Garante per la protezione dei dati personali (Italy) - 10110241
| Garante per la protezione dei dati personali - 10110241 | |
|---|---|
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5(1)(e) GDPR, Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 6(1)(a) GDPR, Article 7 GDPR, Article 12(2) GDPR, Article 12(3) GDPR, Article 13 GDPR, Article 14 GDPR, Article 21(2) GDPR, Article 24 GDPR, Article 30 GDPR, Article 35 GDPR, Article 37 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 16.01.2025 |
| Published: | |
| Fine: | 100,000 EUR |
| Parties: | Realmaps |
| National Case Number/Name: | 10110241 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Italian |
| Original Source: | GPDP (in IT) |
| Initial Contributor: | elu |
After a two-year-long investigation, the DPA fined a data broker €100,000 for the unlawful processing of property owners’ personal data in real estate lists which were sold to other real estate agencies. Further, the DPA found numerous other GDPR violations.
English Summary
Facts
Between May 2022 and April 2024, the DPA received numerous complaints stating that multiple data subjects received calls from real estate agencies for marketing purposes. These real estate agencies, upon request, shared that they had acquired personal data from Realmaps, the controller.
The DPA decided to investigate how the data processing by the controller took place. The investigation revealed that the controller provides multiple real estate lists of property owners, containing telephone numbers and cadastral data on their properties.
Upon request of the real estate agencies, the controller buys these cadastral data and places them in the controller’s database, together with name, surname, contact data, social security number, email and home address. Through a specific software, this information is matched, and a list with all the information on each property owner is then sent to the real estate agency that requested it so that it can be used for marketing purposes.
Holding
The DPA considered that both the real estate agency and Realmaps are to be considered controllers in the case at hand. The DPA found a long list of violations.
Violation of Articles 5(2), 6(1)(a), 7, 24, 13, 14 GDPR
The DPA held that the controller did not carry out any random checks on the lawfulness of the data acquired, stating that lawfulness was ensured by the list provider on the basis of their contractual relationship. However, the DPA considered that the controller neither verified nor proved the informed consent given by data subjects. It cannot be held that a consent initially expressed consciously with regard to certain processing operations may be used for successive transfers of personal data from one controller to another in a manner totally unforeseeable for the data subject.
In compliance with the principle of accountability, the controller should have verified at least by means of a congruous sample, the lawfulness of the consent given.
Moreover, the DPA held that two distinct purposes of processing (marketing and communication to third parties for their promotional activities) are merged in a single formulation.
However, both of them require specific informed consent from the data subjects. The communication or transfer to third parties of personal data for marketing purposes cannot be based on the acquisition of a single, generic consent from the data subjects for other purposes.
Therefore, the transfer of data from one controller to the other is not supported by an appropriate consent, since it is not specific to the distinct marketing purposes of the controller; consequently, the subsequent transfer of data is unlawful.
The DPA thus found a violation of Articles 5(2), 6(1)(a), 7, 24, 13, 14 GDPR.
Violation of Article 30, 35, 37 GDPR
The DPA held that the controller did not establish the Register of Processing Activities, did not conduct a data protection impact assessment and also failed to designate a Data Protection Officer.
The DPA thus found a violation of Articles 30, 35, 37 GDPR.
Violation of Article 12(2) and (3), 21(2) GDPR
The DPA could not find any email inbox dedicated to receiving data subjects’ objections to the processing of their data.
The DPA thus found a violation of Articles 12(2) and (3), 21(2) GDPR.
Violation of Article 5(1)(e) GDPR
The DPA found that the data was stored indefinitely, thus violating Article 5(1)(e) GDPR.
Violation of Article 5(1)(a), 6(1)(a), 7 and 12(1) GDPR
The DPA considered that the lack of a privacy policy made it impossible to understand which legal basis applies and thus to assess the lawfulness of the processing.
The DPA thus found a violation of Articles 5(1)(a), 6(1)(a), 7 and 12(1) GDPR.
Fine
Due to the aforementioned violations, the DPA deemed it appropriate to impose a fine of €100,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[web doc. no. 10110241]

Provision of 16 January 2025

Register of provisions no. 11 of 16 January 2025

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

HAVING SEEN the Personal Data Protection Code (Legislative Decree 30 June 2003, no. 196), as amended by Legislative Decree 10 August 2018, no. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the “Code”);

HAVING SEEN the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;

REPORTER the lawyer Guido Scorza;

WHEREAS

1. Documents received by the Authority and the preliminary investigation conducted

The Authority received several complaints (reports and claims) in the period between May 2022 and April 2024, in which the receipt of promotional communications sent by real estate agencies was complained of. These agencies, at the request of the interested parties, reported to them that they had acquired personal data (including mobile telephone numbers) from Realmaps S.r.l. (hereinafter «Realmaps» or «Company»), indicating, in the response to the interested parties, an email address of that Company for the exercise of rights (XX). Only in one case (file no. 360344) did the Company provide feedback to the interested party, claiming to have acquired the personal data from XX (owner of the website XX), as the main supplier of Realmaps.

In light of the conduct described, the Authority deemed it necessary to verify the methods of processing personal data implemented by Realmaps for marketing purposes and, therefore, on 9 and 10 April 2024, it conducted an inspection at the registered office of the Company.

2. The inspection activity carried out by the Authority at the company headquarters and related outcomes

During the inspection, it emerged that Realmaps provides a clientele of real estate agencies with a list of data of the owners of properties located in a specific area of interest, including telephone numbers (landline and mobile) and cadastral information relating to the buildings. Specifically, at the request of the real estate agency (which acts as a customer interested in a specific area), the Company acquires the cadastral data of the properties located in that specific geographical area through access to public registers, such as SISTER and the archives of the Land Agency. The real estate data thus acquired flows into the Realmaps database, in which the personal data provided by the list providers are also recorded, including name, surname, telephone number (landline or mobile), tax code, residential address and email address. Through a special software (called “Automatch”), the cadastral data (organized in regional tables, containing information on the buildings and their owners in the corresponding provinces and municipalities) are cross-referenced, using the tax code, with the telephone number registered to the owner of the property, in order to send the Real Estate Agency/client a single list containing, therefore, also the contact data necessary for carrying out the marketing activity.

2.1. Personal data acquired from list providers

The Company indicated the suppliers from which it would purchase the lists of personal data to be sold, for a fee, to the Real Estate Agencies/clients for their own marketing purposes. The list providers, which Realmaps would have used in the years 2022, 2023 and 2024, are attributable to the companies XX (main supplier), XX and XX. The Company, in specifying its role as "intermediary" in the transfer of data from one controller to another (specifically, from the supplier to the Real Estate Agency/client), declared that it does not periodically carry out "random checks" on the lawfulness of the lists acquired (with particular reference to the fulfillment of the information and consent obligations) due to the guarantees offered by the list provider in the contractual phase. By relying on these contractual guarantees, and counting on the positive outcomes of the established collaboration, there would have been, according to the Company, no need to exercise a power of control over the lists acquired and over the lawfulness of the contacts transferred, as they were allegedly "consented". Sporadic checks are carried out by Realmaps upon renewal of the contract with the list provider or upon specific request of the interested parties (see page 4 of the minutes of 9 April 2024). The Company did not produce evidence of these checks, nor was it able to indicate a defined time frame and sampling percentage.

In this context, in view of the circumstance described above, the qualification of mere intermediary that Realmaps would have attributed to itself must be excluded, since the same company, having established the purposes and methods of processing of the personal data in question, must be qualified as an independent controller, pursuant to art. 4, no. 7, and art. 24 of the Regulation.

As controller, therefore, it was not found that Realmaps verified, nor proved, the existence of an informed consent of the interested parties that authorized the processing for commercial purposes. Even if one wanted to consider the existence of an alleged (but, as mentioned, undocumented) original consent given by the interested parties to the list providers, such authorization, aimed at communication to third parties for the relevant marketing purposes, could not have legitimized, after an initial transmission of data to Realmaps, also subsequent transfers from the latter to other independent data controllers, or, in this case, from Realmaps to the Real Estate Agencies/clients. The regulatory provision (articles 6 and 7 of the Regulation) does not legitimize the communication of data between independent data controllers on the basis of the sole informed consent initially given to the subject who collected the data. In this regard, the Guarantor has repeatedly stated that “It cannot, in fact, be considered that a manifestation of will initially expressed in a conscious manner with respect to certain processing can have a chain reaction, through subsequent transfers of personal data from one controller to another in a manner that is completely imponderable for the interested party” (see provision of 13 May 2021, no. 192, web doc. no. 9670025; see also provisions of 11 December 2019, no. 232, web doc. no. 9244365; 12 November 2020, no. 224, web doc. no. 9485681; 15 December 2022, no. 431, web doc. no. 9856345, all in www.gpdp.it). Therefore, in this case, the use by the Company of lists of personal data obtained from a third party would have made it necessary for Realmaps to request and acquire informed consent for the subsequent communication to the Real Estate Agencies/clients.

Furthermore, it was not proven that the information notice was provided to the interested parties by the list providers (also a condition of legitimacy for the communication of data to the Company), nor that Realmaps provided its own information notice. Finally, also in compliance with the principle of accountability, the Company should have verified, at least by means of a suitable sample, the lawfulness of the fulfillment of the aforementioned obligations in this matter (see provision of 22 May 2018, no. 363, web doc. no. 8995274; see cited provision of 13 May 2021, no. 192, web doc. no. 9670025, all in www.gpdp.it). This is especially true in light of the abundance of personal data acquired from list providers and uploaded to the Realmaps database in the table called “numbers”, containing the contactable users. Specifically, 32,510 personal data were provided by XX, 2,052,933 by XX., 112,117 by XX and 10,049 by XX (see page 3 of the report of 10 April 2024).

In addition, from the documentation produced during the inspection, it emerged that one of the list providers accredited by Realmaps, XX, had transmitted to the Company data acquired, in turn, from a further third party on the occasion of the participation of the interested parties in a prize competition (“Win an iPad Pro”), advertised on the website https://.... This third party, following the completion of the online form for the collection of personal data underlying the procedure for participation in the competition, requested, among other authorizations, consent “for the sending of […] commercial offers also by third parties to whom it will be possible for the Data Controller to communicate the personal data […] provided”. Based on this approach, two distinct processing purposes (marketing by the controller and communication to third parties for their promotional activities) are merged into a single formulation, whereas they require specific informed consent from the interested parties, pursuant to art. 4, no. 11, of the Regulation (see also recitals 32 and 33). With regard to the communication of data to third parties for marketing purposes, the Guarantor, in the “Guidelines on promotional activities and the fight against spam” (provision of 4 July 2013, no. 330, web doc. no. 2542348), noted that “the communication or transfer of personal data to third parties for marketing purposes cannot be based on the acquisition of a single and generic consent from the interested parties for such purposes. Therefore, anyone who, as data controller, intends to collect the personal data of the interested parties also to communicate them (or transfer them) to third parties for their promotional purposes must first provide them with suitable information […]. Furthermore, it is necessary for the controller to acquire specific consent for the communication (and/or transfer) of personal data to third parties for promotional purposes, which is also separate from that requested by the controller to carry out promotional activities itself”.

Therefore, the transfer of data from the third-party transferor to XX is not supported by an appropriate consent, as it is not specific to the distinct marketing purposes of the controller and of the transferee subjects; consequently, the subsequent transmission of data from XX to Realmaps cannot be considered legitimate. Furthermore, also in this case, the arguments set out above regarding the mistaken belief in the lawfulness of the transfer of data from one controller to another based solely on the consent given “upstream” of the chain of subjects involved in the processing in question are confirmed. In light of the above, the violation of Articles 5, par. 2, 24, 13, 14, 6, par. 1, letter a) and 7 of the Regulation was found.
2.2. Qualification of the roles of the subjects authorized to access the Realmaps database

For the creation of the database, mapping and data filtering services, Realmaps used a company providing ICT services and system support (XX, now XX), with which it formalized the collaboration relationship, by signing a contract, only in September 2023. From 2021 (the year the collaboration began) to 2023, the Company therefore maintained an informal relationship with XX (see page 2 of the minutes of 10 April 2024), which would then have processed the personal data in question on behalf of Realmaps. Access to the database is permitted not only to the aforementioned ICT service provider but also to Realmaps employees who manage the estimates. In this regard, the list of operators authorized to consult the database and to perform the related filtering and cross-referencing operations on the data contained therein (called “users” in the database) in order to process requests from Agencies/clients was produced (see communication sent by email by the Company on 11 April 2024). From the analysis of the screenshots acquired during the inspection (see attachment 11 to the minutes of 10 April 2024), it also emerged that some former Realmaps employees, although without a contract and a formal assignment, would have been authorized to access the database for the entire period of the collaboration and, in some cases, before the start of the employment relationship and even after its conclusion. In fact, access to the database was found in April 2024 by a collaborator who, according to the Company, would have worked occasionally in 2023. Furthermore, it emerged that some access operations were carried out by subjects who were not clearly identified and in any case different from those authorised by Realmaps; in particular, hits in the database were attributed to a generic “operatore_it” and to “develop”, active already in 2022.

In this context, it must be noted that the processing operations described above (access, consultation, filtering, cross-referencing), which may also concern a large group of interested parties, were carried out in the absence of a formal “attribution of functions and tasks to subjects designated” for the processing of personal data, pursuant to art. 2-quaterdecies of the Code. Therefore, a violation of the provisions of art. 28 and 29 of the Regulation and of the principles of privacy by design (art. 25 of the Regulation) and accountability (pursuant to art. 5, par. 2, and 24 of the Regulation) was deemed to have occurred. Furthermore, the unrestricted accessibility of the database by a multitude of subjects, not all of whom are part of the corporate organization of Realmaps, in violation of art. 2-quaterdecies of the Code (as in the case of the ICT service provider), constitutes a gap in the security measures such as to integrate the violation of art. 5, par. 1, letter f) of the Regulation as well as of art. 32, par. 1, letters b) and d), and par. 2, of the Regulation, with regard to the “ability to ensure on an ongoing basis the confidentiality [and] integrity” of the data processed and to adopt “a procedure to regularly test, assess and evaluate the effectiveness of technical and organizational measures in order to ensure the security of processing” (see par. 2: “In assessing the appropriate level of security, special account shall be taken of the risks presented by the processing, which arise in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”).

The Company also declared that it had not prepared the Register of processing activities, pursuant to art. 30 of the Regulation, nor had a data protection officer been appointed (art. 37 of the Regulation), nor had an impact assessment been carried out, pursuant to art. 35 of the same Regulation (see page 4 of the minutes of 9 April 2024); fulfillments that, in this case, would have been necessary given the systematic and invasive nature of the processing with respect to the rights and freedoms of the interested parties. Therefore, the violation of Articles 30, 35 and 37 of the Regulation was also contested.

2.3. Exercise of rights and investigative outcomes relating to complaints received by the Authority

For the processing of requests for the exercise of rights, it was found, in the documents, that as a rule Real Estate Agencies/clients, in response to requests from interested parties to obtain information on the processing of their personal data in the context of the complained-of commercial activity, indicate an email address attributable to Realmaps (XX). This email appears to be controlled by the “privacy consultant” of Realmaps (who, as mentioned, was found to lack a formal designation or an act of appointment that recognizes his/her attributions), who forwards the request first to the list provider (in most cases to the main supplier XX, at the email address XX) to obtain information on the existence of a consent connected to a personal datum and a telephone number and, secondly, to the company XX to register the objection by inserting the number concerned in the “numbers_excluded” table. Sometimes it is the same “privacy consultant” who contacts the interested parties/applicants by telephone to provide them with a verbal response and, subsequently, to proceed with the insertion of the number in the “numbers_excluded” table (see pages 4 and 5 of the minutes of 10 April 2024).

With reference to the specific complaints received by the Authority, and from which the inspection arose in word, it emerged that only in one case (file no. 295373) did the interested party's number appear among the "excluded_numbers". However, the telephone numbers of interested parties who had objected to the processing of their personal data by formally communicating with Realmaps were included in the "numbers" table, and therefore contactable (files nos. 198910 - 255444 - 319814 - 360344). In other cases, the telephone numbers to which unwanted contacts were addressed were not present in the Company's database (see files nos. 302375 - 223355 - 245765). With respect to the aforementioned complaints, however, the requests for objection/erasure submitted by the interested parties were not found in the email box dedicated to handling the requests of the interested parties (XX), nor was the alleged feedback from the Company. This is because, for some of these requests (files nos. 198910 – 209288 – 302375 - 319814), the interested parties used the Company's certified email address (XX), recently replaced by a new digital address (XX) registered at the Chamber of Commerce on 12 February 2024 (see page 5 of the minutes of 10 April 2024 and Annex 9). In this regard, the few communications (no. 3) relating to the exercise of rights received at the new certified email address of Realmaps were viewed. In two cases, despite the objection expressed by the interested parties and Realmaps' assurances to one of them, the telephone numbers were still present in the table of contactable users (table "numbers"). In light of the above, it emerged that, in general, the requests for exercising the rights of the interested parties were not found, nor, in almost all the cases analyzed by the Authority, were the requests for erasure of the personal data accepted, since, from further checks, the data were found in the list of contactable users (table “numbers”).

It should also be noted that the possible inclusion of the interested user in the aforementioned table “excluded_numbers” does not appear to be an adequate solution to guarantee the management of the right to object, considering that the same table appeared to be devoid of any reference that would allow the interested parties’ will to be contextualized and detailed in this regard. Therefore, a conduct was found that was not consistent with the obligation of the controller to facilitate, with appropriate measures, the exercise of the rights provided for by the legislation in question and to satisfy, without delay, the related requests, including the right to object, which can be exercised “at any time”. The violation of art. 12, par. 2 and 3, as well as art. 21, par. 2, of the Regulation was therefore deemed to be integrated.

2.4. Data retention periods

The Company currently retains in its database a significant amount of data whose collection has not been sufficiently detailed, with particular reference to the date of acquisition of such information. It follows that the failure to indicate the date of uploading the data into the database does not allow knowledge of the retention periods of the same; nor is it possible to reconstruct the history of the alleged (but not documented) consents in the absence of some temporal placement, producing, as a possible effect, a sine die retention of the data. This gap cannot even be overcome by referring generically to the terms contained in the contracts stipulated with the suppliers, since the tacit renewal of such agreements over the years (as represented by the Company during the inspection) could result in retention periods that are significantly longer than those indicated in the contracts themselves. Therefore, the violation of the principle of storage limitation pursuant to art. 5, par. 1, letter e) of the Regulation was deemed to be integrated.
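The two gaps the Authority describes in 2.3 and 2.4 (an exclusion table holding bare telephone numbers with nothing that contextualizes the data subject's objection, and contact records without an acquisition date, so that no retention period can be assessed) can be made concrete with a small model of what such a register needs to hold. The following Python is an added example written for this page; it is not Realmaps' software, nor code from the decision, and the table layout, field names, provider labels, telephone numbers, tax codes and dates are all constructed for illustration.

```python
# Added illustration (not Realmaps' "numbers"/"numbers_excluded" tables):
# a contact register that (a) keeps a dated, referenced objection record per
# suppressed number instead of a bare number, and (b) stores an acquisition
# date per contact so that a retention period can actually be computed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Contact:
    phone: str
    tax_code: str
    source: str                  # which list provider the record came from
    acquired_on: Optional[date]  # None reproduces the undated-record gap


@dataclass(frozen=True)
class Objection:
    phone: str
    received_on: date            # when the data subject's request arrived
    channel: str                 # e.g. "pec", "email", "phone"
    reference: str               # file/ticket reference for the request


def contactable(contacts, objections):
    """Contacts that may still be called: any number with a recorded
    objection is suppressed, regardless of which list supplied it."""
    suppressed = {o.phone for o in objections}
    return [c for c in contacts if c.phone not in suppressed]


def objection_history(objections, phone):
    """All objections on file for a number, oldest first, so the request
    can be reconstructed later rather than inferred from a bare entry."""
    return sorted((o for o in objections if o.phone == phone),
                  key=lambda o: o.received_on)


def retention_review(contacts, today_iso, max_days):
    """Classify every contact as 'ok', 'expired' or 'undated'.
    'undated' is the case the DPA found: with no acquisition date the
    retention period cannot be assessed at all."""
    today = date.fromisoformat(today_iso)
    limit = timedelta(days=max_days)
    result = {"ok": [], "expired": [], "undated": []}
    for c in contacts:
        if c.acquired_on is None:
            result["undated"].append(c.phone)
        elif today - c.acquired_on > limit:
            result["expired"].append(c.phone)
        else:
            result["ok"].append(c.phone)
    return result


# Constructed sample data: fictitious numbers, tax codes and providers.
CONTACTS = [
    Contact("+39 333 0000001", "TAXCODE0000000001", "provider_A", date(2023, 2, 1)),
    Contact("+39 333 0000002", "TAXCODE0000000002", "provider_A", date(2021, 5, 20)),
    Contact("+39 333 0000003", "TAXCODE0000000003", "provider_B", None),
    Contact("+39 333 0000004", "TAXCODE0000000004", "provider_C", date(2024, 1, 10)),
]
OBJECTIONS = [
    Objection("+39 333 0000002", date(2023, 11, 3), "pec", "file-0001"),
    Objection("+39 333 0000004", date(2024, 2, 15), "email", "file-0002"),
    Objection("+39 333 0000004", date(2024, 3, 1), "phone", "file-0002-followup"),
]

if __name__ == "__main__":
    print("contactable:", [c.phone for c in contactable(CONTACTS, OBJECTIONS)])
    for o in objection_history(OBJECTIONS, "+39 333 0000004"):
        print("objection:", o.received_on, o.channel, o.reference)
    print(retention_review(CONTACTS, "2024-04-10", 730))
```

The point of the example is the shape of the data, not the matching logic: once each objection carries a date, channel and reference, a later check can show whether a request was honoured, and once each contact carries an acquisition date, an "undated" bucket makes the records whose retention cannot be justified visible instead of silently keeping them.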
Processing of personal data via the website With reference to the website, found at the link https://..., it is stated that upon completion of the online form, set up on the home page to request quotes and obtain information on the products and services offered, it is mandatory to flag a check box containing a generic authorization to process personal data. Furthermore, although there is a link dedicated to the privacy policy, it leads to an empty page, devoid of content, as already verified by the Office in the period prior to the inspection. The Company argued that the data acquired via the aforementioned online form can be processed for the provision of the service (response to the user's request for information) but also for commercial purposes (see minutes of 10 April 2024 page 6). The Office noted that the lack of information does not allow for clarification of the processing of data acquired through the online form and for what purposes the same data are used, nor where they are merged and stored. This gap was not remedied even when the reservations were lifted on 30 April 2024 (see Annex 4) since the Company limited itself to representing that the data of users who fill out the aforementioned online form arrive at the XX email address "as requests for information and [...] for recontact". Based on the statements made by the Company during the inspection, the website setup, in the terms described above, allows us to believe that the user's registration through the online form is conditioned by the simultaneous release of a single consent for the separate purposes of providing the service and marketing. This consent, which is neither specific nor free, does not appear to constitute an appropriate legal basis for the aforementioned processing, pursuant to Articles 6 and 7 of the Regulation. Therefore, it was deemed possible to configure a violation of Articles 5, paragraph 1, letter a), 6, paragraph 1, letter a), 7 and 12, paragraph 1, of the Regulation. 3. 
Notification of alleged violations pursuant to Article 166, paragraph 5, of the Code Based on the above, on 14 May 2024 the Company was charged with the alleged violation of the following provisions: Article 5, paragraph 1, letter a), e) and f) and paragraph 2; Article 6, paragraph 1, letter a); Article 7; Article 12, paragraphs 1, 2 and 3; Article 13; Article 14; Article 21, paragraph 2; Article 24; Article 25; art. 28; art. 29; art. 30; art. 32, par. 1, lett. b) and d) and par. 2; art. 35; art. 37 and art. 2-quaterdecies of the Code. With the same note, the Authority therefore communicated the initiation of the procedure for the adoption of the provisions referred to in article 58, par. 2, of the Regulation and for the possible application of the pecuniary sanctions referred to in art. 83, par. 4 and 5, of the Regulation (note ref. prot. no. 0058339/24 of 14 May 2024). 4. Realmaps' defense and the corresponding legal assessments of the Authority On June 13, 2024, Realmaps responded to the aforementioned dispute by sending a defense brief (the content of which, with particular reference to the corrective actions implemented, was resumed at the hearing held on July 8, 2024 and confirmed in the integration of July 15, 2024). In consideration of the reasons reported below (to which, for greater detail, full reference is made), Realmaps asked the Authority, "where [...] it finds any violation", that "the sanction of the payment of a sum in any case contained" be applied. 4.1. With reference to point 2.1. of this provision (Personal data acquired from list providers), the Company preliminarily clarified that it had "cautiously suspended the processing of data consisting of their communication to real estate agencies [...]" and represented and documented that it had requested from XX, the main supplier of Realmaps, evidence of the consents and information provided to the interested parties. 
In the relationship with the list providers (in particular with XX.), the Company, "having examined the contractual agreements but above all the factual elements and circumstances of the case", considered that there was a situation of joint ownership of the processing, rather than exclusive ownership by Realmaps. This is because, according to the Company, the requirement of "joint participation" with the list providers would emerge in defining the processing methods, as referred to in the EDPB Guidelines 7/2020 on the concepts of owner and manager. Specifically, XX. would have jointly defined with the Company the processing method, with exclusive reference to the management of the requests to exercise the rights of the interested parties; this activity, which, according to the Technical-Commercial Annex produced to accompany the contract stipulated with Realmaps, would be entirely the responsibility of the list provider. In other words, since XX, according to the contractual agreements, is responsible for processing requests on the processing of personal data that the interested parties initially address to Realmaps (on the indication of the Real Estate Agencies, as represented in point 1 of this provision), this list provider is to be considered joint controller as it participates, jointly with the Company, in the definition of the described processing method. Having clarified this, the Company confirmed that it had relied "in good faith" on the compliance with the legislation on the protection of personal data of the lists acquired, also given the assurances "on the correctness of the collection of consents" provided by XX, already in the pre-contractual phase, through a form delivered to Realmaps by the same defined as "difficult to understand". 
“Considering the status of joint controllers between Realmaps and the list providers – the Company continued – it was not necessary for the former to acquire, for the purposes of processing, the consent of the interested parties, nor for it to provide any information to the latter, such obligations being, by express contractual provision, the responsibility of the joint controller list provider”. As reconstructed in point 2.1 (whose arguments are intended to be fully recalled), taking into account what was argued by the Company in the defense brief and confirmed during the hearing, it is not possible to overcome the reasons for contestation expressed in the act of initiation of the proceeding. Therefore, it is confirmed that Realmaps is the controller not only with reference to the evasion of requests to exercise the rights of the interested parties but also with regard to all the further phases of the processing. This is because the collection, storage, processing and transmission to third parties of personal data constitute processing operations carried out by Realmaps in a manner completely independent of the procedures for managing the databases of the list providers. The Company, in fact, has organized its database by drawing on various sources (public registers - third-party lists) and using sophisticated software capable of cross-referencing the data in its possession (cadastral and registry data) in order to offer a commercial product to Real Estate Agencies/clients. These processing operations are not shared with the list provider and are excluded from its scope of intervention but are attributable solely to an operating method that Realmaps has consolidated over the years of its activity. 
It should be added that, with the exception of the contract signed with XX., of the list providers that Realmaps would have used in supplying the registry data to be transferred to the Real Estate Agencies clients, only a copy of the commercial agreement agreed with XX was produced which, as represented in point 2.1., would have acquired the data from a third party, moreover established outside the European Union. As the data controller, Realmaps is therefore responsible for the violations identified in point 2.1. of this provision, with particular reference to the lack of checks on the alleged lawfulness of the lists acquired from the suppliers and, therefore, on the existence of a consent that would authorize the processing for commercial purposes by third parties to whom the personal data were communicated, as well as on the release of suitable information to the interested parties. An explicit request in this sense was formulated by Realmaps only after the act of contestation and, moreover, with reference only to the personal data acquired from XX. and not also to those, equally numerous, transferred by the other suppliers (XX and XX). In light of the above, it is believed that the violation of articles 5, par. 2, 24, 13, 14, 6, par. 1, letter a) and 7 of the Regulation must be confirmed.

4.2. With reference to point 2.2. of this provision (Qualification of the roles of the subjects authorized to access the Realmaps database) the Company specified that only XX., an ICT service provider, has the credentials to access the Realmaps database; the employees and collaborators of the latter, however, "access only the Automatch program to formulate the estimates to be sent to the agency clients via a link, which only the agencies access, via a password". 
Furthermore, in the supplementary note of 15 July 2024, with which the Company intended to clarify some profiles that emerged during the defense brief, Realmaps admitted that it had not proceeded with the formal designation of all the subjects authorized to access the database and, on this occasion, produced the deeds of appointment of some employees authorized to access and of the data processor attributable to the company XX. It also specified that the subjects “not clearly identified and in any case different from those authorized […] attributable to a generic operatore_it and to develop […]” refer to “general accounts used and usable by system operators […]”. Finally, in declaring itself aware of the amount of data processed, Realmaps assured that it will “provide diversified identification credentials between various subjects and formal authorizations” as well as prepare a DPIA and the Processing Register. On 15 July 2024, to resolve the reservations expressed during the hearing, the Company transmitted the act of appointment of the DPO (signed on 10 July 2024) whose contact details were communicated to the Guarantor on 19 July 2024, in compliance with art. 37, par. 7, of the Regulation. In light of the above, first of all, it must be noted that the use of the software called “Automatch” - with which the data of owners of properties located in the area of interest of the Agency/Client are selected and extracted - involves, in any case, access operations to the Realmaps database. 
In fact, the “Automatch” software is nothing more than an application that facilitates searches in the Company’s database for subjects who do not necessarily have the appropriate technical skills; this software allows the results of the search to be downloaded in the form of “csv files”, called “download mapping file” and “download number file”, which contain the lists of data requested by Realmaps customers (see attachment 11 to the minutes of 10 April 2024). It should be noted that the “csv” format of the files allows you to easily export structured data (stored in a database or a spreadsheet, for example) and import them into other programs, in order to view and reuse them. The “csv” files used by the Company’s employees therefore allow you to create partial or total copies of the Realmaps database. Furthermore, contrary to what the Company claims, the possibility for its employees to view the data contained in the files to be sent to the Real Estate Agencies appears concrete since, as evidenced during the inspection, the password to be used to open the file itself is indicated for these files, which therefore cannot be said to be the exclusive prerogative of the customer (buyer real estate agency). Furthermore, in light of what the Company has represented, the “general accounts used and usable by system operators” are configured, in fact, as system credentials shared between multiple users of the Realmaps platform. This approach poses critical issues with regard to the actual possibility of tracing access back to the person formally authorised to process it. Access via shared and non-personal accounts also nullifies the effectiveness, for example, of controls on log files and the application of the measures provided for by the provision of the Guarantor of 27 November 2008 relating to system administrators, which is still to be considered valid with the value of a guideline (in www.gpdp.it, web doc. no. 
1577499 – “Measures and precautions prescribed to the controllers of processing carried out with electronic tools relating to the attribution of the functions of system administrator”, modified with the provision of 25 June 2009). In fact, paragraph 4.3. of the aforementioned provision contains the measure to prepare the list of system administrators with an indication of the “identification details of the natural persons who are system administrators with the list of the functions attributed to them […]”. In this case, this measure was totally ignored by the Company since access to the system is also operated by individuals with non-nominative but shared credentials and in the absence of the relevant attributions. During the defense brief and following the hearing, only the contracts signed with three employees of the Company were produced, one of whom was a minority shareholder. Moreover, this collaborator, hired on 29 March 2024, does not appear among the individuals who had access to the Realmaps database already in 2022 (as per Annex 11 to the minutes of 10 April 2024). By contrast, with reference to one of the other two Realmaps employees, whose contracts were produced, it emerged that this collaborator had access to the Company's database in a period prior to the formalization of the employment relationship and the related designation as data processor (see cited Annex 11 to the minutes of 10 April 2024). In fact, this appointment was formalized on 23 July 2023 despite accesses having been recorded as early as May 2023. In relation to all additional collaborators - authorized to consult the database and, as described in point 2.2. 
of this provision, to the related filtering and cross-referencing operations of the data contained therein for the management of estimates to Real Estate Agencies/clients - no formal contracts or agreements were produced that defined the scope of intervention on the personal data and the methods of processing them; the Company, in fact, declared that it had not proceeded with a formal designation of the subjects authorized to access the Realmaps database. This is especially detrimental to the security of the systems given the easy accessibility to the database by a multitude of subjects, not all of whom are included in the corporate organization of Realmaps. The described setup was affected by vulnerabilities connected to the risk, considered high, in terms of loss of confidentiality, integrity and availability of the data involved. In fact, as widely represented above, it is possible to extract a considerable amount of data contained in the Realmaps database and make them accessible/visible to anyone (to unauthorized subjects and to Real Estate Agencies that request it, upon financial compensation), resulting, in fact, in a massive and uncontrolled processing of the same data. Therefore - while acknowledging the improvement measures adopted by the Company following the Authority's challenge (some of which are being defined: identification credentials for subjects formally authorized to access the database; DPIA; Processing Register) - with reference to the processing already carried out and subject to the inspection, it is believed that the violations contested in point 2.2. of this provision (articles 5, par. 1, letter f; 5, par. 2; 24; 25; 28; 29; 30; 32, par. 1, letters b and d; 32, par. 2; 35; 37 of the Regulation and art. 2-quaterdecies of the Code) should be confirmed.

4.3. With reference to point 2.3. 
of this provision (Exercise of rights and investigative outcomes relating to complaints received by the Authority) the Company, with a note dated 15 July 2024 - in reiterating the method used to process requests to exercise the rights of interested parties, consisting in the transfer of requests from the real estate agency to Realmaps and from the latter to the supplier - confirmed the role of joint controller of XX and specified the following: "the list provider delivered to the client [Realmaps], to reassure it of the correctness of the collection of consents, a form, which was illustrated as a tool that provided that each request from interested parties would be managed directly by XX who had handled the collection of consents, also through the real estate agencies. In all of this, it is clear that Realmaps does not have and has never had a direct relationship with the interested parties, property owners". First, it is noted that the Company has not produced documentation proving the release by XX., in the pre-contractual phase, of the aforementioned form with which the management of the requests of the interested parties, totally entrusted to the supplier, was illustrated; a form which, moreover, Realmaps has defined as "difficult to understand" (see the memorandum of 13 June 2023 p. 3.2., referred to in paragraph 4.1. of this provision) and which, therefore, has made the information contained therein unusable. Furthermore, in recalling the Authority's assessments regarding the controllership recognized as belonging to Realmaps (see paragraph 4.1. of this provision), the circumstance that the Company "had never had a direct relationship with the interested parties, real estate owners", appears to be denied by the documentation in the files. 
In fact, not only was Realmaps the recipient of the requests of the interested parties but, in some cases, it also provided the relevant feedback, albeit aimed at deferring the complete satisfaction of the request made to XX (see file no. 295372 - requests of 7 April and 30 June 2023 -; file no. 255444 - request of 1 March 2023 renewed on 8 March 2023 attaching the "FORM for exercising rights in the field of personal data protection"; file no. 344943 - request of 19 February 2024 to which Realmaps provided feedback on 22 February 2024; file no. 223355 - request of 11 February 2023, renewed on 24 February 2023 to which Realmaps provided feedback on 24 March 2023; file no. 334862 – requests of 26 and 31 October 2023). The procedure implemented by the Company, as data controller, does not appear to be functional to guarantee timely processing “and without unjustified delay” of the requests of the interested parties (pursuant to art. 12, par. 3, of the Regulation). Added to this is the fact that the registration in the company systems of the requests for opposition and deletion of data expressed by the interested parties would have been entrusted at times to XX (which, as already described in point 2.2. of this provision, would have operated for a long period as a supplier of ICT services and system support in the absence of a formal designation) and at times to the “privacy consultant”. This approach, which is also not formalized and likely to create confusion about the actual roles played by the subjects involved in the processing, has led, in fact, to a profound gap in the timely reception of the requests of the interested parties. Ultimately, for the reasons set out above, the management of requests for the exercise of the rights of the interested parties was not adequate. Therefore, the violation of art. 12 par. 2 and 3, as well as art. 21, par. 2, of the Regulation must be confirmed since, as emerged during the inspection (see point 2.3. 
of this provision to which reference is made), in almost all cases verified by the Authority, the opposition to further processing does not appear to have been recorded in the company systems.

4.4. With reference to point 2.4. of this provision (Data retention periods), the Company claimed to have been established in 2021 "and therefore the exceeding of the data retention period in marketing matters cannot be attributed [...] which is two years. Moreover, it is possible to derive the initial date from the moment of sharing the data with the List Provider". It should be noted, first of all, that the two-year retention period for marketing purposes invoked by the Company is a time parameter indicated in the provision on “Fidelity cards and consumer guarantees” adopted by the Guarantor on 24 February 2005 (in www.gpdp.it, web doc. no. 1103045). This provision, with the entry into force of Regulation (EU) 2016/679, has assumed the value of a non-binding guideline since the paradigm shift introduced by European legislation has recognized the controller as having general responsibility for the processing of personal data (accountability), including the definition of the retention periods of the personal data being processed. Therefore, in exercising its accountability, the controller “is required to implement appropriate and effective measures and be able to demonstrate the compliance of the processing activities with the […] regulation” (cit. recital 74 of the Regulation, in these terms see articles 5 and 24 of the Regulation), including compliance with the principles of purpose, minimization and limitation of storage, pursuant to art. 5, par. 1, letters b), c), and e) of the Regulation. 
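The access-traceability findings in point 4.2 above (shared operator accounts, csv exports, access recorded before formal designation) and the retention finding in point 4.4 (no time references in the database from which a retention clock could start) are both checkable mechanically against an access log and an authorisation register. The following is an added example, not code from the provision or from Realmaps; every log line, account, name, record and date in it is constructed, and the designation date of 23 July 2023 and the account names operatore_it and develop merely echo facts recited above.

```python
"""Audit of database access records and retention metadata.

Added example (not part of the Garante's provision or Realmaps' systems).
Every log line, account, name and record below is constructed for
illustration; the designation date of 23 July 2023 and the shared
account names operatore_it / develop echo facts recited in point 4.2.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed register of formally authorised persons:
# account -> (display name, date of formal designation).
AUTHORISATIONS = {
    "m.rossi": ("M. Rossi (placeholder)", date(2023, 7, 23)),
    "l.bianchi": ("L. Bianchi (placeholder)", date(2022, 1, 10)),
}

# "General accounts used and usable by system operators": shared,
# non-nominative credentials that cannot be traced to one person.
SHARED_ACCOUNTS = {"operatore_it", "develop"}

# Constructed access log, one event per line: "YYYY-MM-DD account action object".
ACCESS_LOG = """\
2023-05-04 m.rossi query automatch
2023-05-04 operatore_it export download_number_file.csv
2023-08-01 m.rossi query automatch
2023-09-12 develop export download_mapping_file.csv
2023-09-13 l.bianchi export download_mapping_file.csv
2024-02-02 unknown_user query automatch
"""

# Date of the on-site inspection recited in the provision (9-10 April 2024).
INSPECTION_DATE = date(2024, 4, 10)


@dataclass
class Finding:
    line_no: int
    account: str
    issue: str


def parse_log(text):
    """Return (line number, date, account, action, object) for each log line."""
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        day, account, action, obj = line.split(maxsplit=3)
        rows.append((n, date.fromisoformat(day), account, action, obj))
    return rows


def audit_access(text, authorisations=AUTHORISATIONS, shared=SHARED_ACCOUNTS):
    """Flag accesses not attributable to a formally authorised person, accesses
    predating that person's designation, and bulk csv exports of the database."""
    findings = []
    for n, when, account, action, obj in parse_log(text):
        if account in shared:
            findings.append(Finding(n, account, "shared non-nominative account; access not traceable to a person"))
        elif account not in authorisations:
            findings.append(Finding(n, account, "account absent from the authorisation register"))
        else:
            _name, designated = authorisations[account]
            if when < designated:
                findings.append(Finding(n, account, f"access before formal designation on {designated.isoformat()}"))
        if action == "export" and obj.endswith(".csv"):
            findings.append(Finding(n, account, "csv export: partial or total copy of the database leaves the system"))
    return findings


# Constructed contact records: (record id, source, ingestion date or None).
RECORDS = [
    ("r1", "list_provider_A", date(2021, 11, 2)),
    ("r2", "list_provider_A", None),  # no time reference at all
    ("r3", "public_register", date(2024, 1, 15)),
]

# Two-year marketing retention parameter the Company itself invoked.
RETENTION = timedelta(days=2 * 365)


def retention_review(records, today, retention=RETENTION):
    """Classify each record as 'within', 'expired' or 'untraceable'
    (no ingestion date, so the retention clock cannot even be started)."""
    outcome = {}
    for rid, _source, ingested in records:
        if ingested is None:
            outcome[rid] = "untraceable"
        elif today - ingested > retention:
            outcome[rid] = "expired"
        else:
            outcome[rid] = "within"
    return outcome


if __name__ == "__main__":
    for f in audit_access(ACCESS_LOG):
        print(f"log line {f.line_no} [{f.account}]: {f.issue}")
    print(retention_review(RECORDS, INSPECTION_DATE))
```

Run as a script it lists seven findings for the constructed log (one pre-designation access, two shared-account uses, three csv exports, one unregistered account) and marks r1 expired, r2 untraceable and r3 within the two-year parameter.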
Ultimately, in light of the European regulatory framework, the aforementioned provision aims to guide the choices of the controller, also with reference to storage times (establishing the general rule of two years); however, the decision on the processing and the related timing is solely up to the controller itself. This duly clarified, even if one wishes to consider the time parameters indicated in the aforementioned provision, it is noted that the two-year term invoked by the Company had in any case expired at the time of the inspection, which took place in April 2024. Furthermore, as already represented in point 2.4. of this provision, it is not possible to trace the moment of loading the data into the company systems for the start of the retention periods; this is because the database was found to have no time references and the tacit renewal of the supply contracts with the list providers does not allow the perimeter of the retention to be clearly defined, which, therefore, could be longer than the terms indicated in the contracts themselves. Therefore, the violation of the principle of limitation of conservation pursuant to art. 5, par. 1, letter e) of the Regulation is confirmed.

4.5. With reference to point 2.5. of this provision (Processing of personal data via the website), the Company stated that, during the inspection, “a problem was found in the connection to the information notice […]” whose revised text was made available online starting from 6 July 2024. From a check of the Company’s website, it is confirmed that the gap that emerged during the inspection has been remedied; in fact, it is possible to view the text of the privacy notice via a specific link at the bottom of the home page. However, the critical issues related to the setting of the online form on the Realmaps website appear to persist, with particular reference to the mandatory acquisition of a single generic consent to the processing of personal data (cit. 
"I consent to the processing of my personal data for the receipt of information on Realmaps"). From reading the information currently available on the Company's website, it was possible to ascertain that the processing carried out through the aforementioned online form is aimed at "managing activities related to the type of request that are consultancy and/or commercial, including the sending of advertising material and technical/economic offers"; it follows that the consent acquired in the formulation just illustrated does not appear suitable as it aims to merge the different purposes of service provision and marketing into a single solution. In this regard, it should be reiterated here that the capacity for self-determination of the interested parties is not respected when the effective and conscious freedom of choice regarding the processing of their personal data is not ensured and this defect of legitimacy is relevant for the purposes of the applicability of violations of the data protection legislation (in particular that relating to consent), regardless of whether or not the proposed processing activities are carried out (see provision “Online services: request for "mandatory" consent for promotional purposes”, point 3.1. - 27 October 2016, no. 439, web doc. no. 5687770; provision 12 June 2019, no. 130, point 3, web doc. no. 9120218; in www.gpdp.it). It should also be noted that the “connection problem” that would have justified the temporary inaccessibility to the text of the privacy policy prevented the interested parties from having information regarding the processing of their personal data at least for the period of time under scrutiny by the Authority. In fact, this information gap was ascertained by the Authority already on 26 January 2024, before the inspection took place, and formalized in a specific report of operations carried out (ref. prot. no. 24/24 of 29/01/2024). 
At the time of the inspection, which took place in April 2024, therefore three months after the remote inspection, the privacy notice was still not available on the Company's website, which, moreover, was unaware of this and which only made it available after the intervention of the Authority and following the act of initiation of the procedure of 14 May 2024. In addition to this, the new text of the privacy notice contains the indication of the old certified email address of the Company (XX) which was then replaced on 12 February 2024 with a new digital address. The indication of an incorrect address - as it is no longer used by the Company - compromises the exercise of the rights by the interested parties. In light of the above, due to the lack of transparency on the processing and the unsuitable legal basis of the consent requested following the completion of the online form, the violation of articles 5, par. 1, letter a), 6, par. 1, letter a), 7 and 12, par. 1, of the Regulation is confirmed.

5. Conclusions

For the above as a whole, while acknowledging the initiatives undertaken by the Company following the Authority's challenge, with reference to the processing already carried out and subject to the inspection, Realmaps' liability is deemed to be established for the violation of the following provisions: articles 5, par. 1, letter a), e) and f) and par. 2; 6, par. 1, letter a); 7; 12, pars. 1, 2 and 3; 13; 14; 21, par. 2; 24; 25; 28; 29; 30; 32, par. 1, letter b) and d) and par. 2; 35; 37 and art. 2-quaterdecies of the Code. Having therefore ascertained the unlawfulness of the above-described conduct of the Company, it is necessary: - pursuant to art. 58, par. 
2, letter f) of the Regulation, prohibit any further processing for commercial purposes carried out through lists, including those acquired from suppliers (list providers), for which the Company does not have free, specific and informed consent to the communication of data to third parties for promotional purposes (articles 6 and 7 of the Regulation); - pursuant to art. 58, par. 2, letter d), of the Regulation, order the Company, if it intends in the future to carry out promotional activities through the marketing of telephone numbers provided by third parties, to adopt suitable procedures aimed at constantly verifying, also through adequate sample checks, that personal data are processed in full compliance with the provisions in force (prior acquisition of free, specific, unequivocal, documented, as well as informed, consent of the interested parties for the sending of commercial communications) (articles 6, 7 and 14 of the Regulation); - pursuant to art. 58, par. 2, letter d) of the Regulation, order Realmaps to adopt adequate technical and organizational measures to facilitate the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without undue delay, the related requests, including the right to object that can be advanced "at any time" by the interested party (articles 15, 17 and 21, par. 2, of the Regulation); - pursuant to art. 58, par. 2, letter d) of the Regulation, order the Company to provide that the operations on personal data carried out both by the partner entities and by their employees and collaborators who access the Realmaps database, are preceded by the designation of the same, respectively as data processors and persons in charge of the various phases of the processing (articles 28 and 29 of the Regulation and art. 2 quaterdecies of the Code); - pursuant to art. 58, par. 2, letter f) of the Regulation, prohibit the processing of personal data collected through the website https://... 
without having obtained the necessary prior informed, free and specific consent of the interested parties in relation to marketing activities, pursuant to Articles 6 and 7 of the Regulation and Article 130 of the Code; it is also considered appropriate to order, pursuant to Article 58, paragraph 2, letter d) of the Regulation, to indicate in the privacy notice the correct email address to which requests for the exercise of rights on the processing of personal data should be addressed, pursuant to Articles 12 and 13 of the Regulation. Finally, with regard to the processing already carried out and in consideration of the violations identified above, it is believed that the conditions exist for the application of an administrative pecuniary sanction pursuant to Articles 58, paragraph 2, letter i) and 83 of the Regulation.

6. Order for the application of the administrative pecuniary sanction

Based on the above, various provisions of the Regulation and the Code have been violated in relation to connected processing carried out by Realmaps, therefore it is necessary to apply Article 83, paragraph 3, of the Regulation, according to which, “if, in relation to the same processing or to connected processing, a controller infringes, intentionally or negligently, several provisions of the Regulation, the total amount of the administrative pecuniary sanction shall not exceed the amount specified for the most serious infringement”, with consequent application of the sanction provided for by Article 83, paragraph 5, of the Regulation. In order to determine the amount of the sanction, which must “in any case be effective, proportionate and dissuasive” (Article 83, paragraph 1), it is necessary to take into account the elements indicated in Article 83, paragraph 2, of the Regulation. As aggravating circumstances, it is considered that: 1) the high number of subjects involved in the contested processing (art. 83, par. 
2, letter a of the Regulation): in the table called “numbers”, containing the contactable users, 32,510 personal data provided by XX, 2,052,933 by XX, 112,117 by XX and 10,049 by XX were found. In addition to the users acquired by the list providers, there is also a large amount of data on property owners “downloaded” from public registers, such as SISTER and the Archives of the Land Registry; 2) the seriousness of the violations detected (art. 83, par. 2, letter a of the Regulation) with particular reference to the lack of random checks of the numbers provided by the list providers, the inadequate management of the interested parties’ right to object, as well as the lack of control over the processing carried out by subjects not expressly authorised, with possible repercussions also in terms of data security; such breaches refer to “systemic” conduct, therefore rooted in corporate procedures; 3) the duration of the processing, which continued for years and was interrupted only following the intervention of the Guarantor (Article 83, paragraph 2, letter a of the Regulation); 4) the grossly negligent nature of the violation, since the Company has demonstrated negligence in the processing of personal data (Article 83, paragraph 2, letter b of the Regulation); 5) the overall assessment of the economic capacity of the Company, taking into account the latest available corporate turnover (as resulting from the 2024 VAT return relating to the tax period 2023): the Company, for the tax period 2023, recorded an increase in turnover equal to almost double that of the previous year (2022) (Article 83, paragraph 2, letter k of the Regulation). 
As mitigating factors, it is believed that the following should be taken into account: 1) the adoption of corrective measures, some of which were initiated immediately after the conclusion of the inspections, and which partly reflect the requirements imposed by this provision (Article 83, paragraph 2, letter c of the Regulation); 2) the absence of previous proceedings initiated against the controller (Article 83, paragraph 2, letter e of the Regulation); 3) cooperation with this Authority in the context of the inspection and the subsequent proceedings (Article 83, paragraph 2, letter f of the Regulation). Based on the set of elements indicated above, in application of the aforementioned principles of effectiveness, proportionality and dissuasiveness, pursuant to Article 83, paragraph 1, of the Regulation, also taking into account the necessary balance between the rights of the interested parties and the freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational, functional and employment needs of the Company, it is believed that the administrative sanction of the payment of a sum of €100,000.00 (one hundred thousand/00) should be applied to Realmaps, equal to approximately 0.5% of the maximum statutory sanction of €20 million. In the case in question, it is believed that the accessory sanction of the publication of this provision on the website of the Guarantor should also be applied, provided for by art. 166, paragraph 7, of the Code and by art. 16 of the Guarantor Regulation no. 1/2019. In implementation of the principles set out in art. 
83 of the Regulation, the imposition of such an ancillary sanction appears proportionate in light of the seriousness and the particular disvalue of the conduct being censured with specific reference to the large number of subjects involved and the massive processing (lasting for years) carried out in relation to their personal data, as observed in points 1 and 3 of the aggravating circumstances described above. Furthermore, the failure to adopt security measures that could ensure the integrity and confidentiality of the data, including through a formal designation of the subjects authorised to access the company systems, together with the lack of a verification procedure for the lists acquired from third parties, denotes a culpable insensitivity to the issue of personal data protection. It is recalled that pursuant to art. 170 of the Code, anyone who, being required to do so, does not comply with this provision prohibiting processing is punished with imprisonment from three months to two years and that, in the event of non-compliance with the same provision, the sanction referred to in art. 83, par. 5, letter e) of the Regulation applies. Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor, are met for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation.

CONSIDERING ALL THE ABOVE, THE GUARANTOR

a) pursuant to art. 57, par. 1, letter f), of the Regulation, declares unlawful, in the terms set out in the reasons, the processing carried out by the company Realmaps S.r.l., with registered office in Milan, Via San Gregorio n. 55, VAT no. 01741190084; b) pursuant to art. 58, par. 2, letter f) of the Regulation, prohibits Realmaps S.r.l. 
from any further processing for commercial purposes carried out through lists, including those acquired from suppliers (list providers), for which the Company does not have free, specific and informed consent to the communication of data to third parties for promotional purposes (articles 6 and 7 of the Regulation); c) pursuant to art. 58, par. 2, letter d), of the Regulation, orders the Company, if it intends to carry out promotional activities in the future through the marketing of telephone numbers provided by third parties, to adopt suitable procedures aimed at constantly verifying, including through adequate sample checks, that personal data are processed in full compliance with the provisions in force (prior acquisition of free, specific, unequivocal, documented, as well as informed, consent from the interested parties for the sending of commercial communications) (articles 6, 7 and 14 of the Regulation); d) pursuant to art. 58, par. 2, letter d) of the Regulation, orders Realmaps S.r.l. to adopt adequate technical and organizational measures to facilitate the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without unjustified delay, the related requests, including the right to object that can be advanced "at any time" by the interested party (articles 15, 17 and 21, par. 2, of the Regulation); e) pursuant to art. 58, par. 2, letter d) of the Regulation, orders the Company to provide that the processing operations on personal data carried out both by the partner entities and by its employees and collaborators who access the Realmaps database, are preceded by the designation of the same, respectively, as data controllers and persons in charge of the various phases of the processing (articles 28 and 29 of the Regulation and art. 2 quaterdecies of the Code); f) pursuant to art. 58, par. 2, letter f) of the Regulation, prohibits the processing of personal data collected through the website https://... 
without having obtained the necessary prior informed, free and specific consent of the interested parties in relation to marketing activities, pursuant to Articles 6 and 7 of the Regulation and Article 130 of the Code; furthermore, pursuant to Article 58, paragraph 2, letter d) of the Regulation, orders to indicate in the privacy notice the correct email address to which requests for the exercise of the rights on the processing of personal data should be addressed, pursuant to Articles 12 and 13 of the Regulation. g) pursuant to Article 157 of the Code, orders the Company to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the administrative pecuniary sanction provided for by Article 83, paragraph 5, of the Regulation.

ORDERS, pursuant to art. 58, par. 2, letter i), of the Regulation, Realmaps S.r.l., in the person of its legal representative, to pay the sum of Euro 100,000.00 (one hundred thousand/00), as a pecuniary administrative sanction for the violations indicated in the reasons; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed;

ORDERS the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 100,000.00 (one hundred thousand/00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981;

ORDERS a) pursuant to art. 166, paragraph 7, of the Code, the publication in full of this injunction order on the website of the Guarantor; b) pursuant to art. 17 of the Guarantor Regulation no. 
1/2019, the annotation in the internal register of the Authority, provided for by art. 57, paragraph 1, letter u) of the Regulation, of the violations and measures adopted; c) the publication of this provision pursuant to arts. 154-bis of the Code and 37 of the aforementioned Regulation no. 1/2019. Pursuant to art. 78 of Regulation (EU) 2016/679, as well as art. 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller resides, or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad. Rome, 16 January 2025 THE PRESIDENT Stanzione THE REPORTER Scorza THE GENERAL SECRETARY Mattei [web doc. no. 10110241] Provision of 16 January 2025 Register of provisions n. 11 of 16 January 2025 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General; SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”); HAVING SEEN the Personal Data Protection Code (Legislative Decree 30 June 2003, no. 196), as amended by Legislative Decree 10 August 2018, no. 
101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the “Code”); HAVING SEEN the documentation in the files; HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000; REPORTER the lawyer Guido Scorza; WHEREAS 1. Documents received by the Authority and the preliminary investigation conducted The Authority received several complaints (reports and claims) in the period between May 2022 and April 2024, in which the receipt of promotional communications sent by real estate agencies was complained of, which, at the request of the interested parties, reported to the same that they had acquired personal data (including mobile telephone numbers) from Realmaps S.r.l. (hereinafter «Realmaps» or «Company») indicating, in the response to the interested parties, an email address of that Company for the exercise of rights (XX). Only in one case (file no. 360344) did the Company provide feedback to the interested party claiming to have acquired the personal data from XX (owner of the website XX), as the main supplier of Realmaps. In light of the conduct described, the Authority deemed it necessary to verify the methods of processing personal data implemented by Realmaps for marketing purposes and, therefore, on 9 and 10 April 2024, it conducted an inspection at the registered office of the Company. 2. The inspection activity carried out by the Authority at the company headquarters and related outcomes During the inspection, it emerged that Realmaps provides a clientele of real estate agencies with a list of data of the owners of properties located in a specific area of interest, including telephone numbers (landline and mobile) and cadastral information relating to the buildings. 
Specifically, at the request of the real estate agency (which acts as a customer interested in a specific area), the Company acquires the cadastral data of the properties located in that specific geographical area through access to public registers, such as SISTER and the archives of the Land Agency. The real estate data thus acquired flow into the Realmaps database, in which the personal data provided by the list providers are also recorded, including name, surname, telephone number (landline or mobile), tax code, residential address and email address. Through a special software (called “Automatch”), the cadastral data (organized in regional tables, containing information on the buildings and their owners in the corresponding provinces and municipalities) are cross-referenced, using the tax code, with the telephone number registered to the owner of the property, in order to send the Real Estate Agency/client a single list containing, therefore, also the contact data necessary for carrying out the marketing activity.

2.1. Personal data acquired from list providers

The Company indicated the suppliers from which it would purchase the lists of personal data to be sold, for a fee, to the Real Estate Agencies/clients for the latter's own marketing purposes. The list providers - which Realmaps would have used in the years 2022, 2023 and 2024 - are attributable to the companies XX (main supplier), XX and XX. The Company, in specifying the role of "intermediary" it claims to have played in the transfer of data from one controller to another (specifically, from the supplier to the Real Estate Agency/client), declared that it does not periodically carry out "random checks" on the lawfulness of the lists acquired (with particular reference to the fulfillment of the information and consent obligations), relying on the guarantees offered by the list provider in the contractual phase.
By relying on these contractual guarantees, and counting on the positive outcomes of the established collaboration, there would have been, according to the Company, no need to exercise a power of control over the lists acquired and over the lawfulness of the contacts transferred, as they were allegedly "consented". Sporadic checks are carried out by Realmaps upon renewal of the contract with the list provider or upon specific request of the interested parties (see page 4 of the minutes of 9 April 2024). The Company did not produce evidence of these checks, nor was it able to indicate a defined time frame or sampling percentage.

In this context, in view of the circumstance described above, the qualification of mere intermediary that Realmaps attributed to itself must be excluded, since the Company, having established the purposes and methods of processing of the personal data in question, must be qualified as an independent controller, pursuant to art. 4, p. 7, and art. 24 of the Regulation. As controller, therefore, Realmaps was not found to have verified, nor proved, the existence of an informed consent of the interested parties authorizing the processing for commercial purposes.

Even if one wanted to consider the existence of an alleged (but, as mentioned, undocumented) original consent given by the interested parties to the list providers, such authorization, aimed at communication to third parties for the relevant marketing purposes, could not have legitimized, after an initial transmission of data to Realmaps, also the subsequent transfers from the latter to other independent data controllers, in this case from Realmaps to the Real Estate Agencies/clients. The regulatory provisions (articles 6 and 7 of the Regulation) do not legitimize the communication of data between independent data controllers on the basis of the sole informed consent initially given to the subject who collected the data.
In this regard, the Guarantor has repeatedly stated that “It cannot, in fact, be considered that a manifestation of will initially expressed in a conscious manner with respect to certain processing can have a chain reaction, through subsequent transfers of personal data from one controller to another in a manner that is completely imponderable for the interested party” (see provision of 13 May 2021, no. 192, web doc. no. 9670025; see also provisions of 11 December 2019, no. 232, web doc. no. 9244365; 12 November 2020, no. 224, web doc. no. 9485681; 15 December 2022, no. 431, web doc. no. 9856345, all in www.gpdp.it).

Therefore, in this case, it is represented that the use by the Company of lists of personal data obtained from a third party would have made it necessary for Realmaps to request and acquire informed consent for the subsequent communication to the Real Estate Agencies/clients. Furthermore, it was not proven that the privacy notice was provided to the interested parties by the list providers (also a condition of legitimacy for the communication of data to the Company), nor that Realmaps provided its own notice. Finally, also in compliance with the principle of accountability, the Company should have verified, at least by means of a suitable sample, the lawful fulfillment of the aforementioned obligations in this matter (see provision of 22 May 2018, no. 363, web doc. no. 8995274; see cited provision of 13 May 2021, no. 192, web doc. no. 9670025, all in www.gpdp.it). This is especially true in light of the abundance of personal data acquired from list providers and uploaded to the Realmaps database in the table called “numbers”, containing the contactable users. Specifically, 32,510 personal data were provided by XX, 2,052,933 by XX., 112,117 by XX and 10,049 by XX (see page 3 of the report of 10 April 2024).
In addition, from the documentation produced during the inspection, it emerged that one of the list providers accredited by Realmaps – XX – had transmitted to the Company data acquired, in turn, from a further third party on the occasion of the participation of the interested parties in a prize competition (“Win an iPad Pro”), advertised on the website https://.... This third party, following the completion of the online form for the collection of personal data underlying the procedure for participation in the competition, requested, among other authorizations, consent “for the sending of […] commercial offers also by third parties to whom it will be possible for the Data Controller to communicate the personal data […] provided”. With this approach, two distinct processing purposes (marketing by the controller and communication to third parties for their promotional activities) are merged into a single formulation, whereas each requires specific informed consent from the interested parties, pursuant to art. 4, p. 11, of the Regulation (see also recitals 32 and 33).

With regard to the communication of data to third parties for marketing purposes, the Guarantor, in the “Guidelines on promotional activities and the fight against spam” (provision of 4 July 2013, no. 330, web doc. no. 2542348), noted that “the communication or transfer of personal data to third parties for marketing purposes cannot be based on the acquisition of a single and generic consent from the interested parties for such purposes. Therefore, anyone who, as the data controller, intends to collect the personal data of the interested parties also to communicate them (or transfer them) to third parties for their promotional purposes must first provide them with suitable information […]. Furthermore, it is necessary for the controller to acquire specific consent for the communication (and/or transfer) of personal data to third parties for promotional purposes, which is also distinct from that requested by the same controller to carry out promotional activities itself”.

Therefore, the transfer of data from the third party transferor to XX is not supported by an appropriate consent, as it is not specific to the distinct marketing purposes of the controller and of the transferee subjects; consequently, the subsequent transmission of data from XX to Realmaps cannot be considered legitimate. Furthermore, also in this case, the arguments set out above regarding the erroneous belief in the lawfulness of the transfer of data from one controller to another based solely on the consent given “upstream” of the chain of subjects involved in the processing in question are confirmed.

In light of the above, the violation of Articles 5, par. 2, 24, 13, 14, 6, par. 1, letter a) and 7 of the Regulation was found.

2.2. Qualification of the roles of the subjects authorized to access the Realmaps database

For the creation of the database, mapping and data filtering services, Realmaps used a company providing ICT services and system support (XX, now XX), with which it formalized the collaboration relationship, by signing a contract, only in September 2023. From 2021 (the year the collaboration began) to 2023, the Company therefore maintained an informal relationship with XX (see page 2 of the minutes of 10 April 2024), which would then have processed the personal data in question on behalf of Realmaps. Access to the database is permitted not only to the aforementioned ICT service provider but also to Realmaps employees who manage the estimates.
In this regard, the list of operators authorized to consult the database and to perform the related filtering and cross-referencing operations on the data contained therein (called “users” in the database) in order to process requests from Agencies/clients was produced (see communication sent by email by the Company on 11 April 2024). From the analysis of the screenshots acquired during the inspection (see attachment 11 to the minutes of 10 April 2024), it also emerged that some former Realmaps employees, although without a contract and a formal assignment, had been authorized to access the database for the entire period of the collaboration and, in some cases, before the start of the employment relationship and even after its conclusion. In fact, access to the database in April 2024 was found by a collaborator who, according to the Company, had worked occasionally in 2023. Furthermore, it emerged that some access operations were carried out by subjects who were not clearly identified and in any case different from those authorised by Realmaps; in particular, matches in the database were attributed to a generic “operatore_it” and to “develop”, accounts already active in 2022.

In this context, it must be noted that the processing operations described above (access, consultation, filtering, matching), which may also concern a large group of interested parties, were carried out in the absence of a formal “assignment of functions and tasks to designated subjects” for the processing of personal data, pursuant to art. 2-quaterdecies of the Code. Therefore, it was deemed that the provisions of articles 28 and 29 of the Regulation and the principles of privacy by design (art. 25 of the Regulation) and accountability (pursuant to articles 5, par. 2, and 24, of the Regulation) had been violated. Furthermore, the unrestricted accessibility of the database by a multitude of subjects, not all of whom are included in the corporate organization of Realmaps, in violation of art. 2-quaterdecies of the Code (as in the case of the ICT service provider), constitutes a gap in the security measures such as to give rise to the violation of art. 5, par. 1, letter f) of the Regulation as well as art. 32, par. 1, letters b) and d), and par. 2, of the Regulation, with regard to the “ability to ensure on an ongoing basis the confidentiality [and] integrity” of the data processed and to adopt “a procedure to regularly test, assess and evaluate the effectiveness of technical and organizational measures in order to ensure the security of processing” (see par. 2: “In assessing the appropriate level of security, special account shall be taken of the risks presented by the processing, which arise in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”).

The Company also declared that it had not prepared the Register of processing activities, pursuant to art. 30 of the Regulation, nor had a data protection officer been appointed (art. 37 of the Regulation), nor had an impact assessment been carried out, pursuant to art. 35 of the same Regulation (see page 4 of the minutes of 9 April 2024); obligations that, in this case, would have been necessary given the systematic and invasive nature of the processing with respect to the rights and freedoms of the interested parties. Therefore, the violation of Articles 30, 35 and 37 of the Regulation was also contested.

2.3. Exercise of rights and investigative outcomes relating to complaints received by the Authority

For the processing of requests for the exercise of rights, it was found, in the documents, that as a rule, Real Estate Agencies/clients - in response to requests from interested parties to obtain information on the processing of their personal data in the context of the complained commercial activity - indicate an email address attributable to Realmaps (XX).
This email address appears to be controlled by the “privacy consultant” of Realmaps (who, as mentioned, was found to lack a formal designation or an act of appointment that recognizes his/her attributions), who forwards the request first to the list provider (in most cases to the main supplier XX, at the email address XX) to obtain information on the existence of a consent connected to a personal data item and a telephone number and, secondly, to the company XX to register the objection by inserting the number concerned in the “numbers_excluded” table. Sometimes it is the same “privacy consultant” who contacts the interested parties/applicants by telephone to provide them with a verbal response and, subsequently, to proceed with the insertion of the number in the “numbers_excluded” table (see pages 4 and 5 of the minutes of 10 April 2024).

With reference to the specific complaints received by the Authority, from which the inspection in question arose, it emerged that only in one case (file no. 295373) did the interested party's number appear among the "excluded_numbers". However, the telephone numbers of interested parties who had objected to the processing of their personal data by formally communicating with Realmaps were included in the "numbers" table, and therefore contactable (files nos. 198910 - 255444 - 319814 - 360344). In other cases, the telephone numbers to which unwanted contacts were addressed were not present in the Company's database (see files nos. 302375 - 223355 - 245765). With respect to the aforementioned complaints, however, the requests for objection/erasure submitted by the interested parties were not found in the email box dedicated to handling the requests of the interested parties (XX), nor was the alleged feedback from the Company. This is because, for some of these requests (files nos. 198910 – 209288 – 302375 - 319814), the interested parties used the Company's certified email address (XX), recently replaced by a new digital address (XX) registered at the Chamber of Commerce on 12 February 2024 (see page 5 of the minutes of 10 April 2024 and Annex 9). In this regard, the few communications (no. 3) relating to the exercise of rights received at the new certified email address of Realmaps were viewed. In two cases, despite the objection expressed by the interested parties and Realmaps' assurances to one of them, the telephone numbers were still present in the table of contactable users (table "numbers").

In light of the above, it emerged that, in general, the requests for exercising the rights of the interested parties were not found, nor, in almost all the cases analyzed by the Authority, were the requests for erasure of the personal data granted since, from further checks, the data were found in the list of contactable users (table “numbers”). It should also be noted that the possible inclusion of the interested user in the aforementioned table “excluded_numbers” does not appear to be an adequate solution to guarantee the management of the right to object, considering that the same table appeared to be devoid of any reference that would allow the interested parties’ will to be contextualized and detailed in this regard. Therefore, a conduct was found that was not consistent with the obligation of the controller to facilitate, with appropriate measures, the exercise of the rights provided for by the legislation in question and to satisfy, without delay, the related requests, including the right to object that can be advanced “at any time”. It was therefore considered that art. 12, par. 2 and 3, as well as art. 21, par. 2, of the Regulation had been violated.

2.4. Data retention periods

The Company currently retains in its database a significant amount of data whose collection has not been sufficiently documented, with particular reference to the date of acquisition of such information. It follows that the failure to record the date of uploading the data into the database does not allow the retention periods of the same to be known; nor is it possible to reconstruct the history of the alleged (but not documented) consents in the absence of any temporal placement, producing, as a possible effect, a sine die retention of the data. This gap cannot be overcome even by referring generically to the terms contained in the contracts stipulated with the suppliers, since the tacit renewal of such agreements over the years (as represented by the Company during the inspection) could result in retention periods that are significantly longer than those indicated in the contracts themselves. It was therefore considered that the principle of storage limitation pursuant to art. 5, par. 1, letter e) of the Regulation had been violated.

2.5. Processing of personal data via the website

With reference to the website, found at the link https://..., it is stated that upon completion of the online form, set up on the home page to request quotes and obtain information on the products and services offered, it is mandatory to tick a check box containing a generic authorization to process personal data. Furthermore, although there is a link dedicated to the privacy policy, it leads to an empty page, devoid of content, as already verified by the Office in the period prior to the inspection. The Company argued that the data acquired via the aforementioned online form can be processed for the provision of the service (response to the user's request for information) but also for commercial purposes (see minutes of 10 April 2024, page 6).
The Office noted that the lack of a privacy notice does not allow clarification of the processing of data acquired through the online form, of the purposes for which the same data are used, nor of where they are merged and stored. This gap was not remedied even when the reservations were lifted on 30 April 2024 (see Annex 4), since the Company limited itself to representing that the data of users who fill out the aforementioned online form arrive at the XX email address "as requests for information and [...] for recontact". Based on the statements made by the Company during the inspection, the website setup, in the terms described above, leads to the conclusion that the user's registration through the online form is conditioned on the simultaneous release of a single consent for the separate purposes of providing the service and marketing. This consent, which is neither specific nor free, does not appear to constitute an appropriate legal basis for the aforementioned processing, pursuant to Articles 6 and 7 of the Regulation. Therefore, it was deemed possible to configure a violation of Articles 5, paragraph 1, letter a), 6, paragraph 1, letter a), 7 and 12, paragraph 1, of the Regulation.

3. Notification of alleged violations pursuant to Article 166, paragraph 5, of the Code

Based on the above, on 14 May 2024 the Company was charged with the alleged violation of the following provisions: Article 5, paragraph 1, letters a), e) and f) and paragraph 2; Article 6, paragraph 1, letter a); Article 7; Article 12, paragraphs 1, 2 and 3; Article 13; Article 14; Article 21, paragraph 2; Article 24; Article 25; art. 28; art. 29; art. 30; art. 32, par. 1, lett. b) and d) and par. 2; art. 35; art. 37 and art. 2-quaterdecies of the Code. With the same note, the Authority therefore communicated the initiation of the procedure for the adoption of the provisions referred to in article 58, par. 2, of the Regulation and for the possible application of the pecuniary sanctions referred to in art. 83, par. 4 and 5, of the Regulation (note ref. prot. no. 0058339/24 of 14 May 2024).

4. Realmaps' defense and the corresponding legal assessments of the Authority

On June 13, 2024, Realmaps responded to the aforementioned charge by sending a defense brief (the content of which, with particular reference to the corrective actions implemented, was reiterated at the hearing held on July 8, 2024 and confirmed in the supplementary note of July 15, 2024). In consideration of the reasons reported below (to which, for greater detail, full reference is made), Realmaps asked the Authority, "where [...] it finds any violation", that "the sanction of the payment of a sum in any case contained" be applied.

4.1. With reference to point 2.1. of this provision (Personal data acquired from list providers), the Company preliminarily clarified that it had "cautiously suspended the processing of data consisting of their communication to real estate agencies [...]" and represented and documented that it had requested from XX, the main supplier of Realmaps, evidence of the consents and information provided to the interested parties. In the relationship with the list providers (in particular with XX.), the Company, "having examined the contractual agreements but above all the factual elements and circumstances of the case", considered that there was a situation of joint controllership of the processing, rather than exclusive controllership by Realmaps. This is because, according to the Company, the requirement of "joint participation" with the list providers would emerge in defining the processing methods, as referred to in the EDPB Guidelines 7/2020 on the concepts of controller and processor. Specifically, XX. would have jointly defined with the Company the processing method, with exclusive reference to the management of the requests to exercise the rights of the interested parties; this activity, according to the Technical-Commercial Annex produced to accompany the contract stipulated with Realmaps, would be entirely the responsibility of the list provider. In other words, since XX, according to the contractual agreements, is responsible for processing the requests on the processing of personal data that the interested parties initially address to Realmaps (on the indication of the Real Estate Agencies, as represented in point 1 of this provision), this list provider is to be considered joint controller as it participates, jointly with the Company, in the definition of the described processing method. Having clarified this, the Company confirmed that it had relied "in good faith" on the compliance of the lists acquired with the legislation on the protection of personal data, also given the assurances "on the correctness of the collection of consents" provided by XX, already in the pre-contractual phase, through a form delivered to Realmaps and defined by the Company itself as "difficult to understand". “Considering the status of joint controllers between Realmaps and the list providers – the Company continued – it was not necessary for the former to acquire, for the purposes of processing, the consent of the interested parties, nor for it to provide any information to the latter, such obligations being, by express contractual provision, the responsibility of the joint controller list provider”.

As reconstructed in point 2.1 (whose arguments are intended to be fully recalled), taking into account what was argued by the Company in the defense brief and confirmed during the hearing, it is not possible to overcome the reasons for contestation expressed in the act of initiation of the proceeding.
Therefore, it is confirmed that Realmaps is the controller not only with reference to the handling of requests to exercise the rights of the interested parties but also with regard to all the further phases of the processing. This is because the collection, storage, processing and transmission to third parties of personal data constitute processing operations carried out by Realmaps in a manner completely independent of the procedures for managing the databases of the list providers. The Company, in fact, has organized its database by drawing on various sources (public registers - third-party lists) and using sophisticated software capable of cross-referencing the data in its possession (cadastral and registry data) in order to offer a commercial product to Real Estate Agencies/clients. These processing operations are not shared with the list provider and are excluded from its scope of intervention, but are attributable solely to an operating method that Realmaps has consolidated over the years of its activity.

It should be added that, with the exception of the contract signed with XX., of the list providers that Realmaps would have used to supply the registry data to be transferred to the Real Estate Agencies/clients, only a copy of the commercial agreement concluded with XX was produced, which, as represented in point 2.1., would have acquired the data from a third party, moreover established outside the European Union. As the data controller, Realmaps is therefore responsible for the violations identified in point 2.1. of this provision, with particular reference to the lack of checks on the alleged lawfulness of the lists acquired from the suppliers and, therefore, on the existence of a consent that would authorize the processing for commercial purposes by the third parties to whom the personal data were communicated, as well as on the provision of a suitable privacy notice to the interested parties.
An explicit request in this sense was formulated by Realmaps only after the act of contestation and, moreover, with reference only to the personal data acquired from XX. and not also to those, equally numerous, transferred by the other suppliers (XX and XX). In light of the above, it is believed that the violation of articles 5, par. 2, 24, 13, 14, 6, par. 1, letter a) and 7 of the Regulation must be confirmed.

4.2. With reference to point 2.2. of this provision (Qualification of the roles of the subjects authorized to access the Realmaps database), the Company specified that only XX., an ICT service provider, has the credentials to access the Realmaps database; the employees and collaborators of the latter, however, "access only the Automatch program to formulate the estimates to be sent to the agency clients via a link, which only the agencies access, via a password". Furthermore, in the supplementary note of 15 July 2024, with which the Company intended to clarify some profiles that emerged during the defense brief, Realmaps admitted that it had not proceeded with the formal designation of all the subjects authorized to access the database and, on this occasion, produced the deeds of appointment of some employees authorized to access and of the data processor attributable to the company XX. It also specified that the subjects “not clearly identified and in any case different from those authorized […] attributable to a generic operatore_it and to develop […]” refer to “general accounts used and usable by system operators […]”. Finally, in declaring itself aware of the amount of data processed, Realmaps assured that it will “provide diversified identification credentials between various subjects and formal authorizations” as well as prepare a DPIA and the Processing Register.
On 15 July 2024, to resolve the reservations expressed during the hearing, the Company transmitted the act of appointment of the DPO (signed on 10 July 2024), whose contact details were communicated to the Guarantor on 19 July 2024, in compliance with art. 37, par. 7, of the Regulation.

In light of the above, first of all, it must be noted that the use of the software called “Automatch” - with which the data of property owners located in the area of interest of the Agency/Client are selected and extracted - involves, in any case, access operations to the Realmaps database. In fact, the “Automatch” software is nothing more than an application that facilitates searches in the Company’s database for subjects who do not necessarily have the appropriate technical skills; this software allows the results of the search to be downloaded in the form of “csv files”, called “download mapping file” and “download number file”, which contain the lists of data requested by Realmaps customers (see attachment 11 to the minutes of 10 April 2024). It should be noted that the “csv” format allows structured data (stored in a database or in a spreadsheet, for example) to be easily exported and imported into other programs, in order to view and reuse them. The “csv” files used by the Company’s employees therefore allow for the creation of partial or total copies of the Realmaps database. Furthermore, contrary to what the Company claims, the possibility for its collaborators to view the data contained in the files to be sent to the Real Estate Agencies appears concrete since, as evidenced during the inspection, the password to be used to open the file is indicated alongside such files, which therefore cannot be said to be the exclusive prerogative of the client (buyer real estate agency).
Furthermore, in light of what the Company has represented, the "general accounts used and usable by system operators" are in fact system credentials shared among several users of the Realmaps platform. This arrangement raises critical issues as to the actual possibility of tracing an access back to the person formally authorised to process the data. Access through shared, non-personal accounts also nullifies the effectiveness of, for example, controls on log files, and of the measures provided for by the Garante's provision of 27 November 2008 on system administrators, which remains valid as a guideline (in www.gpdp.it, web doc. no. 1577499, "Measures and precautions prescribed to controllers of processing carried out with electronic tools with regard to the functions of system administrator", amended by the provision of 25 June 2009). Paragraph 4.3. of that provision requires a list of system administrators to be drawn up, indicating the "identification details of the natural persons who are system administrators, with the list of the functions attributed to them [...]". In this case the measure was entirely ignored by the Company, since access to the system is also performed by individuals using shared, non-nominative credentials and without any assignment of functions. In the defence brief and following the hearing, only the contracts signed with three employees of the Company were produced, one of whom is a minority shareholder. Moreover, this collaborator, hired on 29 March 2024, does not appear among the individuals who already had access to the Realmaps database in 2022 (as per Annex 11 to the minutes of 10 April 2024).
By contrast, with reference to one of the two other Realmaps employees whose contracts were produced, it emerged that this collaborator had access to the Company's database before the employment relationship was formalised and before the related designation as a person authorised to process personal data (see Annex 11 to the minutes of 10 April 2024): the appointment was formalised on 23 July 2023, whereas accesses had been recorded as early as May 2023. For all the other collaborators, who are authorised to consult the database and, as described in point 2.2. of this provision, to carry out the related filtering and cross-referencing of the data it contains in order to prepare estimates for the real estate agencies/clients, no formal contracts or agreements were produced defining the scope of their intervention on the personal data and the methods of processing; indeed, the Company declared that it had not formally designated the subjects authorised to access the Realmaps database. This is especially damaging to the security of the systems given how easily the database can be accessed by a multitude of subjects, not all of whom belong to Realmaps' corporate organisation. The arrangement described exposes the data involved to a risk, assessed as high, of loss of confidentiality, integrity and availability. As extensively set out above, a considerable amount of data contained in the Realmaps database can be extracted and made accessible/visible to anyone (to unauthorised subjects and, for a fee, to the real estate agencies that request it), resulting in massive and uncontrolled processing of that data.
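The two findings above (shared accounts that cannot be traced to a natural person, and a collaborator whose recorded accesses predate his formal designation) are both things a controller can check mechanically once it keeps a nominative register of authorised persons and an attributable access log. The script below is an added example, not code from the decision or from Realmaps' systems: it cross-checks a constructed access log against a constructed authorisation register and reports every access that cannot be attributed to a formally designated person. The account names (including the generic operatore_it and develop accounts mentioned in the decision), the key=value log format, the dates and the register contents are all assumptions made for the illustration.

```python
"""Added example (not part of the decision): cross-check a database access log
against the register of persons formally authorised to access it.

Everything below is constructed for illustration. Account names, log format and
dates are assumptions, not data from the inspection records.
"""
import re
from datetime import date, datetime

# Constructed register of authorised persons: account -> (natural person, date of
# formal designation). This is the kind of nominative list the Garante's 2008
# provision on system administrators expects the controller to keep.
AUTHORISATION_REGISTER = {
    "m.rossi": ("Mario Rossi", date(2023, 7, 23)),    # designated after first access
    "l.bianchi": ("Laura Bianchi", date(2022, 1, 10)),
}

# Accounts shared among several operators: by construction none of them maps to a
# natural person, so an access made with them cannot be attributed to anyone.
SHARED_ACCOUNTS = {"operatore_it", "develop"}

# Constructed log lines in a simple key=value format (assumed, not the real
# Realmaps/Automatch log format). "export" stands for a CSV download.
SAMPLE_LOG = """\
2023-05-04T10:02:11 user=m.rossi action=query table=numbers
2023-05-04T10:05:48 user=m.rossi action=export file=download_number_file.csv
2023-08-01T14:20:00 user=m.rossi action=export file=download_mapping_file.csv
2023-09-12T09:00:31 user=operatore_it action=query table=numbers
2024-02-19T16:45:02 user=develop action=export file=download_mapping_file.csv
2024-03-03T11:11:11 user=l.bianchi action=query table=owners
2024-04-02T08:30:00 user=g.verdi action=export file=download_number_file.csv
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)(?:\s+.*)?$"
)


def parse_line(line):
    """Return (timestamp, user, action) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("action")


def classify_access(ts, user, register=AUTHORISATION_REGISTER, shared=SHARED_ACCOUNTS):
    """Attribute one access to a natural person, or say why that is impossible.

    Returns one of:
      "shared"             - non-nominative account, no attribution possible
      "unregistered"       - nominative-looking account absent from the register
      "before_designation" - account exists but the access predates designation
      "ok"                 - access attributable to a formally designated person
    """
    if user in shared:
        return "shared"
    if user not in register:
        return "unregistered"
    _, designated_on = register[user]
    if ts.date() < designated_on:
        return "before_designation"
    return "ok"


def audit_log(text, register=AUTHORISATION_REGISTER, shared=SHARED_ACCOUNTS):
    """Classify every parsable line of the log.

    Returns {"findings": [(iso timestamp, user, action, verdict), ...] for every
    access that is not "ok", "counts": {verdict: number of accesses}}.
    The action is kept because an unattributable CSV export is a copy of (part of)
    the database, which matters more than a single unattributable lookup.
    """
    findings, counts = [], {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparsable lines are skipped, not silently marked "ok"
        ts, user, action = parsed
        verdict = classify_access(ts, user, register, shared)
        counts[verdict] = counts.get(verdict, 0) + 1
        if verdict != "ok":
            findings.append((ts.isoformat(), user, action, verdict))
    return {"findings": findings, "counts": counts}


if __name__ == "__main__":
    result = audit_log(SAMPLE_LOG)
    for ts, user, action, verdict in result["findings"]:
        print(f"{ts}  {user:<13} {action:<7} {verdict}")
    print(result["counts"])
```

On the constructed log this flags the two accesses by m.rossi that precede his designation date, the two accesses made with shared accounts, and the export by an account that is not in the register at all; only the two accesses by designated persons after their designation come back as attributable. The same check run in reverse (every register entry must correspond to exactly one person and one account) is what makes the 2008 provision's list of system administrators usable as evidence.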
Therefore, while acknowledging the improvement measures adopted by the Company following the Authority's contestation (some of which are still being defined: identification credentials for the subjects formally authorised to access the database; DPIA; register of processing activities), with reference to the processing already carried out and subject to the inspection, the violations contested in point 2.2. of this provision are confirmed (Articles 5, par. 1, letter f); 5, par. 2; 24; 25; 28; 29; 30; 32, par. 1, letters b) and d); 32, par. 2; 35; 37 of the Regulation and Article 2-quaterdecies of the Code).

4.3. With reference to point 2.3. of this provision (Exercise of rights and investigative findings relating to the complaints received by the Authority), the Company, in a note dated 15 July 2024, reiterated the method used to handle requests to exercise data subjects' rights (the request is passed from the real estate agency to Realmaps and from Realmaps to the supplier), confirmed the role of XX as joint controller and specified the following: "the list provider delivered to the client [Realmaps], to reassure it of the correctness of the collection of consents, a form, which was presented as a tool providing that each request from data subjects would be managed directly by XX, who had handled the collection of consents, also through the real estate agencies. In all of this, it is clear that Realmaps does not have and has never had a direct relationship with the data subjects, the property owners". First, it is noted that the Company has not produced documentation proving that XX. released, in the pre-contractual phase, the aforementioned form describing the handling of data subjects' requests, entrusted entirely to the supplier; a form which, moreover, Realmaps itself described as "difficult to understand" (see the memorandum of 13 June 2023, p. 3.2., referred to in paragraph 4.1.
of this provision) and which, therefore, rendered the information contained therein unusable. Furthermore, recalling the Authority's findings on the controllership attributed to Realmaps (see paragraph 4.1. of this provision), the claim that the Company "had never had a direct relationship with the data subjects, the real estate owners" is contradicted by the documents on file. Not only was Realmaps the recipient of the data subjects' requests but, in some cases, it also replied to them, albeit deferring full satisfaction of the request to XX (see file no. 295372, requests of 7 April and 30 June 2023; file no. 255444, request of 1 March 2023 renewed on 8 March 2023 attaching the "FORM for exercising rights in the field of personal data protection"; file no. 344943, request of 19 February 2024 to which Realmaps replied on 22 February 2024; file no. 223355, request of 11 February 2023, renewed on 24 February 2023, to which Realmaps replied on 24 March 2023; file no. 334862, requests of 26 and 31 October 2023). The procedure implemented by the Company as data controller is not capable of guaranteeing the timely handling, "without undue delay", of data subjects' requests (pursuant to Article 12, par. 3, of the Regulation). Added to this is the fact that the recording in the company systems of the objections and erasure requests made by data subjects was entrusted at times to XX (which, as already described in point 2.2. of this provision, operated for a long period as a supplier of ICT services and system support without a formal designation) and at times to the "privacy consultant".
This approach, which is likewise not formalised and is likely to create confusion about the actual roles of the subjects involved in the processing, has in fact produced a serious gap in the timely handling of data subjects' requests. Ultimately, for the reasons set out above, the management of requests to exercise data subjects' rights was inadequate. The violation of Article 12, pars. 2 and 3, and of Article 21, par. 2, of the Regulation must therefore be confirmed, since, as emerged during the inspection (see point 2.3. of this provision), in almost all of the cases verified by the Authority the objection to further processing does not appear to have been recorded in the company systems.

4.4. With reference to point 2.4. of this provision (Data retention periods), the Company claimed to have been established in 2021 "and therefore the exceeding of the data retention period in marketing matters cannot be attributed [...] which is two years. Moreover, it is possible to derive the initial date from the moment of sharing the data with the List Provider". It should first be noted that the two-year retention period for marketing purposes invoked by the Company is a time parameter indicated in the provision on "Fidelity cards and consumer guarantees" adopted by the Garante on 24 February 2005 (in www.gpdp.it, web doc. no. 1103045). With the entry into force of Regulation (EU) 2016/679, that provision has taken on the value of a non-binding guideline, since the paradigm shift introduced by the European legislation places general responsibility for the processing of personal data on the controller (accountability), including the definition of the retention periods for the personal data processed.
Therefore, in exercising its accountability, the controller "is required to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with [the] Regulation" (recital 74 of the Regulation; in the same terms, see Articles 5 and 24 of the Regulation), including compliance with the principles of purpose limitation, data minimisation and storage limitation under Article 5, par. 1, letters b), c) and e) of the Regulation. Ultimately, within the European regulatory framework, the aforementioned provision guides the controller's choices, also as regards retention periods (setting a general rule of two years); the decision on the processing and on its timing, however, rests solely with the controller. Having clarified this, even taking the time parameters indicated in that provision into account, the two-year term invoked by the Company had in any case expired at the time of the inspection, which took place in April 2024. Furthermore, as already set out in point 2.4. of this provision, it is not possible to trace the moment at which the data were loaded into the company systems, from which the retention period would start: the database was found to contain no time references, and the tacit renewal of the supply contracts with the list providers does not allow the retention perimeter to be clearly defined, so that retention could be longer than the terms indicated in the contracts themselves. The violation of the principle of storage limitation under Article 5, par. 1, letter e) of the Regulation is therefore confirmed.

4.5. With reference to point 2.5. of this provision (Processing of personal data via the website), the Company stated that, during the inspection, "a problem was found in the connection to the information notice [...]", whose revised text was made available online from 6 July 2024.
A check of the Company's website confirms that the gap which emerged during the inspection has been remedied: the text of the privacy notice can now be viewed via a dedicated link at the bottom of the home page. However, the critical issues relating to the design of the online form on the Realmaps website persist, with particular reference to the mandatory acquisition of a single generic consent to the processing of personal data ("I consent to the processing of my personal data for the receipt of information on Realmaps"). From the information currently available on the Company's website it was ascertained that the processing carried out through the online form is aimed at "managing activities related to the type of request that are consultancy and/or commercial, including the sending of advertising material and technical/economic offers"; it follows that the consent acquired in the wording just illustrated is not suitable, since it merges the distinct purposes of service provision and marketing into a single consent. In this regard it should be reiterated that the data subjects' capacity for self-determination is not respected when an effective and conscious freedom of choice regarding the processing of their personal data is not ensured, and this defect of legitimacy is relevant for the purposes of the violations of data protection legislation (in particular that relating to consent) regardless of whether the proposed processing activities are actually carried out (see provision "Online services: request for 'mandatory' consent for promotional purposes", point 3.1., 27 October 2016, no. 439, web doc. no. 5687770; provision of 12 June 2019, no. 130, point 3, web doc. no. 9120218; in www.gpdp.it).
It should also be noted that the "connection problem" said to have caused the temporary inaccessibility of the privacy policy text prevented data subjects from obtaining information on the processing of their personal data at least for the period under scrutiny by the Authority. This information gap had already been ascertained by the Authority on 26 January 2024, before the inspection, and recorded in a specific report of the operations carried out (ref. prot. no. 24/24 of 29/01/2024). At the time of the inspection in April 2024, three months after that remote check, the notice was still unavailable on the Company's website; the Company, moreover, was unaware of this and made the notice available only after the Authority's intervention and following the act initiating the proceedings of 14 May 2024. In addition, the new text of the notice indicates the Company's old certified email address (XX), which was replaced on 12 February 2024 by a new digital address. Indicating an incorrect address, no longer used by the Company, compromises the exercise of rights by data subjects. In light of the above, owing to the lack of transparency on the processing and the unsuitable legal basis of the consent requested upon completion of the online form, the violation of Articles 5, par. 1, letter a), 6, par. 1, letter a), 7 and 12, par. 1, of the Regulation is confirmed.

5. Conclusions

For all of the above, while acknowledging the initiatives undertaken by the Company following the Authority's contestation, with reference to the processing already carried out and subject to the inspection, Realmaps' liability is established for the violation of the following provisions: Articles 5, par. 1, letters a), e) and f) and par. 2; 6, par.
1, letter a); 7; 12, pars. 1, 2 and 3; 13; 14; 21, par. 2; 24; 25; 28; 29; 30; 32, par. 1, letters b) and d) and par. 2; 35; 37 of the Regulation and Article 2-quaterdecies of the Code. Having thus established the unlawfulness of the conduct described above, it is necessary:
- pursuant to Article 58, par. 2, letter f) of the Regulation, to prohibit any further processing for commercial purposes carried out through lists, including those acquired from suppliers (list providers), for which the Company does not hold free, specific and informed consent to the communication of the data to third parties for promotional purposes (Articles 6 and 7 of the Regulation);
- pursuant to Article 58, par. 2, letter d) of the Regulation, to order the Company, should it intend in future to carry out promotional activities using telephone numbers supplied by third parties, to adopt suitable procedures for constantly verifying, including through adequate sample checks, that the personal data are processed in full compliance with the provisions in force (prior acquisition of free, specific, unequivocal, documented and informed consent of the data subjects to the sending of commercial communications) (Articles 6, 7 and 14 of the Regulation);
- pursuant to Article 58, par. 2, letter d) of the Regulation, to order Realmaps to adopt adequate technical and organisational measures to facilitate the exercise of the rights provided for by data protection legislation and to satisfy the related requests without undue delay, including the right to object, which the data subject may exercise "at any time" (Articles 15, 17 and 21, par. 2, of the Regulation);
- pursuant to Article 58, par.
2, letter d) of the Regulation, to order that the operations on personal data carried out both by the partner entities and by its employees and collaborators who access the Realmaps database be preceded by their designation, respectively, as data processors and as persons authorised for the various phases of the processing (Articles 28 and 29 of the Regulation and Article 2-quaterdecies of the Code);
- pursuant to Article 58, par. 2, letter f) of the Regulation, to prohibit the processing of personal data collected through the website https://... without first obtaining the informed, free and specific consent of the data subjects required for marketing activities, pursuant to Articles 6 and 7 of the Regulation and Article 130 of the Code; it is also considered appropriate to order, pursuant to Article 58, par. 2, letter d) of the Regulation, that the privacy notice indicate the correct email address to which requests to exercise rights concerning the processing of personal data should be sent, pursuant to Articles 12 and 13 of the Regulation.
Finally, with regard to the processing already carried out and in view of the violations identified above, the conditions are met for the application of an administrative fine pursuant to Articles 58, par. 2, letter i) and 83 of the Regulation.

6.
Order for the application of the administrative fine

Based on the above, several provisions of the Regulation and of the Code have been violated in relation to connected processing operations carried out by Realmaps; Article 83, par. 3, of the Regulation therefore applies, according to which, "if, in relation to the same processing or to connected processing, a controller infringes, intentionally or negligently, several provisions of the Regulation, the total amount of the administrative fine shall not exceed the amount specified for the most serious infringement", with consequent application of the fine provided for by Article 83, par. 5, of the Regulation. In determining the amount of the fine, which must "in any case be effective, proportionate and dissuasive" (Article 83, par. 1), the elements indicated in Article 83, par. 2, of the Regulation must be taken into account. The following are considered aggravating circumstances: 1) the high number of subjects involved in the contested processing (Article 83, par. 2, letter a) of the Regulation): the table called "numbers", containing the contactable users, was found to hold 32,510 records supplied by XX, 2,052,933 by XX, 112,117 by XX and 10,049 by XX. In addition to the users acquired from the list providers, there is also a large amount of data on property owners "downloaded" from public registers, such as SISTER and the Land Registry archives; 2) the seriousness of the violations detected (Article 83, par.
2, letter a) of the Regulation), with particular reference to the lack of sample checks on the numbers supplied by the list providers, the inadequate handling of data subjects' right to object, and the lack of control over the processing carried out by subjects not expressly authorised, with possible repercussions also on data security; these breaches reflect "systemic" conduct rooted in corporate procedures; 3) the duration of the processing, which continued for years and was interrupted only following the Garante's intervention (Article 83, par. 2, letter a) of the Regulation); 4) the grossly negligent nature of the violation, the Company having shown negligence in the processing of personal data (Article 83, par. 2, letter b) of the Regulation); 5) the overall assessment of the Company's economic capacity, taking into account the latest available turnover (as shown by the 2024 VAT return for the 2023 tax period): for the 2023 tax period the Company recorded turnover almost double that of the previous year (2022) (Article 83, par. 2, letter k) of the Regulation). The following are considered mitigating factors: 1) the adoption of corrective measures, some of which were initiated immediately after the conclusion of the inspections and which partly reflect the requirements imposed by this provision (Article 83, par. 2, letter c) of the Regulation); 2) the absence of previous proceedings against the controller (Article 83, par. 2, letter e) of the Regulation); 3) cooperation with this Authority during the inspection and the subsequent proceedings (Article 83, par. 2, letter f) of the Regulation).
Based on all the elements indicated above, applying the principles of effectiveness, proportionality and dissuasiveness under Article 83, par. 1, of the Regulation, and taking into account the necessary balance between the rights of data subjects and the freedom of enterprise, also in order to limit the economic impact of the fine on the organisational, functional and employment needs of the Company, an administrative fine of €100,000.00 (one hundred thousand/00) should be imposed on Realmaps, equal to approximately 0.5% of the statutory maximum of €20 million. In this case the ancillary sanction of publication of this provision on the Garante's website, provided for by Article 166, par. 7, of the Code and Article 16 of Garante Regulation no. 1/2019, should also be applied. In implementation of the principles set out in Article 83 of the Regulation, imposing this ancillary sanction is proportionate in light of the seriousness and particular disvalue of the conduct censured, with specific reference to the large number of subjects involved and the massive processing (lasting years) of their personal data, as observed in points 1 and 3 of the aggravating circumstances above. Furthermore, the failure to adopt security measures capable of ensuring the integrity and confidentiality of the data, including through the formal designation of the subjects authorised to access the company systems, together with the lack of a verification procedure for the lists acquired from third parties, shows a culpable insensitivity to personal data protection. It is recalled that pursuant to Article
170 of the Code, anyone who, being required to do so, fails to comply with this provision prohibiting processing is punished with imprisonment from three months to two years, and that, in the event of non-compliance with the same provision, the fine referred to in Article 83, par. 5, letter e) of the Regulation applies. Finally, the conditions set out in Article 17 of Regulation no. 1/2019 on internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Garante, are met for the annotation of the violations found here in the Authority's internal register provided for by Article 57, par. 1, letter u) of the Regulation.

CONSIDERING ALL THE ABOVE, THE GARANTE

a) pursuant to Article 57, par. 1, letter f), of the Regulation, declares unlawful, in the terms set out in the reasons, the processing carried out by Realmaps S.r.l., with registered office in Milan, Via San Gregorio n. 55, VAT no. 01741190084;
b) pursuant to Article 58, par. 2, letter f) of the Regulation, prohibits Realmaps S.r.l. from any further processing for commercial purposes carried out through lists, including those acquired from suppliers (list providers), for which the Company does not hold free, specific and informed consent to the communication of the data to third parties for promotional purposes (Articles 6 and 7 of the Regulation);
c) pursuant to Article 58, par.
2, letter d), of the Regulation, orders the Company, should it intend in future to carry out promotional activities using telephone numbers supplied by third parties, to adopt suitable procedures for constantly verifying, including through adequate sample checks, that the personal data are processed in full compliance with the provisions in force (prior acquisition of free, specific, unequivocal, documented and informed consent of the data subjects to the sending of commercial communications) (Articles 6, 7 and 14 of the Regulation);
d) pursuant to Article 58, par. 2, letter d) of the Regulation, orders Realmaps S.r.l. to adopt adequate technical and organisational measures to facilitate the exercise of the rights provided for by data protection legislation and to satisfy the related requests without undue delay, including the right to object, which the data subject may exercise "at any time" (Articles 15, 17 and 21, par. 2, of the Regulation);
e) pursuant to Article 58, par. 2, letter d) of the Regulation, orders the Company to ensure that the processing operations on personal data carried out both by the partner entities and by its employees and collaborators who access the Realmaps database are preceded by their designation, respectively, as data processors and as persons authorised for the various phases of the processing (Articles 28 and 29 of the Regulation and Article 2-quaterdecies of the Code);
f) pursuant to Article 58, par. 2, letter f) of the Regulation, prohibits the processing of personal data collected through the website https://...
without first obtaining the informed, free and specific consent of the data subjects required for marketing activities, pursuant to Articles 6 and 7 of the Regulation and Article 130 of the Code; furthermore, pursuant to Article 58, par. 2, letter d) of the Regulation, orders that the privacy notice indicate the correct email address to which requests to exercise rights concerning the processing of personal data should be sent, pursuant to Articles 12 and 13 of the Regulation;
g) pursuant to Article 157 of the Code, orders the Company to inform the Authority, within 30 days of notification of this provision, of the initiatives undertaken to implement the measures imposed; failure to comply with this point may result in the administrative fine provided for by Article 83, par. 5, of the Regulation.

ORDERS, pursuant to Article 58, par. 2, letter i), of the Regulation, Realmaps S.r.l., in the person of its legal representative, to pay the sum of EUR 100,000.00 (one hundred thousand/00) as an administrative fine for the violations indicated in the reasons; it is noted that the offender, pursuant to Article 166, par. 8, of the Code, is entitled to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS the aforementioned Company, should it not settle the dispute pursuant to Article 166, par. 8, of the Code, to pay the sum of EUR 100,000.00 (one hundred thousand/00), in the manner indicated in the annex, within 30 days of notification of this provision, failing which the consequent enforcement measures will be adopted pursuant to Article 27 of Law no. 689/1981;

ORDERS
a) pursuant to Article 166, par. 7, of the Code, the publication in full of this injunction on the Garante's website;
b) pursuant to Article 17 of Garante Regulation no.
1/2019, the annotation in the Authority's internal register provided for by Article 57, par. 1, letter u) of the Regulation of the violations found and the measures adopted;
c) the publication of this provision pursuant to Article 154-bis of the Code and Article 37 of the aforementioned Regulation no. 1/2019.

Pursuant to Article 78 of Regulation (EU) 2016/679, as well as Article 152 of the Code and Article 10 of Legislative Decree no. 150 of 1 September 2011, an appeal against this provision may be lodged with the ordinary judicial authority, by application to the ordinary court of the place where the data controller resides or, alternatively, to the court of the place of residence of the data subject, within thirty days of the date of communication of the provision, or sixty days if the appellant resides abroad.

Rome, 16 January 2025

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Scorza

THE SECRETARY GENERAL
Mattei