Garante per la protezione dei dati personali (Italy) - 9917820
Garante per la protezione dei dati personali - 9917820 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 12(3) GDPR Article 17 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 01.06.2023 |
Published: | |
Fine: | 20,000 EUR |
Parties: | Cooperjob S.p.A |
National Case Number/Name: | 9917820 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Italian |
Original Source: | Provvedimento del 1° giugno 2023 [9917820 (in IT)] |
Initial Contributor: | Sophia Hassel |
The Italian DPA fined Cooperjob S.p.A a total of 20,000 euros for failing to comply with a request to delete personal data. The request was not complied with in time and only occured after the DPA requested compliance. The DPA found violations under Articles 12(3) and 17.
English Summary
Facts
The data subject had provided his data to a job-seeking company so that they could be presented as a candidate for job offers. On 11/08/21 the data subject sent a request asking to be removed from the controller 's database under Article 17 as they no longer wanted to reveive job offers. The controller did not respond and so the data subject filed a complaint to the Italian DPA on 12/09/21. The DPA sent a message urging the controller to comply on the 21/10/21. 86 days after the initial request from the data subject and only after intervention from the DPA, did the controller respond and delete the data subject's personal data on the 04/11/21.
Holding
The DPA held that the controller failed to provide a response within the timeframe provided in Article 12(3) GDPR which stipulates that a response must be no later than one month from receipt of the request. The controller’s initial failure to delete the data subject’s data also violated the right to be forgotten under Article 17.
While the DPA did not charge the controller under Article 12(4) GDPR, they reminded the controller that in the event of non-compliance, the controller must notify the subject and inform the data subject of the possibility of lodging a complaint with the supervisory authority as well as available judicial remedies.
The DPA fined the company 20,000 euros under Article 58(2)(i) and 83(2).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[doc. web no. 9917820] Provision of 1 June 2023 Register of measures no. 230 of 1 June 2023 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia, member, and the cons. Fabio Mattei, general secretary; HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation"); HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679"; CONSIDERING the complaint presented by Mr. XX on 12/09/2021, regularized on 05/10/2021, pursuant to art. 77 of the Regulations, with which Cooperjob S.p.A. has complained of a violation of the regulations on the protection of personal data; HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000; SPEAKER Prof. Pasquale Stanzione; WHEREAS 1. The initiation of proceedings. With the complaint presented to this Authority on 09/12/2021, regularized on 10/05/2021, Mr. XX represented that he had formulated, on 08/11/2021, against Cooperjob S.p.A. (hereinafter "the Company"), an application aimed at obtaining the cancellation of one's personal data, given to the Udine branch as a candidate for job offers. This request was sent to a dedicated e-mail address, without however obtaining any response within the terms of art. 12, par. 3, of the Regulation. With the note dated 21/10/2021 (prot. n. 53024), the Office invited the Company to provide observations on what was represented in the complaint and to comply with the requests of the complainant. The Company, with a note dated 04/11/2021, provided full response to the requests of the complainant, declaring that it had detected the presence of the personal data referred to instantly both within the platform for collecting applications, present on the website www. cooperjob.eu, both within the company management system and to have provided for their cancellation. Furthermore, "in order to improve the management of requests from interested parties, having realized that managing a single account (info@cooperjob.eu) which conveys multiple and different requests from users, could be difficult to manage, (...)" , steps were taken to "activate a special mailbox privacy@cooperjob.eu already indicated in the footer of the website". For the above, the Office proceeded to notify the Company of the deed of initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code in relation to the violation of articles 12, par. 3, and 17 of the Regulation (prot. n. 62568 of 12/17/2021). On 12/01/2022, the Company sent its own written defenses, pursuant to art. 18 of the law n. 689/1981, with which he provided his observations regarding the violations described, in the light of the criteria indicated in art. 83, par. 2 of the Regulation. In particular, it was shown that: - "the violation refers to the failure to respond to a data subject, following his request for data deletion"; - "the culpable nature of the violation, following the difficulty of managing a single account that conveys multiple and different user requests, in particular following the Covid-19 epidemiological emergency"; - "with a note dated 04/11/2021, the company gave evidence of the cancellation of the data subject's data [present within the company platform] by means of (...) screenshots certifying the presence of the data before the cancellation and subsequent screenshots certifying the 'absence of data after cancellation”; - moreover, with reference to the data of the interested party present within the company management system, the evidence of the cancellation was made "through the screenshots certifying the presence of the data before the cancellation and the subsequent absence of the data once the cancellation has been confirmed" ; - technical and organizational measures have been adopted aimed at avoiding the recurrence of similar situations, "by taking steps to update the request management process and the relative training of the authorized subjects involved in the processing". 2. The outcome of the investigation. Following the examination of the documentation produced and the declarations made by the party during the proceedings, provided that, unless the fact constitutes a more serious offence, whoever, in a proceeding before the Guarantor, falsely declares or attests news or circumstances or produces false deeds or documents and is liable pursuant to art. 168 of the Code, it emerged that the company, in response to the request to exercise the rights formulated by the complainant on 08/11/2021, did not provide any response within the terms established by art. 12, par. 3 of the Regulation ("without unjustified delay and, in any case, at the latest within one month of receipt of the request"). It should also be noted that the art. 12, par. 4 of the Regulation specifies that in the event that he does not comply with the requests to exercise the rights "the data controller informs the interested party without delay and at the latest within one month of receiving the request, of the reasons for the non-compliance and of the possibility of lodge a complaint with a supervisory authority and to lodge a judicial appeal". In the light of the aforementioned regulatory framework, it has been ascertained that the Company has not provided a timely reply to the request for data cancellation and that, only following the intervention of the Authority, has it proceeded to inform the complainant of the personal data in its possession and their cancellation from their management systems. The conduct thus described, for which the Company has not provided any justification, is in contrast with the obligation to provide feedback "without unjustified delay" to the interested party and in any case within one month of receiving the request pursuant to art. 12 of the Regulation. 3. Conclusions: illegality of the treatments carried out. In the light of the foregoing assessments, it should be noted that the statements made by the data controller in the defense writings ˗ for the truthfulness of which one may be called upon to answer pursuant to art. 168 of the Code ˗ do not allow the findings notified by the Office to be overcome with the act of initiating the procedure and are insufficient to allow it to be dismissed, since none of the cases envisaged by art. 11 of the Guarantor's regulation n. 1/2019, concerning the internal procedures of the Authority with external relevance. For the above reasons, therefore, the complaint presented pursuant to art. 77 of the Regulation and, in the exercise of the corrective powers attributed to the Authority pursuant to art. 58, par. 2 of the Regulation, the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, of the Regulation. 4. Injunction order. The Guarantor, pursuant to art. 58, par. 2, lit. i) of the Regulation and of the art. 166 of the Code, has the power to impose a pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation, through the adoption of an injunction order (art. 18. Law 24 November 1981 n. 689), in relation to the processing of personal data referring to the complainant, the illegality of which has been ascertained, within the terms exposed above. With reference to the elements listed by art. 83, par. 2 of the Regulation for the purposes of applying the administrative fine and the related quantification, taking into account that the fine must be "in each individual case effective, proportionate and dissuasive" (art. 83, paragraph 1 of the Regulation), it is represented that, in the present case, the following circumstances were taken into consideration: - with regard to the nature, gravity and duration of the violation, the nature of the violation was considered relevant, which concerned the provisions relating to the exercise of the rights of the interested parties; - the absence of previous relevant violations committed by the data controller; - the circumstance that the holder has provided a reply to the claimant's request during the proceeding. In consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness (Article 83, paragraph 1, of the Regulation) with which the Authority must comply in determining the amount of the sanction, the economic conditions of the offender were taken into consideration, determined based on the revenues achieved and referred to the financial statements for the year 2021. Based on the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction in the amount of 20,000.00 (twenty thousand) euros for the violation of articles 12 and 17 of the Regulation. In this context, also in consideration of the type of violation ascertained, which concerned the rights of the interested party, it is believed that, pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor's regulation n. 1/2019, this provision must be published on the Guarantor's website. Finally, it should be noted that the conditions pursuant to art. 17 of regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. ALL THAT BEING CONSIDERED, THE GUARANTOR declares, pursuant to articles 57, par. 1, lit. f) and 83 of the Regulation, the illegality of the processing carried out, in the terms referred to in the justification, for the violation of the articles 12, par. 3. and 17 of the Regulation; ORDER to Cooperjob S.p.A., in the person of its pro-tempore legal representative, with registered office in Milan, via Ermanno Barigozzi n. 24, P.I. 02558070211, pursuant to art. 58, par. 2, lit. i), of the Regulation, to pay the sum of 20,000.00 (twenty thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision; ENJOYS to the same Company to pay the sum of Euro 20,000.00 (twenty thousand) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of the law n. 689/1981. It is represented that pursuant to art. 166, paragraph 8 of the Code, without prejudice to the offender's right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed within the term referred to in art. 10, paragraph 3, of Legislative Decree lgs. no. 150 of 1 September 2011 envisaged for the filing of the appeal as indicated below. HAS pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor's regulation n. 1/2019, the publication of this provision on the Guarantor's website and believes that the conditions set forth in art. 17 of regulation no. 1/2019. Pursuant to art. 78 of the Regulation, of the articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad. Rome, 1st June 2023 PRESIDENT station THE SPEAKER station THE SECRETARY GENERAL Matthew [doc. web no. 9917820] Provision of 1 June 2023 Register of measures no. 230 of 1 June 2023 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia, member, and the cons. Fabio Mattei, general secretary; HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation"); HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679"; CONSIDERING the complaint presented by Mr. XX on 12/09/2021, regularized on 05/10/2021, pursuant to art. 77 of the Regulations, with which Cooperjob S.p.A. has complained of a violation of the regulations on the protection of personal data; HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000; SPEAKER Prof. Pasquale Stanzione; WHEREAS 1. The initiation of proceedings. With the complaint presented to this Authority on 09/12/2021, regularized on 10/05/2021, Mr. XX represented that he had formulated, on 08/11/2021, against Cooperjob S.p.A. (hereinafter "the Company"), an application aimed at obtaining the cancellation of one's personal data, given to the Udine branch as a candidate for job offers. This request was sent to a dedicated e-mail address, without however obtaining any response within the terms of art. 12, par. 3, of the Regulation. With the note dated 21/10/2021 (prot. n. 53024), the Office invited the Company to provide observations on what was represented in the complaint and to comply with the requests of the complainant. The Company, with a note dated 04/11/2021, provided full response to the requests of the complainant, declaring that it had detected the presence of the personal data referred to instantly both within the platform for collecting applications, present on the website www. cooperjob.eu, both within the company management system and to have provided for their cancellation. Furthermore, "in order to improve the management of requests from interested parties, having realized that managing a single account (info@cooperjob.eu) which conveys multiple and different requests from users, could be difficult to manage, (...)" , steps were taken to "activate a special mailbox privacy@cooperjob.eu already indicated in the footer of the website". For the above, the Office proceeded to notify the Company of the deed of initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code in relation to the violation of articles 12, par. 3, and 17 of the Regulation (prot. n. 62568 of 12/17/2021). On 12/01/2022, the Company sent its own written defenses, pursuant to art. 18 of the law n. 689/1981, with which he provided his observations regarding the violations described, in the light of the criteria indicated in art. 83, par. 2 of the Regulation. In particular, it was shown that: - "the violation refers to the failure to respond to a data subject, following his request for data deletion"; - "the culpable nature of the violation, following the difficulty of managing a single account that conveys multiple and different user requests, in particular following the Covid-19 epidemiological emergency"; - "with a note dated 04/11/2021, the company gave evidence of the cancellation of the data subject's data [present within the company platform] by means of (...) screenshots certifying the presence of the data before the cancellation and subsequent screenshots certifying the 'absence of data after cancellation”; - moreover, with reference to the data of the interested party present within the company management system, the evidence of the cancellation was made "through the screenshots certifying the presence of the data before the cancellation and the subsequent absence of the data once the cancellation has been confirmed" ; - technical and organizational measures have been adopted aimed at avoiding the recurrence of similar situations, "by taking steps to update the request management process and the relative training of the authorized subjects involved in the processing". 2. The outcome of the investigation. Following the examination of the documentation produced and the declarations made by the party during the proceedings, provided that, unless the fact constitutes a more serious offence, whoever, in a proceeding before the Guarantor, falsely declares or attests news or circumstances or produces false deeds or documents and is liable pursuant to art. 168 of the Code, it emerged that the company, in response to the request to exercise the rights formulated by the complainant on 08/11/2021, did not provide any response within the terms established by art. 12, par. 3 of the Regulation ("without unjustified delay and, in any case, at the latest within one month of receipt of the request"). It should also be noted that the art. 12, par. 4 of the Regulation specifies that in the event that he does not comply with the requests to exercise the rights "the data controller informs the interested party without delay and at the latest within one month of receiving the request, of the reasons for the non-compliance and of the possibility of lodge a complaint with a supervisory authority and to lodge a judicial appeal". In the light of the aforementioned regulatory framework, it has been ascertained that the Company has not provided a timely reply to the request for data cancellation and that, only following the intervention of the Authority, has it proceeded to inform the complainant of the personal data in its possession and their cancellation from their management systems. The conduct thus described, for which the Company has not provided any justification, is in contrast with the obligation to provide feedback "without unjustified delay" to the interested party and in any case within one month of receiving the request pursuant to art. 12 of the Regulation. 3. Conclusions: illegality of the treatments carried out. In the light of the foregoing assessments, it should be noted that the statements made by the data controller in the defense writings ˗ for the truthfulness of which one may be called upon to answer pursuant to art. 168 of the Code ˗ do not allow the findings notified by the Office to be overcome with the act of initiating the procedure and are insufficient to allow it to be dismissed, since none of the cases envisaged by art. 11 of the Guarantor's regulation n. 1/2019, concerning the internal procedures of the Authority with external relevance. For the above reasons, therefore, the complaint presented pursuant to art. 77 of the Regulation and, in the exercise of the corrective powers attributed to the Authority pursuant to art. 58, par. 2 of the Regulation, the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, of the Regulation. 4. Injunction order. The Guarantor, pursuant to art. 58, par. 2, lit. i) of the Regulation and of the art. 166 of the Code, has the power to impose a pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation, through the adoption of an injunction order (art. 18. Law 24 November 1981 n. 689), in relation to the processing of personal data referring to the complainant, the illegality of which has been ascertained, within the terms exposed above. With reference to the elements listed by art. 83, par. 2 of the Regulation for the purposes of applying the administrative fine and the related quantification, taking into account that the fine must be "in each individual case effective, proportionate and dissuasive" (art. 83, paragraph 1 of the Regulation), it is represented that, in the present case, the following circumstances were taken into consideration: - with regard to the nature, gravity and duration of the violation, the nature of the violation was considered relevant, which concerned the provisions relating to the exercise of the rights of the interested parties; - the absence of previous relevant violations committed by the data controller; - the circumstance that the holder has provided a reply to the claimant's request during the proceeding. In consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness (Article 83, paragraph 1, of the Regulation) with which the Authority must comply in determining the amount of the sanction, the economic conditions of the offender were taken into consideration, determined based on the revenues achieved and referred to the financial statements for the year 2021. Based on the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction in the amount of 20,000.00 (twenty thousand) euros for the violation of articles 12 and 17 of the Regulation. In this context, also in consideration of the type of violation ascertained, which concerned the rights of the interested party, it is believed that, pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor's regulation n. 1/2019, this provision must be published on the Guarantor's website. Finally, it should be noted that the conditions pursuant to art. 17 of regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. ALL THAT BEING CONSIDERED, THE GUARANTOR declares, pursuant to articles 57, par. 1, lit. f) and 83 of the Regulation, the illegality of the processing carried out, in the terms referred to in the justification, for the violation of the articles 12, par. 3. and 17 of the Regulation; ORDER to Cooperjob S.p.A., in the person of its pro-tempore legal representative, with registered office in Milan, via Ermanno Barigozzi n. 24, P.I. 02558070211, pursuant to art. 58, par. 2, lit. i), of the Regulation, to pay the sum of 20,000.00 (twenty thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision; ENJOYS to the same Company to pay the sum of Euro 20,000.00 (twenty thousand) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of the law n. 689/1981. It is represented that pursuant to art. 166, paragraph 8 of the Code, without prejudice to the offender's right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed within the term referred to in art. 10, paragraph 3, of Legislative Decree lgs. no. 150 of 1 September 2011 envisaged for the filing of the appeal as indicated below. HAS pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor's regulation n. 1/2019, the publication of this provision on the Guarantor's website and believes that the conditions set forth in art. 17 of regulation no. 1/2019. Pursuant to art. 78 of the Regulation, of the articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad. Rome, 1st June 2023 PRESIDENT Station THE SPEAKER Station THE SECRETARY GENERAL Matthew