Garante per la protezione dei dati personali (Italy) - 10102462
From GDPRhub
| Garante per la protezione dei dati personali - 10102462 | |
|---|---|
 | |
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 6(1)(a) GDPR Article 6(1)(f) GDPR Article 17 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 12.12.2024 |
| Published: | |
| Fine: | 10,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 10102462 |
| European Case Law Identifier: | 10102462 |
| Appeal: | n/a |
| Original Language(s): | Italian |
| Original Source: | Garante (in IT) |
| Initial Contributor: | elu |
The DPA fined a travel agency €10,000 after they ignored the data subject´s multiple requests to stop sending numerous unsolicited emails and SMS, as well as an erasure request, thus violating Articles 6(1)(a) and 17 GDPR.
English Summary
Facts
The data subject advanced a complaint before the DPA against the controller, a travel agency. The complaint related to numerous unsolicited emails and SMS that the controller would send the data subject for marketing and advertisement purposes.
The data subject subscribed to the controller´s newsletter in 2019, but tried to un-subscribe from the newsletter on the website in March 2020, without any result. Therefore, on 6 April 2020, the data subject advanced an erasure request as per Article 17 GDPR via email. However, the data subject kept receiving emails and SMS periodically, without any possibility of blocking it.
The DPA advanced a request for information, to which the controller replied that the data subject only advanced a request to unsubscribe to the mailing list, but not an erasure request. The controller unsubscribed the data subject from the newsletter already in 2020, and afterwards did not contact the data subject, except for the last emails and SMS which happened due to an error, i.e. the inserting of the data subject in the mailing list. The controller stated that these messages, even if only sent by mistake, could be sent on the basis of the legitimate interest under Article 6(1)(f) GDPR.
Holding
The DPA split the assessment in the following steps.
1. Sending of promotional communications without consent
Concerning the legal basis of the processing, the DPA specified that data processing for marketing purposes is regulated through Article 130 of the Italian Privacy Code (Codice Privacy), which is a lex specialis to the general rule of consent as legal basis under Article 6(1)(a) GDPR. The DPA however, does not deem that Article 130 of the Italian Privacy Code (Codice Privacy) is applicable to the case at hand, indicating that a legal basis under Article 6 GDPR is the one relevant for the lawfulness of the processing.
The DPA dismissed the controller´s claim that Article 6(1)(f) GDPR is the relevant legal basis, and considers that, in this case, consent under Article 6(1)(a) GDPR should be the applicable legal basis. However, the data subject never gave her consent to the processing in question. In fact, the data subject amply demonstrated that he had no interest in receiving such communications; in fact, it was necessary to turn to the DPA to obtain definitive cancellation.
Thus, the controller violated Article 6(1)(a) GDPR.
2. Failure to follow up on an erasure request
The DPA considers that, in the case at hand, the erasure request under Article 17 GDPR was advanced by the data subject multiple times, as the data subject tried more to communicate to the controller the lack of consent behind their data processing.
Such multiple unsuccessful attempts, most recently joined by an erasure request advanced by email to the controller, revoked the consent of the data subject, i.e. the legal basis for processing, on which the controller initially based the processing, materializing the violation mentioned in the previous point.
Thus, the controller violated Article 17 GDPR.
3. Fine
In light of the above, the DPA deemed it appropriate to fine the controller €10,000 for the violation of Article 6(1)(a) GDPR and Article 17 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[web doc. no. 10102462] Provision of 12 December 2024 Register of provisions no. 775 of 12 December 2024 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Dr. Claudio Filippi, Deputy Secretary General; SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”); SEEN the Personal Data Protection Code (Legislative Decree 30 June 2003, no. 196), as amended by Legislative Decree 10 August 2018 no. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the “Code”); SEEN the documentation in the files; SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's regulation no. 1/2000; REPORTER the lawyer Guido Scorza; WHEREAS 1. THE INVESTIGATIVE ACTIVITY CARRIED OUT With a complaint dated 18 August 2023, Mr. XX complained about receiving numerous unwanted emails and some text messages from the service offered by the website www.docenti.it of Start To Fly S.r.l. (hereinafter, Start To Fly or the Company). The complainant stated that he had subscribed to the newsletter in 2019 but was then unable to stop receiving messages; in the complaint he stated that he had performed the unsubscription procedure on the www.docenti.it website several times in March 2020 without obtaining results. Therefore, with emails dated 6 and 7 April 2020 he requested cancellation from the service. On 8 April 2020 the data controller appears to have responded by ensuring cancellation from the mailing list. However, the complainant continued to periodically receive unwanted emails and text messages that could not be blocked (an email dated 2 June 2020, an email dated 27 June 2023 and a text message reportedly received on 17 August 2023 are attached to the complaint). With a note dated 20 October 2023, the Company, in response to the Office's request for information, first of all intended to clarify that Mr. XX had requested unsubscription from the mailing list, not cancellation; therefore stated that "Mr. XX was unsubscribed from the newsletter already in 2020" adding that the latter would not receive any further communications for the following three years, except for the last sendings due to a material error that had led to a new inclusion of the complainant in the mailing list. The Company also added that the messages, even if sent by mistake, would still have had content of interest for the complainant and for this reason could be justified by invoking the legal basis of the legitimate interest of the owner and could be assimilated to the case referred to in art. 130, paragraph 4, of the Code (so-called soft spam). The response note from Star To Fly which, contrary to what was requested, had not been brought to the attention of the complainant, was sent to the latter by the Office. On 25 February 2024, Mr. XX responded by declaring that, contrary to what the Company claimed, the receipt of unwanted communications - received both via email and text message - had not stopped at all between 2020 and 2023; in this regard, he produced a copy of the communications received, specifying that it was an extraction by way of example of the entire mass of messages received. In particular, the note dated 25 February 2024 contains emails received on the following dates: 15 September 2021, 17 August 2022, 14 September 2022, 19 December 2022, 27 December 2022, 5 January 2023, 9 January 2023, 23 January 2023, 25 January 2023, 27 February 2023, 23 June 2023, 5 September 2023, 2 October 2023; together with the same note, text messages dated August 17, 2021 and August 16, 2022 were produced. In the same note, the complainant specified that he had attempted to unsubscribe several times by clicking on the appropriate link at the bottom of the emails without ever having obtained any effect (see point 3 of the statement: "I also wonder – ... – what is the purpose of the unsubscribe button from the newsletter at the end of each individual email. I, personally, pressed that button several times as they were communications that were not of interest to me"). 2. DISPUTE OF THE VIOLATIONS The Office disputed the violations detected with the act of initiation of the proceeding of March 12, 2024, prot. no. 30740 /24, notified by registered mail. Since the reasons expressed in the aforementioned act are here fully recalled, Start to Fly was contested for violating art. 6, par. 1, lett. a) of the Regulation and art. 130, paragraph 2 of the Code for having sent numerous promotional emails and text messages to the complainant despite the latter having repeatedly requested, over the years, not to be contacted. Furthermore, the violation of art. 17 of the Regulation was also deemed to have been integrated for not having followed up on the request made by the complainant to be removed from the mailing list. 3. THE COMPANY'S DEFENSE With the defense brief of 19 April 2024, the Company clarified that it is a small business, "in which the legal representative also takes care of the most material tasks". In the case of XX, in fact, it would have been the legal representative who made a mistake because "in the system transition from the software initially used for the mailing lists, to the one used subsequently, the legal representative made a material error, in fact, reactivating the account of today's complainant". In this regard, the Company attached a letter of apology sent to XX in which it stated that it had deleted the data. With regard to the contested failure to respond to the request for cancellation, Start to Fly stated that: a) the complainant's request must be classified as a right of opposition and not as a right of cancellation; b) the communications sent, even if by mistake, can be said to be supported by the legitimate interest of the owner; c) any other newsletter sending activity was in any case suspended pending completion of the necessary checks. A hearing of the party was held on 21 May 2024 in which the legal representative of the Company stated that: a) the complainant did not click the unsubscribe button but only called the office, for this reason his request would not have been handled promptly; he would have been manually unsubscribed on 22 July 2020 in any case; b) on 3 August 2022, a platform change was made and the legal representative would have uploaded an old mailing list, stored on his PC, in which Mr. XX's data was still present; in October 2023, the complainant would have been manually unsubscribed from the list; c) from the checks carried out, no emails would appear to have been sent to Mr. XX between 2020 and 2022 since other sendings are present only after 3 August 2022; d) there would be no explanation for the email received by the complainant in 2021. 4. LEGAL ASSESSMENTS 4.1 Sending promotional communications without consent From the documentation collected in the files, it appears that the Company sent numerous emails and some text messages whose content, having the ultimate purpose of promoting the sale of a service, had promotional purposes. Despite the opposition expressed by the complainant and the numerous attempts to unsubscribe that the latter declared to have made through the link at the bottom of the emails, the sending of communications, via email and SMS, continued for years. With regard to the legal basis applicable to the processing in question, it is recalled that the sending of promotional communications via electronic communication tools is governed by art. 130 of the Code, in implementation of art. 13 of Directive 2002/58/EC, which constitutes a lex specialis where the only permitted legal basis is the user's consent except for some cases, exhaustively described, of derogation. One of these derogations is contained in the provision of art. 130, paragraph 4 of the Code which allows the sending of promotional communications exclusively via email. In this case, the owner may not request the interested party's consent, if the services are similar to those being sold and if the interested party, adequately informed, does not refuse such use initially or on the occasion of subsequent communications. On this specific aspect, the Guarantor expressed itself, most recently, with the provision of 11 January 2023 (in www.garanteprivacy.it, web doc 9861941). It follows that the indication of legitimate interest as a legal basis cannot be admitted in the case in question, nor can the derogation provided for by art. 130, paragraph 4 of the Code be invoked, which operates only when certain requirements are met that are not present in the case in question: the communications were in fact sent, as mentioned, also via SMS and despite the interested party having repeatedly opposed such receipt. The fact that the Company believes that the communications sent are of interest to the complainant is irrelevant since, as mentioned, they could not be sent in the absence of consent and in any case the complainant has amply demonstrated that he has no interest in receiving such communications; it was in fact necessary, lastly, to contact the Guarantor to obtain definitive cancellation. Given the above, since there is no proven legal basis to justify sending communications to the complainant after the withdrawal of consent, it is considered that there has been a violation of art. 6, par. 1, letter a) of the Regulation and art. 130, paragraph 2 of the Code. 4.2 Failure to follow up on the request for cancellation The right to object pursuant to art. 21 of the Regulation, invoked by the Company, does not apply in this case since the processing in question - as clarified above - admits the data subject's consent as the only legal basis. Therefore, in this legal construction, the refusal to process manifests itself as a revocation of consent and not as an opposition pursuant to art. 21 of the Regulation. This right of revocation has been exercised several times by the data subject, who declared that he had made numerous attempts through the available channels; in fact, in the complaint he declared that "in March 2020 I performed the unsubscription procedure from their site, but I continued to receive their communications. I therefore performed this procedure several times"; in the note of February 25, 2024, sent in response to the owner's statements, the complainant added "... I wonder... what purpose the newsletter unsubscribe button at the end of each individual email is for. I, personally, pressed that button several times because they were communications that were not of interest to me". These multiple unsuccessful attempts - to which were added the requests via email to the owner - first of all caused the legal basis (the interested party's consent) - on which the processing was initially based - to fail, thus materializing the violation referred to in the previous point. Subsequently, the complainant, unable to revoke the consent, also requested cancellation from the mailing list by writing directly to the owner on April 6, 2020 (as can be clearly seen from attachment 1 to the complaint of August 18, 2023): "can you permanently remove me from the mailing list?!". He therefore undoubtedly also exercised the right to cancellation. Such exercise of the right, however, would be considered superfluous in this case since, in the event of withdrawal of consent, the owner has no reason to keep the data in the mailing list. It follows that, even in the absence of an express request by the interested party, since the processing has been interrupted, the owner should have proceeded to delete the data from all locations where storage is no longer necessary. In fact, if the complainant's data had been correctly deleted, the erroneous uploading - declared by the owner - could not have occurred, which would have led to the resumption of the mailing activity several years after the request. Not to mention that no action appears to have been taken with regard to the sending of promotional text messages, nor has any justification been provided in this regard. For these reasons, the violation of art. 17 of the Regulation is considered to be integrated. 5. CONCLUSIONS For the above reasons, Start to Fly's liability is considered to be established with regard to the following violations: a) art. 6, par. 1, lett. a) of the Regulation and art. 130, paragraph 2 of the Code, for sending unwanted promotional communications in the absence of the interested party's consent and in the absence of any other legal basis; b) art. 17 of the Regulation, for failure to delete the interested party's data; Furthermore, it is useful to make some considerations regarding the conduct of the owner who, in the case described, provided inconsistent, contradictory and undocumented statements. It is noted that the owner, with an email dated 8 April 2020 addressed to the interested party, confirmed the cancellation: "you are no longer registered. The emails that are still arriving to you follow an automatic delivery. You will see that you will soon no longer receive emails". However, from the documentation produced by the complainant, it is clear that the communications never stopped, proving that the interested party had not been removed from the mailing list. Subsequently, the same owner, during the hearing, declared that Mr. XX was manually unsubscribed only on July 22, 2020 (a full three months after the declared cancellation). Despite this, the complainant's data would still have been present in an old mailing list stored on the legal representative's computer and manually deleted again in October 2023. No justification was given for sending the text messages, nor was the owner able to justify the email received by the complainant in the period between the alleged cancellation in July 2020 and the accidental resumption of sending in 2023, taking into account that the complainant attached an email received in 2021 but pointed out that the numerous copies of emails exhibited in the files constituted only a part of those received overall over the years. Therefore, having ascertained the unlawfulness of Start To Fly's conduct with reference to the processing under examination, it is necessary to: - impose on Start To Fly, pursuant to art. 58, par. 2, lett. f) of the Regulation, the prohibition of any processing for promotional purposes of personal data present in its lists where it is not able to document the presence of an appropriate consent expressed by the interested parties; this is because the Company, in the defensive phase, declared that it had based said processing on the legal basis of legitimate interest and that it had only temporarily suspended the sending of promotional messages pending a review of its technical and organizational procedures; - adopt an injunction order, pursuant to art. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Start to Fly of the administrative pecuniary sanction provided for by art. 58, paragraph 2, letter i) and 83, paragraphs 3 and 5, of the Regulation. In light of the provisions of art. 154-bis, paragraph 3 of the Code, this provision is published on the Authority's website (see also art. 37 of the internal regulation of the Guarantor no. 1/2019. Finally, it is noted that the conditions set out in art. 17 of the Regulation of the Guarantor no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, paragraph 1, letter u) of the Regulation, are met. 6. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION Based on the above, various provisions of the Regulation and the Code have been violated in relation to connected treatments carried out by Start to Fly, for which reason art. 83, paragraph 3, of the Regulation, according to which, if, in relation to the same processing or to connected processing, a data controller violates, with intent or negligence, several provisions of the Regulation, the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation with consequent application of only the sanction provided for by art. 83, par. 5, of the Regulation. For the purposes of quantifying the administrative sanction, the aforementioned art. 83, par. 5, in setting the maximum amount set by law at 20 million euros or, for companies, at 4% of the annual worldwide turnover of the preceding financial year if higher, specifies the methods of quantifying the aforementioned sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1, of the Regulation), identifying, to this end, a series of elements, listed in par. 2, to be assessed when quantifying the relative amount. In compliance with this provision, assuming, on the basis of the information found in the latest balance sheet (recorded on 31 December 2023), the occurrence of the first hypothesis provided for by the aforementioned art. 83, par. 5 and therefore quantified at 20 million euros as the maximum applicable fine, the following aggravating circumstances must be considered: 1. the duration and severity of the violation, since the complainant has tried for years to obtain the interruption of the sending of unwanted messages by the owner without having satisfaction and therefore having to request the intervention of the Guarantor (art. 83, par. 2, letter a), of the Regulation); 2. the grossly negligent nature of the violation, since the Company has demonstrated gross negligence in the processing of personal data (art. 83, par. 2, letter b), of the Regulation); 3. the measures adopted by the data controller, which have proven to be completely insufficient to guarantee compliance with the rights of the data subject, failing to satisfy his requests in any way; it should be noted that the complainant stated that he had tried to unsubscribe several times, both through the website and through the unsubscribe button at the bottom of the emails and finally by writing twice by email to the data controller without ever obtaining the deletion of his data; to this must be added the further justification of the data controller - expressed only during the hearing - concerning the fact that the complainant had contacted the data controller's office by telephone to request the deletion but, not having an adequate structure to receive this type of requests, it would not have been possible on that occasion to receive the will of Mr. XX (art. 83, par. 2, letter c), of the Regulation); 4. the degree of responsibility of the controller, taking into account the absence of adequate measures to guarantee the correctness of the processing carried out for promotional purposes and compliance with the basic rights of the data subject (Article 83, paragraph 2, letter d), of the Regulation); 5. the degree of cooperation with the Supervisory Authority, taking into account the fact that the Company has produced contradictory and undocumented justifications (Article 83, paragraph 2, letter f), of the Regulation). As mitigating factors, it is believed that it is possible to take into account: 1. the number of subjects involved since, as far as the documents show, the conduct would have concerned only the complainant (Article 83, paragraph 2, letter a) of the Regulation); 2. the absence of previous relevant violations committed by the controller (Article 83, paragraph 2, letter e), of the Regulation); 6. of the categories of data affected by the violation, since only common data were involved (art. 83, par. 2, letter g), of the Regulation). In an overall balance between the rights of the interested parties and the freedom of enterprise, it is considered necessary to prudently evaluate the aforementioned criteria for the purpose of determining the amount of the administrative pecuniary sanctions provided for by the Regulation, also in order to limit the economic impact of the sanction. Therefore, it is believed that - based on the set of elements indicated above - the administrative sanction of payment of a sum of €10,000.00 (ten thousand/00) equal to 0.05% of the maximum statutory sanction of €20 million should be applied to Start To Fly. The maximum statutory sanction is identified with reference to the provisions of art. 83, paragraph 5, of the Regulation, taking into account that 4% of Start To Fly's turnover, based on the data reported in the latest financial statement, is less than €20 million. In this context, it is also believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the internal regulation of the Guarantor n. 1/2019, this chapter containing the injunction order should be published on the website of the Guarantor. This is in consideration of the elements of risk for the rights and freedoms of the interested parties that have not yet been mitigated by the owner during the investigation regarding the proceeding in question. GIVEN ALL THE ABOVE, THE GUARANTOR pursuant to art. 57, par. 1, letter f), of the Regulation, declares the processing described in the terms of the motivation carried out by Start To Fly S.r.l., with registered office in Serravalle (Republic of San Marino), Strada Torinia, 10, to be unlawful; consequently: a) pursuant to art. 58, par. 2, letter f), imposes on Start To Fly S.r.l. the prohibition of any processing for promotional purposes of personal data present in its lists where it is not able to document the presence of an appropriate consent expressed by the interested parties; b) pursuant to art. 157 of the Code, orders Start To Fly to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the measure imposed; any failure to comply with the provisions of this point may result in the application of the administrative pecuniary sanction provided for by art. 83, paragraph 5, of the Regulation. ORDERS pursuant to art. 58, par. 2, letter i), of the Regulation, to Start to Fly S.r.l., in the person of its legal representative, to pay the sum of Euro 10,000.00 (ten thousand) as an administrative pecuniary sanction for the violations indicated in the reasons; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed. ORDER the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 10,000.00 (ten thousand), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981; ORDERS a) pursuant to arts. 154-bis of the Code and 37 of the internal regulations of the Guarantor no. 1/2019, the publication of this provision on the website of the Guarantor; b) pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the internal regulations of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor; c) pursuant to art. 17 of the internal regulation of the Guarantor no. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation, of the violations and the measures adopted. Pursuant to art. 78 of Regulation (EU) 2016/679, as well as arts. 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is resident, or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad. Rome, 12 December 2024 THE PRESIDENT Stanzione THE RAPPORTEUR Scorza THE DEPUTY SECRETARY GENERAL Filippi
