
Garante per la protezione dei dati personali (Italy) - 10119750

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6 GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 14 GDPR
Article 24 GDPR
Art. 130 co. 3 d. lgs. 196/2003
Type: Complaint
Outcome: Upheld
Started: 25.03.2024
Decided: 13.02.2025
Published:
Fine: 15,000 EUR
Parties: Movimento Diritti Europei s.r.l.s.
National Case Number/Name: 10119750
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: cci

The DPA fined a law firm €15,000 for the unlawful and unsolicited contacting of the shareholders of a defaulting bank in order to enlist them for a class action against the bank.

English Summary

Facts

Movimento Diritti Europei s.r.l.s. (the controller) is a law firm specialized in class actions.

The controller acquired a list of the shareholders of a defaulting bank (the data subjects) from one of the shareholders. The list included the names and addresses of other shareholders. The controller then used the addresses to reach out to 15,000 shareholders by regular mail without their consent, in order to enlist them for a class action against the bank.

Some of the shareholders reported the unsolicited communications to three associations involved in litigation against the bank. In turn, the associations filed a complaint against the controller.

The associations claimed that the personal data of the data subjects were acquired and processed unlawfully. Additionally, the associations claimed that the controller failed to provide the data subjects with information on the processing of their data, and failed to respond to eight requests from data subjects.

Holding

The DPA fined the controller €15,000 and ordered it to stop processing the personal data it unlawfully acquired.

Lawfulness

During the DPA’s investigation, the controller claimed that the processing of personal data was based on the controller’s legitimate interest in enlisting individuals for its class action.

The controller also pointed out that many data subjects later joined the class action, and that only eight of them exercised their data rights with a request. In the controller’s view, this proved that the processing of personal data was appropriate, and that the controller had a tangible and non-hypothetical interest in the processing of the data.

The DPA held that the controller’s activities constituted a form of unsolicited communication. Therefore, as a general rule, such activities required consent under Article 130(3) d. lgs. 196/2003[1].

The DPA found other issues with the legal basis of legitimate interest. In the DPA’s view:

  • the controller’s interest was not current and concrete;
  • the controller failed to explain how it balanced its interest with the rights and freedoms of the data subjects;
  • the data subjects had no relationship with the controller. Therefore, the use of their data did not meet the expectations of the data subjects;
  • the controller did not prove that it facilitated the exercise of the data subjects’ rights (especially the right to object).

For these reasons, the DPA held that the controller violated Articles 5(1)(a), 5(2), 6, and 24 GDPR.

On transparency

In its investigation, the DPA found that the controller provided data subjects with a notice when they filled in the form or showed up to the controller’s informational meetings about its class action. The information was therefore not provided at the time of the collection of the data.

For this reason, the DPA held that the controller failed to inform the data subjects about the processing of their data upon collection, and that it violated Articles 5(1)(a), 5(2), and 14 GDPR.

On the data subjects’ requests

Eight data subjects sent the controller a request to exercise their rights via mail. During the investigation, the controller proved that it answered one of them by mail. The controller claimed that it responded to the other seven by phone but could not provide proof.

The DPA held that the controller failed to respond to the access requests. In this regard, the DPA pointed out that when a data subject sends a request by regular mail, the controller should also respond by regular mail, in order to prove that it did respond.

For this reason, the DPA held that the controller violated Articles 12(2), (3), and (4) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. n. 10119750]

Provision of 13 February 2025

Register of provisions
n. 73 of 13 February 2025

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Dr. Claudio Filippi, Deputy Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

SEEN the Personal Data Protection Code (Legislative Decree 30 June 2003, no. 196), as amended by Legislative Decree 10 August 2018, no. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter “Code”);

SEEN the documentation in the files;

SEEN the observations formulated by the Secretary General pursuant to art. 15 of the regulation of the Guarantor no. 1/2000, adopted with resolution of 28 June 2000;

REPORTER Dr. Agostino Ghiglia;

1. THE INVESTIGATIVE ACTIVITY CARRIED OUT

1.1. Introduction

With communication prot. no. 37333/310037 of 25 March 2024 (notified on the same date by certified email), which must be considered fully referred to herein, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a proceeding for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation against MDE – Movimento Diritti Europei s.r.l.s. (hereinafter also “MDE” or “Company”), in the person of its legal representative pro-tempore, with registered office in Treviso, via Jacopo Bernardi n. 25/c, tax code 05315450261.

The proceeding originates from an investigation initiated following the receipt of a complaint in which some associations (XX, XX and XX), promoters of a class action against XX (registered in the general register of the Court of Venice with no. 172/2023), complained about certain conduct carried out by MDE.

In particular, given that the class action initiated by the associations had as its object the reimbursement of the sums invested in the purchase of shares issued by the aforementioned XX and that, at the time of the complaint, the Court of Venice had yet to rule on the admissibility of the action itself, some shareholders of XX, adhering to the class action, reported to the three associations the receipt of communications sent by MDE with which they were invited to participate in some public meetings dedicated precisely to the shareholders of the Bank, raising the possibility of "recovering the devaluation of the shares suffered over the years".

The three associations attached to the complaint the invitations received from their members, the forms prepared by MDE for joining its own collective action, forms also including a notice for the processing of personal data, and some requests for the exercise of the right of access provided for by art. 15 of Regulation (EU) 2016/679 (hereinafter “Regulation”), formulated by the same members towards the Company, which remained unanswered.

1.2. The request for information formulated by the Authority

The Office, after having verified that, in addition to the complaint of the associations, the Authority had also received some independent reports from shareholders of XX reached by communications from MDE, sent the Company a request for information and exhibition of documents pursuant to art. 157 of the Code, in order to acquire elements for a complete assessment of the case and to better understand the role of the Company and of XX, indicated several times in the complaint received by the Authority.

From the elements provided by the Company during the investigation it emerged that:

- MDE is a company whose corporate purpose is the provision of out-of-court assistance services in the field of securities investments, an activity that it also carries out by coordinating initiatives in favor of several subjects that give it a specific mandate;

- XX, established in the aftermath of the liquidation of XX and XX, is a non-profit association whose purpose is the protection of savers involved in the corporate affairs of the Veneto banks. In the case under examination, the same would have limited itself to providing, upon request, the forms of MDE's initiatives towards XX;

- with reference to the initiatives mentioned above, MDE would have operated in the legal capacity of the controller of the processing of personal data aimed at sending informative communications to the shareholders of XX (in particular relating to the meetings organized to undertake initiatives to recover the value of the investments made with the purchase of the Bank's shares);

- MDE sent approximately 15,000 information communications by post to the same number of shareholders of XX, acquiring the names from a list provided by a shareholder of the Bank and therefore processing the data of the first name, last name and postal address of the interested parties;

- the legal basis of the processing would lie in the legitimate interest of the Company to provide information on the meetings organized;

- the communication sent to the interested parties reported, among other things, the indication of the Company's website where the MDE privacy policy is present;

- no further processing of personal data by MDE was envisaged after the sending of the information communications except for those relating to the interested parties who, voluntarily, had decided to join the initiatives of the Company. These subjects, once they had acquired the documentation distributed during the meetings (or delivered upon request to be forwarded via the Company's website), viewed a notice on the processing of personal data and formalized their adhesion to the initiatives. With reference to the subsequent processing, the legal basis is that provided for by art. 6, par. 1, letter b), of the Regulation;

- with reference to the methods by which the Company had guaranteed the interested parties the exercise of the rights under Articles 15-22 of the Regulation, MDE stated that it had received eight emails from the interested parties “with requests relevant to privacy purposes”, mostly of identical content, form and structure, without clarifying whether such requests had been responded to and in what terms.

The Office examined the information on the Company’s website, at the page https://www.dirittieuropei.com/privacy-policy

1.3. Contestation of the violations

Following the investigation, the Office adopted the aforementioned contestation notice no. 37333/310037 of 25 March 2024 in which, first of all, it detected the conduct attributable to the company MDE s.r.l.s., as an independent data controller of the personal data of XX shareholders, contacted by sending 15,000 paper letters in order to inform them of the Company's initiatives to protect the securities investments made by them.

It was then observed that MDE had declared that it had acquired the list of XX shareholders, provided by another shareholder, therefore collecting the data relating to the name, surname and contact address of each, associated with the status of shareholder of the Bank and that such data collection and the subsequent processing aimed at sending the paper letters were configured as unlawful because they were not supported by an appropriate legal basis and not related to an appropriate information, issued by the Company in the forms and terms provided for by art. 14 of the Regulation.

As regards timing, the aforementioned information had to be provided to each contacted shareholder at least at the same time as the first communication was sent, in accordance with the provisions of paragraph 3 of the aforementioned Article 14 of the Regulation. On this point, the requirement could not be considered to have been correctly implemented by simply recalling the address of the Company's website, which contained a summary notice that, moreover, only concerned the processing connected to browsing the site.

With reference to the legal basis of the processing carried out by the Company for sending information to the shareholders of XX, the Office observed that the same could not reside in the legitimate interest of MDE to publicize its initiatives, since the requirements of concreteness and topicality of such interest could not be identified, the methods by which the Company would have operated the balancing of the aforementioned interest with the fundamental rights and freedoms of the interested parties had not been made explicit, nor did there appear to be a relevant and appropriate relationship between the data controller and the interested parties, such as to lead to the belief that the latter could reasonably expect that a collection of their data for informational-promotional purposes would take place by MDE.

The Office also highlighted that, in general, the legal basis of legitimate interest cannot replace the data subject's consent in cases where the latter constitutes the condition for the lawfulness of the processing ordinarily provided for, and that, in the case in question, in compliance with the principles of accountability and transparency, it would have been necessary for MDE to have provided for the concrete implementation of adequate measures to guarantee the rights of the data subjects, and, in particular, to facilitate the exercise of the right to object, something that, from the documents of the investigation, did not appear to emerge.

Finally, precisely with reference to the methods with which MDE had planned to guarantee the exercise of the rights of the data subjects pursuant to Articles 15-22 of the Regulation, it resulted, from the statements of the Company and from what was represented by the data subjects themselves, that the letters sent by the latter in order to acquire information on the processing and obtain the deletion of their data had remained unanswered.

The conduct indicated above, in the opinion of the Office, also constituted a violation of the principles of fairness, transparency and accountability pursuant to art. 5, paragraphs 1 and 2, of the Regulation.

On the basis of the above observations, the Office contested MDE for the following alleged violations:

a) art. 5, paragraphs 1, letter a), and 2; art. 6; art. 24 of the Regulation, for having carried out processing consisting of the collection of personal data of the shareholders of XX and the sending to the same of 15,000 informative communications on the initiatives of the MDE Company, in the absence of an appropriate legal basis and in conflict with the principles of lawfulness and accountability;

b) art. 5, paragraphs 1, letter a), and 2; art. 13 of the Regulation, for having carried out the above-described processing of personal data without having provided the interested parties with appropriate information, in conflict with the principles of fairness and transparency;

c) art. 12, par. 2-4, in relation to arts. 15-22 of the Regulation, for having failed to provide feedback to the requests to exercise the rights formulated by the interested parties.

2. EXERCISE OF THE RIGHT OF DEFENSE BY THE DATA CONTROLLER

The Company, exercising its right of defense, sent the Authority a defense brief with note no. 50856 of 30 April 2024 and at the same time requested a hearing before the Guarantor, a hearing duly held on 15 November 2024.

In its defense brief, MDE first observed, with reference to the contested processing, that "of approximately 15,000 communications sent, only 8 recipients decided to exercise their rights as data subjects to request information and the deletion of data. On the contrary, several hundred people participated in the meetings. Meetings which, it should be remembered, were freely accessible and without any registration, therefore the relative participation did not generate any collection or processing of personal data by MDE. Just as hundreds of people, having received the letter and participated in the meetings, decided to join the MDE initiative, concluding a contract with the company [...] These numbers must lead, first of all, to correctly evaluate the balance between MDE's interest in sending the informative communication of the meetings and the fundamental rights and freedoms of the recipients. Furthermore, the same numbers also allow to evaluate the characteristics of MDE's interest and the relevance of the relationship between this company and the recipients. The clear disproportion between communications sent (about 15,000) and requests for the exercise of the rights of the interested parties received (8) confirms that the clear majority of the interested parties considered that the treatment did not violate their rights and freedoms. Instead, the fact that, first, several hundred people who received the communication participated in the meetings and that, then, a good part of them relied on MDE for assistance against the bank that betrayed them, confirms both the appropriateness of the relationship between the data controller and the interested parties, and the concreteness and timeliness of MDE's interest in carrying out the processing".

Therefore, with reference to the lack of information, the Company represented that "the evidence collected in this proceeding [...] confirms that the personal data indicated (such as, surname and postal address) have not been processed in any other way or for other purposes and that they are deleted by default by MDE as soon as the operations of sending the paper communications are completed. Furthermore, it has already been noted that at the first possible subsequent contact (i.e. on the occasion of the meetings referred to in the communication sent by post), MDE immediately made available to the interested parties who wish to join the initiatives the dedicated privacy information [...]. This confirms MDE's attention to the correct processing of personal data. Therefore, also recalling what is illustrated in the preceding paragraph, it is believed that the evidence that emerged during this proceeding confirms the absence of any consequences for the interested parties due to the alleged absence of the privacy information with reference to the processing of personal data carried out before the meetings”.

With regard to the dispute relating to the inadequate response to the requests to exercise the rights that the eight interested parties addressed to MDE, the Company produced the text of the response provided, by letter, to one of the aforementioned requesters, highlighting that “responses of the same tenor were also given to all the other 7 interested parties who communicated with the company to exercise the rights guaranteed to them by the GDPR. These 7 not only sent the emails to the records of the proceeding, but also contacted the company MDE by telephone, speaking with the legal representative who reported to them the same contents as in the response email reported above. […] The only criticality that characterizes the conduct in question of MDE is the absence of written evidence regarding the feedback provided by telephone to the other 7 interested parties who sent emails: certainly a violation of the duty to be able to demonstrate the adoption of appropriate accountability measures, which MDE has already remedied by providing specific manuals for the correct management of the feedback to be provided to interested parties”.

During the hearing, the representatives of the Company intended to add that “MDE is a recently established entity, established in 2022, and for this reason its structuring, also with regard to the implementation of procedures regarding the protection of personal data, has been progressive and corresponding to the significant success that its initiatives have achieved. This is to state that any misalignments that occurred in the initial phase of its activity have already been analyzed and intervened upon, so that today it can be considered that the Company has reached a satisfactory level of compliance with privacy obligations, which it intends to further consolidate”.

As for the modest number of subjects who have exercised the rights pursuant to Articles 15-22 of the Regulation, as proof of the correspondence of the processing with the expectations of the interested parties, the Company has stated that “the eight requests to exercise the rights were all substantially identical because they were activated at the probable instigation of competitor organizations”.

MDE then illustrated the corrective measures already implemented to make the processing fully compliant with the legislation in force: “first of all, as mentioned, a complete review of the information [...] and internal procedures was carried out, also identifying the support of a professional figure as Data Protection Officer. Specific training for staff (composed of three units, in addition to the legal representative who has an operational role) has also been started, which has also led to the proceduralization of the activities for responding to any requests for exercising rights. Security measures have also been significantly increased, in order to guarantee the integrity of the systems and personal data contained therein, taking into account the growth in numerical terms of the affiliates. Finally, the sending of the disputed letters has been immediately stopped, so that to date the Company's initiatives are advertised through social media marketing activities and for this purpose, a landing page has been prepared for those who are interested, which redirects to the Company's information. In the case of leafleting, a QR code or a link is inserted in the message that refers directly to the aforementioned information”.

Therefore, the Company, “in light of the good faith demonstrated, the loyal collaboration with the Authority, the measures implemented, the absence of previous violations in terms of personal data protection and the commitment for the future also demonstrated by the growth in trust of its affiliates”, has requested that today's proceedings be archived or at least that any corrective measures be based on the principle of proportionality, reducing the possible afflictive impacts to a minimum.

3. AUTHORITY'S EVALUATIONS

The arguments put forward by MDE, although based on loyal collaboration with the Authority and indicative of an appreciable commitment to overcoming the contested critical issues, are not suitable to exclude its liability in relation to the contested violations.

In fact, as regards the first dispute, the circumstance that the Company sent 15,000 informative communications by paper mail to as many shareholders of XX, acquiring the names from a list provided by a shareholder of the Bank and therefore processing the data of the name, surname and postal address of the interested parties and the status of shareholder of the bank.

These communications promoted MDE's initiatives to protect the aforementioned shareholders and invited them to participate in the meetings organized by the MDE Company in order to gather support for the class action currently being carried out against the Bank. It should be noted that, in the case in question, both the collection of the data reported in the list of shareholders of the Bank and the communication sent to the 15,000 recipients, to be classified as an informational-promotional communication, take on unlawful connotations.

With reference to the overall processing of the personal data in question, consisting not only of the sending of communications but also of the preliminary phase of the collection of the personal data of the interested parties associated with the status of shareholder of the Bank, reference should be made to the observations already set out by the Office regarding the substantial requirements of the legal basis provided for by art. 6, par. 1, lett. f) of the Regulation to support the legitimacy of the processing itself (concreteness and topicality of the interest; explanation of the methods of balancing the interest with the fundamental rights and freedoms of the interested parties; existence of a relevant and appropriate relationship between the data controller and the interested parties, such as to suggest that the latter can reasonably expect the processing), requirements that are lacking here as also demonstrated by the unsuitable and irregular method of data collection.

In relation to the Company's defensive considerations, it must also be noted that the appropriate and pertinent relationship between the owner and the interested parties, such as to make the processing carried out reasonably expected, cannot be inferred ex post from the absence of "reactions" from the majority of the interested parties themselves, but must be an element that existed before the processing was carried out, an element that is clearly explained, as is that of the balancing of interests in play, in a formal information notice in which the facilitated methods for exercising the right to object are also indicated.

To this must be added that, in the case in question, given the informative-promotional nature of the communications made by MDE, the same could be legitimately sent only if the Company had acquired specific consent from all interested parties, as provided for by art. 130, paragraph 3, of the Code, since the current legislation excludes the use of the legal basis of consent only in the case of data taken from public telephone directories, pursuant to the subsequent paragraph 3-bis.

For the sake of completeness, it should be reiterated that the invoked legal basis of legitimate interest cannot replace the data subject's consent in cases where the same constitutes the condition for the lawfulness of the processing ordinarily provided for, nor can the data controller retroactively resort to the basis of legitimate interest to remedy gaps in the acquisition of consent, as in the present case (in this regard, see the Art. 29 Group Guidelines on consent pursuant to Regulation (EU) 2016/679, 10 April 2018, WP 259 rev.01, as referred to in the provision of the Guarantor no. 7 of 15 January 2020, in www.gpdp.it, web doc. no. 9256486).

With reference to the second objection, concerning the suitability of the information, it should be noted that the information repeatedly referred to by the party, reported on the Company's website, does not appear to be such as to make it possible to consider the owner's obligations to inform the interested parties about the processing carried out as fulfilled, since the same was not explicitly referred to in the communications sent (in which the web address of the site was simply reported) and in any case only concerned the processing connected to navigation on the site itself, without any reference to the processing carried out for the sending of informative-promotional communications, to the related legal basis and to the methods for exercising the rights of the interested parties.

The documents of the proceeding highlight that an information with the characteristics mentioned above was not provided, at least within the terms provided for by art. 14 of the Regulation, i.e. in conjunction with the first promotional communication.

Finally, with reference to the third dispute, we acknowledge the statements made by the party regarding the circumstance that in seven out of eight cases, the feedback to the requests to exercise the rights was provided to the interested parties verbally or following telephone contact, highlighting however that this element appears insufficient to exclude the liability of MDE given that a request expressed via paper means must correspond to a feedback with the same characteristics, also in order to prove the correct fulfillment of the obligations under art. 12 of the Regulation.

On the basis of the above considerations, the violations indicated in the notice of dispute, at points a), b) and c), must be considered confirmed.

As for the scope of these violations, while considering that the conduct carried out and the significant number of interested parties involved do not allow them to be classified as "minor violations", the proactive conduct of the Company must be relevant in the case in question.

The same, in fact, in addition to having carried out a complete review of the information and internal procedures, also identifying the support of a professional figure such as the DPO, has declared that it has started specific training for staff and proceduralized the response activities to any requests to exercise rights. The same has also represented that it has significantly increased the security measures, in order to guarantee the integrity of the systems and personal data contained therein, taking into account the growth in numerical terms of the affiliates.

What is, however, of greater relevance is the interruption of the sending of the disputed letters, for which to date the initiatives of the Company, based on what it has declared, are advertised through social media marketing activities and for this purpose, a landing page has been prepared for those who are interested, which redirects to the Company's information. In the case of flyers, a QR code or a link is inserted in the message that refers directly to the aforementioned information.

These choices make it unnecessary to adopt corrective measures, with the exception of the prohibition of further processing of personal data present in the list of XX shareholders, acquired by MDE from a shareholder of the Bank.

4. CONCLUSIONS

For the above reasons, MDE is deemed to be liable for the following violations:

a) art. 5, paragraphs 1, letter a), and 2; art. 6; art. 24 of the Regulation, for having carried out processing consisting of the collection of personal data of XX shareholders and the sending to them of 15,000 informative communications on the Company's initiatives, in the absence of an appropriate legal basis and in conflict with the principles of lawfulness and accountability;

b) art. 5, paragraphs 1, letter a), and 2; art. 13 of the Regulation, for having carried out the above-described processing without having provided the interested parties with appropriate information, in conflict with the principles of fairness and transparency;

c) art. 12, paragraphs 2-4, in relation to articles 15-22 of the Regulation, for having failed to provide feedback to the requests to exercise the rights formulated by the interested parties.

Having also ascertained the unlawfulness of the processing under examination, it is necessary to:

- impose on MDE, pursuant to art. 58, paragraph 2, letter f) of the Regulation, the prohibition of further processing of the data present in the list of shareholders of XX, acquired from a shareholder of the Bank;

- adopt an injunction order, pursuant to art. 166, paragraph 7, of the Code and 18 of Law no. 689/1981, for the application against MDE of the administrative pecuniary sanction provided for by art. 83, paragraphs 3 and 5, of the Regulation.

5. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of Law no. 689/1981, for the application against MDE of the administrative pecuniary sanction provided for by art. 83, paragraphs 3 and 5, of the Regulation (payment of a sum of up to € 20,000,000.00 or, for companies, up to 4% of the annual worldwide turnover of the previous financial year, if higher).

To determine the maximum amount of the pecuniary sanction, it is therefore necessary to refer to the turnover of MDE, as obtained from the ordinary financial statement for the year 2023; this maximum amount is therefore determined, in the case in question, at € 20,000,000.00.

To determine the amount of the fine, it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation.

In the case in question, the following are relevant:

1) the seriousness of the violations (art. 83, par. 2, letter a) of the Regulation), taking into account the object and purposes of the processing, attributable to information-promotional activities carried out through the acquisition of the list of members of XX and the sending of 15,000 information-promotional communications to the same number of interested parties;

2) as an aggravating factor, the significantly negligent nature of the conduct of the Company (art. 83, par. 2, letter b) of the Regulation), which, in identifying the legal basis of the processing, did not take into account the specific conditions that make it possible to apply the legal basis of the legitimate interest of the data controller;

3) as a mitigating factor, the measures implemented by the Company to remove the effects of the unlawful conduct (Article 83, paragraph 2, letter c) of the Regulation);

4) as a mitigating factor, the circumstance that the Company has not previously been the recipient of a corrective and sanctioning measure by the Guarantor (Article 83, paragraph 2, letter e) of the Regulation);

5) as a mitigating factor, the degree of cooperation with the Authority (Article 83, paragraph 2, letter f) of the Regulation).

Based on the set of elements indicated above, and on the principles of effectiveness, proportionality and dissuasiveness provided for by Article 83, paragraph 1, of the Regulation, and taking into account the necessary balance between the rights of the interested parties and the freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational and functional needs of the Company, it is believed that the administrative sanction of the payment of a sum of €15,000.00 (fifteen thousand/00), equal to 0.075% of the maximum sanction, should be applied to MDE.

In the case in question, it is believed that the accessory sanction of the publication on the website of the Guarantor of this injunction order, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019, should also be applied, taking into account the seriousness of the violations and the disvalue of the conduct, with reference to the violation of the provisions on paper marketing, as well as the involvement of a significant number of interested parties.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

CONSIDERING ALL THE ABOVE, THE GUARANTOR

a) imposes on MDE, Movimento Diritti Europei s.r.l.s., in the person of its legal representative pro-tempore, with registered office in Treviso, via Jacopo Bernardi n. 25/c, tax code 05315450261, pursuant to art. 58, par. 2, letter f) of the Regulation, the prohibition of further processing of the data present in the list of shareholders of XX, acquired from a shareholder of the Bank;

b) orders MDE, pursuant to art. 157 of the Code, to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the measure imposed in letter a) of this provision; any failure to comply with the provisions of this point may result in the application of the administrative pecuniary sanction provided for by art. 83, paragraph 5, of the Regulation.

ORDERS

to MDE, to pay the sum of Euro 15,000.00 (fifteen thousand/00) as an administrative pecuniary sanction for the violations indicated in the reasoning above, noting that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by complying with the instructions given and paying, within thirty days, an amount equal to half of the sanction imposed.

ORDERS

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 15,000.00 (fifteen thousand/00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive actions pursuant to art. 27 of Law no. 689/1981.

PROVIDES

a) the publication of this provision, pursuant to Articles 154-bis of the Code and 37 of Regulation no. 1/2019, as well as the application of the accessory sanction of the publication on the website of the Guarantor of this injunction order, as provided for by Articles 166, paragraph 7 of the Code and 16 of the Guarantor Regulation no. 1/2019;

b) the annotation of this provision in the internal register of the Authority - provided for by Article 57, paragraph 1, letter u), of the Regulation, as well as by Article 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor - relating to the violations and measures adopted in accordance with Article 58, paragraph 2, of the Regulation itself.

Pursuant to Article 78 of the Regulation, as well as Articles 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, an objection to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller resides, or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 13 February 2025

THE PRESIDENT
Stanzione

THE REPORTER
Ghiglia

THE DEPUTY SECRETARY GENERAL
Filippi

[web doc. no. 10119750]

Provision of 13 February 2025

Register of provisions
no. 73 of 13 February 2025

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Dr. Claudio Filippi, Deputy Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

HAVING SEEN the Personal Data Protection Code (Legislative Decree no. 196 of 30 June 2003), as amended by Legislative Decree no. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter “Code”);

HAVING SEEN the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the regulation of the Guarantor no. 1/2000, adopted with resolution of 28 June 2000;

REPORTER Dr. Agostino Ghiglia;

1. THE INVESTIGATIVE ACTIVITY CARRIED OUT

1.1. Introduction

With communication prot. no. 37333/310037 of 25 March 2024 (notified on the same date by certified e-mail), which must be considered fully referred to here, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the provisions referred to in art. 58, par. 2, of the Regulation against MDE – Movimento Diritti Europei s.r.l.s. (hereinafter also “MDE” or “Company”), in the person of its legal representative pro-tempore, with registered office in Treviso, via Jacopo Bernardi n. 25/c, tax code 05315450261.

The proceeding originates from an investigation initiated following the receipt of a complaint with which some associations (XX, XX and XX), promoters of a class action against XX (registered in the general register of the Court of Venice with n. 172/2023), complained about certain conduct carried out by MDE.

In particular, given that the class action initiated by the associations had as its object the reimbursement of the sums invested in the purchase of shares issued by the aforementioned XX and that, at the time of the complaint, the Court of Venice had yet to rule on the admissibility of the action itself, some shareholders of XX, adhering to the class action, reported to the three associations the receipt of communications sent by MDE with which they were invited to participate in some public meetings dedicated specifically to the shareholders of the Bank, raising the possibility of "recovering the devaluation of the shares suffered over the years".

To the complaint, the three associations attached the invitations received from their members, the forms prepared by MDE for joining one of its class actions (forms that also include an information notice for the processing of personal data), and some requests for the exercise of the right of access provided for by art. 15 of Regulation (EU) 2016/679 (hereinafter “Regulation”), formulated by the same members against the Company, which remained unanswered.

1.2. The request for information formulated by the Authority

The Office, after having verified that, in addition to the complaint of the associations, the Authority had also received some independent reports from shareholders of XX reached by the communications of MDE, proceeded to send the Company a request for information and exhibition of documents pursuant to art. 157 of the Code, in order to acquire elements for a complete assessment of the case and to better understand the role of the Company and of XX, indicated several times in the complaint received by the Authority.

From the elements provided by the Company during the response, it emerged that:

- MDE is a company whose corporate purpose is the provision of out-of-court assistance services in the field of securities investments, an activity that it also carries out by coordinating initiatives in favor of several subjects who give it a specific mandate;

- XX, established in the aftermath of the liquidation of XX and XX, is a non-profit association whose purpose is to protect savers involved in the corporate affairs of the Veneto banks. In the case under examination, the association would have limited itself to providing, upon request, the forms for MDE's initiatives towards XX;

- with reference to the initiatives mentioned above, MDE would have operated in the legal capacity of the controller of the processing of personal data aimed at sending information communications to XX shareholders (in particular relating to meetings organised to undertake initiatives to recover the value of investments made with the purchase of the Bank's shares);

- MDE sent approximately 15,000 information communications by post to the same number of XX shareholders, acquiring the names from a list provided by a shareholder of the Bank and therefore processing the data of the first name, last name and postal address of the interested parties;

- the legal basis of the processing would lie in the legitimate interest of the Company to provide information on the meetings organised;

- the communication sent to the interested parties reported, among other things, the indication of the Company's website where MDE's privacy policy is present;

- no further processing of personal data by MDE was envisaged after the sending of the informative communications with the exception of those relating to the interested parties who, voluntarily, had decided to join the initiatives of the Company. These subjects, once they had acquired the documentation distributed during the meetings (or delivered upon request to be forwarded via the Company's website), viewed a notice on the processing of personal data and formalized their adhesion to the initiatives. With reference to the subsequent processing, the legal basis is that provided for by art. 6, par. 1, letter b), of the Regulation;

- with reference to the methods according to which the Company had guaranteed the interested parties the exercise of the rights referred to in arts. 15-22 of the Regulation, MDE stated that it had received eight emails from the interested parties “with requests relevant to privacy purposes”, mostly of identical content, form and structure, without clarifying whether such requests had been responded to and in what terms.

The Office examined the information on the Company’s website, at https://www.dirittieuropei.com/privacy-policy

1.3. Contestation of violations

Following the investigation, the Office adopted the aforementioned contestation act no. 37333/310037 of 25 March 2024 in which, first of all, it identified the conduct attributable to the company MDE s.r.l.s., as an independent data controller of the personal data of XX shareholders, contacted by sending 15,000 paper letters in order to inform them of the Company’s initiatives to protect the securities investments made by them.

It was therefore observed that MDE had declared that it had acquired the list of XX shareholders, provided by another shareholder, thus collecting the data relating to the name, surname and contact address of each, associated with the status of shareholder of the Bank and that such data collection and the subsequent processing aimed at sending the paper letters were configured as unlawful because they were not supported by an appropriate legal basis and not correlated with an appropriate information notice, issued by the Company in the forms and terms provided for by art. 14 of the Regulation.

As regards timing, the aforementioned information notice had to be provided to each shareholder contacted at least at the same time as the sending of the first communication, in accordance with the provisions of paragraph 3 of the aforementioned article 14 of the Regulation; on this point, the obligation could not be considered correctly fulfilled by simply citing the address of the Company's website, which contained a summary information notice that, however, concerned only the processing connected to browsing the site.

With reference to the legal basis of the processing carried out by the Company for sending information to the shareholders of XX, the Office observed that the same could not reside in the legitimate interest of MDE to publicize its initiatives, since the requirements of concreteness and topicality of such interest could not be identified, the methods by which the Company would have operated the balancing of the aforementioned interest with the fundamental rights and freedoms of the interested parties had not been made explicit, nor did there appear to be a relevant and appropriate relationship between the data controller and the interested parties, such as to lead to the belief that the latter could reasonably expect that a collection of their data for informational-promotional purposes would take place by MDE.

The Office also highlighted that, in general, the legal basis of legitimate interest cannot replace the data subject's consent in cases where the latter constitutes the condition for the lawfulness of the processing ordinarily provided for, and that, in the case in question, in compliance with the principles of accountability and transparency, it would have been necessary for MDE to have provided for the concrete implementation of adequate measures to guarantee the rights of the data subjects, and, in particular, to facilitate the exercise of the right to object, something which, from the documents of the investigation, did not appear to emerge.

Finally, precisely with reference to the methods with which MDE had planned to guarantee the exercise of the rights of the data subjects pursuant to Articles 15-22 of the Regulation, it resulted, from the Company's statements and from what was represented by the data subjects themselves, that the letters sent by the latter in order to acquire information on the processing and obtain the deletion of their data had remained unanswered.

The conduct indicated above, in the opinion of the Office, also constituted a violation of the principles of fairness, transparency and accountability pursuant to art. 5, paragraphs 1 and 2, of the Regulation.

On the basis of the above observations, the Office notified MDE of the following alleged violations:

a) art. 5, paragraphs 1, letter a), and 2; art. 6; art. 24 of the Regulation, for having carried out processing consisting of the collection of personal data of the shareholders of XX and the sending to the same of 15,000 informative communications on the initiatives of the MDE Company, in the absence of an appropriate legal basis and in conflict with the principles of lawfulness and accountability;

b) art. 5, paragraphs 1, letter a), and 2; art. 13 of the Regulation, for having carried out the above-described processing of personal data without having provided the interested parties with appropriate information, in conflict with the principles of fairness and transparency;

c) art. 12, par. 2-4, in relation to articles 15-22 of the Regulation, for having failed to provide feedback to the requests to exercise the rights formulated by the interested parties.

2. EXERCISE OF THE RIGHT OF DEFENSE BY THE DATA CONTROLLER

The Company, exercising its right of defense, sent the Authority a defense brief with note no. 50856 of 30 April 2024 and at the same time requested a hearing before the Guarantor, a hearing duly held on 15 November 2024.

In its defense brief, MDE first observed, with reference to the contested processing, that "of approximately 15,000 communications sent, only 8 recipients decided to exercise their rights as data subjects to request information and the deletion of data. On the contrary, several hundred people participated in the meetings. Meetings which, it should be remembered, were freely accessible and without any registration, therefore the relative participation did not generate any collection or processing of personal data by MDE. Just as hundreds of people, having received the letter and participated in the meetings, decided to join the MDE initiative, concluding a contract with the company [...] These numbers must lead, first of all, to correctly evaluate the balance between MDE's interest in sending the informative communication of the meetings and the fundamental rights and freedoms of the recipients. Furthermore, the same numbers also allow to evaluate the characteristics of MDE's interest and the relevance of the relationship between this company and the recipients. The clear disproportion between communications sent (about 15,000) and requests for the exercise of the rights of the interested parties received (8) confirms that the clear majority of the interested parties considered that the treatment did not violate their rights and freedoms. Instead, the fact that, first, several hundred people who received the communication participated in the meetings and that, then, a good part of them relied on MDE for assistance against the bank that betrayed them, confirms both the appropriateness of the relationship between the data controller and the interested parties, and the concreteness and timeliness of MDE's interest in carrying out the processing".

Therefore, with reference to the lack of information, the Company represented that "the evidence collected in this proceeding [...] confirms that the personal data indicated (such as, surname and postal address) have not been processed in any other way or for other purposes and that they are deleted by default by MDE as soon as the operations of sending the paper communications are completed. Furthermore, it has already been noted that at the first possible subsequent contact (i.e. on the occasion of the meetings referred to in the communication sent by post), MDE immediately made available to the interested parties who wish to join the initiatives the dedicated privacy information [...]. This confirms MDE's attention to the correct processing of personal data. Therefore, also recalling what is illustrated in the preceding paragraph, it is believed that the evidence that emerged during this proceeding confirms the absence of any consequences for the interested parties due to the alleged absence of the privacy information with reference to the processing of personal data carried out before the meetings”.

With regard to the dispute relating to the inadequate response to the requests to exercise the rights that the eight interested parties addressed to MDE, the Company produced the text of the response provided, by letter, to one of the aforementioned requesters, highlighting that “responses of the same tenor were also given to all the other 7 interested parties who communicated with the company to exercise the rights guaranteed to them by the GDPR. These 7 not only sent the emails to the records of the proceeding, but also contacted the company MDE by telephone, speaking with the legal representative who reported to them the same contents as in the response email reported above. […] The only criticality that characterizes the conduct in question of MDE is the absence of written evidence regarding the feedback provided by telephone to the other 7 interested parties who sent emails: certainly a violation of the duty to be able to demonstrate the adoption of appropriate accountability measures, which MDE has already remedied by providing specific manuals for the correct management of the feedback to be provided to interested parties”.

During the hearing, the representatives of the Company intended to add that “MDE is a recently established entity, established in 2022, and for this reason its structuring, also with regard to the implementation of procedures regarding the protection of personal data, has been progressive and corresponding to the significant success that its initiatives have achieved. This is to state that any misalignments that occurred in the initial phase of its activity have already been analyzed and intervened upon, so that today it can be considered that the Company has reached a satisfactory level of compliance with privacy obligations, which it intends to further consolidate”.

As for the modest number of subjects who have exercised the rights pursuant to Articles 15-22 of the Regulation, as proof of the correspondence of the processing with the expectations of the interested parties, the Company has stated that “the eight requests to exercise the rights were all substantially identical because they were activated at the probable instigation of competitor organizations”.

MDE then illustrated the corrective measures already implemented to make the processing fully compliant with the legislation in force: “first of all, as mentioned, a complete review of the information [...] and internal procedures was carried out, also identifying the support of a professional figure as Data Protection Officer. Specific training for staff (composed of three units, in addition to the legal representative who has an operational role) has also been started, which has also led to the proceduralization of the activities for responding to any requests for exercising rights. Security measures have also been significantly increased, in order to guarantee the integrity of the systems and personal data contained therein, taking into account the growth in numerical terms of the affiliates. Finally, the sending of disputed letters has been immediately stopped, so that to date the Company's initiatives are advertised through social media marketing activities and for this purpose, a landing page has been prepared for those who are interested, which redirects to the Company's information. In the case of flyers, a QR code or a link is inserted in the message that directly refers to the aforementioned information”.

Therefore, the Company, "in light of the good faith demonstrated, the loyal collaboration with the Authority, the measures implemented, the absence of previous violations in the field of personal data protection and the commitment for the future also demonstrated by the growth of trust of its affiliates", has requested that today's proceedings be archived or at least that any corrective measures be based on the principle of proportionality, reducing the possible afflictive impacts to a minimum.

3. AUTHORITY'S EVALUATIONS

The arguments put forward by MDE, although based on loyal collaboration with the Authority and indicative of an appreciable commitment to overcoming the contested critical issues, are not suitable to exclude its liability in relation to the contested violations.

In fact, as regards the first objection, the circumstance that the Company sent 15,000 informative communications by post to the same number of shareholders of XX is confirmed, acquiring the names from a list provided by a shareholder of the Bank and therefore processing the data of the name, surname and postal address of the interested parties and their status as shareholders of the bank.

These communications promoted MDE's initiatives to protect the aforementioned shareholders and invited them to participate in meetings organised by the MDE Company in order to gather support for the class action currently being taken against the Bank. It should be noted that, in the case in question, both the collection of the data reported in the list of shareholders of the Bank and the communication sent to the 15,000 recipients, to be classified as an informative-promotional communication, are unlawful.

With reference to the overall processing of personal data in question, consisting not only of the sending of communications but also of the preliminary phase of collecting the personal data of the interested parties associated with the status of shareholder of the Bank, reference must be made to the observations already set out by the Office regarding the substantial requirements of the legal basis provided for by art. 6, par. 1, letter f) of the Regulation to support the legitimacy of the processing itself (concreteness and topicality of the interest; explanation of the methods of balancing the interest with the fundamental rights and freedoms of the interested parties; existence of a relevant and appropriate relationship between the data controller and the interested parties, such as to suggest that the latter can reasonably expect the processing), requirements that are lacking here as also demonstrated by the unsuitable and irregular method of data collection.

In relation to the Company's defensive considerations, it must also be noted that the appropriate and pertinent relationship between the data controller and the interested parties, such as to make the processing carried out reasonably expected, cannot be inferred ex post from the absence of "reactions" from the majority of the interested parties themselves, but must be an element that existed before the processing was carried out, an element that is clearly explained, as is that of the balancing of the interests at stake, in a formal information notice that also indicates the facilitated methods for exercising the right to object.

To this must be added that, in the case in question, given the informative-promotional nature of the communications made by MDE, they could be legitimately sent only if the Company had acquired specific consent from all interested parties, as provided for by art. 130, paragraph 3, of the Code, since the current legislation dispenses with consent as the legal basis only in the case of data taken from public telephone directories, pursuant to the subsequent paragraph 3-bis.

For the sake of completeness, it should be reiterated that the invoked legal basis of legitimate interest cannot replace the data subject's consent in cases where the same constitutes the condition for the lawfulness of the processing ordinarily provided for, nor can the data controller retroactively resort to the basis of legitimate interest to remedy gaps in the acquisition of consent, as in the present case (in this regard, see the Art. 29 Group Guidelines on consent pursuant to Regulation (EU) 2016/679, 10 April 2018, WP 259 rev.01, as referred to in the provision of the Guarantor no. 7 of 15 January 2020, in www.gpdp.it, web doc. no. 9256486).

With reference to the second objection, concerning the suitability of the information notice, it should be noted that the notice repeatedly referred to by the party, published on the Company's website, cannot be considered to fulfil the data controller's obligations to inform the interested parties about the processing carried out, since it was not explicitly referred to in the communications sent (in which the web address of the site was simply reported) and in any case concerned only the processing connected to navigation on the site itself, without any reference to the processing carried out for the sending of informative-promotional communications, to the related legal basis or to the methods for exercising the rights of the interested parties.

The documents of the proceeding show that an information notice with the characteristics mentioned above was not provided, at least within the terms provided for by art. 14 of the Regulation, i.e. in conjunction with the first promotional communication.

Finally, with reference to the third objection, note is taken of the statements made by the party that, in seven out of eight cases, the response to the requests to exercise the rights was provided to the interested parties verbally or following telephone contact; this element, however, appears insufficient to exclude the liability of MDE, given that a request made on paper must be met with a response having the same characteristics, also in order to prove the correct fulfillment of the obligations under art. 12 of the Regulation.

On the basis of the above considerations, the violations indicated in the notice of dispute, at points a), b) and c), must be considered confirmed.

As for the scope of these violations, while the conduct carried out and the significant number of interested parties involved do not allow them to be classified as "minor violations", the proactive conduct of the Company must be taken into account in the case in question.

The Company, in fact, in addition to having carried out a complete review of the information and internal procedures, also identifying the support of a professional figure such as the DPO, has declared that it has started specific training for staff and proceduralized the activities for responding to any requests to exercise rights. It has also stated that it has significantly increased the security measures, in order to guarantee the integrity of the systems and personal data contained therein, taking into account the growth in numerical terms of the affiliates.

What is, however, of greater relevance is the interruption of the sending of the disputed letters, so that to date the initiatives of the Company, based on what it has declared, are advertised through social media marketing activities; for this purpose, a landing page has been prepared for those who are interested, which redirects to the Company's information notice. In the case of flyers, a QR code or a link is inserted in the message that refers directly to the aforementioned information notice.

These choices make it unnecessary to adopt corrective measures, with the exception of the prohibition of further processing of personal data present in the list of XX shareholders, acquired by MDE from a shareholder of the Bank.

4. CONCLUSIONS

For the above reasons, MDE is deemed to be liable for the following violations:

a) art. 5, paragraphs 1, letter a), and 2; art. 6; art. 24 of the Regulation, for having carried out processing consisting of the collection of personal data of XX shareholders and the sending to them of 15,000 informative communications on the Company's initiatives, in the absence of an appropriate legal basis and in conflict with the principles of lawfulness and accountability;

b) art. 5, paragraphs 1, letter a), and 2; art. 13 of the Regulation, for having carried out the above-described processing without having provided the interested parties with appropriate information, in conflict with the principles of fairness and transparency;

c) art. 12, paragraphs 2-4, in relation to articles 15-22 of the Regulation, for having failed to provide feedback to the requests to exercise the rights formulated by the interested parties.

Having also ascertained the unlawfulness of the processing under examination, it is necessary to:

- impose on MDE, pursuant to art. 58, paragraph 2, letter f) of the Regulation, the prohibition of further processing of the data present in the list of shareholders of XX, acquired from a shareholder of the Bank;

- adopt an injunction order, pursuant to art. 166, paragraph 7, of the Code and 18 of Law no. 689/1981, for the application against MDE of the administrative pecuniary sanction provided for by art. 83, paragraphs 3 and 5, of the Regulation.

1. INJUNCTION ORDER FOR THE APPLICATION OF A PECUNIARY ADMINISTRATIVE SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to Articles 166, paragraph 7, of the Code and 18 of Law no. 689/1981, for the application against MDE of the administrative pecuniary sanction provided for by Article 83, paragraphs 3 and 5, of the Regulation (payment of a sum of up to € 20,000,000.00 or, for companies, up to 4% of the annual worldwide turnover of the previous financial year, if higher).

To determine the maximum fine of the pecuniary sanction, it is therefore necessary to refer to the turnover of MDE, as obtained from the ordinary financial statement relating to the year 2023; this maximum fine is therefore determined, in the case in question, at €20,000,000.00.

To determine the amount of the fine, it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation.

In the case in question, the following are relevant:

1) the seriousness of the violations (art. 83, par. 2, letter a) of the Regulation), taking into account the object and purposes of the processing, attributable to information-promotional activities carried out through the acquisition of the list of members of XX and the sending of 15,000 information-promotional communications to the same number of interested parties;

2) as an aggravating factor, the significantly negligent nature of the conduct of the Company (art. 83, par. 2, letter b) of the Regulation), which, in qualifying the legal basis of the processing, did not take into account the specific conditions that make it possible to apply the legal basis of the legitimate interest of the data controller;

3) as a mitigating factor, the measures implemented by the Company to remove the effects of the unlawful conduct (Article 83, paragraph 2, letter c) of the Regulation);

4) as a mitigating factor, the circumstance that the Company has not previously been the recipient of a corrective and sanctioning measure by the Guarantor (Article 83, paragraph 2, letter e) of the Regulation);

5) as a mitigating factor, the degree of cooperation with the Authority (Article 83, paragraph 2, letter f) of the Regulation).

Based on the set of elements indicated above, and on the principles of effectiveness, proportionality and dissuasiveness provided for by Article 83, paragraph 1, of the Regulation, and taking into account the necessary balance between the rights of the interested parties and the freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational and functional needs of the Company, it is believed that the administrative sanction of the payment of a sum of €15,000.00 (fifteen thousand/00), equal to 0.075% of the maximum sanction, should be applied to MDE.

In the case in question, it is believed that the accessory sanction of the publication on the website of the Guarantor of this injunction order, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019, should also be applied, taking into account the seriousness of the violations and the disvalue of the conduct, with reference to the violation of the provisions on paper marketing, as well as the involvement of a significant number of interested parties.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

a) imposes on MDE, Movimento Diritti Europei s.r.l.s., in the person of its legal representative pro-tempore, with registered office in Treviso, via Jacopo Bernardi n. 25/c, tax code 05315450261, pursuant to art. 58, par. 2, letter f) of the Regulation, the prohibition of further processing of the data present in the list of shareholders of XX, acquired from a shareholder of the Bank;

b) orders MDE, pursuant to art. 157 of the Code, to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the measure imposed in letter a) of this provision; any failure to comply with the provisions of this point may result in the application of the administrative pecuniary sanction provided for by art. 83, paragraph 5, of the Regulation.

ORDERS

MDE to pay the sum of €15,000.00 (fifteen thousand/00) as an administrative pecuniary sanction for the violations indicated in the reasons, noting that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by complying with the provisions given and paying, within thirty days, an amount equal to half of the sanction imposed.

ORDERS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 15,000.00 (fifteen thousand/00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981.

ORDERS

a) the publication of this provision, pursuant to art. 154-bis of the Code and 37 of Regulation no. 1/2019, as well as the application of the accessory sanction of the publication on the website of the Guarantor of this injunction order, as provided for by art. 166, paragraph 7 of the Code and 16 of the Guarantor Regulation no. 1/2019;

b) the annotation of this provision in the internal register of the Authority - provided for by art. 57, paragraph 1, letter u), of the Regulation, as well as art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor - relating to violations and measures adopted in accordance with art. 58, par. 2, of the Regulation itself.

Pursuant to art. 78 of the Regulation, as well as arts. 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, an objection to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is resident, or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 13 February 2025

THE PRESIDENT
Stanzione

THE REPORTER
Ghiglia

THE DEPUTY SECRETARY GENERAL
Filippi
1. This law is Italy’s so-called “Privacy Code”. Article 130 is a national implementation of the ePrivacy Directive’s rules on unsolicited marketing communications. See Article 13 Directive 2002/58/EC.