Garante per la protezione dei dati personali (Italy) - 10093485
| Garante per la protezione dei dati personali - 10093485 | |
|---|---|
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5(1)(a) GDPR, Article 12(1) GDPR, Article 13 GDPR, Article 25(1) GDPR, Article 58(2)(b) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 13.11.2024 |
| Published: | 13.11.2024 |
| Fine: | n/a |
| Parties: | G.Glamour |
| National Case Number/Name: | 10093485 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Italian |
| Original Source: | Garante (in IT) |
| Initial Contributor: | Mgrd |
A website selling clothes and beauty products had a cookie banner that linked to a privacy policy which every visitor could edit. Moreover, the website had no cookie policy, in violation of several GDPR articles.
English Summary
Facts
The Garante carried out checks on e-commerce websites. One of the selected websites was the clothing and beauty website www.gglamoursarzana.it, whose cookie banner showed only basic information and two buttons (“OK” and “No, thanks”) but provided no information about cookie types, their purposes, or whether any tracking tool was being used. It also did not allow users to give specific, informed, and freely given consent.
Also, the cookie banner led to a privacy policy that was editable by any site visitor. Any user was able to modify the content of the privacy policy document on the website without authentication or any user restriction, exposing other visitors to altered or potentially false information.
The website owner later admitted that the editable privacy policy was a configuration error and stated that the site had been created with the help of external developers using a common content management platform. The issue was only corrected after the Garante launched an investigation.
Holding
Garante found that the controller breached Article 5(1)(a) GDPR by failing to ensure lawful and transparent data processing, since users were not properly informed regarding the cookies.
Also, Garante highlighted that the absence of a cookie policy and the editable privacy policy violated Articles 12(1) and 13 GDPR, as the necessary information was not provided in a clear and accessible form.
The failure to apply adequate technical and organisational measures, especially allowing public editing of privacy documentation, was a breach of Article 25(1) GDPR (data protection by design and by default).
Although the controller eventually resolved the technical issues and updated the information available to users, Garante issued a reprimand under Article 58(2)(b) GDPR due to the failure to comply with the provisions regarding the processing of personal data through the use of cookies.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[web doc. n. 10093485]

Provision of 13 November 2024

Register of provisions n. 670 of 13 November 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);

HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the “Code”);

HAVING SEEN the Guidelines on cookies and other tracking tools of 10 June 2021 (in www.garanteprivacy.it, web doc. no. 9677876, hereinafter the “Cookie Guidelines”);

HAVING SEEN the Memorandum of Understanding of 30 March 2021 signed by the Guardia di Finanza and the Guarantor for the protection of personal data;

HAVING SEEN note no. 57504 of 21 October 2022 with which the Authority, taking into account the need to carry out a verification of compliance with the aforementioned Guidelines, also in light of the numerous complaints received on the matter, delegated to the Special Unit for the Protection of Privacy and Technological Fraud of the Guardia di Finanza (hereinafter also “Unit”) the carrying out of a series of online checks, requesting to concentrate the activity, in a first phase, on a sample of possible operators in the e-commerce sector;

SEEN note no. 65159 of 17 November 2022 with which the Unit provided the lists of possible recipients, indicating the geographical area of origin and the turnover;

SEEN note no. 36204 of 28 February 2023 with which, in compliance with the canons of homogeneity of the intervention and in application of a predetermined and uniform selection criterion throughout the national territory, also based on dimensional and geographical indicators, “G. Glamour” di Riccio Antonietta (hereinafter “Glamour”) was identified among the subjects receiving said checks, actually carried out on 5 May 2023 in relation to the website www.gglamoursarzana.it;

CONSIDERING that, at that time, the following emerged:

- upon first access to the site, an instant-appearing banner appeared on the home page that provided the following information: “We care about your privacy – We use cookies and similar technologies to provide the best experience on our website. Privacy Policy”; this last link was editable;
- inside the banner there were two buttons “OK” and “No thanks”; by selecting the “Privacy Policy” link, a new web page was accessed containing the information on the processing of personal data, without however any reference to the use of cookies, nor was this information found in any other part of the site;

SEEN the note of 3 October 2023 with which, pursuant to art. 166, paragraph 5, of the Code, the Authority communicated to Glamour the initiation of the procedure for the possible adoption of the measures referred to in art. 58, paragraph 2, of the Regulation and the alleged violations of the law, identified, in this case, in the violation of arts. 4, point 11, 5, 7, 12, 13, 24 and 25 of the Regulation and art. 122 of the Code, as well as the indications contained in the Cookie Guidelines, attributable to the incompleteness of the information provided regarding the processing of data through the use of cookies, as well as the lack of information regarding the types of cookies used which prevents the granting of free, informed and specific consent;

ACKNOWLEDGED that Glamour has not availed itself of the right under art. 166, paragraph 6, of the Code to send written defences or documents, nor of the right to be heard by the Authority;

NOTING that following a further access to the site by the Office, carried out on a date subsequent to the investigation conducted by the Unit and the subsequent notification of the communication pursuant to art. 166, paragraph 5 of the Code, it emerged that pending the proceedings the owner has integrated the banner by adding, next to the options already present, also the "Manage preferences" button which refers to a further level of information in which the categories of cookies used by the site are indicated with a pre-set flag only in relation to the site's operation cookies;

CONSIDERING that, pursuant to the legislation in force, the owner is required to provide information on the processing of personal data carried out through the use of cookies or other tracking tools and that in the event of the use of cookies or other tracking technologies of a nature other than technical, the owner is also required to acquire the user's consent;

FURTHER NOTING that, based on the elements acquired at the time of the investigation carried out by the Special Unit for the Protection of Privacy and Technological Fraud of the Guardia di Finanza, in the case in question:

- given the lack of cookie information and the insufficiency of the information provided with the brief information available in the banner, the Company has processed personal data in violation of Articles 12 and 13 of the Regulation and of what is indicated in the Cookie Guidelines;
- the omission of the cookie information found on the website www.gglamoursarzana.it has the additional effect of not allowing to easily determine whether the latter has used exclusively technical cookies or has also used cookies other than technical ones, as the text of the banner would seem to suggest;
- in the event of the use of cookies other than technical ones, the owner is further required to obtain the user's consent in advance pursuant to the first paragraph of art. 122 of the Code, also in relation to art. 4, point 11 and 7 of the Regulation, taking into account the precept referred to in art. 25 of the Regulation;

CONSIDERING that the conduct carried out by the data controller constitutes a violation of art. 4, point 11, 5, 7, 12, 13, 24 and 25 of the Regulation and art. 122 of the Code, as well as the indications contained in the Cookie Guidelines;

CONSIDERING the appreciable effort of the owner to partially remedy the contested violations through the integration of the banner;

CONSIDERING, therefore:

a) that the implementation of the banner is suitable, only in part, to restore the compliance of the site and, therefore, to have to order the data controller, pursuant to art. 58, par. 2, letter d), of the Regulation, to conform the processing of personal data carried out through cookies and other tracking tools used by the website www.gglamoursarzana.it to the legislation in force on the protection of personal data, by configuring a banner that already at this level allows the user to give specific and informed consent to the use of cookies of a nature other than technical, also integrating the general information on the processing of personal data with specific reference to the processing of data carried out through cookies;

b) due to the specific nature of the investigation, to be able to disregard in this case the adoption of measures of a pecuniary sanction nature, limiting itself to issuing to Glamour a warning pursuant to art. 58, par. 2, letter b) of the Regulation, for failure to comply with the provisions set out in the matter of processing personal data through the use of cookies and other tracking tools;

CONSIDERING that the conditions exist for proceeding with the annotation in the internal register of the Authority pursuant to art. 57, par. 1, letter u), of the Regulation, in relation to the measures adopted in this case against Glamour in accordance with art. 58, par. 2, of the Regulation itself;

SEEN the documentation in the files;

SEEN the observations of the Office, formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 of 28 June 2000;

REPORTER the lawyer Guido Scorza;

GIVEN ALL THE ABOVE, THE GUARANTOR

a) ascertains the violation of articles 4, point 11, 5, 7, 12, 13, 24 and 25 of the Regulation and art. 122 of the Code and declares the unlawfulness of the processing;

b) pursuant to art. 58, par. 2 letter d) of the Regulation, orders G. Glamour di Riccio Antonietta, with registered office in Sarzana (SP), via G. Mazzini nr. 156/158, VAT number 07345581214, as owner, to conform the processing of personal data carried out through cookies and other tracking tools used by the website www.gglamoursarzana.it to the legislation in force on the protection of personal data and in particular to configure a banner that already at this level allows the user to give specific and informed consent to the use of cookies of a nature other than technical, also integrating the general information on the processing of personal data with specific reference to the processing of data carried out through cookies;

c) pursuant to art. 58, par. 2, letter b) of the Regulation, issues a warning to G. Glamour di Riccio Antonietta for failure to comply with the provisions in force on the processing of personal data through the use of cookies and other tracking tools for the reasons better indicated in the reasoned part;

PROVIDES

pursuant to art. 17 of the Regulation of the Guarantor n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation, of the violations and the measures adopted.

Pursuant to art. 78 of the Regulation, as well as arts. 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, an objection to this provision may be lodged with the ordinary judicial authority, with an appeal filed, alternatively, with the court of the place where the data controller resides or has its registered office or with that of the place of residence of the interested party within thirty days from the date of communication of the provision itself or sixty days if the appellant resides abroad.

Rome, 13 November 2024

THE PRESIDENT
Stanzione

THE REPORTER
Scorza

THE GENERAL SECRETARY
Mattei