Garante per la protezione dei dati personali (Italy) - 10079389

Garante per la protezione dei dati personali - 10079389

Authority:	Garante per la protezione dei dati personali (Italy)
Jurisdiction:	Italy
Relevant Law:	Article 5(1)(f) GDPR Article 5(2) GDPR Article 6(1)(a) GDPR Article 7 GDPR Article 12 GDPR Article 13 GDPR Article 15 GDPR Article 24 GDPR Article 32(1)(b) GDPR Article 32(1)(d) GDPR Article 32(2) GDPR
Type:	Complaint
Outcome:	Upheld
Started:
Decided:
Published:
Fine:	5,000 EUR
Parties:	n/a
National Case Number/Name:	10079389
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Italian
Original Source:	Garante (in IT)
Initial Contributor:	elu

The DPA imposed a fine of €5,000 to a real estate agency following a complaint regarding unwanted calls to a data subject, whose data was collected and stored unlawfully on a paper filing system.

English Summary

Facts

The data subject received an unwanted call from Company X. After an access and deletion request, the Company X distanced itself from the calls and traced them back to the real estate agency Studio Immobiliare S.r.l.s., the controller.

The data subject advanced a complaint and, subsequently, the Italian DPA advanced a request for access in its investigation. The controller stated that the data subject´s data was retrieved from a data base containing the phone contact of the data subject that had been acquired years prior from a provider. It also stated, on the phone, that the use of this information by an employee was improper and that it would proceed to the erasure of the data, which however was not confirmed in written form.

Holding

The DPA only initiated proceedings against Studio Immobiliare S.r.l.s., the controller, and deemed the involvement of Company X too superficial to be relevant in the investigation.

It appeared that the data subject´s phone number came into the controller´s possession for unknown reasons, likely connected to some unspecified operations by previous managers.

In fact, so-acquired personal data, without any legal basis, were stored, without any care, for an indefinite time period on an unattended paper filing system, which is problematic in light of Article 32(1)(b) and (d), as well as (2) GDPR. The “human error” claim would be per se indicative of insufficient organizational measures from the controller, indicating a violation of the accountability principle under Article 5(1)(f), (2) and 24 GDPR.

Moreover, the access request was answered by the controller late and only partially, as the legal basis was not explicated nor specifically explained. Therefore, the access request was not satisfied in violation of Articles 12 and 13 GDPR. Within this context, the DPA found a violation of Articles 12(3), 15 as well as Articles 6(1)(a) and 7 GDPR.

As a consequence of these violations, the DPA found it appropriate to impose a fine of €5,000 to the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. no. 10079389]

Provision of 17 October 2024

Register of provisions
no. 622 of 17 October 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

SEEN the Personal Data Protection Code (Legislative Decree 30 June 2003, no. 196), as amended by Legislative Decree 10 August 2018 no. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter “Code”);

SEEN the documentation in the files;

SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;

REPORTER Prof. Ginevra Cerrina Feroni;

WHEREAS

1. THE INVESTIGATIVE ACTIVITY CARRIED OUT

With a complaint dated 2 April 2024, Mrs. XX complained about receiving, on 19 February, an unwanted phone call from “XX” in the absence of consent and stated that she had not received a response to the request to know the origin of the personal data and to delete them, made on the same date and repeatedly requested (specifically on 26 February and 5 March 2024). In particular, the complainant initially contacted XX S.p.A. which - in declaring its non-involvement in relation to the conduct complained of and attributing the same to a promotional initiative of Studio Immobiliare Pianezza S.r.l.s. (hereinafter «Immobiliare Pianezza» or «Company»), an independent data controller, - redirected the interested party's communications to the aforementioned Company, urging it to respond promptly.

On 9 April 2024, the Office sent the aforementioned Companies a request for information, pursuant to art. 157 of the Code (ref. prot. no. 44127/24), to which both XX S.p.A. and Immobiliare Pianezza provided feedback; the former, confirming what had already been communicated to the complainant regarding its non-involvement, the latter, instead, representing - with a communication dated 20 April 2024 - that the telephone number of the interested party, acquired years earlier from the list provider XX (hereinafter "XX") and "saved by the previous manager of the agency on paper", would have been improperly used by one of its collaborators, in contravention of the company directives. Furthermore, a timely feedback regarding the deletion of the data would have been provided by Immobiliare Pianezza by telephone to the complainant, without, however, forwarding a written confirmation communication to the latter, unless following the intervention of the Guarantor.

2. DISPUTE OF VIOLATIONS

The Office decided to proceed exclusively against Immobiliare Pianezza, affiliate XX, as a legal entity independent from the Franchisor (owner of the trademark – in this case XX). In this regard, for the profiles of interest in the context of this proceeding, it must be specified that the institution of commercial affiliation (Franchising), governed by Law 6 May 2004, no. 129, is implemented by signing a contract "between two legal entities, economically and legally independent, on the basis of which one party grants the other, in exchange for payment, the availability of a set of industrial or intellectual property rights [...] for the purpose of marketing certain goods or services" (art. 1 of Law no. 129/2004 cit.). On the basis of this, the real estate agencies included in the affiliation circuit are considered legally and economically independent, without constraints of subordination, with respect to the Franchisor. It follows that the responsibility for the conduct complained of in the complaint in question is attributable solely to the Affiliate (Immobiliare Pianezza) who acted as an independent data controller.

Therefore, the Office proceeded to contest the violations detected by the Company with the act of initiation of the procedure of 3 May 2024 (ref. prot. no. 53807/24) duly notified to the email address indicated in the Register of Companies of the Chamber of Commerce (specifically XX) as well as to the address on the relevant website (XX).

Assuming here that the reasons expressed in the aforementioned act have been fully recalled, Immobiliare Pianezza has been contested for the violation of art. 5, par. 1, letter. f), 2 and 24 of the Regulation for not having guaranteed, nor proven, adequate protection of the personal data held by it from unauthorized processing and access, through the adoption of suitable security measures that ensure the integrity and confidentiality of the data; furthermore, the Company was not even able to prove that it had carried out the necessary checks regarding the lawfulness requirements of the personal data acquired from the list provider, such as the information provided and the consents given by the interested parties, recipients of the promotional campaign.

Finally, with regard to the late response to the exercise of rights, taking into account that the Company, in the initial dialogue with the complainant, limited itself to ensuring the mere deletion of the personal data without providing clarifications regarding their origin until after the intervention of the Authority, the violation of Articles 12, paragraph 3, and 15 of the Regulation, as well as Articles 6 and 7 of the Regulation and Article 130 of the Code for not having acquired any consent to receive promotional telephone calls.

3. LEGAL ASSESSMENTS

Immobiliare Pianezza did not exercise its right of defense in relation to the contested charges and, therefore, did not produce defense briefs, nor did it request a hearing pursuant to art. 166, paragraph 6, of the Code and art. 13 of the Internal Regulation of the Guarantor no. 1/2019. Nonetheless, the proceedings initiated with the contested notice must be considered adequately investigated and full proof of the liability of Immobiliare Pianezza acquired in relation to the objections raised against it.

First of all, Immobiliare Pianezza acted as the owner, pursuant to art. 4 of the Regulation, having specifically determined the purpose for which the processing was carried out (promotion of its services) and the telephone channel used for this purpose (see, for example, provision no. 412 of 25 November 2021, web doc. no. 9736961; provision no. 413 of 25 November 2021, web doc. no. 9737185; provision no. 424 of 2 December 2021, web doc. no. 9731682; all in www.gpdp.it). Therefore, both the obligations imposed by the legislation on the protection of personal data and the responsibility for the violations detected can be directly traced back to the same Company.

Having duly clarified this, it does not appear that the Company, the data controller, has provided documentation proving the existence of the lawfulness requirements of the personal data acquired from XX, such as the information provided and the consents given by the complainant recipient of the promotional campaign, nor that it has carried out such checks in any other way. In fact, it appears that the complainant's address became available to the Company for unknown reasons, attributable to unspecified operations of previous "agency managers". It has not even been clarified whether the relationship with the supplier XX was in some way formalized in an agreement or contract that also defined the privacy roles.

Therefore, the personal data thus acquired, lacking the necessary lawfulness requirements that would have authorized their use, were found to be stored, without any caution and for an indefinite period, on an unattended paper medium that was freely accessible by the Company's employees, moreover in the absence of a formal "attribution of functions and tasks to designated subjects" for the processing, pursuant to art. 2-quaterdecies of the Code. In addition, Immobiliare Pianezza did not take into account the risks to the rights and freedoms of the interested parties arising from the failure to adopt appropriate security measures that could ensure the integrity and confidentiality of the personal data held by it, as provided for by art. 32, par. 1, letters b) and d), and par. 2, of the Regulation; the Company nevertheless continued to process the personal data contained in the lists provided by XX despite the unusability of the same data, as provided for by art. 2-decies of the Code. Furthermore, the circumstance of human error invoked by the Company (in the response of 20 April 2024) as a reason for the conduct complained of, attributable to a personal initiative of one of its employees, would be indicative, in itself, of a lack of training of its collaborators, but above all of insufficient organizational and control measures by the data controller, together with the inability to comply with the obligation to demonstrate compliance with the rules (so-called "accountability"). It is therefore believed that the violation of Articles 5, paragraphs 1, letter f), 2 and 24 of the Regulation must be confirmed.

Furthermore, the request to exercise the rights was found late (only after the intervention of the Authority) and partially, since, as already mentioned, the conditions of lawfulness that would have legitimized the availability of the data by the Company were not clarified, but assurances were given to the complainant and during the investigation exclusively in order to delete the data themselves (see response of 20 April 2024). From this perspective, the mere deletion of the interested party's data, as represented by the Company in the response to the exercise of the rights, does not exhaust the obligations of the data controller who, in the case in question, should have provided all the information that could allow the complainant to reconstruct the circumstance in which she would have given the alleged consent to marketing, as well as identify the distribution of responsibilities within the scope of the processing, the methods and purposes, together with the related legal bases of lawfulness, of the processing itself.

For these reasons, the request for access to personal data cannot be considered satisfied and was not found within the terms set out in art. 12, par. 3, of the Regulation, nor did the Company, during the proceedings, provide explanations for the lack of response, since the circumstance of the telephone confirmation of the cancellation was denied by the complainant. Likewise, since no consent to receive promotional telephone calls was acquired, the processing appears to have been carried out in the absence of an appropriate legal basis.
This conduct can also be considered attributable to a general inability of the Company to guarantee adequate control of the operations that involve the processing of personal data (formation of lists and indication of the legal basis for the lawful use of the same, management of requests to exercise rights), such that the error cited as justification for the unwanted contact and the lack of response to the complainant cannot be considered excusable. Therefore, the violation of art. 12, par. 3, and 15 of the Regulation, as well as Articles 6, par. 1, letter a), 7 of the Regulation and Article 130 of the Code.

4. CONCLUSIONS

In light of the arguments set out in point 3 of this provision, the contested violations are deemed to be confirmed and it is necessary:

a) pursuant to Article 58, par. 2, letter f), of the Regulation, to prohibit the processing of personal data acquired by the list provider XX in the absence of appropriate consent from the interested parties to the marketing activity, pursuant to Articles 6 and 7 of the Regulation, as well as 130 of the Code;

b) pursuant to Article 58, par. 2, letter d), of the Regulation, to order the erasure of such data without delay, except for those that are necessary to retain for the fulfillment of a legal obligation or for the defense of a right in court as well as for any other purpose that does not require informed, free, specific, documented and unequivocal consent of the interested party.

Finally, with regard to the processing already carried out and in consideration of the violations ascertained above, it is believed that the conditions exist for the application of an administrative pecuniary sanction pursuant to Articles 58, par. 2, letter i) and 83 of the Regulation.

5. INJUNCTION ORDER FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION

Based on the above, various provisions of the Regulation and the Code have been violated in relation to connected processing carried out by Immobiliare Pianezza, for which reason it is necessary to apply Article 83, par. 3, of the Regulation, according to which, if, in relation to the same processing or to connected processing, a data controller violates, with intent or negligence, several provisions of the Regulation, the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation, with consequent application of only the sanction provided for by art. 83, par. 5, of the Regulation.

For the purposes of quantifying the administrative sanction, the aforementioned art. 83, par. 5, in setting the maximum amount set by law in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the preceding financial year, if higher, specifies the methods of quantifying the aforementioned sanction which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1, of the Regulation), identifying, for this purpose, a series of elements, listed in par. 2, to be assessed when quantifying the relative amount.

In compliance with this provision - having noted, on the basis of the information found in the latest financial statement (recorded on 31 December 2022), the occurrence of the first hypothesis provided for by the aforementioned art. 83, par. 5, of the Regulation and therefore quantified at 20 million euros as the maximum applicable fine - the following aggravating circumstances must be considered:

1. the negligent nature of the conduct, since the rules for the protection of personal data were completely ignored by the owner until the intervention of the Guarantor (art. 83, par. 2, letter b, of the Regulation);

2. the seriousness and duration of the violations detected. In particular, with regard to the unwanted phone call and the late and inadequate response to the request to exercise the rights, taking into account the fact that it was an isolated case, a low level of seriousness of the violation can be considered. With regard, however, to the data provided by the list provider and stored for years by the Company on freely accessible media, a potentially very significant prejudice is noted for all the interested parties present in the list acquired by the provider, even if they are not aware of the telephone contacts actually made by exploiting this vulnerability; even the same telephone call addressed to the complainant - who appears to be the only interested party involved - derived from an individual initiative of which the Company became aware only after the intervention of the Authority. For this profile, therefore, the level of severity can be assessed as medium (art. 83, par. 2, letter a, of the Regulation);

3. the failure of the data controller to adopt adequate measures to mitigate the damage referred to in the previous point, since the Company limited itself to ensuring the mere deletion of the data subject's data without, however, proposing targeted interventions to overcome the described vulnerabilities and, therefore, to ensure the integrity and confidentiality of the data held by it (Article 83, paragraph 2, letter c, of the Regulation);

4. the low level of cooperation in the interaction with the Supervisory Authority, given that the Company did not submit defensive briefs, nor did it provide timely feedback to the Office's request for information, such as not to allow a complete definition of the processing in question (Article 83, paragraph 2, letter f, of the Regulation).

As mitigating factors, it is believed that the following can be taken into account:

1. the number of subjects affected by the violations since, although these are potentially capable of causing harm to all users present in the list acquired by the supplier, in practice, and on the basis of what has been ascertained, the processing involved the making of only one unwanted phone call to the complainant (Article 83, paragraph 2, letter a, of the Regulation);

2. the absence of previous relevant violations committed by the data controller (Article 83, paragraph 2, letter e, of the Regulation);

3. the overall assessment of the economic capacity of the Company, which has the dimensional requirements of a micro-enterprise, with particular reference also to the latest available balance sheet relating to the year 2022 (Article 83, paragraph 2, letter k, of the Regulation).

In considering the necessary balance between the rights of the interested parties and the freedom of enterprise, it is necessary to prudently evaluate the aforementioned criteria, also in order to limit the economic impact of the sanction.

Therefore, it is believed that - based on the set of elements indicated above - the administrative sanction of the payment of a sum of €5,000.00 (five thousand/00) equal to 0.025% of the maximum statutory sanction of €20 million should be applied to Immobiliare Pianezza.

In the case in question, it is believed that the accessory sanction of the publication of this provision on the website of the Guarantor should also be applied, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation no. 1/2019.

In implementation of the principles set out in art. 83 of the Regulation, the imposition of such an ancillary sanction appears reasonable and proportionate given the seriousness and the particular disvalue of the conduct being criticized with specific reference to the duration of the violation ascertained and the potentially high number of subjects involved, as noted in point 2 of the aggravating circumstances described above.

Furthermore, the failure to adopt security measures that could ensure the integrity and confidentiality of the data was not followed by any intervention aimed at overcoming the described vulnerability, not even following the intervention of the Guarantor; this, together with the lack of a selection procedure for list providers, denotes a culpable and persistent insensitivity to the issue of personal data protection. It is recalled that, pursuant to art. 170 of the Code, anyone who, being required to do so, does not comply with this provision prohibiting processing is punished with imprisonment from three months to two years and that, in the event of non-compliance with the same provision, the sanction referred to in art. 83, par. 5, letter e) of the Regulation

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor, are met for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation.

GIVEN ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, par. 1, letter f), of the Regulation, declares the processing described in the terms of the motivation carried out by Immobiliare Pianezza S.r.l.s., with registered office in via Don Bosco 6, 10044 Pianezza (TO), VAT no. 12492720011, to be unlawful; consequently:

a) pursuant to art. 58, par. 2, letter f), of the Regulation, prohibits the processing of personal data acquired by the list provider XX in the absence of appropriate consent from the interested parties to the marketing activity, pursuant to articles 6 and 7 of the Regulation, as well as 130 of the Code;

b) pursuant to art. 58, par. 2, letter d), of the Regulation, orders to proceed without delay to the deletion of said personal data, except for those that are necessary to retain for the fulfillment of a legal obligation or for the defense of a right in court as well as for any other purpose that does not require informed, free, specific, documented and unequivocal consent of the interested party;

c) pursuant to art. 157 of the Code, orders Immobiliare Pianezza to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the measure imposed in the previous point b); any failure to comply with the provisions of this point may result in the application of the administrative pecuniary sanction provided for by art. 83, par. 5, of the Regulation.

ORDERS

pursuant to art. 58, par. 2, letter i), of the Regulation, to Immobiliare Pianezza S.r.l.s., in the person of its legal representative, to pay the sum of Euro 5,000.00 (five thousand.00) as a pecuniary administrative sanction for the violations indicated in the reasons; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed.

ORDERS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €5,000.00 (five thousand.00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981;

ORDERS

a) pursuant to art. 166, paragraph 7, of the Code, the publication in full of this injunction order on the website of the Guarantor;

b) pursuant to art. 17 of the Guarantor Regulation no. 1/2019, orders the annotation in the internal register of the Authority, provided for by art. 57, paragraph 1, letter u) of the Regulation, of the violations and measures adopted;

c) the publication of this provision pursuant to arts. 154-bis of the Code and 37 of the aforementioned Regulation no. 1/2019.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as art. 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller resides, or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 17 October 2024

THE PRESIDENT
Stanzione

THE REPORTER
Cerrina Feroni

THE GENERAL SECRETARY
Mattei

[web doc. no. 10079389]

Provision of 17 October 2024

Register of provisions
n. 622 of 17 October 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

SEEN the Personal Data Protection Code (Legislative Decree 30 June 2003, no. 196), as amended by Legislative Decree 10 August 2018 no. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter “Code”);

SEEN the documentation in the files;

SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;

REPORTER Prof. Ginevra Cerrina Feroni;

WHEREAS

1. THE INVESTIGATIVE ACTIVITY CARRIED OUT

With a complaint dated 2 April 2024, Mrs. XX complained about receiving, on 19 February, an unwanted phone call from “XX” in the absence of consent and stated that she had not received a response to the request to know the origin of the personal data and to delete them, made on the same date and repeatedly requested (specifically on 26 February and 5 March 2024). In particular, the complainant initially contacted XX S.p.A. which - in declaring its non-involvement in relation to the conduct complained of and attributing the same to a promotional initiative of Studio Immobiliare Pianezza S.r.l.s. (hereinafter «Immobiliare Pianezza» or «Company»), an independent data controller, - redirected the interested party's communications to the aforementioned Company, urging it to respond promptly.

On 9 April 2024, the Office sent the aforementioned Companies a request for information, pursuant to art. 157 of the Code (ref. prot. no. 44127/24), to which both XX S.p.A. and Immobiliare Pianezza provided feedback; the former, confirming what had already been communicated to the complainant regarding its non-involvement, the latter, instead, representing - with a communication dated 20 April 2024 - that the telephone number of the interested party, acquired years earlier from the list provider XX (hereinafter "XX") and "saved by the previous manager of the agency on paper", would have been improperly used by one of its collaborators, in contravention of the company directives. Furthermore, a timely feedback regarding the deletion of the data would have been provided by Immobiliare Pianezza by telephone to the complainant, without, however, forwarding a written confirmation communication to the latter, unless following the intervention of the Guarantor.

2. DISPUTE OF VIOLATIONS

The Office decided to proceed exclusively against Immobiliare Pianezza, affiliate XX, as a legal entity independent from the Franchisor (owner of the trademark – in this case XX). In this regard, for the profiles of interest in the context of this proceeding, it must be specified that the institution of commercial affiliation (Franchising), governed by Law 6 May 2004, no. 129, is implemented by signing a contract "between two legal entities, economically and legally independent, on the basis of which one party grants the other, in exchange for payment, the availability of a set of industrial or intellectual property rights [...] for the purpose of marketing certain goods or services" (art. 1 of Law no. 129/2004 cit.). On the basis of this, the real estate agencies included in the affiliation circuit are considered legally and economically independent, without constraints of subordination, with respect to the Franchisor. It follows that the responsibility for the conduct complained of in the complaint in question is attributable solely to the Affiliate (Immobiliare Pianezza) who acted as an independent data controller.

Therefore, the Office proceeded to contest the violations detected by the Company with the act of initiation of the procedure of 3 May 2024 (ref. prot. no. 53807/24) duly notified to the email address indicated in the Register of Companies of the Chamber of Commerce (specifically XX) as well as to the address on the relevant website (XX).

Assuming here that the reasons expressed in the aforementioned act have been fully recalled, Immobiliare Pianezza has been contested for the violation of art. 5, par. 1, letter. f), 2 and 24 of the Regulation for not having guaranteed, nor proven, adequate protection of the personal data held by it from unauthorized processing and access, through the adoption of suitable security measures that ensure the integrity and confidentiality of the data; furthermore, the Company was not even able to prove that it had carried out the necessary checks regarding the lawfulness requirements of the personal data acquired from the list provider, such as the information provided and the consents given by the interested parties, recipients of the promotional campaign.

Finally, with regard to the late response to the exercise of rights, taking into account that the Company, in the initial dialogue with the complainant, limited itself to ensuring the mere deletion of the personal data without providing clarifications regarding their origin until after the intervention of the Authority, the violation of Articles 12, paragraph 3, and 15 of the Regulation, as well as Articles 6 and 7 of the Regulation and Article 130 of the Code for not having acquired any consent to receive promotional telephone calls.

3. LEGAL ASSESSMENTS

Immobiliare Pianezza did not exercise its right of defense in relation to the contested charges and, therefore, did not produce defense briefs, nor did it request a hearing pursuant to art. 166, paragraph 6, of the Code and art. 13 of the Internal Regulation of the Guarantor no. 1/2019. Nonetheless, the proceedings initiated with the contested notice must be considered adequately investigated and full proof of the liability of Immobiliare Pianezza acquired in relation to the objections raised against it.

First of all, Immobiliare Pianezza acted as the owner, pursuant to art. 4 of the Regulation, having specifically determined the purpose for which the processing was carried out (promotion of its services) and the telephone channel used for this purpose (see, for example, provision no. 412 of 25 November 2021, web doc. no. 9736961; provision no. 413 of 25 November 2021, web doc. no. 9737185; provision no. 424 of 2 December 2021, web doc. no. 9731682; all in www.gpdp.it). Therefore, both the obligations imposed by the legislation on the protection of personal data and the responsibility for the violations detected can be directly traced back to the same Company.

Having duly clarified this, it does not appear that the Company, the data controller, has provided documentation proving the existence of the requirements for the lawfulness of the personal data acquired from XX, such as the information provided and the consents given by the complainant recipient of the promotional campaign, nor that it has carried out such checks in any other way. It has in fact appeared that the complainant's address became available to the Company for unknown reasons, attributable to unspecified operations of previous "agency managers". It has not even been clarified whether the relationship with the supplier XX was in some way formalized in an agreement or contract that also defined the privacy roles.

Therefore, the personal data thus acquired, lacking the necessary requirements of lawfulness that would have authorized their use, were stored, without any caution and for an indefinite period, on an unattended paper medium that was freely accessible by the Company's employees, moreover in the absence of a formal "assignment of functions and tasks to designated subjects" for the processing, pursuant to art. 2-quaterdecies of the Code. In addition, Immobiliare Pianezza did not take into account the risks for the rights and freedoms of the interested parties arising from the failure to adopt appropriate security measures that could ensure the integrity and confidentiality of the personal data held by it, as provided for by art. 32, par. 1, letters b) and d), and par. 2, of the Regulation; the Company nevertheless continued to process the personal data contained in the lists provided by XX despite the unusability of the same data, as provided for by art. 2-decies of the Code. Furthermore, the circumstance of human error invoked by the Company (in the response of 20 April 2024) as a reason for the conduct complained of, attributable to a personal initiative of one of its employees, would be indicative, in itself, of a lack of training of its collaborators, but above all of insufficient organizational and control measures by the data controller, together with the inability to comply with the obligation to demonstrate compliance with the rules (so-called "accountability"). It is therefore believed that the violation of Articles 5, paragraphs 1, letter f), 2 and 24 of the Regulation must be confirmed.

Furthermore, the request to exercise the rights was found late (only after the intervention of the Authority) and in a partial manner, since, as already mentioned, the conditions of lawfulness that would have legitimized the availability of the data by the Company were not clarified, but assurances were given to the complainant and during the investigation exclusively in order to delete the data themselves (see response of 20 April 2024). From this perspective, the mere deletion of the interested party's data, as represented by the Company in the response to the exercise of the rights, does not exhaust the obligations of the data controller who, in the case in question, should have provided all the information that could allow the complainant to reconstruct the circumstance in which she would have given the alleged consent to marketing, as well as identify the distribution of responsibilities within the scope of the processing, the methods and purposes, together with the related legal bases of lawfulness, of the processing itself.