Garante per la protezione dei dati personali (Italy) - 9972788

From GDPRhub
Garante per la protezione dei dati personali - 9972788
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(b) GDPR
Article 6(1)(f) GDPR
Article 13 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 07.12.2023
Published:
Fine: 1000 EUR
Parties: Sirio S.p.A.
National Case Number/Name: 9972788
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: Luca Brocca

The Italian DPA imposed on Sirio S.p.A. a €1,000 fine for unlawfully processing personal data of an employee, as a deposit card linked to the latter was created without the data subject's consent.

English Summary

Facts

The data subject lodged a complaint with the Italian DPA alleging a violation of the GDPR by his employer, Sirio S.p.A. (the controller). The complaint stemmed from the issuance, by a credit institution on 7 July 2021, of a new deposit card linked to business accounts and allowing cash deposits at any ATM; the issuance form was pre-filled with the data subject's personal data without his explicit consent.

As the assistant manager at a point of sale managed by the controller, the data subject argued that the company processed his personal data unlawfully. The complaint specifically highlighted a breach of Article 5(1)(a) GDPR, asserting that the controller failed to provide clear and transparent information regarding the processing of his personal data.

In response, the Italian DPA initiated a preliminary investigation to check the legitimacy of the controller's data processing activities. The controller argued that, due to the data subject’s role, the processing was justified by the employment contract, as per Article 6(1)(b) GDPR, and its legitimate interest, as per Article 6(1)(f) GDPR.

Further investigation was prompted by the DPA to assess the adequacy of information provided to the data subject, in accordance with Article 13 GDPR. The DPA requested additional evidence regarding how the data subject was informed about the processing of his personal data for the issuance of payment cards.

Holding

The Italian DPA found the controller in violation of Article 5(1)(a) GDPR, Article 6 GDPR, and Article 13 GDPR.

To begin with, in terms of Article 6 GDPR, the DPA rejected the controller's argument that the data processing was justified by the employment contract under Article 6(1)(b) GDPR and by legitimate interest under Article 6(1)(f) GDPR. Firstly, regarding Article 6(1)(b) GDPR, the DPA noted that for this legal basis to be recognised, the processing must be objectively 'necessary' for the performance of the contract, considering the purposes the controller intends to pursue in compliance with the principles of purpose limitation and transparency. Because the data subject had not been informed and no document showed that the communication of his data to the bank fell within the employment contract, the controller could not rely on Article 6(1)(b) GDPR. Secondly, the DPA found that the controller could not rely on Article 6(1)(f) GDPR either, since it had not performed a balancing test between its legitimate interests and the interests or fundamental rights and freedoms of the data subject.

Furthermore, regarding Article 13 GDPR, the DPA concluded that the information provided to the data subject was generic and insufficient. The documentation did not adequately demonstrate that the data subject was informed about the processing of personal data necessary for the employment relationship and the communication of data to third parties. Nor did it include clear information on the data recipients or categories of data recipients and of the purposes of the processing, breaching Article 13(1)(c) GDPR and Article 13(1)(e) GDPR. In connection with this, the DPA determined that the controller failed to provide adequate transparency about the communication of the data subject's personal data to a credit institution for the issuance of the deposit card. Specifically, it failed to give specific instructions to the data subject and the provided documents lacked detailed information, breaching Article 5(1)(a) GDPR.

As a result, the DPA imposed a €1,000 fine on the controller and ordered the controller to conform its processing to data protection provisions, specifically addressing the lack of information provided to the data subject.

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9972788]

Provision of 7 December 2023

Register of measures
n. 583 of 7 December 2023

AT today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and Mr. Guido Scorza, lawyer, members, and Mr. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter “Code”) as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";

GIVEN the complaint presented by Mr. XX pursuant to art. 77 of the Regulation, which complained of a violation of the regulations regarding the protection of personal data by Sirio S.p.A.;

EXAMINED the documentation in the documents;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000;

SPEAKER: Mr. Guido Scorza, lawyer;

PREMISE

1. The complaint and the start of the preliminary investigation.

With the complaint presented to this Authority on 07/15/2021, Mr. XX complained about a violation of the rules on the protection of personal data by Sirio S.p.A. (hereinafter “the Company”), as his employer.

In particular, the complainant represented that he held the position of Assistant Manager at the XX, managed by the aforementioned Company, and that he was responsible, among other things, for the payment of the proceeds of the point of sale to the Company's current account. For this reason, he was the holder of two bank cards activated, with his consent, by the Company at two credit institutions.

However, on 07/07/2021, he received from a credit institution a form for issuing a new so-called Deposit card, pre-filled with his personal data, which had previously been communicated to the Bank by the Company. With the complaint, therefore, he complained about the unlawful processing of his personal data, as they were communicated in the absence of consent and of any information in this regard.

Therefore, the Office started the preliminary investigation, inviting the Company to provide observations regarding the facts subject to the complaint, with the request for information formulated pursuant to art. 157 of the Code (note dated 20/12/2021).

The Company provided feedback with the note dated 01/19/2022, with which it declared that:

- “Due to the role and duties held, the [complainant] carried out, in compliance with the instructions received from the management staff of the store, the activity of manager of the XX refreshment point, dealing in conditions of operational autonomy with conceptual tasks as well as the technical-functional coordination of other workers”;

- “In particular, following the assignment of this role, the [complainant] was responsible for making payments of the cash collections recorded at the point of sale to the Company's current account, using bank cards registered in his name in exclusive route”;

- following the start of the composition with creditors procedure before the territorially competent Court, “all previous current accounts were blocked and a new current account was opened on 06/21/2021 at (...) with the expected issue of new payment cards”;

- therefore, “the Company, on 07/07/2021, forwarded to the employee the bank form for issuing the new ‘Deposit card’ to replace the previous ones, so as to enable the Assistant Manager of the new store to comply with his duties regarding the payment of cash”.

As regards the legitimacy assumptions underlying the communication of the data to a third party and the methods with which the information was provided to the complainant, the Company declared that:

- “The legal basis that legitimized this processing is found primarily in the execution of the employment contract to which the [complainant] is a party pursuant to art. 6, paragraph 1, letter b) of the GDPR (...), as well as in the fulfillment of the consequent legal obligations to which the company Sirio spa, data controller, is subject pursuant to art. 6, paragraph 1, letter c) of the GDPR (…)”;

- in fact, “in the context of the existing subordinate employment relationship, the employer company is entitled (as well as required) to use the personal data provided by employees for the fulfillment of its contractual duties, as well as for the legitimate exercise of its prerogatives in the organization of employees' work performance”;

- “Sirio spa has therefore legitimately processed the data of the [complainant] (specifically the residence address and personal mobile telephone number) pursuant to the employment contract in place between the parties, communicating to the credit institution involved only what was strictly necessary for the activation of the cash payment card and to allow [the same] the regular performance of his duties”;

- “(...) the existing subordinate employment relationship (...) constitutes a qualified legal relationship between the parties such as to legitimize the interest of the employer company in the processing of employee data where they respond to corporate needs of a technical, organizational and productive nature”.

In light of the declarations made, the Office invited the Company to provide further elements of evaluation as well as to produce suitable documentation relating to the ways in which the complainant had been informed by the Company on the use of personal data for the issuing of payment cards in his name (note dated 04/14/2022).

The Company, with the note dated 13/05/2022, sent its observations with which it transmitted:

- copy of the information provided to its employees pursuant to art. 13 of the Regulation;

- documentation relating to the relevant collective bargaining agreement (CCNL Turismo - P.E. Confcommercio Fipe), useful for identifying the tasks and duties assigned to the complainant which fall within those of the "manager of the commercial chain catering service";

- form for acquiring consent to the processing of personal data, signed by the complainant upon activation of the first cash payment card.

2. The initiation of the procedure for the adoption of corrective measures and the Company's deductions.

On the basis of the declarations made and the documentation produced during the preliminary investigation, the Office notified the Company of the initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code in relation to the violation of articles 5, par. 1, letter a), 6 and 13 of the Regulation (note dated 09/21/2022).

With the defense briefs sent on 10/21/2022, pursuant to art. 18 of law no. 689/1981, the Company confirmed what was previously communicated, declaring that:

- on the basis of the provisions of the CCNL applicable to the sector to which they belong, the role held by the complainant falls within that envisaged and regulated by art. 54, 3rd level, which includes “professionalism with a high degree of specialization and expertise gained in the field, capable of carrying out ‹‹conceptual or mainly such tasks›› (...) even in conditions of ‹‹operational autonomy››”, which includes the ‹‹manager of the commercial chain catering service››;

- although the regulatory provision does not make express reference to cash management and cash deposit operations, "the request to carry out these tasks appears on closer inspection to be legitimately required by a worker who, in order to carry out this role, is required to operate in compliance with the instructions and directives given by the management of the store ‹‹in conditions of operational autonomy››”, so much so that this function had been regularly carried out by the complainant since 2019;

- in the specific case, particular account must be taken of the legitimate interest of the controller referred to in art. 6, par. 1, letter f), of the Regulation, which justifies the processing activity carried out as it takes place “on the occasion of the existence of a relevant and appropriate relationship between the interested party and the controller” (Recital 47) and for the pursuit of purposes “compatible with those for which the personal data were initially collected” (Recital 50);

- following the refusal of the interested party to the processing of his data for the purpose of activating the Deposit card, “the company immediately stopped the processing”.

With the note sent on 23/10/2023, the Company communicated its intention to renounce the hearing previously requested, believing there were no further elements to bring to the attention of the Authority, in addition to those already exposed in the defense briefs.

3. The outcome of the investigation and the procedure for the adoption of corrective measures.

Upon examination of the documentation produced and the declarations made by the party during the proceedings, given that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, it emerged that the Company, as data controller, carried out processing of personal data relating to the complainant which does not comply with the regulations on the protection of personal data.

In particular, following the investigation carried out, it emerged that the Company communicated the complainant's personal data to a credit institution in order to allow the issuing and registration of a deposit card; this processing operation took place without having provided the interested party with adequate information, pursuant to art. 13 of the Regulation, on the basis of which the interested party could have had knowledge of the main information relating to the processing actually carried out, as well as in the absence of an appropriate legal basis among those identified in art. 6 of the Regulation.

3.1. Violation of articles 5, par. 1, letter a), and 13 of the Regulation.

Aside from the verification of the correct attribution of the specific task to the employee qualified as Assistant Manager, consisting of cash operations, attention must be paid to the fact that the communication of the complainant's personal data to a third party (specifically the credit institution), which the Company deemed necessary for the fulfillment of the specific task, was not adequately brought to the attention of the interested party given the absence of suitable information.

In response to a specific request formulated by the Authority (note dated 04/14/2022) to obtain a copy of the information provided to the complainant, as well as to know the ways in which he was informed by the Company about the use of his personal data for the issue of payment cards in his name, no evidence was in fact produced in the documents to prove the fulfillment of the obligation to provide the information.

In fact, the information model that was attached to the note dated 01/19/2022 (annex 16, containing “Information on the processing of personal data EMPLOYEES AND COLLABORATORS”) was prepared after the establishment of the employment relationship with the complainant (which took place on 19/01/2016) and was distributed to all employees via the Payslip portal in April 2021 (annex 17 to the aforementioned note dated 19/01/2022). There is therefore no useful documentation to demonstrate that, in this period of time (i.e. from the date of hiring of the complainant to that of the preparation of the aforementioned information), the complainant was informed regarding the processing of personal data necessary for the establishment and management of the employment relationship and, specifically, regarding the communication of data to third parties for the declared purpose of fulfilling his tasks.

From this perspective, it is noted that the information document of April 2021 also states that “The data may be communicated to (...) all natural and/or legal persons, public and/or private, when the communication is necessary or functional to the establishment and management of the employment or professional collaboration relationship”. The wording is very generic and, in any case, unsuitable for adequately informing interested parties regarding the subjects or categories of subjects to whom the data may be communicated, the type of data being communicated, the purposes and the legitimacy assumptions underlying the relevant processing (art. 13, par. 1, letters c) and e) of the Regulation).

Furthermore, again with reference to the execution of the task assigned to the complainant as Assistant Manager of proceeding with the payment of the cash into the Company's current account, it is noted that there is no reference even in the contractual documentation provided during the investigation, which could clarify the methods and scope of communication of the data subject's data to a third party, specifically to a credit institution.

It should also be noted that, differently from what the Company believed, the consent acquisition form prepared by the bank and produced in the documents, signed by the complainant on 01/07/2019 (annex 20 to the note dated 05/13/2022), cannot be considered a valid information document, as it is a form referring to a different processing operation.

To further confirm that the complainant was not involved in the communication of the data to the credit institution, please refer to the email exchange produced as annex 27 to the defense documents dated 21/10/2022 between the complainant and other employees of the Company.

This correspondence highlights the need to ask the bank for a new PIN for using the deposit card, as “the employee (the only holder of an XX deposit card) did not respond to the bank's message thinking it was spam” and “no one, in any case, had warned us that we would receive a message to activate the cards (...)”.

Therefore, the finding notified to the party, according to which the data controller has not complied with the provisions of art. 13 of the Regulation, must be confirmed, i.e. the obligation to provide the interested party, at the moment in which the personal data are collected, with suitable information describing the main characteristics of the processing it intends to carry out, indicating the purposes of the processing, the recipients or categories of recipients of the personal data, the legal basis and the retention times of the processed data. This obligation is an expression of the principles of lawfulness, transparency and correctness, enshrined in art. 5, par. 1, letter a), of the Regulation.

3.2. Violation of art. 6 of the Regulation.

As regards the further illicit aspect, concerning the absence of a valid assumption of legitimacy underlying the contested communication of the complainant's data, it is observed that neither the execution of the contract nor the legitimate interest of the controller, both referred to by the Company, can amount to suitable legal bases.

As regards the legitimacy requirement referred to in art. 6, par. 1, letter b), of the Regulation, it is generally noted that for this to be validly recognised, the processing must be objectively “necessary” for the execution of the contract. The assessment of the necessity of the processing must be made taking into account the purposes that the controller intends to pursue in compliance with the principles of purpose limitation and transparency towards the interested party.

In the case in question, given that the interested party was not previously informed of the processing carried out, it does not emerge in any of the documents provided by the Company during the investigation that the role of the Assistant Manager was specifically regulated, which would have legitimized the communication of the data to a third party.

Firstly, art. 54 of the National Collective Labor Agreement for Public Services Confcommercio, referred to several times by the Company as the rule containing the general reference regulations, in indicating the duties of the workers belonging to the 3rd level, establishes that the manager of the commercial chain catering service “(characterised by plurality of premises with logo identity and standardization of product and operational processes) (...) [is] the person who, subordinate to the management of the store, directly involved in the working phase, operates according to specific instructions, in conditions of operational autonomy and technical-functional coordination of other workers”.

Beyond the issue relating to the attribution to the Assistant Manager of the carrying out of cash operations (a matter on which the Authority is not competent to express opinions), it remains understood that, in light of the aforementioned regulation, the management of the point of sale must provide its employee with “specific instructions” to follow in carrying out his work duties. On the basis of the documentation in the file, however, it does not appear that specific instructions relating to this particular activity were provided to the interested party.

Finally, on this specific aspect, it is noted that, based on what was declared by the company, the complainant continued to carry out the function of Assistant Manager even after the refusal to register the card.

As regards the further legal basis identified by the Company in art. 6, par. 1, letter f), of the Regulation, it is stated, in general, that legitimate interest can constitute an appropriate legal basis where “the interests or fundamental rights and freedoms of the interested party do not prevail”. The data controller must carry out a careful assessment of the impact that the processing may have on the interests and rights of the interested parties and of the possibility that it leads to violations of, or negative consequences for, their rights. This translates into a balancing of interests which, on the basis of art. 6, par. 1, letter f), is in fact mandatory. That is, the data controller must carry out a comparative test to evaluate the possibility of carrying out the processing of personal data in the presence of a legitimate interest. As the documents stand, it does not appear that the Company has taken steps in this regard.

Recital 47 of the Regulation, referred to by the Company as a basis for its argument, where it recognizes the existence of a legitimate interest of the controller “when a relevant and appropriate relationship exists between the interested party and the data controller, for example when the interested party (...) is employed by the controller”, does not exempt the controller from the obligation to carry out a comparative assessment aimed at verifying that the rights of the interested party do not prevail over its legitimate interests.

In light of the above, it is noted that the controller has processed personal data relating to its employee in the absence of an appropriate legal basis and, therefore, in violation of art. 6 of the Regulation.

4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, of the Regulation.

For the above reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not make it possible to overcome the findings notified by the Office with the initiation of the procedure and are therefore unsuitable to allow the archiving of this proceeding, as none of the cases provided for by art. 11 of the Guarantor's Regulation no. 1/2019 applies.

The processing of personal data carried out by the Company is unlawful as, for the reasons set out above, it was carried out in violation of articles 5, par. 1, letter a), 6 and 13 of the Regulation.

5. Injunction order.

The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation, through the adoption of an injunction order (art. 18, Law of 24 November 1981 no. 689), in relation to the processing of personal data relating to the complainant, the illicit nature of which has been ascertained, within the terms set out above.

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must be “effective, proportionate and dissuasive in each individual case” (art. 83, par. 1 of the Regulation), it is represented that, in the specific case, the circumstances reported below were taken into consideration:

- with regard to the nature, gravity and duration of the violation, the nature of the violation which concerned the communication of personal data to third parties was considered relevant;

- the absence of previous relevant violations committed by the data controller;

- the circumstance that the violation concerned only one interested party.

In consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness (art. 83, par. 1, of the Regulation) which the Authority must comply with in determining the amount of the sanction, the economic conditions of the offender were taken into consideration as identified from the financial statements referring to the years 2021 and 2022.

On the basis of the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction at 1,000.00 (one thousand) euros for the violation of articles 5, par. 1, letter a), 6 and 13 of the Regulation.

In this context, also in consideration of the type of violation ascertained, which affected the rights of the interested party, it is believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's regulation no. 1/2019, this provision must be published on the Guarantor's website.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THE WHEREAS, THE GUARANTOR

notes the unlawfulness of the processing carried out by Sirio S.p.A., in the person of the legal representative pro tempore, with registered office in Ravenna, Via Filippo Re n. 43-45, C.F. 04142890377, pursuant to art. 143 of the Code, for the violation of articles 5, par. 1, letter a), 6 and 13, of the Regulation;

ORDERS

pursuant to art. 58, par. 2, letter i), of the Regulation, Sirio S.p.A. to pay the sum of 1,000.00 (one thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision;

pursuant to art. 58, par. 2, letter d), of the Regulation, to conform the processing to the provisions regarding the protection of personal data, taking care to draw up suitable information pursuant to art. 13 of the Regulation and to notify the Authority within 60 days from the date of notification of this provision.

ORDERS

the same Company to pay the aforementioned sum of 1,000.00 (one thousand) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981.

Please note that the violator remains entitled to settle the dispute by paying, always according to the methods indicated in the attachment, an amount equal to half of the sanction imposed, within the deadline set out in art. 10, paragraph 3, of Legislative Decree no. 150 of 1.9.2011 provided for the filing of the appeal as indicated below (art. 166, paragraph 8, of the Code);

HAS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, and believes that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

It requires the Company to communicate which initiatives have been undertaken in order to implement the provisions of this provision and to provide adequately documented feedback pursuant to art. 157 of the Code, within 60 days from the date of notification of this provision; any failure to respond may result in the application of the administrative sanction provided for by art. 83, par. 5, letter e) of the Regulation.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 7 December 2023

PRESIDENT
Stanzione

THE SPEAKER
Scorza

THE GENERAL SECRETARY
Mattei