Garante per la protezione dei dati personali (Italy) - 10091156

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 4(11) GDPR
Article 5 GDPR
Article 7 GDPR
Article 12 GDPR
Article 13 GDPR
Article 24 GDPR
Article 25 GDPR
d. lgs. 196/2003
Type: Investigation
Outcome: Violation Found
Started: 28.02.2023
Decided: 17.10.2024
Published: 23.01.2025
Fine: n/a
Parties: Società Onlinestore s.r.l.
National Case Number/Name: 10091156
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: Carloc

The Italian supervisory authority warned a company over the cookie practices of its ecommerce website. The company voluntarily took its website offline during the investigation.

English Summary

Facts

The Italian supervisory authority investigated the cookie practices of the www.onlinestore.it website of its own volition. The website belonged to e-commerce company Società Onlinestore S.r.l. (the data controller).

The website’s cookie banner stated that the website used cookies (including third-party cookies) to offer a better browser experience and that users could edit their cookie preferences.

The banner included three options: “Accept”, “Customize”, and “Learn more”. The banner included no option to reject cookies and no “X” icon[1] to close the banner. The “Customize” option opened a drop-down menu with preferences for both necessary cookies and profiling cookies. Profiling cookies were pre-selected by default and could be de-selected by the user.

The authority tested the website and found that the same number of cookies was placed regardless of user preference.

In its preliminary view, the authority held that the data controller did not allow users to express informed, freely given, and granular consent. The authority also held that the controller failed to provide users with a clear and transparent cookie notice. In the authority’s view, the controller violated Articles 4(11), 5, 7, 24, and 25 GDPR, Article 122 d. lgs. 196/2003[2], and the authority's guidelines on cookies and other trackers[3].

The data controller took the website offline as soon as it was informed of the investigation. The controller did not challenge the authority’s views and stated that it did not assess the compliance of its cookie implementation.

Holding

The authority held that the data controller violated Articles 4(11), 5, 7, 24, and 25 GDPR, Article 122 d. lgs. 196/2003, and the authority's guidelines on cookies and other trackers.

The authority only issued a warning because the controller immediately took the website offline. The authority also ordered the data controller to address its non-compliant cookie practices, should it make its website available again.

Comment

The decision stems from a broader set of own-volition investigations into the implementation of cookies on e-commerce websites. For a similar decision, see Garante per la protezione dei dati personali (Italy) - 10091735.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. no. 10091156]

Provision of 17 October 2024

Register of provisions
no. 649 of 17 October 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);

HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the “Code”);

HAVING SEEN the Guidelines on cookies and other tracking tools of 10 June 2021 (in www.garanteprivacy.it, web doc. no. 9677876, hereinafter the “Cookie Guidelines”);

HAVING SEEN the Memorandum of Understanding of 30 March 2021 signed by the Guardia di Finanza and the Guarantor for the protection of personal data;

HAVING SEEN note no. 57504 of 21 October 2022 with which the Authority, taking into account the need to carry out a verification of compliance with the aforementioned Cookie Guidelines, also in light of the numerous complaints received on the matter, delegated to the Special Unit for the Protection of Privacy and Technological Fraud of the Guardia di Finanza (hereinafter also “Unit”) the carrying out of a series of online checks, requesting to concentrate the activity, in a first phase, on a sample of possible operators in the e-commerce sector;

SEEN note no. 10808 of 24 January 2023 with which the Unit provided the lists of possible recipients, indicating the geographical area of origin and the turnover;

SEEN note no. 36204 of 28 February 2023 with which, in compliance with the canons of homogeneity of the intervention and in application of a predetermined and uniform selection criterion throughout the national territory, also based on dimensional and geographical indicators, the Company Onlinestore S.r.l. was identified, together with other owners, among the subjects receiving said checks, actually carried out on 13 April 2023 in relation to the website www.onlinestore.it;

CONSIDERING that, in that context, it emerged that:

- upon first access, the immediate pop-up banner on the use of cookies appeared on the home page which reported the following: "This site uses cookies, including third-party cookies, to offer you a better browsing experience" and that "You can manage the enabling of cookies at any time via the cookie management page";

- the banner at the bottom featured 3 (three) buttons labeled “Accept”, “Customize” and “More info”, without either the “X” command or the “Reject” button being provided to continue browsing using only technical cookies;

- accessing the “Customize” button opened a drop-down menu with two pre-selected options, the first referring to “necessary cookies”, which could not be deselected, the second to “advertising and profiling cookies”, which could be deselected;

- the number of cookies installed on the browser used for the assessment, both with both options active and with the deselection of “advertising and profiling cookies”, was always equal to 22;

SEEN the note of 11 September 2023 (prot. 126366/23) with which, pursuant to art. 166, paragraph 5, of the Code, the Authority communicated to Onlinestore S.r.l. the initiation of the procedure for the possible adoption of the measures referred to in art. 58, paragraph 2, of the Regulation and the alleged violations of the law, identified, in this case, in the violation of art. 4 point 11; 5; 7; 12; 13; 24 and 25 of the Regulation and art. 122 of the Code, as well as the indications contained in the Cookie Guidelines, attributable to the failure to provide clear and transparent information and to the failure to configure the banner in such a way as to allow the user to express informed, free and granular consent to the use of cookies other than technical cookies or to continue browsing with the default settings, without the use of cookies other than technical cookies;

HAVING ACKNOWLEDGED that the brief submitted on 10 October 2023 (ref. 138498/23) – to be understood as fully reported and reproduced here – and taking into account what was stated therein by the data controller regarding the fact of “not having carefully checked the setting of cookies on the site, also because there was no report in this regard”;

HAVING ACKNOWLEDGED that the Company did not contest the alleged violations indicated by the Office with the note of 11 September 2023 relating to the initiation of the sanctioning procedure;

HAVING ACKNOWLEDGED that the Company also promptly took the site offline;

NOTING that, based on the elements acquired during the investigation, at the time of the investigation the owner was found to have violated the obligation to provide clear and transparent information and to configure the banner in such a way as to allow the user to express informed, free and granular consent to the use of cookies other than technical cookies or to continue browsing with the default settings, without the use of cookies other than technical cookies, with consequent violation of Articles 4, point 11, 5, 7, 12, 13, 24 and 25 of the Regulation and Article 122 of the Code, as well as the indications contained in the Cookie Guidelines;

CONSIDERING the appreciable effort of the owner to remedy the contested violations by promptly taking the site offline and showing broad cooperation with the Authority;

CONSIDERING, therefore:

a) to have to address to the data controller, pursuant to Article 58, paragraph 2, letter a), of the Regulation, a warning so that, if you intend to put the site www.onlinestore.it online again, you will comply with the processing of personal data carried out through the use of cookies and other tracking tools in accordance with the applicable law, by publishing clear and transparent information and, in the case of use of cookies other than technical cookies, by configuring a banner that allows you to provide informed, free and granular consent or continue browsing with the default settings, without the use of cookies other than technical cookies;

b) due to the specific nature of the investigation, to be able to disregard in this case the adoption of pecuniary sanctions, limiting itself to sending Onlinestore S.r.l. a warning pursuant to art. 58, par. 2, letter b) of the Regulation, for failure to comply with the provisions set out in the matter of processing of personal data through the use of cookies and other tracking tools;

CONSIDERING that the conditions exist to proceed with the annotation in the internal register of the Authority referred to in art. 57, par. 1, letter u), of the Regulation, in relation to the measures adopted in this case against Onlinestore S.r.l. in accordance with art. 58, par. 2, of the Regulation itself;

SEEN the documentation in the files;

SEEN the observations of the Office, formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 of 28 June 2000;

REPORTER the lawyer Guido Scorza;

CONSIDERING ALL THE ABOVE, THE GUARANTOR

ascertains the violation of art. 4, point 11, 5, 7, 12, 13, 24 and 25 of the Regulation and art. 122 of the Code and declares the unlawfulness of the processing.

For the purpose, with respect to Onlinestore S.r.l., in the person of its legal representative pro-tempore, with registered office in Castelbello Ciardes (BZ) in via della Palude n. 15, 39020 - VAT number 02652600210:

a) pursuant to art. 58, par. 2, letter a) of the Regulation, sends a warning to the owner so that, should he intend to put www.onlinestore.it online again, he conforms the processing of personal data carried out through the use of cookies and other tracking tools to the applicable law, publishing clear and transparent information and, in the case of use of cookies other than technical cookies, configuring a banner that allows the informed, free and granular consent to be given or to continue browsing with the default settings, without the use of cookies other than technical cookies;

b) pursuant to art. 58, par. 2, letter b) of the Regulation, issues a warning to the owner for failure to comply with the provisions in force regarding the processing of personal data through the use of cookies and other tracking tools, both with reference to the specific methods of preparing the banner and for having failed to provide clear and transparent information in relation to the processing of personal data of visitors to the site www.onlinestore.it;

ORDERS

pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation, of the violations and the measures adopted.

Pursuant to art. 78 of the Regulation, as well as arts. 152 of the Code and 10 of Legislative Decree 1 September 2011, no. 150, an objection to this provision may be lodged with the ordinary judicial authority, with an appeal filed, alternatively, with the court of the place where the data controller resides or has its headquarters or with that of the place of residence of the interested party within thirty days from the date of communication of the provision itself or sixty days if the appellant resides abroad.

Rome, 17 October 2024

THE PRESIDENT
Stanzione

THE REPORTER
Scorza

THE GENERAL SECRETARY
Mattei

[web doc. no. 10091156]

Provision of 17 October 2024

Register of provisions
no. 649 of 17 October 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN TODAY'S meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, Members, and Council Member Fabio Mattei, Secretary General;

SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);

SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”);

HAVING SEEN the Guidelines on cookies and other tracking tools of 10 June 2021 (in www.garanteprivacy.it, web doc. no. 9677876, hereinafter “Cookie Guidelines”);

HAVING SEEN the Memorandum of Understanding of 30 March 2021 signed by the Guardia di Finanza and the Guarantor for the protection of personal data;

HAVING SEEN note no. 57504 of 21 October 2022 with which the Authority, taking into account the need to carry out a verification of compliance with the aforementioned Cookie Guidelines, also in light of the numerous complaints received on the matter, delegated the Special Unit for the Protection of Privacy and Technological Fraud of the Guardia di Finanza (hereinafter also “Unit”) to carry out a series of online checks, requesting that the activity be concentrated, in an initial phase, on a sample of potential operators in the e-commerce sector;

SEEN note no. 10808 of 24 January 2023 with which the Unit provided the lists of possible recipients, indicating the geographical area of origin and the turnover;

SEEN note no. 36204 of 28 February 2023 with which, in compliance with the canons of homogeneity of the intervention and in application of a predetermined and uniform selection criterion throughout the national territory, also based on dimensional and geographical indicators, the Company Onlinestore S.r.l. was identified, together with other owners, among the subjects to be subject to said checks, actually carried out on 13 April 2023 in relation to the website www.onlinestore.it;

WHEREAS, in that context, it emerged that:

- upon first access, the immediate pop-up banner on the use of cookies appeared on the home page, which reported the following: “This site uses cookies, including third-party cookies, to offer you a better browsing experience” and that “You can manage the enabling of cookies at any time via the cookie management page”;

- the banner at the bottom reported 3 (three) buttons labeled “Accept”, “Customize” and “More info”, without providing either the “X” command or the “Reject” button to continue browsing using only technical cookies;

- accessing the “Customize” button opened a drop-down menu with two pre-selected options, the first referring to “necessary cookies”, which could not be deselected, the second to “advertising and profiling cookies”, which could be deselected;

- the number of cookies installed on the browser used for the assessment, both with both options active and with the deselection of "advertising and profiling cookies", was always 22;

SEEN the note of 11 September 2023 (prot. 126366/23) with which, pursuant to art. 166, paragraph 5, of the Code, the Authority communicated to Onlinestore S.r.l. the initiation of the procedure for the possible adoption of the measures referred to in art. 58, paragraph 2, of the Regulation and the alleged violations of the law, identified, in this case, in the violation of art. 4 point 11; 5; 7; 12; 13; 24 and 25 of the Regulation and art. 122 of the Code, as well as the indications contained in the Cookie Guidelines, attributable to the failure to provide clear and transparent information and to the failure to configure the banner in such a way as to allow the user to express informed, free and granular consent to the use of cookies other than technical cookies or to continue browsing with the default settings, without the use of cookies other than technical cookies;

ACKNOWLEDGING that the brief presented on 10 October 2023 (prot. 138498/23) - to be understood as fully reported and reproduced here - and taking into account what was stated therein by the data controller regarding the fact of "not having carefully checked the settings of cookies on the site, also because there was no report in this regard";

ACKNOWLEDGING that the Company did not contest the alleged violations indicated by the Office with the note of 11 September 2023 relating to the initiation of the sanctioning procedure;

ACKNOWLEDGING that the Company also promptly took the site offline;

NOTED that, based on the elements acquired during the investigation, at the time of the investigation the owner was found to have violated the obligation to provide clear and transparent information and to configure the banner in such a way as to allow the user to express informed, free and granular consent to the use of cookies other than technical cookies or to continue browsing with the default settings, without the use of cookies other than technical cookies, with consequent violation of Articles 4, point 11, 5, 7, 12, 13, 24 and 25 of the Regulation and Article 122 of the Code, as well as the indications contained in the Cookie Guidelines;

CONSIDERING the appreciable effort of the owner to remedy the contested violations by promptly taking the site offline and showing broad collaboration with the Authority;

CONSIDERING, therefore:

a) to have to address to the data controller, pursuant to art. 58, par. 2, letter a), of the Regulation, a warning so that, should he intend to put the site www.onlinestore.it online again, he conforms the processing of personal data carried out through the use of cookies and other tracking tools to the applicable law, by publishing clear and transparent information and, in the case of use of cookies other than technical cookies, by configuring a banner that allows the granting of informed, free and granular consent or continuing browsing with the default settings, without the use of cookies other than technical cookies;

b) due to the specific nature of the investigation, to be able to disregard in this case the adoption of measures of a pecuniary sanctioning nature, limiting himself to addressing Onlinestore S.r.l. a warning pursuant to art. 58, par. 2, letter a), b) of the Regulation, for failure to comply with the provisions on the processing of personal data through the use of cookies and other tracking tools;

CONSIDERING that the conditions exist for proceeding with the annotation in the internal register of the Authority referred to in art. 57, par. 1, letter u), of the Regulation, in relation to the measures adopted in this case against Onlinestore S.r.l. in accordance with art. 58, par. 2, of the Regulation itself;

SEEN the documentation in the files;

SEEN the observations of the Office, formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 of 28 June 2000;

REPORTER the lawyer Guido Scorza;

GIVEN ALL THE ABOVE, THE GUARANTOR

ascertains the violation of art. 4, point 11, 5, 7, 12, 13, 24 and 25 of the Regulation and art. 122 of the Code and declares the unlawfulness of the processing.

For the effect, with respect to Onlinestore S.r.l., in the person of the legal representative pro-tempore, with registered office in Castelbello Ciardes (BZ) in via della Palude n. 15, 39020 - VAT number 02652600210:

a) pursuant to art. 58, par. 2 lett. a) of the Regulation, issues a warning to the owner so that, if he intends to put www.onlinestore.it online again, he conforms the processing of personal data carried out through the use of cookies and other tracking tools to the applicable law, by publishing clear and transparent information and, in the case of use of cookies other than technical cookies, by configuring a banner that allows the informed, free and granular consent to be given or to continue browsing with the default settings, without the use of cookies other than technical cookies;

b) pursuant to art. 58, par. 2, letter b) of the Regulation, issues a warning to the owner for failure to comply with the provisions in force regarding the processing of personal data through the use of cookies and other tracking tools, both with reference to the specific methods of preparing the banner and for having failed to provide clear and transparent information in relation to the processing of personal data of visitors to the site www.onlinestore.it;

PROVIDES

pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation, of the violations and the measures adopted.

Pursuant to art. 78 of the Regulation, as well as arts. 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, an objection to this provision may be lodged with the ordinary judicial authority, with an appeal filed, alternatively, with the court of the place where the data controller resides or has its registered office or with that of the place of residence of the interested party within thirty days from the date of communication of the provision itself or sixty days if the appellant resides abroad.

Rome, 17 October 2024

THE PRESIDENT
Stanzione

THE REPORTER
Scorza

THE GENERAL SECRETARY
Mattei
  1. The authority's cookie guidelines recommend the use of an "X" button. The "X" must be positioned in the upper right corner of the banner, like the "close" option of many programs. Clicking the "X" button dismisses the banner and rejects all non-necessary cookies, much like a "Reject All" option. See Garante per la protezione dei dati personali (Italy) - 9677876.
  2. This Article is the Italian implementation of Article 5(3) ePrivacy Directive 2002/58/EC.
  3. Garante per la protezione dei dati personali (Italy) - 9677876