Garante per la protezione dei dati personali (Italy) - 9996609
Garante per la protezione dei dati personali - 9996609 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 4(11) GDPR; Article 5 GDPR; Article 7 GDPR; Article 12 GDPR; Article 13 GDPR; Article 24 GDPR; Article 25 GDPR; Article 28 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 23.08.2021 |
Decided: | 08.02.2023 |
Published: | |
Fine: | n/a |
Parties: | Maggioli S.p.A. |
National Case Number/Name: | 9996609 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Italian |
Original Source: | Garante Per La Protezione Dei Dati Personali (in IT) |
Initial Contributor: | lm |
In one of the cookie mass complaints filed by noyb, the DPA determined that using an ‘X’ rather than a 'reject' button is permissible when the consequences of clicking on 'X' are discussed in the cookie banner.
English Summary
Facts
In August 2021, noyb (European Centre for Digital Rights) represented data subjects in filing several cookie mass complaints against Maggioli S.p.A. (controller) concerning its use of cookies and other tracking tools. The complaint alleged several violations across a number of the controller’s webpages, including the absence of a reject button at the first layer of the cookie banner, the use of pre-ticked boxes at the second layer and the improper reliance on legitimate interest as a legal basis for processing via cookies.
The Italian DPA (Garante) carried out an investigation. During its investigation, it noted that the controller contracted with OneTrust (processor), a service that classified cookies and reported them in the controller’s cookie banner and cookie policy. Notably, only the processor could directly modify the cookie banner and cookie policy. The Garante also observed that the controller used only technical, non-tracking cookies. The processor, however, had erroneously attributed third parties’ tracking cookies that were on the controller’s webpage to the controller.
On 30 May 2023, the Garante notified the controller of the alleged violations and that it was initiating the procedure pursuant to Article 166(5) of the Code on Protection of Personal Data. On 29 June 2023, the controller replied with a defensive brief. It noted that, upon discovering the processor’s erroneous cookie categorizations, the controller requested that the error be corrected. When the processor failed to do so in breach of their contract, the controller withdrew from the contract and entered into an agreement with a new supplier to alter the cookie banner. The controller also argued that the failure to inform users about the meaning of the X had not resulted in any violation because the controller only used technical non-tracking cookies.
Holding
The Garante found that the controller’s conduct breached Articles 4(11), 5, 7, 12, 13, 24, 25 and 28 GDPR. It focused on three core issues with the controller’s processing.
First, the controller failed to indicate the meaning of the command marked by the ‘X’ graphic in the cookie banner. The Garante considered this a violation of Articles 5(1)(a), 12 and 13 GDPR because it did not provide data subjects the fullest possible awareness regarding the processing of their personal data and choices they are entitled to make under the law.
Second, the Garante found that the controller violated Articles 4(11) and 7 GDPR by erroneously citing legitimate interest as its legal basis for processing via cookies when such processing requires consent as a legal basis. The Garante noted, however, that the controller only actually relied on legitimate interest as a legal basis for its own use of cookies, which were technical and non-tracking. As technical cookies do not require user consent, the Garante found that, despite naming the incorrect legal basis in the cookie banner, the controller's own processing in fact complied with the rules and did not harm data subjects. Nonetheless, the erroneous naming of legitimate interest as the legal basis in the cookie banner was unlawful under Articles 5(1)(a), 12 and 13 GDPR because it misled consumers.
Finally, the Garante noted that the relationship between the controller and processor, and namely the controller’s inability to modify the cookie banner and cookie policy, resulted in violations of Articles 24, 25 and 28 GDPR. It emphasized that Articles 24 and 25 GDPR impose a responsibility on the controller to oversee processing and guarantee that processor activities comply with the GDPR.
In light of these violations, the Garante issued a warning, deciding not to impose a fine. It took into account the controller’s changes to banners following receipt of noyb’s complaints, the lack of harm to users’ data since the controller itself only used technical cookies, the lack of fraudulent intent, the withdrawal from the contract with its supplier after it failed to comply with the controller’s requests, the cooperation with the Garante, and the lack of further complaints.
Comment
‘X’ button: The Garante concluded that the ‘X’ function was sufficient where the cookie banner defined the effect of clicking ‘X.’ The issue thus was not the use of the ‘X’ (as opposed to something like a ‘reject’ button), but rather the lack of explanation within the cookie banner. In coming to this conclusion, the Garante rejected the data subjects’ arguments that a mere ‘X’ somewhere on the cookie banner was insufficient and a ‘reject’ button was required.
Cookie usage: The Garante noted that the controller did not itself use profiling cookies. As a result, it found that the controller itself only resorted to the legal basis of legitimate interests in relation to this use of technical cookies, which is a proper legal basis for such cookies, and thus did not harm consumers. Notably, third parties do use tracking cookies to carry out profiling on the controller’s webpage. By concluding that the controller itself processed data in compliance with the Garante’s Guidelines, the Garante implicitly determined that the controller is not responsible for third party cookies that are used on its webpage.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
decisions taken regarding the point subject to reservation. The company did so with a communication sent to the Guarantor on 30 January 2023.
2.2. The Company's business model and related treatments, including in conversation with the complaining association.
The Maggioli group was born in the field of traditional publishing (print and volume marketing), but in the last fifteen years or so it has expanded its business, orienting itself, for a predominant part of its operations, towards the ICT sector, with the main objective of providing the skills and solutions necessary for the digital transition of the public sector. The Company is divided into three main areas: ICT (IT business unit), Digital Publishing and Central Staff Services. The latter are further divided into 9 areas (administrative, commercial, compliance, privacy, etc.). The Company currently owns 47 Internet domains, some of which are accessible by authenticated users as well as by users who do not have accounts and login credentials. In recent months, about a dozen sites have been discontinued or, in some cases, merged due to specific entrepreneurial choices: there were about 60 more than a year ago. In May 2021, ten of them were the subject of discussions with the Austrian non-profit association Noyb, which sent individual complaints via email relating to alleged illegalities in the implementation, by the company, of the provisions regarding the use of cookies and other tracking tools. The company responded to the findings through the dedicated platform set up by Noyb itself, carried out some of the requested changes and produced, for the present proceedings, documentary proof of this conversation. In particular: the first of them involved the implementation of a mechanism of acquisition of consent to receive third-party profiling cookies compliant with the Guidelines of the Guarantor, already known at that time because they had been put out for public consultation.
A solution was therefore prepared which, in compliance with the principle of privacy by default, allows the user to simply close the banner by selecting the "X", without giving consent and therefore maintaining the basic settings, which do not allow the installation of cookies other than technical ones. This change, however, was not made explicit in the information provided to the user, either in the short form or in the extended form positioned on the second level, with the exception of the two sites www.maggioli.it and www.maggiolieditore.it. The chosen solution, in line with what is contained in the Guidelines of the Guarantor, is different from that desired by Noyb, which required the implementation, in the banner, of a “reject” button or similar. For this reason, and differently from what happened with reference to other complaints, the modification made on this specific point was not the subject of a communication of compliance with Noyb's requests. Following this interlocution, no further contacts took place with Noyb, nor did the Company receive any complaints or similar reports from other interested parties. At the time of the checks carried out by the Office, the Company used, in relation to all the sites in its ownership, as intermediary, the consent management platform developed by OneTrust. The relationships with this platform were contractually governed by the agreement of 4 August 2020 and subsequent annual renewals.
2.3. The checks carried out
With reference to the sites subject to Noyb's complaints, it should first of all be specified that, as already indicated and as recognized by the Association itself, the majority of the complaints raised were resolved by the company before the complaints were lodged with the Guarantor.
Furthermore, the entry into force of the Guidelines on cookies and other tracking tools, following the submission of the complaints, required the owner to adopt measures and methods suitable to conform the processing of user data carried out through cookies to the indications contained therein, and it is therefore above all in light of these indications that the Authority conducted the assessment regarding the lawfulness of the processing in question. It has been ascertained in this regard that, in addition to technical cookies that are essential for their operation, the Company does not use first-party profiling cookies, nor does it carry out profiling of users on its sites using third-party cookies: on the contrary, it is the third parties that make use of their own cookies, i.e. those of the same third parties, conveyed through the Maggioli sites, to carry out profiling treatments referable to the third parties themselves. During the overall preliminary investigation it was also ascertained that the storage of third-party cookies on users' devices occurs on 8 of the 10 sites investigated, therefore excluding the sites www.maggioli.it and www.maggiolieditore.it. In fact, for the creation of its online promotional campaigns, the company exclusively uses the Google Adwords tool, which is based on the use of keywords and therefore does not require the use of cookies. As for the sending of newsletters, it occurs following the completion of a specific form by the parties interested in receiving them and therefore, also in this case, no cookies are used. It was also clarified that, already at the time of the audit, one of the ten sites in question, in particular www.ingegneri.cc, was no longer active, as it had been merged with another site (www.ediltecnico.it).
It was also verified that the OneTrust platform also provided a classification service for the cookies used by the individual site on the basis of a database called Cookiepedia, which "reads" the cookies used by the domain and interprets them in light of a pre-existing nomenclature, giving them a name that is as uniform as possible, or at least common among the framework's associates. This classification was determined and imposed by OneTrust and is divided into 4 categories, moreover reported in the cookie policy published on the group's sites: strictly necessary cookies, functionality cookies, cookies used for targeted advertising, and performance cookies. However, it is possible to modify them although each of them is generated through a OneTrust script. The cookies used on the Maggioli sites were detected and interpreted by OneTrust through comparison with its own pre-existing database (Cookiepedia), so that they could subsequently be classified as belonging to one or the other of the four categories mentioned. Only in the case where OneTrust was not able to carry out this comparison and therefore identify a cookie, since it was not present in Cookiepedia, it attributed it by default to the owner Maggioli, labeling it as a first-party cookie of the company. This procedure could therefore cause errors, since all third-party cookies not previously registered on Cookiepedia could be classified as directly referring to the Company. The latter became aware of this inconvenience, for example, with reference to a non-technical cookie attributable to Facebook, therefore a third-party profiling cookie, which however had been classified by OneTrust as a first-party cookie of Maggioli itself. The error therefore concerned not the functional qualification of the cookie, but rather its attribution to one subject instead of another, and was subsequently remedied.
During the inspection it was ascertained that in the information then available on the company's websites, of which the relevant comprehensive screenshots were also acquired, site by site, of the information as it appeared on 31 May 2021 at the time of receipt of the disputes of Noyb (Annex 3 to the minutes of operations completed on 3 August 2022), it was stated "We and our partners store and/or access information on a device, such as unique IDs in cookies for the processing of personal data. You can accept or manage your choices by clicking below, including your right to object where legitimate interest is used." It was also verified that both the short information contained in the banner and the extended cookie policies present in the second level were prepared and managed by OneTrust according to a pro-forma model and that a part of the information, in particular the one reported above, was not editable directly and independently by Maggioli from the control panel (see in this regard the screenshots, under annex 4 to the report of operations carried out). However, this rigidity of the framework could generally be overcome by a request made to OneTrust, by opening a specific ticket, in order to modify the information, making it conform to the factual situation as represented. It turned out that the company made use of the legal basis of legitimate interest, mentioned in the information, exclusively for the use of first-party technical cookies. This legal basis was not reported in the extended privacy policy, but was clearly indicated in the short information contained in the banner.
Following the entry into force of the Guarantor's Guidelines on the use of cookies, the Company has implemented a series of measures, among which, in addition to the already mentioned X mechanism, put in place already prior to the expiry of the deadline granted by the Authority for the implementation of the indicated measures and in any case further improved after January 2022 by making a chromatic change that made the relevant command more visible: the icon relating to the status of consent has been introduced on all sites on which it was not yet present; a color upgrade of the buttons has been carried out; usability changes have been adopted, for example regarding the reiteration of the banner, to make the configurations adopted more in line with the Guarantor's indications. During the audit, specific checks were carried out through access to the computer systems, as a result of which no critical issues were found regarding the methods of registration of consents obtained or revocation of those obtained previously.
3. CHANGES MADE FOLLOWING THE INSPECTION ASSESSMENT AND REQUEST FOR ACCESS TO DOCUMENTS
With communication dated 5 September 2022, upon dissolution of the reservations made, Maggioli S.p.A.
has declared:
- to have modified and updated the cookie policies of the sites subject to dispute (as per attachments 14, 15, 16, 17, 18, 19, 20, 21, 22 and 23 to the communication of 5 September 2022); this change resulted in the reduction of the four categories of cookies described to two (now divided into technical and profiling), "in order to provide information complete and more understandable for users”;
- to have made some changes relating to the classification of third-party cookies, incorrectly classified by the OneTrust automatic tool as first-party cookies;
- to have implemented the addition of a section within the privacy policy of the sites dedicated to cookies with the link to the respective cookie policy (attachments 24, 25, 26, 27, 28, 29, 30, 31, 32 and 33 to the communication of 5 September 2022).
Lastly, the company declared that it had requested OneTrust, by opening a specific ticket, to modify the text of the first level cookie banner relating to 8 of the 10 sites in question (see annexes 34 and 35 of the communication of 5 September 2022). However, and "despite Maggioli's insistence, the supplier did not take action, considering the text of the banner not compliant with the IAB framework". This led the company to contest a breach of contract against OneTrust, to which formal notice of withdrawal from the contract was therefore forwarded, with simultaneous search for a new supplier (annex 36 of the communication to the Guarantor dated 5 September 2022). The company once again reserved the right to keep the Authority updated on the results of this search. On November 10, 2022, the Company then submitted a request for access to the documents to obtain a copy of the complaints and related attachments subject to the investigative activities in question. A reply to that request was given on November 21st, with the simultaneous forwarding of the requested documents.
Subsequently, on the specific point on which Maggioli S.p.A. had made a reservation, in the absence of more detailed indications and with the Authority still waiting for indications, the Guarantor sent, on 23 December 2022, a request for information pursuant to art. 157 of the Code, to which Maggioli S.p.A. responded within the established deadline (January 30th 2023). With the same communication dated January 30th, the Company then, with regard to the disputes of the complaining association, among other things clarified that it had carried out, as early as 30 June 2021, the following changes:
- regarding the dispute regarding the alleged misleading design of the link: the company replaced the “manage preferences” hypertext link with a specific button;
- regarding the dispute regarding the adoption of misleading button colors: the company took steps to standardize the colors of the banner buttons, which appear in blue, with the exception of the “X”, in line with the company colours;
- regarding the complaint relating to the misleading contrast of the buttons: the company took steps to define the same dimensions for the banner buttons;
- regarding the dispute regarding the implementation of a consent revocation mechanism that was not easy: the company installed the icon that allows users to return to the banner to modify the choices expressed; this icon can be reached from all pages of the sites subject to complaint.
4. NOTIFICATION OF VIOLATION PURSUANT TO ART. 166, PARAGRAPH 5, OF THE CODE IN MATTER OF PERSONAL DATA PROTECTION
Based on what was possible to ascertain on site and following the examination of the documentation also produced during the supplementary preliminary investigation, with communication dated May 30th 2023, the Authority formally notified the Company of the communication launching the proceedings pursuant to art.
166, paragraph 5, of the Code, which is understood to be recalled and reproduced here in its entirety, contesting the violations illustrated below. First of all, it was contested that, with reference to eight of the ten websites in the ownership of the Company, any indication relating to the meaning to be attributed to the selection of the command marked with an X, placed inside the banner, was missing, resulting in violation of the principle of lawfulness, correctness and transparency referred to in art. 5, par. 1, letter a) as well as articles 12 and 13 of the Regulation. The short information made available was also misleading and erroneous, as it mentioned, for profiling treatments carried out through cookies, the use of the legal basis of legitimate interest and the related right of opposition, which are actually not applicable in this case, given that the use of cookies other than technical ones imposes the obligation to acquire the prior informed consent of the user pursuant to the special regulations referred to in art. 122 of the Code. The configuration of the websites in question was then found to be illegal as in violation of the principle of lawfulness, correctness and transparency of the processing referred to in art. 5, par. 1, letter a), and the provisions of articles 12 and 13 of the Regulation, as well as of the same art. 122 of the Code which imposes, in fact, the obligation to obtain consent, excluding the use of the legal basis of legitimate interest; as well as articles 4, point 11 and 7 of the Regulation that define the characteristics and conditions of that consent. In the capacity of owner, by publishing a banner on its sites that does not comply with the rules, prepared by the OneTrust supplier, Maggioli S.p.A. has violated articles 5, par.
2, 24 and 25 and, in reference to the selection of a technological partner, as responsible, which did not guarantee the conformity of the data processing carried out with the applicable regulations, also art. 28 of the Regulation. In conclusion, in light of the above, it was contested to Maggioli S.p.A. that the conduct of the company, also in contrast with the indications contained in the Cookie Guidelines, has established a violation of the provisions of articles 4 point 11; 5; 7; 12; 13; 24; 25 and 28 of the Regulation and of art. 122 of the Code.
5. THE DEFENSE BRIEFS OF MAGGIOLI S.P.A.
The Company responded with a memorandum dated June 29, 2023, stating the following:
a) to have stipulated a contract with a new CMP supplier, Iubenda S.r.l., on 11 May 2023, under which a “solution that allows the provision of information on cookies (short and extended) to users, as expected by current legislation, for all 7 sites covered by this investigation file"; in this regard, however, it underlined that “while waiting for the change of supplier...
it had already proceeded to change - before the notification of the start of the procedure - the text of the short banner visible on the sites in question, eliminating the reference to the legal basis of the legitimate interest in the processing relating to cookies";
b) that the failure to inform users about the meaning to be attributed to the selection of the command marked with X placed inside the banner did not result in any violation, since it is now known to web users that the command in question involves the continuation of navigation in the absence of tracking cookies;
c) with reference to the mention of legitimate interest as the legal basis of the processing, already during the inspection the Company worked towards the change in question, with the effect that "at the time of notification of the opening of the proceeding, such indication was no longer present”; it being understood, however, that in fact and in concrete terms the legal basis actually used by Maggioli S.p.A. for the installation of cookies other than technical ones has always been the user's consent; in any case, the transition to the new supplier did not involve "any migration activity of the consent already acquired for the installation of profiling cookies, since new banners were presented to users”;
d) that “NOYB's objections arise from what - clearly - can be considered an abuse of law", since "Maggioli immediately took action after the original complaints... Among other things, from reading the complaints, the Company verified that the content appeared to be the same as the complaints initially formulated by the complaining association, despite the fact that important improvement actions had already been carried out, specifically reported within the required times on the Noyb platform (and declared during the inspection)”.
Finally, the Company requested the scheduling of a specific hearing pursuant to art. 166, paragraph 6, Legislative Decree 196/2003.
The Authority did so by communicating, on 18 October 2023, that the hearing would be held the following October 26th. On the established date, however, the Company - without communicating any impediment in this regard - did not appear, as per the minutes drawn up on the same date and attached to the documents of the proceedings.
6. THE AUTHORITY'S ASSESSMENTS
With reference to the factual and legal profiles highlighted, also based on the statements made by the Company under investigation, for which the declarant is liable pursuant to art. 168 of the Code, the following legal assessments are formulated. First of all, it must be clarified that the arguments put forward by the Company do not appear suitable to completely exclude its liability in relation to the disputed conduct. At the time of the checks, following the receipt of Noyb complaints as well as upon entry into force of the indications and clarifications made in the Guarantor's Guidelines regarding cookies and other tracking tools, eight of the ten sites covered by this investigation, and in particular https://www.leggioggi.it; https://www.theplan.it; https://www.lagazzettadeglientilocali.it; https://www.diritto.it; https://www.comuni.it (now www.servizidemografici.it); https://www.ingegneri.cc/ (then www.ediltecno.it, now decommissioned); https://www.ufficiocommercio.it and https://www.ilpersonale.it, did not contain any indication in the banner regarding the possibility for the user to use the command represented by the "X", placed inside it, to continue navigation leaving unchanged the default settings, which do not imply acceptance of profiling cookies. In this regard, it should be underlined that art. 5, par. 1 of the Regulation identifies the fundamental principles applicable to any processing of personal data.
Pursuant to this provision, personal data must be, among other things, (i) processed in a lawful, correct and transparent manner (principle of lawfulness, correctness and transparency); (ii) processed for specific, explicit and legitimate purposes and (iii) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (minimization principle). In particular, the principle of transparency translates into the obligation, which weighs on the owner of the processing, to provide the interested party with all information relating to the processing of personal data that concern him in an accessible and understandable way, making him aware, among other things, of the information indicated in articles 12 and 13 of the Regulation, in order to achieve the broadest, fullest awareness of the interested party regarding the processing of his personal information and in relation to the choices that are available to him pursuant to the law. As for the principle of correctness, it first of all implies that the owner adopts a conduct always rigorously respectful of the regulatory provisions as well as oriented towards the maximum protection of the rights and freedoms of the interested parties. In the present case, the absence of a clear indication regarding the possibility of continuing browsing without accepting to be profiled does not ensure full user awareness of the choices available to him. Having failed to inform the user about the meaning to be attributed to the selection of the command marked with an "X" therefore violates the principle of lawfulness, correctness and transparency referred to in art. 5, par. 1, letter a) as well as articles 12 and 13 of the Regulation. Inside the banner there was also a short information sheet of the following, literal wording: “We and our partners store and/or access information on a device, such as unique IDs in cookies for the processing of personal data.
You can accept or manage your choices by clicking below, including your right to object where legitimate interest is used ..." (see annex no. 3 to the report of operations carried out dated 2 August 2022). This wording, and first of all the mention of legitimate interest as the legal basis applicable to the processing of user data carried out through cookies other than technical ones, is incorrect and misleading, therefore illicit as it violates the principle of lawfulness, correctness and transparency of the processing referred to in art. 5, par. 1, letter a), and the provisions of articles 12 and 13 of the Regulation, as well as the same art. 122 of the Code which imposes, in this case, the obligation to acquire consent, excluding the use of the legal basis of legitimate interest; as well as articles 4, point 11 and 7 of the Regulation which define the characteristics and conditions of the consent that must be given by the interested party. In fact, on the basis of these provisions, any consent acquired on the basis of misleading indications cannot be considered valid. It is acknowledged that the company, already during the inspection assessment, but above all in the following phase, became aware of the non-compliance of its conduct with the obligations incumbent on the owner pursuant to the aforementioned regulations, working to obtain the modification of the information in question (a possible text more in line with the regulatory provisions was, in fact, already prepared during the inspection by the company and attached under doc. 5 to the minutes of operations completed on 2 August 2022). It is also acknowledged that this critical issue has now been remedied.
In fact, given OneTrust's denial of requests to change the indications subject to publication on its sites, the Company has exercised the right of withdrawal from the contract in force, although limiting itself to declaring, in this regard, initially that it had started a search for a new supplier and subsequently, in the communication of 30 January 2023, to listing several potential suppliers, remaining "waiting to receive the latest feedback from the suppliers consulted". Only on a later date, i.e. upon receipt of the communication of the start of the proceedings, with the briefs dated 29 June 2023, Maggioli S.p.A. communicated the change of suppliers that had taken place and the replacement of its technological partner with a new, different entity which implemented a different type of banner. However, also at the outcome of the supplementary investigation it must be noted, in this regard, that pursuant to articles 24 and 25 of the Regulation it is up to the owner, as defined in art. 4, par. 1, point 7) of the Regulation, not only to determine the purposes and means of processing, but also to identify all the most appropriate measures to achieve the dual objective of compliance with the rules and the protection of the rights and freedoms of the interested parties. On this subject, based on art. 5, par. 2 of the Regulation, also falls the obligation to respect all the principles of data protection and to prove it. The owner company, by publishing a banner on its sites that does not comply with the rules, has therefore in any case violated articles 5, par. 2, 24 and 25 of the Regulation. Again in light of a provision of the Regulation, and in particular of its art. 28, it is necessary to interpret the relationships between Maggioli S.p.A. and OneTrust, a supplier who, in the agreement in being at the time of the facts, held the position of data controller in the ownership of the company. In fact, the art.
1.2 of "Annex 1 - addendum on data processing" at General contract conditions attached to the contract signed between the parties in August 2020, e subsequently subjected to continuous annual renewals, entitled “Reports between the parties", that "The Customer (the data controller) designates OneTrust as responsible for the processing of the personal data described in the contract (the “Data”) for the purposes indicated in the Contract (or as otherwise agreed in writing by the parties) (the “Permitted Purpose”). Each party must comply with obligations under applicable data protection legislation…”. It follows that, having defined the interrelationship between the Company and OneTrust in this way, it must recognize that the owner is responsible for the management of the processing carried out by the manager who has appointed, the owner having to rely, to fill this role, on subjects who present sufficient guarantees in terms of specialist knowledge, reliability and resources. That that is, they guarantee that the owner can, also through them, implement the technical measures and organizational that meet the requirements of the Regulation (see recital 81 of the Regulation), and make decisions that comply with the law. The specific task of the owner is, in fact, to evaluate the risk of the processing carried out by those responsible, under penalty of imputability to them culpa in eligendo as well as culpa in vigilando, both recurring in the present case. The having identified a manager who has prepared a banner that does not comply with applicable regulations, not having been aware of the crime, therefore not having adopted the technical and organizational measures adequate, qualifies the company's conduct as illicit since it is in violation of the articles. 24, 25 and 28 of the Regulation. 
However, it is necessary to take into consideration, in this regard, that the Company resorted to the legal basis of legitimate interest only in relation to the use of technical, and not profiling, cookies (technical cookies, pursuant to the Guidelines, are exempt from the obligation of prior acquisition of the user's consent) and therefore, without prejudice to what is indicated regarding the information, despite having erroneously qualified the legal basis, the Company has in fact, in this respect, processed the data in compliance with the regulations. It follows that, although the mention of the controller's legitimate interest is incorrect and the information provided in this regard is therefore misleading and incorrect, it must be taken into account that such conduct did not cause damage to the interested parties.
In conclusion, in light of the above, the conduct of Maggioli S.p.A., which also differs from the indications contained in the Cookie Guidelines, constitutes a violation of the provisions referred to in articles 4, point 11; 5; 7; 12; 13; 24; 25 and 28 of the Regulation and art. 122 of the Code.
7. Final evaluations
In light of the above, the liability of Maggioli S.p.A. for the disputed violations is considered established.
However, also taking into account:
- that, following receipt of the Noyb complaints, and on a date prior to the start of the investigation by this Authority, the controller promptly took steps to implement some of the changes requested by the complainants to bring the various sites owned by the Company into conformity;
- that the incorrect indication of legitimate interest as the legal basis for the processing of user data concerned exclusively the use of technical cookies and therefore has not resulted in damage to the data subjects;
- that, in the absence of fraud, the Company erroneously considered it sufficient to rely on a technological partner, appointed as processor, which however, as proven by the facts, did not fulfil the controller's requests aimed at bringing the sites in question into compliance;
- that in this regard Maggioli S.p.A., having become aware of the offenses, also following the inspection, and having taken note of OneTrust's refusal to adopt the changes requested to make the sites compliant with the law, exercised the right of withdrawal from the existing contract and stipulated a new contract on 11 May 2023 with another CMP supplier, Iubenda S.r.l.;
- that following this change the consents already acquired were canceled and the banners were presented to users from scratch as a result of the changes implemented;
- that during the entire procedure, including the inspection phase, the Company showed an attitude of availability and cooperation with the Authority towards the most effective resolution of the critical issues indicated;
- that no further reports or complaints appear to have been received, either by the Authority or directly by the controller, in relation to the data processing covered by this proceeding,
it is believed that it is possible to waive the application of an administrative pecuniary sanction and, having verified that all sites currently owned by the Company comply with the legal regulations regarding cookies and other tracking tools, pursuant to art. 58, par. 2, letter b) of the Regulation, to issue a warning to Maggioli S.p.A. in relation to the violations of the current regulations found above.
ALL THE FOREGOING, THE GUARANTOR:
having ascertained, within the terms set out in the motivation, the illicit nature of the processing carried out by Maggioli S.p.A., with registered office in Santarcangelo di Romagna (RN), Via del Carpino 8, C.F. 06188330150, VAT number 02066400405, in the person of the legal representative pro tempore, pursuant to art. 58, par. 2, letter b), issues a warning to Maggioli S.p.A. in relation to the following profiles of illegality specifically described in the motivation:
- the failure to indicate, in the information to interested parties, the possibility of using the command marked by the graphic sign “X” placed inside the banner to continue browsing in the absence of tracking;
- the incorrect mention of the legal basis of legitimate interest for the processing of users' data through cookies;
- the identification of a data processor lacking the requirements imposed by the current regulations.
ORDERS
pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the entry in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation, of the violations and corrective measures.
Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, an objection to this provision may be lodged with the ordinary judicial authority, by an appeal filed with the ordinary court of the place where the controller of the personal data processing has its residence or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or within sixty days if the appellant resides abroad.