Garante per la protezione dei dati personali (Italy) - 10139147
Garante per la protezione dei dati personali - 10139147 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 4(11) GDPR; Article 5 GDPR; Article 7 GDPR; Article 12 GDPR; Article 13 GDPR; Article 24 GDPR; Article 25 GDPR; Art. 122 d. lg. 196/2003 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 23.09.2023 |
Decided: | 29.04.2025 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 10139147 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Italian |
Original Source: | GPDP (in IT) |
Initial Contributor: | cci |
Following an ex officio investigation, the DPA warned a business for failing to provide sufficient information about the cookies on its website.
English Summary
Facts
In 2022 the DPA planned several ex officio investigations on the compliance of cookies and cookie banners, with a focus on e-commerce websites, vehicle retailers, tourism agencies, and transportation companies.
In 2023, the DPA started one of its planned investigations, focusing on an unnamed business (the controller).
The DPA found that the website’s cookie banner presented users with the “accept all cookies”, “only accept necessary”, and “settings” options, along with an “X” button that closed the banner. Additionally, the banner only provided very generic information on the use of non-essential cookies. Furthermore, the footer of the website included non-functioning links to the website’s cookie policy.
Holding
The DPA held that the lack of information about cookie use rendered the user’s consent invalid. For this reason, the DPA reprimanded the controller for violating Articles 4(11), 5, 7, 12, 13, 24 and 25 GDPR as well as Article 122 of the Italian data protection code.
The DPA did not issue a fine. In this regard, the DPA considered that the controller changed the design of the cookie banner and provided more information to visitors during the procedure.
Comment
The decision does not list Article 6 GDPR among the violated provisions. This is likely an oversight, as the motivation explicitly states that the cookie banner did not collect valid consent and that the controller violated Article 4(11) (which defines consent under the GDPR).
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[web doc. no. 10139147]
Provision of 29 April 2025
Register of provisions no. 246 of 29 April 2025
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Dr. Claudio Filippi, Acting Secretary General;
SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);
HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the “Code”);
HAVING SEEN the Guidelines on cookies and other tracking tools of 10 June 2021 (in www.gpdp.it, web doc. no. 9677876, hereinafter the “Cookie Guidelines”);
HAVING SEEN the Memorandum of Understanding of 30 March 2021 signed by the Guardia di Finanza and the Guarantor for the protection of personal data;
HAVING SEEN note no. 57504 of 21 October 2022 with which the Authority, taking into account the need to carry out a verification of compliance with the aforementioned Cookie Guidelines, also in light of the numerous complaints and reports received on the matter, delegated to the Special Unit for the Protection of Privacy and Technological Fraud of the Guardia di Finanza (hereinafter also “Unit”) the carrying out of a series of online checks, requesting to concentrate the activity, in a first phase, on a sample of operators in the field of e-commerce, the marketing of motor vehicles, as well as the treatments carried out by tourism operators and land, sea and air transport companies;
SEEN note no. 38468 of 3 March 2023 with which the Unit provided the lists of possible recipients of the checks, indicating the geographical area of origin and the turnover;
SEEN note no. 130776 of 21 September 2023 with which, in compliance with the canons of homogeneity of the intervention and in application of a predetermined and uniform selection criterion throughout the national territory, also based on dimensional and geographical indicators, XX S.r.l. was indicated, together with other owners, among the subjects receiving said checks, actually carried out on 8 November 2023 in relation to the XX website;
CONSIDERING that the following emerged in that context:
1) when opening the website, an instant-appearing banner appeared on the use of cookies which reported the wording «Information We use cookies or similar technologies, as specified in the cookie policy, to provide a more modern and effective response to site navigation and your preferences. Non-mandatory cookies are deactivated but you can change this choice at any time, as well as having certainty of our privacy and cookie policies, by clicking on the padlock image»;
2) this banner contained the buttons “Accept all”, “Accept only necessary”, “X” and “Options”;
3) while browsing the website, a command depicting a padlock was always visible, clicking which a pop-up called “Privacy Control Center” appeared, divided into five further subsections: “Information on the site”, “My rights”, “My privacy profile”, “Privacy information”, “Cookie management”;
4) the section called “Cookie management” allowed you to customize your preferences on the use of cookies other than technical cookies and contained certain information on the tracking technologies used by the website;
5) by clicking on any of the commands in the banner, the latter disappeared and did not reappear even in the event of subsequent accesses to the site, but a second banner became visible bearing the wording “This site uses third-party cookies and tracking services” and the command “OK”;
CONSIDERING, also, that, following a further access to the XX site, following the investigation carried out by the Special Privacy Unit of the Guardia di Finanza, it emerged that the second banner (see previous point no. 5) was no longer visible; but that, however, the links to the information, reported in the footer of the site, continued to not work;
SEEN the note of 4 March 2024 with which, pursuant to art. 166, paragraph 5, of the Code, the Authority communicated to XX S.r.l. the initiation of the procedure for the possible adoption of the measures referred to in art. 58, paragraph 2, of the Regulation and the alleged violations of the law identified, in the specific case, in the violation of arts. 4, point 11; 5; 7; 12; 13; 24 and 25 of the Regulation and art. 122 of the Code, as well as in the conflict with the Cookie Guidelines, attributable to the failure of the links useful for consulting the privacy policy and the cookie policy, as well as to the generic nature of the information reported in the banner, which invalidated the consents expressed in relation to the use of cookies of a nature other than technical;
SEEN the defensive briefs transmitted on 3 April 2024, to be considered fully recalled and reproduced here, with which the owner preliminarily contested the methods of carrying out the investigative activity and the regularity of the communication of the start of the procedure, also noting that at the time of the inspection activity the XX site was undergoing technical interventions; the Company did not request to be heard by the Authority;
CONSIDERED that it cannot accept the exceptions advanced by the Company, since the objections raised against XX S.r.l. concerned purely documentary aspects, acquired in the files, concerning the correctness and adequacy of the banners and the information used;
FURTHER CONSIDERED that it is not possible to accept the exceptions raised regarding the completeness of the act initiating the proceedings and the alleged violation of the right of defense, since all the contested violations were punctually motivated both from a factual and legal perspective, thus allowing the owner to fully exercise his right of defense;
NOTING that following a further access to the site by the Office, carried out on a date subsequent to the transmission of the aforementioned defense briefs, it emerged that, pending the proceedings, the owner had integrated the privacy information present on the site and had reconfigured the banner in such a way as to allow the user to continue browsing without installing cookies other than those of a technical nature or to express informed, specific and granular consent to the receipt of cookies of a nature other than the technical one;
CONSIDERING that the conduct carried out by the data controller has constituted a violation of Articles 4, point 11; 5; 7; 12; 13; 24 and 25 of the Regulation and Article 122 of the Code, as well as the indications contained in the Cookie Guidelines;
CONSIDERING, however, the appreciable effort of the data controller to remedy the contested violations, by adopting the measures and amendments illustrated;
CONSIDERING, therefore:
a) that the measures adopted by the data controller are suitable for removing the critical issues reported above and, therefore, that it is not necessary to prescribe further corrective measures in this regard;
b) due to the specific nature of the investigation, that in this case it is possible to disregard the adoption of pecuniary sanctions, limiting itself to issuing a warning to XX S.r.l. pursuant to Article 58, paragraph 2, letter b) of the Regulation, for failure to comply with the provisions on the processing of personal data through the use of cookies and other tracking tools detected during the investigation;
CONSIDERING that the conditions exist to proceed with the annotation in the internal register of the Authority referred to in art. 57, par. 1, letter u), of the Regulation, in relation to the measures adopted in this case against XX S.r.l. in accordance with art. 58, par. 2, of the Regulation itself;
SEEN the documentation in the files;
SEEN the observations formulated pursuant to art. 15 of the regulation of the Guarantor no. 1/2000;
REPORTER Prof. Pasquale Stanzione;
CONSIDERING ALL THE ABOVE, THE GUARANTOR
a) considering the measures adopted by the owner to remove the critical issues highlighted in the notice of contestation to be adequate, deems it unnecessary to prescribe further actions in this regard;
b) pursuant to art. 58, par. 2, letter b) of the Regulation, issues a warning to XX S.r.l., with registered office in XX, VAT number XX, as data controller, for failure to comply with the provisions in force regarding the processing of personal data through the use of cookies and other tracking tools as better indicated in the reasoned part;
ORDERS
pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation, of the violations and the measures adopted.
Pursuant to art. 78 of the Regulation, as well as arts. 152 of the Code and 10 of Legislative Decree 1 September 2011, no.
150, an objection to this provision may be lodged with the ordinary judicial authority, with an appeal filed, alternatively, with the court of the place where the data controller resides or has its headquarters or with that of the place of residence of the interested party within thirty days from the date of communication of the provision itself or sixty days if the appellant resides abroad. Rome, 29 April 2025 THE PRESIDENT Stanzione THE REPORTER Stanzione THE ACTING SECRETARY GENERAL Filippi