Garante per la protezione dei dati personali (Italy) - 10070252

From GDPRhub
Garante per la protezione dei dati personali - 10070252
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 4(12) GDPR
Article 56(1) GDPR
Article 60(4) GDPR
Article 60(6) GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 17.07.2024
Published:
Fine: n/a
Parties: Avis Budget Italia S.p.A.
National Case Number/Name: 10070252
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: fb

The DPA found that a car rental company’s disclosure of personal data to law enforcement authorities in connection with a traffic code violation was a data breach. The controller submitted data of a previous customer who was not responsible for the traffic code violation.

English Summary

Facts

Two Norwegian citizens (the data subjects) rented a car at Venice airport, from a car rental company (the controller). After going back to Norway, the data subjects received from the Italian authorities a car fine and a letter stating they had not paid the toll for a highway. However, the data subjects noticed that these two documents referred to a period of time in which they had already gone back to Norway.

After sending some emails to the controller, they filed a complaint with the Norwegian DPA (Datatilsynet). Since the main establishment of the controller is in Italy, the complaint was forwarded to the Italian DPA (Garante per la protezione dei dati personali) pursuant to Article 56(1) GDPR.

The controller argued that, due to human error, the data subjects' data were confused with the person that was actually driving the car while the traffic code violations happened. Therefore, their names were wrongly sent to the authorities that, then, issued the fines to the data subjects.

Moreover, the controller pointed out that, for car rentals, communicating the name of the driver to competent authorities is a legal obligation under several Italian laws.

After the mistake was pointed out, the controller contacted the authorities issuing the fines in order to ensure that the latter were addressed to the right person. Therefore, the data subjects did not eventually have to pay the fine.

Holding

First, the DPA noted that the controller lawfully collected the data subjects’ personal data since that was necessary for the performance of a contract under Article 6(1)(b) GDPR.

Second, the DPA pointed out that, in principle, the controller can rely on Article 6(1)(c) GDPR to communicate the data to the competent authorities after being notified that the rented car was involved in a traffic code violation.

However, in the case at hand, the controller communicated the wrong name. According to the DPA, this event falls into the definition of a data breach pursuant to Article 4(12) GDPR.

Thirdly, the DPA noted that the data breach at hand was not caused by any technical problem but by an occasional human error.

Fourthly, the DPA welcomed the fact that the controller had improved its technical and organizational measures to avoid this type of incidents.

Fifthly, the DPA noted that the controller mitigated the negative consequences of the breach by contacting the authorities and making sure the data subjects were not the addressee of the fine anymore.

Therefore, the DPA believed that no corrective measure under Article 58(2) GDPR was needed.

Pursuant to Article 60(4) GDPR, the Italian DPA forwarded the draft decision to the Norwegian DPA. Since the latter did not object, the decision became final according to Article 60(6) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. n. 10070252]

Provision of 17 July 2024

Register of provisions
n. 441 of 17 July 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members and Councilor Fabio Mattei, general secretary;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “(“GDPR”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003 (Personal Data Protection Code, hereinafter “Code”) as amended by Legislative Decree no. 101 of 10 August 2018 containing “Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679”;

HAVING SEEN the complaint of XX of 2 November 2021, submitted to the Norwegian data protection authority, in which an alleged violation of his personal data by Avis Budget Italia S.p.A. was complained about;

CONSIDERING the cooperation mechanism between European data protection authorities, as provided for by the Regulation (Article 60 et seq.) for cross-border processing of personal data, and in particular the IMI art. 56 procedure opened on 14 January 2022 by the Norwegian authority for the identification of the lead authority in handling the procedure;

HAVING EXAMINED the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;

REPORTER Dr. Agostino Ghiglia;

WHEREAS

1. The complaint and the investigation

With a complaint submitted to the Norwegian data protection authority, two Norwegian citizens (XX) complained that upon their return from a trip between Italy and Croatia, they had received a fine for driving in prohibited areas from the “Italian police”, as well as a notice for failure to pay a motorway toll from XX (a debt collection company, as subsequently ascertained, on behalf of XX, an Italian motorway services concessionaire), although they had not been in Italy during the period in which the traffic offences were allegedly committed.

They therefore complained of an alleged violation of the rules on personal data protection by Avis Budget Italia, from which the complainants had rented a car at the Venice airport (the complainants had initially turned to Avis Budget Norway, to book the vehicle then made available by Avis Budget Italia, part of Avis Budget Group): the company had erroneously associated the personal data relating to the same interested parties with a license plate number that did not correspond to the car they had rented (as proven by documentation in the files); as a consequence, the complainants had received notification of administrative sanctions from the aforementioned third parties (“Italian police” and XX), whose practices had then been archived, at the request of Avis itself. In the complaint, the interested parties also argued that Avis had “caused them a long and difficult process, […and] a lot of work even though we had nothing to do with any of the disputes [notified]”.

The Guarantor - Lead Authority in the cooperation procedure pursuant to art. 60 GDPR for the cross-border processing in question, as Avis Budget Italia is the independent data controller - sent to that company, with a note dated 16 February 2022, a request for information regarding the incident.

With a note dated 28 March 2022, Avis Budget Italia (hereinafter “Avis”) provided an initial response to the Guarantor, confirming, in particular, that “the data of the interested parties had been communicated to XX in relation to a notification of violation of a ban on access and parking in prohibited areas, as well as to the XX company for a dispute over non-payment of tolls”, and also adding that “the erroneous communication is attributable to a mere technical error relating to the association between the identification data of the actual driver and the license plate of the rented vehicle in the period in which, respectively, the violation of the traffic limitation rules and the non-payment of the motorway toll had occurred.”

The company also clarified that "the communication of the rental customer's data by the car rental company corresponds [...] both to a legal obligation (combined provisions of Articles 84, 126 bis and 196 of the Highway Code), and to a duty of collaboration with the Authority [...] proceeding or the management body of the public motorway concession", but that in the circumstance that is the subject of the complaint "an error appears to have occurred in the association between their name as renters and the license plate number of the vehicle that is the subject of the disputes of non-payment and violation of road traffic regulations".

Having taken note of what was declared by the owner, also regarding the proactive behavior, developed by the same, which requested the aforementioned third parties to rectify the data and to cancel the disputes erroneously addressed to the interested parties, with consequent archiving of the administrative practices, it was deemed necessary in any case to acquire clarifications from Avis in order to better understand the process that gave rise to the communication to third parties of erroneous personal data relating to the complainants and to verify any violations of the discipline for the protection of personal data.

This Authority has therefore sent, also following the integration of documents by the Norwegian authority, a new request for information to the owner, pursuant to art. 157 of the Code, asking to provide clarifications and representing to the same what is provided for in the matter of false declarations, attestations, exhibitions or documentation to the Guarantor (art. 168 of the Code).

The owner, in providing new feedback to the Guarantor, represented that "with regard to the facts dating back to 2019 [...] Avis has carried out all necessary corrections, taking charge of all necessary communication activities to the interested parties and without any consequences for the interested customer", specifying, among other things, that:

"the data are provided to Avis on the initiative of the requesting customer in the context of the conclusion [of] a vehicle rental contract [...].

The provision of the customer's data also allows AVIS to fulfill specific regulatory obligations of identification and communication to the authority (Police Headquarters) of the relevant data [... of] drivers of a motor vehicle (with reference [to Legislative Decree no. 113 of 2018, converted by] Law 132/2018 and related Ministerial Decree 29 October 2021) [...]. The public authorities responsible for controlling road traffic and motorway service concessionaires, in the event of violations or omissions to be contested by the interested parties [to] whom they are attributed, shall in any case notify Avis (as the car rental company that owns the vehicle) requests for driver identification […];

the data relating to the customer and the related rental are therefore processed and stored on the AVIS computer system for contractual, legal and administrative purposes […]. Furthermore, with regard to the specific circumstances of the case in question, the storage of data relating to the rental also allows AVIS to respond to requests for driver identification by public authorities in relation to complaints of violation of traffic regulations set out in the Highway Code or local regulations, as well as requests by motorway service concessionaires in the event of complaints of non-payment of the toll, as indicated above;

the activities of managing requests for identification of drivers of rental vehicles, after receiving notifications (in the form of a paper report or communication via PEC) by AVIS, are subsequently carried out by the company Agenzia Italia Spa, on behalf of and on behalf of AVIS with the provision of an outsourced service (on the basis of a service contract and appointment as External Manager, […], by searching for the relevant data corresponding to the notifications on the IT system and communicating them to the authorities and concessionaires. In this specific regard, as previously communicated, AVIS has a legal obligation (pursuant to the combined provisions of Articles 84, 126 bis and 196 of the Highway Code) as well as a collaboration with the requesting authorities and concessionaires to provide said identification data upon reasoned request, as deduced from the relevant results in the AVIS system based on correspondence with the license plate number and date of the dispute.

In the specific circumstance of the case in question, however, as was subsequently ascertained both following the customer's report and following an internal check that then led to the cancellation of the related requests for administrative violation and failure to pay motorway tolls, with closure of the related practices […], it appears that data other than that of the customer who had actually rented the vehicle […] were identified and provided and to whom they should therefore have been correctly attributed.

In fact, after having carried out every appropriate check (as dutifully occurs in all cases, albeit quite rare, in which a possible anomaly in the consistency of the rental data and disputes of the kind is reported), it must be considered that the circumstances of erroneous association of the above findings occurred following a material error attributable to the manual data entry activity for rental registration purposes by the operators in service at the rental station, […] consequently leading to the erroneous identification of the complainant as the driver of the vehicle itself on the dates on which said disputes occurred;

It is also possible that the customer requests and obtains a different type of vehicle than the one assigned by the system based on the specifications previously provided by the customer or that a vehicle already pre-assigned is returned late or early […] resulting in a reassignment of the vehicle. In these cases, despite all the care taken by the operator in inserting the necessary correction, there is the possibility, although absolutely rare, that an overlap of rental dates or times may occur […].

As a rule, however, in these cases the system reports an anomaly in this regard, which is then promptly corrected, but it cannot be absolutely excluded that a temporary permanence in the system of data for so-called "void" rentals (i.e. a rental closed suddenly at the request or changed needs of the customer [...] or for identified technical reasons) and related very rare incorrect associations of rental dates or times with respect to a vehicle [...], which are then systematically ascertained and corrected ex post in the shortest time technically possible, as a prerogative of the system, as part of the internal controls or upon notification by the customer, and in all cases without any consequences for the customer in terms of debit errors, for which AVIS takes full responsibility;

it is possible that [following the forwarding by Avis of the notifications] “relating to disputes for violations of road traffic regulations or missed motorway tolls of the competent authorities and bodies […] to Agenzia Italia […] a manual insertion of a date different from that relating to the dispute occurred, at the time of the search by Agenzia Italia to follow up on requests for identification of drivers [and] data different from that of the actual driver involved and, in particular, those of the customer who subsequently reported the circumstance as erroneous.

an erroneous association between the reference date and time for disputed violations and the vehicle license plate, determined by one of the circumstances mentioned above, unfortunately caused an incorrect communication of the driver's details, which however was corrected. It is therefore reiterated that in this circumstance there does not appear to have been an IT problem or an inconsistency in the data cross-referencing resulting from the operation of the system, but only an inconvenience related to the human conduct of the operator […] during the data entry phase […] probably generated by last minute changes by the customer or management of advances or delays in returning a vehicle.

It should also be noted that compared to the time [of the facts] (dating back to 2019), our systems have in the meantime been periodically and significantly updated also with the adoption of technical solutions which have had, among other things, the purpose of reducing the risk that data entry […or other] manual intervention by an operator […] could incidentally cause a mix-up or a lack of consistency in the rental records, even with appropriate preventive reporting or monitoring tools.

AVIS remains committed to constantly improving its systems precisely to minimize these risks as much as possible […]; as part of its accountability as Data Controller, [Avis] undertakes to dedicate its best technical resources to the aforementioned [periodic] updating of the systems regarding the detection and reporting of anomalies with the primary aim of further reducing the already remote possibility that similar accidental mishaps, however rare, may recur in the future.

AVIS corresponds to the notifications received due to legal obligation and collaboration, but substantially with an essentially "vicarious" function with respect to the needs of verification and contestation for public interest […] in terms of dutiful collaboration in the management of a request for driver identification, but which is in itself extraneous to its processing purposes as Data Controller (provision of rental services, with respect to the contestation of infringement and failure to pay tolls);

In conclusion, […] a mere material and human error in data entry temporarily generated subsequent incorrect communications to the requesting authorities and motorway bodies, but as stated, this mix-up was then fully identified following the report and subsequently the subject of requests [for] rectification accepted by the same on the initiative of AVIS;

at present, no relevant cases or reports relating to the processing of rental customers’ data have occurred previously […].”

2. Assessments of the Authority and conclusions

Pursuant to Regulation (EU) 2016/679 on data protection (“GDPR”), processing of personal data must be carried out in accordance with the fundamental principles indicated in art. 5 (e.g., lawfulness, correctness, transparency, limited purposes, minimization, accuracy, integrity and confidentiality of data) and, to be lawful, must be based on one of the legal bases contemplated in art. 6 GDPR (including: consent of the data subject, performance of a contract, compliance with a legal obligation, performance of a task carried out in the public interest, legitimate interest of the controller). The basis on which the data processing is based for compliance with a legal obligation must be established by Union or Member State law to which the controller is subject (art. 6, para. 3).

Furthermore, according to art. 24 GDPR, taking into account the nature, context and purposes of the processing as well as the risks to the rights and freedoms of individuals, the controller shall implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing complies with the GDPR; these measures are reviewed and updated where necessary.

Art. 32 GDPR specifies the security obligations, establishing that: “the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk […]. In assessing the appropriate level of security, special account is taken of the risks presented by the processing which arise in particular from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

With regard to the legal basis of the processing, with reference to the case in question, the documentation in the files shows that Avis would have initially processed the complainants’ data for the performance of a contract (art. 6, para. 1, b) and that, presumably due to a material error in the data entry phase, the complainants’ data would have been associated with the license plate of a vehicle not attributable to them.

Following requests for identification of the driver by the public authority and the concessionaire of Italian motorway services, in relation to complaints of violation of the Highway Code and failure to pay motorway tolls, Avis itself, in line with art. 6, par. 1, c) and f), would have communicated to such third parties the data of the complainants - as presumably resulting from the activity of managing requests for identification of the drivers of the vehicles. As also indicated in the information provided by Avis, the same may, in fact, be required to make such communication by legal obligation, as well as for a legitimate interest (in particular in the event of any disputes, for the defense of its rights).

More specifically, it emerged that, in the context of the communication of the drivers' data by Avis to the aforementioned subjects (XX and the motorway services concessionaire), an activity that is in principle lawful, based on the Community and national regulatory framework (art. 6, para. 1, letter c), f) and para. 3 GDPR; arts. 126 bis, 176, 196, inter alia, of Legislative Decree 285/1992, the Italian “Highway Code”), in this specific case, since an undue communication of (common) data occurred, the complainants not being the actual offenders, this led to a violation of personal data (data breach), or “a security breach that leads to the accidental or unlawful destruction, loss, modification, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” (art. 4, point 12) GDPR).

However, from the analysis of the documentation acquired, it emerged that the cause of this violation is to be traced to an occasional human error that occurred during the data entry phase, and not to an IT problem or to the operation of the system used by Avis. The data controller promptly corrected the data in its internal systems and requested such correction from the aforementioned subjects, archiving the traffic violation tickets, as also confirmed by the interested parties; furthermore, the data controller declared that during the proceedings it updated the technical and organizational measures used, in particular regarding the detection and reporting of anomalies in order to further reduce the possibility of similar errors (see also the EDPB Guidelines “Guidelines 9/2022 on personal data breach notification under GDPR, Adopted 28 March 2023”).

As also highlighted in the EDPB Guidelines no. 01/2021 on examples regarding the notification of a personal data breach, para. 78, “In this case, the breach does not result from a deliberate action by an employee, but from accidental human error caused by carelessness. This type of breach can be avoided or made less frequent […]” by a series of technical and organizational measures and precautions referred to therein. In such cases, however, the same Guidelines do not include, among the necessary actions to be taken on the basis of the identified risks, either notification to the supervisory authority or to the data subject pursuant to Articles 33 and 34 of the GDPR.

Furthermore, it should be remembered that the Guarantor, pursuant to Article 57, paragraph 1, letter d) of the GDPR, has, among other things, the task of promoting awareness among data controllers regarding the obligations imposed on them by the GDPR.

The Guarantor, the lead authority, has therefore reported to the other authorities concerned on the investigation activity, sharing its position on the matter.

In particular, having taken note of the feedback provided by the Company, also pursuant to art. 168 of the Privacy Code and in line with the EDPB Guidelines 02/2022 on the application of article 60 of the GDPR, adopted by the EDPB on 14 March 2022 (par. 232, 233, 234), this Authority proposed not to take any corrective action pursuant to art. 58, para. 2 GDPR against the controller, rather than adopting a decision pursuant to art. 60, para. 7, in order to close the procedure, while inviting the controller to constantly verify the adequacy of the technical and administrative measures relating to data processing operations (including adequate staff training) to avoid (or promptly identify) similar errors in the future (art. 57, para. 1, letter d) GDPR).

The Authority reached this conclusion taking into account all the circumstances of the case and, in particular, that the mix-up appears to be due to human error, of an occasional nature and that the data controller (which, in principle, is required, under Italian law, to share drivers' data with the above-mentioned requesting bodies) has taken proactive action to reduce or eliminate the impact of what happened on the data subjects.

This is also in line with the provisions of the EDPB Guidelines 2/2022, cit. according to which, in light of the result obtained and the specific circumstances of the case, "the supervisory authority may consider that the most appropriate decision in relation to the complaint in question is to close the procedure, taking note of the solution reached and without taking any action against the data controller" and after "a careful assessment of the circumstances of the complaint as a whole [...]" (EDPB Guidelines 2/2022 on the application of art. 60, para. 232, 233).

Pursuant to art. 60, para. 4-6, since no objections were raised by the authorities concerned within the foreseen deadline of four weeks, the draft decision has become binding for the authorities concerned and for the Guarantor (lead authority).

Therefore, it is considered appropriate to close the procedure in question, pursuant to art. 60, para. 7, of the GDPR, without the adoption of corrective/sanctioning measures pursuant to art. 58, para. 2 GDPR, considering that the violation has entailed a level of risk for the rights and freedoms of the data subjects that can be considered low (see EDPB Guidelines 01/2021, cit.). However, it is considered appropriate, pursuant to the aforementioned art. 57, para. 1, lett. d) GDPR, invite the controller to constantly check the data security measures (and in particular, technical and organizational measures) to prevent similar human errors, also in light of what is highlighted in the EDPB Guidelines 01/2021: "It is important to first identify how the human error could have occurred and, if applicable, how it could have been avoided. In this specific case, the risk is low, since no special categories of personal data or other data whose misuse could have significant negative effects were involved, the violation does not result from a systemic error by the controller and only two persons are affected" (para. 107 Guidelines 01/2021).

The Guarantor, therefore, adopts this provision and notifies it to the controller, pursuant to art. 60, para. 7, GDPR, in consideration of its role as lead supervisory authority "as the sole interlocutor of the controller of the processing subject to the complaint in question"; the interested parties will be informed through the authority that received the complaint – in this case, the Norwegian authority (EDPB Guidelines 2/2022, para. 234).

GIVEN ALL THE ABOVE, THE GUARANTOR

pursuant to art. 60, par. 7, of the GDPR, as well as art. 143, paragraph 3, of the Code, arts. 14 and 18 of the regulation of the Guarantor n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, orders the closure of the proceeding in question, without the adoption of corrective and sanctioning measures, for the reasons set out above and in line with the provisions of the EDPB Guidelines 2/2022, on the application of art. 60 of the General Data Protection Regulation, adopted on 14 March 2022, para. 232, 233,234;

pursuant to art. 57, par. 1, letter d) GDPR, invites Avis Budget Italia S.p.A. to constantly verify the adequacy of the technical and administrative measures relating to data processing operations (including adequate staff training) to avoid (or promptly identify) similar errors in the future.

This provision is notified to the controller and communicated to the interested parties via the Norwegian authority that received the complaint.

Pursuant to art. 78 of the Regulation, as well as art. 152 of the Code, an objection to this provision may be lodged with the ordinary judicial authority, with an appeal filed, alternatively, with the court of the place where the controller resides or has its registered office or with that of the place of residence of the interested party within thirty days from the date of communication of the provision itself or sixty days, if the appellant resides abroad.

Rome, 17 July 2024

THE PRESIDENT
Stanzione

THE REPORTER
Ghiglia

THE GENERAL SECRETARY
Mattei

[web doc. no. 10070252]

Measure of 17 July 2024

Register of measures
no. 441 of 17 July 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members and Councillor Fabio Mattei, general secretary;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “(“GDPR”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003 (Personal Data Protection Code, hereinafter “Code”) as amended by Legislative Decree no. 101 of 10 August 2018 containing “Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679”;

HAVING SEEN the complaint of XX of 2 November 2021, submitted to the Norwegian data protection authority, in which an alleged violation of his personal data by Avis Budget Italia S.p.A. was complained about;

CONSIDERING the cooperation mechanism between European data protection authorities, as provided for by the Regulation (Article 60 et seq.) for cross-border processing of personal data, and in particular the IMI art. 56 procedure opened on 14 January 2022 by the Norwegian authority for the identification of the lead authority in handling the procedure;

HAVING EXAMINED the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;

REPORTER Dr. Agostino Ghiglia;

WHEREAS

1. The complaint and the investigation

With a complaint submitted to the Norwegian data protection authority, two Norwegian citizens (XX) complained that upon their return from a trip between Italy and Croatia, they had received a fine for driving in prohibited areas from the “Italian police”, as well as a notice for failure to pay a motorway toll from XX (a debt collection company, as subsequently ascertained, on behalf of XX, an Italian motorway services concessionaire), although they had not been in Italy during the period in which the traffic offences were allegedly committed.

They therefore complained of an alleged violation of the rules on personal data protection by Avis Budget Italia, from which the complainants had rented a car at the Venice airport (the complainants had initially turned to Avis Budget Norway, to book the vehicle then made available by Avis Budget Italia, part of Avis Budget Group): the company had erroneously associated the personal data relating to the same interested parties with a license plate number that did not correspond to the car they had rented (as proven by documentation in the files); as a consequence, the complainants had received notification of administrative sanctions from the aforementioned third parties (“Italian police” and XX), whose practices had then been archived, at the request of Avis itself. In the complaint, the interested parties also argued that Avis had “caused them a long and difficult process, […and] a lot of work even though we had nothing to do with any of the disputes [notified]”.

The Guarantor - Lead Authority in the cooperation procedure pursuant to art. 60 GDPR for the cross-border processing in question, as Avis Budget Italia is the independent data controller - sent to that company, with a note dated 16 February 2022, a request for information regarding the incident.

With a note dated 28 March 2022, Avis Budget Italia (hereinafter “Avis”) provided an initial response to the Guarantor, confirming, in particular, that “the data of the interested parties had been communicated to XX in relation to a notification of violation of a ban on access and parking in prohibited areas, as well as to the XX company for a dispute over non-payment of tolls”, and also adding that “the erroneous communication is attributable to a mere technical error relating to the association between the identification data of the actual driver and the license plate of the rented vehicle in the period in which, respectively, the violation of the traffic limitation rules and the non-payment of the motorway toll had occurred.”

The company also clarified that "the communication of the rental customer's data by the car rental company corresponds [...] both to a legal obligation (combined provisions of articles 84, 126 bis and 196 of the Highway Code), and to an obligation to collaborate with the [...] proceeding Authority or the body managing the public motorway concession", but that in the circumstance that is the subject of the complaint "an error appears to have occurred in the association between their name as renters and the license plate number of the vehicle that is the subject of the disputes of non-payment and violation of road traffic regulations".

Having taken note of what was declared by the owner, also regarding the proactive behavior, developed by the same, which requested the aforementioned third parties to rectify the data and to cancel the disputes erroneously addressed to the interested parties, with consequent archiving of the administrative practices, it was deemed necessary in any case to acquire clarifications from Avis in order to better understand the process that gave rise to the communication to third parties of erroneous personal data relating to the complainants and to verify any violations of the discipline for the protection of personal data.

This Authority has therefore sent, also following the integration of documents by the Norwegian authority, a new request for information to the owner, pursuant to art. 157 of the Code, asking to provide clarifications and representing to the same what is provided for in the matter of false declarations, attestations, exhibitions or documentation to the Guarantor (art. 168 of the Code).

The owner, in providing new feedback to the Guarantor, represented that "with regard to the facts dating back to 2019 [...] Avis has carried out all necessary corrections, taking charge of all necessary communication activities to the interested parties and without any consequences for the interested customer", specifying, among other things, that:

"the data are provided to Avis on the initiative of the requesting customer in the context of the conclusion [of] a vehicle rental contract [...].

The provision of the customer's data also allows AVIS to fulfill specific regulatory obligations of identification and communication to the authority (Police Headquarters) of the relevant data [... of] drivers of a motor vehicle (with reference [to Legislative Decree no. 113 of 2018, converted by] Law 132/2018 and related Ministerial Decree 29 October 2021) [...]. The public authorities responsible for controlling road traffic and motorway service concessionaires, in the event of violations or omissions to be contested by the interested parties [to] whom they are attributed, shall in any case notify Avis (as the car rental company that owns the vehicle) requests for driver identification […];

the data relating to the customer and the related rental are therefore processed and stored on the AVIS computer system for contractual, legal and administrative purposes […]. Furthermore, with regard to the specific circumstances of the case in question, the storage of data relating to the rental also allows AVIS to respond to requests for driver identification by public authorities in relation to complaints of violation of traffic regulations set out in the Highway Code or local regulations, as well as requests by motorway service concessionaires in the event of complaints of non-payment of the toll, as indicated above;

the activities of managing requests for identification of drivers of rental vehicles, after receiving notifications (in the form of a paper report or communication via PEC) by AVIS, are subsequently carried out by the company Agenzia Italia Spa, on behalf of and on behalf of AVIS with the provision of an outsourced service (on the basis of a service contract and appointment as External Manager, […], by searching for the relevant data corresponding to the notifications on the IT system and communicating them to the authorities and concessionaires. In this specific regard, as previously communicated, AVIS has a legal obligation (pursuant to the combined provisions of Articles 84, 126 bis and 196 of the Highway Code) as well as a collaboration with the requesting authorities and concessionaires to provide said identification data upon reasoned request, as deduced from the relevant results in the AVIS system based on correspondence with the license plate number and date of the dispute.

In the specific circumstance of the case in question, however, as was subsequently ascertained both following the customer's report and following an internal check that then led to the cancellation of the related requests for administrative violation and failure to pay motorway tolls, with closure of the related practices […], it appears that data other than that of the customer who had actually rented the vehicle […] were identified and provided and to whom they should therefore have been correctly attributed.

In fact, after having carried out every appropriate check (as dutifully occurs in all cases, albeit quite rare, in which a possible anomaly in the consistency of the rental data and disputes of the kind is reported), it must be considered that the circumstances of erroneous association of the above findings occurred following a material error attributable to the manual data entry activity for rental registration purposes by the operators in service at the rental station, […] consequently leading to the erroneous identification of the complainant as the driver of the vehicle itself on the dates on which said disputes occurred;

It is also possible that the customer requests and obtains a different type of vehicle than the one assigned by the system based on the specifications previously provided by the customer or that a vehicle already pre-assigned is returned late or early […] resulting in a reassignment of the vehicle. In these cases, even with all the accuracy of the operator in inserting the necessary correction, there is the possibility, although absolutely rare, that an overlap of rental dates or times may occur […].

As a rule, however, in these cases the system signals an anomaly in this regard, which is then promptly corrected, but it cannot be absolutely excluded that a temporary permanence in the system of data for so-called rentals may occur. "void" (i.e. a rental closed suddenly upon request or changed needs of the customer […] or for technical reasons found) and related very rare incorrect associations of rental dates or times with respect to a vehicle […], which are then systematically ascertained and corrected ex post in the shortest time technically possible, as a prerogative of the system, as part of internal controls or upon notification by the customer, and in all cases without any consequences for the customer in terms of debit errors, for which AVIS takes full responsibility;

it is possible that [following the forwarding by Avis of the notifications] “relating to disputes for violations of road traffic regulations or missed motorway tolls of the competent authorities and bodies […] to Agenzia Italia […] a manual insertion of a date different from that relating to the dispute occurred, at the time of the search by Agenzia Italia to follow up on requests for identification of drivers [and] data different from that of the actual driver involved and, in particular, those of the customer who subsequently reported the circumstance as erroneous.

an erroneous association between the reference date and time for disputed violations and the vehicle license plate, determined by one of the circumstances mentioned above, unfortunately caused an incorrect communication of the driver's details, which however was corrected. It is therefore reiterated that in this circumstance there does not appear to have been an IT problem or an inconsistency in the data cross-referencing resulting from the operation of the system, but only an inconvenience related to the human conduct of the operator […] during the data entry phase […] probably generated by last minute changes by the customer or management of advances or delays in returning a vehicle.

It should also be noted that compared to the time [of the facts] (dating back to 2019), our systems have in the meantime been periodically and significantly updated also with the adoption of technical solutions which have had, among other things, the purpose of reducing the risk that data entry […or other] manual intervention by an operator […] could incidentally cause a mix-up or a lack of consistency in the rental records, even with appropriate preventive reporting or monitoring tools.

AVIS remains committed to constantly improving its systems precisely to minimize these risks as much as possible […]; as part of its accountability as Data Controller, [Avis] undertakes to dedicate its best technical resources to the aforementioned [periodic] updating of the systems regarding the detection and reporting of anomalies with the primary aim of further reducing the already remote possibility that similar accidental mishaps, however rare, may recur in the future.

AVIS corresponds to the notifications received due to legal obligation and collaboration, but substantially with an essentially "vicarious" function with respect to the needs of verification and contestation for public interest […] in terms of dutiful collaboration in the management of a request for driver identification, but which is in itself extraneous to its processing purposes as Data Controller (provision of rental services, with respect to the contestation of infringement and failure to pay tolls);

In conclusion, […] a mere material and human error in data entry temporarily generated subsequent incorrect communications to the requesting authorities and motorway bodies, but as stated, this mix-up was then fully identified following the report and subsequently the subject of requests [for] rectification accepted by the same on the initiative of AVIS;

at present, no relevant cases or reports relating to the processing of rental customers’ data have occurred previously […].”

2. Assessments of the Authority and conclusions

Pursuant to Regulation (EU) 2016/679 on data protection (“GDPR”), processing of personal data must be carried out in accordance with the fundamental principles indicated in art. 5 (e.g., lawfulness, correctness, transparency, limited purposes, minimization, accuracy, integrity and confidentiality of data) and, to be lawful, must be based on one of the legal bases contemplated in art. 6 GDPR (including: consent of the interested party, performance of a contract, fulfillment of a legal obligation, performance of a task of public interest, legitimate interest of the owner). The basis on which the data processing is based for the fulfillment of a legal obligation must be established by the law of the Union or of the Member State to which the owner is subject (art. 6, para.3).

Furthermore, according to art. 24 GDPR, taking into account the nature, context and purposes of the processing as well as the risks to the rights and freedoms of individuals, the controller shall implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing complies with the GDPR; these measures are reviewed and updated where necessary.

Art. 32 GDPR specifies the security obligations, establishing that: “the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk […]. When assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
With regard to the legal basis of the processing, with reference to the case in question, it emerges from the documentation in the file that Avis would have initially processed the complainants' data for the execution of a contract (art. 6, para. 1, b) and that, presumably due to a material error in the data entry phase, the complainants' data would have been associated with the license plate of a vehicle not attributable to them.

Following requests for identification of the driver by the public authority and the concessionaire of Italian motorway services, in relation to complaints of violation of the Highway Code and failure to pay motorway tolls, Avis itself, in line with art. 6, para. 1, c) and f), would have communicated to such third parties the complainants' data - as presumably resulting from the activity of managing requests for identification of the drivers of the vehicles. As also indicated in the information provided by Avis, the latter may, in fact, be required to provide such communication by law, as well as for a legitimate interest (in particular in the event of any disputes, for the defense of its rights).

More specifically, it emerged that, in the context of the communication of drivers' data by Avis to the aforementioned subjects (XX and the motorway services concessionaire), an activity that is in principle lawful, based on the Community and national regulatory framework (art. 6, para. 1, letter c), f) and para. 3 GDPR; arts. 126 bis, 176, 196, inter alia, of Legislative Decree 285/1992, the Italian “Highway Code”), in this specific case, since an undue communication of (common) data occurred, the complainants not being the actual offenders, this led to a violation of personal data (data breach), or “a security breach that leads to the accidental or unlawful destruction, loss, modification, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” (art. 4, point 12) GDPR).

However, from the analysis of the documentation acquired, it emerged that the cause of this violation is to be traced to an occasional human error that occurred during the data entry phase, and not to an IT problem or to the operation of the system used by Avis. The data controller promptly corrected the data in its internal systems and requested such correction from the aforementioned subjects, archiving the traffic violation tickets, as also confirmed by the interested parties; furthermore, the data controller declared that during the proceedings it updated the technical and organizational measures used, in particular regarding the detection and reporting of anomalies in order to further reduce the possibility of similar errors (see also the EDPB Guidelines “Guidelines 9/2022 on personal data breach notification under GDPR, Adopted 28 March 2023”).

As also highlighted in the EDPB Guidelines no. 01/2021 on examples regarding the notification of a personal data breach, para. 78, “In this case, the breach does not result from a deliberate action by an employee, but from accidental human error caused by carelessness. This type of breach can be avoided or made less frequent […]” by a series of technical and organizational measures and precautions referred to therein. In such cases, however, the same Guidelines do not include, among the necessary actions to be taken on the basis of the identified risks, either notification to the supervisory authority or to the data subject pursuant to Articles 33 and 34 of the GDPR.

Furthermore, it should be remembered that the Guarantor, pursuant to Article 57, paragraph 1, letter d) of the GDPR, has, among others, the task of promoting awareness among data controllers regarding the obligations imposed on them by the GDPR.

The Guarantor, the lead authority, has therefore reported to the other authorities concerned on the investigation activity, sharing its position in this regard.

In particular, having taken note of the feedback provided by the Company, also pursuant to Article 168 of the Privacy Code and in line with the EDPB Guidelines 02/2022 on the application of Article 60 of the GDPR, adopted by the EDPB on 14 March 2022 (par. 232, 233, 234), this Authority proposed not to take any corrective action pursuant to Article 58, para. 2 GDPR against the controller, but rather to adopt a decision pursuant to Article 60, para. 7, in order to close the proceedings, while inviting the controller to constantly verify the adequacy of the technical and administrative measures relating to data processing operations (including adequate training of staff) to avoid (or promptly identify) similar errors in the future (Article 57, para. 1, letter d) GDPR).

The Authority reached this conclusion taking into account all the circumstances of the case and, in particular, that the mix-up appears to be due to human error, of an occasional nature and that the data controller (which, in principle, is required, under Italian law, to share drivers' data with the above-mentioned requesting bodies) has taken proactive action to reduce or eliminate the impact of what happened on the data subjects.

This is also in line with the provisions of the EDPB Guidelines 2/2022, cit. according to which, in light of the result obtained and the specific circumstances of the case, "the supervisory authority may consider that the most appropriate decision in relation to the complaint in question is to close the procedure, taking note of the solution reached and without taking any action against the data controller" and after "a careful assessment of the circumstances of the complaint as a whole [...]" (EDPB Guidelines 2/2022 on the application of art. 60, para. 232, 233).

Pursuant to art. 60, para. 4-6, since no objections were raised by the authorities concerned within the foreseen deadline of four weeks, the draft decision has become binding for the authorities concerned and for the Guarantor (lead authority).

Therefore, it is considered appropriate to close the procedure in question, pursuant to art. 60, para. 7, of the GDPR, without the adoption of corrective/sanctioning measures pursuant to art. 58, para. 2 GDPR, considering that the violation has entailed a level of risk for the rights and freedoms of the data subjects that can be considered low (see EDPB Guidelines 01/2021, cit.). However, it is considered appropriate, pursuant to the aforementioned art. 57, para. 1, lett. d) GDPR, invite the controller to constantly check the data security measures (and in particular, technical and organizational measures) to prevent similar human errors, also in light of what is highlighted in the EDPB Guidelines 01/2021: "It is important to first identify how the human error could have occurred and, if applicable, how it could have been avoided. In this specific case, the risk is low, since no special categories of personal data or other data whose misuse could have significant negative effects were involved, the violation does not result from a systemic error by the controller and only two persons are affected" (para. 107 Guidelines 01/2021).

The Guarantor, therefore, adopts this provision and notifies it to the controller, pursuant to art. 60, para. 7, GDPR, in consideration of its role as lead supervisory authority "as the sole interlocutor of the controller of the processing subject to the complaint in question"; the interested parties will be informed through the authority that received the complaint – in this case, the Norwegian authority (EDPB Guidelines 2/2022, para. 234).

GIVEN ALL THE ABOVE, THE GUARANTOR

pursuant to art. 60, par. 7, of the GDPR, as well as art. 143, paragraph 3, of the Code, arts. 14 and 18 of the regulation of the Guarantor n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, orders the closure of the proceeding in question, without the adoption of corrective and sanctioning measures, for the reasons set out above and in line with the provisions of the EDPB Guidelines 2/2022, on the application of art. 60 of the General Data Protection Regulation, adopted on 14 March 2022, para. 232, 233,234;

pursuant to art. 57, par. 1, letter d) GDPR, invites Avis Budget Italia S.p.A. to constantly verify the adequacy of the technical and administrative measures relating to data processing operations (including adequate staff training) to avoid (or promptly identify) similar errors in the future.

This provision is notified to the controller and communicated to the interested parties via the Norwegian authority that received the complaint.

Pursuant to art. 78 of the Regulation, as well as art. 152 of the Code, an objection to this provision may be lodged with the ordinary judicial authority, with an appeal filed, alternatively, with the court of the place where the controller resides or has its registered office or with that of the place of residence of the interested party within thirty days from the date of communication of the provision itself or sixty days, if the appellant resides abroad.

Rome, 17 July 2024

THE PRESIDENT
Stanzione

THE REPORTER
Ghiglia

THE SECRETARY GENERAL
Mattei