Garante per la protezione dei dati personali (Italy) - 9870014

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 7 GDPR
Article 13 GDPR
Article 14 GDPR
Article 24 GDPR
Article 25 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 23.02.2023
Published:
Fine: 300.000 EUR
Parties: Ediscom S.p.A.
National Case Number/Name: 9870014
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante (Italy) (in IT)
Initial Contributor: mg

The Italian DPA fined Ediscom S.p.A. € 300.000. The controller violated several provisions of the GDPR when collecting personal data for marketing purposes both directly on its websites and from third parties.

English Summary

Facts

The controller, Ediscom S.p.A., was a marketing company whose business consisted of contacting potential customers on behalf of third-party vendors through SMS, emails and automated calls. To conduct this activity, the company made use of an extensive database including the contact details of more than 21 million people. Personal data were collected both directly by Ediscom and by third parties. In general, Ediscom acknowledged acting as a controller. However, in some cases Ediscom rented databases from third parties with the aim of monetising them. Although costs and profits were shared, Ediscom considered itself a processor on behalf of the owners of such databases.

Ediscom regularly received withdrawals of consent and erasure requests. As Ediscom relied on several databases with partially overlapping data, it usually recorded these requests in blacklists so as to avoid re-importing the same data from another source and using them again. Whenever it considered itself to be operating as a processor, Ediscom notified the original controller of the erasure or withdrawal requests.

Some data subjects claimed to have objected to the processing for marketing purposes, yet they still received calls and messages from Ediscom. In the context of these complaints, the Italian DPA started a broader investigation into Ediscom's business practices. The investigation concerned both the websites used by the controller to collect personal data directly and the personal data disclosed to Ediscom by third parties.

On several websites managed by Ediscom, users were invited to take part in lotteries or to subscribe to cooking or health newsletters. In theory, users could choose whether Ediscom was allowed to use and share their data for marketing purposes. In practice, the supervisory authority identified numerous GDPR violations.

Several GDPR infringements could also be found with regard to personal data originally collected by third parties.

Holding

Data directly collected by the controller

The DPA found that the websites managed by Ediscom made extensive use of prohibited dark patterns in the collection of consent. Typically, once the user had already denied consent to marketing purposes, a new window popped up asking again for the same consent. Moreover, when browsing some of the websites, users had the option to click on a link which brought them to another website managed by Ediscom. By clicking on the link, the data subject imported all their data to the second website, where the consent denied on the first one was automatically given. For these reasons, the DPA identified violations of Articles 5(1)(a), 6(1)(a), 7(2) and 25 GDPR.

The data collected by the websites were also excessive in light of purpose limitation and data minimisation. Ediscom asked many unnecessary questions, such as users’ annual income, family status or job. Some of these questions were mandatory, while in other cases the option to ignore or skip them was not clearly visible. According to the supervisory authority, this technique was clearly used to profile data subjects in the absence of specific consent for targeted advertising. Therefore, Articles 5(1)(a) to (c), 6 and 7 GDPR were violated.

On one of the websites examined, there was no privacy policy and no statement concerning the identity of the controller. This entailed a violation of Articles 5(1)(a) and 13 GDPR.

Finally, Ediscom asked users to provide personal data of “friends” potentially interested in the same services. These questions concerning unaware third-party data subjects, although not mandatory, could not rely on any valid legal basis and consequently violated Articles 6 and 14 GDPR.

Data collected through the sharing of third parties’ databases

Concerning the role played by Ediscom in the processing of data obtained from third parties, the Italian DPA found that its self-qualification as a data processor was inappropriate. Indeed, the company determined the purposes and means of the processing even when managing third parties’ databases. Moreover, by denying its responsibility as a controller, Ediscom did not allow users to exercise their rights under Articles 17 and 21 GDPR, with the result that data subjects who had already objected to the processing, and had initially been put in a blacklist, were contacted again because they appeared in a third party’s database. Ediscom claimed it could not comply with the data subjects’ requests and merely shifted responsibility onto a different company, which in turn denied being the controller.

The DPA also found that the checks performed by Ediscom on the lists provided by third parties were not adequate. Such checks should guarantee that the consent on which the processing relied was valid. However, among other deficiencies, Ediscom chose to rely only on the IP addresses provided by third parties to ascertain that consent had been validly collected. A more effective option, the DPA stressed, would have been to rely on confirmation emails sent by the original controller to the people involved. In any case, the complaints from which the investigation originally started showed that Ediscom’s checks did not achieve their goal. Thus, the controller infringed Articles 5(2) and 24 GDPR.

In light of all the above, the Italian DPA fined Ediscom €300.000.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO: Newsletter of April 17, 2023

[doc. web no. 9870014]

Prescriptive and sanctioning measure against Ediscom S.p.A. - February 23, 2023

Register of measures
no. 51 of 23 February

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

In today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Cons. Fabio Mattei, secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD TO the documentation on file;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000;

SPEAKER Dr. Agostino Ghiglia;

WHEREAS

1. THE INVESTIGATION ACTIVITY

1.1 Elements acquired through verifications carried out on site

On 22 and 23 November 2021, in accordance with the planning of the inspection activities of the Guarantor and on the basis of some complaints received, inspections were carried out at Ediscom S.p.A. (hereinafter, Ediscom or Company) aimed at verifying the databases used for marketing purposes, the criteria for selecting suppliers and the ability to respond to requests from interested parties.

The company, founded in 2006, today carries out promotional campaigns for medium-large customers via text messages and e-mails and, only recently, via automated calls. Ediscom's activity consists in conveying the messages received from the client to the subjects present in its database; this activity is carried out directly by Ediscom without transmitting data to the customer. Residually, the Company also offers the list rental service for telemarketing. In this case, the lists are extracted from the database according to criteria indicated by the customer and are conveyed to this by accessing https with login and password.

To carry out its business, the Company makes use of a database containing the data of 21 million interested parties. The database is made up of data collected directly by the Company and data provided by third parties; in particular there are:

1. data collected by Ediscom through its portals containing news, curiosities, cooking recipes or prize contests; during the inspection, Ediscom declared that the data are acquired immediately upon submission, so no confirmation message is sent for a double opt-in; the checks subsequently carried out by the Office starting from the web addresses indicated by the Company are illustrated below;

2. data acquired from third party database suppliers, for which the Company operates as an independent data controller; from the contracts produced it can be seen that Ediscom purchases entire lists of data produced by subjects who have collected them online through portals dedicated to prize competitions or the search for offers;

3. data acquired from third parties who want to monetise the databases they set up for the provision of various services: in this case Ediscom acts as data processor. From the contracts produced it emerges that the database is offered on hire and costs and revenues are shared between Ediscom and the list supplier; the database remains the property of the person who formed it and Ediscom undertakes to enhance it by using the data contained therein to convey promotional messages from third parties, its customers; the data subject to this arrangement are only those which, based on a deduplication activity, are not already available to Ediscom.

With regard to the requests for erasure or withdrawal of consent received from data subjects, the Company declared that it records them in the database by simultaneously entering the data in a blacklist in order to avoid re-importing the same data when acquiring new lists from third parties. In cases in which Ediscom acts as data processor (as described in point 3 of the list above), the requests of the data subjects are also communicated to the respective controllers.

On 23 November 2021, access was made to the database in which Ediscom records the data of the subjects that can be contacted. In particular, the checks were carried out starting from the data of some interested parties who had submitted complaints or reports to the Guarantor.

In almost all cases examined, it appeared that the data subjects' data had been provided by the partner XX, based in Germany. In this regard, the Company declared that the aforementioned XX, acting as an intermediary (data broker), had conveyed lists compiled by third parties (list editors) who, based on what was acquired in the documents, were all based outside the EU (XX, XX and XX). The Company specified that it has no direct contact with the suppliers of these lists, as these are conveyed only through XX.

The General Contract Conditions are attached to each order form, from which it can be seen that XX undertakes to permanently transfer personal data collected from third parties to Ediscom, guaranteeing the lawfulness of the collection and the existence of suitable consent to the treatment.

With regard to the checks carried out on the lists acquired from third parties, Ediscom stated that:

- the landing page, containing the data collection form, is observed, simulating a registration to verify the collection of free and specific consents;

- a compliance check of the privacy information is carried out;

- the supplier is required to send, for each contact, the relative proof of the consents expressed (IP address, date and time of registration, type of consents expressed, registration URL); this is also useful for providing prompt response to any requests from interested parties.

In this regard, the Company has produced documentation containing the checks carried out on some of the websites used by the partners to collect personal data and the related consents (see attachment 7-quater Verifiche_db, subfolder "User experience controls"). This documentation contains, for each of the sites examined, the pages that can be viewed by the user and the privacy information. The date of these accesses is not documented.

The Company also clarified that, in some cases in which the lawfulness of the processing was not sufficiently proven, it refused database offers (see annex 7-quater to the report of 23 November 2021).

During the investigations, the tax inspectors pointed out that the list provider XX (from which the data of some reporting parties were supplied, through XX) did not indicate in the privacy notice the contact details of its representative in Italy (being a non-EU controller) as required by art. 27 of the Regulation. The Company, when questioned on the point, admitted that it had not noticed this.

With regard to the individual accesses made to the users subject to the report, it is noted in particular that:

1) in the case of the reporting party XX, mobile phone XX, it appears that the contact had been deleted from the Ediscom database on 14 December 2017 and then acquired again on 1 October 2020 via "SponsorG Checkmate" (and deleted the following month); however, this user was included in five promotional campaigns in 2019, probably because the reporting party was also present at the same time in the database provided by XX (from which it was deleted on 2 January 2020): XX is qualified as data controller of a database managed by Ediscom. Furthermore, with regard to this reporting party, it is noted that Ediscom replied directly to the data subject with an email dated 24 November 2020 in which it declared that the data, in the period complained of, had been extracted from the database of XX, based in Spain, and that Ediscom processed them as a processor. An examination of the access certification provided by XX (and forwarded to the reporting party) shows that Mr. XX's data were acquired through registration on the https://it.bestdeals-bc.com portal on 22/01/2020, but a specific consent to communication to third parties for promotional purposes is not documented there either. Indeed, in this certification the editor specifies the following regarding the consent: "that in the form of participation received it is clear that the user has granted XX free and express consent for the processing of his personal data for marketing purposes, accepting the privacy policy, terms of use and lottery rules…”; it should be noted that no contractual documentation has been provided for partner XX, nor is it explicitly mentioned in the list of partners provided during the investigation (see annex 2-bis to the minutes of 23 November 2021);

2) in the case of the reporting party XX, mobile phone XX, it appears that the Company manually deleted the data subject from the database on 13 November 2020, since he had directly asked Ediscom to delete his data and had objected to receiving further promotional contacts. However, the reporting party's contact was re-entered into the database on 1 June 2021 following the acquisition of the XX database.
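Both cases above share the same failure: the data subject's objection was honoured by deleting the record, but the next supplier list re-created it. The example below is added here and is not Ediscom's code or anything from the decision; it shows the control the Garante expected, a suppression list that survives deletion of the record and is matched on normalised identifiers at import time, so that differences in letter case or phone-number formatting between supplier lists cannot bypass it. Field names, the Italian default country code and all contact data are constructed assumptions.

```python
import re
from dataclasses import dataclass, field


def normalise_email(value: str) -> str:
    """Lower-case and trim, so 'Mario.Rossi@Example.IT ' and 'mario.rossi@example.it' match."""
    return value.strip().lower()


def normalise_phone(value: str, default_cc: str = "39") -> str:
    """Reduce a phone number to '+<country code><digits>'.

    Assumed convention: numbers without an international prefix are treated as
    Italian (default_cc='39'); both '00' and '+' international prefixes are accepted."""
    digits = re.sub(r"\D", "", value)
    if value.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    return "+" + default_cc + digits


def contact_keys(contact: dict) -> set:
    """Every identifier under which a contact can be recognised, normalised."""
    keys = set()
    if contact.get("email"):
        keys.add(("email", normalise_email(contact["email"])))
    if contact.get("phone"):
        keys.add(("phone", normalise_phone(contact["phone"])))
    return keys


@dataclass
class SuppressionList:
    """Identifiers of data subjects who objected or asked for erasure.

    The entry is kept after the contact record itself is deleted: it is what
    stops the next supplier list from re-creating the contact."""
    entries: dict = field(default_factory=dict)   # identifier key -> reason

    def add(self, contact: dict, reason: str) -> None:
        for key in contact_keys(contact):
            self.entries[key] = reason

    def reason_for(self, contact: dict):
        for key in contact_keys(contact):
            if key in self.entries:
                return self.entries[key]
        return None


def import_list(contacts, suppression: SuppressionList, existing: set):
    """Apply the suppression list, then de-duplication, to an incoming supplier list.

    Returns (accepted, rejected); each rejected item is (contact, reason).
    `existing` holds the identifier keys already in the database and is updated in place."""
    accepted, rejected = [], []
    for contact in contacts:
        reason = suppression.reason_for(contact)
        if reason is not None:
            rejected.append((contact, "suppressed: " + reason))
            continue
        keys = contact_keys(contact)
        if keys & existing:
            rejected.append((contact, "duplicate: already in database"))
            continue
        existing |= keys
        accepted.append(contact)
    return accepted, rejected


# --- constructed sample data (not from the decision) ------------------------
SUPPRESSED = SuppressionList()
# A data subject who asked for erasure and objected to further marketing contact.
SUPPRESSED.add({"email": "mario.rossi@example.it", "phone": "+39 333 1234567"},
               "objection and erasure request recorded 2020-11-13")

INCOMING = [  # a new supplier list; note the differing case and number formats
    {"email": "Mario.Rossi@Example.IT", "phone": "0039 333 1234567"},
    {"email": "anna.bianchi@example.it", "phone": "+39 347 7654321"},
    {"email": "ANNA.BIANCHI@example.it"},   # same person, second record in the batch
    {"phone": "333 1234567"},               # phone-only record of the suppressed subject
]


def demo():
    """Run the import against an empty database; returns (accepted, rejected)."""
    return import_list(INCOMING, SUPPRESSED, existing=set())


if __name__ == "__main__":
    accepted, rejected = demo()
    print(f"accepted {len(accepted)}, rejected {len(rejected)}")
    for contact, reason in rejected:
        print(" -", contact, "->", reason)
```

Of the four incoming records only Anna Bianchi's first record is accepted: Mario Rossi is caught twice (once by email despite the changed case and the `0039` prefix, once by a phone-only record), and the second Anna Bianchi record is rejected as a duplicate. A suppression list that compared raw strings would have let the first and fourth records through, which is exactly the re-import seen in the two cases above.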

The use of the contact details of the complainant XX was also checked. The latter, in a complaint to the Guarantor, complained that he had received a promotional email on behalf of XX and that he had not been able to obtain a clear answer regarding the origin of his data. This was because all the subjects involved in the promotional activity had declined responsibility, referring, lastly, to a company based in England (XX). Ediscom, already made aware of the facts by XX himself through a request to exercise his rights, declared that the data had been extracted from the database of XX (based in Spain), defined as an "affiliate" of XX, a partner of Ediscom to whom XX had entrusted the service. XX, in turn, declared that it had acquired the data from XX. In this regard it must be added that the complainant, after receiving a similar response from XX, carried out further research (also verified by the Guarantor's Office) demonstrating that on the date of the alleged acquisition of his data by XX (in 2018), the site indicated as the source of the data was actually a showcase site of a political party, without any data collection form or consent boxes to be selected for promotional purposes. XX has, moreover, only been registered in the English register of companies since 2021.

After receiving these precise observations from the complainant, and not having received suitable feedback from XX, Ediscom sent a warning to XX and to XX regarding further uses of XX's lists and proceeded to insert Mr. XX's data in the blacklist (see Annex 7-ter to the minutes of 23 November 2021).

With regard to the contractual relationship with XX, during the investigation the Company produced a partnership agreement signed on 11 October 2011 between Ediscom, XX and XX (attachment 7-bis to the minutes of 23 November 2021). This contract only refers to the possibility of jointly managing the promotional campaigns acquired by one of the three contracting parties, with the recognition of a percentage of the earnings. Together with this contract, the Company produced a deed of appointment as data processor in which XX is the data controller and Ediscom the processor, as well as another deed of appointment as data processor in which instead Ediscom is the data controller and XX the processor.

1.2 Elements acquired through the checks carried out on the basis of the documentation delivered by the Company

On 21 and 22 March 2022, official checks were carried out on the websites indicated by the Company as sources from which to acquire personal data directly (see attachment 4 to the report of 22 November 2021).

First of all, it was found that all the sites referred to the same Ediscom privacy policy, which was updated on 3 March 2022. However, the website www.testadiquiz.it did not present any reference on the home page to the owner of the site, nor did it make the privacy information available before data collection (the link to the information was shown only at the end of the process, in the consent collection checkbox).

All the sites indicated had a form for entering personal data and the same consent acquisition boxes, with the possibility of expressing a separate consent for marketing purposes by Ediscom and for communication to third parties for marketing purposes.

The following is observed:

a) while in some portals the registration closed with a message informing of the sending of a confirmation email, in other cases the process ended with the submit command, following which the data should have been directly acquired in the system, as also declared during the inspections; with regard to the website www.rispondievinci.it, the process concluded with the message “Thank you for taking part in the competition. You will shortly receive the information via email to verify if you have won the prize”;

b) on the same sites that allowed registration without a confirmation email, if the consent boxes for marketing were not selected, before proceeding with the registration process the following screen was shown asking the user to provide the first consent:

(Figure 1)

If, on the other hand, only the first consent was selected, without selecting the request for communication to third parties for marketing purposes, the following screen was displayed inviting the user to provide the second consent:

(figure 2)

c) on the sites visited, the user was required to enter numerous personal data, all mandatory, such as identifying data and contact details (e.g. it was mandatory to enter both the email address and the telephone number). Furthermore, on some of them the user was required to answer numerous questions, all mandatory, relating to purchasing capacity and habits, the family unit, the work activity carried out, the annual income, etc.

(figure 3)

d) on some sites, during the registration process, it was requested to enter the contact details of friends potentially interested in the service with an option to deny entry which is not easily visible:

(figure 4)

e) after completing the registration process on the www.fioriblu.it website to obtain a monthly newsletter on health and well-being, the user was invited to click on a link which led to the www.you.tipiace.it website to download an unspecified e-book; upon access from the link, the site recognised the user and displayed in the (already activated) profile all the registration data entered on www.fioriblu.it. Furthermore, the privacy consents that had not been granted on the fioriblu.it site were all selected on the you.tipiace.it site; similarly, after completing registration on the www.gustissimo.it site to obtain a monthly cooking newsletter, the user was invited to click on the same link, which led to the www.you.tipiace.it site to download an e-book. In this case too the user found his own profile already active with the same personal data entered on www.gustissimo.it, even though the consents had not been selected;

f) at the bottom of the website www.you.tipiace.it there were links to reach the following partner websites (all owned by Ediscom): www.gustissimo.it, www.ricettaidea.it, www.fioriblu.it, www.joblet.it, www.sullaneve.it, www.guidaconsumatori.it. These last two websites were not present in the list provided by Ediscom (Annex 4 to the minutes of November 22, 2021);

g) the website www.sullaneve.it, which contained the link to Ediscom's privacy information at the bottom, did not provide for subscriptions or registrations to the service: however, in order to publish a comment on the topics proposed, one was asked to fill out a form in which, in addition to the comment, it was requested to enter a name and email address, with the caveat that a communication would be sent to this email address in order to activate the comment and publish it. At the bottom of the form there were two check boxes which were used, respectively, to confirm having read the privacy information and to consent "... to the processing of my personal data for the optional purposes of promotion and marketing, for the transfer of data to third parties”.

2. DISPUTING INFRINGEMENTS

With a note dated May 3, 2022, the start of the proceeding was communicated, pursuant to art. 166, paragraph 5, of the Code, for the adoption of corrective measures and sanctions, on the basis of the results of the inspection activity and subsequent official checks.

In particular, the investigations made it possible to make findings with regard to the following aspects.

2.1 Collection of personal data through portals owned by Ediscom

With regard to the investigations described in point 1.2. it was deemed that the collection of personal data did not comply with the provisions of the Regulation with regard to the profiles described below.

2.1.1 use of "dark patterns" to circumvent the will of the interested party

From the accesses made to the portals managed directly by Ediscom it emerged that in many cases the Company adopted unclear communication models with particular regard to the graphic design of the interfaces and the procedures for carrying out the process of registering for the services.

For greater clarity, during the dispute, the clarifications expressed by the EDPB with the guidelines on dark patterns were also recalled (still in public consultation at the time of drafting the deed initiating the procedure).

In some of the portals examined, during the registration process the data subject was asked to express a specific consent regarding the processing for Ediscom's marketing purposes and the communication to third parties for marketing purposes. If one of the two boxes was not selected, a pop-up was presented which highlighted the lack of consent and presented a clearly visible button for accepting the processing. The link to continue without accepting was placed at the bottom, outside the pop-up, in plain text (without the graphic format of the button), written in a smaller font than the rest of the text and, being overlaid, not very visible (see figures 1 and 2 above).

The pop-up proposition had no use for carrying out the registration process but evidently represented a further attempt to obtain the user's consent despite the fact that he had already clearly expressed his will in the previous screen. This attempt, in addition to unnecessarily aggravating the enrollment process, was characterized by a greater opacity in the ways in which the consent request was presented, increasing the probability that the interested party would give his consent not by conscious choice but rather because he was misled or in the rush to conclude the process.

A similar setting was found in the screen presented to the user to invite him to provide the data of other subjects potentially interested in registering for the services (see figure 4). Faced with invitation messages written in bold and fields with asterisks (even if in fact optional), the option "...or skip" - which should be an alternative to the "continue" button - was shown at the bottom of the page in much smaller font and with completely different graphics compared to the "continue" option.

Furthermore, the checks carried out confirmed that registration to the services offered by some Ediscom portals did not require validation by email (collection of consent in double opt-in mode), as also described by the Company during the on-site inspection. However, the accesses to the sites also showed that in some cases the registration process ended with a message announcing the forthcoming receipt of a confirmation email.

It should also be noted that the sites for which no confirmation email was provided were also the same sites for which a collection of excess data had been detected (see point 2.1.2 below) and on which interfaces specially built to circumvent the will of the data subject regarding the collection of consent were used. As repeatedly clarified by the Guarantor, documentation of consent through the registration IP address alone cannot be considered sufficient to demonstrate the will of the data subject (see provision of 25 November 2021, web doc. no. 9737185, and provision of 26 October 2017, web doc. no. 7320903, at www.garanteprivacy.it).
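The point that an IP address alone does not document consent applies equally to the per-contact proof Ediscom said it required from list suppliers (point 1.1 above: IP address, date and time, type of consents, registration URL). The validator below is an added example, not code from the decision or from Ediscom; it treats such a supplier record as usable only when it also carries a double opt-in confirmation that is consistent with the registration time, documents every consent scope the intended use needs (here, first-party marketing and communication to third parties, as in the certification discussed in point 1.1), and has not been withdrawn. The record layout, field names and all sample records are constructed assumptions.

```python
from datetime import datetime

# Consent scopes that must be documented before a contact may be used for
# promotional messaging on behalf of third parties (scope names are assumptions).
REQUIRED_SCOPES = {"marketing", "third_party_communication"}

# Minimum proof fields a supplier record is expected to carry (assumed layout).
EVIDENCE_FIELDS = ("ip", "registered_at", "consents", "source_url")


def _parse(ts: str) -> datetime:
    """Timestamps are ISO 8601 with offset, e.g. '2020-01-22T10:15:00+00:00'."""
    return datetime.fromisoformat(ts)


def validate_consent_record(rec: dict) -> list:
    """Return the list of problems found; an empty list means the evidence is usable.

    Checks, in order: the supplier's basic proof fields are present; a double
    opt-in confirmation exists and does not precede the registration it confirms;
    the documented consent covers every required scope; the consent has not
    been withdrawn since."""
    problems = []
    for field_name in EVIDENCE_FIELDS:
        if not rec.get(field_name):
            problems.append(f"missing {field_name}")
    if not rec.get("confirmed_at"):
        problems.append("no double opt-in confirmation (IP address alone is not proof of consent)")
    elif rec.get("registered_at") and _parse(rec["confirmed_at"]) < _parse(rec["registered_at"]):
        problems.append("confirmation timestamp precedes registration")
    missing = REQUIRED_SCOPES - set(rec.get("consents") or [])
    if missing:
        problems.append("consent scope not documented: " + ", ".join(sorted(missing)))
    if rec.get("withdrawn_at"):
        problems.append("consent withdrawn on " + rec["withdrawn_at"])
    return problems


def triage_supplier_batch(records):
    """Split a supplier batch into usable records and (record, problems) rejects."""
    usable, rejected = [], []
    for rec in records:
        problems = validate_consent_record(rec)
        if problems:
            rejected.append((rec, problems))
        else:
            usable.append(rec)
    return usable, rejected


# --- constructed sample batch (not from the decision) -----------------------
SAMPLE_BATCH = [
    {   # complete evidence: registration, confirmation click six minutes later, both scopes
        "id": "c-001", "ip": "203.0.113.7",
        "registered_at": "2020-01-22T10:15:00+00:00",
        "confirmed_at": "2020-01-22T10:21:00+00:00",
        "consents": ["marketing", "third_party_communication"],
        "source_url": "https://contest.example/form",
    },
    {   # IP and timestamp only, and only first-party marketing consent documented
        "id": "c-002", "ip": "203.0.113.8",
        "registered_at": "2020-01-22T10:15:00+00:00",
        "consents": ["marketing"],
        "source_url": "https://contest.example/form",
    },
    {   # confirmation recorded a day before registration: inconsistent evidence
        "id": "c-003", "ip": "203.0.113.9",
        "registered_at": "2020-01-22T10:15:00+00:00",
        "confirmed_at": "2020-01-21T09:00:00+00:00",
        "consents": ["marketing", "third_party_communication"],
        "source_url": "https://contest.example/form",
    },
]


if __name__ == "__main__":
    usable, rejected = triage_supplier_batch(SAMPLE_BATCH)
    print("usable:", [r["id"] for r in usable])
    for rec, problems in rejected:
        print(rec["id"], "->", "; ".join(problems))
```

Only `c-001` passes. `c-002` is the shape of record criticised in this decision: an IP address and a timestamp with no confirmation step and no documented consent to third-party communication, so it is rejected for both reasons. `c-003` shows why the confirmation must be checked against the registration time rather than merely for presence.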

In conclusion, it was considered that a consent collected in such ways, deliberately designed to circumvent the rules, aroused many perplexities regarding the freedom and awareness with which the interested party can express his will and therefore could not be considered lawful.

For these reasons, a violation of art. 5, par. 1, lit. a), art. 7, par. 2 and art. 25 of the Regulation was found.

2.1.2 Collection of Excess Data

In many of the sites visited, it was requested to enter numerous personal data and to provide answers to numerous questions - all mandatory - relating to purchasing capacity and habits, family unit, work activity, annual income, etc. (see figure 3 above).

The collection of all this information, which did not seem to have any relevance to the service offered, was not necessary for the provision of the same with the consequence that the data collected was more than necessary; moreover, this information was intended to outline a profile of the subscriber and could have included the processing in the purpose described in point 1 c) of the privacy information published by Ediscom itself (analysis and definition of profiles and preferences for marketing purposes). However, for this treatment the interested party was not required to express a specific consent as instead described in the same information. Therefore, the collection of personal data of subscribers, configured in this way, was considered to violate the principle of lawfulness, correctness and transparency because it forced the interested party to provide a lot of information not pertinent to the service. Furthermore, this treatment could violate the principle of purpose limitation if the data collected for service purposes or on the basis of specific consents for marketing, were then also used for user profiling in the absence of a specific consent. Finally, the collection of data beyond the purposes of the processing was deemed to be in conflict with the data minimization principle.

For these reasons, the processing was carried out in violation of art. 5, par. 1, lit. a), b) and c), 6 and 7 of the Regulation.

2.1.3 lack of information on the website www.testadiquiz.it

The website www.testadiquiz.it did not present any information on the home page regarding the owner of the site itself (generally indicated in the footer of the home page) nor did it make the link to the privacy information available before starting to collect the data of the interested parties. The link to the information was only displayed at the end of the compilation when the interested party was asked to express consent for the marketing purposes of Ediscom and third parties.

On the site indicated, in addition to there being no privacy information, there was also no indication of the subject to whom the site belonged; the user was therefore invited to enter their personal data without any information regarding the future processing and even without knowing the identity of the controller. In this regard, it was recalled that, in addition to the specific provisions of the Regulation on transparency, the publication of company details on the site's home page is a legal obligation (see art. 35, paragraph 1, Presidential Decree of 26 October 1972, no. 633, and art. 2250 of the Civil Code).

With regard to the specific provisions on the protection of personal data, art. 13 of the Regulation requires the controller to provide the data subject with all the information listed there "at the time when personal data are obtained". It is therefore necessary that the information on the purposes and methods of the processing is disclosed to the data subject before he starts completing the form, so as to allow him to evaluate the conditions proposed by the controller before the processing begins.

For these reasons, a violation of art. 5, par. 1, lit. a) and art. 13 of the Regulation was found.

2.1.4 data collection of referenced subjects

As can also be seen from figure 4 above, on many of the sites visited there was a screen on which the data subject was asked to provide the name and email address of other subjects potentially interested in the same service. The Office found that the data of third parties possibly provided by the user during the registration process could not in any case be considered covered by a suitable consent for future promotional contacts. This is because the status of "referenced" (which would be attributed to the subject presented by the user) cannot replace the necessary prior acquisition of a specific, documented and unequivocal consent from the data subject, since the referring third party is not (as a rule) entitled to give any valid consent on behalf of the data subject receiving the promotional contact (see provision of 15 January 2020, web doc. no. 9256486).

For these reasons, the collection of personal data of third parties indicated by the user was not justified by any of the legal bases in art. 6 of the Regulation, also considering that alternative ways of promoting one's brand through existing customers are now widely used without any need to acquire the personal data of unsuspecting third parties directly.

Had such data been used to convey promotional messages without providing suitable information and without acquiring specific consent, that activity would have been unlawful.

For these reasons, the processing was held to violate art. 6 of the Regulation, art. 14 of the Regulation and art. 130 of the Code.

2.1.5 interaction between the various services with contextual data recording

During the Office's accesses to the website www.fioriblu.it, it emerged that, after completing the subscription to the wellness and health newsletter, the user was invited to download an e-book (of unspecified content) by clicking a link leading to the site www.you.tipiace.it.

Following the proposed link, one reached the site www.you.tipiace.it (which contained cooking recipes). A user arriving from that link was recognised with the same data entered on www.fioriblu.it and found a personal profile already created with those data, as shown in the following figure:

Furthermore, the privacy consents, which had not been granted on www.fioriblu.it, were all already selected on www.you.tipiace.it (although they could be manually deselected):

The Office judged this approach to be in clear contrast with the requirement that consent be freely given.

For these reasons, a violation of articles 5, par. 1, lit. a), 6, par. 1, lit. a) and 7 of the Regulation was found.

The registration process on www.gustissimo.it likewise ended with a link redirecting to www.you.tipiace.it, where one found a user profile already filled in with the same data entered on www.gustissimo.it.

This result was considered likely to derive from an approach that takes into account the fact that the controller is still Ediscom and that the data collected through the various portals, which present the same privacy notice, probably flow into a single database. Therefore, even if the processing were in fact a single one with a single purpose, in the Office's opinion the data subject was not in any case in a position to fully understand it and, consequently, to interact correctly with the services offered by Ediscom. Furthermore, while www.fioriblu.it and www.gustissimo.it did not require a password, www.you.tipiace.it asked for a password to be added to the profile already created. If the user did not follow up, the profile was not deleted in any case: on a subsequent access with the same email the user was recognised as already registered, even though he had never requested registration and had never entered a password.

As already described, the newsletter subscription process ended with an invitation to click a link leading to another service. Besides not being clearly perceivable as optional, this step also raised doubts about its connection with the registration the user had just completed, since the service offered through www.you.tipiace.it had no bearing on the content the user had chosen on the sites of origin.

Given all of the above, a violation of art. 5, par. 1, lit. a) of the Regulation was found due to the lack of clarity and transparency towards the user; moreover, a violation of the principle of purpose limitation under art. 5, par. 1, lit. b) of the Regulation, since the user provided his data to register for a specific service but those same data were also used to register him with another portal, which was neither within his expectations nor connected with the initial purpose of registering on the first portal.

2.1.6 collection of consents on the portal www.sullaneve.it

As described above, it was ascertained that posting a comment on the portal www.sullaneve.it required a name and email address. At the bottom of the form there were two check boxes, used respectively to confirm having read the privacy notice and to consent "... to the processing of my personal data for the optional purposes of promotion and marketing, for the transfer of data to third parties".

A single consent box was thus presented for what in reality appear to be two distinct processing operations. Indeed, the privacy policy published on this site itself distinguished the two operations in points 1.b and 1.d.

The Office observed that, with respect to the consent wording on the portal, even if the purpose was the same (marketing), the controller carrying out the processing was different (Ediscom itself or the third parties to whom the data were communicated). Two distinct and specific consents were therefore required, which the Company in fact requested on the other portals examined. In this case the wording did not allow the data subject to express a free and specific will, thereby violating articles 6, par. 1, lit. a) and 7 of the Regulation.

2.2 Qualification of roles in the processing

From the Company's description during the investigation and from the examination of the contractual documentation produced, Ediscom's role in the processing of personal data emerged as qualified differently depending on the commercial relationship established with the partners, without a parallel justification in the roles actually played.

Ediscom correctly qualified itself as an independent controller in all cases in which it acquired lists of data from other independent controllers. However, its qualification as processor in the cases described as "database management" on behalf of third parties was not shared, for the reasons set out below. Similar considerations apply to Ediscom's role in the commercial relationships defined as "affiliation", where, however, the qualification of the roles had not been clearly proven.

2.2.1 Ediscom's role in the processing of data contained in the databases entrusted to management

In all cases in which the Company entered into a database management agreement with a commercial counterparty, it qualified itself as processor both in the contracts and in the responses given to data subjects' requests to exercise their rights.

This different classification from the cases in which lists were purchased was considered by the Office to be groundless. Even in the commercial relationship known as "management", Ediscom is to be regarded as an independent controller, since every data acquisition activity is aimed at enriching Ediscom's database, which is then used to offer promotional services to its customers (the Company in fact has a single database). The Office therefore considered the source of the data (direct sources such as the portals owned by Ediscom, or databases acquired from third parties, whatever the legal title of the acquisition) to be irrelevant. In other words, the cause (purchase, rental, management/use of the database) of the contract signed with the third party cannot matter when in fact there is always an acquisition of data from third parties aimed at the transmission of promotional messages by Ediscom on behalf of its customers.

It follows that in every case the processing consists in the collection of personal data (regardless of source) and that it is Ediscom that determines its purpose: the commercial exploitation of the database through the transmission of promotional messages from its customers.

After all, the function of the data acquisition was clearly to enrich the Ediscom database, given that the contracts signed with third parties state that "the data being managed are those that are not already available to Ediscom S.p.A. on the basis of a preliminary deduplication activity that Ediscom S.p.A. itself reserves the right to compare the COMPANY database with those it has available".

Furthermore, this allocation of roles proved to have detrimental consequences for the data subjects. Ediscom demonstrated that it correctly implemented the objection or erasure requests it received and registered the data subjects on a black list so as not to re-import their data on any subsequent acquisition of lists. However, this appropriate precaution proved useless where the lists had been acquired in the form of a database under management: erroneously qualifying itself as processor, Ediscom did not take into account the objections it had already received (and which were addressed to Ediscom itself) and consequently sent promotional messages to people who had already objected (see the cases of XX and XX described above).

Furthermore, the contracts shown as the template used for database management stated that Ediscom "will manage the database ... through the concession of the same on lease, for periods not exceeding 3 months, and the sending of commercial text messages for Ediscom partners". It follows that the consent to transmission to third parties originally acquired by the creator of the database would have been deemed sufficient, in the case of rental, to communicate the data first to Ediscom and then to the third-party renter. Such a construction is not acceptable, since that consent cannot be held valid indefinitely for every subject after the first to whom the data are communicated.

Therefore, the incorrect qualification as processor in the contractual relationships referred to as database management led to the conclusion that the processing is contrary to the requirements of lawfulness, fairness and transparency, in violation of art. 5, par. 1, lit. a).

Furthermore, the objections to processing raised by data subjects were thwarted, because of the incorrect qualification of the roles, by circumventing the procedures intended to keep track of them. The acquisition by the partner of a generic consent for third-party promotional activities cannot be considered sufficient to override a wish not to be contacted (any longer) that was specifically expressed towards another controller. This processing therefore did not guarantee the exercise of the rights to erasure and to object, in violation of articles 17 and 21 of the Regulation.
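The failure the Office describes in this section (an objection recorded against one acquisition channel being ignored when the same contact arrives through a "database management" relationship) is, in engineering terms, a suppression list that is not applied uniformly to every inbound list. The following is an added illustration written for this page, not code from the decision or from Ediscom, of a suppression list keyed on the normalized address and applied to every import regardless of the commercial form of the acquisition. The addresses, source name and secret are constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date

# Constructed sample values for illustration; no real contacts are involved.
PEPPER = b"replace-with-a-secret-kept-outside-the-list"  # hypothetical secret


def normalize_email(address: str) -> str:
    """Canonical form of an address, so that case differences or stray
    whitespace in a freshly imported list cannot defeat the suppression check."""
    local, at, domain = address.strip().lower().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return f"{local}@{domain}"


def contact_key(address: str, pepper: bytes = PEPPER) -> str:
    """Keyed hash of the normalized address: the suppression list can then be
    handed to an import job without holding opted-out addresses in the clear."""
    digest = hmac.new(pepper, normalize_email(address).encode(), hashlib.sha256)
    return digest.hexdigest()


@dataclass
class SuppressionList:
    """Objections and erasure requests received, indexed by contact_key."""
    entries: dict = field(default_factory=dict)  # key -> (reason, date received)

    def add(self, address: str, reason: str, received: date) -> None:
        self.entries[contact_key(address)] = (reason, received)

    def is_suppressed(self, address: str) -> bool:
        return contact_key(address) in self.entries


@dataclass
class ImportResult:
    imported: list
    rejected: list  # (record, reason) pairs, kept for audit


def import_contacts(records, source, suppression, existing):
    """Screen an inbound list against the suppression list before anything
    else, whatever the commercial form of the acquisition (purchase, rental,
    'database management'), then de-duplicate against contacts already held."""
    imported, rejected = [], []
    held = {normalize_email(e) for e in existing}
    for rec in records:
        try:
            email = normalize_email(rec["email"])
        except (KeyError, ValueError):
            rejected.append((rec, "malformed or missing address"))
            continue
        if suppression.is_suppressed(email):
            rejected.append((rec, f"objection on file; source {source!r} does not override it"))
            continue
        if email in held:
            rejected.append((rec, "duplicate of a contact already held"))
            continue
        held.add(email)
        imported.append({**rec, "email": email, "source": source})
    return ImportResult(imported, rejected)


def demo():
    """Constructed scenario: an objection received through one channel must block
    the same person's re-import through a differently contracted channel."""
    suppression = SuppressionList()
    suppression.add("Mario.Rossi@example.com", "Art. 21 objection", date(2021, 3, 1))
    managed_db = [
        {"email": "  mario.rossi@EXAMPLE.com "},  # same person, different spelling
        {"email": "anna.bianchi@example.org"},
        {"email": "anna.bianchi@example.org"},    # duplicate within the list
        {"email": "not-an-address"},
    ]
    return import_contacts(managed_db, "database-management-partner", suppression, existing=[])


if __name__ == "__main__":
    result = demo()
    print(len(result.imported), "imported;", len(result.rejected), "rejected")
    for rec, why in result.rejected:
        print(" -", rec.get("email"), "->", why)
```

The point of the design is that the suppression check sits in the import path itself and knows nothing about contract types, so a contact who objected after a purchased-list campaign is rejected identically when the same address reappears in a "managed" database; the rejected list is retained so that the handling of each objection can be evidenced later.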

2.2.2 Ediscom's role in the context of contracts defined as affiliation

The events described in Mr. XX's complaint brought to light an erroneous qualification of the roles also in the processing carried out within the contractual relationships known as affiliation. Here too, the parties chose to distinguish the roles according to the differences in the commercial agreements. However, as argued in the previous point, the commercial relationship between the parties does not necessarily determine the qualification of the roles in the processing; in the case examined, the Office saw no reason not to consider that Ediscom had acted as an independent controller, since the Company, under the service commissioned by XX, had sourced lists of email addresses on the market in order to carry out a promotional activity, regardless of whether those lists came directly into its availability or were instead managed on its behalf by a business partner.

As described above, in the case in question all the parties involved declared themselves processors, attributing controllership only to XX, a company based in England which provided no reply to the data subject, was unable to document the collection of a suitable consent and, as far as can be understood, gave no explanations even to its business partners.

The Office also noted the number of entities involved in the processing and their limited ability to document their individual roles, considering that Mr. XX's data were present in the XX database (whose origin cannot be established) and would have been processed both by XX and by XX before finally being made commercially available by Ediscom. In reality, each of these entities is to be regarded as an independent controller, having its own purpose, and the physical handling of the data is not what matters.

This conduct significantly limits the exercise of informational self-determination, which is expressed precisely through the control the data subject can exercise over his own data against the risks of dispersion or of uses that do not comply with the purposes of the original collection. It cannot be assumed that a will initially expressed consciously (provided it is lawfully collected) with respect to certain processing operations can unfold chain effects, through successive transfers of personal data from one controller to another, in a way entirely unforeseeable for the data subject.

Consequently, the Office considered that the processing had been carried out in violation of the principle of lawfulness, fairness and transparency under art. 5, par. 1, lit. a) of the Regulation. Furthermore, by making it impossible for the data subject to obtain the requested information about the processing, the controller violated articles 12 and 15 of the Regulation.

2.3 Suitability of checks carried out on lists acquired from third parties

Ediscom declared that it carried out some checks on the databases proposed by partners and requested, for each contact, the date of acquisition of the consent and proof of it, consisting of the IP address and the indication of the portal on which the consent was registered.

In this regard, the Office made the following observations:

a) the Company intended to document the checks carried out by producing screenshots of its accesses to some of the list suppliers' sites. These documents concerned only a small part of the entities listed under the item DB Acquisitions (in attachment 9 to the report of November 23, 2021) and did not indicate the date on which the checks were carried out;

b) these documents show that the Company had read the privacy notices on the partners' websites; as also highlighted during the inspection, despite the absence of any indication of a representative in the EU in XX's notice, the Company had nonetheless proceeded with the acquisition;

c) Ediscom also carried out promotional activities using data from XX. This Office had carried out checks on the portals managed by that entity for the purposes of a similar case (to which reference is made for details), finding violations of the rules that are evident and easily observable by anyone operating in the market described (see the provisions of 25 November 2021, web doc. n. 9736961 and of 25 November 2021, web doc. n. 9737185). Ediscom nonetheless used the data coming from this list publisher despite the absence of suitable guarantees of the lawfulness of the database;

d) in some of the cases observed through access to the Ediscom database it was found that, despite the data having been recently acquired (2020 or 2021), the consent was dated to a period prior to the full applicability of the Regulation (2016 or 2017), without any documentation of checks assessing the suitability of that consent after the change in the regulatory framework;

e) in many cases reported to the Garante (of which Ediscom itself was also aware through direct dialogue with the data subjects) the frequent unawareness of the alleged registrations had been highlighted, in some cases denied by the data subjects or relating to inaccurate data. Often a name different from that of the account holder was associated with the users examined. Yet the Company considered the partners' documentation of consent sufficient when it indicated the IP address alone. This is a method the Garante has already deemed insufficient to certify the unequivocal will of the data subjects (see the provision of 26 October 2017, web doc. n. 7320903 and the aforementioned provisions of 25 November 2021), whereas more suitable alternatives exist that give a greater degree of certainty about the genuineness of consent (such as sending a confirmation message to the address indicated during registration).

That said, it was held that Ediscom had not implemented all the measures necessary to contain the harm connected with the processing, thereby acting in violation of articles 5, par. 2 and 24 of the Regulation.
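Items d) and e) above, together with the single-box consent in section 2.1.6 and the pre-selected consents on www.you.tipiace.it in section 2.1.5, describe defects in a consent record that a controller vetting an acquired list can test for mechanically. The following added example (written for this page; not code from the decision, from Ediscom or from any list supplier) checks a consent record for those defects and shows the confirmation-message alternative the Office mentions, implemented as an HMAC-bound token sent to the registered address. The record fields, IP address, dates and signing secret are constructed; the GDPR applicability date of 25 May 2018 is taken from art. 99 of the Regulation, not from this page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date

# Constructed values for illustration; a real secret would live in a key store.
SIGNING_SECRET = b"hypothetical-confirmation-signing-key"
GDPR_APPLICABLE_FROM = date(2018, 5, 25)  # art. 99(2) of the Regulation


@dataclass
class ConsentRecord:
    """One consent act as a list supplier might document it."""
    email: str
    purposes: tuple          # purposes/recipients covered by this single consent act
    controller: str          # entity the consent was given to
    consent_date: date
    evidence: dict = field(default_factory=dict)  # e.g. ip, portal, confirmed_at
    preticked: bool = False  # box was already selected when the form loaded


def issue_confirmation_token(email: str, purposes, nonce: str = "") -> str:
    """Token placed in the confirmation message: binds a fresh nonce to the
    address and the exact purposes, so a click confirms that specific consent."""
    nonce = nonce or secrets.token_hex(8)
    message = f"{nonce}|{email.strip().lower()}|{','.join(sorted(purposes))}".encode()
    mac = hmac.new(SIGNING_SECRET, message, hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_confirmation_token(email: str, purposes, token: str) -> bool:
    """True only if the token was issued for this address and these purposes."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce:
        return False
    expected = issue_confirmation_token(email, purposes, nonce).split(".", 1)[1]
    return hmac.compare_digest(mac.encode(), expected.encode())


def assess_consent(record: ConsentRecord, acquisition_date: date) -> list:
    """Findings mirroring the Office's observations; an empty list means no defect found."""
    findings = []
    if record.preticked:
        findings.append("pre-selected box: consent not given by an affirmative act")
    if len(record.purposes) > 1:
        findings.append("bundled: one box covers distinct purposes or recipients")
    if record.consent_date < GDPR_APPLICABLE_FROM <= acquisition_date:
        findings.append("consent predates GDPR applicability; suitability never re-assessed")
    if "confirmed_at" not in record.evidence:
        findings.append("evidence is IP address/portal only; address ownership never confirmed")
    return findings


def demo():
    """Constructed records: one showing every defect above, one confirmed by token."""
    email = "user@example.com"
    weak = ConsentRecord(
        email=email,
        purposes=("marketing_by_controller", "transfer_to_third_parties"),
        controller="list-supplier-xx",
        consent_date=date(2017, 6, 1),
        evidence={"ip": "203.0.113.7", "portal": "example-portal"},
        preticked=True,
    )
    # Double opt-in: the token goes out in the confirmation message and is
    # only turned into "confirmed_at" when it verifies against the same purposes.
    purposes = ("marketing_by_controller",)
    token = issue_confirmation_token(email, purposes)
    evidence = {"ip": "203.0.113.7", "portal": "example-portal"}
    if verify_confirmation_token(email, purposes, token):
        evidence["confirmed_at"] = date(2021, 2, 10)
    confirmed = ConsentRecord(email, purposes, "list-supplier-xx", date(2021, 2, 10), evidence)
    acquired_on = date(2021, 5, 1)
    return assess_consent(weak, acquired_on), assess_consent(confirmed, acquired_on)


if __name__ == "__main__":
    for finding in demo()[0]:
        print("-", finding)
```

Because the token is bound to both the address and the sorted purpose list, a confirmation sent for marketing by the controller cannot later be reused as evidence of consent to transfer to third parties, which is the distinction the Office draws for the single box on www.sullaneve.it.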

2.4 acquisition of a suitable consent for the sending of promotional messages

In many of the cases described, suitable consent for promotional purposes was neither acquired nor documented. First, we recall the cases of XX and XX, already described, whose data were processed even after they had objected to Ediscom. Furthermore, with specific regard to Mr. XX, the company XX, from which Ediscom acquired the database, expressly declared that it treated mere registration on its site to take part in a lottery as consent for promotional purposes. Such a method is plainly unsuitable for documenting the specific will of the data subject. We also recall the case of Mr. XX, who received a promotional email without his consent being documented in any way. In all these cases the processing was carried out in violation of articles 6, par. 1, lit. a) and 7 of the Regulation, as well as of art. 130 of the Code for sending text messages and emails without consent.

3. THE CONTROLLER'S DEFENCE

The Company, in exercising its right of defence, sent a memorandum on 1 June 2022 in which, clarifying certain aspects, it indicated the corrective measures adopted.

In particular, the Company first clarified that it has always paid close attention to personal data protection, directing its operating methods towards solutions which, after adequate weighing, seemed to strike the right balance between the guarantees for data subjects and the company's business needs. While the acquisition of contact data and of suitable consent to processing constitutes an essential corporate asset for Ediscom's business, the Company nonetheless sought to adopt the best solutions available to ensure that such processing, in addition to being commercially useful, was also lawful and respectful of the data subjects' needs.

In this context, the Company based its choices on the current regulatory framework and on the interpretation of that framework given by the Garante and the EDPB. It therefore considered that the objections raised, which it nonetheless took note of, had not taken into account the innovative nature of some rulings, such as the aforementioned provisions of the Garante of November 2021 or the EDPB Guidelines on dark patterns, definitively adopted only after the initiation of the proceedings.

For these reasons, the Company stressed the absolute good faith of its conduct, being the result of considered choices, and assured that it had taken steps to adopt various corrective measures; in particular:

- it adapted the graphics of the consent confirmation pop-ups, using a similar colour and font for both acceptance and refusal, observing, however, that the EDPB Guidelines on dark patterns should be understood as mainly intended to regulate the processing carried out by large social media, while they risk being difficult to apply for small and medium-sized enterprises, with the consequence of excessively limiting the entrepreneurial activity of those operating in the marketing sector;

- it introduced corrective measures to ensure that a confirmation email is sent to the user when registering for the services;

- it began reviewing the operating mechanisms of the system that automatically creates a user profile on the you.tipiace.it portal, with a view to improving the user experience and helping the data subject manage their profile;

- it began mapping and, where necessary, renegotiating the existing contracts with the clients of the promotional activities to adapt them to the Garante's indications on the roles in the processing;

- it set up a corporate procedure to ensure more precise checks on the suitability of databases acquired from third parties.

The Company also stressed that adequate procedures were already in place to respond promptly to requests to exercise rights.

On the other aspects of the act initiating the proceedings, Ediscom replied as follows:

1. with regard to the objection concerning the collection of excess data (see point 2.1.2), the Company specified that all the mandatory questions presented during registration, contrary to the Garante's objections, are to be considered connected to the service offered because "related to the Co-registration activity, meaning by this term to refer to the practice, widespread in the marketing field, which aims to generate and share a database of users, among several sponsor companies that are indicated in the information on data processing made available to interested parties". The questions would therefore be asked to verify the actual interest of the person filling in the form, and the answers given are not recorded together with the user's data. The Company also clarified that, although the privacy notice states that, with the data subject's consent, marketing-oriented profiling may be carried out, this processing has never been carried out and the passage in the notice was formulated only hypothetically. In any case, the Company stated that it had changed the notices in the prize contest regulations, specifying to the user that failure to answer the questions will not affect participation in the contest, but that the answers will serve to receive promotional messages in line with the responses given (if the user has previously consented to processing for marketing purposes);

2. with regard to the portals www.testadiquiz.it and www.sullaneve.it, the Company specified that these sites had been set up only for testing, were not intended to collect data and were never used for that purpose. It therefore removed the site www.testadiquiz.it and updated the portal www.sullaneve.it (whose domain name it wishes to keep);

3. regarding the Garante's objections to the collection of data of persons presented by other users, the Company, considering this processing to fall within the personal and household sphere, specified that the referenced person's data are not entered in Ediscom's database but are used only to send an e-mail with "a link to the page indicated by the friendly user. The communication does not contain advertising, nor invitations to release consent to receive marketing mails and following the sending, no data is saved or used further". The Company also clarified that it implemented this function bearing in mind a ruling of the Belgian Data Protection Authority and an opinion of the Article 29 Working Party on the "invite a friend" function;

4. with regard to the profiles created automatically on the you.tipiace.it portal, the Company declared, as to what the Garante's ex officio accesses had found, that the consents were already selected because "the test data used by this Authorities had already been previously used by another test user who had instead released all the consents". It nonetheless assured that the choices made by the user when registering for a service are also maintained on the you.tipiace.it portal; the Company also clarified that the purpose of this procedure is only to let the user keep, in a single place, their choices regarding the processing of personal data and the Ediscom services to which to subscribe. In any case, having taken note of the Garante's indications, it started reviewing the procedure to make it clearer for the user;

5. with regard to Ediscom's role in the databases entrusted to its management, the Company specified that it had defined the roles on the basis of preliminary and in-depth assessments of the activity actually carried out and had concluded that only the partner providing the database should be qualified as controller, since it is that party who determines the purposes, leaving Ediscom, which operates only as an intermediary and qualifies as processor, the choice of the means of the processing; therefore, acting as processor, no double transfer of data would have occurred after the data subjects' consent;

6. with regard to Ediscom's role in affiliation contracts, the Company specified that it "acts as an intermediary who puts its customer (the demand) in contact with its suppliers or their sub-suppliers (the offer) without carry out any direct data processing activity, limiting itself to requesting the affiliate or the supplier company to send a communication to its registered users"; also in the case of Mr. XX, Ediscom had not sourced any lists, as the data had never been available to it. In this business model, Ediscom does not access the data of the data subjects but merely asks its partners to send promotional messages on behalf of its third-party customers;

7. with regard to the disputed sending of promotional messages without the data subjects' consent, Ediscom merely observed that the objection rests on the assumption that, without a double opt-in mechanism, consent is not validly given, although there is no specific regulatory obligation requiring it.

Finally, a hearing was held on 18 July 2022 at which Ediscom described the corporate procedures implemented to ensure the compliance of the processing. In particular, it clarified that it had carried out staff training sessions and increased the human resources specifically assigned to checking the lists provided by third parties, and that it had launched further improvements to the user profile creation procedure on the you.tipiace.it portal.

On that occasion, Ediscom reiterated its view that its role in affiliation contracts is that of processor, because the Company merely puts the client and the list publisher in contact without determining the means. Similarly, in database management contracts, Ediscom receives instructions from the owner of the database, who specifies which types of campaigns may be carried out with that database and by what means. Ediscom is therefore to be regarded solely as a processor, since it processes the data on behalf of its clients.

4. LEGAL ASSESSMENTS

With reference to the factual profiles highlighted above, also on the basis of the Company's declarations, for which it is answerable pursuant to art. 168 of the Code, the following assessments are made in relation to the issues concerning the rules on the protection of personal data.

4.1 Use of dark patterns to circumvent the will of the data subject

As described in point 2.1.1, the accesses made by the Office revealed that the graphical interfaces chosen to interact with users had settings similar to the so-called "dark patterns" recently described by the EDPB in the aforementioned Guidelines.

The Company took note of the objections in the act initiating the proceedings and made some changes, while submitting that this principle had only recently been expressed and could therefore not have been known to Ediscom. However, beyond the fact that the Guidelines have been issued (mentioned in the act of initiation only for greater clarity), the examination of how the graphical interfaces were implemented is independent of their formal qualification and could be assessed concretely even before the EDPB formalised the principle of dark patterns in the Guidelines. Moreover, the concept can be considered innovative only in the context of personal data processing in the digital world; its genesis dates back to 2010, and mechanisms for conditioning consent have repeatedly been assessed in the context of consumer protection.

Moreover, in the graphical interfaces evaluated by the Office, where potentially misleading mechanisms were applied, intent, and therefore awareness of what was being done, was quite clear: for example, the use of a different font for two choices that should be alternatives (and therefore represented graphically in the same way) cannot be considered the result of a random choice. The intentional decision to design a given interface also presupposes knowledge of the mechanisms that interact with the user's cognitive abilities; therefore, even without naming these mechanisms, one cannot but conclude that they were adopted in order to circumvent the will of users.

For these reasons, the violation of articles 5, par. 1, lit. a), 7, par. 2 and 25 of the Regulation is considered established, requiring a pecuniary administrative sanction pursuant to art. 58, par. 2, lit. i) of the Regulation.

Finally, it is considered appropriate to provide some general clarifications on the application of the principle last described by the EDPB within the national and European business fabric.

Ediscom's observations on the potential risks to business activity of an overly rigid application of the principle expressed by the EDPB are certainly worthy of note, especially when the controller is not a large web multinational but a small or medium-sized European enterprise. It must be remembered, however, that every principle must be applied proportionately in the context in which it concretely operates, without necessarily imposing an unconditional application. It is nonetheless up to this Authority to verify that controllers make an effort to find the right balance between business needs and the guarantees for data subjects, as Ediscom itself did by changing its interfaces in a way that satisfies both. After all, the expected benefit of correct processing also consists in greater trust on the part of users, with positive consequences for the entire market from which controllers themselves benefit. Not to mention that, at an individual level, the safeguards adopted by a company operating in the marketing sector are also a measure of the quality offered to client controllers, capable of distinguishing the company from its competitors.

4.2 Collection of Excess Data

With regard to what was disputed in point 2.1.2, having examined the considerations made by Ediscom in the defense brief, no sufficient arguments were found to consider the objections raised by the Office as resolved. First of all, it is not clear how the aforementioned Co-registration procedure - moreover not documented or detected by the Office during the assessment - should justify the collection of data. Please note that the Authority has examined all the sites indicated by Ediscom as portals used for the collection of personal data. In all cases, upon typing in the URL, a website was reached with informative or recreational content, without any reference to partner entities and with, at most, advertising banners. And all the sites visited referred to a single privacy notice.

Furthermore, the type of questions, extremely heterogeneous and with the same content on all the sites visited, does not allow us to understand why such questions should be considered oriented towards demonstrating a particular interest of the user in a particular sponsor: it should be remembered that the questions asked in all the questionnaires observed concerned the income received, purchasing habits, the composition of the family nucleus, age, the presence of pets or children; there were also some very specific questions aimed at detecting the interest in being contacted for products or services of certain customers (fibre connection, pay TV services, financial services). Therefore, if the intent of the Company was only to collect such specific expressions of interest, the usefulness of also asking the preliminary questions aimed at determining purchasing habits and ability (income, age, family composition, etc.) is not understood.

Moreover, even if the intent of the Company was the mere collection of a specific interest, neither the fact that other subjects would have been involved in the processing (as clients of the promotional activity and data controllers) nor the real purpose of the questions was made clear to the user: the user was expressly asked to fill in all the fields to obtain the requested benefit (a cooking recipe book, a horoscope, a newsletter, etc.).

The considerations made in the defense are therefore not sufficient to overcome the objections raised and are, moreover, contradictory. In fact, Ediscom declares that the answers provided by users would only be used to verify an impromptu interest in the commercial proposals presented without subsequently being stored together with the data of the interested party. But in the same sentence, the Company declares that the method defined as Co-registration "is a very effective tool ... because it generates a highly qualified data database that collects the contact details of people who are strongly interested in that specific product or service".

Similarly, the Company declared that it does not carry out user profiling activities and that it mentioned this processing in the privacy notice only for hypothetical future uses, without it therefore being necessary to also acquire a specific consent from the data subjects, because the activity was never actually carried out. However, in the notice proposed for future use on prize contest sites it will be clarified that "you will be asked to answer some questions aimed at ascertaining your interests in order to submit, if you have decided to consent to receiving marketing communications, offers in line with what you will tell us by answering the questions".

Observing, incidentally, that a purely hypothetical processing should not be described in the privacy notice (as the notice must instead be modified in the event of changes in the processing), such a context does not allow us to exclude that users may be subjected to profiling activities. Even if this Authority has understood that the actual intention of the Company would only be to obtain the user's consent to be contacted for a specific commercial proposal, it must however be noted that the setting reconstructed here would also allow, in the abstract, the use of the data collected to reconstruct a profile of the data subject, since the questions also include, as mentioned, requests relating to spending capacity and purchasing habits (the meaning of which otherwise would not be understood). This processing would however take place without the data subject having expressed specific consent to profiling for marketing purposes, since the more general consent (possibly expressed) to receive promotional communications is not sufficient for this.

For these reasons, it is deemed necessary to confirm the detected violations of Articles 5, par. 1, lit. a), b) and c), 6 and 7 of the Regulation, and it is necessary, pursuant to art. 58, par. 2, lit. b), to address a warning to Ediscom regarding the fact that the illustrated procedure involves processing which, depending on its actual implementation, may involve the profiling of data subjects without a corresponding specific consent.

4.3 Collection of data on the portals www.testadiquiz.it and www.sullaneve.it

While confirming the pertinence of the observations made by the Office regarding the examination of the portals www.testadiquiz.it and www.sullaneve.it, we acknowledge the clarifications provided by the Company, which stated that it used these sites only to carry out tests without ever having used them for the collection of personal data. Taking into account the assurances provided also with regard to the desire to review the content of the domain www.sullaneve.it and considering that the other portals used by the Company did not present the critical issues identified here, it is not deemed necessary to adopt corrective measures.

4.4 Collection of data of referenced subjects

In response to the objections raised by the Office, the Company, as mentioned, invoked the principle of the household exemption expressed in recital no. 18 of the Regulation, citing ad adiuvandum a ruling by the Belgian supervisory authority. However, the example cited is not only irrelevant but is also contrary to the interpretative goal that the Company wants to achieve: the case under examination concerned a social networking service which, by its nature, users use to get in touch with other members, so that it is reasonable to expect that a user of the service may invite an acquaintance to join. This is not the case with the service offered by Ediscom, where the user is asked to fill out questionnaires to obtain a benefit and, incidentally, is invited to enter the name and email address of third parties potentially interested in subscribing to the same service.

Furthermore, the same ruling cited clarifies that the exemption for personal or domestic activities applies only to users and certainly not to the controller (as also clearly established by recital no. 18), who is always required to base the processing on one of the legal bases of art. 6 of the Regulation. Furthermore, if the legal basis has been identified in the legitimate interest of the controller, the latter is required to demonstrate that it has carried out adequate assessments aimed at demonstrating the balance of interests.

However, we must take note of the clarifications provided by the Company in the defensive phase where it clarified that the data of the referenced subjects are not stored and are not used to send promotional messages. However, the fact remains that the user, during the compilation phase, is not informed either of the content of the message that will be sent in his name, or of the ways in which the third party will be contacted on his behalf. Similarly, the subject who receives the invitation email from the so-called "friend" is not informed of the treatment implemented by the Company.

Given all of the above, it must be concluded that the activity carried out by Ediscom in the manner described cannot be grounded in any of the envisaged legal bases and is therefore carried out in violation of Articles 6 and 14 of the Regulation. Consequently, it is necessary, pursuant to art. 58, par. 2, lit. f), to impose a ban on Ediscom from processing personal data collected in the absence of an appropriate legal basis.

4.5 Interaction between different services and contextual recording of data

Having recalled the reasons expressed in the act of initiation of the procedure and the arguments of the controller in the defensive phase (summarized here in point 4 of chapter 3), there remain concerns regarding the methods adopted to create a user profile on the site you.tipiace.it. Even the justification put forward by Ediscom regarding the misalignment of the consents – which would be due to the fact that the test data used by the Office had already been used by another user – seems difficult to understand and leads us to believe that even subjects other than the user could easily access already created profiles.

Therefore, deeming the violation of Articles 5, par. 1, lit. a), 6, par. 1, lit. a) and 7 of the Regulation established, and taking into account that the Company has started a review process of this procedure, it is deemed sufficient to impose, pursuant to art. 58, par. 2, lit. f), the prohibition of the processing of personal data collected in the manner described where it is not possible to document a consent freely expressed by the data subject.

4.6 Qualification of roles in the treatment

As reconstructed in point 2.2 (whose arguments are understood to be referred to here) and taking into account what the Company argued in its defense brief, it is not possible to go beyond the reasons for the dispute expressed in the deed initiating the proceeding, since the qualification of mere intermediary that the Company has given itself is not sufficient to exclude that it has processed the data in its capacity as data controller, and not as processor, in the case of lists entrusted to it under management.

As ascertained during the inspection, the Ediscom database is unique and fed by various sources, including the so-called "under management" databases. The data deriving from this type of contract therefore become part of the database that the Company uses to carry out promotional campaigns in the same way as a database acquired with a purchase or rental contract. Proof of this is also the fact that the Company, before acquiring such data from the partner, carries out a deduplication activity, i.e. a comparison with the data already in its possession, discarding the latter from the calculation of the remuneration due to the subject who entrusts the database.

The erroneous qualification as processor meant that the Company did not register the withdrawals of consent or the requests for objection coming from subjects whose data had been acquired from the databases under management, with the result that, in the cases subject to investigation, promotional messages were sent to individuals who had objected directly to Ediscom.

On the other hand, with regard to cases in which the Company is a party to affiliation contracts, given that the functioning of this business model has not been sufficiently clarified, it is in any case noted that the Company, in the defensive phase, declared that it did not form lists starting from the databases of partners XX and XX.

However, it should also be remembered that it is not the material acquisition of the data that determines the role actually played in the processing; therefore the Company, depending on the actual activity carried out, can qualify as controller or processor but, having in any case a role in the processing, it cannot be considered a mere commercial intermediary. To simplify, it can be considered that it acts as a co-controller when it acquires data, for any reason, to be included in its database, while it can be considered a processor when instead it performs activities only on behalf of the clients but, in this case, it remains responsible towards the controller (who must first authorize in writing) for the processing entrusted to any sub-processors.

In no case can it be considered to have "no role" in the processing, nor can a chain of subjects involved in the processing of the extent of the one described in the case of the complainant XX and the client XX be considered admissible where, each having considered itself free of responsibility, it was not possible to respond adequately to the requests of the complainant and above all to document a suitable consent (which, even if it had been lawfully acquired, could not have extended its effects to an indeterminate chain of subjects).

For these reasons, the disputed violation of art. 5, par. 1, lit. a) of the Regulation is confirmed, since the processing carried out did not comply with the principles of lawfulness, fairness and transparency. However, it must be taken into account that Ediscom took steps, turning to its partners, to provide answers to the complainant's requests even before the start of the investigation by the Guarantor, providing the answers that it was in its power to give, even if they were unsatisfactory.

Therefore, also taking into account the assurances provided regarding the ongoing review of contracts and roles, it is considered sufficient to issue a warning to the Company, pursuant to art. 58, par. 2, lit. b) of the Regulation, with regard to violations resulting from the establishment of contractual relationships that are not accompanied by a clear definition of the roles in the processing.

4.7 Suitability of checks on lists acquired from third parties

With regard to what is described in point 2.3, the contents of which are understood to be referred to here, and taking into account the assurances provided by the Company with the defense brief and with the statements made during the hearing, the violations of Articles 5, par. 2 and 24 of the Regulation are confirmed for the past.

Therefore, taking into account the importance assumed by this processing, since the contribution of third-party databases to the Ediscom database is preponderant, and the need to intervene in a proportionate and dissuasive manner, the conditions for the application of a pecuniary administrative sanction pursuant to art. 58, par. 2, lit. i) exist.

4.8 Acquisition of suitable consent for sending promotional messages

With regard to the precise observations made by the Office regarding the sending of promotional communications which for some complainants turned out to be without consent, the Company limited itself to asserting that the dispute was based solely on the lack of a consent confirmation mechanism. First of all, it should be stated that the use of the double opt-in method for collecting consent does not constitute a legal obligation but, as clarified several times by the Guarantor, must be considered an adequate measure, available at the state of the art, to document the will of the data subject. In any case, it is not on this assumption that the objections raised by the Guarantor were based; rather they originated from the facts ascertained during the investigation. We refer in particular to the cases of the complainants XX and XX, whose data were processed even after their objection to the processing, also recalling that, with regard to Mr. XX, the data had been acquired from XX, which expressly declared that it had considered the simple registration on the website as consent. To this must be added the case of Mr. XX, for whom no consent has been documented.

For these reasons, the violation of Articles 6, par. 1, lit. a) and 7 of the Regulation, as well as the violation of art. 130 of the Code, is noted, and it is necessary, pursuant to art. 58, par. 2, lit. i) of the Regulation, to impose an administrative fine on Ediscom.

5. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

On the basis of the above, various provisions of the Regulation and of the Code have been violated in relation to connected treatments carried out by Ediscom, for which it is necessary to apply art. 83, par. 3, of the Regulation, on the basis of which, if, in relation to the same treatment or related treatments, a data controller violates, with willful misconduct or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation with consequent application of the sole sanction provided for by art. 83, par. 5, of the Regulation.

For the purpose of quantifying the administrative fine, the aforementioned art. 83, par. 5, in setting the statutory maximum at the sum of 20 million euros or, for companies, at 4% of the annual worldwide turnover of the previous year where higher, specifies the methods for quantifying the aforementioned fine, which must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1, of the Regulation), identifying, for this purpose, a series of elements, listed in par. 2, to be evaluated when quantifying the relative amount.

In fulfillment of this provision, in the present case, having verified, on the basis of the latest available financial statements, the occurrence of the first hypothesis envisaged by the aforementioned art. 83, par. 5 and therefore quantified at 20 million euros as the applicable statutory maximum, the following aggravating circumstances must be considered:

1. the wide scope of the treatments taking into account that the database held by Ediscom at the time of the inspection activity contained the data of 21 million interested parties (Article 83, paragraph 2, letter a), of the Regulation);

2. the degree of culpability of the controller, comparable to possible willful misconduct in the case of the use of misleading graphical interfaces, since Ediscom acted intentionally to induce users to prefer some choices rather than others; even in the case of violations related to the inadequacy of the checks made on the databases acquired, given the degree of professional competence of the Company and its knowledge of the market, it is deemed that it acted with gross negligence (Article 83, paragraph 2, letter b) of the Regulation);

3. the manner in which the Supervisory Authority became aware of the violations, which emerged from some complaints and during an inspection (Article 83, paragraph 2, letter h), of the Regulation).

As mitigating elements, it is considered necessary to take into account:

1. the seriousness of the violations detected, in consideration of the fact that personal data were used only for sending promotional communications, a sending which was interrupted in the event of withdrawal of consent expressed directly to Ediscom (Article 83, paragraph 2, letter a), of the Regulation);

2. the timely adoption of corrective measures after receipt of the act of initiation of the procedure (Article 83, paragraph 2, letter c), of the Regulation);

3. the absence of previous relevant violations committed by Ediscom (Article 83, paragraph 2, letter e) of the Regulation);

4. the high degree of cooperation in interaction with the Supervisory Authority (Article 83, paragraph 2, letter f), of the Regulation);

5. the categories of personal data affected by the violation, which concerned only the personal and contact details of the data subjects (Article 83, paragraph 2, letter g), of the Regulation);

6. the fact that the Company has demonstrated that it has in any case paid attention to the rights of the data subjects in carrying out its business activity, adopting contractual precautions in the event of the transfer of databases to third parties and demonstrating that it has made every possible effort, when asked, to provide feedback to the data subjects even before the intervention of the Guarantor, by communicating the withdrawals of consent also to the subjects from whom it had received the data (Article 83, paragraph 2, letter k), of the Regulation).

With an overall view of the necessary balance between the rights of the data subjects and the freedom to conduct a business, and in the initial application of the pecuniary administrative sanctions envisaged by the Regulation, it is necessary to evaluate the aforementioned criteria prudently, also in order to limit the economic impact of the sanction on the organisational, functional and occupational needs of the Company.

Therefore, it is believed that - on the basis of all the elements indicated above - the administrative sanction of payment of a sum equal to 300,000 (three hundred thousand) euros should be applied to Ediscom, equal to approximately 2% of the turnover reported in the latest available financial statements.

It should be noted that the conditions set out in art. 17 of Regulation of the Guarantor no. 1/2019, concerning internal procedures having external relevance aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, exist for the annotation of the violations detected here in the internal register of the Authority provided for by art. 57, par. 1, lit. u) of the Regulation.

It is also believed - in consideration of the seriousness of the violations found - that, pursuant to art. 166, paragraph 7, of the Code, and art. 16, paragraph 1, of Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this provision on the website of the Guarantor, by way of ancillary sanction.

Finally, it should be remembered that pursuant to art. 170 of the Code, anyone who fails to comply with this provision prohibiting processing is punished with imprisonment from three months to two years and that, in the event of non-compliance with the same provision, the sanction referred to in art. 83, par. 5, letter e), of the Regulation applies.

ALL THAT BEING CONSIDERED, THE GUARANTOR

against Ediscom S.p.A., with registered office in via Vittorio Alfieri, 11, Turin, VAT number/tax code 09311070016,

a) pursuant to art. 58, par. 2, lit. b), issues a warning regarding the fact that the procedure illustrated in point 4.2 carries out a treatment which may involve the profiling of the interested parties without there being a corresponding specific consent;

b) pursuant to art. 58, par. 2, lit. f), imposes the prohibition of processing personal data, in particular of subjects presented by other users, without an appropriate legal basis;

c) imposes, pursuant to art. 58, par. 2, lit. f), the prohibition of the processing of personal data collected through the interaction of different services where it is not possible to document a consent freely expressed by the interested party;

d) issues a warning, pursuant to art. 58, par. 2, lit. b) of the Regulation, with regard to violations resulting from the establishment of contractual relationships that are not accompanied by a clear definition of the roles in the processing.

ORDER

pursuant to art. 58, par. 2, lit. i), of the Regulation, to Ediscom S.p.A., in the person of its legal representative, to pay the sum of 300,000.00 (three hundred thousand) euros as an administrative fine for the violations indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 300,000.00 (three hundred thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adoption of the consequent enforcement deeds pursuant to art. 27 of Law no. 689/1981;

PROVIDES FOR

pursuant to art. 166, paragraph 7, of the Code, the full publication of this provision on the Guarantor's website.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as Articles 152 of the Code and 10 of Legislative Decree 1 September 2011, no. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal lodged with the ordinary court of the place where the data controller has its residence, or, alternatively, with the court of the place of residence of the data subject, within the term of thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 23 February 2023

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE SECRETARY GENERAL
Mattei



SEE ALSO: Newsletter of April 17, 2023

[doc. web no. 9870014]

Prescriptive and sanctioning measure against Ediscom S.p.A. - February 23, 2023

Register of measures
no. 51 of 23 February

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and Avv. Guido Scorza, members, and Cons. Fabio Mattei, secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000;

RAPPORTEUR Dr. Agostino Ghiglia;

WHEREAS

1. THE INVESTIGATION ACTIVITY

1.1 Elements acquired through verifications carried out on site

On 22 and 23 November 2021, in accordance with the planning of the inspection activities of the Guarantor and on the basis of some complaints received, inspections were carried out at Ediscom S.p.A. (hereinafter, Ediscom or Company) aimed at verifying the databases used for marketing purposes, the criteria for selecting suppliers and the ability to respond to requests from interested parties.

The company, founded in 2006, today carries out promotional campaigns for medium-large customers via text messages and e-mails and, only recently, via automated calls. Ediscom's activity consists in conveying the messages received from the client to the subjects present in its database; this activity is carried out directly by Ediscom without transmitting data to the customer. Residually, the Company also offers a list rental service for telemarketing. In this case, the lists are extracted from the database according to criteria indicated by the customer and are delivered to the customer via https access with login and password.

To carry out its business, the Company makes use of a database containing the data of 21 million interested parties. The database is made up of data collected directly by the Company and data provided by third parties; in particular there are:

1. data collected by Ediscom through its portals containing news, curiosities, cooking recipes or prize contests; during the verification, Ediscom declared that the data are acquired immediately upon submission of the form, and therefore no double opt-in confirmation message is sent; the checks subsequently carried out by the Office starting from the web addresses indicated by the Company are illustrated below;

2. data acquired from third party database suppliers, for which the Company operates as an independent data controller; from the contracts produced it can be seen that Ediscom purchases entire lists of data produced by subjects who have collected them online through portals dedicated to prize competitions or the search for offers;

3. data acquired from third parties who want to monetize databases set up for the provision of various services: in this case Ediscom acts as data processor. From the contracts produced it emerges that the database is offered on hire and that costs and revenues are shared between Ediscom and the supplier of the list; the database remains the property of the person who formed it, and Ediscom undertakes to enhance it by using the data contained therein to convey promotional messages from third parties, its customers; the data subject to management are only those which, based on a deduplication activity, are not already available to Ediscom.

With regard to requests for erasure or withdrawal of consent received from data subjects, the Company declared that it registers them in the database by simultaneously entering the data in a blacklist, in order to avoid re-importing the same data when acquiring new lists from third parties. In cases in which Ediscom acts as data processor (as described in point 3 of the list above), the requests of the data subjects are also communicated to the respective controllers.

On 23 November 2021, access was made to the database in which Ediscom records the data of the subjects that can be contacted. In particular, the checks were carried out starting from the data of some interested parties who had submitted complaints or reports to the Guarantor.

In almost all cases examined, it appeared that the data subjects' data had been provided by partner XX, based in Germany. In this regard, the Company declared that the aforementioned XX, acting as an intermediary (data broker), had conveyed lists compiled by third parties (list editors) who, based on what was acquired in the documents, were all based outside the EU (XX, XX and XX). The Company specified that it has no direct contact with the suppliers of these lists, as these are conveyed only through XX.

The General Contract Conditions are attached to each order form, from which it can be seen that XX undertakes to permanently transfer personal data collected from third parties to Ediscom, guaranteeing the lawfulness of the collection and the existence of suitable consent to the treatment.

With regard to the checks carried out on the lists acquired from third parties, Ediscom stated that:

- the landing page, containing the data collection form, is observed, simulating a registration to verify the collection of free and specific consents;

- a compliance check of the privacy information is carried out;

- the supplier is required to send, for each contact, the relative proof of the consents expressed (IP address, date and time of registration, type of consents expressed, registration URL); this is also useful for providing prompt response to any requests from interested parties.

In this regard, the Company has produced documentation containing the checks carried out on some of the websites used by the partners to collect personal data and the related consents (see attachment 7-quater Verifiche_db, subfolder "User experience controls"). This documentation contains, for each of the sites examined, the pages that can be viewed by the user and the privacy information. The date of these accesses is not documented.

The Company also clarified that, in some cases in which the lawfulness of the processing was not sufficiently proven, it refused database offers (see annex 7-quater to the report of 23 November 2021).

During the investigations, it was pointed out by the inspectors that the list provider XX (from which the data of some complainants were supplied, through XX) did not indicate in its privacy notice the contact details of its representative in Italy (being a non-EU controller), as required by art. 27 of the Regulation. The Company, when questioned on the point, admitted that it had not noticed this.

With regard to the individual accesses made to the accounts of the users who made the reports, the following is noted in particular:

1) in the case of the reporting party XX, mobile phone XX, the contact had been deleted from the Ediscom database on 14 December 2017 and then acquired again on 1 October 2020 via "SponsorG Checkmate" (and deleted the following month); however, this user was included in five promotional campaigns in 2019, probably because the reporting party was at the same time also present in the database provided by XX (from which the data were deleted on 2 January 2020): XX is qualified as controller of a database managed by Ediscom. Furthermore, with regard to this reporting party, Ediscom replied directly to the data subject by email dated 24 November 2020, declaring that the data, in the period complained of, had been extracted from the database of XX, based in Spain, and that Ediscom processed them as a processor. An examination of the certification of access provided by XX (and forwarded to the reporting party) shows that Mr. XX's data were acquired through registration on the https://it.bestdeals-bc.com portal on 22/01/2020, but a specific consent to communication to third parties for promotional purposes is likewise not documented. Indeed, in this certification the publisher states the following regarding consent: "that in the form of participation received it is clear that the user has granted XX free and express consent for the processing of his personal data for marketing purposes, accepting the privacy policy, terms of use and lottery rules…"; it should be noted that no contractual documentation was provided for partner XX, nor is XX explicitly mentioned in the list of partners provided during the investigation (see annex 2-bis to the minutes of 23 November 2021);

2) in the case of the reporting party XX, mobile phone XX, the Company manually deleted the data subject from the database on 13 November 2020, since he had directly asked Ediscom to delete his data and had objected to receiving further promotional contacts. However, the reporting party's number was re-entered into the database on 1 June 2021 following the acquisition of the XX database.

The use of the contact details of the complainant XX was also checked. The complainant, in a complaint to the Garante, stated that he had received a promotional email on behalf of XX and that he had not been able to obtain a clear answer regarding the origin of his data, because all the parties involved in the promotional activity had disclaimed responsibility, referring, ultimately, to a company based in England (XX). Ediscom, already made aware of the facts by XX himself through a request to exercise his rights, declared that the data had been extracted from the database of XX (based in Spain), described as an "affiliate" of XX, a partner of Ediscom to whom XX had entrusted the service. XX, in turn, is said to have declared that it had acquired the data from XX. It must be added that the complainant, after receiving a similar response from XX, carried out further research (also verified by the Garante's Office) showing that on the date on which XX allegedly acquired his data (in 2018), the site indicated as the source of the data was in fact the showcase site of a political party, with no data collection form and no consent formulas to be selected for promotional purposes. XX has also been registered in the English register of companies only since 2021.

After receiving these precise observations from the complainant, and having received no suitable feedback from XX, Ediscom sent a warning to XX and to XX regarding further use of XX's lists and entered Mr. XX's data in the blacklist (see annex 7-ter to the minutes of 23 November 2021).

With regard to the contractual relationship with XX, during the investigation the Company produced a partnership agreement signed on 11 October 2011 between Ediscom, XX and XX (annex 7-bis to the minutes of 23 November 2021). This contract refers only to the possibility of jointly managing the promotional campaigns acquired by one of the three contracting parties, with the recognition of a percentage of the earnings. Together with this contract, the Company produced a deed of appointment as data processor in which XX is the controller and Ediscom the processor, as well as another deed of appointment as data processor in which Ediscom is instead the controller and XX the processor.

1.2 Elements acquired through the checks carried out on the basis of the documentation delivered by the Company

On 21 and 22 March 2022, official checks were carried out on the websites indicated by the Company as the sources from which it acquires personal data directly (see annex 4 to the minutes of 22 November 2021).

First of all, it was found that all the sites referred to the same Ediscom privacy policy, updated on 3 March 2022. However, the website www.testadiquiz.it gave no indication on its home page of the owner of the site, nor did it make the privacy notice available before data collection (the link to the notice was shown only at the end of the process, in the consent collection checkbox).

All the sites indicated had a form for entering personal data and the same consent acquisition boxes, with the possibility of expressing a separate consent for marketing purposes by Ediscom and for communication to third parties for marketing purposes.

The following is observed:

a) while on some portals the registration closed with a message announcing the sending of a confirmation email, in other cases the process ended with the submit command, after which the data should have been acquired directly into the system, as also declared during the inspections; on the website www.rispondievinci.it, the process concluded with the message "Thank you for taking part in the contest. You will shortly receive the information via email to verify if you have won the prize";

b) on the same sites that allowed registration without a confirmation email, if the marketing consent boxes were not selected, before the registration process continued the user was shown the following screen asking him to provide the first consent:

(Figure 1)

If, on the other hand, only the first consent was selected, without the request for communication to third parties for marketing purposes, the following screen was displayed inviting the user to provide the second consent:

(Figure 2)

c) on the sites visited, the user was required to enter numerous personal data - all mandatory - such as identity and contact details (e.g. it was mandatory to enter both the email address and the telephone number). Furthermore, on some of them it was required to answer numerous questions - all mandatory - relating to purchasing capacity and habits, the family unit, the work carried out, annual income, etc.

(figure 3)

d) on some sites, during the registration process, the user was asked to enter the contact details of friends potentially interested in the service, with an option to decline that was not easily visible:

(figure 4)

e) after completing the registration process on the www.fioriblu.it website to obtain a monthly newsletter on health and well-being, the user was invited to click on a link leading to the www.you.tipiace.it website to download an unspecified e-book; on accessing the site from the link, the site recognised the user and displayed, in an already activated profile, all the registration data entered on www.fioriblu.it. Furthermore, the privacy consents that had not been granted on the fioriblu.it site were all selected on the you.tipiace.it site. Similarly, after completing registration on the www.gustissimo.it site to obtain a monthly cooking newsletter, the user was invited to click on the same link leading to the www.you.tipiace.it site to download an e-book. In this case too the user found his own profile already active, with the same personal data entered on www.gustissimo.it, even though the consents had not been selected;

f) at the bottom of the website www.you.tipiace.it there were links to reach the following partner websites (all owned by Ediscom): www.gustissimo.it, www.ricettaidea.it, www.fioriblu.it, www.joblet.it, www.sullaneve.it, www.guidaconsumatori.it. These last two websites were not present in the list provided by Ediscom (Annex 4 to the minutes of November 22, 2021);

g) the website www.sullaneve.it, which contained the link to Ediscom's privacy notice at the bottom, did not provide for subscriptions or registrations to the service; however, in order to publish a comment on the topics proposed, the user was asked to fill in a form in which, in addition to the comment, the name and email address had to be entered, with the caveat that a communication would be sent to this email address in order to activate the comment and publish it. At the bottom of the form there were two check boxes which were used, respectively, to confirm having read the privacy notice and to consent "... to the processing of my personal data for the optional purposes of promotion and marketing, for the transfer of data to third parties".

2. NOTIFICATION OF THE VIOLATIONS

By a note dated 3 May 2022, the commencement of the proceeding was communicated, pursuant to art. 166, paragraph 5, of the Code, for the adoption of corrective measures and sanctions, on the basis of the results of the inspection activity and the subsequent official checks.

In particular, the investigations made it possible to make findings with regard to the following aspects.

2.1 Collection of personal data through portals owned by Ediscom

With regard to the investigations described in point 1.2, it was found that the collection of personal data did not comply with the provisions of the Regulation in the respects described below.

2.1.1 use of "dark patterns" to circumvent the will of the interested party

From the accesses made to the portals managed directly by Ediscom, it emerged that in many cases the Company adopted unclear communication models, with particular regard to the graphic design of the interfaces and the steps of the registration process for the services.

For greater clarity, the notification also recalled the clarifications given by the EDPB in its guidelines on dark patterns (still under public consultation when the deed initiating the proceeding was drafted).

On some of the portals examined, during the registration process the data subject was asked to give a specific consent to processing for Ediscom's marketing purposes and to communication to third parties for marketing purposes. If one of the two boxes was not selected, a pop-up was presented which highlighted the lack of consent and displayed a clearly visible button for accepting the processing. The link to continue without accepting was placed at the bottom, outside the pop-up, in plain text (without the graphic format of a button), written in a smaller font than the rest of the text and, being overlaid on other content, not very visible (see figures 1 and 2 above).

The pop-up served no purpose in carrying out the registration process but evidently represented a further attempt to obtain the user's consent even though he had already clearly expressed his will on the previous screen. This attempt, in addition to needlessly complicating the registration process, was characterised by greater opacity in the way the consent request was presented, increasing the probability that the data subject would give consent not as a conscious choice but because he was misled or in a hurry to conclude the process.

A similar arrangement was found on the screen inviting the user to provide the data of other persons potentially interested in registering for the services (see figure 4). Faced with invitation messages written in bold and fields marked with asterisks (even though in fact optional), the option "...or skip" - which should be an alternative to the "continue" button - was shown at the bottom of the page in a much smaller font and with completely different graphics from the "continue" option.

Furthermore, the checks confirmed that registration for the services offered by some Ediscom portals did not require validation by email (so-called double opt-in consent collection), as the Company itself had also described during the inspection. However, the accesses to the sites also showed that in some cases the registration process ended with a message announcing the forthcoming receipt of a confirmation email.

It should also be noted that the sites for which no confirmation email was provided were the same sites for which the collection of excess data had been detected (see point 2.1.2 below) and on which specially designed interfaces were used to circumvent the data subject's will regarding the collection of consent. As repeatedly clarified by the Garante, documenting consent through the registration IP address alone cannot be considered sufficient to demonstrate the data subject's will (see provision of 25 November 2021, web doc. no. 9737185, and provision of 26 October 2017, web doc. no. 7320903, on www.garanteprivacy.it).

In conclusion, it was considered that consent collected in such ways, deliberately designed to circumvent the rules, raised serious doubts as to the freedom and awareness with which the data subject could express his will, and therefore could not be considered lawful.

For these reasons, the violation of art. 5, par. 1, lit. a), art. 7, par. 2 and art. 25 of the Regulation was found.

2.1.2 Collection of Excess Data

On many of the sites visited, the user was required to enter numerous personal data and to answer numerous questions - all mandatory - relating to purchasing capacity and habits, family unit, work activity, annual income, etc. (see figure 3 above).

The collection of all this information, which did not appear to have any relevance to the service offered, was not necessary for its provision, with the consequence that more data were collected than necessary. Moreover, this information was intended to outline a profile of the subscriber and could have fallen within the processing purpose described in point 1 c) of the privacy notice published by Ediscom itself (analysis and definition of profiles and preferences for marketing purposes). However, the data subject was not asked to express a specific consent to this processing, as the same notice instead stated. Therefore, the collection of subscribers' personal data, configured in this way, was considered to violate the principles of lawfulness, fairness and transparency, because it forced the data subject to provide much information not relevant to the service. Furthermore, this processing could violate the principle of purpose limitation if the data collected for the purposes of the service, or on the basis of specific consents for marketing, were then also used for user profiling in the absence of a specific consent. Finally, the collection of data beyond the purposes of the processing was deemed to conflict with the data minimisation principle.

For these reasons, the processing was carried out in violation of articles 5, par. 1, lit. a), b) and c), 6 and 7 of the Regulation.

2.1.3 lack of information on the website www.testadiquiz.it

The website www.testadiquiz.it gave no information on its home page about the owner of the site (generally indicated in the footer of the home page), nor did it make the link to the privacy notice available before starting to collect the data of data subjects. The link to the notice was displayed only at the end of the form, when the data subject was asked to consent to the marketing purposes of Ediscom and third parties.

On the site in question, in addition to the absence of any privacy notice, there was no indication of the entity to which the site belonged; the user was therefore invited to enter his personal data without any information about the future processing, and even without knowing the identity of the controller. In this regard, it was recalled that, in addition to the specific provisions of the Regulation on transparency, the publication of company details on a site's home page is a legal obligation (see art. 35, paragraph 1, Presidential Decree no. 633 of 26 October 1972, and art. 2250 of the Civil Code).

With regard to the specific provisions on the protection of personal data, art. 13 of the Regulation requires the controller to provide the data subject with all the information listed there "at the time the data are obtained". It is therefore necessary that the information on the purposes and methods of the processing be disclosed to the data subject before he starts completing the form, so that he can evaluate the conditions proposed by the controller before the processing begins.

For these reasons, the violation of articles 5, par. 1, lit. a) and 13 of the Regulation was found.

2.1.4 data collection of referenced subjects

As can also be seen from figure 4 above, on many of the sites visited there was a screen asking the data subject to provide the name and email address of other persons potentially interested in the same service. The Office found that the third-party data possibly provided by the user during the registration process could in no case be considered covered by a suitable consent to future promotional contacts. This is because the status of "referred" person (which would be attributed to the person introduced by the user) cannot replace the prior acquisition of a specific, documented and unequivocal consent from the data subject, since the referring third party is not (as a rule) entitled to give any valid consent on behalf of the data subject who receives the promotional contact (see provision of 15 January 2020, web doc. no. 9256486).

For these reasons, the collection of personal data of third parties indicated by the user was not justified by any of the legal bases set out in art. 6 of the Regulation, also taking into account that alternative ways of promoting a brand through existing customers are now widely used without the need to directly acquire the personal data of unsuspecting third parties.

Had such data been used to convey promotional messages without providing a suitable notice and without acquiring specific consent, this activity would have been carried out unlawfully.

For these reasons, the processing was considered to constitute a violation of art. 6 of the Regulation, of art. 14 of the Regulation and of art. 130 of the Code.

2.1.5 interaction between the various services with contextual data recording

From the Office's accesses to the website www.fioriblu.it, it emerged that the user, after completing the process of subscribing to the wellness and health newsletter, was invited to download an e-book (of unspecified content) by clicking on a link leading to the site www.you.tipiace.it.

Following the proposed link, one reached the site www.you.tipiace.it (which contained cooking recipes). The user who arrived via that link was recognised with the same data entered on www.fioriblu.it and found a personal profile already created with those data, as shown in the following figure:

Furthermore, the privacy consents that had not been granted on the www.fioriblu.it site were all already selected on the www.you.tipiace.it site (although they could be manually deselected):

The Office judged this approach to be in clear contrast with the requirement that consent be freely given.

For these reasons, the violation of articles 5, par. 1, lit. a), 6, par. 1, lit. a) and 7 of the Regulation was found.

The registration process on the www.gustissimo.it site also ended with a link redirecting to www.you.tipiace.it, where one found a user profile already filled in with the same data entered on www.gustissimo.it.

This result was considered likely to derive from an approach based on the fact that the controller is in every case Ediscom and that the data collected through the various portals, which present the same privacy notice, probably flow into a single database. Therefore, even if the processing was in fact a single one with a single purpose, the data subject, in the Office's opinion, was in no position to fully understand it and, consequently, to interact correctly with the services offered by Ediscom. Furthermore, while the www.fioriblu.it and www.gustissimo.it sites did not require a password, the www.you.tipiace.it site asked for a password to be added to the profile already created. If this was not done, the profile was nevertheless not deleted, because on a subsequent access with the same email the user was recognised as already registered, even though he had never requested registration and had never entered a password.

As already described, the newsletter subscription process ended with an invitation to click on a link leading to another service. This step, besides not being clearly perceivable as optional, also raised doubts as to its connection with the registration process the user had just completed, since the service offered through the site www.you.tipiace.it had no bearing on the content chosen by the user on the sites of origin.

Given all of the above, the violation of art. 5, par. 1, lit. a) of the Regulation was found, owing to the lack of clarity and transparency towards the user; moreover, the violation of the principle of purpose limitation under art. 5, par. 1, lit. b) of the Regulation was found, since the user provided his data to register for a specific service but the same data were also used to register him with another portal, without this falling within his expectations and without this further registration having any connection with the initial purpose of registering on the first portal.

2.1.6 collection of consents on the portal www.sullaneve.it

As described above, it was ascertained that, in order to post a comment on the portal www.sullaneve.it, the user had to enter a name and email address. At the bottom of the form there were two check boxes which were used, respectively, to confirm having read the privacy notice and to consent "... to the processing of my personal data for the optional purposes of promotion and marketing, for the transfer of data to third parties".

It was observed that a single consent box was presented for what in reality appear to be two distinct processing operations. Indeed, the privacy policy published on this site too distinguished the two operations, in points 1.b and 1.d.

The Office observed that, with regard to the consent formula shown on the portal as well, although the purpose was the same (marketing), the controller carrying out the processing was different (Ediscom itself, or the third parties to whom the data were communicated). Two distinct and specific consents were therefore required, which in fact the Company did request on the other portals examined. In this case, the formulation did not allow the data subject to express a free and specific will, thereby giving rise to the violation of articles 6, par. 1, lit. a) and 7 of the Regulation.

2.2 Qualification of roles in the treatment

From what the Company described during the investigation and from the examination of the contractual documentation produced, it emerged that Ediscom's qualification of its role in the processing of personal data varied according to the commercial relationship established with the partners, without any corresponding justification in the roles actually played.

Ediscom correctly qualified itself as an independent controller in all cases in which it acquired lists of data from other independent controllers. However, Ediscom's qualification as processor in the cases described as "database management" on behalf of third parties was not shared, for the reasons set out below. Similar considerations were made for Ediscom's role in the commercial relationships defined as "affiliation", where, however, the qualification of the roles had not been clearly demonstrated.

2.2.1 Ediscom's role in the processing of data contained in the databases entrusted to management

In all cases in which the Company concluded a database management agreement with its commercial counterparty, it qualified itself as processor, both in the contracts and in the replies given to data subjects' requests to exercise their rights.

In reality, this different qualification compared with the cases involving a purchase of lists was considered groundless by the Office. Even in the commercial relationship known as "management", Ediscom is to be regarded as an independent controller, since each data acquisition activity is aimed at enriching Ediscom's database, which is then used to offer promotional services to its customers (the Company in fact has a single database). The Office therefore considered that the source of the data (direct sources, such as the portals owned by Ediscom, or databases acquired from third parties, whatever the legal title of the acquisition) was not relevant. In other words, the nature (purchase, rental, management/use of the database) of the contract signed with the third party cannot be relevant when in fact there is always an acquisition of data from third parties aimed at the sending of promotional messages by Ediscom on behalf of its customers.

It follows that the processing always consists in the collection of personal data (whatever the source) and that it is Ediscom that determines the purpose of this processing: the commercial exploitation of the database through the sending of its customers' promotional messages.

After all, the function of the data acquisition was clearly that of enriching the Ediscom database, given that the contracts signed with third parties state that "the data being managed are those that are not already available to Ediscom S.p.A. on the basis of a preliminary deduplication activity, Ediscom S.p.A. itself reserving the right to compare the COMPANY database with those it has available".

Furthermore, this allocation of roles proved to have detrimental consequences for the data subjects. Ediscom demonstrated that it correctly implemented the objection or erasure requests received and registered the data subjects on a blacklist so as not to re-import their data in the event of a subsequent acquisition of lists. However, this appropriate precaution proved useless where such lists had been acquired in the form of a database under management, since, by wrongly qualifying itself as processor, Ediscom did not take into account the objections already received (and addressed to Ediscom itself) and consequently sent promotional messages to persons who had already objected (see the cases of XX and XX described above).

Furthermore, it was observed that in the contracts shown as the template used for database management, Ediscom "will manage the database ... through the concession of the same on lease, for periods not exceeding 3 months, and the sending of commercial text messages for Ediscom partners". It follows that the consent to transmission to third parties originally acquired by the creator of the database would have been deemed sufficient, in the case of rental, to communicate the data first to Ediscom and then to the third-party renter. Such a construction is not acceptable, however, since the validity of that consent cannot be admitted indefinitely for all the parties, after the first, to whom the data are communicated.

Therefore, the incorrect qualification as processor in the contractual relationships referred to as database management led to the conclusion that the processing was in contrast with the requirements of lawfulness, fairness and transparency, in violation of art. 5, par. 1, lit. a).

Furthermore, the objections to processing raised by the data subjects were thwarted - owing to the incorrect qualification of the roles - by circumventing the procedures intended to keep track of those objections. The partner's acquisition of a generic consent to third-party promotional activities cannot, in fact, be considered sufficient to override the wish not to be contacted (any longer), specifically expressed to another controller. This processing therefore did not guarantee the exercise of the rights to erasure and to object, in violation of articles 17 and 21 of the Regulation.
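The per-contact proof of consent that Ediscom said it required from list suppliers (IP address, date and time, consent types, registration URL) and the suppression-list gap described in this point can be combined into a single import gate. The following is an added example, not Ediscom's or the Garante's code; the record layout, the channel names and the sample contacts are constructed.

```python
"""Import gate for third-party contact lists. Added example, not Ediscom's or the
Garante's code: record layout, channel names and sample contacts are constructed."""
from __future__ import annotations

import hashlib
import re


def _digest(kind: str, value: str) -> str:
    return f"{kind}:{hashlib.sha256(value.encode()).hexdigest()}"


def contact_keys(record: dict) -> set[str]:
    """Pseudonymous keys under which this contact could be re-imported."""
    keys: set[str] = set()
    if record.get("email"):
        keys.add(_digest("email", record["email"].strip().lower()))
    if record.get("phone"):
        digits = re.sub(r"\D", "", record["phone"])
        # Constructed rule: strip an Italian prefix so '+39'/'0039' forms collide.
        keys.add(_digest("phone", re.sub(r"^(00)?39", "", digits)))
    return keys


class SuppressionList:
    """Blacklist of data subjects who objected or asked for erasure."""

    def __init__(self) -> None:
        self._keys: set[str] = set()

    def add(self, record: dict) -> None:
        self._keys |= contact_keys(record)

    def matches(self, record: dict) -> bool:
        return bool(self._keys & contact_keys(record))


def proof_problems(record: dict) -> list[str]:
    """Validate the per-contact consent proof (IP, date/time, consents, URL);
    an IP address alone is not accepted, and third-party consent must be explicit."""
    proof = record.get("proof") or {}
    problems: list[str] = []
    if proof and set(proof) <= {"ip"}:
        problems.append("proof consists of an IP address only")
    for name in ("timestamp", "url"):
        if not proof.get(name):
            problems.append(f"missing {name} of registration")
    consents = proof.get("consents") or {}
    if not consents.get("marketing"):
        problems.append("no consent for the supplier's own marketing")
    if not consents.get("third_party"):
        problems.append("no specific consent for communication to third parties")
    return problems


def import_list(records: list[dict], channel: str, suppression: SuppressionList,
                legacy: bool = False) -> tuple[list[str], list[tuple[str, list[str]]]]:
    """Return (accepted ids, rejected ids with reasons). legacy=True reproduces the
    failure in the decision: the suppression list was skipped for a "managed" database
    because the importer regarded itself as a mere processor there."""
    accepted: list[str] = []
    rejected: list[tuple[str, list[str]]] = []
    for record in records:
        reasons: list[str] = []
        if not (legacy and channel == "managed") and suppression.matches(record):
            reasons.append("data subject previously objected or requested erasure")
        reasons.extend(proof_problems(record))
        if reasons:
            rejected.append((record["id"], reasons))
        else:
            accepted.append(record["id"])
    return accepted, rejected


# Constructed sample data: documentation-range IPs, fictitious people.
GOOD_PROOF = {"ip": "203.0.113.7", "timestamp": "2020-01-22T10:15:00+01:00",
              "url": "https://promo.example/form",
              "consents": {"marketing": True, "third_party": True}}
OBJECTOR = {"id": "obj", "email": "Mario.Rossi@example.com", "phone": "+39 333 1234567"}
MANAGED_DB = [
    {"id": "c1", "email": "mario.rossi@example.com", "phone": "0039 3331234567",
     "proof": GOOD_PROOF},  # same person as OBJECTOR, different spelling
    {"id": "c2", "email": "anna@example.org", "proof": GOOD_PROOF},
    {"id": "c3", "email": "luca@example.net", "proof": {"ip": "198.51.100.9"}},
    {"id": "c4", "email": "sara@example.net",
     "proof": {**GOOD_PROOF, "consents": {"marketing": True, "third_party": False}}},
]


def demo() -> dict[str, list[str]]:
    """Run the same managed database through the legacy and corrected gates."""
    suppression = SuppressionList()
    suppression.add(OBJECTOR)
    legacy_ok, _ = import_list(MANAGED_DB, "managed", suppression, legacy=True)
    fixed_ok, rejected = import_list(MANAGED_DB, "managed", suppression)
    return {"legacy": legacy_ok, "fixed": fixed_ok,
            "rejected": [rid for rid, _ in rejected]}
```

Under the legacy path the objector (c1) is accepted again from the managed database; the corrected path rejects c1 for the earlier objection, c3 for IP-only proof and c4 for the missing third-party consent.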

2.2.2 Ediscom's role in the context of defined affiliation contracts

The story described in Mr. XX's complaint brought to light an erroneous qualification of the roles also in the treatment implemented in the context of contractual relationships known as affiliation. Also in this case, the parties decided to distinguish these roles in consideration of the difference resulting from the commercial agreements. However, similarly to what was argued in the previous point, the commercial relationship between the parties does not necessarily also affect the qualification of the roles in the treatment and, in the case examined, the Office considered that there were no reasons not to believe that Ediscom had acted as an independent owner believing that the Company, by virtue of the service commissioned by the XX, had found lists of email addresses on the market in order to carry out a promotional activity, regardless of whether these lists had entered its availability directly or had instead been managed on your behalf by a business partner.

As described above, in the case in question, all the protagonists involved have declared themselves responsible for the treatment attributing the ownership only to XX, a company based in England which has not provided any feedback to the interested party, which has not been able to document the collection of a suitable consent and which, as far as it is understood, has not provided explanations even to its business partners.

Furthermore, the Office observed the number of subjects involved in the processing and the scarce ability to document their individual roles, taking into account that Mr. XX's data was present in the XX database (but it is not possible to know its origin) and would be been processed both by the XX and by the XX to finally be made commercially available by Ediscom. In reality, each of these subjects is to be considered an independent data controller, having its own purpose and not revealing the material apprehension of the data.

This behavior results in a significant limit to the exercise of that informative self-determination which is expressed precisely through the control that the interested party can carry out on his own data with respect to the risks of dispersion or use that does not comply with the purposes of the relative collection. In fact, it cannot be assumed that an expression of will initially expressed in a conscious way (provided it is lawfully collected) with respect to certain treatments can unfold chain effects, through successive passages of personal data from one holder to another in a completely imponderable way for the interested party. same.

Consequently, the Office considered that the processing had been carried out in breach of the principle of lawfulness, fairness and transparency, in violation of art. 5, par. 1, lit. a) of the Regulation. Furthermore, by making it impossible for the data subject to obtain the requested information about the processing, the Company had violated art. 12 and art. 15 of the Regulation.

2.3 Suitability of the checks carried out on lists acquired from third parties

Ediscom stated that it carried out certain checks on the databases offered by its partners and requested, for each contact, the date on which consent was acquired and proof of it, consisting of the IP address and an indication of the portal on which the consent was registered.

In this regard, the Office made the following observations:

a) the Company sought to document the checks carried out by producing screenshots of its visits to some of the list suppliers' sites. These documents covered only a small part of the entities listed under the item DB Acquisitions (attachment 9 to the report of 23 November 2021) and did not indicate the date on which the checks had been carried out;

b) these documents show that the Company had read the privacy notices on the partners' websites; as also highlighted during the inspection, despite the absence of any indication of an EU representative in XX's notice, the Company went ahead with the acquisition anyway;

c) Ediscom also carried out promotional activities using data from XX. This Office had carried out checks on the portals managed by that entity when deciding a similar case (to which reference is made for details), finding violations of the rules that were evident and easily observable by anyone operating in the market described (see the decisions of 25 November 2021, web doc. no. 9736961 and web doc. no. 9737185). Ediscom nonetheless used the data coming from this list publisher despite the absence of suitable guarantees of the lawfulness of the database;

d) in some of the cases observed through access to the Ediscom database it was found that, although the data had been acquired recently (2020 or 2021), the consent was dated to a period before, or even well before, the Regulation became fully applicable (2016 or 2017), without any documented checks to assess whether the consent remained valid after the change in the regulatory framework;

e) in many cases reported to the Garante, of which Ediscom itself was aware through direct dialogue with the data subjects, the data subjects were frequently unaware of the alleged registrations, which in some cases they disowned or which related to inaccurate data. Often the name associated with the accounts examined differed from that of the account holder. Yet the Company considered the partners' documentation of consent sufficient when it consisted of the IP address alone. This is a method the Garante has already deemed insufficient to certify the unequivocal will of the data subjects (see the decision of 26 October 2017, web doc. no. 7320903 and the aforementioned decisions of 25 November 2021), whereas more suitable alternatives exist that give a greater degree of certainty about the genuineness of consent, such as the practice of sending a confirmation message to the address provided at registration.

In light of the above, it was found that Ediscom had not implemented all the measures necessary to contain the damage connected with the processing, acting in violation of art. 5, par. 2 and art. 24 of the Regulation.

2.4 Acquisition of valid consent for the sending of promotional messages

In many of the cases described, valid consent for promotional purposes was neither acquired nor documented. First, we recall the cases of XX and XX, already described, whose data were processed even after they had objected directly to Ediscom. Furthermore, with specific regard to Mr XX, it should be noted that the company XX, from which Ediscom acquired the database, expressly stated that it treated mere registration on its site to take part in a prize draw as consent for promotional purposes. Such a method is plainly unsuitable for documenting the specific will of the data subject. We also recall the case of Mr XX, who received a promotional email without his consent being documented in any way. In all these cases the processing was carried out in violation of art. 6, par. 1, lit. a) and art. 7 of the Regulation, as well as of art. 130 of the Code, for sending text messages and emails without consent.

3. THE CONTROLLER'S DEFENCE

In exercising its right of defence, the Company sent a brief on 1 June 2022 in which, after clarifying certain aspects, it set out the corrective measures adopted.

In particular, the Company first stated that it has always paid close attention to personal data protection, directing its choice of operating methods towards solutions which, after due weighing, appeared to strike the right balance between safeguards for data subjects and the company's business needs. While bearing in mind that the acquisition of contact data and valid consent to processing is an essential corporate asset for Ediscom's business, the Company said it had nonetheless tried to adopt the best available solutions to ensure that such processing, besides being commercially useful, was also lawful and respectful of data subjects' needs.

In this context, the Company based its choices on the current regulatory framework and on the interpretation of that framework currently given by the Garante and the EDPB. It therefore considered that the objections raised, which it nevertheless took note of, had not taken into account the innovative nature of some rulings, such as the aforementioned decisions of the Garante of November 2021 or the EDPB Guidelines on dark patterns, definitively adopted only after the procedure had been initiated.

For these reasons, the Company stressed the absolute good faith of its conduct, which it described as the result of considered choices, and stated that it had adopted various corrective measures; in particular it:

- adapted the graphics of the consent confirmation pop-ups by using the same colour and font for both acceptance and refusal, while observing that the EDPB Guidelines on dark patterns should be understood as intended mainly to regulate processing carried out by large social media platforms and risk being difficult to apply for small and medium-sized enterprises, with the consequence of excessively limiting the business activities of those operating in the marketing sector;

- introduced corrective measures to ensure that a confirmation email is sent to the user upon registering for the services;

- began reviewing the operating mechanisms of the system that automatically creates a user profile on the you.tipiace.it portal, with a view to improving the user experience and making it easier for the data subject to manage their profile;

- began mapping and, where necessary, renegotiating the existing contracts with the clients of its promotional activities in order to align them with the Garante's indications on the roles in the processing;

- set up a corporate procedure to ensure more precise checks on the suitability of databases acquired from third parties.

The Company also stressed that adequate procedures were already in place to respond promptly to requests to exercise data subject rights.

On the other aspects of the act initiating the procedure, Ediscom replied as follows:

1. with regard to the objection concerning the collection of excessive data (see point 2.1.2), the Company specified that all the mandatory questions presented during registration, contrary to the Garante's objections, are to be considered connected with the service offered because they are "related to the co-registration activity, meaning by this term the practice, widespread in the marketing field, which aims to generate and share a database of users among several sponsor companies that are indicated in the data processing notice made available to data subjects". The questions would therefore be asked to verify the actual interest of the person filling in the form, and the answers given are not recorded together with the user's data. The Company also clarified that, although the notice states that, with the data subject's consent, marketing-oriented profiling may be carried out, this processing has never taken place and the passage in the notice was worded purely hypothetically. In any case, the Company stated that it had amended the notices in the prize contest rules, specifying to the user that failure to answer the questions will not affect participation in the contest, the answers serving only to receive promotional messages in line with the responses given (if the user has previously consented to processing for marketing purposes);

2. with regard to the portals www.testadiquiz.it and www.sullaneve.it, the Company specified that these sites had been set up solely for testing, were not intended to collect data and were never used for that purpose. It therefore took steps to delete the site www.testadiquiz.it and to update the portal www.sullaneve.it (whose domain name it wishes to keep);

3. with regard to the Garante's objections concerning the collection of data of persons referred by other users, the Company, taking the view that this processing falls within the personal or household sphere, specified that the referred person's data are not entered in the Ediscom database but are used only to send an email with "a link to the page indicated by the referring user. The communication contains no advertising, nor any invitation to give consent to receive marketing emails, and after sending, no data is saved or used further". The Company also clarified that it had implemented this function bearing in mind a ruling of the Belgian Data Protection Authority and an opinion of the Article 29 Working Party concerning the "invite a friend" function;

4. with regard to the profiles created automatically on the you.tipiace.it portal, the Company stated, as to what was found during the Garante's ex officio accesses, that the consents were already selected because "the test data used by this Authority had previously been used by another test user who had instead given all the consents". It assured, however, that the choices made by the user when registering for a service are also preserved on the you.tipiace.it portal; the Company also clarified that the sole purpose of this procedure is to let the user keep, in a single place, their choices regarding the processing of personal data and the Ediscom services to which they subscribe. In any case, having taken note of the Garante's indications, it has started reviewing the procedure to make it clearer for the user;

5. with regard to Ediscom's role in the databases entrusted to it for management, the Company stated that it had defined the roles on the basis of preliminary, in-depth assessments of the activity actually carried out and concluded that only the partner providing the database should be qualified as controller, since it is that party that determines the purposes, leaving Ediscom, which operates only as an intermediary and qualifies as processor, the choice of the means of processing; therefore, since it acts as processor, no double transfer of data would have occurred after the data subjects' consent;

6. with regard to Ediscom's role in affiliation contracts, the Company specified that it "acts as an intermediary which puts its customer (the demand side) in contact with its suppliers or their sub-suppliers (the supply side) without carrying out any direct data processing activity, limiting itself to asking the affiliate or supplier company to send a communication to its registered users"; also in Mr XX's case, Ediscom had not sourced any lists, as the data had never been in its possession. In the business model in question, Ediscom does not access the data subjects' data but merely asks partners to send promotional messages on behalf of its third-party clients;

7. with regard to the disputed sending of promotional messages without the data subjects' consent, Ediscom merely observed that the objection rests on the assumption that, absent a double opt-in mechanism, consent is not to be considered validly given, although there is no specific legal obligation requiring it.

Finally, a hearing was held on 18 July 2022 at which Ediscom described the corporate procedures implemented to ensure the compliance of the processing. In particular, it clarified that it had held staff training sessions and increased the human resources specifically dedicated to checking lists supplied by third parties, and that it had launched further improvements to the user profile creation procedure on the you.tipiace.it portal.

On that occasion, Ediscom reiterated its view that its role in affiliation contracts is that of processor, because the Company merely puts the client and the list publisher in contact without determining the means. Similarly, in database management contracts, Ediscom receives instructions from the owner of the database, who specifies which types of campaign may be carried out with that database and by what means. Ediscom is therefore to be considered solely a processor, since it processes the data on behalf of its clients.

4. LEGAL ASSESSMENT

With reference to the facts set out above, and also on the basis of the Company's statements, for which it is liable pursuant to art. 168 of the Code, the following assessments are made with regard to the personal data protection rules.

4.1 Use of dark patterns to circumvent the will of the data subject

As described in point 2.1.1, the accesses made by the Office revealed that the graphical interfaces chosen for interacting with users had features comparable to the so-called "dark patterns" recently described by the EDPB in the aforementioned Guidelines.

The Company took note of the objections in the act initiating the procedure and made some changes, while arguing that this principle had only recently been articulated and therefore could not have been known to Ediscom. It must be noted, however, that, regardless of the issuing of the Guidelines (mentioned in the act initiating the procedure only for greater clarity), the examination of how the graphical interfaces were implemented is independent of their formal classification and could be assessed concretely even before the EDPB formalised the concept of dark patterns in the Guidelines. Moreover, the concept can be considered new only in the context of the processing of personal data in the digital world: it dates back to 2010, and mechanisms for conditioning consent have repeatedly been assessed in the field of consumer protection.

Moreover, in the graphical interfaces evaluated by the Office, in which potentially misleading mechanisms were applied, the intent, and hence awareness of what was being done, was quite clear: for example, the use of a different font for two choices that should be alternatives (and therefore graphically represented in the same way) cannot be considered the result of a random choice. The deliberate choice to design a given interface in a particular way also presupposes knowledge of the mechanisms that interact with users' cognitive abilities; therefore, even without giving these mechanisms a name, one cannot but conclude that they were adopted in order to circumvent the will of users.

For these reasons, the violation of art. 5, par. 1, lit. a), art. 7, par. 2 and art. 25 of the Regulation is deemed established, and an administrative fine must be applied pursuant to art. 58, par. 2, lit. i) of the Regulation.

Finally, it is considered appropriate to provide some general clarifications regarding the application of the principle recently described by the EDPB to the national and European business community.

Ediscom's observations on the potential risks to business activity from an overly rigid application of the principle expressed by the EDPB are certainly worth noting, especially where the controller is not a large web multinational but a small or medium-sized European enterprise. It must be remembered, however, that every principle must be applied proportionately in the context in which it concretely operates, without necessarily imposing an unconditional application. It is nonetheless for this Authority to verify that controllers make an effort to find the right balance between business needs and the safeguards for data subjects, as Ediscom itself has done by making changes to its interfaces that satisfy both needs. After all, the expected benefit of correct processing also consists in greater trust on the part of users, with positive consequences for the entire market from which controllers themselves will benefit. Not to mention that, at the individual level, the safeguards adopted by a company operating in the marketing sector are also a measure of the level of quality offered to its client controllers, capable of distinguishing the company from its competitors.

4.2 Collection of excessive data

With regard to the objection in point 2.1.2, having examined the considerations set out by Ediscom in its defence brief, no sufficient arguments were found to consider the objections raised by the Office resolved. First of all, it is not clear how the aforementioned co-registration procedure, which moreover was neither documented nor detected by the Office during the assessment, should justify the collection of the data. It should be noted that the Authority examined all the sites indicated by Ediscom as portals used for collecting personal data. In all cases, on entering the URL, one reached a website with informational or recreational content, with no reference to partner entities beyond, at most, advertising banners. And all the sites visited referred to a single privacy notice.

Furthermore, the type of questions, extremely heterogeneous and identical across all the sites visited, does not allow one to understand why such questions should be considered aimed at demonstrating a particular interest of the user in a particular sponsor: it should be recalled that the questions asked in all the questionnaires observed concerned income, purchasing habits, household composition, age, and the presence of pets or children; there were also some very specific questions aimed at detecting interest in being contacted about the products or services of certain clients (fibre connections, pay TV services, financial services). Therefore, if the Company's intent was only to collect such specific expressions of interest, the usefulness of also asking the preliminary questions aimed at determining purchasing habits and capacity (income, age, household composition, etc.) is not apparent.

Moreover, if the Company's intent was merely to collect a specific interest, the involvement of other entities in the processing (as clients of the promotional activity and controllers) was not apparent, nor could the real purpose of the questions be understood: the user was expressly asked to fill in all the fields in order to obtain the requested benefit (a recipe book, a horoscope, a newsletter, etc.).

The considerations made in the defence are therefore insufficient to overcome the objections raised and are, moreover, contradictory. Ediscom states that the answers provided by users would be used only to verify an immediate interest in the commercial proposals presented, without subsequently being stored together with the data subject's data. But in the same sentence the Company states that the method it calls co-registration "is a very effective tool ... because it generates a highly qualified database that collects the contact details of people who are strongly interested in that specific product or service".

Similarly, the Company stated that it does not carry out user profiling and that it mentioned this processing in the notice only for hypothetical future uses, so that it was not necessary to obtain specific consent from data subjects because the activity was never actually carried out. However, the notice proposed for future use on the prize contest sites will state that "you will be asked to answer some questions aimed at ascertaining your interests in order to submit, if you have decided to consent to receiving marketing communications, offers in line with what you tell us in your answers".

Noting, incidentally, that purely hypothetical processing should not be described in the notice (the notice should instead be amended if the processing changes), this context does not allow one to exclude that users may be subjected to profiling. Even if this Authority understands that the Company's actual intention would be only to obtain the user's consent to be contacted about a specific commercial proposal, it must be noted that the arrangement reconstructed here would also allow, in the abstract, the collected data to be used to build a profile of the data subject, since the questions also include, as mentioned, requests concerning spending capacity and purchasing habits (whose meaning would otherwise be unclear). Such processing, however, would take place without the data subject having given specific consent to profiling for marketing purposes, since the more general consent (where given) to receive promotional communications is not sufficient for that.

For these reasons, the violations found of art. 5, par. 1, lit. a), b) and c), art. 6 and art. 7 of the Regulation must be confirmed, and it is necessary, pursuant to art. 58, par. 2, lit. b), to issue a warning to Ediscom that the procedure described carries out processing which, depending on how it is actually implemented, may involve the profiling of data subjects without corresponding specific consent.

4.3 Collection of data on the portals www.testadiquiz.it and www.sullaneve.it

While confirming the relevance of the Office's observations on the examination of the portals www.testadiquiz.it and www.sullaneve.it, the clarifications provided by the Company are acknowledged: it stated that it used these sites only for testing and never for collecting personal data. Taking into account the assurances given, including the intention to revise the content of the domain www.sullaneve.it, and considering that the other portals used by the Company did not present the critical issues identified here, it is not deemed necessary to adopt corrective measures.

4.4 Collection of data of referred persons

In reply to the Office's objections, the Company, as mentioned, invoked the household exemption set out in recital 18 of the Regulation, citing in support a ruling of the Belgian data protection authority. However, the example cited is not only irrelevant but actually runs counter to the interpretative result the Company seeks: the case in question concerned a social networking service which, by its nature, users use to get in touch with other members, so that it is to be expected that a user of the service may invite an acquaintance. That is not the case with the service offered by Ediscom, where the user is asked to fill in questionnaires in order to obtain a benefit and, incidentally, is invited to enter the name and email address of third parties potentially interested in subscribing to the same service.

Furthermore, the very ruling cited clarifies that the exemption for personal or household activities applies only to users and certainly not to the controller (as recital 18 also clearly states), which is always required to base the processing on one of the legal bases in art. 6 of the Regulation. And where the legal basis is identified in the controller's legitimate interest, the controller is required to demonstrate that it has carried out adequate assessments showing the balancing of interests.

The clarifications provided by the Company in its defence must, however, be noted: it stated that the referred persons' data are not retained and are not used to send promotional messages. The fact remains that the user, when filling in the form, is informed neither of the content of the message that will be sent in their name nor of the manner in which the third party will be contacted on their behalf. Likewise, the person who receives the invitation email from the so-called "friend" is not informed of the processing carried out by the Company.

In light of all the above, it must be concluded that the activity carried out by Ediscom in the manner described cannot rest on any of the legal bases provided for and is therefore carried out in violation of art. 6 and art. 14 of the Regulation. Consequently, it is necessary, pursuant to art. 58, par. 2, lit. f), to impose on Ediscom a ban on processing the personal data collected in the absence of an appropriate legal basis.

4.5 Interaction between different services and contextual recording of data

Having recalled the reasons set out in the act initiating the procedure and the controller's arguments in its defence (summarised here in point 4 of chapter 3), concerns remain about the methods used to create a user profile on the site you.tipiace.it. Even the justification put forward by Ediscom for the misalignment of consents, which would be due to the test data used by the Office having already been used by another user, is hard to understand and suggests that persons other than the user could easily access profiles that had already been created.

Therefore, the violation of art. 5, par. 1, lit. a), art. 6, par. 1, lit. a) and art. 7 of the Regulation being established, and taking into account that the Company has begun reviewing this procedure, it is deemed sufficient to impose, pursuant to art. 58, par. 2, lit. f), a ban on processing personal data collected in the manner described where freely given consent by the data subject cannot be documented.

4.6 Qualification of the roles in the processing

As reconstructed in point 2.2 (the arguments of which are incorporated here by reference) and taking into account what the Company argued in its defence brief, the reasons for the objection set out in the act initiating the procedure cannot be overcome, since the qualification of mere intermediary that the Company has given itself is not sufficient to exclude that it processed the data as controller, rather than as processor, in the case of lists entrusted to it for management.

As ascertained during the inspection, the Ediscom database is a single database fed by various sources, including the so-called "under management" databases. Data deriving from this type of contract therefore become part of the database the Company uses to carry out promotional campaigns, in the same way as a database acquired under a purchase or rental contract. Proof of this is also the fact that, before acquiring such data from the partner, the Company carries out a deduplication, i.e. a comparison with the data already in its possession, excluding the latter from the calculation of the remuneration due to the party entrusting the database.

The erroneous qualification as processor meant that the Company did not record the withdrawals of consent or the objections coming from persons whose data had been acquired from databases under management, with the result that, in the cases under investigation, promotional messages were sent to individuals who had objected directly to Ediscom.

As regards the cases in which the Company is party to affiliation contracts, given that the functioning of this business model has not been sufficiently clarified, it is in any event noted that the Company, in its defence, stated that it had not compiled lists from the databases of the partners XX and XX.

It should be remembered, however, that it is not the physical holding of the data that determines the role actually played in the processing; therefore, depending on the activity actually carried out, the Company may qualify as controller or processor, but, having in any case a role in the processing, it cannot be considered a mere commercial intermediary. To simplify, it may be considered to act as a joint controller when it acquires data, on whatever basis, to be included in its own database, and as a processor when it performs activities only on behalf of its clients; in the latter case, however, it remains responsible towards the controller (which must first authorise them in writing) for the processing entrusted to any sub-processors.

In no case can it be said to have "no role" in the processing, nor can a chain of parties involved in the processing of the extent described in the case of the complainant XX and the client XX be considered admissible where, each having considered itself free of responsibility, it was not possible to respond adequately to the complainant's requests and, above all, to document valid consent (which, even if lawfully acquired, could not have extended its effects to an indeterminate chain of parties).

For these reasons, the violation of art. 5, par. 1, lit. a) of the Regulation is confirmed, since the processing carried out did not comply with the principle of lawfulness, fairness and transparency. It must however be taken into account that Ediscom took steps, by approaching its partners, to provide answers to the complainant's requests even before the Garante's investigation began, giving the answers that were within its power to give, even though they were unsatisfactory.

Therefore, also taking into account the assurances given regarding the ongoing review of contracts and roles, it is considered sufficient to issue a warning to the Company, pursuant to art. 58, par. 2, lit. b) of the Regulation, with regard to the violations resulting from entering into contractual relationships that are not accompanied by a clear definition of the roles in the processing.

4.7 Suitability of the checks on lists acquired from third parties

With regard to what is described in point 2.3, the contents of which are referred to here, and taking into account the assurances provided by the Company in its defence brief and in the statements made during the hearing, the violations of articles 5, par. 2 and 24 of the Regulation are confirmed for the past.

Therefore, taking into account the importance of this processing, since third-party databases make up the preponderant part of the Ediscom database, and since it is necessary to intervene in a proportionate and dissuasive manner, the conditions are met for the application of a pecuniary administrative sanction pursuant to art. 58, par. 2, lit. i).

4.8 Acquisition of suitable consent for sending promotional messages

With regard to the specific observations made by the Office regarding the sending of promotional communications which, for some complainants, turned out to be without consent, the Company limited itself to assuming that the objection was based solely on the lack of a consent confirmation mechanism. First of all, it should be stated that the use of the double opt-in method for collecting consent does not constitute a legal obligation but, as clarified several times by the Garante, must be considered an adequate measure, available at the state of the art, to document the will of the data subject. In any case, the objections raised by the Garante were not based on this assumption but rather originated from the facts ascertained during the investigation. Reference is made in particular to the cases of the complainants XX and XX, whose data were processed even after their objection to the processing, also recalling that, with regard to Mr. XX, the data had been acquired from XX, which expressly declared that it had treated simple registration on the website as consent. To this must be added the case of Mr. XX, for whom no consent was documented.

For these reasons, the violation of articles 6, par. 1, lit. a) and 7 of the Regulation, as well as of art. 130 of the Code, is noted, and it is necessary, pursuant to art. 58, par. 2, lit. i) of the Regulation, to impose an administrative fine on Ediscom.

5. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

On the basis of the above, various provisions of the Regulation and of the Code have been violated in relation to connected processing operations carried out by Ediscom, for which art. 83, par. 3, of the Regulation applies, according to which, if, in relation to the same or linked processing operations, a controller intentionally or negligently infringes several provisions of the Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement, with consequent application of the single sanction provided for by art. 83, par. 5, of the Regulation.

For the purpose of quantifying the administrative fine, the aforementioned art. 83, par. 5, in setting the statutory maximum at 20 million euros or, for undertakings, at 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, specifies the methods for quantifying the fine, which must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1, of the Regulation), identifying, for this purpose, a series of elements, listed in par. 2, to be evaluated when quantifying the amount.

In fulfilment of this provision, in the present case, having verified, on the basis of the latest available financial statements, that the first hypothesis envisaged by the aforementioned art. 83, par. 5 applies, and having therefore set the applicable statutory maximum at 20 million euros, the following aggravating circumstances must be considered:

1. the wide scope of the processing, taking into account that the database held by Ediscom at the time of the inspection contained the data of 21 million data subjects (Article 83, paragraph 2, letter a), of the Regulation);

2. the degree of culpability of the controller, bordering on willful misconduct in the case of the use of misleading graphical interfaces, since Ediscom acted intentionally to induce users to prefer some choices over others; also in the case of the violations relating to the inadequacy of the checks made on the databases acquired, given the Company's degree of professional competence and knowledge of the market, it is deemed to have acted with gross negligence (Article 83, paragraph 2, letter b) of the Regulation);

3. the manner in which the Supervisory Authority became aware of the violations, which emerged from some complaints and during an inspection (Article 83, paragraph 2, letter h), of the Regulation).

As mitigating elements, it is considered necessary to take into account:

1. the seriousness of the violations found, considering that personal data were used only for sending promotional communications, which was interrupted in the event of withdrawal of consent expressed directly to Ediscom (art. 83, paragraph 2, letter a), of the Regulation);

2. the timely adoption of corrective measures after receipt of the act of initiation of the procedure (Article 83, paragraph 2, letter c), of the Regulation);

3. the absence of previous relevant violations committed by Ediscom (Article 83, paragraph 2, letter e) of the Regulation);

4. the high degree of cooperation in interaction with the Supervisory Authority (Article 83, paragraph 2, letter f), of the Regulation);

5. the categories of personal data affected by the violation, which concerned only the personal data and contact details of the data subjects (Article 83, paragraph 2, letter g), of the Regulation);

6. the fact that the Company has demonstrated that it has in any case paid attention to the rights of data subjects in carrying out its business, adopting contractual precautions in the event of the transfer of databases to third parties and demonstrating that it has made every possible effort, when asked, to respond to data subjects even before the intervention of the Garante, by communicating the withdrawals of consent also to the subjects from whom it had received the data (Article 83, paragraph 2, letter k), of the Regulation).

Taking an overall view of the necessary balance between the rights of data subjects and the freedom to conduct a business, and in the initial application of the pecuniary administrative sanctions envisaged by the Regulation, it is necessary to evaluate the aforementioned criteria prudently, also in order to limit the economic impact of the sanction on the organisational, functional and employment needs of the Company.

Therefore, it is believed that, on the basis of all the elements indicated above, the administrative sanction of payment of a sum equal to 300,000 (three hundred thousand) euros should be applied to Ediscom, equal to approximately 2% of the turnover reported in the latest available financial statements.

It should also be noted that the conditions set out in art. 17 of the Garante's Regulation n. 1/2019, concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Garante, are met for the annotation of the violations found here in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation.

It is also believed, in consideration of the seriousness of the violations found, that, pursuant to art. 166, paragraph 7, of the Code, and art. 16, paragraph 1, of the Garante's Regulation n. 1/2019, this provision must be published on the Garante's website, by way of ancillary sanction.

Finally, it should be recalled that, pursuant to art. 170 of the Code, anyone who fails to comply with the prohibition of processing contained in this provision is punished with imprisonment from three months to two years and that, in the event of non-compliance with the same provision, the sanction referred to in art. 83, par. 5, letter e), of the Regulation applies.

ALL THAT BEING CONSIDERED, THE GARANTE

against Ediscom S.p.A., with registered office in via Vittorio Alfieri, 11, Turin, VAT number/tax code 09311070016,

a) pursuant to art. 58, par. 2, lit. b), issues a warning regarding the fact that the procedure illustrated in point 4.2 constitutes processing which may involve the profiling of data subjects without a corresponding specific consent;

b) pursuant to art. 58, par. 2, lit. f), imposes a ban on the processing of personal data, in particular of persons referred by other users, without an appropriate legal basis;

c) imposes, pursuant to art. 58, par. 2, lit. f), a ban on the processing of personal data collected through the interaction of different services where it is not possible to document a consent freely expressed by the data subject;

d) issues a warning, pursuant to art. 58, par. 2, lit. b) of the Regulation, with regard to violations resulting from the establishment of contractual relationships that are not accompanied by a clear definition of the roles in the processing.

ORDER

pursuant to art. 58, par. 2, lit. i), of the Regulation, Ediscom S.p.A., in the person of its legal representative, to pay the sum of 300,000.00 (three hundred thousand) euros as an administrative fine for the violations indicated in the reasoning; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 300,000.00 (three hundred thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, failing which the consequent enforcement measures pursuant to art. 27 of Law n. 689/1981 will be adopted;

ORDERS

pursuant to art. 166, paragraph 7, of the Code, the full publication of this provision on the Garante's website.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, this provision may be challenged before the ordinary judicial authority, by means of an appeal lodged with the ordinary court of the place where the controller has its residence or, alternatively, with the court of the place of residence of the data subject, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 23 February 2023

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE SECRETARY GENERAL
Mattei