Garante per la protezione dei dati personali (Italy) - 9885177
Garante per la protezione dei dati personali - 9885177 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 60 GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 23.03.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 9885177 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Italian |
Original Source: | Garante (Italy) (in IT) |
Initial Contributor: | mg |
Following a draft decision submitted by the Dutch DPA under Article 60(3) GDPR, by which the case was dismissed, the Italian DPA adopted the final decision under Article 60(8) GDPR and notified it to the complainant.
English Summary
Facts
A data subject in Italy received by mail a credit card from a bank based in the Netherlands. Since they had never had any contact with the financial institute, the data subject made an access request under Article 15 GDPR which was never answered. A complaint was therefore filed with the Italian DPA. The latter transferred the complaint to the Dutch DPA in the context of the cooperation mechanism envisaged by Article 60 GDPR. The Dutch DPA, considered itself leading supervisory authority pursuant to Article 56 GDPR, and asked the controller to clarify some points. The controller claimed to have received a request for the creation of a bank account by a an individual using the complainant's personal data. Whilst the account creation had meanwhile been interrupted due to suspicion of fraudulent behaviour by the applicant, the credit card had nonetheless already been sent to the data subject’s address. Furthermore, the controller claimed not to have received a proper request from the data subject.
Holding
The Dutch DPA considered these elements sufficient to exclude any GDPR violations. The Dutch DPA issued a draft decision which dismissed the complaint. The Italian DPA agreed with the content of the decision. Therefore, the decision became binding for all the DPAs pursuant to Article 60(6) GDPR. Under Article 60(8) GDPR, the Italian DPA adopted the final decision and notified it to the complainant.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[doc. web no. 9885177] Provision of 23 March 2023 Register of measures no. 92 of 23 March 2023 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia, the lawyer Guido Scorza, components, and the cons. Fabio Mattei general secretary; HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation"); HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679"; HAVING REGARD to the complaint lodged by Ms XX, through her lawyer, with this Authority against Bank Rewire EU B.V.; HAVING CONSIDERED the IMI cooperation procedure pursuant to art. 56 (n. 350195), opened by this Authority in relation to the cross-border processing of personal data and communicated to the other European Supervisory Authorities on 27 December 2021; CONSIDERING that the Dutch authority "Autoriteit Persoonsgegevens" has declared that it is the lead authority in the procedure in question since the data controller has its main establishment in the Netherlands; HAVING REGARD TO the draft decision ("Draft Decision"), as well as the revised draft decision ("Revised Draft Decision") transmitted by the Dutch authority and shared with the other Supervisory Authorities concerned (i.e., France, the German Land of Rhineland-Palatinate , Spain) in compliance with the principles of cooperation established by art. 60 of the Regulation; HAVING EXAMINED the documentation in the deeds; HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000; SPEAKER the lawyer Guido Scorza; WHEREAS 1. The complaint and the preliminary investigation On 19 July 2021, Ms XX, through her lawyer, proposed, pursuant to art. 77 of the Regulations, a complaint to this Authority in which it complained that it had two Mastercard credit cards delivered to its physical address on 19 February 2021 in its name, one of which was issued and sent by Bank Rewire EU B.V. (hereinafter, "Rewire"), despite never having requested it, nor having ever had contractual relationships with the aforementioned bank. Furthermore, he represented that, upon request for access to data pursuant to art. 15 of the Regulation sent via PEC on 21 April 2021 and the subsequent reminder, Rewire would never have provided a reply. Since Rewire, the data controller in question, has its headquarters in Amsterdam, in the Netherlands, this Authority has activated the cooperation mechanism with the other supervisory authorities of the European Economic Area as required by the Regulation (Article 60 et seq.). On 27 December 2021, the Guarantor therefore sent the aforementioned complaint to the Dutch authority (“Autoriteit Persoongegevens”), which declared itself the lead authority pursuant to art. 56 GDPR, as such, competent to initiate the investigation and verify the legitimacy of the data processing. On 12 September 2022, the data controller replied to the request for information sent by the Dutch supervisory authority on 1 September 2022; this response was sent to this Authority on 19 September 2022 together with the assessments of the Dutch authority. In particular, Rewire's response clarified that: a) a request for opening a Rewire account was received on 30.1.2021 in the name of the complainant; a week later (6.2.2021), following the outcome of the identity verification procedure for anti-fraud purposes, the same was reported as a fraudulent account, linked to a possible identity theft; b) as a result, the account opened in the name of the complainant was immediately blocked and still remains blocked; c) during the week in which the account was open, a credit card was sent in the name of the complainant to the address indicated in the account. The card has never been activated and no transaction has taken place; d) finally, the Dutch supervisory authority highlighted how it cannot provide any contribution in prosecuting the perpetrator of the fraudulent act, not being competent in this regard. With regard to the request for access to data, formulated by the interested party pursuant to art. 15 of the Regulations, the internal investigation carried out by Rewire in its systems did not result in any request from the complainant, nor any communication between it and Rewire; in this regard, the Dutch supervisory authority asked Rewire to carry out the relevant verification on the basis of the name of the complainant and her lawyer. The Dutch authority believes that the complainant's request would not have been formulated as a real request for access, pursuant to art. 15 of the Regulation; the application to Rewire, dated April 21, 2021, in fact contained a generic request to communicate the details of the owner and the person responsible for data processing, with the reservation of taking legal actions regarding the unlawful processing of data and distrusting the Company from using of the same data (“to communicate the details of the owner and the person responsible for the processing of personal data, reserving the right to take legal action regarding the unlawful processing of the same, warning you as of now not to use and/or disseminate the data of my client”) for which a violation of art. 15 GDPR. On the basis of the investigation conducted, considering the circumstances of the case, the Dutch authority has therefore come to the conclusion that the data controller has provided an adequate response to the request for information and that a violation of art. 6, par.1 of the Regulation. In any case, the same Dutch authority has made itself available to assist the interested party in any request for cancellation of her data addressed to Rewire. The Dutch authority therefore shared with this and with the other authorities concerned its intention to close the case, having not identified violations of the Regulation that justify the continuation of the proceeding, filing the related complaint. This Authority deemed it necessary to adopt the conclusions of the Dutch authority, having moreover decided in a similar manner on the complaint sent at the same time, by the same interested party and relating to another owner (banking institution based in Italy): in fact, as highlighted above, there is no a violation of personal data by the owner has been identified, but, rather, the existence of a scam, which absorbs any profiles merely related to the processing of personal data and for which the same interested party has made it known that she has already contacted the judicial authority (“on 10.05.2021 he proceeded to file a complaint against unknown persons”). With a note dated November 10, 2022, both the feedback from the owner Rewire and the initial assessments made by the Dutch authority and shared by this Authority were communicated to the interested party. The interested party, through her lawyer, confirmed that a proceeding is underway before the Italian judicial authority and, not contesting the assessments of the Dutch supervisory authority, asked that the latter ensure that Rewire keeps the personal data of the same for the sole duration of the investigations, at the end of which the data must be cancelled; more precisely: "considering the current investigations underway at the Public Prosecutor's Office, in the name and on behalf of Mrs. XX, I invite you to inform the Dutch Authority that my client temporarily authorizes REWIRE BANK to keep her data, but only so that the they can be made available to the Italian Public Prosecutor who is handling the ongoing investigations. My client's data, therefore, cannot be used by Rewire Bank and/or transmitted to third parties under any circumstances but can only be transmitted to the Italian Judicial Authorities competent for ongoing investigations. At the end of the preliminary investigations, REWIRE BANK will have to cancel Ms. XX's data." After receiving the feedback from the interested party transmitted by this authority according to the cooperation procedure, the Dutch supervisory authority then prepared a draft decision, which it shared with the other supervisory authorities concerned, in which provides, in particular, that: - following the investigation into the complaint against Rewire, the Dutch supervisory authority has not identified a violation of the rules pursuant to articles 6, par. 1, and 15 of the Regulation; since a further continuation of the procedure is not necessary, pursuant to art. 60, par.8, the authority rejects the complaint; - moreover, the Dutch supervisory authority, as requested by the interested party, assured that it would ask Rewire to keep the data of the interested party only for the purposes of the ongoing investigation by the Italian Public Prosecutor's Office, in relation to the case of scam, and to delete them once the investigation is closed. This draft - revised following a mere comment from this Authority (Revised Draft Decision) in order to clarify the request recently received from the interested party - has become binding on all the interested authorities, including the Guarantor, pursuant to art. 60, par. 6 of the Regulation. 2. Evaluations by the Authority and decision In the light of the preliminary investigation and the assessment sent by the Dutch authority, we believe we agree with the draft decision. ALL THAT BEING CONSIDERED, THE GUARANTOR pursuant to articles 60, par. 8 of the Regulation, of art.143, paragraph 3, of the Code, as well as of the articles 11, 14, paragraph 1 and 18, paragraph 5 of the "Regulation of the Guarantor n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data", in its capacity as the authority to which the complaint has been proposed and therefore competent to adopt the decision , DECLARE the complaint unfounded for the aforementioned reasons and orders its archiving. In accordance with art. 60, par. 8 of the Regulation, this provision is notified to the complainant, informing the data controller. Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to the ordinary judicial authority may be lodged against this provision, with an appeal lodged with the ordinary court of the place identified in the same art. 10, within the term of thirty days from the date of communication of the measure itself, or sixty days if the appellant resides abroad. Rome, 23 March 2023 PRESIDENT Station THE SPEAKER Zest THE SECRETARY GENERAL Matthew [doc. web no. 9885177] Provision of 23 March 2023 Register of measures no. 92 of 23 March 2023 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia, the lawyer Guido Scorza, components, and the cons. Fabio Mattei general secretary; HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation"); HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679"; HAVING REGARD to the complaint lodged by Ms XX, through her lawyer, with this Authority against Bank Rewire EU B.V.; HAVING CONSIDERED the IMI cooperation procedure pursuant to art. 56 (n. 350195), opened by this Authority in relation to the cross-border processing of personal data and communicated to the other European Supervisory Authorities on 27 December 2021; CONSIDERING that the Dutch authority "Autoriteit Persoonsgegevens" has declared that it is the lead authority in the procedure in question since the data controller has its main establishment in the Netherlands; HAVING REGARD TO the draft decision ("Draft Decision"), as well as the revised draft decision ("Revised Draft Decision") transmitted by the Dutch authority and shared with the other Supervisory Authorities concerned (i.e., France, the German Land of Rhineland-Palatinate , Spain) in compliance with the principles of cooperation established by art. 60 of the Regulation; HAVING EXAMINED the documentation in the deeds; HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000; SPEAKER the lawyer Guido Scorza; WHEREAS 1. The complaint and the preliminary investigation On 19 July 2021, Ms XX, through her lawyer, proposed, pursuant to art. 77 of the Regulations, a complaint to this Authority in which it complained that it had two Mastercard credit cards delivered to its physical address on 19 February 2021 in its name, one of which was issued and sent by Bank Rewire EU B.V. (hereinafter, "Rewire"), despite never having requested it, nor having ever had contractual relationships with the aforementioned bank. Furthermore, he represented that, upon request for access to data pursuant to art. 15 of the Regulation sent via PEC on 21 April 2021 and the subsequent reminder, Rewire would never have provided a reply. Since Rewire, the data controller in question, has its headquarters in Amsterdam, in the Netherlands, this Authority has activated the cooperation mechanism with the other supervisory authorities of the European Economic Area as required by the Regulation (Article 60 et seq.). On 27 December 2021, the Guarantor therefore sent the aforementioned complaint to the Dutch authority (“Autoriteit Persoongegevens”), which declared itself the lead authority pursuant to art. 56 GDPR, as such, competent to initiate the investigation and verify the legitimacy of the data processing. On 12 September 2022, the data controller replied to the request for information sent by the Dutch supervisory authority on 1 September 2022; this response was sent to this Authority on 19 September 2022 together with the assessments of the Dutch authority. In particular, Rewire's response clarified that: a) a request for opening a Rewire account was received on 30.1.2021 in the name of the complainant; a week later (6.2.2021), following the outcome of the identity verification procedure for anti-fraud purposes, the same was reported as a fraudulent account, linked to a possible identity theft; b) as a result, the account opened in the name of the complainant was immediately blocked and still remains blocked; c) during the week in which the account was open, a credit card was sent in the name of the complainant to the address indicated in the account. The card has never been activated and no transaction has taken place; d) finally, the Dutch supervisory authority highlighted how it cannot provide any contribution in prosecuting the perpetrator of the fraudulent act, not being competent in this regard. With regard to the request for access to data, formulated by the interested party pursuant to art. 15 of the Regulations, the internal investigation carried out by Rewire in its systems did not result in any request from the complainant, nor any communication between it and Rewire; in this regard, the Dutch supervisory authority asked Rewire to carry out the relevant verification on the basis of the name of the complainant and her lawyer. The Dutch authority believes that the complainant's request would not have been formulated as a real request for access, pursuant to art. 15 of the Regulation; the application to Rewire, dated April 21, 2021, in fact contained a generic request to communicate the details of the owner and the person responsible for data processing, with the reservation of taking legal actions regarding the unlawful processing of data and distrusting the Company from using of the same data (“to communicate the details of the owner and the person responsible for the processing of personal data, reserving the right to take legal action regarding the unlawful processing of the same, warning you as of now not to use and/or disseminate the data of my client”) for which a violation of art. 15 GDPR. On the basis of the investigation conducted, considering the circumstances of the case, the Dutch authority has therefore come to the conclusion that the data controller has provided an adequate response to the request for information and that a violation of art. 6, par.1 of the Regulation. In any case, the same Dutch authority has made itself available to assist the interested party in any request for cancellation of her data addressed to Rewire. The Dutch authority therefore shared with this and with the other authorities concerned its intention to close the case, having not identified violations of the Regulation that justify the continuation of the proceeding, filing the related complaint. This Authority deemed it necessary to adopt the conclusions of the Dutch authority, having moreover decided in a similar manner on the complaint sent at the same time, by the same interested party and relating to another owner (banking institution based in Italy): in fact, as highlighted above, there is no a violation of personal data by the owner has been identified, but, rather, the existence of a scam, which absorbs any profiles merely related to the processing of personal data and for which the same interested party has made it known that she has already contacted the judicial authority (“on 10.05.2021 he proceeded to file a complaint against unknown persons”). With a note dated November 10, 2022, both the feedback from the owner Rewire and the initial assessments made by the Dutch authority and shared by this Authority were communicated to the interested party. The interested party, through her lawyer, confirmed that a proceeding is underway before the Italian judicial authority and, not contesting the assessments of the Dutch supervisory authority, asked that the latter ensure that Rewire keeps the personal data of the same for the sole duration of the investigations, at the end of which the data must be cancelled; more precisely: "considering the current investigations underway at the Public Prosecutor's Office, in the name and on behalf of Mrs. XX, I invite you to inform the Dutch Authority that my client temporarily authorizes REWIRE BANK to keep her data, but only so that the they can be made available to the Italian Public Prosecutor who is handling the ongoing investigations. My client's data, therefore, cannot be used by Rewire Bank and/or transmitted to third parties under any circumstances but can only be transmitted to the Italian Judicial Authorities competent for ongoing investigations. At the end of the preliminary investigations, REWIRE BANK will have to cancel Ms. XX's data." After receiving the feedback from the interested party transmitted by this authority according to the cooperation procedure, the Dutch supervisory authority then prepared a draft decision, which it shared with the other supervisory authorities concerned, in which provides, in particular, that: - following the investigation into the complaint against Rewire, the Dutch supervisory authority has not identified a violation of the rules pursuant to articles 6, par. 1, and 15 of the Regulation; since a further continuation of the procedure is not necessary, pursuant to art. 60, par.8, the authority rejects the complaint; - moreover, the Dutch supervisory authority, as requested by the interested party, assured that it would ask Rewire to keep the data of the interested party only for the purposes of the ongoing investigation by the Italian Public Prosecutor's Office, in relation to the case of scam, and to delete them once the investigation is closed. This draft - revised following a mere comment from this Authority (Revised Draft Decision) in order to clarify the request recently received from the interested party - has become binding on all the interested authorities, including the Guarantor, pursuant to art. 60, par. 6 of the Regulation. 2. Evaluations by the Authority and decision In the light of the preliminary investigation and the assessment sent by the Dutch authority, we believe we agree with the draft decision. ALL THAT BEING CONSIDERED, THE GUARANTOR pursuant to articles 60, par. 8 of the Regulation, of art.143, paragraph 3, of the Code, as well as of the articles 11, 14, paragraph 1 and 18, paragraph 5 of the "Regulation of the Guarantor n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data", in its capacity as the authority to which the complaint has been proposed and therefore competent to adopt the decision , DECLARE the complaint unfounded for the aforementioned reasons and orders its archiving. In accordance with art. 60, par. 8 of the Regulation, this provision is notified to the complainant, informing the data controller. Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to the ordinary judicial authority may be lodged against this provision, with an appeal lodged with the ordinary court of the place identified in the same art. 10, within the term of thirty days from the date of communication of the measure itself, or sixty days if the appellant resides abroad. Rome, 23 March 2023 PRESIDENT Station THE SPEAKER Zest THE SECRETARY GENERAL Matthew