Garante per la protezione dei dati personali (Italy) - 9860553

From GDPRhub
Garante per la protezione dei dati personali - 9860553
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5 GDPR, Article 6 GDPR
Type: Investigation
Outcome: Violation Found
Started: 28.02.2022
Decided: 15.12.2022
Published: 02.03.2023
Fine: 120000 EUR
Parties: n/a
National Case Number/Name: 9860553
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Italian DPA (in IT)
Initial Contributor: sabrina_salmeri

The Italian DPA fined Assiteca Spa, an insurance company, €120,000 for unlawful data processing: consent was lacking and data was retained long term. The infringements were attributed to flaws in the integration of IT systems following a merger.

English Summary

Facts

The Italian DPA launched an investigation into the insurance broker Assiteca Spa (Assiteca), the controller, as part of the authority's planned inspection activities for 2022 and following a number of complaints. The investigation consisted of a simulated request for car insurance quotations on two websites operated by the company.

As a preliminary point, the company explained that the services on these two websites were previously implemented by 6Sicuro SpA, a company which merged into Assiteca in July 2021. At the time of the investigation, the two websites had separate IT systems and were undergoing re-engineering.

During the investigation process, the DPA raised several issues regarding the following: first, absence of consent to processing for promotional purposes; second, lack of transparency regarding data processing; third, the retention time of personal data; and fourth, the lack of technical and organisational measures to prevent prejudice to data subjects.

In its defence, the company emphasised that, as a result of the merger, the anomalies detected during the inspection by the Garante were to be considered as "circumscribed effects attributable to the misalignment of the systems and not to a systematic lack of security measures". In addition, it had started the process for the acquisition of a new system and had made changes to rectify the technical anomalies at issue.

Holding

In its decision, the Italian DPA addressed the four issues identified above. Firstly, regarding consent, following the merger the company had retained the data of nearly 9,700 customers of the previous company without their knowledge, exposing their personal data to potential processing for promotional purposes even in the absence of consent. The DPA found that, due to a system bug, the will of some users was not correctly implemented, since some consents were involuntarily registered in the system after the users opened e-mails containing car insurance quotes. The company clarified that the event originated from unintentional problems of a technical nature. However, for 9,700 users a consent had been registered that did not demonstrate genuine intent and, for 2,155 of these, a consent was acquired that had never been expressed, in violation of Article 6(1)(a) and Article 7 GDPR.

Secondly, in terms of transparency, the DPA found that the information provided to data subjects was not sufficiently clear, in particular concerning transfers to third parties and profiling. However, the text of the information notice has been amended, giving a clearer statement of the processing operations carried out and their legal bases. As such, no further action is deemed necessary.

Third, regarding retention, the company had not defined in advance the data retention periods for the individual purposes, in breach of Article 5(1)(e) GDPR.

Fourth, and finally, the DPA also noted the presence of inadequate technical measures for the processing, but did not consider sanctioning the company on this point, because the integration of two different corporate systems had recently been carried out and the necessary changes had been made.

Pursuant to Article 83 GDPR, the DPA fined the controller €120,000. In determining the amount of the fine, the authority took into account the broad scope of the processing, which involved 9,700 data subjects; the seriousness of the violation, in misrepresenting the data subjects' wishes without their knowledge and exposing their personal data; and the manner in which the authority had become aware of the violations, as part of an own-initiative investigation. However, the DPA also considered a number of mitigating factors, including: that the company's intentions did not appear to be aimed at consciously achieving these effects; the timely adoption of corrective measures; the absence of previous infringements; and the high degree of cooperation with the DPA.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9860553]

Injunction against Assiteca S.p.A. - December 15, 2022

Register of measures no. 430 of 15 December 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof. Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD TO the documentation on file;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000;

RAPPORTEUR: the lawyer Guido Scorza;

WHEREAS

1. THE INVESTIGATION ACTIVITY

On 28 February, 1 and 2 March 2022 an inspection was carried out at Assiteca SpA to verify the collection of personal data carried out through the websites www.6sicuro.it and www.chiarezza.it, with particular regard to the use of such data for marketing purposes, including through communication to third parties, and to check the procedure adopted to reply to requests from data subjects. The investigation was initiated ex officio on the basis of the Guarantor's inspection programme for the first half of 2022(1) and also took into account some reports submitted to the Guarantor and a complaint.

Preliminarily, Assiteca, which originated as an insurance broker, clarified that the services provided through the aforementioned portals had been created by 6Sicuro SpA, a company merged into Assiteca in July 2021, whose information systems were still separate at the time of the assessment (but undergoing re-engineering).

The on-site checks were carried out by simulating a request for a comparison of car insurance quotes on the websites www.chiarezza.it and www.6sicuro.it; the corresponding records in the Company's systems were then verified through direct access to those systems.

The following summarises what emerged:

1. at the end of filling in the fields on the sites indicated, separate consents were requested for each of the processing purposes, as well as specific consents for the approval of contractual clauses. With regard exclusively to the consents relating to the processing of personal data, some of them were qualified as "mandatory" and concerned the declaration of acknowledgment of the privacy notice and the assent to the communication of data to the insurance companies for the preparation of quotes and the finalisation of the contract. The Company was also informed that the tax inspectors had accessed the same sites ex officio on 17 February 2022, finding that on www.6sicuro.it the consent relating to "research and profiling" was already selected, while on www.chiarezza.it all optional consents were already selected; the Company explained this result by clarifying that, during the compilation process, once the e-mail address is entered, a query automatically retrieves any consents already given from the database and displays them to the user in that state;

2. during the compilation of the quote on the website www.chiarezza.it, the user was shown a pop-up with the request "Can we contact you regarding this quote? YES NO". The Company clarified that this functionality was used to allow the user to be contacted even if he did not complete the compilation of the quote;

3. the Company used the data to send promotional communications via e-mail, sms or telephone contact to subjects present in its database who had given specific consent and transferred this data to third parties, if specific consent was present, for their respective autonomous promotional purposes;

4. the data collected through the preparation of the quote were logically linked to the quote and not to the individual user, whose data was saved only if the compilation procedure was completed by selecting the "compare prices" button. At the time of the investigation, 5,196,103 e-mail addresses were registered (of which 3,391,809 with at least one consent given) and 4,262,923 telephone numbers (of which 2,709,333 with at least one consent given);

5. after completing the form to obtain the quote, and having made the individual choices regarding the privacy consents to be granted, the user received a confirmation e-mail with a link "go to the quote" to view the results. Testing with the e-mail addresses of the tax inspectors, it was ascertained that, if the button at the bottom of the e-mail was clicked, all optional consents (even those not granted) were automatically set to "yes" in the systems, regardless of the choices made by the user during the compilation;

6. from the register of processing activities "addendum 6Sicuro" it appeared that two types of processing were identified: i) preparation of insurance quotes; ii) marketing initiatives, transfer of data to third parties, profiling, sending of newsletters. For both, consent was indicated as the legal basis and the data retention period was "until consent is revoked"; this approach was also confirmed by the statements made during the investigation, during which a quote from 2009 was also found. The Company has however assured that it has started assessments for a review of the data retention periods and for the migration of the systems onto a single platform that will allow management by user rather than by quote;

7. the Company has provided the list of third parties (see minutes of 2 March 2022) who have received personal data to be used for marketing purposes (for a total of 25,399,805 users). However, these subjects were not present (or were only minimally present) in the list of third-party data transfer companies published on the two sites and reachable via the appropriate link in point 6 of the privacy information. This verification was carried out by the Office both on 21 February 2022 and on 16 June 2022;

8. the tax inspectors provided a list of 863 mobile numbers for which they asked for evidence of the history of consents and of their use in promotional campaigns. The first two numbers on the list were also examined, and it was found that number XX had been acquired in 2009 and modified in 2014 but reported the date of the last modification as 01/01/1901;

9. the tax inspectors asked for checks on the consents given by three subjects who in 2021 had sent reports and complaints to the Guarantor about the receipt of promotional messages from 6Sicuro SpA despite their objection: from the extractions carried out in the backend database it emerged that for two complainants consent for marketing purposes had been revoked on the dates indicated in the reports, while the data of one complainant (mobile XX), who had never given any consent, had been used in January and March 2021 for telemarketing activities.

With a note dated 18 March 2022, the Company sent a supplementary memorandum, addressing the points it had reserved, in which it confirmed the update of the organisational and technical measures taken to completely integrate the 6Sicuro unit acquired in July 2021. In particular, Assiteca declared that it had purchased a Customer Relationship Management (CRM) platform in order to unify the functions of the various company sectors, currently separate, and also to allow each user to access their own personal area on the two sites in order to verify their information and manage their consents autonomously. The entire process of modifying company procedures was documented, with the related implementation timelines attached.

With regard to the specific points on which it had reserved its reply, Assiteca:

a) in relation to the in-depth analysis of the problem described in point 5 of the previous list, declared that a system bug had been detected which involved approximately 9,700 records. The Company declared that it would proceed within the month of March to: i) correct the error, ii) restore the status of the consents, iii) inform any third parties to whom the data had been communicated;

b) provided detailed elements regarding the 863 numbers provided by the tax inspectors;

c) with regard to the anomaly described in point 8 above, the Company considered that it "is attributable to an IT error generated by session interruptions in the context of the data import process from the old to the new IT infrastructure". Since it was not possible to restore the original consents, the anomaly was reported in the systems by adding a fictitious date. However, the problem concerned only 9 users;

d) with regard to the requests to exercise the rights received from interested parties in 2021, the Company declared that they amount to 120,894 of which 98.88% have already been managed;

e) with regard to the pop-up generated while completing the questionnaire, the Company, following the checks carried out, declared that no data was kept if the request for a quote was not completed. Therefore, said pop-up was merely a leftover from subsequent graphic changes, without any consequence for the retention of data, and it has therefore been removed.

Furthermore, the Company deemed it necessary to provide further clarifications regarding the fact that, when the Guarantor's officials accessed the sites ex officio, some consents were pre-flagged; the Company confirmed that, at the time of the verification, a procedure was in place which, by recognising the telephone number, presented the data subject with the latest status of the consents collected. However, it was assured that this procedure would be discontinued by 31 March 2022.

Finally, on 7 April 2022, the Company spontaneously supplemented the information provided, reporting the updates made. In particular, it stated:

a) to have completed the procedure for verifying and correcting the system bug that had led to the undue change of consent for users who had clicked on the "go to quote" button. In this regard, the Company specified that of the approximately 9700 users involved, in reality only 2155 users had undergone the change of consent since in the remaining cases there had only been an overwriting of a consent already given;

b) to have completed the management of the residual requests for revocation of consent not yet processed at the time of presentation of the brief of 18 March 2022;

c) to have definitively suppressed the function that allowed the presentation of the pre-flagged consent in the case of contact data already present in the database.

2. THE INFRINGEMENTS CHARGED

Based on the results of the inspection activity, the Company was notified of the start of the proceeding pursuant to art. 166, paragraph 5, of the Code.

On that occasion, the Office considered that there was an overall lack of technical and organisational measures on the part of the controller. This was due to various system errors which had led to the circumvention of the will expressed by the data subjects, with the consequent sending of promotional messages and communication to third parties in the absence of a suitable consent (as in fact occurred in the case of the complainant referred to under number XX). Even the clarification that, of the 9,700 users, "only" 2,155 had been affected by the modification of the consent did not exempt the other 7,545 from prejudice: for the latter, the overwriting of the consent in any case constituted a misrepresentation of the will of the data subject who, despite having given consent previously, may not have wanted to give it when filling in a subsequent quote (so that the previous consent should have been considered revoked, whereas it was instead confirmed).

It was observed that the system design itself, which centred the records on the quote and not on the user, did not allow correct management over time of the will of the data subject who, in the absence of registration as a user in a specific personal area, could not even exercise the right to verify/modify the data released and the consents given (other than, of course, by writing directly to the Company).
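As an added illustration (not code from Assiteca or from the decision), the following Python models the mechanisms described at points 5 and 8 of section 1 and in the two paragraphs above: the "go to the quote" link that rewrote consents, a later quote that should revoke rather than silently keep an earlier consent, an unrecoverable timestamp that must not be replaced by a fictitious date, and retention fixed per purpose in advance. The purpose names, the ledger API and the sample users are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Optional (marketing-type) purposes named in the decision; keys are constructed.
PURPOSES = ("marketing", "third_party_communication", "profiling")
# Only these user actions may create a usable grant (constructed policy).
EXPLICIT_SOURCES = ("quote_form", "preference_centre")


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str          # keyed on the user, not on the quote
    purpose: str
    granted: bool
    source: str           # which action produced the event
    at: datetime | None   # None means "unknown", never a fictitious date


class ConsentLedger:
    """Append-only consent log; current status is derived, never overwritten."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []
        self._access_log: list[tuple[str, datetime]] = []

    def record_quote_form(self, user_id: str, ticked: set[str], at: datetime) -> None:
        # Every optional purpose is written explicitly, so a box left unticked on
        # a later quote is recorded as a revocation, not as "keep the old value".
        for purpose in PURPOSES:
            self._events.append(
                ConsentEvent(user_id, purpose, purpose in ticked, "quote_form", at))

    def open_quote_link(self, user_id: str, at: datetime) -> None:
        # Corrected handler: viewing the quote is logged as an access only.
        self._access_log.append((user_id, at))

    def open_quote_link_buggy(self, user_id: str, at: datetime) -> None:
        # Reproduction of the defect at point 5 of section 1: the link handler
        # wrote "yes" for every optional purpose regardless of the form choices.
        for purpose in PURPOSES:
            self._events.append(ConsentEvent(user_id, purpose, True, "quote_link", at))

    def import_legacy(self, user_id: str, purpose: str, granted: bool,
                      at: datetime | None) -> None:
        # Migration path: an unrecoverable timestamp stays None instead of being
        # replaced by a placeholder such as 01/01/1901 (point 8 of section 1).
        self._events.append(ConsentEvent(user_id, purpose, granted, "legacy_import", at))

    def status(self, user_id: str) -> dict[str, bool]:
        out = {p: False for p in PURPOSES}
        for ev in self._events:            # later events win
            if ev.user_id == user_id:
                out[ev.purpose] = ev.granted
        return out

    def may_use_for(self, user_id: str, purpose: str) -> bool:
        # Usable only on a current grant from an explicit user action with a
        # known timestamp; imports and link clicks never suffice on their own.
        hist = [e for e in self._events if e.user_id == user_id and e.purpose == purpose]
        if not hist:
            return False
        last = hist[-1]
        return last.granted and last.source in EXPLICIT_SOURCES and last.at is not None

    def expired(self, now: datetime, retention: dict[str, timedelta]) -> set[tuple[str, str]]:
        # Retention is fixed per purpose in advance; the latest event decides, and
        # an unknown timestamp counts as expired rather than "until revoked".
        latest: dict[tuple[str, str], ConsentEvent] = {}
        for ev in self._events:
            latest[(ev.user_id, ev.purpose)] = ev
        return {key for key, ev in latest.items()
                if ev.at is None or now - ev.at > retention[ev.purpose]}


def demo() -> dict:
    """Replays the inspection scenario on constructed data and returns the outcomes."""
    t0 = datetime(2022, 2, 17, tzinfo=timezone.utc)       # constructed date
    bug, fixed = ConsentLedger(), ConsentLedger()
    for ledger in (bug, fixed):                              # only "marketing" ticked
        ledger.record_quote_form("user-1", {"marketing"}, t0)
    bug.open_quote_link_buggy("user-1", t0 + timedelta(hours=1))
    fixed.open_quote_link("user-1", t0 + timedelta(hours=1))
    fixed_after_link = fixed.status("user-1")
    # A later quote with every optional box unticked must read as a revocation.
    fixed.record_quote_form("user-1", set(), t0 + timedelta(days=30))
    # Migrated record whose original timestamp could not be recovered.
    fixed.import_legacy("user-2", "marketing", True, at=None)
    retention = {p: timedelta(days=365) for p in PURPOSES}  # constructed policy
    return {
        "buggy_after_link": bug.status("user-1"),
        "fixed_after_link": fixed_after_link,
        "fixed_after_second_quote": fixed.status("user-1"),
        "legacy_usable": fixed.may_use_for("user-2", "marketing"),
        "expired": fixed.expired(t0 + timedelta(days=60), retention),
    }
```

Running `demo()` shows the buggy handler flipping all three purposes to "yes" after one link click, while the corrected ledger keeps only the box the user ticked and later revokes it.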

With regard, however, to the suitability of the consents acquired, it was observed that the Company, as described in the privacy notice, based the processing for marketing purposes, communication to third parties and profiling on consent. Furthermore, with regard to the "communication and commercial purposes" (point 2.1.e of the notice), taking into account the numerous individual consents that were requested at the end of the quote, it was considered difficult to understand whether this processing concerned promotional communications from Assiteca or (also or exclusively) communication to third parties for their own promotional purposes. Furthermore, again with regard to communication to third parties, it did not appear that the list of data transferees reported the companies to which such data had actually been transferred. Furthermore, the purposes indicated in point 2.1.g of the notice were numerous, heterogeneous and in fact permitted "for any reason".

Instead, with regard to profiling, the purpose of this treatment was not clarified in the information. In point 2.1.f. of the information, entitled "research and profiling purposes" the purpose of the treatment was defined as follows: "carrying out checks concerning the level of satisfaction of Assiteca customers; research and elaboration of statistics, also anonymously, as well as studies and market research, user profiling also with electronic tools". This generic wording would suggest that the profiling activity was mainly aimed at carrying out statistical analyses. However, in point 4 of the disclosure it was stated that failure to provide consent would have made it impossible "for Assiteca to analyze the consumption habits of the interested party in order to process and send specific offers based on the preferences of the same". Here, therefore, the purpose of profiling would seem to be to convey personalized promotional communications.

On these premises, it was considered that any consent obtained could not be considered de facto informed and, consequently, free, since the purpose for which profiling was carried out on the data provided was not clear and the data subject was therefore unable to assess the consequences of such processing. Similar considerations were made for communication to third parties and for marketing purposes.

Furthermore, it was noted that "mandatory consents" were requested, a term which in fact represents an oxymoron since, as is well known, consent is characterized by the requirement of freedom. It was therefore assumed that the Company had not adequately assessed the most appropriate legal basis for such processing or had misunderstood as a request for consent the mere declaration of acknowledgment of the information.

Finally, despite having documented that it had initiated investigations, it does not appear that the Company had ever defined the data retention times, which were not specified in the information, with the result that the data collected had never been cancelled.

Therefore, while taking into account the fact that the Company had taken note of the errors found and had corrected them (or had started the procedures for the necessary modifications), it was considered that the treatments thus described had led to the violation of the articles 5, par. 1, lit. a), d) and e), 6, par. 1, lit. a), 7, 13 and 24 of the Regulation and the violation of art. 130 of the Code.

3. THE DEFENSE OF THE COMPANY

With a note dated 19 September 2022, Assiteca sent a defense brief, the contents of which are understood to be referred to in full here, in which it provided detailed clarifications regarding the objections raised by the Office, acknowledging the corrective measures punctually adopted.

In particular, the Company, with regard to the general charge of a lack of adequate measures to guarantee the compliance of the processing, recalled that the merger by incorporation of 6Sicuro S.p.A. had also led to the need to integrate the related information systems, with the consequent risk of misalignments. For these reasons, Assiteca had started negotiations, as early as October 2021 and therefore well before the inspection by the Guarantor, for the acquisition of a new CRM system. The systems engineering procedure, which required a lot of time and several modifications, was completed in September 2022, resulting in a new version of the 6sicuro.it and chiarezza.it websites, much more user friendly and focused on the user rather than on the quote. Therefore, the anomalies detected during the inspection by the Guarantor were to be considered as limited effects attributable to the misalignment of the systems and not to a systematic lack of security measures. Furthermore, all the technical anomalies detected were corrected immediately after the inspection.

With regard to the other disputed aspects, relating to the comprehensibility of the processing for data subjects, the Company, although deeming that it had already adopted methods compliant with the rules, took steps to implement corrective measures in order to improve users' understanding and avoid any misunderstandings. In particular:

- with regard to the clarity of the privacy information, it proceeded to reformulate the text and communicated it extensively to users;

- with regard to the presence of pre-flagged consents reflecting the preferences already registered in the system, while not deeming that this method constituted a violation, the Company took steps to eliminate this functionality on 22 March 2022, therefore well before receiving the notice of initiation of the proceeding;

- with regard to the forms of consent whose acceptance was mandatory, it proceeded to clearly distinguish requests for "consent" from mere "acknowledgement" and from declarations of another nature.

Finally, the Company confirmed that it had defined the data retention times for the various purposes and undertook to carry out audits at least every 12 months to verify the functioning of the platform and the compliance of the treatments.

A hearing was held on 5 October 2022 in which the Company provided further details regarding the activities undertaken to optimize the methods with which the treatments are carried out, describing in detail the timing for the creation of the new CRM system and the substantial investments made both to correct the misalignments resulting from the integration of the systems of the merged companies, and to strengthen the guarantee measures of the treatments.

4. LEGAL ASSESSMENTS

With reference to the factual profiles highlighted above, also on the basis of the declarations of the Company, for which it is liable pursuant to art. 168 of the Code, the following assessments are made in relation to the profiles concerning the regulations on the protection of personal data.

4.1 On the lack of technical and organizational measures

Recalling the considerations made in point 2 and taking into account the clarifications provided by Assiteca in its defence, it is believed that the technical measures adopted were not entirely adequate, in the cases specifically subject to verification, to guarantee processing free from prejudice for data subjects. In fact, they had given rise to technical anomalies which had affected the validity of some records or the validity of the consents expressed by some users. However, in the light of the clarifications provided, it is believed that such conduct can be assessed as limited to the specific events ascertained (without attributing to it the value of a violation of a systematic nature), above all by virtue of the fact that the integration of two different corporate systems had recently been carried out, so that these events can be considered the accidental result of a process that the Company already intended to subject to re-engineering.

With regard to the specific aspects related to the pre-flagged consents (reflecting an already expressed will) and to the processing focused on the quote rather than on the user, although it is clear that these processing methods do not in themselves constitute a violation of the Regulation, it must first be clarified that the absence of a specific legal obligation does not mean that the processing is, for that reason alone, compliant with the provisions of the Regulation. The current legal framework is in fact oriented towards dictating principles rather than specific rules of conduct, given the impossibility of foreseeing every single processing method from the outset. In this context, it is up to the controller to choose the methods most in line with its nature and the type of processing it will have to carry out, as well as, obviously, the solutions available at the state of the art. In the case of a company like Assiteca, which processes data from millions of users for different purposes, where users periodically return to the portals to obtain quotes by adding or overwriting information, it is clear that a method of information management focused on the user rather than on the quote ensures greater clarity for the data subject using the services and therefore constitutes a more appropriate measure for this type of processing. Similar reasoning applies to the choice of presenting the consent boxes already selected (but modifiable) on the basis of previously expressed consents.

However, it is acknowledged that the Company had already planned, even before the inspection, to update its systems and that, at present, all the changes described have been made. For these reasons, no further action is deemed necessary.

4.2 On the clarity of the information

From an examination of the text of the disclosure present on the Company's websites at the time of the investigation, various interpretative doubts had emerged regarding the actual processing carried out, given the literal content of some passages. In particular, point 2.1.e of the disclosure was not sufficiently clear since, although the Company specified that the intent was only to describe the promotional purposes of Assiteca itself, the reference "to third-party companies - to which the data may be communicated - ... " could imply that the promotional purposes concerned subjects other than the owner.

With regard to point 2.1.f, relating to profiling, the purposes of the processing mentioned were heterogeneous (customer satisfaction, statistics, market research, promotions). In this regard, Assiteca clarified that it did not carry out profiling activities aimed at marketing but that it used this treatment only to allow for the development of the risk profile by virtue of its role as an insurance intermediary.

To date, the text of the disclosure has in any case been modified, acknowledging in a clearer way the treatments carried out and the related legal bases.

For these reasons, no further action is deemed necessary.

4.3 Consent to processing for promotional purposes

From the investigations carried out, as described above, it was found that, due to a system bug, the will of some users was not correctly implemented, since some consents were involuntarily registered in the system after the users accessed the e-mail containing the quote. Even if the Company has clarified that the event originated from unintentional problems of a technical nature, the fact remains that for 9,700 users a consent was registered which does not prove their real will and, for 2,155 of these, a consent was acquired that had never been expressed, in violation of articles 6, par. 1, lit. a) and 7 of the Regulation.

Furthermore, with regard to the complainant referred to under number XX, the Company maintained, in its brief, that he had only received a service e-mail and not a promotional communication. However, it should be remembered that the complainant had complained of unwanted telephone contacts (even after his objection) and not of the receipt of an e-mail. From the on-site verification it was possible to ascertain, as reported in the minutes of 1 March 2022, that no consent had been acquired for that number and yet it had been sold for telemarketing campaigns in 2020 and 2021, in the latter year twice even after the objection expressed on 28 January 2021. Therefore it is noted that the processing took place in the absence of the consent of the data subject, in violation of art. 6, par. 1, lit. a) of the Regulation and of art. 130 of the Code.

Given the above, taking into account that the Company has already adopted corrective measures, it is not deemed necessary to impose further requirements, and the conditions for the application of an administrative fine are considered met, pursuant to art. 58, par. 2, lit. i).

4.4 On the retention times of personal data

As described above (see point 6 of paragraph 1), the Company had not taken steps to define in advance the data retention periods for the individual purposes. In its defence, Assiteca, while assuring that it had now precisely defined different retention periods, nevertheless considered that it had acted correctly, since deletion of the data was ensured in the event of revocation of consent for promotional purposes. In support of its arguments, the Company cited a previous ruling by the Guarantor(2) in which it was clarified that consent to the processing of personal data "must be considered valid, regardless of the time that has elapsed, until it is revoked by the data subject". However, it should be noted that the Company has only partially evaluated the ruling it itself cited. The principle expressed by the Guarantor does not, in fact, exempt the controller from the burden of establishing data retention periods a priori; rather, it clarifies precisely that consent must, yes, be considered valid until revoked, but "provided that it was originally acquired correctly and is still valid in the light of the rules applicable at the time of processing as well as the retention periods established by the controller and indicated in the privacy notice".

In this regard, the objection raised in the notice of initiation of the proceeding is confirmed, noting that the processing took place in violation of art. 5, par. 1, lit. e) of the Regulation.

Given the above, taking into account that the Company has already adopted corrective measures, it is not deemed necessary to impose further requirements and the conditions for the application of an administrative-pecuniary sanction are considered complete, pursuant to art. 58, par. 2, lit. the).

5. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

On the basis of the above, several provisions of the Regulation and of the Code have been violated in relation to connected processing operations carried out by Assiteca; art. 83, par. 3, of the Regulation therefore applies, under which, if, in relation to the same processing or to connected processing operations, a controller intentionally or negligently violates several provisions of the Regulation, the total amount of the pecuniary administrative fine does not exceed the amount specified for the most serious violation, with the consequent application of the single fine provided for by art. 83, par. 5, of the Regulation.

For the purpose of quantifying the administrative fine, the aforementioned art. 83, par. 5, in setting the statutory maximum at 20 million euros or, for undertakings, at 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, specifies the method for quantifying that fine, which must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1, of the Regulation), and identifies for this purpose a series of elements, listed in par. 2, to be evaluated when quantifying its amount.

In applying this provision to the present case, having verified, on the basis of the latest available financial statements, that the first of the two alternatives envisaged by the aforementioned art. 83, par. 5, applies, so that the applicable statutory maximum is 20 million euros, the following aggravating circumstances must be considered:

1. the broad scope of the processing, which involved 9,700 data subjects over a period of a few months (Article 83, paragraph 2, letter a), of the Regulation);

2. the seriousness of the violations found, due to the fact that, for 9,700 users, the will they had expressed was misrepresented without their knowledge, exposing their personal data to potential processing for promotional purposes even in the absence of consent (Article 83, paragraph 2, letter a), of the Regulation);

3. the manner in which the Supervisory Authority became aware of the violations, which emerged during an inspection launched ex officio that also took into account some reports and a complaint (Article 83, paragraph 2, letter h), of the Regulation).

As mitigating elements, the following must be taken into account:

1. the intentions of the Company, which, on the basis of the documents on file, do not appear to have been directed at knowingly bringing about the effects of the disputed conduct; this also taking into account the corporate changes that took place and the consequent need to integrate different corporate systems and procedures (Article 83, paragraph 2, letter b), of the Regulation);

2. the timely adoption of corrective measures, some of which had already been started before the inspections, as well as the substantial investments made - already decided before the Guarantor's intervention - to bring the processing into compliance with the rules and to improve users' ability to manage their own personal information (Article 83, paragraph 2, letters c) and d), of the Regulation);

3. the fact that the Company has demonstrated that it responds promptly to requests by data subjects to exercise their rights (Article 83, paragraph 2, letters c) and d), of the Regulation);

4. the absence of previous relevant violations committed by the data controller (Article 83, paragraph 2, letter e), of the Regulation);

5. the high degree of cooperation with the Supervisory Authority (Article 83, paragraph 2, letter f), of the Regulation).

Taking an overall view of the necessary balance between the rights of data subjects and the freedom to conduct a business, and bearing in mind that this is the initial phase of application of the pecuniary administrative sanctions envisaged by the Regulation, the aforementioned criteria must be evaluated prudently, also in order to limit the economic impact of the fine on the organisational, functional and employment needs of the Company.

It is therefore considered that - on the basis of all the elements indicated above and the results of the latest financial statements - an administrative fine equal to 0.6% of the maximum statutory fine of 20 million euros, corresponding to EUR 120,000.00 (one hundred and twenty thousand), should be imposed on Assiteca. The maximum statutory fine is determined with reference to art. 83, par. 5, of the Regulation, taking into account that 4% of Assiteca's turnover, on the basis of the latest available financial statements, is less than 20 million euros.

It should be noted that the conditions set out in art. 17 of the Guarantor's Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor, are met for the annotation of the violations found here in the Authority's internal register provided for by art. 57, par. 1, lit. u) of the Regulation.

It is also considered - given the wide scope of the violations found - that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, this decision should be published on the Guarantor's website, by way of ancillary sanction.

ALL THAT BEING CONSIDERED, THE GUARANTOR

against Assiteca S.p.A., with registered office in Via Costanza Arconati 1, Milan, tax code 09743130156

ORDERS

pursuant to art. 58, par. 2, lit. i), of the Regulation, Assiteca S.p.A., in the person of its legal representative, to pay the sum of EUR 120,000.00 (one hundred and twenty thousand) as a pecuniary administrative fine for the violations indicated in the reasoning; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of EUR 120,000.00 (one hundred and twenty thousand), according to the methods indicated in the attachment, within 30 days of notification of this decision, failing which the consequent enforcement measures will be adopted pursuant to art. 27 of Law no. 689/1981;

DIRECTS

pursuant to art. 166, paragraph 7, of the Code, the full publication of this decision on the Guarantor's website.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as art. 152 of the Code and art. 10 of Legislative Decree no. 150 of 1 September 2011, this decision may be challenged before the ordinary judicial authority, by an appeal lodged with the ordinary court of the place where the data controller has its residence or, alternatively, with the court of the place of residence of the data subject, within thirty days of the date of communication of the decision itself, or sixty days if the appellant resides abroad.

Rome, 15 December 2022

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Scorza

THE SECRETARY GENERAL
Mattei



(1) See Resolution of 22 December 2021 - Ex officio inspection activity carried out by the Guarantor's Office, also through the Guardia di Finanza, for the period January-June 2022, in www.garanteprivacy.it, web doc. no. 9737049.

(2) See decision of 15 October 2020, in www.garanteprivacy.it, web doc. no. 9486485.

[doc. web no. 9860553]

Injunction against Assiteca S.p.A. - December 15, 2022

Register of measures
no. 430 of 15 December 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000;

SPEAKER the lawyer Guido Scorza;

WHEREAS

1. THE INVESTIGATION ACTIVITY

On 28 February, 1 and 2 March 2022 an inspection was carried out at Assiteca SpA to verify the collection of personal data carried out through the websites www.6sicuro.it and www.chiarezza.it, with particular regard to the use of such data for marketing purposes, also through communication to third parties, as well as, in order to check the procedure adopted to reply to the requests of the interested parties. The investigation was initiated ex officio on the basis of the Guarantor's inspection activities for the first half of 2022(1) and also took into account some grievances addressed to the Guarantor for information and a complaint.

Preliminarily, Assiteca, which was born as an insurance broker, clarified that the services provided through the aforementioned portals had been created by 6Sicuro SpA, a company incorporated into Assiteca in July 2021, with separate information systems at the time of the assessment (but in the reengineering).

The on-site checks were carried out by simulating a request for a comparison of car estimates on the websites www.chiarezza.it and www.6sicuro.it and subsequently the corresponding registrations in the Company's systems were verified through direct access to them.

The following is an acknowledgment of what emerged:

1. at the end of filling in the fields on the sites indicated, separate consents were requested for as many processing purposes as well as specific consents for the approval of contractual clauses. With regard exclusively to the consents relating to the processing of personal data, some of them were qualified as "mandatory" and concerned the declaration of acknowledgment of the information and the assent to the communication of data to the insurance companies for the preparation of estimates and for the finalization of the contract. The Company was also informed that the tax inspectors had officially accessed the same sites on 17 February 2022 from which it emerged that on the www.6sicuro.it site the consent relating to "search and profiling" was already selected while in the website www.chiarezza.it all optional consents were already selected; the Company justified this result by clarifying that, during the compilation process, after entering the e-mail address, a query automatically retrieves any consents already given from the database and displays them in this way to the user;

2. during the compilation of the estimate on the website www.chiarezza.it, the user was shown a pop-up with the request "Can we contact you regarding this estimate? YES NO". The company clarified that this functionality was used to allow the user to be contacted even if he did not complete the compilation of the estimate;

3. the Company used the data to send promotional communications via e-mail, sms or telephone contact to subjects present in its database who had given specific consent and transferred this data to third parties, if specific consent was present, for their respective autonomous promotional purposes;

4. the data collected through the preparation of the estimate were logically linked to the estimate and not to the individual user whose data was saved only if the compilation procedure was completed by selecting the "compare prices" button. At the time of the investigation, 5,196,103 e-mail addresses were registered (of which 3,391,809 for which at least one consent was given) and 4,262,923 telephone numbers (of which 2,709,333 for which at least one consent was given) ;

5. after completing the form to obtain the quote, and having made the individual choices regarding the privacy consents to be granted, the user received a confirmation e-mail with a link "go to the quote" to view the results. Testing with the e-mail addresses of the tax inspectors, it was ascertained that, if the button at the bottom of the e-mail was clicked, all optional consents (even if not granted) were automatically set to "yes" in the systems, regardless from the choices made by the user during the compilation;

6. from the register of treatments "addendum 6 safe" it appeared that two types of treatment were identified: i) preparation of insurance estimates; ii) marketing initiatives, transfer of data to third parties, profiling, sending of newsletters. For both, the legal basis of the consent was indicated and the data retention times were "until consent is revoked"; this approach was also confirmed by the statements made during the investigation during which an estimate from 2009 was also found. The Company has however ensured that it has started the assessments for a review of the data retention times and for the migration of the systems on a single platform that will allow management by user and not by estimate;

7. the Company has provided the list of third parties (see minutes of 2 March 2022) who have received personal data to be used for marketing purposes (for a total of 25,399,805 users). However, these subjects were not present (or were only minimally present) in the list of third-party data transfer companies published on the two sites and reachable via the appropriate link in point 6 of the privacy information. This verification was carried out by the Office both on 21 February 2022 and on 16 June 2022;

8. the tax inspectors provided a list of 863 mobile users for which they were asked to provide evidence of the history of consents and use in promotional campaigns. The first two numbers of the list were also examined and it was found that number XX was acquired in 2009 and modified in 2014 but reported the date of the last modification as 01/01/1901;

9. the tax inspectors asked to carry out checks on the consents issued by three subjects who in 2021 had sent reports and complaints to the Guarantor for the receipt of promotional messages from 6Sicuro SpA despite the opposition: from the extractions carried out in the backend database it emerged that for two whistleblowers, consent was revoked for marketing purposes on the dates indicated in the reports, while the data of one whistleblower (mobile XX) who had never given any consent had been used in January and March 2021 for telemarketing activities.

With a note dated March 18, 2022, the Company sent a supplementary memorandum, resolving reserves, in which it confirmed the update of the organizational and technical measures taken to completely integrate the 6Sicuro unit, acquired in July 2021. In particular, Assiteca declared that it had purchased a Customer Relationship Management (CRM) platform in order to unify the functions of the various company sectors, currently separate, to also allow each user to access their own personal area on the two sites in order to verify their information and autonomously manage the consents. The entire process of modifying company procedures has been accounted for by attaching the related implementation times.

With regard to the specific information that has remained reserved, Assiteca:

a) in relation to the in-depth analysis relating to the problem described in point 5 of the previous list, he declared that a system bug was detected which involved approximately 9,700 master data. The Company declared that it would proceed within the month of March to: i) correct the error, ii) restore the status of the consents, iii) inform any third parties to whom the data had been communicated;

b) provided detailed elements regarding the 863 numbers provided by the tax inspectors;

c) with regard to the anomaly described in point 8 above, the Company considered that it "is attributable to an IT error generated by session interruptions in the context of the data import process from the old to the new IT infrastructure". Since it was not possible to restore the original consents, the anomaly was reported in the systems by adding a fictitious date. However, the problem concerned only 9 users;

d) with regard to the requests to exercise the rights received from interested parties in 2021, the Company declared that they amount to 120,894 of which 98.88% have already been managed;

e) with regard to the pop-up generated while completing the questionnaire, the Company, following the outcome of the checks carried out, declared that no data was kept if the request for a quote was not completed. Therefore, said pop-up would be just a mere typo, deriving from subsequent interventions of a graphic nature, without any consequence in the retention of data and has therefore been removed.

Furthermore, the Company deemed it necessary to provide further clarifications regarding the fact that, when accessed ex officio by the Guarantor's officials, some consents were pre-flagged; the Company confirmed that, at the time of the verification, a procedure was in place which, by recognizing the telephone number, presented the interested party with the latest status of the consents collected. However, it was assured that this procedure would be passed by March 31, 2022.

Finally, on April 7, 2022, the Company spontaneously supplemented the information provided, acknowledging the updates made. In particular, he stated:

a) to have completed the procedure for verifying and correcting the system bug that had led to the undue change of consent for users who had clicked on the "go to quote" button. In this regard, the Company specified that of the approximately 9700 users involved, in reality only 2155 users had undergone the change of consent since in the remaining cases there had only been an overwriting of a consent already given;

b) to have completed the management of the residual requests for revocation of consent not yet processed at the time of presentation of the brief of 18 March 2022;

c) to have definitively suppressed the function that allowed the presentation of the pre-flagged consent in the case of contact data already present in the database.

2. DISPUTING INFRINGEMENTS

Based on the results of the inspection activity, the Company was notified of the start of the proceeding pursuant to art. 166, paragraph 5, of the Code.

On that occasion, the Office considered that there was a picture of overall lack of technical and organizational measures by the controller. This was due to various system errors which had led to circumventing the will expressed by the interested parties with the consequent sending of promotional messages and with the consequent communication to third parties in the absence of a suitable consent (as in fact occurred in the case of the whistleblower referred to in number XX). Even the clarification that of the 9,700 users, "only" 2,155 had been affected by the modification of the consent, did not exempt the other 7,545 from prejudice since for the latter the overwriting of the consent in any case constituted a misrepresentation of the will of the interested party who, despite having given the consent previously, he may not have wanted to give it by filling in a subsequent estimate (therefore also the previous consent should have been considered revoked and was instead confirmed).

It has been observed that the system setup itself, which centered the registry on the basis of the estimate and not of the user, did not allow correct management over time of the will of the interested party who, in the absence of registration as a user in a specific area personnel, could not even make use of the right to verify/modify the data released and the consents given (unless, of course, by writing directly to the Company).

With regard, however, to the suitability of the consents acquired, it was observed that the Company - as described in the privacy information - based the processing for marketing purposes, communication to third parties and profiling on consent. Furthermore, with regard to the "communication and commercial purposes" (point 2.1.e of the information), taking into account the numerous individual consents that were requested at the end of the estimate, it was considered difficult to understand whether this treatment concerned promotional communications from Assiteca or (also or exclusively) communication to third parties for their own promotional purposes. Furthermore, again with regard to communication to third parties, it did not appear that the list of data transferees reported the companies to which such data had actually been transferred. Furthermore, the purposes indicated in point 2.1.g of the information were numerous, heterogeneous and in fact permitted "for any reason".

Instead, with regard to profiling, the purpose of this treatment was not clarified in the information. In point 2.1.f. of the information, entitled "research and profiling purposes" the purpose of the treatment was defined as follows: "carrying out checks concerning the level of satisfaction of Assiteca customers; research and elaboration of statistics, also anonymously, as well as studies and market research, user profiling also with electronic tools". This generic wording would suggest that the profiling activity was mainly aimed at carrying out statistical analyses. However, in point 4 of the disclosure it was stated that failure to provide consent would have made it impossible "for Assiteca to analyze the consumption habits of the interested party in order to process and send specific offers based on the preferences of the same". Here, therefore, the purpose of profiling would seem to be to convey personalized promotional communications.

On these assumptions, it was considered that any consent obtained could not have been considered de facto informed and, consequently, free since the purpose for which the profiling was carried out on the data provided was not clear and, consequently, the concerned was unable to assess the consequences of such processing. Similar considerations were made for communication to third parties and for marketing purposes.

Furthermore, it was noted that "mandatory consents" were requested, a term which in fact represents an oxymoron since, as is well known, consent is characterized by the requirement of freedom. It was therefore assumed that the Company had not adequately assessed the most appropriate legal basis for such processing or had misunderstood as a request for consent the mere declaration of acknowledgment of the information.

Finally, despite having documented that it had initiated investigations, it does not appear that the Company had ever defined the data retention times, which were not specified in the information, with the result that the data collected had never been cancelled.

Therefore, while taking into account the fact that the Company had taken note of the errors found and had corrected them (or had started the procedures for the necessary modifications), it was considered that the treatments thus described had led to the violation of the articles 5, par. 1, lit. a), d) and e), 6, par. 1, lit. a), 7, 13 and 24 of the Regulation and the violation of art. 130 of the Code.

3. THE DEFENSE OF THE COMPANY

With a note dated 19 September 2022, Assiteca sent a defense brief, the contents of which are understood to be referred to in full here, in which it provided detailed clarifications regarding the objections raised by the Office, acknowledging the corrective measures punctually adopted.

In particular, the Company, with regard to the general charge of lack of adequate measures to guarantee the compliance of the treatments, recalled that the merger by incorporation of 6Sicuro S.p.A. it had also led to the need to integrate the related information systems, with the consequent risk of misalignments. For these reasons, Assiteca had started negotiations - as early as October 2021 and therefore well before the inspection by the Guarantor - for the acquisition of a new CRM system. The systems engineering procedure, which required a lot of time and several modifications, was completed in September 2022 resulting in a new version of the 6sicuro.it andclarity.it websites, much more user friendly and focused on the user rather than on the budget . Therefore, the anomalies detected during the inspection by the Guarantor were to be considered as limited effects attributable to the misalignment of the systems and not to a systematic lack of security measures. Furthermore, all the technical anomalies detected were corrected immediately after the inspection.

With regard to other disputed aspects - attributable to the comprehensibility of the treatments by the interested parties - the Company, although deeming that it has adopted methods already compliant with the rules, has taken steps to implement corrective measures in order to improve the understanding by users avoiding any misunderstandings. In particular:

- with regard to the clarity of the privacy information, it proceeded to reformulate the text and communicated it extensively to users;

- with regard to the presence of pre-flagged consents which acknowledged the preferences already registered in the system, while not deeming that this method constituted a violation, the Company took steps to eliminate this functionality on 22 March 2022, therefore well before receiving the the act of initiation of the procedure;

- with regard to the forms of consent whose acceptance was mandatory, it proceeded to clearly distinguish requests for "consent" from mere "acknowledgement" and from declarations of another nature.

Finally, the Company confirmed that it had defined the data retention times for the various purposes and undertook to carry out audits at least every 12 months to verify the functioning of the platform and the compliance of the treatments.

A hearing was held on 5 October 2022 in which the Company provided further details regarding the activities undertaken to optimize the methods with which the treatments are carried out, describing in detail the timing for the creation of the new CRM system and the substantial investments made both to correct the misalignments resulting from the integration of the systems of the merged companies, and to strengthen the guarantee measures of the treatments.

4. LEGAL ASSESSMENTS

With reference to the factual profiles highlighted above, also on the basis of the declarations of the Company for which one responds pursuant to art. 168 of the Code, the following assessments are made in relation to the profiles concerning the regulations on the protection of personal data.

4.1 On the lack of technical and organizational measures

Recalling the considerations made in point 2 and taking into account the clarifications provided by Assiteca in its defence, it is believed that the technical measures adopted were not entirely adequate - in the cases specifically subject to verification - to guarantee a treatment that was free from prejudices for the interested. In fact, they had given rise to technical anomalies which had affected the validity of some registrations or the validity of the same consents expressed by some users. However, in the light of the clarifications provided, it is believed that such conduct can be assessed limited to the specific events ascertained (without attributing the value of a violation of a systematic nature), above all by virtue of the fact that the integration of two different corporate systems had recently been carried out , being able to consider these events as the accidental result of a process that the Company already intended to subject to re-engineering.

With regard to the specific aspects related to the pre-flagged consents (due to an already expressed will) and to the treatment focused on the quote rather than on the user, although it is clear that these methods of treatment do not in themselves constitute a violation of the , it must first be clarified that the fact that there is no specific legal obligation does not mean that the treatment is, for that alone, compliant with the provisions of the Regulation. The current legal framework is in fact oriented towards dictating principles rather than specific rules of conduct, due to the impossibility of foreseeing every single treatment method from the outset. In this context, it is up to the owner to choose the methods most in line with his nature and the type of treatment he will have to carry out as well as, obviously, the solutions available at the state of the art. In the case of a company like Assiteca, which processes data from millions of users for different purposes, where users periodically return to the portals to make estimates by adding or overwriting information, it is clear that a method of information management focused on the user rather than on the quote ensures greater clarity for the person concerned who is using the services and therefore constitutes a more appropriate measure for the type of treatment. A similar reasoning can be made regarding the choice of presenting the consent boxes already selected (but modifiable) on the basis of previously expressed consents.

However, it is acknowledged that the Company had already planned, even before the inspection, to update its systems and that, at present, all the changes described have been made. For these reasons, no further action is deemed necessary.

4.2 On the clarity of the information

From an examination of the text of the disclosure present on the Company's websites at the time of the investigation, various interpretative doubts had emerged regarding the actual processing carried out, given the literal content of some passages. In particular, point 2.1.e of the disclosure was not sufficiently clear since, although the Company specified that the intent was only to describe the promotional purposes of Assiteca itself, the reference "to third-party companies - to which the data may be communicated - ... " could imply that the promotional purposes concerned subjects other than the owner.

With regard to point 2.1.f, relating to profiling, the purposes of the processing mentioned were heterogeneous (customer satisfaction, statistics, market research, promotions). In this regard, Assiteca clarified that it did not carry out profiling activities aimed at marketing but that it used this treatment only to allow for the development of the risk profile by virtue of its role as an insurance intermediary.

To date, the text of the disclosure has in any case been modified, acknowledging in a clearer way the treatments carried out and the related legal bases.

For these reasons, no further action is deemed necessary.

4.3 Consent to processing for promotional purposes

From the investigations carried out, as described above, it was found that, due to a system bug, the will of some users was not correctly implemented since some consents were involuntarily given to the system after accessing the e-mail containing the estimate. Even if the Company has clarified that the event originated from involuntary problems of a technical nature, the fact remains that for 9,700 users a consent was registered which does not prove the real will and, for 2,155 of these, a consent was acquired consent that had never been expressed, in violation of articles 6, par. 1, lit. a) and 7 of the Regulation.

Furthermore, with regard to the person who made the report referred to in number XX, the Company maintained, in its brief, that he had only received a service e-mail and not a promotional communication. However, it should be remembered that the complainant had complained of unwanted telephone contacts (even after objecting) and not of the receipt of an e-mail. From the on-site verification it was possible to ascertain, as reported in the report of 1 March 2022, that no consent had been acquired for that telephone number and yet it had been sold for telemarketing campaigns in 2020 and 2021, in the latter year twice, even after the objection expressed on 28 January 2021. Therefore it is noted that the processing took place in the absence of the consent of the data subject, in violation of art. 6, par. 1, lit. a) of the Regulation and of art. 130 of the Code.

Given the above, taking into account that the Company has already adopted corrective measures, it is not deemed necessary to impose further requirements, and the conditions for the application of a pecuniary administrative sanction pursuant to art. 58, par. 2, lit. i) are considered met.

4.4 On the retention times of personal data

As described above (see point 6 of paragraph 1), the Company had not taken steps to define in advance the data retention times for the individual purposes. In its defence, Assiteca, while assuring that it had now precisely defined different retention times, nevertheless considered that it had acted correctly, since the deletion of the data was ensured in the event of revocation of consent for promotional purposes. In support of its arguments, the Company mentioned a previous decision of the Guarantor(2) in which it was clarified that consent to the processing of personal data "must be considered valid, regardless of the time that has elapsed, until it is revoked by the data subject". However, it should be noted that the Company has only partially evaluated the decision it itself cited. The principle expressed by the Guarantor, in fact, does not exempt the controller from the burden of establishing data retention times a priori, but rather clarifies precisely that consent must indeed be considered valid until revoked, but "provided that it was originally acquired correctly and is still valid in the light of the rules applicable at the time of processing, as well as the retention times established by the controller and indicated in the privacy notice".

In this regard, the charge raised in the notice initiating the proceedings is confirmed, noting that the processing took place in violation of art. 5, par. 1, lit. e) of the Regulation.

Given the above, taking into account that the Company has already adopted corrective measures, it is not deemed necessary to impose further requirements, and the conditions for the application of a pecuniary administrative sanction pursuant to art. 58, par. 2, lit. i) are considered met.

5. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

On the basis of the above, various provisions of the Regulation and of the Code have been violated in relation to connected processing operations carried out by Assiteca, for which it is necessary to apply art. 83, par. 3, of the Regulation, on the basis of which, if, in relation to the same processing or related processing operations, a data controller violates, with intent or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation, with consequent application of the sole sanction provided for by art. 83, par. 5, of the Regulation.

For the purpose of quantifying the administrative fine, the aforementioned art. 83, par. 5, in setting the statutory maximum at 20 million euros or, for companies, at 4% of the total worldwide annual turnover of the preceding year, where higher, specifies the methods for quantifying the fine, which must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1, of the Regulation), identifying, for this purpose, a series of elements, listed in par. 2, to be evaluated when quantifying the relative amount.

In fulfilment of this provision, in the present case, having verified, on the basis of the latest available financial statements, that the first hypothesis envisaged by the aforementioned art. 83, par. 5 applies, and having therefore quantified the applicable statutory maximum at 20 million euros, the following aggravating circumstances must be considered:

1. the wide scope of the processing, which involved 9,700 data subjects for a few months (Article 83, paragraph 2, letter a), of the Regulation);

2. the seriousness of the violations detected, due to the fact that, for 9,700 users, the will they had expressed was misrepresented without their knowledge, exposing their personal data to potential processing for promotional purposes even in the absence of consent (Article 83, paragraph 2, letter a), of the Regulation);

3. the manner in which the Supervisory Authority became aware of the violations, which emerged during an inspection activity, launched ex officio taking into account some reports and a complaint (Article 83, paragraph 2, lett. h), of the Regulation).

As mitigating elements, it is considered necessary to take into account:

1. the intentions of the Company which, on the basis of what has been acquired in the file, do not appear aimed at knowingly bringing about the effects of the disputed conduct; this also taking into account the corporate changes that have taken place and the consequent need to integrate different corporate systems and procedures (Article 83, paragraph 2, letter b), of the Regulation);

2. the timely adoption of corrective measures, some of which were already started before the inspections, as well as the substantial investments made (already decided before the intervention of the Guarantor) to make the processing compliant with the rules and to improve the management of personal information by users (Article 83, paragraph 2, letters c) and d), of the Regulation);

3. the fact that the Company has represented that it responds in a timely manner to requests for the exercise of rights by data subjects (Article 83, paragraph 2, letters c) and d), of the Regulation);

4. the absence of previous relevant violations committed by the data controller (Article 83, paragraph 2, letter e), of the Regulation);

5. the high degree of cooperation in interaction with the Supervisory Authority (Article 83, paragraph 2, letter f), of the Regulation).

With an overall view of the necessary balance between the rights of the interested parties and the freedom to do business, taking into account that the Company, and in the initial application of the pecuniary administrative sanctions envisaged by the Regulation, it is necessary to evaluate the aforementioned criteria prudently, also in order to limit the economic impact of the fine on the organisational, functional and employment needs of the Company.

Therefore, it is considered that, on the basis of all the elements indicated above and the results of the latest financial statements, the administrative sanction of payment of a sum equal to 0.6% of the maximum statutory sanction of 20 million euros should be applied to Assiteca, corresponding to Euro 120,000.00 (one hundred and twenty thousand). The maximum statutory sanction is identified with reference to the provisions of art. 83, par. 5 of the Regulation, taking into account that 4% of Assiteca's turnover, on the basis of the latest available financial statements, is less than 20 million euros.

It should be noted that the conditions set out in art. 17 of the Guarantor's Regulation no. 1/2019, concerning internal procedures having external relevance aimed at carrying out the tasks and exercising the powers entrusted to the Guarantor, are met for the annotation of the violations detected here in the internal register of the Authority provided for by art. 57, par. 1, lit. u) of the Regulation.

It is also considered, given the vast extent of the violations detected, that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, it is necessary to proceed with the publication of this provision on the Guarantor's website, by way of ancillary sanction.

ALL THAT BEING CONSIDERED, THE GUARANTOR

against Assiteca S.p.A., with registered office in Via Costanza Arconati 1, Milan, tax code 09743130156

ORDERS

pursuant to art. 58, par. 2, lit. i), of the Regulation, Assiteca S.p.A., in the person of its legal representative, to pay the sum of 120,000.00 (one hundred and twenty thousand) euros as an administrative fine for the violations indicated in the grounds; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 120,000.00 (one hundred and twenty thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, failing which the consequent enforcement measures will be adopted pursuant to art. 27 of Law no. 689/1981;

DIRECTS

pursuant to art. 166, paragraph 7, of the Code, the full publication of this provision on the Guarantor's website.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as art. 152 of the Code and art. 10 of Legislative Decree no. 150 of 1 September 2011, an appeal against this provision may be lodged with the ordinary judicial authority, by way of an application filed with the ordinary court of the place where the data controller has its residence, or, alternatively, with the court of the place of residence of the data subject, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 15 December 2022

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Scorza

THE SECRETARY GENERAL
Mattei
(1) See Resolution of 22 December 2021, "Inspection activity on the initiative of the Guarantor's Office, also through the Guardia di Finanza, limited to the period January-June 2022", in www.garanteprivacy.it, web doc no. 9737049.

(2) See decision of 15 October 2020, in www.garanteprivacy.it, web doc no. 9486485.