Garante per la protezione dei dati personali (Italy) - 10091735
Garante per la protezione dei dati personali - 10091735 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 4(11) GDPR; Article 5 GDPR; Article 7 GDPR; Article 12 GDPR; Article 13 GDPR; Article 24 GDPR; Article 25 GDPR; Art. 22 d. lgs. 196/2003 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 28.02.2022 |
Decided: | 13.11.2024 |
Published: | |
Fine: | n/a |
Parties: | Aosom Italy S.r.l. |
National Case Number/Name: | 10091735 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Italian |
Original Source: | GPDP (in IT) |
Initial Contributor: | carloc |
The Italian supervisory authority investigated the cookie practices of an ecommerce website. The data controller addressed the authority’s concerns during the investigation. The authority issued a warning.
English Summary
Facts
The Italian supervisory authority investigated the cookie practices of an ecommerce website of its own volition. The website belongs to Aosom Italy S.r.l. (the data controller).
The authority accessed the website and examined the cookie banner. The banner included the following buttons: an “Accept” button; a “Reject” button; a “Cookie Notice” button linking to the website’s cookie notice; and a “Disable Cookies” button linking to an explanation of how to disable cookies via browser settings.
The banner stated that the website used first and third-party cookies for several purposes, including providing targeted advertising. The banner also stated that visitors were able to accept all cookies, reject all cookies, or set granular preferences for specific types of cookies. However, the banner offered no option to set granular cookie preferences. The cookie notice linked in the banner included references to outdated cookie guidelines from the Italian supervisory authority and to a repealed Article of Italian law (Art. 13 d. lgs. 196/2003).
In a preliminary view, the banner did not provide visitors with a mechanism to express a free, specific, and granular choice with regard to cookies. The authority also held that the banner did not provide transparent enough information about the use of cookies. Finally, the authority held that the website’s cookie practices were not in line with the authority’s guidelines on cookies. Overall, the authority held that the data controller violated Articles 4(11), 5, 7, 12, 13, 24, and 25 GDPR as well as Article 22 of the Italian "Privacy Code" (d. lgs. 196/2003).
The authority communicated its preliminary views to the data controller. The data controller then took steps to mitigate the authority's concerns. The controller added a “Modify” button that allowed visitors to set preferences for specific types of cookies. The controller also updated the legal references found in the cookie policy. Finally, the controller erased all personal data collected via cookies before it changed the cookie banner.
Holding
The authority held that the data controller sufficiently mitigated the initial concerns over its cookie practices. For this reason, the authority only issued a warning.
Comment
The decision stems from a broader set of own-volition investigations into the implementation of cookies on e-commerce websites. For a similar decision, see Garante per la protezione dei dati personali (Italy) - 10091156.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[web doc. n. 10091735]
Provision of 13 November 2024
Register of provisions n. 667 of 13 November 2024
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;
SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);
HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the “Code”);
HAVING SEEN the Guidelines on cookies and other tracking tools of 10 June 2021 (in www.garanteprivacy.it, web doc. no. 9677876, hereinafter the “Cookie Guidelines”);
HAVING SEEN the Memorandum of Understanding of 30 March 2021 signed by the Guardia di Finanza and the Guarantor for the protection of personal data;
HAVING SEEN note no. 57504 of 21 October 2022 with which the Authority, taking into account the need to carry out a verification of compliance with the aforementioned Cookie Guidelines, also in light of the numerous complaints received on the matter, delegated to the Special Unit for the Protection of Privacy and Technological Fraud of the Guardia di Finanza (hereinafter also “Unit”) the carrying out of a series of online checks, requesting to concentrate the activity, in a first phase, on a sample of possible operators in the e-commerce sector;
SEEN note no. 65159 of 17 November 2022 with which the Unit provided the lists of possible recipients, indicating the geographical area of origin and the turnover;
SEEN note no. 36204 of 28 February 2023 with which, in compliance with the canons of homogeneity of the intervention and in application of a predetermined and uniform selection criterion throughout the national territory, also based on dimensional and geographical indicators, AOSOM ITALY S.r.l. was identified, together with other owners, among the subjects receiving said checks, actually carried out on 20 April 2023 in relation to the website www.aosom.it;
CONSIDERING that, at that time, the following emerged:
- the banner on the home page presented the following message: “Welcome to Aosom.it! We use our own and third-party cookies to offer you a better browsing experience on our site, to adapt advertising to your interests and measure the use of the website. You can choose to accept or reject all or part of our cookies. Your choice will be stored for a period of 13 months. For more details, you can visit the page relating to our Cookies Policy.”;
- the banner contained the white “Accept” button and the “Refuse” button, in addition to the “Cookies Policy” link that referred to the “Cookies Policy” in which it was clarified that the site also used third-party profiling cookies, while, in the final part, the paragraph “Disabling Cookies” was placed, which contained information and links to allow users to change the settings of the browsers used in order to disable cookies;
- the text of the information notice also referred to the provision of the repealed art. 13 of the Personal Data Protection Code and the previous General Provision on Cookies adopted by the Guarantor in 2014;
SEEN the note of 15 September 2023 with which, pursuant to art. 166, paragraph 5, of the Code, the Authority communicated to AOSOM ITALY S.r.l. the initiation of the procedure for the possible adoption of the measures referred to in art. 58, par. 2, of the Regulation and the alleged violations of the law, identified, in this case, in the violation of art. 4, point 11, 5, 7, 12, 13, 24 and 25 of the Regulation and art. 122 of the Code, as well as the indications contained in the Cookie Guidelines, attributable to the lack of a mechanism that allows the expression of free, specific and granular consent and to the lack of transparency regarding the processing carried out through cookies;
HAVING ACKNOWLEDGED the brief submitted on 12 October 2023 and the subsequent integration of 12 December 2023 - documents to be considered fully referred to and reproduced here - in which the owner has:
- previously acknowledged the possible misalignment from the current legislation of the treatments carried out through cookies, communicating that it has updated the cookie policy to the Cookie Guidelines, as well as having integrated the banner by adding the "Modify" button, which is added to the pre-existing "Accept" and "Refuse" buttons, which allows you to select which cookies to accept and which to refuse;
- declared that, following receipt of the dispute, it has proceeded to delete from its archives the data already acquired through the "Accept" flag in the previous version of the banner;
NOTING that following a further access to the site by the Office, carried out on a date subsequent to the investigation conducted by the Unit and the consequent notification of the communication pursuant to art. 166, paragraph 5 of the Code, it was found that, in reality, the banner presents, in addition to the "Accept" option, the "Settings" button which in fact allows the functions that in the party's brief were linked to the "Modify" button (not present in the version verified by the Office) and the "X" to close the banner. This setting, although formally different from what was represented in the defense briefs, still allows the described functions;
FINDING therefore that, based on the elements acquired during the investigation, at the time of the investigation the owner had not adopted mechanisms that allowed for the expression of free, specific and granular consent and had provided unsuitable information about the processing carried out through cookies, thus integrating the violation of articles 4, point 11, 5, 7, 12, 13, 24 and 25 of the Regulation and art. 122 of the Code, as well as the indications contained in the Cookie Guidelines;
CONSIDERING the appreciable effort of the owner to remedy the contested violations also by deleting the previously acquired data, in any case demonstrating broad cooperation with the Authority;
CONSIDERING, therefore:
a) that the measures adopted by the owner are, in the current state of the documents, suitable to remove the critical issues reported above and, therefore, that it is not necessary to prescribe further corrective measures in this regard;
b) due to the specific nature of the investigation, that in this case it is possible to disregard the adoption of pecuniary sanctions, limiting itself to sending AOSOM ITALY S.r.l. a warning pursuant to art. 58, par. 2, letter b) of the Regulation, for failure to comply with the provisions set out in the matter of processing personal data through the use of cookies and other tracking tools;
CONSIDERING that the conditions exist to proceed with the annotation in the internal register of the Authority pursuant to art. 57, par. 1, letter u), of the Regulation, in relation to the measures adopted in this case against AOSOM ITALY S.r.l. in accordance with art. 58, par. 2, of the Regulation itself;
SEEN the documentation in the files;
SEEN the observations of the Office, formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 of 28 June 2000;
REPORTER Prof. Pasquale Stanzione;
CONSIDERING ALL THE ABOVE, THE GUARANTOR
against AOSOM ITALY S.r.l., in the person of its legal representative pro-tempore, with registered office in Assago (MI), Centro Direzionale Milanofiori, VAT number 08567220960
a) ascertains the violation of art. 4, point 11, 5, 7, 12, 13, 24 and 25 of the Regulation and art. 122 of the Code and declares the unlawfulness of the processing;
b) pursuant to art. 58, par. 2, letter b) of the Regulation, issues a warning, as data controller, for failure to comply with the provisions in force regarding the processing of personal data through the use of cookies and other tracking tools, as better specified in the reasoning part of this provision;
PROVIDES
pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation, of the violations and the measures adopted.
Pursuant to art. 78 of the Regulation, as well as arts. 152 of the Code and 10 of Legislative Decree 1 September 2011, no. 150, an objection to this provision may be lodged with the ordinary judicial authority, with an appeal filed, alternatively, with the court of the place where the data controller resides or has its headquarters or with that of the place of residence of the interested party within thirty days from the date of communication of the provision itself or sixty days if the appellant resides abroad.
Rome, November 13, 2024
THE PRESIDENT Stanzione
THE REPORTER Stanzione
THE GENERAL SECRETARY Mattei