Garante per la protezione dei dati personali (Italy) - 10106904

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(e) GDPR, Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 14 GDPR, Article 24 GDPR, Article 28 GDPR, Article 37 GDPR, Article 38 GDPR, Article 157 of the Italian Privacy Code
Type: Investigation
Outcome: Violation Found
Started:
Decided: 19.12.2024
Published:
Fine: 70,000 EUR
Parties: n/a
National Case Number/Name: 10106904
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GDPD (in IT)
Initial Contributor: elu

The DPA fined a credit repair company €70,000 for multiple GDPR violations, including inadequate data transparency, failure to delete unnecessary data, improper data processing by third parties, and an unsuitable DPO appointment.

English Summary

Facts

After the Bank of Italy notified the DPA of a personal data breach, the DPA decided to start an ex officio investigation. The notification concerned requests for information made by the legal representative of a credit repair company to the databases of national banks. Credit repair consists of finding and fixing mistakes on a person's credit report in order to improve their credit score. The legal representative was appointed as processor, while the credit rehabilitation company was the controller.

All these access requests concerned natural persons, the data subjects, who did not give any authorization for the search.

The DPA advanced a request for information to the controller, which remained unanswered. Thus, the DPA started an investigation, which revealed the following.

First, the controller deals primarily with the erasure of credit reports by banks. Data subjects reach out to the controller through their website. Subsequently, the controller calls the data subject about this service.

Second, when the controller calls the data subject, the controller gives information on data processing by means of a prerecorded voice, giving the data subject an overview of the services offered. Then, if the data subject accepts, their data is collected. However, not all data present in the database was collected from the data subjects.

Third, the Privacy Policy is shared with the data subjects twice: first via telephone, on the date of the first phone contact, and a second time when they fill out a “mandate to act” form for public and private central credit rating centers.

Fourth, the controller’s database revealed that:

  • The controller's IT system contains data regarding 74,214 data subjects. This data includes: name, surname, place and date of birth, social security number and contact details.
  • In each customer file, there are also the reports provided, by the companies and banking institutions, in response to requests for access made by the controller through the processor.
  • In the IT system, personal data held by other credit rehabilitation companies could be consulted for insolvency recovery purposes.
  • The aforementioned data, collected via paper forms, was given by every customer and was stored in the controller's office.

Finally, there were no systematic procedures for periodic deletion of old data. The controller retained the complete paper files and digital records, even if it no longer had any contractual relationship with those data subjects.

Holding

Violation of Article 5(1)(a) and Article 14(1) and (2) GDPR

The DPA found that, although the controller stored the data of over 70,000 data subjects in a database, there was no indication of how, and by whom, the data had been collected, as required by Article 5(1)(a) GDPR.

Moreover, the controller could not show, in the investigative phase, that the data subjects were informed of the data processing as required as per Article 14(1) and (2) GDPR.

Thus, the DPA found a violation of Article 5(1)(a) GDPR and Article 14(1) and (2) GDPR.

Violation of Article 5(1)(e) GDPR

The controller’s Privacy Policy gave no information on the duration of storage. More specifically, the controller never deleted personal data that was no longer necessary. This, for instance, was the case for data subjects who did not use the controller’s services (amounting to several thousand).

Thus, the DPA found a violation of Article 5(1)(e) GDPR.

Violation of Article 28 GDPR

The DPA considered that, in the context of this data processing, the processor was not authorized to process the personal data in question. More specifically, the DPA found that some processing is carried out by third parties without any contract or “other legal act under Union or Member State law”, as per Article 28(3) GDPR.

In the case at hand, the controller has availed itself of the cooperation of certain third parties, not respecting the conditions of Article 28 GDPR.

Thus, the DPA found a violation of Article 28 GDPR.

Violation of Articles 37 and 38 GDPR

The controller appointed the legal representative of the company as DPO.

First, this designation was not communicated to the DPA, thus infringing Article 37(7) GDPR.

Second, as per Recital 97 GDPR, the DPO needs to be able to act in “complete independence”. The DPA found it quite clear that the role of DPO is completely incompatible with that of legal representative of the controller, since the same person who determines the means and purposes of processing cannot have the necessary independence to also exercise supervisory duties on compliance with the controller’s rules and policies on the protection of personal data.

Thus, due to the appointment of an “inadequate” DPO and to the lack of communication of said appointment, the DPA found a violation of respectively Article 37(6) and 38 GDPR, as well as Article 37(7) GDPR.

Violation of Articles 5(2) and 24 GDPR

The DPA found that the technical and organizational measures adopted by the controller to bring the processing into conformity with the GDPR were not adequate to the nature, purpose, context and risks of the personal data processing in question. This is problematic in view of the principle of accountability under Article 5(2) GDPR and Article 24 GDPR.

Thus, the DPA found a violation of Article 5(2) GDPR and Article 24 GDPR.

Violation of Article 157 of the Italian Privacy Code

The DPA further found a violation of Article 157 of the Italian Privacy Code, Codice Italiano Privacy, due to the lack of reply to the request for information advanced by the DPA to the controller.

Fine

As a consequence of the aforementioned violations, the DPA deemed it appropriate to fine the controller €70,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Newsletter of February 28, 2025

[web doc. no. 10106904]

Measure of December 19, 2024

Register of measures
no. 802 of December 19, 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Dr. Claudio Filippi, Deputy Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);

HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the “Code”);

HAVING SEEN the inspection carried out on 13 June 2023 at the operational headquarters of Studio Riabilitazione Creditizia s.r.l.s. (hereinafter “Studio Riabilitazione” or “the Company”);

HAVING EXAMINED the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's regulation no. 1/2000;

REPORTER Prof. Ginevra Cerrina Feroni;

WHEREAS

1. The inspection activity against the company.

In the context of the exercise of the control powers referred to in art. 58, par. 1 of the Regulation (see also arts. 157 and 158 of the Code), the undersigned Authority carried out inspections of Studio Riabilitazione Creditizia s.r.l.s.

The control activity originated from a report received from the Bank of Italy which found that Mr. XX (legal representative of the aforementioned company) had made numerous requests for access to the data of the Central Risk Office of the Bank itself, on behalf of natural persons, in the absence of effective legitimacy, with the consequent risk of improper use of personal data of a financial nature unduly acquired.

Following the inspection (see the report of operations carried out on 13/6/2023, as well as notes of 28/6/2023 and 3/7/2023 with which the Company, in order to resolve the reservations made during the inspection, transmitted the supplementary documentation), the Office, having found some critical issues worthy of a more in-depth analysis, formulated a request for information, pursuant to art. 157 of the Code, which however remained unanswered (see notes of 4/12/2023 and 23/1/2024); given the lack of response, the aforementioned Special Unit, upon delegation from the Office (see note of 6/3/2024), notified the Company of the aforementioned request for information - together with the act of initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code, in relation to the violation of art. 157 of the Code - and has acquired the requested information (see minutes of operations carried out on 15 and 17/4/2024).

From the above-described investigation, based on the statements made by the legal representative of the Company, it emerged that:

1. the Company "mainly deals with the cancellation of reports in credit centers operated by banks". Customers identify the Company's contacts mainly "through the website www.studioucp.it", where "information on the services offered" is also reported;

2. when "the customer contacts the company by telephone", the same "receives information on data processing via a pre-recorded voice" that "provides some general information on the services offered"; then, "if the customer accepts, the operator acquires the customer's data (name, surname, address, email, etc.) in the company database (Customer Relationship Management, so-called CRM). This CRM also stores additional data that the customer provides during the course of the consultancy relationship, i.e. the forms signed and sent by email”. The Company, once it has obtained the authorizations from the data subjects, carries out “access requests or searches at the private and public risk centers (Bank of Italy and Chamber of Commerce) in order to better define the customer's debt position” and evaluate “the feasibility of deleting or limiting the processing of the customer's personal data at the risk centers”. In the event that it does not detect “any element to proceed with deletion, it sends the customer a further "questionnaire" to obtain more details on the circumstances complained of”; then “if from the analysis of the additional data provided the Company sees the aforementioned feasibility, it issues a cost estimate that is sent to the customer by email. If the customer accepts the service offered by the Company, the contractual documentation including the attachments is sent to him by ordinary mail, so that he returns it, always by courier, signed for acceptance. Then the activity is started at the competent offices to request, for example, the cancellation of the reports”;

3. the information referred to in articles 13 and 14 of the Regulation (a copy of which has been acquired, see annex 1 to the minutes of 13/6/2023 and, among the attachments, see page 43), in addition to being published on the website www.studioucp.it (see annex 9 to the aforementioned minutes), is provided to the interested parties both by telephone, at the time of the first contact with the Company, and subsequently, on the occasion of the signing of the “mandate form” and the delegation to operate, on their behalf, at the public and private risk centers (see mandate contract, delegation and information pages 9, 20-22 and 43 of the minutes of operations carried out of 13/6/2023, as well as annex 8, including, page 157). With the same, the customer is informed that the legal basis for the processing of personal data lies in art. 6, letter b) of the Regulation and that the same are retained "for the entire duration of the contractual relationship and, after the termination of the relationship, limited to the data necessary at that point, for the extinction of the contractually assumed obligations and for the fulfillment of all possible legal obligations and for the needs of protection, including contractual, connected or deriving from it";

4. the Company, in carrying out its business, avails itself of the collaboration of various subjects (natural and legal persons) with respect to which the privacy roles have not been correctly identified and/or regulated, pursuant to art. 28 of the Regulation. In particular, from the set of elements acquired, it appears that:

a. the company "Centro Realizzazioni informatiche e finanziamenti S.r.l.s." (see minutes of 13/6/2023, page 5) – whose legal representative is likewise XX – carries out personal data processing, on behalf of and in the interest of Studio Riabilitazione creditizia, in the absence of any act that, having assessed the professional requirements of the company and taking into account the guarantees offered by the same for the protection of the rights of the data subjects, binds it to the controller by defining the obligations and rights, as well as the terms and conditions of the personal data processing carried out;

b. additional subjects intervene “in the customer data processing process (…)” as data processors pursuant to art. 28 of the Regulation; this concerns the company "Ufficio Cattivi Pagatori S.r.l.", also attributable to Mr. XX (sole shareholder of the same) and "some external professionals, legal or tax consultants", whose activity "consists in receiving in paper form the delegation signed by the client and the instructions of the activities to be carried out, for the specific individual case, at the various public offices involved (e.g. at the Chamber of Commerce, the protests and bills of exchange are provided to the professional)" (see annexes 3, 4 and 5 to the minutes of 13/6/2023). With respect to each of these subjects, the Company has prepared a "Letter of appointment as data processor" which contains an express reference to a "contract of which it forms an integral part"; however, at the specific request of the Office to produce a copy of the contracts in question "or other legal document pursuant to art. 28, par. 3 of the Regulation”, the Company did not provide any additional documentation (see minutes of 17/4/24, page 4).

5. during the inspection, a copy of the processing register, prepared pursuant to art. 30 of the Regulation (see annex 9), was acquired; furthermore, at the request of the Office, the Company confirmed that it had designated Dr. XX as “Data Protection Officer” pursuant to art. 37 of the Regulation (as can also be found in the information provided to customers), specifying that it had not, however, made the necessary communication to the Authority (see minutes of 13/6/2023, page 6);

6. with regard to the information system, the Company declared that the system in operation is composed of 10 client workstations and a server, operating on the premises of the Company itself. The workstations are accessed by entering a username and password. The server operates a CRM (Customer relationship management) IT system for managing the customer database, a customized product developed by an external supplier.

7. from the accesses made on site, it emerged, among other things, that:

- the “CRM Management” contains positions corresponding to no. 74,214 customers. For each “customer record” the data present concern name, surname, place and date of birth, tax code, contact details (telephone, physical address and email), an identification number (“NRG”), the “status” (i.e. whether the subject is an “already customer” or “new”, or “in operation” or “concluded”) as well as other information relating to the status of the practice, including any notes in text and summary form and the payment status of the invoices issued by the Company, following the processing of the practice;

- in each customer file, there are also the reports provided by the companies and banks, in response to the access requests submitted by the data subjects through the delegate, Dr. XX or XX (see minutes of 13/6/23, annex 7).

- access to the CRM occurs by entering a hidden authentication component (password) (see attachment 3 to the minutes of 13/6/2023) and is only possible from the Company's premises and without any possibility of connecting, via the Internet, to the IT systems from outside, "using so-called "remote desktop" software"; the Company has also declared that the "maintenance of the workstations and the CRM software is carried out by an external person, designated as system administrator, who goes to the office when necessary" (see minutes of 13/6/2023, page 6);

- the CRM "also includes personal data owned by the various companies that have succeeded each other over the years in providing the same services; such data are consulted from time to time for the insolvency recovery functionality for the services provided by the following companies: Ufficio cattivi pagatori srl, UCP srl, Centro Realizzazioni Informatiche e Finanza, Insurance Global Service srl”.

In this regard, the data controller, asked to specify which companies currently access — and in what capacity — the company database and whether there is, within the same, a compartmentalization or a functionality that allows tracing, with respect to each customer, the company that, as controller, collected and then processed the personal data of the customer, stated that: “currently the CRM is accessed as a company only by "Studio Riabilitazione Creditizia S.r.l.s", through the people mentioned. Over the years, the data of all the companies that have taken turns have merged into the CRM. Over the years, I have taken turns between the various companies for tax reasons and job opportunities. For each of them, I have collected the consent of each customer with whom we had working relationships. Consent was collected on paper. The documentation concerning consents to date, for moving to different locations, is stored in a cellar and kept in a special room. I would like to point out that for all the companies that have taken turns, I have always been the sole director and therefore the data controller. I would like to point out that the mandate given by each customer can be traced back to a single company and the others have never interacted with that customer, even though the data has all flowed into a single CRM. Even though over the years the companies have succeeded each other in the same services, the mandate from each individual customer has been given to a single company and only that company has had working relationships with him. There is no functionality in the CRM that allows us to trace, for each customer, the company that collected the data. All the data flows into the CRM in a general registry.
I clarify that the CRM in question contains data not only of people who later became our customers, but also data of people who through the form on our site, www.ufficiocancellazioneprotesti.it, simply requested information and then did not want to continue the relationship. Therefore, since they are not customers, their data in the CRM is minimal (name - surname - telephone). To the best of my knowledge, and as confirmed by my collaborator (…), the customers in the database are approximately 46,000" (see minutes of 17/4/2024, page 9);

8. regarding the storage of data, both in digital format and in paper format, the Company declared that:

- "there are no systematic procedures for the periodic deletion of previous data and, therefore, the company retains the paper files and complete digital records, even if it no longer has an existing contractual relationship with said subjects"; in particular, "for each customer there is a paper file kept in a cabinet located in the same office. The older practices are moved to a special room used as a warehouse" (see minutes of 13/6/23, pages 5-6);

- regarding the request to clarify the consistency of the above statements with what is indicated in the information provided to customers pursuant to articles 13 and 14 of the Regulation and reported in the register of processing activities acquired in the files (annexes 1 and 9 to the minutes of 13/6/2023), the Company, in specifying that "our CRM has no commercial purposes and no data regarding customers is used to contact them again once our working relationship ends. We only maintain a comprehensive database, in which all the data has been collected over the years", also stated that it will proceed, "as soon as possible, to delete from the company CRM all the data that no longer have any reason to remain in it, having exhausted the fiscal or legal timeframes that allow us to keep the data".

2. The initiation of the procedure for the adoption of corrective and sanctioning measures.

Within the scope of the procedure, the Company was the recipient of two separate notifications of violation, pursuant to art. 166, paragraph 5 of the Code:

the first, with a note dated 6 March 2024, in relation to the violation of art. 157 of the Code, for the failure to respond, within the terms, to the request for information made on 23/1/2024 and duly notified to it by the Guardia di Finanza Unit on 15 April 2023;

the second, with a note dated 3 September 2024, in relation to the violations of the Regulation found, following the documentation acquired during the preliminary investigation, with reference to articles 5, par. 1, letter a), e) and par. 2, 14, 24, 28, 37, 38 of the Regulation, notified via certified email, dated 3 September 2024.

The Company, although invited to submit its defense papers or documents within 30 days of receiving the aforementioned notes (art. 166, paragraphs 6 and 7 of the Code, art. 18 of Law 689/1981) - which appear to have been correctly notified - has not submitted any elements.

3. Outcome of the proceedings.

3.1. Observations on the legislation on the protection of personal data relevant to the specific case and violations ascertained.

Following the examination of the statements made to the Authority during the proceedings (for the veracity of which the author is responsible pursuant to and for the purposes of art. 168 of the Code), as well as the documentation acquired, it appears that Studio Riabilitazione Creditizia s.r.l.s., as data controller, has implemented processing of customers' personal data that does not comply with the regulations on the protection of personal data, in relation to the various profiles represented below.

In general, it is highlighted that the processing of personal data must take place in compliance with the principles indicated in art. 5, par. 1, of the Regulation, including those of “lawfulness, fairness and transparency” and “limitation of storage”, pursuant to which personal data must be – respectively – “processed lawfully, fairly and in a transparent manner in relation to the data subject”, as well as “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed” (Article 5, paragraph 1, letters a) and e), of the Regulation).

In particular, the principle of transparency translates into the obligation, on the part of the data controller, to provide the data subject with all the information relating to the processing of personal data concerning him or her, in an accessible and comprehensible manner, making him or her aware, at the time the personal data are obtained, also of the purposes and methods of the processing and of the legal basis thereof, as well as of all further information necessary to ensure that the processing is fair and transparent in compliance with the provisions of Articles 13 and 14 of the Regulation (see also Recital 39 of the Regulation).

Article 14, paragraphs 1 and 2 of the Regulation also provides that, in the event that the personal data “are not obtained from the data subject”, the data controller is required to provide the data subject with the information referred to in paragraphs 1 and 2 “within a reasonable period of time from obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed” or, “in the event that the personal data are intended for communication with the data subject, at the latest at the time of the first communication to the data subject; or, in the event that a communication to another recipient is envisaged, no later than the first communication of the personal data” (Article 14, paragraph 3 of the Regulation).

The provisions of the Regulation then specifically identify the entities – controller, processor – who, in different capacities, can process the personal data of the data subjects, also establishing their relative attributions.

In particular, the controller is the entity on which decisions fall regarding the purposes and methods of processing of the personal data of the data subjects as well as a "general responsibility" (accountability) for the processing carried out by the controller or by others who carry out such processing "on his behalf", i.e. the data processors (Recital 81, art. 4, point 8) and art. 28 of the Regulation).

The relationship between the controller and the processor must be regulated "by a contract or other legal act under Union or Member State law, which binds the processor to the controller and which stipulates the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller" (art. 28, par. 3, Regulation).

The controller is also responsible for compliance with the personal data protection regulations, having to, to this end, implement appropriate technical and organizational measures to ensure, and be able to demonstrate, that the processing is carried out in accordance with the Regulation; this “taking into account the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons” (Articles 5, paragraph 2 and 24 of the Regulation).

Article 37 of the Regulation (“Designation of the data protection officer”), in providing for the cases in which the designation of the data protection officer (DPO) is mandatory, also establishes that, in any case, even where the DPO is identified voluntarily by the controller, the DPO “may be an employee of the controller (or processor) or perform his/her tasks on the basis of a service contract”.

The “Guidelines on Data Protection Officers (“DPOs”)” adopted by the Art. 29 Working Party on 13 October 2016 (amended on 5 April 2017) provide that where “an organisation designates a DPO on a voluntary basis, the requirements of Articles 37 to 39 will apply to his/her designation, position and tasks, as if the designation had been mandatory” (see point 2.1).

The DPO, whether or not an employee of the data controller, should be able to perform the functions and tasks incumbent on them independently (Recital 97). The data controller is also required to publish the contact details of the DPO and communicate them to the supervisory authority (art. 37, par. 6 and 7 of the Regulation).

Pursuant to art. 38 of the Regulation (“Position of the data protection officer”), the DPO must be a person designated by the data controller (or the data processor) to perform, towards the data controller, support and control, consultative, training and information functions in relation to the application of the personal data protection legislation, in full independence and autonomy, in the absence of conflicts of interest and without receiving instructions in order to perform his/her tasks, on which he/she reports directly to the hierarchical top of the controller.

3.2. Confirmed violations.

3.2.1. Violation of art. 5, par. 1, lett. a) and art. 14 of the Regulation.

Based on the elements acquired during the checks described above, it was found that the Company holds a database in which the personal data of over 70,000 customers acquired by the various companies headed by Mr. XX, which have taken turns in the same customer services over the years, are recorded.

No functionality of the CRM in question makes it possible to identify, with respect to each customer, which company collected the personal data; the same data is also stored, in an equally undifferentiated manner, in paper files kept on the company's premises or, with reference to the oldest files, in a warehouse.

In this regard, it should be noted that, with regard to the personal data of customers whose data were not collected directly by Studio Riabilitazione, but by one or more of the other companies in any case attributable to Mr. XX (and subsequently merged into the CRM of Studio Riabilitazione), the latter, in its capacity as data controller, was not able to demonstrate - during the investigation - that it had informed the interested parties of such steps by providing the interested parties with the information required by art. 14, paragraphs 1 and 2 of the Regulation, according to the terms established by the subsequent paragraph 3 of the same article.

The Company's conduct was therefore carried out in violation of the principle of "lawfulness, fairness and transparency" pursuant to art. 5, paragraph 1, letter a) and art. 14 of the Regulation (see paragraph 3.1).

3.2.2. Violation of art. 5, paragraph 1, letter e) of the Regulation.

It has also been ascertained that, when the customer contacts the Company to use its services, he receives an information notice pursuant to art. 13 of the Regulation in which the essential characteristics of the processing are explained, including information relating to the retention periods of the data being processed (see page 43 of the minutes of 13/6/2023).

The information notice model acquired in the records states that "personal data will be retained for a period of time not exceeding that strictly necessary to achieve the purposes indicated. Personal data whose retention is not necessary or for which retention is not required by current legislation, in relation to the purposes indicated, will be deleted or transformed into anonymous form. It should be noted that the information systems used to manage the information collected are configured, from the start, in such a way as to minimize the use of the data".

On the contrary, however, from the checks carried out - and from the statements made in the minutes by the party (see minutes 13/6/23 pages 5-6) -, it emerged that, in fact, the Company did not identify precise time frames for the retention of the personal data processed, both with reference to those who, by signing a mandate contract, made use of the Company's services, and with reference to those who simply requested information, without subsequently establishing any contractual relationship.

In particular, the Company, unlike what was reported in the information provided to the interested parties, has never proceeded, after the termination of the contractual relationship, to the deletion of personal data whose retention is not necessary. This applies in particular to the data of those who, after having contacted the Company, did not use its services (which amount to several thousand).

This conduct therefore violates the principle of "storage limitation" pursuant to art. 5, par. 1, letter e), of the Regulation, according to which personal data must be kept in a form which permits identification of the data subject for no longer than is necessary for the purposes of the processing.

That principle in fact places on the controller the burden of assessing the duration of the processing, in necessary correlation with the specific purposes defined upstream, at the time of collection, in order to "ensure that the period of storage of personal data is limited to the minimum necessary" (see Recital 39 of the Regulation).

Although, during the inspection, the Company undertook to delete "from the company CRM" "all data that no longer have reason to remain in the same having exhausted the fiscal or legal timeframes that allow us to maintain the data", no confirmation was provided in this regard.

3.2.3. Violation of art. 28 of the Regulation.

During the inspection, it also emerged that certain processing is carried out, on behalf of the Company, by certain subjects - natural and legal persons - without the Company having taken steps, as required, to regulate the relationship, in accordance with the provisions of art. 28 of the Regulation.

The controller may in fact legitimately decide to entrust processing carried out on its behalf to processors (see art. 28 and Recital 81 of the Regulation).

In that case, however, processing by a processor must be governed by a contract (or other legal act under Union or Member State law) that is binding on the processor with regard to the controller and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.

The data processor is therefore entitled to process the data of the data subjects "only on documented instructions from the controller" (see art. 28, par. 3, letter a); see also the provision of the Garante of 14 January 2021 [web doc. n. 9542113] and, more extensively, on the relationship between the data controller and the data processor, the "Guidelines 07/2020 on the concepts of controller and processor in the GDPR", adopted by the European Data Protection Board on 7 July 2021).

It is therefore for the controller, by virtue of the general responsibility resting on it (art. 24 of the Regulation), to ensure that the relationships between the various parties involved in the processing are correctly regulated (see art. 5, par. 2, the so-called "accountability" principle, and art. 24 of the Regulation).

In this case, the inspection revealed that the controller had availed itself of the collaboration of certain parties without the conditions set out in art. 28 of the Regulation being met. In particular, as highlighted above (see par. 1, point 4, letters a) and b)), these are natural and legal persons who process personal data on behalf of Studio Riabilitazione Creditizia without that activity having been adequately regulated by a contract or other legal act, or on the basis of a "letter of assignment" that lacks any real and effective content, being limited to abstract formulas taken mostly from the provisions of the Regulation, without specifically identifying the tasks, obligations and areas of competence of each processor, as instead required by art. 28, par. 3, of the Regulation. For the reasons set out above, it follows that, on the basis of the elements acquired and of what the Company itself confirmed in the terms set out above, art. 28 of the Regulation has been violated.

3.2.4. Violation of arts. 37 and 38 of the Regulation.

From the documentation acquired during the proceedings, it also appears that the Company decided to designate a Data Protection Officer (hereinafter, "DPO") and identified for that role Dr. XX, legal representative of the Company itself.

This designation was made known to data subjects through the information notice (both the one published on the Company website and the one provided to customers together with the contract form, see page 43 of the attachments to the minutes of 13/6/2023), while no communication was made to the Authority, as instead required by art. 37, par. 7 of the Regulation.

In this regard, it should be noted that the “Guidelines on Data Protection Officers (“DPOs”)” adopted by the Art. 29 Working Party on 13 October 2016 (amended on 5 April 2017) provide that where “an organisation designates a DPO on a voluntary basis, the requirements of Articles 37 to 39 will apply to his or her designation, position and tasks, as if the designation had been mandatory” (see point 2.1 of the Guidelines cited).

It should also be noted that Article 37, paragraph 6 of the Regulation expressly provides that the DPO may be a staff member of the controller or processor or perform his or her tasks on the basis of a service contract.

As provided for in recital 97, “such data protection officers, whether or not they are employees of the controller, should be able to perform their duties and tasks independently”.

It is therefore quite clear that the role of DPO is completely incompatible with that of legal representative of the company that appoints him or her, since the person who determines the means and purposes of the processing cannot have the independence needed also to carry out the tasks of monitoring compliance with the Regulation and with the controller's personal data protection policies, provided for by art. 39, par. 1, letter b), of the Regulation and entrusted precisely to a person (even an internal one) who must nonetheless be guaranteed a condition of independence (see Recital 97).

This is further confirmed by the set of provisions in art. 38 of the Regulation on the position of the data protection officer, which, among other things, require the controller and the processor to ensure that the data protection officer does not receive any instructions regarding the exercise of his or her tasks and reports directly to the highest management level of the controller or the processor.

The assessment of the possible incompatibility arising from the performance of tasks that involve decision-making powers in relation to the processing of personal data (as in the case of the company's legal representative) should have precluded the designation, which, even where carried out, as in the present case, is in any case null and void.

The failure to communicate the data of the designated DPO to the Authority, as provided for by art. 37, par. 7 of the Regulation, also prevented the Authority from detecting and reporting the aforementioned incompatibility to the data controller.

It is therefore established that the Company designated an incompatible person (its legal representative) as DPO, in violation of art. 37, par. 6 and art. 38 of the Regulation, and failed to communicate the contact details of the DPO to the Authority, in violation of art. 37, par. 7 of the Regulation.

3.2.5. Violation of Articles 5, par. 2 and 24 of the Regulation.

Furthermore, the set of violations described above shows that the technical and organizational measures adopted overall by the controller in order to bring the processing into conformity with the Regulation were not adequate to the nature, context, purposes and risks of the processing in question, which constitutes, on the part of the controller, a violation of the principle of "accountability" pursuant to art. 5, par. 2 and of the provisions of art. 24 of the Regulation.

Under that principle, the controller is in fact the party on whom the "general responsibility" for the processing rests, and which therefore bears the burden of implementing an organizational and management system characterized by real, effective and verifiable data protection measures (see also Recital 74 of the GDPR).

This is achieved, first of all, through the correct and timely fulfilment of the obligations imposed by the Regulation (information notices, definition of the relationships with third parties entrusted with processing on behalf of the controller, i.e. processors, and correct designation of the data protection officer), as well as through the implementation of procedures and organizational practices aimed at bringing the processing into line with the applicable rules (such as, for example, the definition of data retention periods and procedures for the automatic deletion of data, and procedures for handling requests to exercise rights and complaints; see Article 29 Working Party, WP 173 of 13 July 2010, Opinion 3/2010 on the principle of accountability, pages 11-12).

3.2.6. Violation of Article 157 of the Code. 

As part of the investigation, the Company also failed to respond to a request for information formulated by the Authority pursuant to Article 157 of the Code and duly notified.

It should be noted in this regard that this violation made it necessary to involve the Privacy Unit of the Guardia di Finanza, responsible for serving the documents and collecting the investigative elements, with a consequent increase in the costs and duration of the procedure.

The violation of art. 157 entails, pursuant to art. 166, paragraph 2, of the Code, the application of the administrative sanction pursuant to art. 83, paragraph 5 of the Regulation.

4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, paragraph 2, of the Regulation.

For the above reasons, the Authority, also noting that the Company has not submitted any defensive observations with respect to the findings notified by the Office in the documents initiating the proceedings, considers that there are no elements that would overcome those findings and allow the present proceedings to be closed, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 applies.

The processing of personal data carried out by Studio Riabilitazione Creditizia s.r.l.s. is therefore unlawful, in the terms set out above, as it was carried out in violation of art. 5, par. 1, letters a) and e), and par. 2, arts. 14, 24, 28, 37 and 38 of the Regulation and art. 157 of the Code.

The violation, ascertained in the terms set out in the reasons, cannot be considered “minor”, taking into account the nature and gravity of the violation itself which concerned, among other things, the general principles, the responsibility of the data controller, the definition of the relationships with the data processors and the designation of the data protection officer, as well as the degree of responsibility and the manner in which the supervisory authority became aware of the violation (see Recital 148 of the Regulation).

The Authority also considered that the level of severity of the violation is high, in light of all the relevant factors in the specific case and, in particular, the nature, gravity and duration of the violation, taking into account the number of data subjects whose personal data have been processed by the Company over time.

Given the corrective powers attributed by art. 58, par. 2, of the Regulation, in light of the circumstances of the specific case, it is deemed necessary to prescribe the following corrective measures:

- prepare a procedure for the retention of personal data of customers, which defines the terms in relation to the purposes of the processing and the criteria for their deletion;

- provide for the deletion of personal data of customers whose retention is no longer necessary, with particular regard to the data of those who, after having contacted the Company, have not used its services;

- also provide, where not already done, for the deletion of all personal data with respect to which the Company has undertaken to do so during the procedure, the retention terms permitted by law having expired;

- provide for the correct regulation of the relationship with the subjects to whom the Company entrusts the processing of personal data, on its behalf, by adopting a suitable contract (or another binding legal act) in compliance with the provisions of art. 28, par. 3 of the Regulation;

- provide, where the Company intends to designate a Data Protection Officer, for the task to be assigned to a suitable person, in possession of the requirements set out in art. 37, par. 5, in compliance with the provisions of arts. 38 and 39 of the Regulation.

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (art. 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

At the end of the proceedings, it appears that Studio Riabilitazione Creditizia s.r.l.s. has violated art. 5, par. 1, letters a) and e), and par. 2, arts. 14, 24, 28, 37 and 38 of the Regulation and art. 157 of the Code. In the event of a breach of the aforementioned provisions, the application of the administrative pecuniary sanction provided for by art. 83 of the Regulation is envisaged.

The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose the administrative pecuniary sanction provided for by art. 83 of the Regulation by adopting an injunction order (art. 18 of Law no. 689 of 24 November 1981), in relation to the processing of personal data carried out by Studio Riabilitazione Creditizia s.r.l.s. which has been found to be unlawful, in the terms set out above.

Having deemed it necessary to apply paragraph 3 of art. 83 of the Regulation where it is stated that "where, in relation to the same or linked processing operations, a controller […] infringes, intentionally or negligently, several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the most serious infringement", the total amount of the fine is calculated so as not to exceed the maximum fine provided for by the same art. 83, par. 5.

With reference to the elements listed in art. 83, par. 2, of the Regulation for the purposes of applying the administrative pecuniary sanction and quantifying it, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), it is noted that, in the specific case, the following circumstances were taken into consideration:

- in relation to the nature, seriousness and duration of the violations, the nature of the same was considered relevant as they concern the failure to comply with the general principles of processing and, in particular, the principle of lawfulness and transparency and limitation of storage as well as the general principle of "accountability";

- with reference to the intentional or negligent nature of the violation and the degree of responsibility of the controller, consideration was given to the conduct of the Company, which breached the duty of diligence required by law by failing to follow up on the communications sent by the Authority during the procedure;

- the significant number of data subjects whose data are processed by the Company and on whom the effects of the contested violations are reflected (approximately 74,000);

- the poor cooperation with the Authority demonstrated by the Company during the proceedings which led to an aggravation of the proceedings, in terms of costs and times;

- the absence of specific precedents was taken into account in favor of the party.

It is also believed that in the case in question, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the sanction (art. 83, par. 1, of the Regulation), the economic conditions of the offender, determined on the basis of the turnover of the Company, as per the financial statements for the year 2023, are relevant in the first place.

In light of the elements indicated above and the assessments carried out, it is believed, in the case in question, to apply to Studio Riabilitazione Creditizia S.p.A. the administrative sanction of the payment of a sum equal to 70,000 (seventy thousand) euros.

In this context, it is also believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this chapter containing the injunction order on the website of the Guarantor given the nature and number of violations that concern non-compliance with the general principles in the processing of the data of thousands of interested parties.

GIVEN ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, paragraph 1, letter f), of the Regulation, notes the unlawfulness of the processing carried out by Studio Riabilitazione Creditizia s.r.l.s., in the person of its legal representative pro tempore, with registered office in Rome, Piazzale Clodio no. 22 - P.I. 14339591001, for the violation of art. 5, par. 1, letters a) and e), and par. 2, arts. 14, 24, 28, 37 and 38 of the Regulation and art. 157 of the Code;

pursuant to art. 58, par. 2, letter d), of the Regulation, requires the Company to comply, within 90 days from the date of notification of this provision, with the provisions set forth in par. 4 of this decision, while at the same time requiring it to provide, pursuant to art. 157 of the Code and within the aforementioned deadline, adequately documented feedback on the initiatives undertaken; it is represented that any failure to provide feedback may result in the application of the administrative pecuniary sanction provided for by art. 83, par. 5, letter e) of the Regulation; 

ORDERS

pursuant to art. 58, par. 2, letter i) of the Regulation to the same Company to pay the sum of Euro 70,000 (seventy thousand) as an administrative pecuniary sanction for the violations indicated in this provision;

ORDERS

therefore to the same Company to pay the aforementioned sum of Euro 70,000 (seventy thousand), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981.

It is noted that, pursuant to art. 166, paragraph 8 of the Code, the offender has the right to settle the dispute by paying, again according to the methods indicated in the attachment, an amount equal to half of the sanction imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 for filing the appeal indicated below.

ORDERS

pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;

pursuant to art. 154-bis, paragraph 3, of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the website of the Guarantor;

pursuant to art. 17 of Regulation no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2 of the Regulation, in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, as well as Articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same Article 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 19 December 2024

THE PRESIDENT
Stanzione

THE REPORTER
Cerrina Feroni

THE DEPUTY SECRETARY GENERAL
Filippi

SEE ALSO Newsletter of 28 February 2025

 

[web doc. no. 10106904]

Provision of 19 December 2024

Register of provisions
no. 802 of 19 December 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Dr. Claudio Filippi, Deputy Secretary General;

SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the “Regulation”);

SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the “Code”);

SEEN the inspection carried out on 13 June 2023 at the operational headquarters of Studio Riabilitazione Creditizia s.r.l.s. (hereinafter “Studio Riabilitazione” or “the Company”);

EXAMINING the documentation in the files;

SEEN the observations formulated by the general secretary pursuant to art. 15 of the regulation of the Guarantor no. 1/2000;

REPORTER Prof. Ginevra Cerrina Feroni;

WHEREAS

1. The inspection activity against the company.

In the context of the exercise of the control powers referred to in art. 58, par. 1 of the Regulation (see also articles 157 and 158 of the Code), inspections were carried out by this Authority against Studio Riabilitazione Creditizia s.r.l.s.

The control activity originated from a report received from the Bank of Italy, which found that Mr. XX (legal representative of the aforementioned company) had made numerous requests for access to the data of the Bank's own Central Credit Register on behalf of natural persons, in the absence of any actual entitlement, with the consequent risk of improper use of unduly acquired personal data of a financial nature.

Following the inspection (see the report of the operations carried out on 13/6/2023, as well as the notes of 28/6/2023 and 3/7/2023 with which the Company, in order to resolve the reservations made during the inspection, transmitted supplementary documentation), the Office, having found some critical issues worthy of more in-depth analysis, formulated a request for information pursuant to art. 157 of the Code, which however remained unanswered (see notes of 4/12/2023 and 23/1/2024); given the lack of response, the aforementioned Special Unit, on delegation from the Office (see note of 6/3/2024), served the Company with the aforementioned request for information, together with the act initiating the sanctioning procedure pursuant to art. 166, paragraph 5, of the Code in relation to the violation of art. 157 of the Code, and acquired the requested information (see minutes of operations carried out on 15 and 17/4/2024).

From the above-described investigation, based on the statements made by the legal representative of the Company, it emerged that:

1. the Company "mainly deals with the cancellation of reports in credit centers operated by banks". Customers identify the Company's contacts mainly "through the website www.studioucp.it", where "information on the services offered" is also reported;

2. when "the customer contacts the company by telephone", the same "receives information on data processing via a pre-recorded voice" that "provides some general information on the services offered"; then, "if the customer accepts, the operator acquires the customer's data (name, surname, address, email, etc.) in the company database (Customer Relationship Management, so-called CRM). This CRM also stores additional data that the client provides during the course of the consultancy relationship, i.e. the forms signed and sent by email". The Company, once it has obtained the delegations from the data subjects, carries out "access requests or searches at private and public risk centres (Bank of Italy and Chamber of Commerce) in order to better define the client's debt position" and evaluate "the feasibility of deleting or limiting the processing of the client's personal data at the risk centres". In the event that it does not detect "any element to proceed with the cancellation, it sends the customer a further 'questionnaire' to obtain more details on the circumstances complained of"; then "if from the analysis of the further data provided the Company sees the aforementioned feasibility, it issues a cost estimate that is sent to the customer via email. If the customer accepts the service offered by the Company, the contractual documentation including the attachments is sent to him via ordinary mail, so that he returns it, always by courier, signed for acceptance. Then the activity is started at the competent offices to request, for example, the cancellation of the reports";

3. the information notice referred to in articles 13 and 14 of the Regulation (a copy of which has been acquired, see attachment 1 to the minutes of 13/6/2023 and, among the attachments, see page 43), in addition to being published on the website www.studioucp.it (see attachment 9 to the aforementioned minutes), is provided to data subjects both by telephone, at the time of the first contact with the Company, and subsequently, on the occasion of the signing of the "mandate form" and of the delegation to operate, on their behalf, at public and private risk centres (see mandate contract, delegation and information notice, pages 9, 20-22 and 43 of the minutes of operations carried out on 13/6/2023, as well as attachment 8, including page 157). Through the same notice, the customer is informed that the legal basis for the processing of personal data lies in art. 6, letters a) and b) of the Regulation and that the data are retained "for the entire duration of the contractual relationship and, after the termination of the relationship, limited to the data necessary at that point, for the extinction of the contractually assumed obligations and for the fulfillment of all possible legal obligations and for the needs of protection, including contractual, connected or deriving from it";

4. the Company, in carrying out its activity, avails itself of the collaboration of various subjects (natural and legal persons) with respect to which the privacy roles have not been correctly identified and/or regulated, pursuant to art. 28 of the Regulation. In particular, from the set of elements acquired, it appears that:

a. the company "Centro Realizzazioni informatiche e finanziamenti S.r.l.s." (see minutes of 13/6/2023, page 5), whose legal representative is likewise XX, carries out personal data processing on behalf of and in the interest of Studio Riabilitazione creditizia, in the absence of any act that, having assessed the professional requirements of the company and taking into account the guarantees it offers for the protection of the rights of data subjects, binds it to the controller by defining the obligations and rights, as well as the terms and conditions, of the personal data processing carried out;

b. additional parties intervene "in the customer data processing process (…)" as data processors pursuant to art. 28 of the Regulation; this concerns the company "Ufficio Cattivi Pagatori S.r.l.", also attributable to Mr. XX (its sole shareholder), and "some external professionals, legal or tax consultants", whose activity "consists in receiving in paper form the delegation signed by the client and the instructions of the activities to be carried out, for the specific individual case, at the various public offices involved (e.g. at the Chamber of Commerce, the protests and bills of exchange are provided to the professional)" (see annexes 3, 4 and 5 to the minutes of 13/6/2023). With respect to each of these parties, the Company has prepared a "Letter of appointment as data processor" which contains an express reference to a "contract of which it forms an integral part"; however, at the specific request of the Office to produce a copy of the contracts in question "or other legal document pursuant to art. 28, par. 3 of the Regulation", the Company did not provide any additional documentation (see minutes of 17/4/24, page 4).

5. during the inspection, a copy of the processing register, prepared pursuant to art. 30 of the Regulation (see annex 9), was acquired; furthermore, at the request of the Office, the Company confirmed that it had designated Dr. XX as “Data Protection Officer” pursuant to art. 37 of the Regulation (as can also be found in the information provided to customers), specifying that it had not, however, made the necessary communication to the Authority (see minutes of 13/6/2023, page 6);

6. with regard to the information system, the Company declared that the system in operation is composed of 10 client workstations and a server, operating on the premises of the Company itself. The workstations are accessed by entering a username and password. The server operates a CRM (Customer relationship management) IT system for managing the customer database, a customized product developed by an external supplier.

7. from the accesses made on site, it emerged, among other things, that:

- the "CRM Management" contains records corresponding to 74,214 customers. For each "customer record" the data present concern name, surname, place and date of birth, tax code, contact details (telephone, physical address and email), an identification number ("NRG"), the "status" (i.e. whether the subject is an "already customer" or "new", or "in operation" or "concluded"), as well as other information relating to the status of the file, including any notes in text and summary form and the payment status of the invoices issued by the Company following the processing of the file;

- each customer file also contains the reports provided by companies and banks in response to the access requests submitted by the data subjects through the delegate, Dr. XX or XX (see minutes of 13/6/23, attachment 7);

- access to the CRM occurs by entering a secret authentication component (password) (see attachment 3 to the minutes of 13/6/2023) and is only possible from the Company's premises, without any possibility of connecting to the IT systems from outside via the Internet "using so-called 'remote desktop' software"; the Company also declared that the "maintenance of the workstations and CRM software is carried out by an external person, designated as system administrator, who goes to the office on site when necessary" (see minutes of 13/6/2023, page 6);

- the CRM "also includes personal data owned by the various companies that have succeeded each other over the years in providing the same services; such data are consulted from time to time for the insolvency recovery functionality for the services provided by the following companies: Ufficio cattivi pagatori srl, UCP srl, Centro Realizzazioni Informatiche e Finanza, Insurance Global Service srl”.

In this regard, the data controller, asked to specify which companies currently access the company database, and in what capacity, and whether there is, within it, a compartmentalization or a functionality that allows tracing, for each customer, the company that, as controller, collected and then processed that customer's personal data, stated that: "currently the CRM is accessed as a company only by "Studio Riabilitazione Creditizia S.r.l.s", through the people mentioned. Over the years, the data of all the companies that have taken turns have merged into the CRM. Over the years, I have taken turns between the various companies for tax reasons and job opportunities. For each of them, I have collected the consent of each customer with whom we had working relationships. Consent was collected on paper. The documentation concerning consents to date, for moving to different locations, is stored in a cellar and kept in a special room. I would like to point out that for all the companies that have taken turns, I have always been the sole director and therefore the data controller. I would like to point out that the mandate given by each customer can be traced back to a single company and the others have never interacted with that customer, even though the data has all flowed into a single CRM. Even though over the years the companies have succeeded each other in the same services, the mandate from each individual customer has been given to a single company and only that company has had working relationships with him. There is no functionality in the CRM that allows us to trace, for each customer, the company that collected the data. All the data flows into the CRM in a general registry.
I clarify that the CRM in question contains data not only of people who later became our customers, but also data of people who through the form on our site, www.ufficiocancellazioneprotesti.it, simply requested information and then did not want to continue the relationship. Therefore, since they are not customers, their data in the CRM is minimal (name - surname - telephone). To the best of my knowledge, and as confirmed by my collaborator (…), the customers in the database are approximately 46,000" (see minutes of 17/4/2024, page 9);

8. regarding the storage of data, both in digital format and in paper format, the Company declared that:

- "there are no systematic procedures for the periodic deletion of previous data and, therefore, the company retains the paper files and complete digital records, even if it no longer has an existing contractual relationship with said subjects; in particular, "for each customer there is a paper file kept in a cabinet located in the same office. The older practices are moved to a special room used as a warehouse" (see minutes of 13/6/23, pages 5-6);

- regarding the request to clarify the consistency of the above statements with what is indicated in the information provided to customers pursuant to articles 13 and 14 of the Regulation and reported in the register of processing activities acquired in the files (annexes 1 and 9 to the minutes of 13/6/2023), the Company, in specifying that "our CRM has no commercial purposes and no data regarding customers is used to contact them again once our working relationship ends. We only maintain a comprehensive database, in which all the data has been merged over the years", also declared that it will proceed, "as soon as possible, to delete from the company CRM all the data that no longer have a reason to remain in the same having exhausted the fiscal or legal timeframes that allow us to keep the data".

2. The start of the procedure for the adoption of corrective and sanctioning measures.

Within the scope of the proceedings, the Company was the recipient of two separate notifications of infringement, pursuant to art. 166, paragraph 5 of the Code:

the first, with a note dated 6 March 2024, in relation to the infringement of art. 157 of the Code, for the failure to respond, within the terms, to the request for information made on 23/1/2024 and duly notified to it by the Guardia di Finanza Unit on 15 April 2023;

the second, with a note dated 3 September 2024, in relation to the infringements of the Regulation found, following the documentation acquired during the investigation, with reference to art. 5, paragraph 1, letter a), e) and paragraph 2, 14, 24, 28, 37, 38 of the Regulation, notified via certified email, dated September 3, 2024.

The Company, although invited to submit its defense papers or documents within 30 days of receiving the aforementioned notes (art. 166, paragraphs 6 and 7 of the Code, art. 18 of Law 689/1981) - which appear to have been correctly notified - has not submitted any elements.

3. Outcome of the proceedings.

3.1. Observations on the legislation on the protection of personal data relevant to the specific case and violations ascertained.

Following the examination of the statements made to the Authority during the proceedings (for the veracity of which their author is liable pursuant to and for the purposes of art. 168 of the Code), as well as the documentation acquired, it appears that Studio Riabilitazione Creditizia s.r.l.s., as data controller, has carried out processing of customers' personal data that does not comply with the regulations on the protection of personal data, in relation to the various profiles set out below.

In general, it is highlighted that the processing of personal data must take place in compliance with the principles indicated in art. 5, par. 1, of the Regulation, including those of “lawfulness, fairness and transparency” and “storage limitation”, pursuant to which personal data must be – respectively – “processed lawfully, fairly and in a transparent manner in relation to the data subject”, as well as “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed” (Article 5, paragraph 1, letters a) and e), of the Regulation).

In particular, the principle of transparency translates into the obligation, on the part of the data controller, to provide the data subject with all the information relating to the processing of personal data concerning him or her, in an accessible and comprehensible manner, making him or her aware, at the time the personal data are obtained, of the purposes and methods of the processing and of its legal basis, as well as of all further information necessary to ensure that the processing is fair and transparent, in compliance with Articles 13 and 14 of the Regulation (see also Recital 39 of the Regulation).

Article 14, paragraphs 1 and 2 of the Regulation also provides that, where the personal data “have not been obtained from the data subject”, the data controller is required to provide the data subject with the information referred to in paragraphs 1 and 2 “within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed” or, “if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed” (Article 14, paragraph 3 of the Regulation).

The provisions of the Regulation then specifically identify the entities – controller, processor – who, in different capacities, can process the personal data of the data subjects, also establishing their relative attributions.

In particular, the controller is the entity that decides on the purposes and means of processing the personal data of the data subjects and that bears a "general responsibility" (accountability) for the processing carried out by itself or by others who process "on its behalf", i.e. the data processors (Recital 81, Article 4, point 8) and Article 28 of the Regulation).

The relationship between the controller and the processor must be regulated "by a contract or other legal act under Union or Member State law, which binds the processor to the controller and which stipulates the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller" (art. 28, par. 3, Regulation).

The controller is also responsible for compliance with the personal data protection regulations, having to, to this end, implement appropriate technical and organizational measures to ensure, and be able to demonstrate, that the processing is carried out in accordance with the Regulation; this “taking into account the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons” (Articles 5, paragraph 2 and 24 of the Regulation).

Article 37 of the Regulation (“Designation of the data protection officer”), in providing for the cases in which the designation of the data protection officer (DPO) is mandatory, also establishes that, in any case, even where the DPO is identified voluntarily by the controller, the DPO “may be an employee of the controller (or processor) or perform his/her tasks on the basis of a service contract”.

The “Guidelines on Data Protection Officers (“DPOs”)” adopted by the Art. 29 Working Party on 13 October 2016 (amended on 5 April 2017) provide that where “an organisation designates a DPO on a voluntary basis, the requirements of Articles 37 to 39 shall apply to his or her designation, position and tasks, as if the designation had been mandatory” (see point 2.1).

The DPO, whether or not an employee of the data controller, should be able to perform his or her functions and tasks independently (Recital 97). The data controller is also required to publish the contact details of the DPO and to communicate them to the supervisory authority (Article 37, paragraphs 6 and 7 of the Regulation).

Pursuant to Article 38 of the Regulation (“Position of the data protection officer”), the DPO must in fact be a person designated by the controller (or the processor) to perform, towards the controller, support and oversight, advisory, training and information functions relating to the application of the personal data protection legislation, in full independence and autonomy, in the absence of conflicts of interest and without receiving instructions regarding the performance of his or her tasks, on which he or she reports directly to the highest management level of the controller.

3.2. Confirmed violations.

3.2.1. Violation of art. 5, par. 1, letter a) and art. 14 of the Regulation.

Based on the elements acquired during the checks described above, it was found that the Company holds a database in which the personal data of over 70,000 customers acquired by the various companies, headed by Mr. XX, which have taken turns in the same customer services over the years are recorded.

No functionality of the CRM in question makes it possible to identify, for each customer, which company collected the personal data; the same data are also stored, in an equally undifferentiated manner, in paper files kept on the company's premises or, for the oldest files, in a warehouse.

In relation to this circumstance, it should be noted that, with respect to the personal data of customers whose data were not collected directly by Studio Riabilitazione, but by one or more of the other companies in any case attributable to Mr. XX (and subsequently merged into the CRM of Studio Riabilitazione), the latter, in its capacity as data controller, was not able to demonstrate, during the investigation, that it had informed the data subjects of those transfers by providing them with the information required by art. 14, paragraphs 1 and 2 of the Regulation, within the time limits established by paragraph 3 of the same article.

The conduct of the Company was therefore carried out in violation of the principle of "lawfulness, fairness and transparency" pursuant to art. 5, par. 1, letter a) and art. 14 of the Regulation (see par. 3.1).

3.2.2. Violation of art. 5, par. 1, letter e) of the Regulation.

It has also been ascertained that, when a customer contacts the Company to use its services, he or she receives an information notice pursuant to art. 13 of the Regulation in which the essential characteristics of the processing are explained, including information on the retention periods of the data being processed (see page 43 of the minutes of 13/6/2023).

The information notice model acquired in the records states that "the personal data will be retained for a period of time not exceeding that strictly necessary to achieve the purposes indicated. Personal data whose retention is not necessary or for which retention is not required by current legislation, in relation to the purposes indicated, will be deleted or transformed into anonymous form. It is highlighted that the information systems used to manage the information collected are configured, from the beginning, in such a way as to minimize the use of the data”.

On the contrary, however, from the checks carried out, and from the statements made in the minutes by the party itself (see minutes 13/6/23, pages 5-6), it emerged that the Company has not in fact identified precise retention periods for the personal data processed, either with reference to those who, by signing a mandate contract, have used the Company's services, or with reference to those who have simply requested information without subsequently establishing any contractual relationship.

In particular, the Company, contrary to what is reported in the information provided to the interested parties, has never proceeded, after the termination of the contractual relationship, to the deletion of personal data whose retention is not necessary. This applies in particular to the data of those who, after having contacted the Company, have not used its services (which amount to several thousand).

This conduct therefore violates the principle of "storage limitation", pursuant to art. 5, par. 1, letter e), of the Regulation, according to which personal data must be kept in a form which permits identification of the data subject for no longer than is necessary for the purposes of the processing.

The principle in question in fact places on the controller the burden of assessing the duration of the processing, in necessary correlation with the specific purposes defined upstream, at the time of collection; this is to "ensure that the period for which the personal data are stored is limited to a strict minimum" (see Recital 39 of the Regulation).

Even though, during the inspection, the Company undertook to delete "from the company CRM" "all data that no longer have reason to remain in the same having exhausted the fiscal or legal timeframes that allow us to maintain the data", no confirmation that this was done was subsequently provided.

3.2.3. Violation of art. 28 of the Regulation.

During the inspection, it also emerged that certain processing is carried out, on behalf of the Company, by certain subjects - natural and legal persons - without the Company having taken steps, as required, to regulate the relationship, in accordance with the provisions of art. 28 of the Regulation.

The controller may legitimately decide to entrust processing, on its behalf, to processors (see art. 28 and Recital 81 of the Regulation).

In this case, however, the execution of the processing, by a processor, should be governed by a contract (or by another legal act pursuant to the Union or Member State law) that binds the data processor to the data controller and which specifies the subject matter and duration of the processing, the nature and purposes of the processing, the type of personal data and the categories of data subjects, the obligations and rights of the data controller.

The data processor is therefore entitled to process the data of the data subjects "only on documented instructions from the controller" (see art. 28, par. 3, letter a); see also the provision of the Garante of 14 January 2021 [web doc. n. 9542113] and, more extensively, on the relationship between the data controller and the data processor, the “Guidelines 07/2020 on the concepts of controller and processor in the GDPR”, adopted by the European Data Protection Board on 7 July 2021).

It is therefore up to the data controller, by virtue of the general responsibility that falls on him (art. 24 of the Regulation) to ensure the correct regulation of the relationships between the various subjects involved in the processing (see art. 5, par. 2, so-called “accountability” and 24 of the Regulation).

In this case, during the inspection, it emerged that the data controller had availed itself of the collaboration of certain subjects in the absence of the conditions set out in art. 28 of the Regulation. In particular, as highlighted above (see par. 1, point 4, letters a) and b)), these are natural and legal persons who process personal data, on behalf of Studio Riabilitazione Creditizia, without this activity having been adequately regulated by a contract or other legal act, or on the basis of a "letter of assignment" which lacks any real and effective content, being limited to abstract formulas, taken mostly from the provisions of the Regulation, without specifically identifying the tasks, obligations and areas of competence of each processor, as instead required by art. 28, par. 3, of the Regulation. For the reasons set out above, it follows that, in this case, on the basis of the elements acquired and of what was confirmed by the Company itself in the terms set out above, art. 28 of the Regulation has been violated.

3.2.4. Violation of arts. 37 and 38 of the Regulation.

From the documentation acquired during the proceedings, it also appears that the Company decided to designate a Data Protection Officer (hereinafter, “DPO”) and identified as such Dr. XX, legal representative of the Company itself.

This designation was disclosed to data subjects through the information notice (both the one published on the Company website and the one provided to customers together with the contract form, see page 43 of the attachments to the minutes of 13/6/2023), while no communication was made to the Authority, as instead required by art. 37, par. 7 of the Regulation.

In this regard, it should be noted that the “Guidelines on Data Protection Officers (“DPOs”)” adopted by the Art. 29 Working Party on 13 October 2016 (amended on 5 April 2017) provide that where “an organisation designates a DPO on a voluntary basis, the requirements of Articles 37 to 39 will apply to his or her designation, position and tasks, as if the designation had been mandatory” (see point 2.1 of the Guidelines cited).

It should also be noted that Article 37, paragraph 6 of the Regulation expressly provides that the DPO may be a staff member of the controller or processor or perform his or her tasks on the basis of a service contract.

As provided for in recital 97, “such data protection officers, whether or not they are employees of the controller, should be able to perform their duties and tasks independently”.

It is quite clear that the role of DPO is therefore completely incompatible with that of legal representative of the company for which he or she is appointed, since the same person who determines the purposes and means of the processing cannot have the independence necessary to also carry out the tasks of monitoring compliance with the Regulation and with the controller's policies on personal data protection, provided for by art. 39, par. 1, letter b), of the Regulation and entrusted precisely to a person (even an internal one) who must in any case be guaranteed a condition of independence (see Recital 97).

This is further confirmed by the set of provisions in art. 38 of the Regulation on the position of the data protection officer, which, among other things, require the controller and the processor to ensure that the data protection officer does not receive any instructions regarding the performance of his or her tasks and reports directly to the highest management level of the controller or the processor.

The assessment of the possible existence of incompatibilities related to the performance of tasks that involve decision-making powers in relation to the processing of personal data (as in the case of the legal representative of the company) should have led to the impossibility of completing the designation which, even if carried out, as in the case at hand, is in any case null and void.

The failure to communicate the data of the designated DPO to the Authority, as provided for by art. 37, par. 7 of the Regulation, also prevented the Authority from detecting and reporting the aforementioned incompatibility to the data controller.

It is therefore established that the Company has designated, as DPO, an incompatible person (legal representative), in violation of Articles 37, par. 6 and 38 of the Regulation and has failed to communicate the contact details of the DPO to the Authority, in violation of Articles 37, par. 7 of the Regulation.

3.2.5. Violation of Articles 5, par. 2 and 24 of the Regulation.

Furthermore, from the set of violations set out above, it emerges that the technical and organizational measures adopted overall by the controller in order to conform the processing to the Regulation, were not adequate to the nature, context, purposes and risks of the processing in question, configuring, on the part of the controller, the violation of the principle of "accountability" pursuant to Articles 5, par. 2 and of the provisions of Article 24 of the Regulation.

In accordance with the aforementioned principle, the controller is the subject to whom the "general responsibility" for the processing is attributed, and is therefore burdened with implementing an organizational and management system characterized by real, effective and verifiable data protection measures (see also Recital 74 of the GDPR).

This is achieved, first of all, through the correct and timely fulfilment of the obligations imposed by the Regulation (information notices, definition of the relationships with third parties entrusted with processing on behalf of the controller, i.e. processors, and correct designation of the data protection officer) as well as through the implementation of procedures and organizational practices aimed at bringing the processing into line with the applicable rules (such as, for example, the definition of data retention periods and procedures for the automatic deletion of data, and procedures for managing requests to exercise rights and complaints; see Article 29 Working Party, WP 173 of 13 July 2010 - Opinion 3/2010 on the principle of accountability, pages 11-12).

3.2.6. Violation of Article 157 of the Code. 

As part of the investigation, the Company also failed to respond to a request for information formulated by the Authority pursuant to Article 157 of the Code and duly notified.

It should be noted in this regard that the violation in question made it necessary to involve the Privacy Unit of the Guardia di Finanza, responsible for notifying the documents and collecting the investigative elements, with a consequent increase in the cost and duration of the procedure.

The violation of art. 157 entails, pursuant to art. 166, paragraph 2, of the Code, the application of the administrative sanction pursuant to art. 83, paragraph 5 of the Regulation.

4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, paragraph 2, of the Regulation.

For the above reasons, the Authority, also noting that the Company has not submitted any defensive observations with respect to the findings notified by the Office in the documents initiating the proceedings, considers that there are no elements that would allow the findings to be overcome and the present proceedings to be dismissed, since none of the cases provided for by art. 11 of the Regulation of the Garante no. 1/2019 apply.

The processing of personal data carried out by Studio Riabilitazione Creditizia s.r.l.s. is therefore unlawful, in the terms set out above, as it was carried out in violation of art. 5, par. 1, letter a), and e) and par. 2, 14, 24, 28, 37 and 38 of the Regulation and art. 157 of the Code.

The violation, ascertained in the terms set out in the reasons, cannot be considered “minor”, taking into account the nature and gravity of the violation itself which concerned, among other things, the general principles, the responsibility of the data controller, the definition of the relationships with the data processors and the designation of the data protection officer, as well as the degree of responsibility and the manner in which the supervisory authority became aware of the violation (see Recital 148 of the Regulation).

The Authority also considered that the level of severity of the violation is high, in light of all the relevant factors in the specific case and, in particular, the nature, gravity and duration of the violation, taking into account the number of data subjects whose personal data have been processed by the Company over time.

Given the corrective powers attributed by art. 58, par. 2, of the Regulation, in light of the circumstances of the specific case, it is deemed necessary to prescribe the following corrective measures:

- prepare a procedure for the retention of personal data of customers, which defines the terms in relation to the purposes of the processing and the criteria for their deletion;

- provide for the deletion of personal data of customers whose retention is no longer necessary, with particular regard to the data of those who, after having contacted the Company, have not used its services;

- also provide, where not already done, for the deletion of all personal data with respect to which the Company has undertaken to do so during the procedure, the retention terms permitted by law having expired;

- provide for the correct regulation of the relationship with the subjects to whom the Company entrusts the processing of personal data, on its behalf, by adopting a suitable contract (or another binding legal act) in compliance with the provisions of art. 28, par. 3 of the Regulation;

- where the Company intends to designate a Data Protection Officer, assign the task to a suitable person, in possession of the requirements set out in art. 37, par. 5, in compliance with the provisions of arts. 38 and 39 of the Regulation.

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (art. 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

At the end of the proceedings, it appears that Studio Riabilitazione Creditizia s.r.l.s. has violated art. 5, par. 1, letter a), and e) and par. 2, 14, 24, 28, 37 and 38 of the Regulation and art. 157 of the Code. In the event of a breach of the aforementioned provisions, the application of the administrative pecuniary sanction provided for by art. 83 of the Regulation is envisaged.

The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose an administrative pecuniary sanction provided for by art. 83 of the Regulation, by adopting an injunction order (art. 18. L. 24 November 1981 n. 689), in relation to the processing of personal data carried out by Studio Riabilitazione Creditizia s.r.l.s. which has been found to be unlawful, in the terms set out above.

Having deemed it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that "where, in relation to the same or linked processing, a controller […] infringes, intentionally or negligently, several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the most serious infringement", the total amount of the fine is calculated so as not to exceed the maximum amount provided for by the same art. 83, par. 5.

With reference to the elements listed in art. 83, par. 2, of the Regulation for the purposes of applying the administrative pecuniary sanction and the related quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), it is represented that, in the case in question, the circumstances reported below were taken into account:

- in relation to the nature, seriousness and duration of the violations, the nature of the same was considered relevant as they concern the failure to comply with the general principles of processing and, in particular, the principle of lawfulness and transparency and limitation of storage as well as the general principle of "accountability";

- with reference to the intentional or negligent nature of the violation and the degree of responsibility of the owner, the conduct of the Company and the degree of responsibility of the same which violated the obligation of diligence provided for by the law by not following up on the communications sent by the Authority during the procedure were taken into consideration;

- the significant number of data subjects whose data are processed by the Company and on whom the effects of the contested violations are reflected (approximately 74,000);

- the poor cooperation with the Authority demonstrated by the Company during the proceedings which led to an aggravation of the proceedings, in terms of costs and times;

- the absence of specific precedents was taken into account in favor of the party.

It is also believed that in the case in question, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the sanction (art. 83, par. 1, of the Regulation), the economic conditions of the offender, determined on the basis of the turnover of the Company, as per the financial statements for the year 2023, are relevant in the first place.

In light of the elements indicated above and the assessments carried out, it is considered appropriate, in the case in question, to apply to Studio Riabilitazione Creditizia s.r.l.s. the administrative sanction of the payment of a sum equal to 70,000 (seventy thousand) euros.

In this context, it is also considered that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Garante no. 1/2019, this provision containing the injunction order must be published on the website of the Garante, given the nature and number of violations, which concern non-compliance with the general principles in the processing of the data of thousands of data subjects.

GIVEN ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, paragraph 1, letter f), of the Regulation, notes the unlawfulness of the processing carried out by Studio Riabilitazione Creditizia s.r.l.s., in the person of its legal representative pro tempore, with registered office in Rome, Piazzale Clodio no. 22 - P.I. 14339591001, for the violation of articles 5, par. 1, letter a), and e) and par. 2, 14, 24, 28, 37 and 38 of the Regulation and art. 157 of the Code; 

pursuant to art. 58, par. 2, letter d), of the Regulation, requires the Company to comply, within 90 days from the date of notification of this provision, with the provisions set forth in par. 4 of this decision, while at the same time requiring it to provide, pursuant to art. 157 of the Code and within the aforementioned deadline, adequately documented feedback on the initiatives undertaken; it is represented that any failure to provide feedback may result in the application of the administrative pecuniary sanction provided for by art. 83, par. 5, letter e) of the Regulation; 

ORDERS

pursuant to art. 58, par. 2, letter i) of the Regulation to the same Company to pay the sum of Euro 70,000 (seventy thousand) as an administrative pecuniary sanction for the violations indicated in this provision;

ORDERS

therefore to the same Company to pay the aforementioned sum of Euro 70,000 (seventy thousand), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981.

It is noted that, pursuant to art. 166, paragraph 8 of the Code, the offender has the right to settle the dispute by paying, again according to the methods indicated in the attachment, an amount equal to half of the sanction imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 for the filing of the appeal indicated below.

ORDERS

pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Garante no. 1/2019, the publication of the injunction order on the website of the Garante;

pursuant to art. 154-bis, paragraph 3, of the Code and art. 37 of the Regulation of the Garante no. 1/2019, the publication of this provision on the website of the Garante;

pursuant to art. 17 of Regulation no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2 of the Regulation, in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, as well as Articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same Article 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 19 December 2024

THE PRESIDENT
Stanzione

THE REPORTER
Cerrina Feroni

THE DEPUTY SECRETARY GENERAL
Filippi