Garante per la protezione dei dati personali (Italy) - 9525315
Garante per la protezione dei dati personali - 9525315 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(e) GDPR Article 6 GDPR Article 9 GDPR Article 28 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 17.12.2020 |
Fine: | 40000 EUR |
Parties: | Miropass s.r.l. |
National Case Number/Name: | 9525315 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Italian |
Original Source: | Garante Privacy (in IT) |
Initial Contributor: | n/a |
The Italian DPA (Garante) imposed a fine of € 40 000 on Miropass s.r.l. for the violation of Articles 5(1)(a) and (e), 6, 9 and 28 GDPR.
English Summary
Facts
With a previous measure (n. 81 of 7 march 2019) the Garante declared the unlawfulness of the processing activity deployed by the Municipality of Rome using the system "TuPassi" provided by Miropass s.r.l..
Consequently, the Garante carried out an investigation on the platform "TuPassi" provided by Miropass s.r.l.; in its investigation the Garante noted the absence of: - a suitable prerequisite of lawfulness, in violation of article 5(a), 6 and 9 GDPR
- definition of the data retention period, in violation of Article 5(1)(e) GDPR
- adequate definition of the relationship with a sub-processor, in violation of Article 28 GDPR.
Dispute
Miropass s.r.l. presented its written defense, based on this, is the processing still deemed illicit by the DPA?
Holding
The Garante considers that the elements produced in defense did not allow to overcome the previously notified findings and thus reaffirms the unlawfulness of the processing of personal data carried out by Miropass s.r.l.
The processing was conducted in violation of basic principles: in the absence of a suitable legal basis for the processing of personal data of users and employees and without having regulated the relationship with its processor, thus, in violation of Articles 5(1) (a) and (e), 6, 9 and 28 GDPR.
With the power conferred by Article 58(2)(i) GDPR, the Italian DPA imposed a fine of 40.000 euro on Miropass s.r.l.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.