Garante per la protezione dei dati personali (Italy) - 9909702

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 13 GDPR
Article 28 GDPR
Type: Complaint
Outcome: Upheld
Started: 08.09.2021
Decided: 22.06.2023
Published:
Fine: 1,000,000 EUR
Parties: Autostrade per l’Italia S.p.A
National Case Number/Name: 9909702
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: Bernardo Armentano

The Italian DPA imposed a fine of €1,000,000 on Autostrade per l'Italia for erroneously indicating the developer of a toll reimbursement app as the controller. The DPA also found a violation of the principles of lawfulness and transparency.

English Summary

Facts

In October 2021, Autostrade per l’Italia S.p.A. (the concessionaire managing part of the Italian motorway network) signed a settlement agreement with the Ministry of Infrastructure and Transport providing for compensation measures for motorway users, including discounts and refunds on toll rates, in view of the delays caused by construction sites on the motorways managed by the company.

Following this agreement, Autostrade entrusted Free to X, a company it wholly owns, with the development and management of a cashback app through which users could request a total or partial refund of their toll costs. Both companies agreed that Free to X would be considered the controller, since it would have "full and autonomous decision-making powers" regarding the purposes and means of the processing. Free to X launched the app of the same name later in 2021, and the total number of users registered that year was 308,058.

Subsequently, Assoutenti, a consumer association, raised some concerns with the Italian DPA regarding personal data processing activities carried out through the app. The DPA opened an investigation and requested information from Autostrade, as the controller.

In response, Autostrade argued that it did not act as a controller, as it limited itself "only to determining the purpose" of the app, without intervening in any way on the related purposes and means. However, it committed "to change its role, attributing to itself the controllership of the processing of data relating to the cashback service" and to "amend the app's privacy policy and terms and conditions". Finally, Autostrade stated that it could inform all app users about the changes by email.

Holding

First, the DPA highlighted that the reimbursement mechanism (the cashback app) was chosen by Autostrade as the way to implement the compensatory measures provided for by the agreement signed with the Ministry, and that the company was also defining the methods for fulfilling that agreement. In particular, the DPA noted that Autostrade appointed Free to X to develop "an IT tool" aimed at offering "a free, smart and user-friendly solution for managing reimbursements on significant delays caused by the presence of construction sites on the motorway sections". Likewise, the company itself identified the conditions and requirements for a user's reimbursement request and was the party responsible for periodically updating the Ministry on the performance of the cashback system. Free to X, on the other hand, contrary to what Autostrade represented during the investigation, was acting under Autostrade's instructions. The DPA therefore considered the roles designated by the companies irrelevant and found that Free to X's margin of autonomy related only to the design and management of the app. According to the DPA, the choices made by Free to X concerned "non-essential means" of the processing, as they related to practical aspects of executing the service, while the scope and purposes were determined by Autostrade. For these reasons, the DPA held that Autostrade was the controller and Free to X the processor.

Second, the DPA recalled that the relationship between the two companies should have been governed by a contract pursuant to Article 28 GDPR, and that this contract should have bound Free to X as processor to Autostrade as controller, and not vice versa. The DPA therefore found a violation of Article 28 GDPR.

Third, the DPA stated that the requalification of the companies’ roles also had immediate repercussions on their respective obligations, such as the provision of information pursuant to Article 13 GDPR. It emphasized that Autostrade erroneously identified Free to X as the controller, thereby providing incorrect information to its customers. According to the DPA, the company also failed to provide further information, such as the specific purposes of the processing, and thus did not comply with the principles of lawfulness and transparency laid down in Article 5 GDPR. Therefore, the DPA found a violation of Articles 5(1)(a) and 13 GDPR.

In view of the above, and taking into consideration the significant number of users affected, the DPA imposed a fine of €1,000,000 on the controller.

Comment

From the decision, it is not possible to know what concerns were raised by the consumer association Assoutenti, as they are not mentioned. Apparently, the DPA treated the complaint as notice of possible violations and opened a broader investigation against the controller.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9909702]

Provision of June 22, 2023

Register of measures
no. 264 of 22 June 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Dr. Claudio Filippi, deputy secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (legislative decree 30 June 2003, n. 196, as amended by legislative decree 10 August 2018, n. 101, hereinafter "Code");

HAVING REGARD to the report dated 8 September 2021 presented by the National Association of Public Service Users (hereinafter "Assoutenti"), which brought to the attention of the Guarantor the initiative implemented by Autostrade per l'Italia S.p.A. concerning the use of an application aimed at allowing the total or partial reimbursement of the cost of the motorway ticket for delays due to construction sites;

HAVING EXAMINED the documentation on file;

GIVEN the observations made by the deputy secretary general pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000;

RAPPORTEUR Dr. Agostino Ghiglia;

WHEREAS

1. The preliminary investigation activity against the Company.

With a communication presented on 8 September 2021, Assoutenti raised some critical issues regarding the processing of users' personal data implemented by Autostrade per l'Italia S.p.A. (hereinafter "ASPI") and by Free to X S.r.l., through the application called "Free To X" (hereinafter "App"), aimed at allowing the total or partial reimbursement of the cost of the motorway ticket for delays due to construction sites (so-called Cashback service).

In this regard, ASPI, in responding to the requests for information sent by the Guarantor on 9 November 2021, 10 May 2022 and 18 May 2023, with notes dated 23 November 2021, 24 May 2022 and 29 May 2023, stated that:

- the origin of the reimbursement system for motorway users called Cashback "is to be traced back to the settlement agreement concluded upon settlement of the alleged serious non-fulfillment proceedings against ASPI by MIMS (formerly the Ministry of Infrastructure and Transport - MIT) ("Agreement")". Indeed, ASPI devised this reimbursement mechanism in order to implement the compensatory measures that it undertook to implement with this Agreement, subject to authorization from the Ministry of Infrastructure and Sustainable Mobility (hereinafter "MIMS"). In order to obtain the aforementioned clearance, ASPI presented a formal authorization request on 15 July 2021 where it was "fully and expressly described that the repayment program, envisaged by the Agreement, would be offered through Free to X (company established on 20 January 2021 and wholly controlled by ASPI), with an outsourcing model attributable to the so-called 'turnkey contract' to be paid by the subsidiary" (see note of 24 May 2022, pages 1 and 2);

- after obtaining, on 21 July 2021, the authorization from the MIMS, "ASPI has appointed Free To X S.r.l. (..) to manage the service denominated 'Cashback' via the App of the same name (..) - service for the management of reimbursements on significant delays caused by the presence of construction sites on the motorway sections entrusted under concession to ASPI" (see note of 23 November 2021, page 1);

- with regard to the "processing of personal data implemented as part of the Cashback service, ASPI operates as data processor pursuant to art. 28 GDPR" (see note of 23 November 2021, page 2 and Annexes 1 and 2);

- "the App was officially made available (..) on 14 September 2021, in an experimental regime (..) which began on 15 September 2021" (see note of 23 November 2021, page 1);

- the total number of users registered with the App "is equal to 308,058 (three hundred and eight thousand fifty-eight) - of which only about a third is made up of users registered with the Cashback service - compared to over 800,000,000 (eight hundred million) annual transits along the motorway network ASPI performed by millions of users” (see note of 29 May 2023, page 2).

As part of the preliminary investigation, information was also acquired from Free to X S.r.l. (see notes of the Guarantor dated 9 November 2021 and 10 May 2022), which, with communications dated 23 November 2021, 19 January 2022 and 24 May 2022, represented the following:

- Free to X S.r.l. "is a company wholly owned by ASPI which supplies and manages the App of the same name, through which users can access the 'Cashback' services (see note of 23 November 2021, page 2);

- with particular regard to "the processing of personal data implemented as part of the Cashback service, [the same] operates as data controller" (see note of 23 November 2021, page 2);

- the need to implement the Cashback refund service arose in response to the MIMS agreement for the negotiation of the alleged serious non-fulfillment proceeding against ASPI (hereinafter the "Agreement"), which provided for "measures compensation payable by ASPI on toll rates (…) including amounts to be allocated, in the period 2021-2024, to tariff discounts/refunds for the benefit of motorway users (..). Among the methods for fulfilling the contractual commitments assumed in the terms described above, ASPI has chosen to entrust entirely to Free to X (..) the conception and subsequent management of a system that recognizes reimbursements to motorway users and delays due to the presence of construction sites for the execution of extraordinary maintenance works on the motorway sections pertaining to ASPI (so-called Cashback service)" (see note dated 19 January 2022, page 3; see also page 4 in this sense);

- "although ASPI has contracted the Company to create the [Cashback] service (..), for the purposes of identifying the data controller, Free to X has considered the prevailing circumstance that both the conception and the subsequent management of the entire service would have been the exclusive prerogative of the Company with full and autonomous decision-making powers”; this with regard both to the "purposes (i.e. provision of the App and use of the Cashback service with relative payment of refunds to the current account of the App user, assistance from the Free to X customer care during registration and use of the Cashback service; fulfillment of legal obligations or requests from the competent authorities, sending of newsletters)" and to the "means (essential and otherwise) of processing user data (i.e. the type of personal data to be processed for the Cashback service, the retention periods of the aforementioned data, the recipients of the same, the security measures to be adopted, the subjects to be appointed as data processors)" (see note of 19 January 2022, pages 4 and 5);

- the experimental phase of implementation of the App was formally concluded on 30 December 2021 (see note of 19 January 2022, page 6).

2. Initiation of the procedure for the adoption of corrective measures.

On 19 October 2022, the Office notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the alleged violations found, with reference to articles 5, par. 1, lit. a) and 13 of the Regulation, as well as art. 28 of the Regulation, contesting the inaccurate configuration of the subjective scope of the processing and the inadequacy of the information provided to users.

With the note dated 1 December 2022, the Company sent its defense writings, stating that:

a. within the framework of the aforementioned Agreement, "ASPI is bound exclusively to compliance with macro-parameters, including the amounts to be allocated in the period 2021-2024 to tariff discounts and/or reimbursements for the benefit of motorway users" and "never proposed the creation of a service which necessarily involved the processing of personal data. The Cashback service (..) was in fact entirely designed and created by Free to X through the creation of the homonymous App”; the Company therefore did not act as data controller, as it limited itself "only to determining the purpose" of the same without intervening in any way on the related purposes and means (see note of 1 December 2022, page 2);

b. in any case, it took note of the Authority's position by providing "to change its role, attributing to itself the controllership of the processing of data relating to the Cashback service". Therefore, "in addition to some (..) technical-management measures aimed at guaranteeing the effective controllership of ASPI", the latter, with effect from 15 December 2022, amended the documents containing the "Information on the Privacy of the app” and the “App Terms and Conditions”, as well as preparing the messages to be sent "by e-mail to all users registered on the App to change the Controller" (see note of 1 December 2022, page 3);

c. on the basis of the above, it also prepared, on 21 November 2022, the "Appointment of Free to X S.r.l. as processor for all App services”, as indicated in attachment no. 1 to the note of 1 December 2022;

d. ASPI "immediately implemented every measure aimed at remedying the original flawed situation and at mitigating any prejudices for the interested parties" and "did not obtain any economic benefit from the treatment subject to the alleged violation", considering that "the Cashback service as well as the additional services related to it, are provided free of charge" (see note of 1 December 2022, pages 5 and 7);

e. lastly, it noted "that from the date of the last note sent by ASPI on 05.24.2022, the Authority has had all the elements available to be able to easily ascertain the alleged violation; nevertheless, this violation was notified, through the communication in question, only on 10.19.2022, well beyond the ninety-day term established by law starting from the conclusion of the inspection activity" (see note of 1 December 2022, page 7).

Subsequently, with a note dated December 21, 2022, ASPI pointed out that it had further amended, on December 19, 2022, the documents containing the "App Privacy Policy" and the "Terms and Conditions of the App" above, "by virtue of the obligations assumed with the Competition and Market Authority, ASPI, through Free To X S.r.l.”, in order to proceed with the configuration “by 31 December 2022 [of] a new section of the website www.freeto-x.it aimed at allowing users, in addition/alternative to the methods offered through the "Free To X" App, to register for the Cashback service" (see note of 21 December 2022, page 1 and relative annexes n. 2a containing the "Updated App and Website Privacy Policy" and n. 3a relating to the "Terms and Conditions of the App and Website").

3. Observations on the legislation on the protection of personal data relevant in the present case.

As a preliminary point, given what was raised by ASPI in the defense briefs, it is worth making some clarifications regarding the procedural terms, as provided for by the Guarantor's Regulation no. 2/2019, adopted on 4 April 2019, concerning the identification of the terms and organizational units responsible for administrative procedures at the Guarantor for the protection of personal data (hereinafter "Reg. n. 2/2019").

On this point it should be noted that, differently from what was claimed by the Company (see above paragraph 2, letter e), the term applicable to the proceeding in question is not the 90-day term referred to in Law of 24 November 1981, n. 689, but the one specifically identified by the Guarantor, pursuant to art. 154, paragraph 3 and art. 166, paragraph 9 of the Code, with the aforementioned Guarantor Regulation no. 2/2019, which entered into force following its publication in the Official Gazette no. 107 of 9 May 2019.

Indeed, the latter establishes that the notification, pursuant to art. 166, paragraph 5 of the Code, relating to the alleged violations, must be carried out within 120 days of the verification of the same (see Table B, part 2) of Reg. no. 2/2019). On this point, however, it should be noted that, as noted by the legitimacy jurisprudence, in the event of multiple violations connected to each other "the adequacy of the total time spent" by the proceeding administration for the purpose of ascertaining the aforementioned violations is in any case closely connected "to the complexity of the investigation activity" carried out by the same (Cass. Section I civ. of 4 April 2018, n. 8326).

In any case, it must be considered that the aforementioned 120-day term "is suspended from 1st to 31st August of each year and resumes from the end of the suspension period" (see art. 6, paragraph 1 of Reg. no. 2/2019). Furthermore, the same runs from when the assessment activity was completed, i.e. from when both the collection of the preliminary elements and their evaluation by the administration were concluded (see, in this sense, Cassation no. 16642 of 8 August 2005; see, also, Cassation Civil Section II of 28 November 2012, no. 21114 and Cassation Civil Section II of 22 April 2016, no. 8204).

In the light of what has been clarified above with regard to the procedural terms applicable to the case in question, as provided for by current legislation (including those identified by Article 6, paragraph 1 of Reg. No. 2/2019), it follows that the Authority complied with those terms in the procedure in question, considering the period of time that actually elapsed between the verification of the violation and its contestation.

Having dutifully stated the above, with regard to the violations ascertained by this Office in the specific case, it is noted that, unless the fact constitutes a more serious crime, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the performance of the duties or exercise of the powers of the Guarantor".

Based on the elements acquired during the preliminary investigation as well as the subsequent assessments by the Authority in this regard, it has been ascertained that the processing of users' personal data, referred to in the Cashback service, provided through the Free to X App, has been put in place by ASPI, as data controller, in violation of the Regulation, in the terms more fully explained below.

In this regard, first of all, it should be noted that the services offered through the aforementioned App involve separate user processing operations, carried out, for various reasons, by ASPI and Free to X S.r.l.
Specifically, these are those connected to the provision of the Cashback service - the subject of dispute in the case in question -, other related services, as well as those aimed at registering and managing the user account (see in this regard, note from Free to X S.r.l. of 23 November 2021, Annex n. 2 - "App Free To X: Overview of the main features of the app present on the current date in the Apple and Google stores (version 2.21.4)", pp. 2, 18, 21 and 23).

Taking into account what has been specified, for the purposes of the correct application of the legislation on the protection of personal data with respect to the aforementioned processing operations, it is therefore necessary to precisely identify the subjects who process the personal data referred to above and clearly define, with reference to the case at hand, their respective roles, in particular those of controller and processor (Article 4, paragraph 1, points 7 and 8 and Article 28 of the Regulation).

In this regard, it should be noted that the data controller is the person who establishes the purposes and means of the processing, i.e. who takes decisions regarding the "why" [i.e. "for what purpose" or "for what" the processing is carried out] and the "how" of the same [i.e. what means are employed to achieve this objective] (see European Data Protection Board - hereinafter "EDPB", Guidelines n. 07/2020 on the concepts of data controller and data processor pursuant to the GDPR, 7 July 2021, page 16).

Consequently, the manager − as a person who acts on behalf of the controller (art. 4, n. 8 of the Regulation) − “is called to follow the instructions given [by the latter] (..) as regards the purpose of the treatment and the essential elements that constitute the means” (see EDPB, Guidelines n. 07/2020, cit., page 28).

That said, it is also understood that, for the purposes of correctly identifying the subjective sphere of the processing, the roles of controller and processor must be established on the basis of an assessment of the concrete circumstances relating to the same.

Indeed, it is an assessment that must take into account the factual elements relevant to the specific case, as it is aimed at identifying the subject who exercises a decisive influence on the processing of the personal data in question (see EDPB, Guidelines no. 07/2020, cited above, page 13).

4. The violations ascertained in relation to the treatment relating to the Cashback service.

Having dutifully clarified this, in relation to the treatment relating to the Cashback service which is the subject of this proceeding, the Company's arguments in the defense briefs dated 1 December 2022 cannot be accepted (see above paragraph 2, letter a); this in the light of the following elements:

- the reimbursement mechanism called Cashback was identified by ASPI as concessionaire for the construction and operation of the motorway network (see Convention of 18 September 1968, n. 9297, approved by interministerial decree of 12 October 1968, n. 2890), as a form of implementation of the compensatory measures contained in the Agreement signed on 14 October 2021 with the MIMS to settle the proceedings for alleged serious non-compliance against it (see ASPI note of 24 May 2022, pages 1-3);

- from the documentation acquired during the preliminary investigation, it emerged that the nature of the compensatory measures, as well as the methods of fulfillment of the same, were defined independently by ASPI, after obtaining the ministerial authorization and in compliance with the regulatory constraints and parameters defined by the Agreement. It is, in particular, ASPI that specifically "developed [to] the reimbursement mechanism called Cashback", appointing Free to X S.r.l. to develop "an IT tool" aimed at offering "a free, smart and user-friendly solution for managing reimbursements on significant delays caused by the presence of construction sites on the motorway sections entrusted under concession to ASPI" (see ASPI note of 24 May 2022, Annex 11A - "Request for clearance presented to MIMS" on 15 July 2021 and Annexes nos. 11Bd and 11Ba);

- likewise, it is the Company itself that has identified the conditions and requirements for the user's request for reimbursement (e.g. the type of delay and its correlation with the presence of construction sites in progress; see ASPI note of 24 May 2022, Annexes 11A and 11Bd); this by entrusting Free to X S.r.l., on the basis of criteria already punctually established by ASPI, with tasks inherent exclusively to the implementation phase of the aforementioned service;

- the latter is the subject required to periodically provide updates to the "MIMS on the performance of the Cashback system", to provide "clarifications and/or information" upon request of the same, as well as to "report on a quarterly basis the progressive amount of the burden incurred” to fulfill the compensatory measures covered by the Agreement (see ASPI note of 24 May 2022, Annex no. 11Bd, page 2).

From the overall picture described, it emerges that, with reference to the processing inherent to the Cashback service, the purposes and the related means have been determined by ASPI in the terms explained above and, therefore, ASPI plays the role of controller.

On the other hand, Free to X S.r.l., differently from what was represented by the Company during the preliminary investigation (see para. 1 above), acts, in response to the task expressly assigned to it by ASPI with respect to the Cashback service, as processor of the related processing.

On this point, the indications of ASPI and Free to X S.r.l. in the act of designation of the processor signed on 20 July 2021 are irrelevant (see ASPI note of 23 November 2021, Annex no. 2 and Free to X S.r.l. note of 23 November 2021, Annex no. 4); this also considering what was specified by the European Data Protection Board regarding the circumstance that "if a party (..) actually decides the purposes and means of processing personal data, it will be the controller [of the same] (..) even where a contract designates it as processor" (see EDPB, Guidelines n. 07/2020, cit., page 14). In fact, Free to X S.r.l. carries out a series of activities which underlie the processing of users' personal data, but these activities are carried out on behalf of ASPI and on the basis of the procedure and criteria identified by it.

Furthermore, the recognition, by ASPI, of some margins of decision-making autonomy for Free to X S.r.l. relating, specifically, to the conception and management of the App (see note by Free to X of 19 January 2022, pages 4-5) is irrelevant for the purposes of the correct classification of the roles of data controller and data processor.

In fact, the designation as data processor does not exclude the possibility for the latter to autonomously adopt certain decisions regarding the processing, provided however that they concern the methods of execution of the latter (so-called "non-essential means"; see EDPB, Guidelines No. 07/2020, cit., page 16).

The decision-making powers of Free to X S.r.l., in fact, do not pertain to the purposes and essential means of the processing relating to the Cashback service, but rather to the development and management of the App as a tool for its concrete implementation.

All this considering that:

- it was ASPI that identified "the automatic evolutionary system of tariff discounts to users in the event of delays generated by construction sites" called Cashback as a method of implementing the compensatory measures and established that the same would be "activated using IT tools included under the denomination Free to X - Cashback, which the user could have accessed by registering and providing the data necessary for the physical execution of the refund" (see ASPI note of 24 May 2022, All. n. 11Bd, pp. 1 -2);

- the choices made by Free to X S.r.l. with regard to the development of the App and the management of the Cashback service through it therefore concern the "non-essential means" of the processing, as they relate to "practical aspects (..) related to the execution of [the same]”, the scope and related purposes of which were subject, upstream, to exclusive determination by ASPI (see EDPB, Guidelines no. 07/2020, cit., page 16).

Lastly, it remains understood that, in particular contexts, such as for example those relating to processing carried out via mobile applications, the same subject can in any case act simultaneously as data controller with respect to certain processing operations and as data processor with regard to others (see EDPB, Guidelines no. 07/2020, cit., page 13; see also the opinion of the Guarantor, adopted on 28 July 2022, on the draft decree relating to the digital platform for the provision of economic benefits granted by public administrations, to be adopted, in agreement with the Minister of Economy and Finance, pursuant to art. 28bis, paragraph 3, of Legislative Decree No. 152 of 6 November 2021, converted, with amendments, by Law 29 December 2021, no. 233).

This circumstance appears to occur also in the present case, where Free to X S.r.l., with reference to the processing operations for which it autonomously determines the respective purposes and means - such as those strictly connected to the registration and management of the user account (cf. note of Free to X S.r.l. of 23 November 2021, Annex no. 2 and lastly note of 21 December 2022, Annex no. 2a, point A "Processing of which Free To X S.r.l. is the controller") - acts as controller, while holding the role of processor for the Cashback service.

The aforementioned requalification of the relationship between ASPI and Free to X S.r.l., in the terms explained above, also has immediate repercussions on the compliance with the legislation on the protection of personal data of the information released to users pursuant to art. 13 of the Regulation.

That information, in fact, identifies Free to X S.r.l. as controller of all the processing operations indicated therein, including the one having the main purpose of providing the Cashback service.

The information notice, therefore, in the present case, was not adequately formulated, considering that, with reference to the Cashback service, it should have reported the correct indication of the actual identity of the controller (i.e. ASPI) and the purposes of the related processing, as well as further information to ensure, in compliance with the general principles referred to in art. 5 of the Regulation, fair and transparent processing towards users.

It follows, therefore, that ASPI violated art. 5, par. 1, lit. a) of the Regulation as regards the principles of fairness and transparency, as well as art. 13 of the Regulation with reference to the information to be provided to data subjects.

Lastly, in noting that the relations between the two Companies must be regulated, pursuant to art. 28 of the Regulation, on the basis of a contract or other legal act, it is also noted that the same, with reference to the Cashback service, contrary to what emerged from the documentation on file, should have bound Free to X S.r.l., as processor, to ASPI as controller, and not vice versa (see ASPI note of 23 November 2021, All. n. 2 - Appointment of ASPI as processor for the service called "Cashback").

The failure to designate Free to X S.r.l. as processor for the processing inherent to the Cashback service therefore determines the violation, by ASPI, of art. 28 of the Regulation.

The evidence of the aforementioned violations also emerges with reference to what was found during the proceeding regarding the initiative, recently taken by the Company, aimed at adapting the information model to be provided to users to the different configuration of the privacy roles proposed above, as well as designate, pursuant to art. 28 of the Regulation, Free to X S.r.l. as data controller for the Cashback service and for those related to it (see note of 1 December 2022, page 3).

Considering this dutifully, for all the reasons highlighted overall, it appears that the owner has put in place a conduct in contrast with the art. 5, par. 1, lit. a), the art. 13 and the art. 28 of the Regulation for a period of approximately one year (specifically, with reference to the profiles relating to the information from 15 September 2021 until 15 December 2022, while as regards the fulfillment pursuant to art. 28 of the Regulation from 15 September 2021 to 21 November 2022). The aforementioned violations, against what was declared by ASPI (see note of 29 May 2023, page 2), concerned around 100,000 (one hundred thousand) interested parties as users of the Cashback service.

5. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2 of the Regulation.

In light of the overall findings, the Authority considers that the statements, documentation and reconstructions provided by the controller during the investigation do not overcome the findings notified by the Office in the act initiating the proceeding, and are therefore unsuitable to justify the dismissal of the present proceeding, since none of the cases envisaged by art. 11 of the Guarantor's Regulation no. 1/2019 applies.

The processing of personal data carried out by the Company is in fact unlawful, in the terms set out above, with reference to the violation of the principles of fairness and transparency (art. 5, par. 1, lit. a) of the Regulation) and of art. 13 of the Regulation, given the failure to provide adequate information on the processing, as well as of the controller's obligation regarding the designation of processors (art. 28 of the Regulation).

The violation of the aforementioned provisions entails the application of the administrative fines provided for by art. 83, par. 4, lit. a) and by art. 83, par. 5, lit. a) and b) of the Regulation.

Lastly, as regards the exercise of corrective powers pursuant to art. 58, par. 2 of the Regulation, it is acknowledged that ASPI, during the proceeding, took steps to align the allocation of roles in the processing with the regulatory framework described above, adopting the following measures:

- the amendment of the information notice to be provided to users of the Cashback service after registration via the App and/or the website www.freeto-x.it (see "Information on the Protection of Personal Data pursuant to European Regulation no. 679/2016", updated on 19 December 2022, Annex no. 2a to the note of 21 December 2022);

- the sending to App users, starting from 15 December 2022, of a communication describing the changes made to the information notice referred to above (see Annex 4 to the note of 1 December 2022);

- the designation of Free to X S.r.l., pursuant to art. 28 of the Regulation, as processor for the Cashback service (Annex 1 to the note of 1 December 2022).

In this context, therefore, considering that specific measures have been adopted to bring the processing in question into compliance with current data protection law, the conditions for adopting corrective measures pursuant to art. 58, par. 2 of the Regulation are not met.

6. Adoption of the injunction order for the application of the pecuniary administrative fine and accessory sanctions (art. 58, par. 2, lit. i) and art. 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to art. 58, par. 2, lit. i) of the Regulation and art. 166 of the Code, has the power to impose the pecuniary administrative fine provided for by art. 83 of the Regulation, by adopting an injunction order (art. 18 of Law no. 689 of 24 November 1981), in relation to the processing of personal data carried out by ASPI whose unlawfulness has been ascertained in the terms set out above.

Considering that paragraph 3 of art. 83 of the Regulation must be applied, where it provides that "if a controller [...] intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement", the total amount of the fine is calculated so as not to exceed the maximum laid down by art. 83, par. 5.

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the administrative fine and determining its amount, and taking into account that the fine must be "in each individual case effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), the following circumstances were taken into consideration in the present case:

- as regards the gravity of the violations, relevance was given to their nature, since they concern non-compliance with the general principles of processing, and in particular the principles of fairness and transparency; to their duration, quantifiable at approximately one year; and to the high number of data subjects involved, corresponding to a third of the total number of users registered in the App. Moreover, the violations concerned the incorrect configuration of the roles in the processing carried out by the Company, thereby preventing users from having exact information about who the controller was (art. 83, par. 2, lit. a) of the Regulation);

- with reference to the intentional or negligent nature of the violations pursuant to art. 83, par. 2, lit. b) of the Regulation, the Company's negligent conduct was taken into consideration: it declared that it had attributed controllership of the processing relating to the Cashback service to Free to X S.r.l. by erroneously considering only the fact that "the same was entirely designed and created by Free to X through the creation of the homonymous App, whose operation is entirely managed and administered by the latter" (see note of 1 December 2022, page 2);

- the adoption, by the controller, of measures aimed at mitigating or eliminating the consequences of the violation (art. 83, par. 2, lit. c) of the Regulation). In this regard, account was taken of the fact that ASPI promptly adopted the measures described in par. 5 of this decision;

- the circumstance that the Company actively cooperated with the Authority during the proceeding (art. 83, par. 2, lit. f) of the Regulation);

- the absence of previous violations committed by the controller or of previous measures pursuant to art. 58 of the Regulation (art. 83, par. 2, lit. e) of the Regulation).

In favour of the controller, account was also taken of the fact that the Cashback service is provided by the Company free of charge, so that the latter obtained no direct economic benefit from the processing at issue (art. 83, par. 2, lit. k) of the Regulation).

Account was also taken of the economic conditions of the offender, determined on the basis of the Company's turnover as shown in the financial statements for the year 2021 (the latest available), with reference exclusively to the income statement item "Toll revenue".

In light of the elements indicated above and the assessments made, it is considered that an administrative fine of 1,000,000 (one million) euro should be imposed on ASPI in the present case.

In this context, it is also considered that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, this decision must be published on the Guarantor's website, in view of the type of violations ascertained, which affected the general principles of processing, in particular the principles of fairness and transparency, and which concerned the incorrect configuration of the roles in the processing carried out by the Company, thereby preventing users, for a considerable period of time, from having exact information about who the controller was.

Finally, it is considered that the conditions set forth in art. 17 of the Guarantor's Regulation no. 1/2019 are met.

ALL THAT BEING CONSIDERED, THE GUARANTOR

pursuant to art. 57, par. 1, lit. a) and art. 83 of the Regulation and art. 144, paragraph 1 of the Code, declares the unlawfulness of the processing carried out by Autostrade per l'Italia S.p.A., with registered office in Rome, VAT number 07516911000, in the terms set out in the reasoning, for the violation of art. 5, par. 1, lit. a) and art. 13 of the Regulation, as well as art. 28 of the Regulation;

finds that the conditions set forth in art. 17 of the Guarantor's Regulation no. 1/2019, concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers conferred on the Guarantor, are met;

ORDERS

pursuant to art. 58, par. 2, lit. i) of the Regulation, Autostrade per l'Italia S.p.A. to pay the sum of 1,000,000 (one million) euro as an administrative fine for the violations indicated in this decision;

ENJOINS

therefore Autostrade per l'Italia S.p.A. to pay the aforementioned sum of 1,000,000 (one million) euro, according to the methods indicated in the attachment, within thirty days of notification of this decision, failing which the consequent enforcement acts will be adopted pursuant to art. 27 of Law no. 689/1981. It is noted that, pursuant to art. 166, paragraph 8 of the Code, the offender retains the right to settle the dispute by paying, again according to the methods indicated in the attachment, an amount equal to half of the fine imposed, within the term laid down in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 for lodging the appeal indicated below;

ORDERS

the publication of this decision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019.

Pursuant to art. 78 of the Regulation, as well as art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, this decision may be challenged before the ordinary judicial authority by lodging an appeal with the ordinary court of the place identified in the same art. 10, within thirty days of the date of communication of the decision, or sixty days if the appellant resides abroad.

Rome, 22 June 2023

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE DEPUTY SECRETARY GENERAL
Filippi

[doc. web no. 9909702]

Decision of 22 June 2023

Register of measures
no. 264 of 22 June 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, president, Dr. Agostino Ghiglia and Guido Scorza, lawyer, members, and Dr. Claudio Filippi, deputy secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (legislative decree 30 June 2003, n. 196, as amended by legislative decree 10 August 2018, n. 101, hereinafter "Code");

HAVING REGARD to the report dated 8 September 2021 submitted by the National Association of Public Service Users (hereinafter "Assoutenti"), which brought to the attention of the Guarantor the initiative implemented by Autostrade per l'Italia S.p.A. concerning the use of an application aimed at allowing the total or partial reimbursement of the cost of the motorway ticket for delays due to construction sites;

HAVING EXAMINED the documentation on file;

GIVEN the observations made by the deputy secretary general pursuant to art. 15 of the Guarantor's Regulation no. 1/2000;

RAPPORTEUR Dr. Agostino Ghiglia;

WHEREAS

1. The preliminary investigation concerning the Company.

With a communication presented on 8 September 2021, Assoutenti raised some critical issues regarding the processing of users' personal data implemented by Autostrade per l'Italia S.p.A. (hereinafter "ASPI") and by Free to X S.r.l., through the application called "Free To X" (hereinafter "App"), aimed at allowing the total or partial reimbursement of the cost of the motorway ticket for delays due to construction sites (so-called Cashback service).

In this regard, ASPI, in responding to the requests for information sent by the Guarantor on 9 November 2021, 10 May 2022 and 18 May 2023, with notes dated 23 November 2021, 24 May 2022 and 29 May 2023, stated that:

- the origin of the reimbursement system for motorway users called Cashback "is to be traced back to the settlement agreement concluded to settle the alleged serious non-fulfillment proceedings brought against ASPI by MIMS (formerly the Ministry of Infrastructure and Transport - MIT) ("Agreement")". ASPI devised this reimbursement mechanism in order to implement the compensatory measures that it undertook to carry out under the Agreement, subject to authorization from the Ministry of Infrastructure and Sustainable Mobility (hereinafter "MIMS"). In order to obtain that clearance, ASPI submitted a formal authorization request on 15 July 2021 in which it was "fully and expressly described that the repayment program envisaged by the Agreement would be offered through Free to X (a company established on 20 January 2021 and wholly controlled by ASPI), under an outsourcing model attributable to the so-called 'turnkey contract', at the expense of the subsidiary" (see note of 24 May 2022, pages 1 and 2);

- after obtaining the MIMS authorization on 21 July 2021, "ASPI appointed Free To X S.r.l. (..) to manage the service called 'Cashback' via the App of the same name (..) - a service for the management of reimbursements for significant delays caused by the presence of construction sites on the motorway sections entrusted under concession to ASPI" (see note of 23 November 2021, page 1);

- with regard to the "processing of personal data carried out as part of the Cashback service, ASPI acts as data processor pursuant to art. 28 GDPR" (see note of 23 November 2021, page 2 and Annexes 1 and 2);

- "the App was officially made available (..) on 14 September 2021, in an experimental regime (..) which began on 15 September 2021" (see note of 23 November 2021, page 1);

- the total number of users registered with the App "is equal to 308,058 (three hundred and eight thousand fifty-eight) - of which only about a third are registered with the Cashback service - compared to over 800,000,000 (eight hundred million) annual transits along the ASPI motorway network, performed by millions of users" (see note of 29 May 2023, page 2).

As part of the preliminary investigation, information was also acquired from Free to X S.r.l. (see notes of the Guarantor dated 9 November 2021 and 10 May 2022), which, with communications dated 23 November 2021, 19 January 2022 and 24 May 2022, represented the following:

- Free to X S.r.l. "is a company wholly owned by ASPI which supplies and manages the App of the same name, through which users can access the 'Cashback' services" (see note of 23 November 2021, page 2);

- with particular regard to "the processing of personal data carried out as part of the Cashback service, [the same] acts as data controller" (see note of 23 November 2021, page 2);

- the need to implement the Cashback refund service arose from the Agreement with MIMS settling the alleged serious non-fulfillment proceeding against ASPI (hereinafter the "Agreement"), which provided for "compensatory measures payable by ASPI on toll rates (...) including amounts to be allocated, in the period 2021-2024, to tariff discounts/refunds for the benefit of motorway users (..). Among the methods for fulfilling the contractual commitments assumed in the terms described above, ASPI has chosen to entrust entirely to Free to X (..) the conception and subsequent management of a system that grants reimbursements to motorway users for delays due to the presence of construction sites for the execution of extraordinary maintenance works on the motorway sections pertaining to ASPI (so-called Cashback service)" (see note dated 19 January 2022, page 3; see also page 4 in this sense);

- "although ASPI contracted the Company to create the [Cashback] service (..), for the purposes of identifying the data controller, Free to X considered the prevailing circumstance that both the conception and the subsequent management of the entire service would be the exclusive prerogative of the Company, with full and autonomous decision-making powers"; this both as to the "purposes (i.e. provision of the App and use of the Cashback service with the related payment of refunds to the App user's current account, assistance from Free to X customer care during registration and use of the Cashback service; fulfillment of legal obligations or requests from the competent authorities, sending of newsletters)" and as to the "means (essential and otherwise) of processing user data (i.e. the type of personal data to be processed for the Cashback service, the retention periods of such data, their recipients, the security measures to be adopted, the subjects to be appointed as processors)" (see note of 19 January 2022, pages 4 and 5);

- the experimental phase of implementation of the App was formally concluded on 30 December 2021 (see note of 19 January 2022, page 6).

2. Initiation of the procedure for the adoption of corrective measures.

On 19 October 2022, the Office notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the alleged violations found with reference to art. 5, par. 1, lit. a) and art. 13 of the Regulation, as well as art. 28 of the Regulation, contesting the inaccurate configuration of the roles in the processing and the inadequacy of the information provided to users.

With the note dated 1 December 2022, the Company sent its defense writings, stating that:

a. within the framework of the aforementioned Agreement, "ASPI is bound exclusively to compliance with macro-parameters, including the amounts to be allocated in the period 2021-2024 to tariff discounts and/or reimbursements for the benefit of motorway users" and "never proposed the creation of a service which necessarily involved the processing of personal data. The Cashback service (..) was in fact entirely designed and created by Free to X through the creation of the homonymous App"; the Company therefore did not act as controller, since it limited itself "only to determining the objective" of the service without intervening in any way in the purposes and means of the related processing (see note of 1 December 2022, page 2);

b. in any case, it took note of the Authority's position by "changing its role, attributing to itself controllership of the processing of data relating to the Cashback service". Therefore, "in addition to some (..) technical-management measures aimed at guaranteeing effective controllership by ASPI", the Company, with effect from 15 December 2022, amended the documents containing the "App Privacy Policy" and the "App Terms and Conditions", and prepared the messages to be sent "by e-mail to all users registered on the App to change the Controller" (see note of 1 December 2022, page 3);

c. on the basis of the above, it also prepared, on 21 November 2022, the "Appointment of Free to X S.r.l. as processor for all App services", as indicated in Annex no. 1 to the note of 1 December 2022;

d. ASPI "immediately implemented every measure aimed at remedying the original flawed situation and at mitigating any prejudice to the data subjects" and "did not obtain any economic benefit from the processing subject to the alleged violation", considering that "the Cashback service, as well as the additional services related to it, are provided free of charge" (see note of 1 December 2022, pages 5 and 7);

e. lastly, it noted "that from the date of the last note sent by ASPI on 24 May 2022, the Authority had all the elements available to easily ascertain the alleged violation; nevertheless, this violation was notified, through the communication in question, only on 19 October 2022, well beyond the ninety-day term established by law starting from the conclusion of the inspection activity" (see note of 1 December 2022, page 7).

Subsequently, with a note dated 21 December 2022, ASPI pointed out that on 19 December 2022 it had further amended the documents containing the "App Privacy Policy" and the "App Terms and Conditions" referred to above, "by virtue of the obligations assumed with the Competition and Market Authority by ASPI, through Free To X S.r.l.", in order to set up "by 31 December 2022 a new section of the website www.freeto-x.it aimed at allowing users, in addition to or as an alternative to the methods offered through the 'Free To X' App, to register for the Cashback service" (see note of 21 December 2022, page 1, and the related Annexes no. 2a, containing the "Updated App and Website Privacy Policy", and no. 3a, relating to the "Terms and Conditions of the App and Website").

3. Observations on the legislation on the protection of personal data relevant in the present case.

As a preliminary point, given what was raised by ASPI in the defense briefs, it is worth making some clarifications regarding the procedural terms, as provided for by the Guarantor's Regulation no. 2/2019, adopted on 4 April 2019, concerning the identification of the terms and organizational units responsible for administrative procedures at the Guarantor for the protection of personal data (hereinafter "Reg. n. 2/2019").

On this point it should be noted that, contrary to what the Company claims (see paragraph 2, letter e above), the 90-day term referred to in Law no. 689 of 24 November 1981 does not apply to the proceeding in question; the applicable term is the one specifically identified by the Guarantor, pursuant to art. 154, paragraph 3 and art. 166, paragraph 9 of the Code, in the aforementioned Guarantor's Regulation no. 2/2019, which entered into force following its publication in the Official Gazette no. 107 of 9 May 2019.

Indeed, the latter establishes that the notification of the alleged violations pursuant to art. 166, paragraph 5 of the Code must be made within 120 days of their ascertainment (see Table B, part 2, of Reg. no. 2/2019). On this point, however, it should be noted that, as held by the Court of Cassation, in the event of multiple violations connected to each other "the adequacy of the total time spent" by the proceeding administration to ascertain those violations is in any case closely linked "to the complexity of the investigation activity" carried out (Cass., Civil Section I, 4 April 2018, no. 8326).

In any case, it must be considered that the aforementioned 120-day term "is suspended from 1 to 31 August of each year and resumes at the end of the suspension period" (see art. 6, paragraph 1 of Reg. no. 2/2019). Furthermore, the term runs from when the ascertainment activity was completed, i.e. from when both the collection of the preliminary elements and their evaluation by the administration were concluded (see, in this sense, Cass. no. 16642 of 8 August 2005; see also Cass., Civil Section II, 28 November 2012, no. 21114 and Cass., Civil Section II, 22 April 2016, no. 8204).

In light of what has been clarified above with regard to the procedural terms applicable to the present case, as provided for by current legislation (including those identified by art. 6, paragraph 1 of Reg. no. 2/2019), it follows that the Authority complied with those terms in the present proceeding, considering the period of time actually elapsed between the ascertainment of the violation and its contestation.

Having stated the above, with regard to the violations ascertained by the Office in the present case, it is noted that, unless the act constitutes a more serious offence, whoever, in a proceeding before the Guarantor, falsely declares or certifies facts or circumstances, or produces false deeds or documents, is liable pursuant to art. 168 of the Code, "False statements to the Guarantor and interruption of the performance of the duties or exercise of the powers of the Guarantor".

Based on the elements acquired during the preliminary investigation and on the Authority's subsequent assessments, it has been ascertained that the processing of users' personal data in connection with the Cashback service, provided through the Free to X App, has been carried out by ASPI, as controller, in violation of the Regulation, in the terms explained more fully below.

In this regard, it should first be noted that the services offered through the App involve separate processing operations on users' data, carried out, on different grounds, by ASPI and by Free to X S.r.l. Specifically, these are the operations connected to the provision of the Cashback service (the subject of the present proceeding), those connected to other related services, and those aimed at registering and managing the user account (see, in this regard, the note of Free to X S.r.l. of 23 November 2021, Annex no. 2 - "App Free To X: Overview of the main features of the app present on the current date in the Apple and Google stores (version 2.21.4)", pp. 2, 18, 21 and 23).

Taking this into account, for the purposes of the correct application of data protection law to these processing operations, it is therefore necessary to identify precisely the parties that process the personal data referred to above and to define clearly, with reference to the present case, their respective roles, in particular those of controller and processor (art. 4, points 7 and 8, and art. 28 of the Regulation).

In this regard, the controller is the party that determines the purposes and means of the processing, i.e. the party that decides "why" the processing takes place (for what purpose) and "how" it is carried out (what means are employed to achieve that objective) (see European Data Protection Board, hereinafter "EDPB", Guidelines 07/2020 on the concepts of controller and processor in the GDPR, adopted on 7 July 2021, page 16).

Consequently, the processor, as a party acting on behalf of the controller (art. 4, point 8 of the Regulation), "is called to follow the instructions given [by the latter] (..) as regards the purpose of the processing and the essential elements of the means" (see EDPB, Guidelines 07/2020, cit., page 28).

That said, it is also understood that, for the purposes of correctly identifying the parties to the processing, the roles of controller and processor must be established on the basis of an assessment of the concrete circumstances of the processing.

It is indeed an assessment that must take into account the factual elements relevant to the specific case, as it is aimed at identifying the party that exercises a decisive influence on the processing of the personal data in question (see EDPB, Guidelines 07/2020, cit., page 13).

4. The violations ascertained in relation to the treatment relating to the Cashback service.

Having dutifully clarified this, in relation to the treatment relating to the Cashback service which is the subject of this proceeding, the Company's arguments in the defense briefs dated 1 December 2022 cannot be accepted (see above paragraph 2, letter a); this in the light of the following elements:

- the reimbursement mechanism called Cashback was identified by ASPI as concessionaire for the construction and operation of the motorway network (see Convention of 18 September 1968, n. 9297, approved by interministerial decree of 12 October 1968, n. 2890) , as a form of implementation of the compensatory measures contained in the Agreement signed on 14 October 2021 with the MIMS to settle the proceedings for alleged serious non-compliance against it (see ASPI note of 24 May 2022, pages 1-3);

- from the documentation acquired during the preliminary investigation, it emerged that the nature of the compensatory measures, as well as the methods of fulfillment of the same, were defined independently by ASPI, after obtaining the ministerial authorization and in compliance with the regulatory constraints and parameters defined by the Agreement. It is, in particular, ASPI that specifically "developed [to] the reimbursement mechanism called Cashback", appointing Free to X S.r.l. to develop "an IT tool" aimed at offering "a free, smart and user-friendly solution for managing reimbursements on significant delays caused by the presence of construction sites on the motorway sections entrusted under concession to ASPI" (see ASPI note of the 24 May 2022, Annex 11A

- "Request for clearance presented to MIMS" on 15 July 2021 and Annexes nos. 11Bd and 11Ba);

- likewise, it is the Company itself that has identified the conditions and requirements for the user's request for reimbursement (e.g. the type of delay and its correlation with the presence of construction sites in progress; see ASPI note of 24 May 2022, Annexes 11A and 11Bd); this by entrusting Free to X S.r.l., on the basis of criteria already punctually established by ASPI, with tasks inherent exclusively to the implementation phase of the aforementioned service;

- the latter is the subject required to periodically provide updates to the "MIMS on the performance of the Cashback system", to provide "clarifications and/or information" upon request of the same, as well as to "report on a quarterly basis the progressive amount of the burden incurred” to fulfill the compensatory measures covered by the Agreement (see ASPI note of 24 May 2022, Annex no. 11Bd, page 2).

From the overall picture described, it emerges that, with reference to the processing inherent to the Cashback service, the purposes and the related means have been determined by ASPI in the terms explained above and, therefore, the same plays the role of owner.

On the other hand, Free to X S.r.l., differently from what was represented by the Company during the preliminary investigation (see para. 1 above), acts, in response to the task expressly assigned to it by ASPI with respect to the Cashback service, as manager of the related treatment.

On this point, the indications of ASPI and Free to X S.r.l. are irrelevant. in the act of designation of the manager signed on 20 July 2021 (see ASPI note of 23 November 2021, Annex no. 2 and Free to X S.r.l. note of 23 November 2021, Annex no. 4); this also considering what was specified by the European Data Protection Committee regarding the circumstance that "if a party (..) actually decides the purposes and methods of processing personal data, it will be the owner [of the same] (. .) even where a contract indicates you as responsible" (see EDPB, Guidelines n. 07/2020, cit., page 14). In fact, Free to X S.r.l. carries out a series of activities which underlie the processing of users' personal data, but these activities are carried out on behalf of ASPI and on the basis of the procedure and criteria identified by it.

Nor is it relevant, for the purposes of the correct classification of the roles of controller and processor, that ASPI recognised some margins of decision-making autonomy for Free to X S.r.l. related, specifically, to the design and management of the App (see note by Free to X of 19 January 2022, pages 4-5).

In fact, the designation as processor does not exclude the possibility for the latter to autonomously adopt certain decisions regarding the processing, provided however that they concern the practical methods of carrying it out (so-called "non-essential means"; see EDPB, Guidelines no. 07/2020, cit., page 16).

The decision-making powers of Free to X S.r.l., in fact, do not pertain to the purposes and essential means of the processing operations relating to the Cashback service, but rather to the development and management of the App as a tool for their concrete implementation.

All this considering that:

- it was ASPI that identified "the automatic evolutionary system of tariff discounts to users in the event of delays generated by construction sites" called Cashback as the method of implementing the compensatory measures and established that the same would be "activated using IT tools included under the denomination Free to X - Cashback, which the user could access by registering and providing the data necessary for the physical execution of the refund" (see ASPI note of 24 May 2022, Annex no. 11Bd, pp. 1-2);

- the choices made by Free to X S.r.l. with regard to the development of the App and the management of the Cashback service through it therefore concern the "non-essential means" of the processing, as they relate to "practical aspects (..) related to the execution of [the same]", the scope and related purposes of which were subject, upstream, to exclusive determination by ASPI (see EDPB, Guidelines no. 07/2020, cit., page 16).

Lastly, it remains understood that, in particular contexts, such as processing carried out via mobile applications, the same party can in any case act simultaneously as controller with respect to certain processing operations, and as processor with regard to others (see EDPB, Guidelines no. 07/2020, cit., page 13; see also the opinion of the Garante, adopted on 28 July 2022, on the draft decree relating to the digital platform for the provision of economic benefits granted by public administrations, to be adopted, in agreement with the Minister of Economy and Finance, pursuant to art. 28bis, paragraph 3, of Decree-Law No. 152 of 6 November 2021, converted, with amendments, by Law no. 233 of 29 December 2021).

This circumstance appears to occur also in the present case, where Free to X S.r.l., with reference to the processing operations for which it autonomously determines the purposes and the related means - such as those strictly connected to the registration and management of the user account (cf. note of Free to X S.r.l. of 23 November 2021, Annex no. 2 and lastly note of 21 December 2022, Annex no. 2a, point A "Processing for which Free To X S.r.l. is the controller") - acts as controller, while holding the role of processor for the Cashback service.

The aforementioned requalification of the relationship between ASPI and Free to X S.r.l., in the terms explained above, also has immediate repercussions on the compliance with personal data protection law of the privacy notice provided to users pursuant to art. 13 of the Regulation.

That notice, in fact, identifies Free to X S.r.l. as controller of all the processing operations indicated therein, including the one whose main purpose is the provision of the Cashback service.

The notice, therefore, in the present case, was not adequately formulated, considering that, with reference to the Cashback service, it should have correctly indicated the actual identity of the controller (i.e. ASPI) and the purposes of the related processing, as well as further information to ensure, in compliance with the general principles referred to in art. 5 of the Regulation, fair and transparent processing towards users.

It follows, therefore, that ASPI violated art. 5, par. 1, lit. a) of the Regulation as regards the principles of fairness and transparency, as well as art. 13 of the Regulation with reference to the information to be provided to data subjects.

Lastly, noting that the relations between the two Companies must be governed, pursuant to art. 28 of the Regulation, by a contract or other legal act, it is also observed that such act, with reference to the Cashback service, contrary to what emerged from the documentation on file, should have bound Free to X S.r.l., as processor, to ASPI as controller, and not vice versa (see ASPI note of 23 November 2021, Annex no. 2 - Appointment of ASPI as processor for the service called "Cashback").

The failure to designate Free to X S.r.l. as processor for the processing inherent to the Cashback service therefore determines the violation, by ASPI, of art. 28 of the Regulation.

Confirmation of the aforementioned violations also emerges from what was found during the proceedings regarding the initiative recently taken by the Company, aimed at adapting the notice to be provided to users to the different configuration of the privacy roles set out above, as well as at designating, pursuant to art. 28 of the Regulation, Free to X S.r.l. as processor for the Cashback service and the processing related to it (see note of 1 December 2022, page 3).

Having duly considered all this, for all the reasons highlighted above, it appears that the controller engaged in conduct in breach of art. 5, par. 1, lit. a), art. 13 and art. 28 of the Regulation for a period of approximately one year (specifically, with reference to the profiles relating to the notice, from 15 September 2021 until 15 December 2022, while as regards the obligation pursuant to art. 28 of the Regulation, from 15 September 2021 to 21 November 2022). The aforementioned violations, according to what was declared by ASPI (see note of 29 May 2023, page 2), concerned around 100,000 (one hundred thousand) data subjects as users of the Cashback service.

5. Conclusions: declaration of the unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, of the Regulation.

In light of the overall findings, the Authority considers that the declarations, documentation and reconstructions provided by the controller during the investigation do not allow the findings notified by the Office in the act initiating the proceedings to be overcome, and are therefore unsuitable to justify dismissal of the present proceedings, since none of the cases envisaged by art. 11 of the Garante's Regulation no. 1/2019 applies.

The processing of personal data carried out by the Company is in fact unlawful, in the terms set out above, with reference to the violation of the principles of fairness and transparency (art. 5, par. 1, lit. a) and of art. 13 of the Regulation, given the failure to provide adequate information in relation to the processing, as well as of the controller's obligation regarding the designation of processors (art. 28 of the Regulation).

The violation of the aforementioned provisions entails the application of the administrative sanctions provided for by art. 83, par. 4, lit. a) and by art. 83, par. 5, letters a) and b) of the Regulation.

Lastly, as regards the exercise of the corrective powers pursuant to art. 58, par. 2, of the Regulation, note is taken of the fact that ASPI, during the proceedings, took steps to align the subjective scope of the processing with the regulatory framework described above, adopting the following measures:

- the modification of the notice to be provided to users who use the Cashback service after registering via the App and/or the website www.freeto-x.it (see "Information on the Protection of Personal Data pursuant to European Regulation no. 679/2016" updated to 19 December 2022, Annex no. 2a of the note dated 21 December 2022);

- the transmission to the users of the App, starting from 15 December 2022, of a communication containing the indications regarding the changes made to the above notice (see Annex 4 of the note dated 1 December 2022);

- the designation, pursuant to art. 28 of the Regulation, of Free to X S.r.l. as processor for the Cashback service (Annex 1 of the note dated 1 December 2022).

In this context, therefore, considering that specific measures have been adopted to bring the processing in question into compliance with current personal data protection law, the conditions for adopting corrective measures pursuant to art. 58, par. 2, of the Regulation are not met.

6. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Garante, pursuant to art. 58, par. 2, lit. i) of the Regulation and art. 166 of the Code, has the power to impose the pecuniary administrative sanction provided for by art. 83 of the Regulation, through the adoption of an injunction order (art. 18, Law no. 689 of 24 November 1981), in relation to the processing of personal data carried out by ASPI, whose unlawfulness has been ascertained in the terms set out above.

Considering it necessary to apply paragraph 3 of art. 83 of the Regulation, which provides that "if, in relation to the same processing or to connected processing operations, a controller [...] intentionally or negligently violates several provisions of this Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation", the total amount of the fine is calculated so as not to exceed the maximum prescribed by the same art. 83, par. 5.

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purpose of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must be "effective, proportionate and dissuasive in each individual case" (art. 83, par. 1 of the Regulation), it should be noted that, in the case in question, the circumstances listed below were taken into consideration:

- in relation to the seriousness of the violations, their nature was considered relevant, as they concern non-compliance with the general principles of processing, and in particular the principles of fairness and transparency, together with their duration, quantifiable at approximately one year, as well as the high number of data subjects involved, corresponding to a third of the total number of subjects registered in the App. Furthermore, it was noted that the aforesaid violations concerned the incorrect configuration of the subjective scope of the processing carried out by the Company, thus preventing users from having exact information regarding the identity of its controller (art. 83, par. 2, letter a) of the Regulation);

- with reference to the intentional or negligent nature of the violations pursuant to art. 83, par. 2, lit. b) of the Regulation, the negligent conduct of the Company was taken into consideration, which declared that it had attributed controllership of the processing relating to the Cashback service to Free to X S.r.l. having erroneously taken into exclusive consideration the fact that "the same was entirely designed and created by Free to X through the creation of the homonymous App whose operation is entirely managed and administered by the latter" (see note of 1 December 2022, page 2);

- the adoption, by the controller, of measures aimed at mitigating or eliminating the consequences of the violation (art. 83, par. 2, letter c) of the Regulation). In this regard, account was taken of the fact that ASPI promptly adopted the measures described in par. 5 of this provision;

- the circumstance that the Company has actively cooperated with the Authority during the proceedings (Article 83, paragraph 2, letter f) of the Regulation);

- the fact that there are no previous violations committed by the data controller or previous provisions pursuant to art. 58 of the Regulation (art. 83, paragraph 2, letter e) of the Regulation).

In favour of the controller, account was also taken of the fact that the Cashback service is provided by the Company free of charge and therefore the latter did not obtain any direct economic benefit from the contested processing (art. 83, par. 2, letter k) of the Regulation).

The economic conditions of the offender are also considered relevant, determined on the basis of the Company's turnover as reported in the financial statements for the year 2021 (the latest available), referring exclusively to the income statement item identified as "Toll revenue".

In the light of the elements indicated above and the assessments made, it is believed, in the present case, that the administrative sanction of payment of a sum equal to 1,000,000 (one million) euro should be applied against ASPI.

In this context, it is also considered that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Garante's Regulation no. 1/2019, this provision must be published on the Garante's website, in consideration of the type of violations ascertained, which affected the general principles of processing, in particular the principles of fairness and transparency, and of the fact that they concerned the incorrect configuration of the subjective scope of the processing carried out by the Company, thus preventing users, for a considerable amount of time, from having exact information regarding the identity of its controller.

Finally, it is considered that the conditions set forth in art. 17 of the Garante's Regulation no. 1/2019 are met.

ALL THAT BEING CONSIDERED, THE GARANTE

pursuant to articles 57, par. 1, lit. a) and 83 of the Regulation and art. 144, paragraph 1, of the Code, declares the unlawfulness of the processing carried out by Autostrade per l'Italia S.p.A., with registered office in Rome, VAT number 07516911000, in the terms referred to in the reasoning, for the violation of articles 5, par. 1, lit. a) and 13 of the Regulation, as well as art. 28 of the Regulation;

considers that the conditions set forth in art. 17 of the Garante's Regulation no. 1/2019, concerning internal procedures having external relevance aimed at carrying out the tasks and exercising the powers delegated to the Garante, are met.

ORDERS

pursuant to art. 58, par. 2, lit. i) of the Regulation, Autostrade per l'Italia S.p.A. to pay the sum of 1,000,000 (one million) euro as an administrative fine for the violations indicated in this provision.

ENJOINS

Autostrade per l'Italia S.p.A. to pay the aforementioned sum of 1,000,000 (one million) euro, according to the methods indicated in the attachment, within thirty days of notification of this provision, failing which the consequent enforcement acts will be adopted pursuant to art. 27 of Law no. 689/1981. It is noted that, pursuant to art. 166, paragraph 8, of the Code, the offender retains the right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the term referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 envisaged for the filing of the appeal, as indicated below.

DIRECTS

the publication of this provision on the Garante's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Garante's Regulation no. 1/2019.

Pursuant to art. 78 of the Regulation, as well as art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, this provision may be challenged before the ordinary judicial authority by lodging an appeal with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 22 June 2023

PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE DEPUTY SECRETARY GENERAL
Filippi