Garante per la protezione dei dati personali (Italy) - 9902472

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 32(1)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started: 07.11.2019
Decided: 27.04.2023
Published: 28.06.2023
Fine: 240,000 EUR
Parties: Benetton Group S.r.l.
National Case Number/Name: 9902472
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Italian DPA website (in IT)
Initial Contributor: DC

The Italian DPA fined Benetton Group €240,000 for storing consumer data for an excessive period and illegally using it for marketing and profiling purposes. The DPA also held that the company did not implement sufficient measures to ensure the security of the data.

English Summary

Facts

In 2019, the Special Privacy Unit of the Guardia di Finanza opened a preliminary investigation on the Benetton Group, the controller, regarding the processing of personal data for marketing and profiling purposes.

In this preliminary procedure, the following issues were identified: a) the cookie banner used on the familycard.benetton.com website did not allow users to deselect some types of cookies and did not mention profiling cookies although they were used; b) the cookie banner on the blackcard.sisley.com site presented a "click here" hypertext link leading to a blank page that did not provide the relevant information; c) contrary to what was informed during the registration procedure, personal data collected for the loyalty programs were being stored since 2015, even for customers who did not give their consent to profiling; d) promotional e-mails were sent to customers even after they had opted out of the loyalty program or withdrawn their consent for marketing communications.

In its defense, the controller stated that the information on the familycard.benetton.com site mentioned direct marketing cookies and third-party marketing and retargeting cookies, which, in its view, fell under the definition of profiling cookies. It also claimed that the retention period was in line with the loyalty program, which provided for up to 10 years of retention in order to verify the scores and prizes awarded to members. Moreover, it stated that its management systems were separated into those dedicated to loyalty cards, those for digital customers, and those for its newsletters. According to the controller, each system was managed separately and based on different documentation, so that the customer could decide what type of communication they wanted to receive. Finally, it claimed to have implemented organizational and technical measures to address the possible critical issues identified during the investigations.

The procedure was suspended during the Covid-19 pandemic and resumed only in 2021, when the Italian DPA carried out an on-site inspection to verify the measures that the controller claimed to have implemented. In this inspection, the DPA found that: a) the personal data of customers were being stored for an indefinite time without justification; b) personal data of customers were being transferred to third parties for marketing and profiling purposes without consent; c) vulnerabilities in the stores' platform, such as access to the loyalty program system without the need for a login.

With regard to these findings, the controller stated that the data collected through the website was retained in order to allow customers to use its services uninterruptedly over time. However, it stated that a retention period of 10 years would be set, without prejudice to an automatic deactivation mechanism in case of inactivity for 24 months. The controller also admitted that the stores' management platform had some technical limitations, but stated that it was already being replaced by a new one.

Finally, the controller argued that Tik Tok and Facebook are commercial partners with whom it signed a contract for the publication of advertising banners. However, it denied transferring data to them and that they processed data on its behalf. According to the controller, Benetton limited itself to preparing advertising content and purchasing the advertising "spaces" or areas managed exclusively by the partner companies, without providing them with any personal data.

Holding

With regard to the issues identified during the preliminary investigations, the DPA found that the controller had significantly improved the management of cookies as well as the customer database, which now allows specific consent to be given for each purpose. Therefore, the DPA archived the first dispute.

Similarly, the DPA considered as sufficient the explanations provided by the controller regarding the roles played by its commercial partners, Facebook and Tik Tok, and archived the dispute in this regard.

On the other hand, the DPA confirmed that the controller was storing personal data of 249,859 consumers who had already unsubscribed from its newsletter, as well as information about customers' tastes and preferences, for a period of 10 years, although the privacy policy indicated a period of 12 months/24 months for the loyalty card service.

The DPA also confirmed the vulnerabilities of the stores' platform, in particular: a) the lack of specific operational restrictions on the stores' computers (screenshots or similar operations could be performed); b) employees' ability to access the loyalty program without logging in; c) the absence of a prompt to change the password when creating the user account for a new store; d) a password shared among all the employees, granting access to the store account; e) the consequent impossibility of identifying the person actually responsible for a data breach.

For these reasons, the DPA found violations of Article 5(1)(c) and (e) and Article 32(1)(b) and (d) and 32(2) GDPR, imposing a fine of €240,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9902472]
Provision of April 27, 2023
Register of measures
no. 188 of 27 April 2023
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and Avv. Guido Scorza, members, and Cons. Fabio Mattei, general secretary;
HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and which repeals Directive 95/46/EC (General Data Protection Regulation, hereinafter "Regulation");
HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");
CONSIDERING the Regulation of the Guarantor n. 1/2019 concerning the "Internal procedures having external relevance aimed at carrying out the duties and exercising the powers of the Guarantor", published in the Official Gazette 8 May 2019, no. 106;
HAVING REGARD TO the documentation in the file;
HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;
RAPPORTEUR: Avv. Guido Scorza;
WHEREAS
1. The investigations carried out by the Special Privacy Unit of the Guardia di Finanza and the preliminary investigation carried out by the Office.
As part of the controls scheduled by the Guarantor with resolution no. 42 of 14 February 2019, the Special Privacy Unit of the Guardia di Finanza, in execution of the delegated inspection activity, carried out between 5 and 7 November 2019 at Benetton Group S.r.l. (hereinafter "Company") investigations regarding the processing of personal data for marketing and profiling purposes.
Further documentary checks were then carried out, in particular by sending a request for information on 16 November 2020 and receiving the requested reply on the following 11 December, with particular regard to the management of cookies.
Having examined the documents received, the Office, taking into account the number and complexity of the relevant legal and technical profiles, recognized the need to verify the marketing and profiling activities with a new on-site assessment in order to obtain a more complete and detailed picture.
2. First dispute (September 29, 2021).
Pending the new inspection, prevented by the restrictions caused by the Covid-19 pandemic, an administrative procedure was initiated on 29 September 2021, highlighting the following critical issues:
a) with reference to the familycard.benetton.com website, the "information banner relating to the use of own and third-party cookies (technical, marketing and profiling)", was to be accepted without being able to deselect the types of cookies; moreover, the extended information did not mention profiling cookies among the cookies used, as instead indicated in the banner, but only technical, direct marketing, marketing and third-party retargeting cookies (report of operations carried out on 5 November 2019, pp. 4 and 5);
b) with regard to the blackcard.sisley.com site, the cookie banner, while presenting a "click here" hypertext link, redirected, due to a pointing error, to a blank page of the site itself (test area), and the cookie link in the footer did not carry the relevant information; furthermore, there was no form for expressing consent regarding the use of cookies (see op. comp., cit., ibid.); with regard to these aspects, the Company, in responding to the aforementioned request for information of 16 November 2020, communicated that "[...]. As emerged during the inspections, the implementation of a new technology for managing cookies was already underway. This technology was definitively implemented on the sites [...] in December 2019, with the adoption of the Cookiebot platform [...]", which "allows the user to independently manage the verification of the current status of the consent, the consent ID, the date of issue of the consent, the modification of the consents issued [...] and their revocation [...]";
c) contrary to what is indicated in the register of processing activities and in the information provided to the customer for joining the loyalty programs (according to which the data retention period would be limited to 2 years for both marketing and profiling), the management systems used by the Company contained personal data of customers holding loyalty cards, together with information on purchases starting from the year 2015, as well as detailed data on receipts, points and products sold, also with reference to subjects who had not given their consent to profiling (reports of operations carried out on 6 November 2019, p. 10, and 7 November 2019, p. 13);
d) following a selective search on the Dynamics management system, it emerged that the company sent promotional e-mails to 13 customers after "the date of their unsubscription from Loyalty marketing" (minutes November 7, 2019, p. 14, all. 15);
e) similarly, a selective search on the "ContactLab" management system revealed that the company sent a "[...] marketing communication to 4,259 consumers registered in the Loyalty program whose consent to the sending of marketing communications (DB Dynamics) was prior to the date of unsubscription from the online Newsletter service [...]", and therefore also after the withdrawal of consent to receive promotional communications (minutes November 7, 2019, p. 15, annex 16 and pec of 18 November 2019, point 1).
Therefore, based on the above considerations, the Office, with the same communication dated 29 September 2021, contested the Company's alleged violation of the following provisions:
- art. 13 of the Regulation, art. 6 of the Regulation and art. 122 of the Code, also in the light of what is indicated in the provision of the Guarantor of 8 May 2014 "Identification of the simplified procedures for the information and the acquisition of consent for the use of cookies" (in the Official Gazette n. 126 of 3 June 2014), with regard to what is set out under letters a) and b) above;
- art. 5, par. 1, lett. c) and e), of the Regulation, with regard to what is indicated under lett. c);
- art. 6 of the Regulation and art. 130 of the Code, with regard to the violations referred to in lett. d) and e).
3. The Company's memorandum dated 27 October 2021.
The Company, in relation to this first dispute, sent a defense brief on 27 October 2021, in which it preliminarily argued that, in its opinion, "the notification of the communication of the alleged violations in question was made by this Authority beyond the term of 120 days from the date of the assessment, set forth in Table B, no. 2), of Regulation no. 2/2019 of the Guarantor", asserting "the incurable delay in the notification of the disputes brought against the Company ...", as it occurred "... almost two years after the inspections by the Police Department (see minutes of 5-7.11.2019 and Benetton supplementary communication of 18.11.2019) and almost a year after the response provided by Benetton to the last request for information from this Authority (see note GP DP of 11.16.2020 and Benetton reply of 12.11.2020)".
In this regard, Benetton, while also acknowledging the case law more favorable to an extension of this term, ultimately maintained that the dispute raised by the Authority conflicted with the "cited principles of fairness and reasonableness affirmed by the Supreme Court on the matter, making the contestation of the aforementioned violations completely untimely and late, with the consequent invalidity and annulment of any subsequent sanctions."; the Company therefore requested that the proceeding be dismissed.
In the same brief, the Company confirmed that it had in any case completed the implementation activities of the organizational and technical measures aimed at overcoming the possible critical profiles identified during the inspection some time ago (see declarations on the layout "Cookie Consent - deploy November 2019", p. 5 minutes and on the ongoing process of migration and unification of the databases, p. 9, minutes cit.), implementing "a new cookie management technology by users, with the adoption of the Cookiebot platform, aimed at allowing the user to autonomously manage any consents issued, also producing new banner and information texts". According to Benetton, "the implementation process (which had already begun in July 2019) of the Single Database project (was) aimed at rationalising, centralizing and guaranteeing the correct management of data and the consents of fidelity card subscribers" and "the critical findings that emerged during the inspection would have been overcome, with specific reference to any data retention issues .... both to the anomalies that emerged during the inspection (report of 7.11.2019) regarding the sending of commercial communications to the interested parties after "the date of unsubscription of the same from Loyalty marketing" or "from the online Newsletter service".
Benetton, with respect to the organizational and technical measures implemented, therefore represented - in the absence of findings in this regard by the Authority in the communication of 29 September 2021 - that it could "deduce that the same have been judged adequate or in any case sufficient ... thus excluding the need ... to adopt the corrective and sanctioning measures pursuant to art. 58, par. 2, of the GDPR and being able, conversely, to lead to the filing of the procedure."
With specific regard to point 2.1 of the dispute, Benetton has objected that the cookie banner relating to the familycard.benetton.it website, which "was to be accepted without being able to deselect the types of cookies", would have been set in compliance with the provisions of the aforementioned General Provision of 8 May 2014, which constituted the point of reference at the time of the disputed facts (see the aforementioned memorandum for further details).
With regard to the further issue of the failure to mention, in the extended cookie information of the familycard.benetton.com website, "profiling cookies, as indicated in the banner of the same website, but only technical, direct marketing, marketing and third-party retargeting cookies", Benetton also argued that, according to its interpretation of the aforementioned General Provision, "since profiling cookies are defined as cookies aimed at creating user profiles and used in order to send advertising messages in line with the preferences expressed by the user while surfing the net ..., what is indicated in the 'cookie policy' of the Benetton site regarding the use of direct marketing, marketing and third-party retargeting cookies would be nothing other than a specification of the profiling cookies used".
In relation to point 2.3 of the dispute, Benetton represented "that the retention of data referring to the interested loyalty card holders, with related receipts and so on, was in line with a purely contractual plan (e.g. acknowledgment of the correctness of the scores attributed and the prizes awarded to members, etc., see also what is indicated in the report of operations carried out on 5 November 2019, page 6), for which ... the related register of processing activities (see annex 5 to the report of operations carried out) provided for a retention period of 10 years (see also the information referred to in annex 1 to the report of operations carried out, which indicated the duration of the loyalty program as the retention period, while for consents reference was made to 2 years), and disregarded any processing carried out for profiling purposes, as well as marketing (carried out only in the presence of valid consents for such purposes)."
With reference to what is indicated in points 2.4 and 2.5, the Company reiterated "(in line with what was already expressed during the inspections and subsequent supplementary findings of the Company) as (i) the systems dedicated to issuing and managing loyalty cards, (ii) those dedicated to the management of the so-called digital customers, and (iii) those used for the management of the so-called Newsletters … responded to different logics and, moreover, were established and managed on the basis of different documentation submitted to the interested parties, so that the information dedicated to the latter and any consents issued by them (or the oppositions expressed) during the adhesion or in the management of the relationship relating to the single service were not superimposable. This was also reflected in reverse, e.g. where a specific interested party had denied consent to receive direct marketing communications in the context of a digital purchase but then had subscribed to the newsletter, the same would not have received communications of a commercial nature other than the newsletter".
In the light of all that has been deduced and documented, the Company requested "the dismissal of the proceeding, also as regards the application of a pecuniary administrative sanction for the alleged violations under dispute, or in any case to settle the present proceeding pursuant to articles 4, paragraph 3, and 14, paragraph 5, of Regulation no. 1/2019, considering that the conduct contested by this Office, dating back to 2019, has exhausted its effects or these effects have been removed by Benetton …. or in any case to determine the amount of any sanction in the minimum deemed applicable ... ", reserving the possibility of judicial appeal.
4. Inspection assessment conducted by the Authority and related results.
The Authority, in order to verify the concrete implementation of some measures proposed by the Company with the defense brief of 27 October, as well as for the purpose of an investigation, also of a technical nature, on the company systems and databases and on a wider range of treatments for marketing and profiling purposes - taking advantage of an improvement in the pandemic situation which had allowed the resumption, albeit limited and with the adoption of precautions, of circulation within the Italian territory and therefore also the carrying out of on-site checks - carried out, on the dates 8-10 November 2021, an inspection activity at the corporate headquarters.
On this occasion it was possible to gain direct knowledge of the measures implemented by the Company, ascertaining the achieved compliance with the legislation on the subject, with specific reference to the management of cookies, the company CRM, as well as promotional communications (as proposed by the Company with the memorandum of 27 October 2021).
On the basis of the overall examination of the checks carried out, as well as the clarifications provided by the Company in the same circumstance, the following possible violations nevertheless emerged.
A) Violation of the art. 5, par.1, lett. c) and e), of the Regulation
From the checks carried out on site, it emerged (Annex 11, report of 9 November 2021) that the personal data (name, surname, gender, date of birth, e-mail address, telephone number) of Ms XX (a "pure inactive online newsletter" subscriber) were still kept, although the newsletter service had been deactivated for her and, as far as the records show, without any justification for such retention. Moreover, the Company represented that "the unsubscribers in 2021 from the Newsletters are 2,318" (annex 21).
Furthermore, the systems held "the personal data of all those customers/former customers who have not requested the cancellation of their account, or who have not made specific requests for anonymisation" (see report of 8.11.2021; the same is indicated in the information provided to the interested parties pursuant to Article 13 of the Regulation: annex 2 to the said report), suggesting that such data are retained potentially indefinitely, except for transaction data, which the deletion policy removes after 24 months.
Therefore, without prejudice to the quantitative aspect, which on the occasion of the new dispute the Authority invited the Company to clarify, the conditions for a violation by the Company of art. 5, par. 1, lett. c) and e), of the Regulation (principles of minimization and storage limitation) were found to be met.
B) Violation of art. 32, par.1, letters b) and d), and par.2, of the Regulation.
With regard to the procedure for creating a store profile on the Dynamics platform, in which the password for accessing the relevant account is sent via e-mail to the District manager (i.e. the person in charge of coordinating several stores) who forwards it to the reference store manager, it emerged that "the psw change is not required by the system." Furthermore, "the store account password is the same for all employees of the single store" (minutes of 11.9.2021).
It was also found (report last cited) that:
• the PC used in the store does not have particular limitations in terms of operation (screenshots can be made, etc.);
• since the fidelity card platform can be reached via a web link, it can be accessed from any device (smartphone, tablet, PC), notwithstanding the policy of accessing it only with the tools provided for the relevant tasks (exclusively from store PCs);
• the account of the store in question allows all the employees of the same store to view the data of the customers of the stores of the 7 European countries, where the Benetton Group srl loyalty program is present, to allow customers to be able to accumulate the points relating to their purchases regardless of their nationality also because the policy for assigning the points in question is the same in all the aforementioned countries (1 point = €1);
• the employee can access the loyalty program regardless of whether or not he is logged into the till system (in fact, access to the loyalty card portal is independent of access to the till, for which each operator has different and specific access credentials);
• with regard to the creation of the user relating to a new store, on the loyalty side, the system does not oblige the password to be changed, however it is suggested, as a practice, to change it after the first access;
• at the specific request of the inspectors regarding "the carrying out of audits on the processing of data carried out by the Benetton points of sale managed by the company Retail Italia Network Srl (part of the corporate group), as well as on the processing carried out by the Co-marketing partners", the Company represented that these "have not yet been carried out, but are currently in the planning stage".
Based on the overall examination of the above, the conditions were found to be met for a violation of art. 32, par. 1, letters b) and d), and par. 2, of the Regulation, with regard to the "ability to ensure the confidentiality ... and integrity on a permanent basis" of the data processed and to guarantee "a procedure for regularly testing, verifying and evaluating the effectiveness of the technical and organizational measures in order to guarantee the security of the processing" (see par. 2: "In assessing the appropriate level of security, particular account is taken of the risks presented by the processing which derive in particular from the destruction, loss, modification, unauthorized disclosure or access, accidentally or illegally, to personal data transmitted, stored or otherwise processed.").
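The store-account findings above (a password shared by all employees of a store, no forced change after provisioning, a portal reachable from any device) are conditions that an access-log audit can surface, which is what a regular verification procedure under art. 32(1)(d) would rest on. The script below is an added example for this page, not code from the decision or from Benetton's systems: it runs three such checks over constructed log lines, and every account name, device identifier, field and threshold in it is an assumption.

```python
"""Audit of constructed store-platform access records, modelled on the
Article 32 findings above. Added example; not Benetton's system, and all
names, fields and values are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: one row per login to a hypothetical loyalty
# portal. 'pw_changed' records whether the account ever replaced the
# password it was provisioned with; 'device' identifies the client.
ACCESS_LOG = """\
2021-11-09T08:58:12 account=store-IT-0042 device=pos-it-0042 ip=10.4.2.11 pw_changed=false
2021-11-09T09:02:40 account=store-IT-0042 device=android-7f3e ip=93.45.0.10 pw_changed=false
2021-11-09T09:03:05 account=store-IT-0042 device=pos-it-0042-b ip=10.4.2.12 pw_changed=false
2021-11-09T09:15:00 account=store-FR-0107 device=pos-fr-0107 ip=10.5.1.7 pw_changed=true
2021-11-09T13:40:22 account=store-FR-0107 device=pos-fr-0107 ip=10.5.1.7 pw_changed=true
2021-11-09T10:00:00 account=store-DE-0011 device=pos-de-0011 ip=10.6.0.3 pw_changed=false
"""

# Constructed allowlist of store-issued PCs, i.e. the "tools provided for
# the relevant tasks" that the policy alone did not enforce.
STORE_DEVICES = {"pos-it-0042", "pos-it-0042-b", "pos-fr-0107", "pos-de-0011"}

# Two logins from different devices within this window count as one
# credential in concurrent use (assumed threshold).
SESSION_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Turn the key=value lines into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        rec["pw_changed"] = rec["pw_changed"] == "true"
        events.append(rec)
    return events


def audit(events):
    """Return {account: sorted list of finding codes} for every account."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    findings = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        codes = set()
        # Initial password still live: the credential that travelled by
        # e-mail (district manager -> store manager) is still what opens
        # the account.
        if not all(e["pw_changed"] for e in evs):
            codes.add("initial-password-in-use")
        # Policy says store PCs only, but the portal accepts any device.
        if any(e["device"] not in STORE_DEVICES for e in evs):
            codes.add("non-store-device")
        # Shared credential: the same account active from different
        # devices within one short window, so no login maps to a person.
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > SESSION_WINDOW:
                    break
                if a["device"] != b["device"]:
                    codes.add("shared-account-concurrent-use")
        findings[account] = sorted(codes)
    return findings


def article_32_summary(findings):
    """Count affected accounts per finding, as an audit report would."""
    counts = defaultdict(int)
    for codes in findings.values():
        for c in codes:
            counts[c] += 1
    return dict(counts)


if __name__ == "__main__":
    result = audit(parse_log(ACCESS_LOG))
    for account, codes in sorted(result.items()):
        print(account, ", ".join(codes) or "no findings")
    print(article_32_summary(result))
```

On the constructed input only the French store account, whose password was changed and which is used from a single store PC, comes back clean.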
C) Violation of articles 5, par. 2, and 24, of the Regulation.
Finally, with reference to the issue of personal data communications to third parties for marketing and profiling purposes, the Company referred to Tik Tok and Facebook as commercial partners in these activities. However, despite the precise requests made by the Office (see minutes of November 9, 2021), the relationship with these platforms remained unclear as to the data processing carried out in the name and/or on behalf of Benetton, as well as its scope and methods, considering that Benetton provided in this regard only a copy of the standard terms of service applied by these two third-party companies to all their users, without explaining or producing documentation on their role in the processing of data and on any operating instructions given to them. This made it possible to consider a violation of the principle of accountability (articles 5, paragraph 2, and 24, of the Regulation).
The aforementioned alleged violations were the subject of a new further dispute on 11 March this year.
5. The Company's memorandum dated 11 April 2022.
The Company sent a defense brief on 11 April 2022, in which it stated that it wished to provide "elements, additions and clarifications necessary for the assessment of the reasons for which it is believed that the need to apply any corrective measures and sanctions in the case in question should be excluded, also in the light of the measures adopted or being adopted by Benetton...".
As regards the potential violations indicated in lett. A) of the Dispute, it represented that:
“With reference to Ms XX, the related personal data are still present in Benetton's systems, despite her deactivation from the newsletter service, as the interested party is still the holder and user of our fidelity card. In particular, the interested party signed up for the fidelity card program in 2012 (using, however, the related e-mail address as user-id) and for the newsletter service in 2017. As already represented, between 2019 and 2020 the so-called "Single DB" was set up, in which the creation of a single record referring to the individual concerned was envisaged, containing all the related information regarding registration for Benetton services (Newsletter, Fidelity card, e-Commerce). In this database there is therefore a single, specific record referring to Ms XX, as she is still the owner of the fidelity card (which she uses regularly) and the deactivation of the newsletter service also appears in the same record." (see annex 1 to the brief of 11 April last, cit.).
As regards the different profile concerning the presence, in Benetton systems, of data referring to the personal data of customers who have not requested the cancellation of their account or who have not made specific requests for anonymisation, "as similarly indicated in the information to interested parties", the Company observed that "in relation to registration for the e-commerce service (required to make purchases) and registration for the fidelity card programme, these services have been structured without a pre-established duration or deadline, in order to allow the user to be able to use them uninterruptedly over time, also in consideration of the type of products offered by the Company and the frequency of customer purchases which, in general, are also made over time. It should also be kept in mind that, since an automatic process of deletion of data relating to transactions or purchases dating back to a period exceeding 24 months is carried out, it would not theoretically be possible to reconstruct whether the customer has never carried out operations or if he has done them and they have been canceled by the process described. Hence the indication of maintaining the customer's account in the systems until the latter requests (i) the deactivation of the service/account or (ii) the deletion of personal data from the archives (in cases of unsubscription or deactivation, it is possible to consider the interested parties as "former customers").
The Company then added that: "In any case, ... considering the historical depth of the most recent data relating to the aforementioned services, ... it intends to proceed to define a maximum retention period for customer data relating to registration or registration for the aforementioned services, in the event of their inactivity in the last 24 months, to be fixed in the maximum term of 10 years from the date of the same registration or registration (in this sense, the information will be updated to the interested parties). This would also make it possible to preserve the Company's legitimate needs for maintaining, for that period (substantially in line with that established by law for the retention of contractual documents), the data of customers adhering to the aforementioned services, which are also essential in order to be able to defend itself in the event of any subsequent disputes (in fact, in recent years there have been some disputes with the interested parties, with respect to which, if the data had been completely deleted, Benetton would not have been able to protect its rights….). Also for the newsletter service it is envisaged to proceed with data retention for 10 years, without prejudice to the provision of an automatic deactivation system in the event of failure to send communications by the Company or inactivity of the interested party for 24 months and without prejudice to the possibility of requesting the deactivation of the service and the deletion of data. As requested, we also inform you that, to date, the total number of subscribers only to the newsletter, who have deactivated the service, is 249,859. It is confirmed that, in cases of subscription exclusively to the newsletter, data relating only to e-mail addresses and privacy consents issued by users are kept."
With reference to the potential violations indicated in lett. B) of the Dispute, the Company represented that: "With regard to the creation of a store profile on the Dynamics platform, it should be noted that, from a technical point of view, the system does not allow the "psw" change of this profile to be set as mandatory and, for this reason, indications have been provided aimed at recommending the change of psw on first access (see the cashier procedure provided by the company to the store manager, in addition to what was communicated upon delivery of the credentials), in line with what is already provided for in the instructions given more generally to authorized persons (formerly in charge of processing) within the scope of company policies and documents already in place. To deal with the aforementioned technical limits, activities have already started to replace the platform with a new one which will also have the specific functionality of the mandatory pw change. This activity will be completed in the coming months before the end of the year. In any case, in order to further strengthen the aforementioned indications and instructions in this transitional period, it has also been established that, when the psw is communicated to the store manager (separately from the communication of the username) there is also a specific reference to the obligation to change on first access (obviously the modified psw is no longer visible), as well as that, periodically, a communication is sent to remind compliance with this obligation."
Benetton also highlighted: "that the Dynamics platform, while providing for a single account for a single store, allows access to data subjects for viewing only, without the possibility of modification (with the exception of the possibility of creating new fidelity cards) and that the operations carried out with this account are in any case traced through specific logs, which are stored in the system for a suitable period of time, thus allowing specific audits to be carried out, even on a random basis or in the event of any reports of anomalies"; that as of the date of the brief in question, no "complaints or objections from customers have been received with reference to the aforementioned platform. Anyway ... through the activation of further specific technical interventions, it was possible to implement a process which provides for the attribution of users on the Dynamics platform with individual credentials for each employee of the store ... The Dynamics platform ... necessarily provides for the possibility of access via web link as it also supervises the management of the fidelity cards on the customers' side who access them (such as the stores), without prejudice to the various IT qualifications and authorizations related to the respective accounts (the customer will be able to consult only the information relating to him, while the store employees will be able to view a wider set of information (referring to members of the loyalty program) for the operational management of the fidelity cards and to allow each store to check the points attributed to the customer, where necessary)."
The Company also highlighted that "the system allows access to the data of all members of the fidelity card service (of the stores in the 7 European countries where the program is present), as the service is unique and customers can accumulate points in any store, regardless of where it is located (customers who travel can make purchases in any country where there is a store). Furthermore, access to the Dynamics platform is independent from that of the till system, as these are separate systems, both managed in the cloud, and due to purely technical constraints and limits it is not possible to block access from devices other than those used for the till, even if, as also reported by this Authority, the store employees are obliged to use the store PCs, as indicated in the company policy. In relation to what was recently declared regarding the carrying out of specific audits on Benetton points of sale, it is specified that, as mentioned, the same have been postponed also due to the well-known pandemic situation and that the internal audit function of Retail Italia Network s.r.l. has recently launched several audits on compliance with security procedures (also concerning the management of information security) and is assigned the task of carrying out the audit plan relating to privacy procedures being prepared by the Company within this year. That said, the Company reiterated that it has not received any reports or complaints of any anomalies or irregularities from the stores and their employees in relation to the aspects highlighted above.
As regards the potential violations indicated in lett. C) of the Dispute, with specific reference to relations with Facebook and TikTok, the Company clarified "that, due to a mere clerical error, also due to the particular moment of excitement related to the complex activities of collating, verifying and delivering the documentation requested during the inspection, documents acquired online were delivered in Annex 22 relating to the general conditions of service relating to consumer customers, instead of those relating to the business service contracts to which Benetton had adhered, which are attached hereto (see annex 2) - as it is easy to imagine, these are contracts of adhesion, drawn up unilaterally by the subjects, with respect to which the negotiating power of the adherent is rather limited. In any case, it is specified that, with respect to the overall provisions of these contractual conditions, the competent functions of the Company have activated the so-called services of insertion or publication of announcements or, better still, advertising banners which do not result in any processing of personal data 'in the name and/or on behalf of Benetton', nor any communication of personal data between Benetton and the aforementioned subjects, the parties maintaining distinct ownership of the processing as regards the areas and activities of their respective competence. Basically, like other operators in the sector, Benetton limits itself to preparing advertising content and purchasing the advertising 'spaces' or areas managed exclusively by these subjects, using only the services that provide for the insertion of banners within the relative platforms, without providing personal data of customers or users, nor receiving personal data on the users who view them."
In the light of the elements and documents provided in relation to the measures adopted, Benetton requested "the dismissal of the further proceeding in question, also with regard to the application of a possible administrative fine" and "in any case to want to determine the amount of the possible fine within the minimum deemed applicable", recalling, in addition to the elements set out above, "the statements made at the end of the inspection report of November 10, 2021 regarding the attention paid by the complex corporate organization to privacy aspects and safeguards even during particularly difficult years due to the well-known health emergency situation and the socio-economic crisis situation."
6. Overall observations of the Authority in the light of the two briefs of the Company.
6.1. The alleged violations contested with the communication of 29 September 2021.
With reference to the defense formulated by the Company in its first brief (October 27, 2021), it must first of all be said that the timing of the assessment by the Office, which, after acquiring the documents, deemed it necessary to carry out its own on-site verification activities in order to complete and clarify the operations already carried out by the Special Privacy Unit of the Guardia di Finanza in November 2019, was determined by the pandemic emergency that began in early 2020.
The Office therefore made only documentary requests for information, pending the end of the well-known restrictions on free movement established by government legislation and, once these had been gradually eased, the mitigation of the risk of contagion from Covid-19, in order to protect individual and public health.
In this exceptional context, the suspension ex lege of all time limits relating to the conduct of administrative proceedings pending as of 23 February 2020, or initiated after that date, for the period between that date and 15 May 2020 (extension provided for by Article 37, paragraph 1, of Legislative Decree No. 23/2020) also applies. That being said, the charge of 29 September 2021, contrary to what the Company believed and precisely in the light of the orientation of the Supreme Court cited in its brief dated 27 October last, certainly cannot be considered untimely, since it was considerably conditioned both by the actual need to verify and understand Benetton's processing dynamics and by the exceptional and well-known condition of limitations and uncertainty linked to the pandemic emergency. It must also be considered that, as recalled by the recent provision of the Guarantor of 16 December 2021, doc. web no. 9735672, in general as regards the activity of the independent administrative Authorities, the Cassation (Cass. Civ. Section 2, n. 31635/2018), taking up arguments already expressed previously, reiterated that "the activity of ascertaining the offence, in relation to which to place the dies a quo of the deadline for notification of the details of the violation, cannot coincide with the moment in which the fact is acquired in its materiality, but must be understood as including the time necessary for the evaluation of the data acquired and pertaining to the elements (objective and subjective) of the infringement and, therefore, of the final phase of deliberation related to the complexity, in this case, of the investigations aimed at verifying the existence of the infringement itself and at acquiring full knowledge of the unlawful conduct, so as to evaluate its consistency in terms of the correct formulation of the dispute (see Court of Cassation no. 13050/2014; Court of Cassation no. 1043/2015 and Cassation n. 770/2017)".
Similarly, with specific reference to the administrative offenses referred to in the Privacy Code, the Supreme Court then recently reiterated that (Cass. civ., sez. 2, n. 18288/2020) "the position of this Court having been consolidated according to which, in terms of administrative offenses referred to in the privacy code, the dies a quo for the calculation of the ninety-day term for the notification of the dispute runs from the ascertainment of the violation, which does not coincide with the generic and approximate perception of the fact and with the acquisition of the documentation relating to it, but requires the processing of the data thus obtained in order to identify the constituent elements of any violations (so, ex multis, Cass. 14678/2018)." While this case law refers to the 90-day term provided for by article 14 of law no. 689/1981, the principles identified therein can well find a similar application in relation to art. 166, paragraph 5, of the Privacy Code, since this latter provision, following the changes made by Legislative Decree no. 101/2018, contains the new discipline relating to the procedures for the adoption of corrective and sanctioning measures, previously defined exclusively through the reference made by the Code itself to the aforementioned law 689/1981. It follows "that the time for processing and evaluating the data, when not arbitrarily and unreasonably prolonged, will be directly proportional to the level of complexity of the cases involved in the proceeding", also including ... "the method of analysis applied by the Authority" (see provision of 16 December 2021, cit.).
However, it must be considered, as noted during the inspection carried out between 8 and 10 November 2021, that the time that has elapsed has allowed the Company to significantly improve compliance with current legislation on some significant critical issues that were the subject of the first charge (see also the brief of 27 October 2021 and the aforementioned inspection reports). Reference is made, in particular, to the renewed management of cookies as well as to the reorganisation of the customer database, which now holds a single record for each customer, with a single consent choice, positive or negative, with respect to processing for promotional purposes, even where the customer uses several services (fidelity card; e-commerce; subscription to the newsletter), all of which involve the sending of essentially promotional communications. So, for example, if the data subject unsubscribes from the fidelity program, they should no longer receive promotional newsletters either.
Considering the corrective action, systematic and radical, taken by the Company in revising the aforementioned processing operations, this Authority believes it can proceed with the dismissal of the aforementioned first charge.
6.2. The alleged violations notified with the second charge (March 11, 2022).
In the light of the brief submitted by Benetton on April 11, the alleged violation of the principles of minimization and limitation of conservation with respect to XX's data (letter A of the charge) cannot be established, and that point is therefore to be dismissed, since the Company has clarified that the data in question "are still present in Benetton's systems, despite its deactivation from the newsletter service, as the interested party is still the owner and user of our fidelity card."
Furthermore, in view of the reasons given by the Company and the clarifications provided regarding the roles of the commercial partners Facebook and TikTok in the processing of personal data for marketing purposes, the charge relating to the principle of accountability for the processing carried out by those companies in the name and/or on behalf of Benetton (letter C of the charge) can be dismissed.
Conversely, while acknowledging the corrective measures that Benetton states it has independently implemented, the violation of art. 5, par. 1, lett. c) and e), of the Regulation (principles of minimization and limitation of conservation), referred to in letter A) of the same charge, is confirmed with respect to the indefinite conservation of some data of former customers (unsubscribed or deactivated), also in light of the equally essential principle of purpose limitation (see art. 5, cit., letter b). Moreover, on the date of the brief of 11 April last, the total number of subscribers only to the newsletter who appeared to have deactivated the service, and whose data were nonetheless still kept by the Company, was significant (249,859). This critical issue adds to the analogous point 2.3 of the first charge, also concerning the violation of the principles of minimization and limitation of conservation, thus revealing persistent shortcomings in this regard, also because the Company has not yet implemented specific corrective measures, particularly with regard to the details of receipts.
In light of this, the ten-year retention period for such data, especially where they are rich in details objectively revealing the tastes and preferences of the data subjects (even if used by the Company for marketing or profiling purposes only with specific consent), is to be considered clearly excessive compared with the 12-month / 24-month periods indicated, in relation to the aforementioned purposes, in the general provision "'Fidelity card' and guarantees for consumers. The rules of the Guarantor for loyalty programs" of 24 February 2005, doc. web no. 1103045, also in light of the principles of accountability and "general responsibility" (pursuant to articles 5, paragraph 2, and 24, as well as Recital 74, of the Regulation).
Considering all of the above, it is deemed necessary to adopt a corrective measure against the Company whereby:
- order the cancellation or anonymisation of the personal data of former customers dating back to a period of more than 10 years, except in cases in which a judicial or extra-judicial dispute is still ongoing;
- enjoin the adoption of suitable organizational and technical solutions aimed at ensuring that the retention of customer and former customer data takes place in compliance with the principles set out in art. 5 of the Regulation, and in particular of purposes, minimization and limitation of conservation.
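The retention rule ordered above, written out as executable policy so that its edge cases (a pending dispute, an account that is merely inactive, receipt detail that has outlived its purpose) are explicit. This is an added illustration and not code from the decision or from Benetton; the customer records, e-mail addresses and dates are constructed, and the thresholds follow the text (24 months of inactivity as the Company described, 10 years as the cap the Garante ordered, 24 months for receipt-level detail).

```python
"""Retention policy as code: a constructed illustration of the corrective measure
(not Benetton's system). Former customers whose data are older than 10 years are
anonymised unless a dispute is pending; active accounts are deactivated after 24
months of inactivity; receipt-level detail is kept for at most 24 months."""
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

INACTIVITY_LIMIT = timedelta(days=730)    # 24 months, the inactivity window the Company described
DETAIL_LIMIT = timedelta(days=730)        # receipt detail (tastes/preferences) kept at most 24 months
MAX_RETENTION = timedelta(days=3653)      # 10 years, the cap the Garante ordered for former customers
TODAY = date(2023, 4, 27)                 # evaluation date (date of the decision)


@dataclass
class Purchase:
    on: date
    items: List[str]          # item-level detail; this is what reveals preferences
    total_eur: float          # aggregate retained for accounting purposes


@dataclass
class Customer:
    customer_id: str
    email: str
    registered_on: date
    last_activity: Optional[date]   # last purchase, login or newsletter interaction
    status: str                     # "active" | "unsubscribed" | "deactivated"
    dispute_open: bool = False      # legal hold: the exception carved out in the order
    purchases: List[Purchase] = field(default_factory=list)


def reference_date(c: Customer) -> date:
    """The retention clock runs from the last activity, or from registration if there was none."""
    return c.last_activity or c.registered_on


def decide(c: Customer, today: date = TODAY) -> str:
    """Return the action for one record: 'keep', 'deactivate' or 'anonymise'."""
    if c.dispute_open:
        return "keep"                       # pending dispute: data retained in full
    age = today - reference_date(c)
    if c.status != "active" and age > MAX_RETENTION:
        return "anonymise"                  # former customer, more than 10 years old
    if c.status == "active" and age > INACTIVITY_LIMIT:
        return "deactivate"                 # 24 months without activity
    return "keep"


def prune_details(c: Customer, today: date = TODAY) -> Customer:
    """Strip item lines from receipts older than 24 months; totals survive."""
    pruned = [p if today - p.on <= DETAIL_LIMIT else replace(p, items=[]) for p in c.purchases]
    return replace(c, purchases=pruned)


def anonymise(c: Customer) -> Customer:
    """Remove direct identifiers and preference data so the record is no longer personal data."""
    return replace(c, customer_id="", email="",
                   purchases=[replace(p, items=[]) for p in c.purchases])


def apply_policy(customers: List[Customer], today: date = TODAY) -> Tuple[Dict[str, str], List[Customer]]:
    """Evaluate every record; return the action taken per id and the resulting records."""
    actions: Dict[str, str] = {}
    result: List[Customer] = []
    for c in customers:
        action = decide(c, today)
        actions[c.customer_id] = action
        if action == "anonymise":
            result.append(anonymise(c))
        elif action == "deactivate":
            result.append(prune_details(replace(c, status="deactivated"), today))
        else:
            result.append(prune_details(c, today))
    return actions, result


def demo() -> Tuple[Dict[str, str], List[Customer]]:
    """Constructed sample records (ids, e-mail addresses and dates are invented)."""
    sample = [
        Customer("C-0001", "a@example.com", date(2018, 2, 1), date(2023, 1, 10), "active",
                 purchases=[Purchase(date(2019, 1, 15), ["scarf"], 30.0),
                            Purchase(date(2023, 1, 10), ["coat"], 120.0)]),
        Customer("C-0002", "b@example.com", date(2017, 6, 1), date(2020, 6, 1), "active"),
        Customer("C-0003", "c@example.com", date(2009, 5, 1), date(2011, 3, 1), "unsubscribed",
                 purchases=[Purchase(date(2011, 3, 1), ["jeans"], 60.0)]),
        Customer("C-0004", "d@example.com", date(2009, 5, 1), date(2011, 3, 1), "unsubscribed",
                 dispute_open=True),
        Customer("C-0005", "e@example.com", date(2014, 9, 1), date(2016, 5, 1), "deactivated"),
    ]
    return apply_policy(sample)


if __name__ == "__main__":
    for cid, action in demo()[0].items():
        print(cid, action)
```

The point of separating `decide` from the mutating helpers is auditability: the action per record can be logged and reviewed before anything is deleted, and the legal-hold check sits first so that no later rule can override it.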
The violation by Benetton of art. 32, par. 1, lit. b), also in the light of paragraph 2 of the same article of the Regulation, referred to in letter B) of the charge, must also be confirmed with regard to:
- the procedure for creating a store profile on the Dynamics platform;
- the lack of specific restrictions on the operation of the PC in use at the store (screenshots or similar operations can be performed);
- the possibility of reaching the fidelity card platform, accessible via web link, from any device (smartphone, tablet, PC);
- the employee's ability to access the loyalty program regardless of whether or not they have logged in to the cash register system;
- the failure to provide for a mandatory password change when the user account for a new store is created, on the loyalty side, and the use of a single store-account password shared by all employees of the store (minutes of 9 November last), and consequently the impossibility of identifying the person actually responsible for a possible 'data breach'.
In fact, pursuant to the aforementioned law, "taking into account the state of the art and implementation costs, as well as the nature, object, context and purposes of the processing, as well as the risk of varying probability and severity for the rights and freedoms of natural persons, the data controller and the data processor implement adequate technical and organizational measures to guarantee a level of security appropriate to the risk, which include, among others: .... b) the ability to ensure the confidentiality of data on a permanent basis". Furthermore, pursuant to par.2, "in assessing the adequate level of security, special account is taken of the risks presented by the processing which derive in particular (also) from unauthorized disclosure or access, in an accidental or illegal manner, to personal data transmitted, stored or otherwise processed."
Furthermore, the violation of art. 32, par. 1, lit. d), is confirmed, as there was no "procedure to test, verify and regularly evaluate the effectiveness of the technical and organizational measures in order to guarantee the security of the processing". These violations must, however, be placed within the framework of the general principles of 'security' and 'confidentiality' pursuant to art. 5, par. 1, lett. f), of the Regulation, which require timely and effective protection, also in order to prevent the factual conditions for a data breach from arising. In this regard, it is essential to note that the violation of art. 32 of the Regulation is not an offence of 'harm' but an offence of 'danger': to establish it, it is sufficient to find that the conditions set by the European legislator exist, without a personal data breach needing to have occurred, that being governed by separate specific rules (articles 33 and 34 of the Regulation).
Both the considerable mass of data (accessible from each store and referring to all the other stores in the countries where Benetton is present) and the variety of personal details acquired through the use of fidelity cards, which make those data of great utility and 'attractiveness' for the data enrichment and profiling activities increasingly widespread in the data economy, aggravate these violations.
It is therefore deemed necessary, as a corrective measure, to order the Company to adopt suitable organizational and technical solutions aimed at ensuring that the management of customers' personal data, by store staff, takes place in compliance with art. 32, par.1, lett. b) and d), and par. 2), of the Regulation.
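The access-control weaknesses listed above (shared store account, no forced password change at first access, no way to attribute an action to a person) and the measure ordered in response, shown as a small access model that a practitioner could compare against a real platform's behaviour. This is an added example and not Benetton's Dynamics configuration or code; the account names (`store-042`, `m.rossi`), card identifiers and passwords are constructed, and PBKDF2 with a per-account salt is an assumed choice of password storage, not one the decision describes.

```python
"""Store-access model for a loyalty platform: per-employee credentials, a forced
password change on first access, and an audit log that attributes each action to a
natural person. Constructed illustration, not Benetton's Dynamics configuration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 100_000     # assumed password-hashing cost; any slow hash would do
MIN_PASSWORD_LEN = 12


@dataclass
class Account:
    username: str
    store_id: str
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = True   # set at provisioning, cleared only by change_password()
    shared: bool = False                # legacy one-account-per-store pattern, kept for comparison


@dataclass
class AuditEvent:
    username: str
    store_id: str
    action: str
    card_id: Optional[str] = None


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class StoreDirectory:
    """Accounts plus an append-only audit trail."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[AuditEvent] = []

    def _verify(self, acc: Account, password: str) -> bool:
        return hmac.compare_digest(acc.pw_hash, _hash(password, acc.salt))

    def provision(self, username: str, store_id: str, initial_password: str, shared: bool = False) -> None:
        """Create an account whose initial password is usable only to set a new one."""
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, store_id, salt, _hash(initial_password, salt),
                                          must_change_password=True, shared=shared)
        self.audit.append(AuditEvent(username, store_id, "provisioned"))

    def login(self, username: str, password: str) -> str:
        """'ok', 'denied', or 'password_change_required' while the initial credential is still in use."""
        acc = self.accounts.get(username)
        if acc is None or not self._verify(acc, password):
            self.audit.append(AuditEvent(username, acc.store_id if acc else "?", "login_failed"))
            return "denied"
        if acc.must_change_password:
            return "password_change_required"
        self.audit.append(AuditEvent(username, acc.store_id, "login"))
        return "ok"

    def change_password(self, username: str, old: str, new: str) -> bool:
        acc = self.accounts[username]
        if not self._verify(acc, old) or len(new) < MIN_PASSWORD_LEN or new == old:
            return False
        acc.salt = secrets.token_bytes(16)      # fresh salt on every rotation
        acc.pw_hash = _hash(new, acc.salt)
        acc.must_change_password = False
        self.audit.append(AuditEvent(username, acc.store_id, "password_changed"))
        return True

    def view_card(self, username: str, card_id: str) -> bool:
        """Fidelity-card lookup; refused until the provisioning password has been replaced."""
        acc = self.accounts[username]
        if acc.must_change_password:
            return False
        self.audit.append(AuditEvent(username, acc.store_id, "view_card", card_id))
        return True


def attributable(ev: AuditEvent, directory: StoreDirectory) -> bool:
    """An audit event identifies a person only when the account is individual, not shared."""
    acc = directory.accounts.get(ev.username)
    return acc is not None and not acc.shared


def demo() -> dict:
    """Constructed walk-through: one legacy shared store account beside one personal account."""
    d = StoreDirectory()
    d.provision("store-042", "042", "Welcome-2023-042", shared=True)   # legacy: one account per store
    d.provision("m.rossi", "042", "Init-Pass-0042")                     # individual employee account
    r: dict = {}
    r["first_login"] = d.login("m.rossi", "Init-Pass-0042")             # initial password still in use
    r["view_before_change"] = d.view_card("m.rossi", "FC-0001")
    r["weak_change"] = d.change_password("m.rossi", "Init-Pass-0042", "short")
    r["change"] = d.change_password("m.rossi", "Init-Pass-0042", "correct-horse-battery-42")
    r["login_after"] = d.login("m.rossi", "correct-horse-battery-42")
    r["view_after"] = d.view_card("m.rossi", "FC-0001")
    d.change_password("store-042", "Welcome-2023-042", "rotated-store-password-042")
    d.login("store-042", "rotated-store-password-042")
    d.view_card("store-042", "FC-0002")
    r["attribution"] = [(e.username, attributable(e, d)) for e in d.audit if e.action == "view_card"]
    return r
```

Even after the shared account's password has been rotated, its `view_card` event still cannot be attributed to a person, which is the gap the decision describes; the individual account produces an attributable event, and neither account can read card data before its provisioning password has been replaced.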
6.3. Overall results and consequent measures to be taken.
Overall, given this finding of the unlawfulness of the Company's conduct with reference to the processing under examination, it is necessary, vis-à-vis Benetton:
- pursuant to art. 57, par. 1, lit. f), of the Regulation, to declare the processing carried out by the Company unlawful, in the terms set out in the justification, due in particular to the violation of the following provisions:
  • art. 5, par. 1, lett. c) and e), of the Regulation;
  • art. 32, par. 1, lit. b) and d), and par. 2, of the Regulation;
- pursuant to art. 58, par. 2, lit. g), of the Regulation, to order the cancellation, or anonymisation, of the personal data of former customers dating back to a period greater than 10 years, except in cases in which a judicial or extra-judicial dispute is still ongoing, within 10 days from the date of receipt of this provision;
- pursuant to art. 58, par. 2, lit. d), of the Regulation, to order the adoption of suitable organizational and technical solutions aimed at ensuring that the retention of customer and former customer data takes place in compliance with the principles set out in art. 5 of the Regulation, and in particular of purposes, minimization and limitation of conservation, within 30 days from the date of receipt of this provision;
- pursuant to art. 58, par. 2, lit. d), of the Regulation, to order the same Company to adopt suitable organizational and technical solutions aimed at ensuring that the management of customers' personal data, by store staff, takes place in compliance with art. 32, par. 1, lett. b) and d), and par. 2, of the Regulation, within 30 days from the date of receipt of this provision;
- pursuant to art. 157 of the Code, to ask the same Company to provide adequately documented feedback regarding the aforementioned measures, within 40 days from the date of receipt of this provision;
- to adopt an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of the law n. 689/1981, for the application of the pecuniary administrative sanctions provided for by art. 83, par. 4 and 5, of the Regulation.
7. Injunction order for the application of the pecuniary administrative sanction.
With reference only to the second charge sent to the Company, it should be noted that the violations confirmed above (see par. 6.3) require the adoption of an injunction, pursuant to articles 166, paragraph 7, of the Code and 18 of the law n. 689/1981, for the application against Benetton Group s.r.l. of the pecuniary administrative sanction provided for by art. 83, para. 4 and 5, of the Regulation. However, since several provisions of the Regulation and of the Code have been infringed in relation to connected processing operations carried out by the Company for marketing purposes, art. 83, par. 3, of the Regulation applies, according to which, "if, in relation to the same processing or to related processing operations, a data controller violates, with malice or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the more serious violation", the less serious violations thus being absorbed. Specifically, the aforementioned violations, which also concern the principles of minimization and limitation of conservation pursuant to art. 5 of the Regulation, are to be traced back, pursuant to art. 83, par. 3 of the same Regulation, to the most serious violation, with consequent application of the single sanction provided for in art. 83, par. 5, letter a), of the Regulation.
To determine the amount of the sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, paragraph 1), it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation.
In this case, the following aggravating circumstances should be considered:
1) the high number of interested parties and the considerable duration of the violations (letter a);
2) the subjective dimension of the conduct, to be considered seriously culpable given its non-conformity in the light of the consistent regulatory activity of the Authority, with particular reference to data retention (letter d);
3) the economic importance of the Company (see turnover - "turnover" of Euro 510,143,722.00, according to the "VAT 2021 model" and Euro 817,306,980.00, according to the "VAT 2020 model"; letter K).
As mitigating factors, pursuant to art. 83, par. 2, of the Regulation, it is considered necessary to take into account:
1) the measures envisaged to improve compliance with data protection legislation (letter c);
2) the absence of previous proceedings initiated against the Company (letter e);
3) the collaboration and transparency shown by the Company to the Authority during the inspections and, more generally, in the context of the investigation conducted (letter f);
4) the official verification of the aforementioned violations, in the absence of reports and complaints against the Company (letter h);
5) the pandemic emergency situation in which the assessment in question took place and, in particular, the financial losses represented by the Company (and emerging moreover from the significant negative change in turnover equal to 308,011,179: approximately -37%); as well as "recourse to layoffs one day a week for over a year" (see report of 10 November 2021) (letter k).
Based on the set of elements indicated above, in application of the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1 of the Regulation, taking into account the necessary balance between the rights of the interested parties and the freedom to do business, also in order to limit the economic impact of the sanction on the organisational, functional and employment needs of the Company, it is considered appropriate to impose on Benetton Group s.r.l. an administrative fine of 240,000 euros (two hundred and forty thousand/00), equal to approximately 1.18% of the maximum statutory fine (20,405,748 euros).
In the case in question, it is believed that the ancillary sanction of publication on the website of the Guarantor of this provision should also be applied, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019, taking into account the subject matter of the investigation with respect to which this Authority has adopted numerous measures both of a general nature and aimed at specific data controllers.
Finally, the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are also met for the annotation of the violations found here in the internal register of the Authority, provided for by art. 57, par. 1, lit. u), of the Regulation.
ALL THIS CONSIDERED, THE GUARANTOR
a) pursuant to art. 57, par. 1, lit. f), of the Regulation, declares the processing carried out by Benetton Group s.r.l., VAT number: 03490770264, with registered office in via Villa Minelli, 1, Ponzano Veneto (Treviso), to be unlawful, in the terms indicated in the justification;
b) pursuant to art. 58, par. 2, lit. g), of the Regulation, orders the same Company to cancel, or anonymise, the personal data of former customers dating back to a period greater than 10 years, except in cases in which a judicial or extra-judicial dispute is still ongoing, within 10 days from the date of receipt of this provision;
c) pursuant to art. 58, par. 2, lit. d), of the Regulation, orders the same Company to adopt suitable organizational and technical solutions aimed at ensuring that the retention of customer and former customer data takes place in compliance with the principles set out in art. 5 of the Regulation, and in particular of purposes, minimization and limitation of conservation, within 30 days from the date of receipt of this provision;
d) pursuant to art. 58, par. 2, lit. d), of the Regulation, orders the same Company to adopt suitable organizational and technical solutions aimed at ensuring that the management of customers' personal data, by store staff, takes place in compliance with art. 32, par.1, lett. b) and d), and par. 2), of the Regulation, within 30 days from the date of receipt of this provision;
e) pursuant to art. 157 of the Code, requests the same Company to provide adequately documented feedback regarding the aforementioned measures, within 40 days from the date of receipt of this provision. Failure to respond to the above requests constitutes the administrative offence referred to in art. 166, paragraph 2, of the Code;
ORDERS
to Benetton Group s.r.l. to pay the sum of Euro 240,000 (two hundred and forty thousand/00), as an administrative fine for the violations indicated in the justification, representing that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute, with the fulfillment of the instructions given and the payment, within the term of thirty days, of an amount equal to half of the fine imposed;
ENJOINS
to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 240,000 (two hundred and forty thousand/00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of the law n. 689/1981;
PROVIDES FOR
as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and of the art. 16 of the Regulation of the Guarantor n. 1/2019, the publication on the Guarantor's website of this provision and, pursuant to art. 17 of the Regulation of the Guarantor n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation, of the violations and of the measures adopted.
Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the owner of the processing of personal data has his residence, or, alternatively, with the court of the place of residence of the interested party, within the term of thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.
Rome, 27 April 2023
THE PRESIDENT
Stanzione
THE RAPPORTEUR
Scorza
THE SECRETARY GENERAL
Mattei