arts. 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the owner of the personal data processing has his residence, or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 22 February 2024

PRESIDENT
Stanzione

THE RAPPORTEUR
Scorza

THE GENERAL SECRETARY
Mattei