Garante per la protezione dei dati personali (Italy) - 9817535

From GDPRhub
Garante per la protezione dei dati personali - 9817535
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(2) GDPR
Article 6(1)(a) GDPR
Article 12(4) GDPR
Article 15 GDPR
Article 17 GDPR
Article 21 GDPR
Article 24 GDPR
Article 130 Legislative Decree no. 196/2003
Type: Investigation
Outcome: Violation Found
Started:
Decided: 05.08.2022
Published: 05.08.2022
Fine: 1,000 EUR
Parties: n/a
National Case Number/Name: 9817535
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: cmart

The Italian DPA fined a controller €1,000 for sending promotional messages without the data subject's consent and for ineffectively monitoring the third party carrying out the processing in its interest.

English Summary

Facts

A data subject lodged a complaint with the Italian DPA because he received an email containing an unsolicited marketing communication regarding ticket sales for a play promoted by Teatro Colosseo (controller). The data subject stated that he never gave consent to receiving such communications. Furthermore, the data subject complained about the controller’s failure to respond to his request to exercise his rights under Articles 15, 17 and 21 GDPR. Following the complaint, the DPA opened an investigation into the controller.

The controller stated that it never had access to the data subject's data. In fact, the marketing communication was allegedly sent by another company, namely one that it hired in the past for the promotion of a different event. This task was allegedly given orally to that company in return for remuneration. Confident in the guarantees offered by that company in the field of the promotion of shows and cultural events, also on behalf of third parties, the controller did not deem it necessary at the time to exercise a power of control or issue instructions.

Furthermore, the controller stated that the marketing company would have acted as an autonomous controller, because it would have independently determined the means of processing and the recipients of the communications. The marketing company used its own list of contacts, which was never in the controller's possession. To substantiate this claim, the controller added that it did not own the email address used to send the promotional message. This belonged to a third party, to which the marketing company had further delegated the promotional activity.

Holding

Contrary to the controller’s claim, the DPA stated that the controller determined both the means and the purposes of the processing, as the promotional activity was performed in the name, on behalf of and in the interest of the controller. Furthermore, the content of the communication gave the data subject a legitimate expectation that the communication was sent directly by the controller, rather than by the marketing company. Therefore, it must be deemed as the controller in this case.

Regarding the use of a third party for promotional activities, the DPA found that the facts of the case outlined a picture of inadequate control by the controller. Instead of drawing up a legally binding deed, the controller limited itself to a mere verbal agreement. In addition, it neglected to obtain any documentation that would demonstrate compliance with the GDPR from the third party, e.g. the origin of the data, the information provided, and whether consent was obtained.

The DPA held that by using a third company's contact list to process the data subject's personal data for marketing purposes, the controller did not meet the requirements of lawfulness, fairness and transparency from Article 5(1)(a) GDPR. Therefore, the controller violated the principle of accountability provided by Articles 5(2) and 24 GDPR for the failure to adopt adequate technical and organisational measures to effectively monitor the companies carrying out promotional activities in its interest.

The DPA also found a violation of Article 6(1)(a) GDPR and Article 130(1) and (2) of the Italian Privacy Code (Legislative Decree No. 196/2003), as the promotional message was sent without the consent of the data subject.

Consequently, the DPA imposed a fine of €1,000. It prohibited the controller from carrying out any further processing for promotional purposes of data collected without the consent of the data subjects. In addition, the DPA ordered the controller, should it intend to use third parties for promotional activities, to adopt appropriate measures to ensure that those third parties process personal data in compliance with applicable law. Lastly, the DPA ordered the controller to adopt appropriate measures to ensure an effective response to the exercise of data subjects' rights.

Comment

The Italian DPA has always devoted a lot of attention to unsolicited communications, especially with regard to aggressive telemarketing, sanctioning operators with heavy penalties (totalling, according to the DPA annual report, €30 million in 2021 alone). In this field, the Italian DPA launched on 11 November 2022 a new telematic service for reporting the receipt of unwanted calls, which is part of a package of online services and procedures that the DPA is implementing to simplify the relationship with citizens and the fulfilment of the obligations imposed on data controllers.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9817535]

Order injunction against Colosseo S.r.l. - October 6, 2022

Record of measures
n. 297 of 5 August 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC (General Data Protection Regulation, hereinafter the "Regulation");

GIVEN the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n.196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter the "Code");

GIVEN the documentation in the deeds;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

Rapporteur Dr. Agostino Ghiglia;

WHEREAS

1. THE INVESTIGATION ACTIVITY CARRIED OUT

1.1. Preliminary investigation

With the complaint of 10 August 2021, submitted to this Authority pursuant to art. 77 of the Regulations, Mr. XX complained about the receipt, on June 24, 2021, of an unsolicited communication from the email address Percorsiwebair@gmail.com and concerning "the sale of tickets for a show" promoted by the Theater Colosseum of Turin attributable to the company Colosseo S.r.l. (hereinafter "Company"; "Colosseo Theater"). The complainant declared that he had never given his consent to the receipt of the aforementioned promotional communication and complained about the failure to respond to the request for the exercise of rights, pursuant to art. 15, 17 and 21 of the Regulations, sent by e-mail on June 28, 2021 to the address indicated in the Company's privacy policy, which can be found on its website.

In response to the request for information, formulated by the Office on 1 September 2021 pursuant to art. 157 of the Code, the Company, with communication dated 23 September 2021, declared its extraneousness in relation to the conduct complained of in the complaint, specifying that "the newsletter to which Mr. XX refers" would not have started "from [their] e-mail addresses, recognizable with the domain @teatrocolosseo.it" and that "Mr. XX is not in [their] database".

1.2. The dispute

In light of what emerged from the preliminary investigation, based on the overall documentation acquired, on November 12, 2021, the Colosseum Theater was notified of the initiation of the procedure pursuant to art. 166, paragraph 5, of the Code, with which the Office complained to the Company of the following violations:

- Articles 5, par. 2, and 24 of the Regulations due to the lack of adequate technical and organizational measures, with particular regard to the inability to effectively control the supply chain of partners who carry out promotional activities in the interest of Teatro Colosseo;

- Articles 12, par. 3, 15, 17 and 21 of the Regulations for failing to respond to the complainant's request regarding the processing of his personal data sent by e-mail on June 28, 2021;

- art. 6, par. 1, lett. a) of the Regulation and art. 130 of the Code for having sent the unsolicited communication in the absence of the necessary prior informed consent of the interested party in relation to the promotional activity and in the absence of another suitable legal basis.

1.3. The defense of Colosseum S.r.l.

With the defense briefs, forwarded on 12 December 2021, the Company asked this Authority to dismiss the proceeding initiated against it "or in any case [...] the ousting of its position" from what was contested with the communication of 12 November 2021. This is because, in specifying that it never had the material availability of the complainant's personal data, it stated that the unsolicited e-mail, which gave rise to the complaint of Mr. XX, would have been sent by the company XX (hereinafter "XX"), of which it made use, in the reference period, to carry out the promotion of an exhibition organized at the Colosseum Theater. This appointment would have been conferred orally to XX for a fee. Trusting in the guarantees offered by XX in the sector of the promotion of shows and cultural events on behalf of third parties (as per the Chamber of Commerce registration), and having previously obtained assurances "about the professional and habitual performance of this activity [...] in full adherence to the dictates of the GDPR", the Company considered that there was no need to exercise a power of control and to issue instructions regarding the processing of personal data that went beyond the verbal interlocutions functional to the agreement. Teatro Colosseo has, in fact, "legitimately and in good faith" held that the commissioned company, "in promoting the exhibition [...] would have done so towards subjects who had previously given their consent [...] for the sending of promotional communications". XX allegedly "acted in total autonomy both as regards the method of promotion and as regards the recipients of the same promotional activities", drawing on its own list of contacts to which Teatro Colosseo has never had access. The Company therefore reiterated that it has not concretely "determined (or co-determined) any purpose of data processing, which has always remained the exclusive property of XX and in any case not known to Teatro Colosseo". It follows that, in the opinion of the Company, "XX [would have] acted in the present case as an independent owner and not also as the data controller of Teatro Colosseo. Nor […] is there a situation of co-ownership".

Furthermore, being a computer forensic consultant, the complainant would have been perfectly able, "given his specific skills, to realize that the e-mail received from the address Percorsiwebair@gmail.com was not actually attributable to a sending performed from Teatro Colosseo […] which uses a specific domain it owns "; this is because from the same address Mr. XX would also have received a communication relating to the promotion of a cultural event organized by a different body, the Sistina Theater.

Finally, the Company represented the possible application of some mitigating circumstances in the event of the imposition of the pecuniary administrative sanction, emphasizing, in particular, the uniqueness of the grievance, not having received "other negative feedback" and having been involved for the first time " in forty years of activity [in] this type of problem ”.

During the hearing, held on 13 January 2022, the Company, in recalling the contents of the brief presented on 12 December 2021, produced further documentation from which it is clear that XX would have made use, for the promotional activity in question, of a further subject, called XX attributable to this XX, who would have confirmed that he had deleted the data of Mr. XX.

2. LEGAL ASSESSMENTS

With reference to the factual profiles highlighted above, also based on the statements of the Company, for which the declarant responds pursuant to art. 168 of the Code, the following judicial assessments are formulated.

In the absence of contractual documentation, it is necessary to first recall the definition of "owner" pursuant to art. 4 of the Regulation, or the natural or legal person who, individually or together with others, determines the purposes and means of the processing.

In the present case, Teatro Colosseo has concretely determined the purpose for which the treatment was put in place (the transmission of promotional messages) and commissioned XX to advertise its cultural initiatives. The communication received by Mr. XX, in fact, although coming from an e-mail address unknown to the Company, contained the promotion of a cultural event put on by the Colosseum Theater of Turin, of which, moreover, the same message gave both the website and the telephone numbers. The commercial communication attached to the complaint, therefore, unequivocally associated the receipt of the promotional message with an initiative of the Company. Such a configuration of the message must be considered suitable to generate in the recipients the conviction that they have been contacted directly by the Company to which the aforementioned Teatro Colosseo di Torino belongs and, for these reasons, the same complainant first contacted Colosseo S.r.l., at the contact details found in the relative privacy policy, on the basis of this legitimate expectation.

In this regard, it is necessary to recall what was clarified by the Guarantor with the general provision of 15 June 2011 (in www.garanteprivacy.it, web doc. 1821257) with specific regard to the fact that "[...] promotional contacts are carried out in the name, however on behalf and in the interest, of the principal company; with the effect that legitimate expectations are created in the interested parties, since they perceive that they are recipients of advertising initiatives conducted directly by the company on behalf of which the proposal for the sale of products or services is formulated". In these terms, the proposer, being the subject who determines the promotional purpose of the treatment and the means for its execution, as well as being the subject in whose interest the treatment is carried out, is configured as the data controller. On the other hand, the person who, on behalf of the proposer, actually carries out the service can be, depending on the concrete arrangement of the roles between the parties, a co-owner or a data processor, as clarified by the Guarantor in the Guidelines on promotional activities and combating spam of 4 July 2013 (web doc. 2542348), in the provision of 26 October 2017 (web doc. 7320903), and, more recently, with specific regard to relations between the client and the third-party call center companies in charge of promotional campaigns, also in provision no. 7 of 15 January 2020 (web doc. 9256486).

Therefore, while claiming its extraneousness with respect to the collection of the complainant's data, it appears that the communication received from Mr. XX was made in the name and in the interest of the Company which, for these reasons, must be considered the owner having, in practice, determined the decisions regarding the purposes and methods of processing, while not bothering to verify its implementation by the partner in charge of the promotional activity (see Article 4 of the Regulation) (see, in addition to the cited provisions of 26 October 2017 and provision 15 January 2020, also: provision 25 November 2021, web doc. 9736961; provision 25 November 2021, web doc. 9737185; provision 2 December 2021, web doc. 9731682; provision 2 December 2021, web doc. no. 9731664; provision 16 December 2021, web doc. no. 9742704).

What has been described up to now allows to outline a framework of inadequate control by the Company in the treatments aimed at the realization of the promotional campaign: Teatro Colosseo, instead of drafting a legally binding deed, has limited itself to some verbal interlocutions and it does not appear that it has requested the commercial partner the documentation proving the existence of the lawfulness requirements of the processing, such as the origin of the data, the information provided and the consents acquired by the interested recipients of the promotional campaign, or that it has verified this in any other way.

The Authority has repeatedly highlighted that the new principles dictated by the Regulation frame the responsibilities of the owner with a view to accountability and impose on all those involved in the processing of personal data proactive and consistent behaviors with the aim of proving, in each phase, the lawfulness of the treatments themselves (see first of all art. 5, par. 2, of the Regulation, as well as art. 24 in charge of the precise regulation of the aforementioned principle).

Furthermore, the conduct put in place by the Company differs from what was indicated by the Guarantor on several occasions, for example already in the aforementioned Guidelines on promotional activities, in which it was recognized that "the need for the promoters to implement measures and procedures suitable to know if the agent, to whom the data processing has been entrusted by means of automated methods for marketing purposes, possibly in turn turns to sub-agents or other third parties to carry out the same treatment, as well as to verify and guarantee compliance with the Code by the latter "(point 3 of the aforementioned Guidelines; see also Article 29 Working Group for data protection, WP 169, Opinion 7/2020 on the concept of" data controller "adopted on 7 July 2021; see, in addition to the cited prov. 26 October 2017 and 15 January 2020, also 9 July 2020, web doc. No. 9435753).

In the specific case, on the other hand, Teatro Colosseo became aware only after the act of contestation of the involvement in the campaign of a third party (a certain XX) which XX would have used, confirming that it had not adequately taken care of the operational phases of the treatment (intended to bring benefits in terms of increased sales).

Given this, in this case, the processing of personal data, carried out with the use of personal data lists from third parties for marketing purposes, was found to lack the requirements of lawfulness, correctness and transparency identified by art. 5 of the Regulation. Therefore, the violation of articles 5, par. 2, and 24 of the Regulation.

Furthermore, the conduct described gave rise to the sending of promotional messages without consent, pursuant to Articles 6, par. 1, lett. a) of the Regulation and 130, paragraphs 1 and 2, of the Code, since the Company has not produced evidence to document the acquisition.

With regard, then, to the failure to respond to the request formulated by the complainant on June 28, 2021, it is represented that the Company has processed the requests made only after having been requested to do so by the Authority (with a request for information of September 1, 2021, pursuant to art.157 of the Code). This circumstance, however, was attributed, in the context of the defense brief, to personal events that involved, in the reference period for the violation, the Chief Executive Officer of the Company for which full justification was given before the Authority.

In light of the above, pursuant to art. 58, par. 2, lett. f) of the Regulations, it is necessary to impose on Teatro Colosseo a ban on the processing of personal data collected without having acquired the aforementioned necessary prior informed consent from the interested party in relation to the marketing activity.

It is also necessary to order the Colosseum Theater, pursuant to art. 58, par. 2, lett. d) of the Regulation, if it intends in the future to make use of third parties for promotional activities, to adopt suitable procedures aimed at constantly verifying that personal data are processed in full compliance with the relevant provisions and, in particular, to acquire in advance a free, specific, unambiguous and documented consent of the interested parties for sending commercial communications.

Furthermore, it is necessary to order the Company, pursuant to art. 58, par. 2, lett. d) of the Regulations, to adopt suitable procedures to ensure full and effective feedback on the exercise of the rights of the interested parties. It is also necessary to order the Company to issue suitable prior information to the interested parties regarding the processing of their data.

Finally, with regard to the treatments already carried out and with dissuasive purposes, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to Articles 58, par. 2, lett. i) and 83, par. 5, of the Regulation.

However, in the overall assessment of the facts, it must be taken into account that the conduct was sporadic (only one promotional communication complained of), was the subject of a single complaint, was immediately interrupted and concerned the promotion of only one cultural event ("Street Art in Blu"). The exceptional nature of this promotional campaign, compared to the ordinary advertising methods of the theatrical activity (website, road signs, inserts in newspapers, posters), allows to significantly reduce the position of Teatro Colosseo, even if this circumstance cannot overcome the complaints highlighted above. Moreover, it is possible to hypothesize that the Company, whose corporate purpose lies outside the usual promotional circuit that involves marketing operators, did not have the perception that the assignment to third parties had involved the processing of personal data subject to the obligations required by the relevant legislation. In fact, as the Company itself clarified during the hearing, the promotional activity of the theater was always entrusted to the aforementioned instruments and only in this case had the Company decided to use another channel to overcome the limitations imposed on economic activities by legislation relating to the pandemic emergency.

It is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

3. INJUNCTION ORDER FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION

On the basis of the above, given the violations referred to, the sanction provided for by art. 83, par. 5, of the Regulation applies.

For the purposes of quantifying the administrative sanction, the aforementioned art. 83, par. 5, in setting the maximum legal limit in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the previous year, whichever is higher, specifies the methods of quantifying the aforementioned sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), identifying, for this purpose, a series of elements listed in par. 2 of art. 83 in question, to be assessed when quantifying the relative amount.

As aggravating circumstances, in the present case, it is considered necessary to take into account:

1. the subjective dimension of the conduct, to be considered grossly negligent, with particular reference to the lack of feedback provided both to the person concerned and to the Authority (letter b).

As mitigating elements, the following must instead be considered:

1. the low number of interested parties involved (only the complainant) as well as the common nature of the data processed (letters a, g);

2. the absence of previous proceedings initiated against the Company (letter e);

3. the lack of further reports or complaints (letter h);

4. the particular socio-economic situation that has affected the country in relation to the pandemic emergency (letter k);

5. the financial statements of the Company (letter k).

Based on the set of elements indicated above, in application of the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1, of the Regulation, taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational, functional and employment needs of the Company, it is believed that the administrative sanction of the payment of a sum of € 1,000 (one thousand / 00), equal to 0.005% of the maximum legal limit of € 20 million, should be applied to Teatro Colosseo, also taking into consideration other similar cases (see measures cited, as well as provision no. 126 of 7 April 2022, web document no. 9771529, and provision no. 153 of 28 April 2022, web document no. 9779025).

In the case in question, it is also believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the matter under investigation, namely the phenomenon of unwanted marketing, with respect to which this Authority has adopted numerous measures both of a general nature and aimed at certain data controllers and on which the attention of the 'user.

Please note that pursuant to art. 170 of the Code, anyone who, being required to do so, does not comply with this provision of prohibition of processing is punished with imprisonment from three months to two years and that, in the event of non-compliance with the same provision, the administrative sanction referred to in art. 83, par. 5, lett. e) of the Regulations is also applied.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of the violations found here in the internal register of the Authority, provided for by art. 57, par. 1, lett. u) of the Regulations.

WHEREAS, THE GUARANTOR

pursuant to art. 57, par. 1, lett. f) of the Regulations, declares unlawful the processing carried out by Colosseo S.r.l., with registered office in Turin, via Madama Cristina 71, VAT number 04092480013, described in the terms set out in the motivation and, therefore, declares the complaint well founded;

a) pursuant to art. 58, par. 2, lett. f) of the Regulations, prohibits any further processing for promotional purposes of the personal data collected without the necessary prior informed consent of the interested parties having been acquired;

b) pursuant to art. 58, par. 2, lett. d) of the Regulation, if it intends in the future to carry out promotional activities, directly or through third parties, it orders the Company to adopt suitable procedures aimed at constantly verifying that personal data are processed in full compliance with the relevant provisions and, in particular, to acquire in advance an informed, free, specific, unambiguous and documented consent of the interested parties for sending commercial communications, pursuant to art. 6 and 7 of the Regulation and 130 of the Code;

c) pursuant to art. 58, par. 2, lett. d) of the Regulations, orders the Company to adopt appropriate procedures to ensure full and effective feedback on the exercise of rights and to issue interested parties with appropriate prior information, pursuant to Articles 12, 13 and 14 of the Regulation, regarding the processing of their data;

The Guarantor, pursuant to art. 58, par. 1, of the Regulations, also invites the data controller to communicate, within 30 days from the date of receipt of this provision, which initiatives have been undertaken in order to implement the provisions of this provision and in any case to provide adequately documented feedback. Please note that failure to respond to the request pursuant to art. 58 is punished with the administrative sanction pursuant to art. 83, par. 5, lett. e) of the Regulations;

ORDERS

Colosseo S.r.l. to pay the sum of € 1,000.00 (one thousand / 00), as a pecuniary administrative sanction for the violations indicated in the motivation, representing that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute, with the fulfillment of the prescribed requirements and the payment, within thirty days, of an amount equal to half of the sanction imposed;

ENJOINS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 1,000.00 (one thousand / 00), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981;

PROVIDES FOR

as an ancillary sanction, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, the publication on the website of the Guarantor of this provision and, pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lett. u) of the Regulations, of the violations and measures adopted.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as art. 152 of the Code and 10 of the legislative decree 1 September 2011, n. 150, opposition to this provision may be filed with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is resident, or, alternatively, with the court of the place of residence of the person concerned, within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.

Rome, 5 August 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE SECRETARY GENERAL
Mattei

[doc. web n. 9817535]

Order injunction against Colosseo S.r.l. - October 6, 2022

Record of measures
n. 297 of 5 August 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC (General Data Protection Regulation, hereinafter the "Regulation");

GIVEN the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n.196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter the "Code");

GIVEN the documentation in the deeds;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

Rapporteur Dr. Agostino Ghiglia;

WHEREAS

1. THE INVESTIGATION ACTIVITY CARRIED OUT

1.1. Preliminary investigation

With the complaint of 10 August 2021, submitted to this Authority pursuant to art. 77 of the Regulation, Mr. XX complained about the receipt, on June 24, 2021, of an unsolicited communication from the email address Percorsiwebair@gmail.com concerning "the sale of tickets for a show" promoted by the Teatro Colosseo of Turin, attributable to the company Colosseo S.r.l. (hereinafter "Company" or "Teatro Colosseo"). The complainant declared that he had never given his consent to the receipt of the aforementioned promotional communication and complained about the failure to respond to the request for the exercise of rights, pursuant to art. 15, 17 and 21 of the Regulation, sent by e-mail on June 28, 2021 to the address indicated in the Company's privacy policy, which can be found on its website.

In response to the request for information, formulated by the Office on 1 September 2021 pursuant to art. 157 of the Code, the Company, with communication dated 23 September 2021, declared that it had no part in the conduct complained of in the complaint, specifying that "the newsletter to which Mr. XX refers" had not been sent "from [their] e-mail addresses, recognizable by the domain @teatrocolosseo.it" and that "Mr. XX is not in [their] database".

1.2. The dispute

In light of what emerged from the preliminary investigation, based on the overall documentation acquired, on November 12, 2021, Teatro Colosseo was notified of the initiation of the procedure pursuant to art. 166, paragraph 5, of the Code, with which the Office charged the Company with the following violations:

- Articles 5, par. 2, and 24 of the Regulations due to the lack of adequate technical and organizational measures, with particular regard to the inability to effectively control the supply chain of partners who carry out promotional activities in the interest of Teatro Colosseo;

- Articles 12, par. 3, 15, 17 and 21 of the Regulations for failing to respond to the complainant's request regarding the processing of his personal data sent by e-mail on June 28, 2021;

- art. 6, par. 1, lett. a) of the Regulation and art. 130 of the Code for having sent the unsolicited communication in the absence of the necessary prior informed consent of the interested party in relation to the promotional activity and in the absence of another suitable legal basis.

1.3. The defense of Colosseo S.r.l.

With the defense briefs, forwarded on 12 December 2021, the Company asked this Authority to dismiss the proceeding initiated against it "or in any case [...] the ousting of its position" from what was contested with the communication of 12 November 2021. It did so because, in specifying that it never had the complainant's personal data materially at its disposal, it stated that the unsolicited e-mail which gave rise to Mr. XX's complaint was allegedly sent by the company XX (hereinafter "XX"), which it used, in the reference period, to promote an exhibition organized at Teatro Colosseo. This assignment was allegedly conferred on XX orally, for a fee. Trusting in the guarantees offered by XX in the sector of the promotion of shows and cultural events on behalf of third parties (as per the Chamber of Commerce registration), and having previously obtained assurances "about the professional and habitual performance of this activity [...] in full adherence to the dictates of the GDPR", the Company considered that there was no need to exercise a power of control or to issue instructions on the processing of personal data beyond the verbal exchanges functional to the agreement. Teatro Colosseo, in fact, "legitimately and in good faith" held that the commissioned company, "in promoting the exhibition [...] would have done so towards subjects who had previously given their consent [...] for the sending of promotional communications". XX allegedly "acted in total autonomy both as regards the method of promotion and as regards the recipients of the same promotional activities", drawing on its own list of contacts, to which Teatro Colosseo never had access. The Company therefore reiterated that it has not concretely "determined (or co-determined) any purpose of data processing, which has always remained the exclusive property of XX and in any case not known to Teatro Colosseo".
It follows that, in the opinion of the Company, "XX [would have] acted in the present case as an independent controller and not also as the data processor of Teatro Colosseo. Nor […] is there a situation of joint controllership".

Furthermore, being a computer forensic consultant, the complainant would have been perfectly able, "given his specific skills, to realize that the e-mail received from the address Percorsiwebair@gmail.com was not actually attributable to a sending performed from Teatro Colosseo […] which uses a specific domain it owns"; this is because, from the same address, Mr. XX had allegedly also received a communication relating to the promotion of a cultural event organized by a different body, the Sistina Theater.

Finally, the Company pointed to the possible application of some mitigating circumstances in the event of the imposition of the pecuniary administrative sanction, emphasizing, in particular, the uniqueness of the grievance, not having received "other negative feedback" and having been involved for the first time "in forty years of activity [in] this type of problem".

During the hearing, held on 13 January 2022, the Company, in recalling the contents of the brief presented on 12 December 2021, produced further documentation from which it emerges that XX allegedly used, for the promotional activity in question, a further subject, called XX and attributable to this XX, who reportedly confirmed the deletion of Mr. XX's data.

2. LEGAL ASSESSMENTS

With reference to the factual profiles highlighted above, also based on the statements of the Company, for which the declarant is liable pursuant to art. 168 of the Code, the following legal assessments are formulated.

In the absence of contractual documentation, it is necessary to first recall the definition of "controller" pursuant to art. 4 of the Regulation, that is, the natural or legal person who, individually or together with others, determines the purposes and means of the processing.

In the present case, Teatro Colosseo has concretely determined the purpose for which the processing was carried out (the transmission of promotional messages) and commissioned XX to advertise its cultural initiatives. The communication received by Mr. XX, in fact, although coming from an e-mail address unknown to the Company, promoted a cultural event staged by the Teatro Colosseo of Turin, of which, moreover, the same message gave both the website and the telephone numbers. The commercial communication attached to the complaint, therefore, unequivocally associated the receipt of the promotional message with an initiative of the Company. Such a configuration of the message must be considered suitable to generate in the recipients the conviction that they have been contacted directly by the Company to which the aforementioned Teatro Colosseo of Turin belongs and, for these reasons, the complainant himself first contacted Colosseo S.r.l., at the contact details found in the relevant privacy policy, on the basis of this legitimate expectation.

In this regard, it is necessary to recall what was clarified by the Guarantor with the general provision of 15 June 2011 (in www.garanteprivacy.it, web doc. 1821257), with specific regard to the fact that "[...] promotional contacts are carried out in the name, or in any case on behalf and in the interest, of the principal company; with the effect that legitimate expectations are created in the interested parties, since they perceive that they are recipients of advertising initiatives conducted directly by the company on behalf of which the proposal for the sale of products or services is formulated". In these terms, the principal, being the subject who determines the promotional purpose of the processing and the means for its execution, as well as being the subject in whose interest the processing is carried out, is configured as the data controller. On the other hand, the person who actually carries out the service on the principal's behalf can be, depending on how the roles are actually arranged between the parties, a joint controller or a data processor, as clarified by the Guarantor in the Guidelines on promotional activities and combating spam of 4 July 2013 (web doc. 2542348), in the provision of 26 October 2017 (web doc. 7320903), and, more recently, with specific regard to relations between the principal and third-party call center companies in charge of promotional campaigns, also in provision no. 7 of 15 January 2020 (web doc. 9256486).

Therefore, although the Company claims to have had no part in the collection of the complainant's data, it appears that the communication received by Mr. XX was made in the name and in the interest of the Company which, for these reasons, must be considered the controller, having, in practice, determined the decisions regarding the purposes and methods of processing, while not bothering to verify its implementation by the partner in charge of the promotional activity (see Article 4 of the Regulation) (see, in addition to the cited provisions of 26 October 2017 and provision 15 January 2020, also: provision 25 November 2021, web doc. 9736961; provision 25 November 2021, web doc. 9737185; provision 2 December 2021, web doc. 9731682; provision 2 December 2021, web doc. no. 9731664; provision 16 December 2021, web doc. no. 9742704).

What has been described up to now outlines a picture of inadequate control by the Company over the processing aimed at carrying out the promotional campaign: Teatro Colosseo, instead of drafting a legally binding deed, limited itself to some verbal exchanges, and it does not appear that it requested from the commercial partner the documentation proving that the lawfulness requirements of the processing were met, such as the origin of the data, the information provided and the consents acquired from the interested recipients of the promotional campaign, or that it verified this in any other way.

The Authority has repeatedly highlighted that the new principles dictated by the Regulation frame the responsibilities of the controller with a view to accountability and impose on all those involved in the processing of personal data proactive and consistent behaviors with the aim of proving, in each phase, the lawfulness of the processing itself (see first of all art. 5, par. 2, of the Regulation, as well as art. 24, which regulates the aforementioned principle in detail).

Furthermore, the conduct of the Company departs from what the Guarantor has indicated on several occasions, for example already in the aforementioned Guidelines on promotional activities, which recognized "the need for the promoters to implement measures and procedures suitable to know if the agent, to whom the data processing has been entrusted by means of automated methods for marketing purposes, possibly in turn turns to sub-agents or other third parties to carry out the same treatment, as well as to verify and guarantee compliance with the Code by the latter" (point 3 of the aforementioned Guidelines; see also Article 29 Working Group for data protection, WP 169, Opinion 7/2020 on the concept of "data controller" adopted on 7 July 2021; see, in addition to the cited prov. 26 October 2017 and 15 January 2020, also 9 July 2020, web doc. No. 9435753).

In the specific case, on the other hand, Teatro Colosseo became aware only after the notice of dispute that a third party (a certain XX), which XX allegedly used, was involved in the campaign, confirming that it had not adequately taken care of the operational phases of the processing (intended to bring benefits in terms of increased sales).

Given this, in this case, the processing of personal data, carried out with the use of personal data lists from third parties for marketing purposes, was found to lack the requirements of lawfulness, correctness and transparency identified by art. 5 of the Regulation. The violation of articles 5, par. 2, and 24 of the Regulation is therefore established.

Furthermore, the conduct described gave rise to the sending of promotional messages without the consent required under Articles 6, par. 1, lett. a) of the Regulation and 130, paragraphs 1 and 2, of the Code, since the Company has not produced evidence documenting its acquisition.

With regard, then, to the failure to respond to the request formulated by the complainant on June 28, 2021, it is noted that the Company processed the requests made only after having been requested to do so by the Authority (with a request for information of September 1, 2021, pursuant to art. 157 of the Code). This circumstance, however, was attributed, in the context of the defense brief, to personal events that involved, in the reference period for the violation, the Chief Executive Officer of the Company, for which full justification was given before the Authority.

In light of the above, pursuant to art. 58, par. 2, lett. f) of the Regulation, it is necessary to impose on Teatro Colosseo a ban on the processing of personal data collected without having acquired the aforementioned necessary prior informed consent from the interested party in relation to the marketing activity.

It is also necessary to order Teatro Colosseo, pursuant to art. 58, par. 2, lett. d) of the Regulation, if it intends in the future to make use of third parties for promotional activities, to adopt suitable procedures aimed at constantly verifying that personal data are processed in full compliance with the relevant provisions and, in particular, to acquire in advance the free, specific, unambiguous and documented consent of the interested parties for sending commercial communications.

Furthermore, pursuant to art. 58, par. 2, lett. d) of the Regulation, it is necessary to order the Company to adopt appropriate procedures to ensure full and effective feedback on the exercise of the rights of the interested parties. Furthermore, it is necessary to order the Company to issue suitable prior information to the interested parties regarding the processing of their data.

Finally, with regard to the processing already carried out and for dissuasive purposes, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to Articles 58, par. 2, lett. i) and 83, par. 5, of the Regulation.

However, in the overall assessment of the facts, it must be taken into account that the conduct, which was sporadic (only one promotional communication complained of) and the subject of a single complaint, was immediately interrupted and concerned the promotion of only one cultural event ("Street Art in Blu"). The exceptional nature of this promotional campaign, compared to the ordinary advertising methods of the theatrical activity (website, road signs, newspaper inserts, posters), significantly mitigates the position of Teatro Colosseo, even if this circumstance cannot overcome the charges highlighted above. Moreover, it is possible to hypothesize that the Company, whose corporate purpose lies outside the usual promotional circuit that involves marketing operators, did not perceive that the assignment to third parties involved the processing of personal data subject to the obligations required by the relevant legislation. In fact, as the Company clarified during the hearing, the promotional activity of the theater was always entrusted to the aforementioned instruments, and only in this case had the Company decided to use another channel to overcome the limitations imposed on economic activities by legislation relating to the pandemic emergency.

It is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

3. INJUNCTION ORDER FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION

On the basis of the above, given the violations referred to, the sanction provided for by art. 83, par. 5, of the Regulation applies.

For the purposes of quantifying the administrative sanction, the aforementioned art. 83, par. 5, in setting the maximum legal limit in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the previous year, whichever is higher, specifies the methods of quantifying the aforementioned sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), identifying, for this purpose, a series of elements listed in par. 2 of art. 83 in question, to be assessed when quantifying the relative amount.

As aggravating circumstances, in the present case, the following must be taken into account:

1. the subjective dimension of the conduct, to be considered grossly negligent, with particular reference to the lack of feedback provided both to the person concerned and to the Authority (letter b).

As mitigating elements, the following must instead be considered:

1. the low number of interested parties involved (only the complainant) as well as the common nature of the data processed (letters a, g);

2. the absence of previous proceedings initiated against the Company (letter e);

3. the lack of further reports or complaints (letter h);

4. the particular socio-economic situation that has affected the country in relation to the pandemic emergency (letter k);

5. the financial statements of the Company (letter k).

Based on the set of elements indicated above, in application of the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1, of the Regulation, taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational, functional and employment needs of the Company, it is believed that Teatro Colosseo should be subject - also taking into consideration other similar cases (see measures cited, as well as provision no. 126 of 7 April 2022, web document no. 9771529, and provision no. 153 of 28 April 2022, web document no. 9779025) - to the administrative sanction of the payment of a sum of € 1,000 (one thousand / 00), equal to 0.005% of the maximum legal limit of € 20 million.

In the case in question, it is also believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the matter under investigation, namely the phenomenon of unwanted marketing, with respect to which this Authority has adopted numerous measures both of a general nature and aimed at certain data controllers and on which the attention of the 'user.

Please note that, pursuant to art. 170 of the Code, anyone who, being required to do so, does not comply with this provision of prohibition of processing is punished with imprisonment from three months to two years, and that, in the event of non-compliance with the same provision, the administrative sanction referred to in art. 83, par. 5, lett. e) of the Regulation is also applied.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of the violations found here in the internal register of the Authority, provided for by art. 57, par. 1, lett. u) of the Regulation.

IN VIEW OF THE FOREGOING, THE GUARANTOR

pursuant to art. 57, par. 1, lett. f) of the Regulations, declares unlawful the processing carried out by Colosseo S.r.l., with registered office in Turin, via Madama Cristina 71, VAT number 04092480013, described in the terms set out in the motivation and, therefore, declares the complaint well founded;

a) pursuant to art. 58, par. 2, lett. f) of the Regulations, prohibits any further processing for promotional purposes of the personal data collected without the necessary prior informed consent of the interested parties having been acquired;

b) pursuant to art. 58, par. 2, lett. d) of the Regulation, if it intends in the future to carry out promotional activities, directly or through third parties, it orders the Company to adopt suitable procedures aimed at constantly verifying that personal data are processed in full compliance with the relevant provisions and, in particular, to acquire in advance an informed, free, specific, unambiguous and documented consent of the interested parties for sending commercial communications, pursuant to art. 6 and 7 of the Regulation and 130 of the Code;

c) pursuant to art. 58, par. 2, lett. d) of the Regulations, orders the Company to adopt appropriate procedures to ensure full and effective feedback on the exercise of rights and to issue interested parties with appropriate prior information, pursuant to Articles 12, 13 and 14 of the Regulation, regarding the processing of their data;

The Guarantor, pursuant to art. 58, par. 1, of the Regulations, also invites the data controller to communicate, within 30 days from the date of receipt of this provision, which initiatives have been undertaken in order to implement the provisions of this provision and in any case to provide adequately documented feedback. Please note that failure to respond to the request pursuant to art. 58 is punished with the administrative sanction pursuant to art. 83, par. 5, lett. e) of the Regulations;

ORDERS

Colosseo S.r.l. to pay the sum of € 1,000.00 (one thousand / 00), as a pecuniary administrative sanction for the violations indicated in the motivation, noting that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute, with the fulfillment of the prescribed requirements and the payment, within thirty days, of an amount equal to half of the sanction imposed;

ENJOINS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 1,000.00 (one thousand / 00), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981;

PROVIDES FOR

as an ancillary sanction, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, the publication on the website of the Guarantor of this provision and, pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation of the violations and measures adopted in the internal register of the Authority, provided for by art. 57, par. 1, lett. u) of the Regulation.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as art. 152 of the Code and 10 of the legislative decree 1 September 2011, n. 150, opposition to this provision may be filed with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is resident, or, alternatively, with the court of the place of residence of the person concerned, within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.

Rome, 5 August 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE SECRETARY GENERAL
Mattei