Garante per la protezione dei dati personali (Italy) - 10025835
Garante per la protezione dei dati personali - 10025835 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 5(1)(f) GDPR Article 5(2) GDPR Article 6(1) GDPR Article 12(3) GDPR Article 15 GDPR Article 24(1) GDPR Article 33(1) GDPR Article 130 d.lgs. 196/2003 |
Type: | Complaint |
Outcome: | Upheld |
Started: | 05.10.2023 |
Decided: | 24.04.2024 |
Published: | |
Fine: | 30,000 EUR |
Parties: | Rossi Carta S.r.l. Unipersonale |
National Case Number/Name: | 10025835 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Italian |
Original Source: | Garante per la protezione dei dati personali (in IT) |
Initial Contributor: | fb |
The DPA fined a controller €30,000 after a data breach occurred due to the usage of an outdated CMS tool that was highly vulnerable to cyber-attacks.
English Summary
Facts
On 27 August 2022, the data subject filed a complaint against the controller. The data subject argued he had received unsolicited marketing emails from the controller and that it did not reply to his access request.
The controller argued that it had not replied to the data subject because his access request email was marked as spam. Moreover, it noted that the data subject received marketing emails because his email address was in the controller’s database of people who had given their specific consent for direct marketing. However, the controller pointed out that it had proceeded to delete the data subject’s data.
After that, the data subject received an email in which the controller asked him to confirm his email address in order to sign up for a newsletter. The controller argued that the data subject had received this email because a third party had entered the data subject's email address into the controller’s system. Moreover, the controller noted that the data subject had not been subscribed to the newsletter as he had not confirmed his email address.
On 14 May 2023, the data subject received 39 emails with identical content, inviting the data subject to confirm his phone number. Following this event, the DPA asked the controller for clarification, since it was not supposed to have the data subject’s phone number.
The controller followed up the DPA request saying that, after further checks, it found out that some unauthorised accesses to its IT systems had been made. The controller argued that the 39 emails had been sent by these unauthorised people after they had inserted the data subject's personal data in the system.
Holding
Firstly, the DPA noted that the controller had been using – and was still using at the time of the decision – an outdated and vulnerable Content Management System (CMS) tool to manage its website. The DPA found that the use of this outdated tool implied a high risk of data breaches.
Therefore, the DPA held that the controller had not implemented appropriate technical and organisational measures to protect personal data and found a violation of Articles 5(1)(f), 5(2) and 24(1) GDPR. Moreover, pursuant to Article 58(2)(d) GDPR, the DPA ordered the controller to implement appropriate measures in connection with its CMS tool.
The DPA also focused on a possible failure to notify the DPA of the data breach pursuant to Article 33 GDPR. The DPA noted that the security pitfalls of the controller’s IT system could have led to several unlawful activities, such as using the controller’s platform to send phishing emails and, more general, unauthorised accesses to personal data. Therefore, the DPA found that this data breach was not unlikely to result in a risk to the rights and freedoms of natural persons and so a notification to the DPA was required under Article 33(1) GDPR.
Moreover, the DPA noted that the controller had not been that a data breach occurred until the DPA required to investigate the matter in more detail. According to the DPA, this further proved how the security measures of the controller were insufficient.
Thirdly, the DPA pointed out that the controller was unable to provide the data subject with information about the source of his personal data and, more in general, did not act on his access request. Moreover, the DPA found a lack of legal basis since the data subject had never consented to the processing of his email and phone number for marketing purposes. Therefore, the DPA found a violation of Articles 6(1), 7, 12(3) and 15 GDPR and Article 130 of the Italian Data Protection Code.
On these grounds, the DPA issued a fine of €30,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[doc. web no. 10025835] Provision of 24 April 2024 Register of measures n. 237 of 24 April 2024 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei, general secretary; HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter “Regulation”); HAVING REGARD TO the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018 n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter "Code"); HAVING SEEN the documentation in the documents; GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000; SPEAKER Prof. Ginevra Cerrina Feroni; GIVEN 1. THE INVESTIGATORY ACTIVITY CARRIED OUT With a complaint dated August 27, 2022, Mr. XX complained about receiving a promotional email from the company Rossi Carta S.r.l. Unipersonale (hereinafter, Rossi Carta or the Company) and the failure to respond to a request to exercise the rights made on 6 June 2022. On 8 November 2022 the complainant added that he had received seven further unwanted emails. In response to the Authority's request for information, with certified e-mail dated 5 December 2022, the Company declared that it had not responded to the complainant because the communication had mistakenly flowed into the "spam" box of the email system. Furthermore, with regard to the sending of the promotional message, it was declared that the owner processed "only the e-mail address xx. This address had been entered into our database (...) as pertaining to the subjects who had given their consent for the processing of their data for marketing purposes". At the same time, the Company declared that it had responded to the objection request and deleted the complainant's data. On 15 December 2022, Mr XX complained that he had only received partial feedback on his request, as no clarifications were provided regarding the origin of the data but only their erroneous inclusion in the lists used for marketing. On 26 December 2022, he supplemented his observations by adding that he had received a new communication from Rossi Carta requesting to confirm the email address for an alleged request to subscribe to the newsletter. Prompted by a new request for information from the Office, Rossi Carta responded that the email received from Mr. XX was a simple "transitional" email sent by the system following a request to subscribe to the newsletter, a request denied by the complainant and therefore probably carried out by a third party using Mr XX's data found on the web; since the request was not confirmed, no registration was completed. Despite this, on May 14, 2023, the complainant declared that he had received 39 emails, all with identical content but the result of separate sendings. In these emails the complainant was invited to confirm his telephone number shown in the email itself. Once again the Office forwarded the complainant's integration to the Company requesting clarification regarding what was represented, taking into account that it - according to what was declared on the functioning of the data collection form - should not have had the telephone number of the complainant. With the note received on 8 June 2023, the Company, confirming that it does not hold Mr.'s data. XX, declared that it had carried out further and subsequent checks following the new integration, learning only then that its website had been accessed by IP addresses not belonging to those assigned to Rossi Carta and therefore presuming that external parties did not authorized persons may have thus sent the disputed emails. In the period in question, however, there were no similar mailings to other subjects besides Mr. XX. Furthermore, the event that occurred would have led to serious problems with the indexing of the pages of the Company's e-commerce site (rossicarta.it) with consequent loss of positioning in Google search results. The statements made by the Company, with particular regard to the technical arguments, were also evaluated by the Guarantor's Digital Technologies and IT Security Department which, as the documents stand, highlighted the company's inability to autonomously and promptly intercept the attacks on its systems and the consequent violations - attacks of which the owner became aware only following the complaint and several discussions with the Authority and only a few months after the event. 2. DISPUTE OF VIOLATIONS The Office took steps to contest the violations detected with the initiation of the proceedings dated 5 October 2023 prot. n. 136981/23, notified via certified e-mail. Given that the reasons expressed in the aforementioned document have been fully recalled here, Rossi Carta has been accused of violating the articles. 5, par. 1, letter. f), 5, par. 2 and 24 of the Regulation for violation of the obligation to guarantee adequate protection of personal data from unauthorized processing and access, through appropriate technical measures that ensure the integrity and confidentiality of personal data and to be able to prove this fulfillment . Furthermore, the violation of the art. 33 of the Regulation, taking into account that the event described could constitute a violation of personal data which, involving risks for the rights and freedoms of natural persons, would have made it necessary to notify the Guarantor pursuant to art. 33 of the Regulation, and considering that no data breach notification had been received by the Authority, nor was the carrying out of assessments regarding the risk level of the event such as to exclude a notification obligation. Finally, with regard to the sending of unwanted promotional emails and the lack of response to the exercise of rights, taking into account that the Company had never provided clarifications regarding the origin of the complainant's data, the violation of the articles was considered to be complete. 12, par. 3 and 15 of the Regulation as well as articles. 6 and 7 of the Regulation and art. 130 of the Code. 3. THE DEFENSE OF THE ROSSI CARD With certified e-mail dated 3 November 2023, the Company sent a defense statement in which it first observed that the receipt of the aforementioned "transitional email" by the complainant would be confirmation of the fact that his email address had been canceled as declared; this email, in fact, is sent only to the newly added addresses specifically to request confirmation of the desire to subscribe to the newsletter. With regard to the 39 emails containing the complainant's telephone number, the Company reiterated that the newsletter subscription form on the website collects, as the only data, the email address and in no case is it possible to also enter a number phone. In this regard, he reiterated that, in the same period, the Company's website had recorded an anomaly which had generated a system loop, directing each product page to the home page. This event would have resulted in a gradual de-indexing of the site from Google search results. The Company also added that it was unable, despite the intervention of IT technicians, to identify the author of the tampering, noting only that it arose from a script launched from an IP address external to the Company; however, this anomaly would not have "...produced any theft of personal data, nor caused emails to be sent to subjects other than Mr. XX". Finally, the Company has attached a technical report and the contracts signed with the supplier of the hosting service and the email marketing service, highlighting the technical measures envisaged to guarantee the security of the information processed, also highlighting that the suppliers mentioned have been deemed reliable also due to of the ISO certifications produced. In particular, the technical report clarifies that "it was also possible to ascertain that an additional module (on the website) to the Prestashop CMS, a module dedicated to redirects (301, 302, 303 URL redirects - SEO) created a loop by sending each request to a page dedicated to a product. This loop caused the gradual but very rapid disappearance from the Google SERPs, bringing the company's visibility to the search engine to a very low position. Note, however, that it had occurred in the Rossi Carta una computer systems further anomaly linked to the same IP address as above. In fact, the Mailing Services Support Center (...) had reported that on the dates of 2 and 3 February from the same IP address [...], which is based on North East Italy, there were actions on the account and in particular in those days all the email addresses present in the mailing list appeared to have been moved to the black list with consequent blocking of the service by the system." With regard to the failure to notify the violation of personal data, provided for by art. 33 of the Regulation, the Company deemed it not necessary to do so due to the fact that the described system anomaly would have had effects only on the de-indexing of the site and not on the personal data stored by the Company, data which does not include any telephone number . Furthermore, no other user subscribed to the newsletter would have complained about receiving anomalous emails. Finally, with regard to the lack of information on the origin of the data, the Company added that "from what was subsequently reconstructed the insertion would have occurred following the incorrect typing of another email address (...) not belonging to the complainant. On this point, however, it is noted that at any time Mr. XX could have unsubscribed from receiving the newsletter so as not to receive any communication". With the documentary integration of 23 January 2024 and with the subsequent hearing of 24 January 2024, the Company added that it could not have noticed the anomalous sending of 39 emails to the complainant since the anomaly alert system is activated only if they are sent more than 50 submissions. 4. LEGAL ASSESSMENTS The peculiarity of the story described and the subsequent documentary additions, produced by the Company also in the defense phase, made it necessary to carry out further technical assessments by the competent Digital Technologies and IT Security Department, the results of which were acquired in the proceedings with note dated 12 February 2024. On this occasion it was observed that, despite the event which occurred and the analyses, including those of a technical nature, carried out by the company following the complaint and the dialogue with the Authority, the website rossicarta.it appears to be used still the Prestashop CMS in version 1.7.6(1). This version is absolutely obsolete and subject to numerous vulnerabilities, even of high severity (see https://www.cvedetails.com/versionsearch.php?page=1&vendor=Prestashop&product=&version=1.7.6). As an example, it can be noted that 23 vulnerabilities are associated with Prestashop version 1.7.6.9 alone, 17 of which are of high severity with a Common Vulnerability Scoring System - CVSS score greater than 8 out of 10 (see https://www .cvedetails.com/vulnerability-list/vendor_id-8950/product_id15797/version_id-1357198/Prestashop-Prestashop-1.7.6.9.html). Among the reported vulnerabilities, CVE-2022-31181 appears particularly relevant, with a CVSS score of 9.8 out of 10 and known for several months at the time of the alleged "anomaly" on the company's website(2), exploiting which, through an attack of the SQL-injection type, it would have been possible to inject and execute a script with malicious code on the platform. The high score of the indicated vulnerability is due to the risk considered high in terms of loss of confidentiality, integrity and availability of the data involved, the ease of the attack and the possibility of perpetrating the attack without the need for user privileges. From these further checks it was therefore confirmed that the Company was using an obsolete system for the management of data collected via the website, a site which is used for e-commerce activities and, therefore, potentially suitable for receiving numerous and heterogeneous (personal, contact, payment data); this system, affected by vulnerabilities known since the beginning of 2022, was still in use at the time of the events and even after the discussions with the Guarantor, despite the updates released by the manufacturer having been available since July 2022. All this highlights profiles of violation of the obligation to guarantee adequate protection of personal data from unauthorized processing and access, through appropriate technical measures that ensure the integrity and confidentiality of personal data and to be able to prove this fulfillment. For these reasons, the violation of the articles is considered complete. art. 5, par. 1, letter. f), 5, par. 2 and 24 of the Regulation. Taking into account that, at the time of the technical checks conducted by the Guarantor, the platform for managing the website was not yet updated, it is necessary, pursuant to art. 58, par. 2, letter. d), order Rossi Carta to adopt, with regard to the content management system of the website rossicarta.it, technical measures which, in the state of the art, are considered adequate to the risks existing in the processing of personal data. Furthermore, in consideration of the illegality and seriousness of the conduct, it is believed that the conditions for the application of a pecuniary administrative sanction pursuant to art. 58, par. 2, letter. i) of the Regulation. With regard to the failure to notify a violation of personal data, which was contested in the aforementioned document initiating the proceedings, the following is observed. On the basis of the declarations made, Rossi Carta would have detected unauthorized access to its systems which would have led to the de-indexing of the website and the movement of all the email addresses present in the Company's mailing list to the black list (see technical report attached to the memorandum defense of 3 November 2023). Therefore, according to Rossi Carta, these anomalies would not have led to a violation of the data collected by Rossi Carta itself, despite having occurred in conjunction with the receipt - only by the complainant - of the 39 emails with a request for confirmation of the number telephone. With regard to the complainant's data, the Company declared that it had processed - by mistake - only the email address which would have been deleted after the first request for information from the Guarantor (see declaration of 5 December 2022). Therefore, the subsequent anomalous mailings, whose genesis is still unknown, would not have resulted in access to the complainant's data stored by the Company. From the technical checks carried out by the Guarantor it emerged, as mentioned, that the Company was using an obsolete content management system (CMS) of the website and potentially capable of allowing access to numerous personal data; the vulnerabilities present could also have allowed the same Rossi Carta platform to be used to carry out illicit activities such as, for example, sending phishing emails. Such an eventuality could present a high risk for the rights and freedoms of natural persons, making it necessary to notify the Guarantor pursuant to art. 33, par. 1 of the Regulation. However, the Company was not aware of this risk and limited itself to only registering the de-indexing of the site and the moving of the addresses to the black list. Furthermore, the available documentation only attests that the Company suffered external attacks and that, in the same period, it used technical measures that were inadequate and potentially suitable for carrying out events of the type that occurred. Furthermore, as mentioned, the Company took note of what happened only following discussions with the Guarantor by carrying out other technical checks after receiving the document initiating the procedure, by which time notification of a possible data breach would have been superfluous. . It follows that even the failure to notify the Guarantor - as well as the very ability to assess whether it was due - was caused by the lack of adequate measures to guarantee the security of the processing; since this last case is already the subject of the corrective and sanctioning measures described above, the profile of failure to notify can also be considered absorbed in it, thus being able to defer from further interventions. Finally, with regard to the sending of unwanted promotional emails and the lack of response to the exercise of rights, it is noted that the Company has not provided clarifications regarding the origin of the complainant's data, limiting itself to stating, initially, that they they had been mistakenly included in the contact list without indicating the source; only in the defense phase did the Company hypothesize that the incorrect inclusion of the complainant's email address was due to an incorrect typing of this address. In any case, the complainant did not receive a response to his request to exercise his rights (allegedly ended up in the email spam folder) and did not receive a response during the preliminary investigation (after the request for information from the Guarantor) since the Company provided its justifications only after the initiation of the proceedings. For these reasons, the request for access to the data cannot be considered satisfied; similarly, since no consent has been acquired for the sending of promotional messages and since such sending continued even after the opposition, this processing is carried out in the absence of a suitable legal basis. This conduct can also be considered attributable to a general inability of the Company to guarantee adequate control of operations involving data processing (formation of lists, management of requests to exercise rights), such that the errors alleged by the same cannot be considered excusable. as justification for sending promotional messages and failing to reply to the complainant. Therefore, the violation of the articles is considered complete. 12, par. 3 and 15 of the Regulation as well as articles. 6 and 7 of the Regulation and art. 130 of the Code and it is necessary to inflict a pecuniary administrative sanction, pursuant to art. 58, par.2, letter. i, of the Regulation. 5. ORDER INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION Based on the above, various provisions of the Regulation and the Code have been violated in relation to related processing carried out by Rossi Carta, for which the art. 83, par. 3, of the Regulation, according to which, if, in relation to the same treatment or related treatments, a data controller violates, with intent or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation with consequent application of only the sanction provided for by the art. 83, par. 5, of the Regulation. For the purposes of quantifying the administrative sanction, the aforementioned art. 83, par. 5, in setting the statutory maximum in the sum of 20 million euros or, for companies, in 4% of the annual global turnover of the previous financial year whichever is higher, specifies the methods for quantifying the aforementioned sanction, which must "in any case [ be] effective, proportionate and dissuasive" (art. 83, par. 1, of the Regulation), identifying, for this purpose, a series of elements, listed in par. 2, to be assessed when quantifying the relevant amount. In fulfillment of this provision, hypothesized, on the basis of the information found in the latest financial statements (recorded as of 31 December 2022), the occurrence of the first hypothesis envisaged by the aforementioned art. 83, par. 5 and therefore quantified as 20 million euros as the maximum applicable law, the following aggravating circumstances must be considered: 1. the severity and duration of the violations detected. In particular, with regard to the sending of unwanted promotional messages and the failure to respond to the request to exercise the rights, taking into account the justifications given and the fact that it was an isolated case, a low level of seriousness of the violation can be considered . However, with regard to the use, for over a year, of inadequately updated systems, there is a damage to the data of the users of the rossicarta.it website which can potentially be very significant despite not being aware of attacks actually carried out by exploiting this vulnerability; even the sending of emails to the complainant - who appears to be the only interested party involved - resulted from an external attack of unknown origin. For this profile, the level of severity can therefore be assessed as medium (art. 83, par. 2, letter a), of the Regulation); 2. the failure of the data controller to adopt adequate measures to mitigate the damage to the interested parties since the Company, despite the attempts made, was unable to understand the reasons for the events complained of by the complainant, nor did it notice of the vulnerabilities that affected its website content management platform (art. 83, par. 2, letter c), of the Regulation); 3. the degree of responsibility of the data controller, given that the Company has adopted an obsolete technological platform and therefore completely inadequate to avoid serious risks for the personal data collected by it, also taking into account the fact that the vulnerabilities were known by time and that an update had been available for months (art. 83, par. 2, letter d), of the Regulation). As mitigating elements, it is believed that the following can be taken into account: 1. of the number of subjects affected by the violations since, although this potentially capable of causing significant damage to the data of all users present on the website, in concrete terms (and based on what has been ascertained) it only involved the sending of email to the complainant (art. 83, par. 2, letter a) of the Regulation); 2. the absence of malice regarding the sending of promotional emails without consent and the failure to update the systems, which appear to be attributable to the Company's negligence; in fact, this would have acted in the belief that it had adopted measures adequate to the state of the art without, however, being aware of the level of obsolescence of the systems used and the potential risks resulting from their failure to update (art. 83, par. 2, letter b) of the Regulation); 3. the absence of previous relevant violations committed by the data controller (art. 83, par. 2, letter e), of the Regulation); 4. the degree of cooperation in interaction with the Supervisory Authority (art. 83, par. 2, letter f), of the Regulation); 5. of the fact that the Company, which has the dimensional requirements of a small business, suffered economic losses as a result of the attack which - as represented in the note dated 8 June 2023 - were added to the damage resulting from the flood which occurred in Emilia Romagna, where it is based (art. 83, par. 2, letter k) of the Regulation). From an overall perspective of the necessary balance between the rights of the interested parties and freedom of enterprise, the aforementioned criteria must be prudently evaluated, also in order to limit the economic impact of the sanction. Therefore, it is believed that - based on all the elements indicated above - the administrative sanction of paying a sum of 30,000.00 (thirty thousand/00) euros equal to 0.15% of the maximum statutory sanction of 20 million should be applied to Rossi Carta. of Euro. The maximum statutory sanction is identified with reference to the provisions of the art. 83, par. 5 of the Regulation, taking into account that 4% of Rossi Carta's turnover, based on the data reported in the latest financial statements, is less than 20 million euros. It is noted that the conditions set out in art. 17 of the Guarantor Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations detected herein in the internal register of the Authority, provided for by art. 57, par. 1, letter. u) of the Regulation. It is also believed - in consideration of the relevance of the violations - that, pursuant to art. 166, paragraph 7, of the Code, and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, the injunction order must be published on the Guarantor's website, as an additional sanction. ALL THIS CONSIDERING THE GUARANTOR pursuant to art. 57, par. 1, letter. f), of the Regulation, declares unlawful the processing described in the terms set out in the justification carried out by Rossi Carta S.r.l., with registered office in via P. D'Altri 76 Cesena (FC), VAT no. 00111730404; consequentially: a) pursuant to art. 58, par. 2, letter. d), orders Rossi Carta to adopt, with regard to the content management system of the website rossicarta.it, technical measures which, in the state of the art, are considered adequate to the risks existing in the processing of personal data; b) pursuant to art. 157 of the Code, orders Rossi Carta to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the imposed measure; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, paragraph 5, of the Regulation. ORDER pursuant to art. 58, par. 2, letter. i), of the Regulation, to Rossi Carta S.r.l., in the person of its legal representative, to pay the sum of 30,000.00 (thirty thousand) euros as a pecuniary administrative sanction for the violations indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed. ORDERS to the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 30,000.00 (thirty thousand) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. . 27 of law no. 689/1981; HAS a) pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website; b) pursuant to art. 17 of the Guarantor Regulation n. 1/2019, provides for the annotation in the internal register of the Authority, provided for by the art. 57, par. 1, letter. u) of the Regulation, violations and measures adopted. Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles. 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the owner of the personal data processing has his residence, or, alternatively, with the court of the place of residence of the interested party. , within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad. Rome, 24 April 2024 PRESIDENT Stantion THE SPEAKER Cerrina Feroni THE GENERAL SECRETARY Mattei ________ NOTE 1) In this regard, see what emerges from the analysis of the rossicarta.it website through the following free services for checking the CMS https://whatcms.org/ and https://sitechecker.pro/what-is-cms 2) The vulnerability CVE-2022-31181 has been known since the beginning of 2022; Prestashop CMS release 1.7.8.7 was released in July 2022. [doc. web no. 10025835] Provision of 24 April 2024 Register of measures n. 237 of 24 April 2024 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei, general secretary; HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter “Regulation”); HAVING REGARD TO the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018 n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter "Code"); HAVING SEEN the documentation in the documents; GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000; SPEAKER Prof. Ginevra Cerrina Feroni; GIVEN 1. THE INVESTIGATORY ACTIVITY CARRIED OUT With a complaint dated August 27, 2022, Mr. XX complained about receiving a promotional email from the company Rossi Carta S.r.l. Unipersonale (hereinafter, Rossi Carta or the Company) and the failure to respond to a request to exercise the rights made on 6 June 2022. On 8 November 2022 the complainant added that he had received seven further unwanted emails. In response to the Authority's request for information, with certified e-mail dated 5 December 2022, the Company declared that it had not responded to the complainant because the communication had mistakenly flowed into the "spam" box of the email system. Furthermore, with regard to the sending of the promotional message, it was declared that the owner processed "only the e-mail address xx. This address had been entered into our database (...) as pertaining to the subjects who had given their consent for the processing of their data for marketing purposes". At the same time, the Company declared that it had responded to the objection request and deleted the complainant's data. On 15 December 2022, Mr XX complained that he had only received partial feedback on his request, as no clarifications were provided regarding the origin of the data but only their erroneous inclusion in the lists used for marketing. On 26 December 2022, he supplemented his observations by adding that he had received a new communication from Rossi Carta requesting to confirm the email address for an alleged request to subscribe to the newsletter. Prompted by a new request for information from the Office, Rossi Carta responded that the email received from Mr. XX was a simple "transitional" email sent by the system following a request to subscribe to the newsletter, a request denied by the complainant and therefore probably carried out by a third party using Mr XX's data found on the web; since the request was not confirmed, no registration was completed. Despite this, on May 14, 2023, the complainant declared that he had received 39 emails, all with identical content but the result of separate sendings. In these emails the complainant was invited to confirm his telephone number shown in the email itself. Once again the Office forwarded the complainant's integration to the Company requesting clarification regarding what was represented, taking into account that it - according to what was declared on the functioning of the data collection form - should not have had the telephone number of the complainant. With the note received on 8 June 2023, the Company, confirming that it does not hold Mr.'s data. XX, declared that it had carried out further and subsequent checks following the new integration, learning only then that its website had been accessed by IP addresses not belonging to those assigned to Rossi Carta and therefore presuming that external parties did not authorized persons may have thus sent the disputed emails. In the period in question, however, there were no similar mailings to other subjects besides Mr. XX. Furthermore, the event that occurred would have led to serious problems with the indexing of the pages of the Company's e-commerce site (rossicarta.it) with consequent loss of positioning in Google search results. The statements made by the Company, with particular regard to the technical arguments, were also evaluated by the Guarantor's Digital Technologies and IT Security Department which, as the documents stand, highlighted the company's inability to autonomously and promptly intercept the attacks on its systems and the consequent violations - attacks of which the owner became aware only following the complaint and several discussions with the Authority and only a few months after the event. 2. DISPUTE OF VIOLATIONS The Office took steps to contest the violations detected with the initiation of the proceedings dated 5 October 2023 prot. n. 136981/23, notified via certified e-mail. Given that the reasons expressed in the aforementioned document have been fully recalled here, Rossi Carta has been accused of violating the articles. 5, par. 1, letter. f), 5, par. 2 and 24 of the Regulation for violation of the obligation to guarantee adequate protection of personal data from unauthorized processing and access, through appropriate technical measures that ensure the integrity and confidentiality of personal data and to be able to prove this fulfillment . Furthermore, the violation of the art. 33 of the Regulation, taking into account that the event described could constitute a violation of personal data which, involving risks for the rights and freedoms of natural persons, would have made it necessary to notify the Guarantor pursuant to art. 33 of the Regulation, and considering that no data breach notification had been received by the Authority, nor was the carrying out of assessments regarding the risk level of the event such as to exclude a notification obligation. Finally, with regard to the sending of unwanted promotional emails and the lack of response to the exercise of rights, taking into account that the Company had never provided clarifications regarding the origin of the complainant's data, the violation of the articles was considered to be complete. 12, par. 3 and 15 of the Regulation as well as articles. 6 and 7 of the Regulation and art. 130 of the Code. 3. THE DEFENSE OF THE ROSSI CARD With certified e-mail dated 3 November 2023, the Company sent a defense statement in which it first observed that the receipt of the aforementioned "transitional email" by the complainant would be confirmation of the fact that his email address had been canceled as declared; this email, in fact, is sent only to the newly added addresses specifically to request confirmation of the desire to subscribe to the newsletter. With regard to the 39 emails containing the complainant's telephone number, the Company reiterated that the newsletter subscription form on the website collects, as the only data, the email address and in no case is it possible to also enter a number phone. In this regard, he reiterated that, in the same period, the Company's website had recorded an anomaly which had generated a system loop, directing each product page to the home page. This event would have resulted in a gradual de-indexing of the site from Google search results. The Company also added that it was unable, despite the intervention of IT technicians, to identify the author of the tampering, noting only that it arose from a script launched from an IP address external to the Company; however, this anomaly would not have "...produced any theft of personal data, nor caused emails to be sent to subjects other than Mr. XX". Finally, the Company has attached a technical report and the contracts signed with the supplier of the hosting service and the email marketing service, highlighting the technical measures envisaged to guarantee the security of the information processed, also highlighting that the suppliers mentioned have been deemed reliable also due to of the ISO certifications produced. In particular, the technical report clarifies that "it was also possible to ascertain that an additional module (on the website) to the Prestashop CMS, a module dedicated to redirects (301, 302, 303 URL redirects - SEO) created a loop by sending each request to a page dedicated to a product. This loop caused the gradual but very rapid disappearance from the Google SERPs, bringing the company's visibility to the search engine to a very low position. Note, however, that it had occurred in the Rossi Carta una computer systems further anomaly linked to the same IP address as above. In fact, the Mailing Services Support Center (...) had reported that on the dates of 2 and 3 February from the same IP address [...], which is based on North East Italy, there were actions on the account and in particular in those days all the email addresses present in the mailing list appeared to have been moved to the black list with consequent blocking of the service by the system." With regard to the failure to notify the violation of personal data, provided for by art. 33 of the Regulation, the Company deemed it not necessary to do so due to the fact that the described system anomaly would have had effects only on the de-indexing of the site and not on the personal data stored by the Company, data which does not include any telephone number . Furthermore, no other user subscribed to the newsletter would have complained about receiving anomalous emails. Finally, with regard to the lack of information on the origin of the data, the Company added that "from what was subsequently reconstructed the insertion would have occurred following the incorrect typing of another email address (...) not belonging to the complainant. On this point, however, it is noted that at any time Mr. XX could have unsubscribed from receiving the newsletter so as not to receive any communication". With the documentary integration of 23 January 2024 and with the subsequent hearing of 24 January 2024, the Company added that it could not have noticed the anomalous sending of 39 emails to the complainant since the anomaly alert system is activated only if they are sent more than 50 submissions. 4. LEGAL ASSESSMENTS The peculiarity of the story described and the subsequent documentary additions, produced by the Company also in the defense phase, made it necessary to carry out further technical assessments by the competent Digital Technologies and IT Security Department, the results of which were acquired in the proceedings with note dated 12 February 2024. On this occasion it was observed that, despite the event which occurred and the analyses, including those of a technical nature, carried out by the company following the complaint and the dialogue with the Authority, the website rossicarta.it appears to be used still the Prestashop CMS in version 1.7.6(1). This version is absolutely obsolete and subject to numerous vulnerabilities, even of high severity (see https://www.cvedetails.com/versionsearch.php?page=1&vendor=Prestashop&product=&version=1.7.6). As an example, it can be noted that 23 vulnerabilities are associated with Prestashop version 1.7.6.9 alone, 17 of which are of high severity with a Common Vulnerability Scoring System - CVSS score greater than 8 out of 10 (see https://www .cvedetails.com/vulnerability-list/vendor_id-8950/product_id15797/version_id-1357198/Prestashop-Prestashop-1.7.6.9.html). Among the reported vulnerabilities, CVE-2022-31181 appears particularly relevant, with a CVSS score of 9.8 out of 10 and known for several months at the time of the alleged "anomaly" on the company's website(2), exploiting which, through an attack of the SQL-injection type, it would have been possible to inject and execute a script with malicious code on the platform. The high score of the indicated vulnerability is due to the risk considered high in terms of loss of confidentiality, integrity and availability of the data involved, the ease of the attack and the possibility of perpetrating the attack without the need for user privileges. From these further checks it was therefore confirmed that the Company was using an obsolete system for the management of data collected via the website, a site which is used for e-commerce activities and, therefore, potentially suitable for receiving numerous and heterogeneous (personal, contact, payment data); this system, affected by vulnerabilities known since the beginning of 2022, was still in use at the time of the events and even after the discussions with the Guarantor, despite the updates released by the manufacturer having been available since July 2022. All this highlights profiles of violation of the obligation to guarantee adequate protection of personal data from unauthorized processing and access, through appropriate technical measures that ensure the integrity and confidentiality of personal data and to be able to prove this fulfillment. For these reasons, the violation of the articles is considered complete. art. 5, par. 1, letter. f), 5, par. 2 and 24 of the Regulation. Taking into account that, at the time of the technical checks conducted by the Guarantor, the platform for managing the website was not yet updated, it is necessary, pursuant to art. 58, par. 2, letter. d), order Rossi Carta to adopt, with regard to the content management system of the website rossicarta.it, technical measures which, in the state of the art, are considered adequate to the risks existing in the processing of personal data. Furthermore, in consideration of the illegality and seriousness of the conduct, it is believed that the conditions for the application of a pecuniary administrative sanction pursuant to art. 58, par. 2, letter. i) of the Regulation. With regard to the failure to notify a violation of personal data, which was contested in the aforementioned document initiating the proceedings, the following is observed. On the basis of the declarations made, Rossi Carta would have detected unauthorized access to its systems which would have led to the de-indexing of the website and the movement of all the email addresses present in the Company's mailing list to the black list (see technical report attached to the memorandum defense of 3 November 2023). Therefore, according to Rossi Carta, these anomalies would not have led to a violation of the data collected by Rossi Carta itself, despite having occurred in conjunction with the receipt - only by the complainant - of the 39 emails with a request for confirmation of the number telephone. With regard to the complainant's data, the Company declared that it had processed - by mistake - only the email address which would have been deleted after the first request for information from the Guarantor (see declaration of 5 December 2022). Therefore, the subsequent anomalous mailings, whose genesis is still unknown, would not have resulted in access to the complainant's data stored by the Company. From the technical checks carried out by the Guarantor it emerged, as mentioned, that the Company was using an obsolete content management system (CMS) of the website and potentially capable of allowing access to numerous personal data; the vulnerabilities present could also have allowed the same Rossi Carta platform to be used to carry out illicit activities such as, for example, sending phishing emails. Such an eventuality could present a high risk for the rights and freedoms of natural persons, making it necessary to notify the Guarantor pursuant to art. 33, par. 1 of the Regulation. However, the Company was not aware of this risk and limited itself to only registering the de-indexing of the site and the moving of the addresses to the black list. Furthermore, the available documentation only attests that the Company suffered external attacks and that, in the same period, it used technical measures that were inadequate and potentially suitable for carrying out events of the type that occurred. Furthermore, as mentioned, the Company took note of what happened only following discussions with the Guarantor by carrying out other technical checks after receiving the document initiating the procedure, by which time notification of a possible data breach would have been superfluous. . It follows that even the failure to notify the Guarantor - as well as the very ability to assess whether it was due - was caused by the lack of adequate measures to guarantee the security of the processing; since this last case is already the subject of the corrective and sanctioning measures described above, the profile of failure to notify can also be considered absorbed in it, thus being able to defer from further interventions. Finally, with regard to the sending of unwanted promotional emails and the lack of response to the exercise of rights, it is noted that the Company has not provided clarifications regarding the origin of the complainant's data, limiting itself to stating, initially, that they they had been mistakenly included in the contact list without indicating the source; only in the defense phase did the Company hypothesize that the incorrect inclusion of the complainant's email address was due to an incorrect typing of this address. In any case, the complainant did not receive a response to his request to exercise his rights (allegedly ended up in the email spam folder) and did not receive a response during the preliminary investigation (after the request for information from the Guarantor) since the Company provided its justifications only after the initiation of the proceedings. For these reasons, the request for access to the data cannot be considered satisfied; similarly, since no consent has been acquired for the sending of promotional messages and since such sending continued even after the opposition, this processing is carried out in the absence of a suitable legal basis. This conduct can also be considered attributable to a general inability of the Company to guarantee adequate control of operations involving data processing (formation of lists, management of requests to exercise rights), such that the errors alleged by the same cannot be considered excusable. as justification for sending promotional messages and failing to respond to the complainant. Therefore, the violation of the articles is considered complete. 12, par. 3 and 15 of the Regulation as well as articles. 6 and 7 of the Regulation and art. 130 of the Code and it is necessary to inflict a pecuniary administrative sanction, pursuant to art. 58, par.2, letter. i, of the Regulation. 5. ORDER INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION Based on the above, various provisions of the Regulation and the Code have been violated in relation to related processing carried out by Rossi Carta, for which the art. 83, par. 3, of the Regulation, according to which, if, in relation to the same treatment or related treatments, a data controller violates, with intent or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation with consequent application of only the sanction provided for by the art. 83, par. 5, of the Regulation. For the purposes of quantifying the administrative sanction, the aforementioned art. 83, par. 5, in setting the statutory maximum in the sum of 20 million euros or, for companies, in 4% of the annual global turnover of the previous financial year whichever is higher, specifies the methods for quantifying the aforementioned sanction, which must "in any case [ be] effective, proportionate and dissuasive" (art. 83, par. 1, of the Regulation), identifying, for this purpose, a series of elements, listed in par. 2, to be assessed when quantifying the relevant amount. In fulfillment of this provision, hypothesized, on the basis of the information found in the latest financial statements (recorded as of 31 December 2022), the occurrence of the first hypothesis envisaged by the aforementioned art. 83, par. 5 and therefore quantified as 20 million euros as the maximum applicable law, the following aggravating circumstances must be considered: 1. the severity and duration of the violations detected. In particular, with regard to the sending of unwanted promotional messages and the failure to respond to the request to exercise the rights, taking into account the justifications given and the fact that it was an isolated case, a low level of seriousness of the violation can be considered . However, with regard to the use, for over a year, of inadequately updated systems, there is a damage to the data of the users of the rossicarta.it website which can potentially be very significant despite not being aware of attacks actually carried out by exploiting this vulnerability; even the sending of emails to the complainant - who appears to be the only interested party involved - resulted from an external attack of unknown origin. For this profile, therefore, the level of severity can be assessed as medium (art. 83, par. 2, letter a), of the Regulation); 2. the failure of the data controller to adopt adequate measures to mitigate the damage to the interested parties since the Company, despite the attempts made, was unable to understand the reasons for the events complained of by the complainant, nor did it notice of the vulnerabilities that affected its website content management platform (art. 83, par. 2, letter c), of the Regulation); 3. the degree of responsibility of the data controller, given that the Company has adopted an obsolete technological platform and therefore completely inadequate to avoid serious risks for the personal data collected by it, also taking into account the fact that the vulnerabilities were known by time and that an update had been available for months (art. 83, par. 2, letter d), of the Regulation). As mitigating elements, it is believed that the following can be taken into account: 1. of the number of subjects affected by the violations since, although this potentially capable of causing significant damage to the data of all users present on the website, in concrete terms (and based on what has been ascertained) it only involved the sending of email to the complainant (art. 83, par. 2, letter a) of the Regulation); 2. the absence of malice regarding the sending of promotional emails without consent and the failure to update the systems, which appear to be attributable to the Company's negligence; in fact, this would have acted in the belief that it had adopted measures adequate to the state of the art without, however, being aware of the level of obsolescence of the systems used and the potential risks resulting from their failure to update (art. 83, par. 2, letter b) of the Regulation); 3. the absence of previous relevant violations committed by the data controller (art. 83, par. 2, letter e), of the Regulation); 4. the degree of cooperation in interaction with the Supervisory Authority (art. 83, par. 2, letter f), of the Regulation); 5. of the fact that the Company, which has the dimensional requirements of a small business, suffered economic losses as a result of the attack which - as represented in the note dated 8 June 2023 - were added to the damage resulting from the flood which occurred in Emilia Romagna, where it is based (art. 83, par. 2, letter k) of the Regulation). From an overall perspective of the necessary balance between the rights of the interested parties and freedom of enterprise, the aforementioned criteria must be prudently evaluated, also in order to limit the economic impact of the sanction. Therefore, it is believed that - based on all the elements indicated above - the administrative sanction of paying a sum of 30,000.00 (thirty thousand/00) euros equal to 0.15% of the maximum statutory sanction of 20 million should be applied to Rossi Carta. of Euro. The maximum statutory sanction is identified with reference to the provisions of the art. 83, par. 5 of the Regulation, taking into account that 4% of Rossi Carta's turnover, based on the data reported in the latest financial statements, is less than 20 million euros. It is noted that the conditions set out in art. 17 of the Guarantor Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, letter. u) of the Regulation. It is also believed - in consideration of the relevance of the violations - that, pursuant to art. 166, paragraph 7, of the Code, and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, the injunction order must be published on the Guarantor's website, as an additional sanction. ALL THIS CONSIDERING THE GUARANTOR pursuant to art. 57, par. 1, letter. f), of the Regulation, declares unlawful the processing described in the terms set out in the justification carried out by Rossi Carta S.r.l., with registered office in via P. D'Altri 76 Cesena (FC), VAT no. 00111730404; consequentially: a) pursuant to art. 58, par. 2, letter. d), orders Rossi Carta to adopt, with regard to the content management system of the website rossicarta.it, technical measures which, in the state of the art, are considered adequate to the risks existing in the processing of personal data; b) pursuant to art. 157 of the Code, orders Rossi Carta to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the imposed measure; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, paragraph 5, of the Regulation. ORDER pursuant to art. 58, par. 2, letter. i), of the Regulation, to Rossi Carta S.r.l., in the person of its legal representative, to pay the sum of 30,000.00 (thirty thousand) euros as a pecuniary administrative sanction for the violations indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed. ORDERS to the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 30,000.00 (thirty thousand) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. . 27 of law no. 689/1981; HAS a) pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website; b) pursuant to art. 17 of the Guarantor Regulation n. 1/2019, provides for the annotation in the internal register of the Authority, provided for by the art. 57, par. 1, letter. u) of the Regulation, violations and measures adopted. Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles. 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the owner of the personal data processing has his residence, or, alternatively, with the court of the place of residence of the interested party. , within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad. Rome, 24 April 2024 PRESIDENT Stanzione THE SPEAKER Cerrina Feroni THE GENERAL SECRETARY Mattei ________ NOTE 1) In this regard, see what emerges from the analysis of the rossicarta.it website through the following free services for checking the CMS https://whatcms.org/ and https://sitechecker.pro/what-is-cms 2) The vulnerability CVE-2022-31181 has been known since the beginning of 2022; Prestashop CMS release 1.7.8.7 was released in July 2022.