Garante per la protezione dei dati personali (Italy) - 9737185

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(a) GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 21 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 25.11.2021
Fine: 400000 EUR
Parties: B&T S.p.A.
National Case Number/Name: 9737185
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante Privacy (in IT)
Initial Contributor: sabrina_salmeri

The Italian DPA imposed a fine of €400,000 on a controller for the sending of unwanted advertising SMS without obtaining prior consent and without exercising adequate control over the lawfulness of the processor's activities.

English Summary

Facts

Following the receipt of several marketing SMS from a sender named Dorelan, the data subject tried to stop the unwanted activity by contacting what appeared to be the owner of the Dorelan brand, that is to say the company B&T Spa. The latter, however, claimed to have no involvement in the sending of the SMS and referred the data subject to another third party company, Aimon Srl. The data subject subsequently contacted Aimon in order to exercise their rights of access and objection. However, Aimon also denied any responsibility, claiming that the data subject's contact details had been obtained from other database suppliers.

During the investigation, the Italian DPA verified that B&T Spa had instructed Aimon to send promotional SMS to potential customers. The marketing company then made use of other suppliers who in turn had acquired the databases from third parties. In this succession of steps, based on the model of "Chinese boxes", it emerged that the data of the people contacted came from unverified, most likely unlawful collection activity. Just to name a couple, two data brokers had declared their offices in Florida and Switzerland. None of them had ever appointed their own representative in Italy or, to our knowledge, in any other Member State, in violation of Article 27 GDPR.

Holding

Taking into account the circumstances of the case, the Italian DPA affirmed that B&T was certainly to be qualified as data controller and Aimon as data processor. More precisely, B&T had, among other things, determined the reason for which the processing was carried out (the sending of promotional messages) and had chosen the criteria that Aimon should have followed in carrying out such activity.

The Italian DPA held that B&T had violated several provisions. First, the company did not seek any consent prior to the sending of the advertising SMS, therefore violating Article 6(1)(a) GDPR and Article 130 of the Italian Privacy Code. Second, the company failed to define the roles within the data processing chain, did not provide clear information to the data subject and, in so doing, made it impossible for the data subject(s) to exercise their rights. This amounted to a violation of Article 5(1)(a), Article 12, Article 13, Article 14 and Article 21 GDPR.

Therefore, on the basis of all the elements indicated above, the DPA held that a €400,000 fine should be applied to B&T.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.


- SEE ALSO NEWSLETTER OF 31 JANUARY 2022

[doc. web n. 9737185]
Injunction order against B&T S.p.A. - November 25, 2021
Record of measures
n. 413 of 25 November 2021
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei, general secretary;
GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC (General Data Protection Regulation, hereinafter the "Regulation");
GIVEN the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n.196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter the "Code");
HAVING REGARD to the documentation on file;
HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;
SPEAKER Attorney Guido Scorza;
WHEREAS
1. THE INVESTIGATION ACTIVITY CARRIED OUT
With a complaint of 22 February 2019, submitted to this Authority pursuant to art. 77 of the Regulation, the lawyer XX, representing having received numerous unwanted text messages with the sender "Dorelan", complained about the inability to fully exercise their data access and opposition rights.
In particular, the lawyer XX reconstructed, attaching relevant documentation, the exchanges that took place with B&T S.p.A. (hereinafter, B&T), owner of the Dorelan brand and subject identified by the link at the bottom of the text messages. From these interlocutions it emerged that B&T had declared itself extraneous to the material sending the text messages, which a third party (not mentioned) would have provided on its behalf, and had invited the complainant to enter his telephone number at the link https://www.smsspot.it/privacy-cancellazione/ or to write to support@smsspot.it. From this last address, entered for information in the exchanges, a further reply was received to the complainant in the name of the Company Aimon s.r.l. who qualified as an “external manager, as… it is aimed at database suppliers”. Aimon also failed to provide information on the owner of the database, qualified as the data controller, but limited itself to informing the complainant that his requests would be forwarded to privacy@runwhip.com. From the documentation on file, it does not appear that the latter address has ever received a reply to the complainant.
The Office, with a note dated 7 November 2019, forwarded the complaint to all parties involved (B&T, Aimon and Runwhip S.r.l.) asking them to provide comments on what is represented.
Runwhip never provided feedback, not even on the occasion of subsequent reminders and notification of the notice of initiation of the procedure by the Guardia di Finanza (this conduct will be assessed in a separate provision).
From the feedback provided by B&T and Aimon to the request for information, the following emerged:
- B&T stated that it did not have the material availability of the data but that it contacted Aimon who would send promotional messages through the "SMS Spot" platform using databases acquired in the market; in the case complained of by XX, a database provided by Runwhip S.r.l. was used;
- Aimon, confirming the reconstruction of B&T, added that he had acquired the data of the complainant from Runwhip which would have collected it from company XX and that he had used it for sending the text message; has not, however, provided documentation proving the data acquired and the checks made on the alleged lawfulness of the same;
- both assured that, despite not having the material availability of the complainant's data, they had nevertheless taken note of his opposition to receiving further contacts aimed at promoting the Dorelan brand.
Subsequently - with pec of 20 January 2020 directed to the Guarantor, Aimon, Runwhip and B&T - the lawyer XX complained that he received a further text message containing Dorelan-branded promotional offers, despite the alleged acceptance of the opposition. To this request, Aimon replied on 6 February 2020, with pec addressed to XX and to the Guarantor, that the complainant's number "was made available for the sole purpose of using it for sending the message in favor of the B&T SpA to the undersigned company by company XX [which] markets the data collected in turn by XX". He also added that the latter company would have collected the data of the XX on May 23, 2016, following a completed registration on the website www.ricercaperte.com and, to substantiate this statement, attached a string extracted from a database in which such information is found together with the fields called "1° Privacy" and "2° Privacy" valued at "Yes". With regard to the dispatch made after the opposition and despite the assurances provided regarding the implementation of the same, Aimon stated that it was a technical problem.
Finally, on 3 December 2020, in response to a specific request for clarification from the Office also sent to XX, B&T reiterated that it had not acted as data controller, but that it had entrusted the promotional service to Aimon, trusting in the contractual guarantees offered by the latter regarding the lawfulness of the personal data used for the promotional campaign. The same also added that she had terminated the contract with Aimon as a result of the facts that emerged with the complaint.
The one presented with the complaint in question, however, does not represent an isolated case since, on January 20, 2020, a complaint from Mr. XX with almost similar complaints was received: the receipt of a text message with sender "Dorelan" containing promotional offers relating to the Dorelan brand, following which the interested party contacted B&T who invited him to contact Aimon. Also in this case, Aimon replied to the interested party that the data controller is the person who holds the database (in particular, XX).
2. CONTESTATION OF VIOLATIONS AND EXERCISE OF THE RIGHT OF DEFENSE
2.1. The dispute
In light of what emerged from the preliminary investigation, on March 9, 2021, B&T and Aimon were notified of the initiation of the procedure pursuant to art. 166, paragraph 5, of the Code. The Office, in particular, noted that both B&T and Aimon had carried out the processing of personal data, while not recognizing any role in this regard and without consequently regulating their respective roles and responsibilities. Consequently, the violation of art. 5, par. 1, lett. a) and art. 12, 13 and 14 of the Regulations, since adequate information was not even provided to the interested parties and that the latter had not been enabled to exercise their rights correctly.
Furthermore, the violation of art. 21 of the Regulations, as it was not possible to exercise the right to object, as well as the violation of art. 6, par. 1, lett. a) of the Regulations and art. 130 of the Code, by reason of sending the second text message to XX, despite the opposition already expressed by the interested party and allegedly acknowledged by the Companies.
The defensive briefs subsequently forwarded, with which the contractual documentation that had regulated the relations between the parties was produced for the first time, made it possible to reconstruct the concrete attitude of the roles and responsibilities regarding the processing of personal data, beyond the qualification that the parties themselves had attributed and with results in part different from those proposed in the replies provided to the interested parties and to the Guarantor.
2.2. The defense of B&T
B&T, who was also heard at the hearing, stated that it had never had the material apprehension of the data but that it had instructed Aimon, which presented itself as market leader, to find the contact lists, selecting them exclusively among those which guaranteed greater reliability, and to physically provide for the sending of text messages. This assignment had been remunerated with a large consideration precisely by virtue of the greater guarantees required in terms of the lawfulness of the contacts used. Relying on these contractual guarantees and counting on the positive results of the collaboration established, there was no need to exercise a power of control that went beyond the usual verbal interlocutions. Moreover, according to B&T, Aimon had full autonomy in the choice of database suppliers and for these reasons it was also responsible for dealing with any requests for cancellation received (which B&T could not verify in any way not having access to the lists).
In any case, in order to facilitate the protection of the interested parties as much as possible, B&T has implemented some corrective measures such as, for example, the modification of the information published on the landing page accessible from the link at the bottom of the text messages, with indication of the channels to send requests for the exercise of rights. The same also promptly checked every request received by the customer service, forwarding it at the same time to Aimon (as for example in the case complained of by Mr. XX). In this context, the choice to use the Dorelan brand within the messages was inserted with the aim, on the one hand, of guaranteeing greater seriousness in the communication and, on the other hand, of being able to indirectly have a control over the work of the supplier, through feedback from interested parties.
Finally, precisely as a result of XX's complaint, B&T considered that the trust requirements towards Aimon were no longer valid and terminated the contract, although aware of the losses caused by the interruption of the promotional campaign in full sales period.
2.3. Aimon's defense
In the memorandum of 8 April 2021, Aimon described the activity carried out on behalf of B&T, representing that, where the latter had in fact the role of a mere client, Aimon had acted as data processor on behalf of the subjects who carry out the databases and which are to be considered the only data controllers. In particular, in the reconstruction made by Aimon it was represented that some third parties, using web platforms, have provided for the material collection of the data of the interested parties (for example by participating in competitions or registering for online services) acquiring, after providing information, a specific consent for sending promotional messages and for transmission to third parties. These subjects would then make use of the Aimon platform for the forwarding material of messages whose promotional content concerned third party products such as B&T. Therefore, having defined the purposes of the processing (the exploitation of the collected data for promotional purposes), these list providers have been qualified as owners.
With regard, however, to the specific cases subject to the complaint, Aimon stated that:
- "on 11/29/2018 the XX used the data of the lawyer XX to send, as data controller using our sms sending platform, the message containing information relating to B&T";
- "on 17/01/2020 the XX Inc used the data of the lawyer XX to send, as data controller using also in this case our sms sending platform, the message, also in this case containing information relating to B&T";
- "the data of Mr. XX, have also been used on 16/01/2020 always by the XX".
The Company, therefore, "by hosting such data on its platform", would have acted as data processor on behalf of these subjects (hereinafter, XX and XX) also dealing with the management of the cancellation requests received from the interested parties.
Aimon also added that "the relationships with the aforementioned data controllers are the result of the intermediation activity carried out by two different companies through which it was possible to identify these subjects as suppliers". In particular, Runwhip S.r.l. had taken care of acting as a commercial intermediary with XX while XX had promoted the commercial agreement with XX. Both Runwhip and XX, according to what was declared in Aimon's memory, would not have carried out any activity regarding the processing of data, limiting themselves to intermediating the commercial relations between Aimon and the list providers (foreign subjects who want to operate in the Italian market).
The same Company then represented that it had carried out preventive checks on the lawfulness of the lists formed by the persons qualified as data controllers, and in particular:
- "with the active collaboration of intermediaries" (Runwhip and XX), verified the characteristics of the information used at the time of data collection and the existence of suitable consents (verified by sample); however, no documentation proving such sample checks was attached;
- with regard to the first text message sent to XX, he verified that the data subject's data had been collected on the website www.bedrive.it; the party has produced (att. 9 to the memory) a copy of the information published at the time on the said site (from which XX appears as the data controller) and an exchange of emails between XX, Aimon and XX from which it appears that the latter replied to XX on January 21, 2019, after having "received the report from ... the Runwhip contact person", indicating the personal data in its possession, the website of the acquisition, the date (January 3, 2017) and the IP with which registration would have been made; it should be noted that XX's response is sent to the email address XX, an address never used by XX in his discussions with the Guarantor and with all those involved and resulting solely from the extraction allegedly carried out from the database of XX itself. In fact, the attachment shows that Runwhip forwarded XX's request to XX, asking her to provide feedback, and that this request came from the complainant's pec address and not from the aforementioned gmail address. It is therefore likely that XX has never received this feedback since the complaint was integrated in March 2019 complaining of the lack of information, as done in subsequent interlocutions until further reporting on January 20, 2020;
- with regard to the second text message sent to XX and the one sent to XX in January 2020, he verified that the data of the interested parties had been collected on the website www.ricercaperte.com, of which they attach the information and two strings indicating the registration, which would have taken place on 23 May 2016 for XX and 18 December 2016 for XX. For both, the fields indicated as “1st privacy” and “2nd privacy” are set to “yes”. Aimon declares that, on the basis of what was confirmed by the supplier XX, the two fields reported respectively indicated the acceptance of "general terms and conditions and I wish to receive information from research open and associated websites" and the consent to treatment "for sending information and commercial offers also from third parties to whom it will be possible for the owner to communicate the personal data provided by me" (see attachment 10 to the memorandum);
- for XX, an exchange of conversations between the interested party, B&T and Aimon (partly already produced with the complaint) is attached, from which it emerges that XX, on 20 January 2020, received from the address privacy@ricercaperte.com the same string proving the registration on the site and the consents given; the communication is signed by "the staff of Cercaaperte" without any other information regarding the identity of the sender. It is noted that, with the reply sent on January 20, 2020 to Aimon, B&T and XX, XX denied the registration and reported that the residence data reported were partly incorrect;
- to assess the adequacy of the measures adopted by the database suppliers, Aimon would have deemed sufficient the indication of the date of acquisition of the consent by selecting the appropriate boxes on the websites and would have verified that "the owners envisaged suitable procedures to guarantee that the will of the interested party to revoke his consent is effectively respected"; no documentation has been produced of these checks;
- the Company, having taken note of what emerged in the preliminary investigation, has changed some operating procedures, for example by indicating in the text of the messages a reference of the owner, so as to make him contactable directly by the interested parties; moreover, he declared that he had taken steps to have the data of the complainants deleted.
3. THE ASSESSMENTS MADE BY THE OFFICE
Aimon has attached to its defense brief the information that would have been published, at the time of the alleged registration by the interested parties, on the websites of XX and XX. Examination of these information shows that:
- XX, owner of the website www.bedrive.it, is based in Lugano, Switzerland, and indicates as contact details a physical address in Switzerland and the email XX; an establishment in the territory of the European Union is not indicated and the representative in the Union is not indicated (as required by art. 27 of the Regulation); in addition, the storage times indicated in the information are not defined by referring only to "the time strictly necessary to carry out the purposes illustrated";
- XX, owner of the website www.ricercaperte.com, is based in Florida and indicates as contact details a physical address in Florida and emails XX and XX; an establishment in the territory of the European Union is not indicated, nor a representative in the Union; here too, with regard to storage times, reference is made only to the "time necessary to perform the service requested by the user or required by the purposes described";
- with regard to the website www.ricercaperte.com, the Office on 6 October 2021 verified that it contains only a form to be filled in to participate in the contest called "win an iPhone XS". It is required to enter the following data: name, surname, date and place of birth, residential address, email, telephone number; there are four boxes, with optional selection, for the expression of the following consents: acceptance of the contractual terms and receipt of information from the site and from partners; receiving promotional messages from third parties to whom the data may be disclosed; transfer of data to third parties; profiling by promoemail.org and related companies. This site www.promoemail.org contains a very similar form and promises to win an iPad but indicates as the data controller the Company XX XX, based in London and with email address XX. Both sites show the link "regulation", the terms and conditions of the competition which, as indicated, takes place in the territory of the Italian Republic; in no case is the tax representative in the territory of the State indicated, who, being foreign subjects, should instead be appointed as required by art. 5, paragraph 2, of the Presidential Decree of 26 October 2001, n. 430.
Aimon has attached to its defense brief two signed documents called "data processing agreement", one with XX on 5 October 2018, and the other with XX on 6 December 2019. In these documents, Aimon is qualified as the data controller, while XX and XX as holders.
Furthermore, Aimon has attached the contract signed with Runwhip on 5 October 2018 and the one signed with XX on 6 December 2019. From the examination of the two contracts, from the same approach, it emerges that Runwhip and XX are qualified as "intermediary" with the role of facilitate access to the Italian market for subjects, such as XX and XX, holders of databases. It is also specified that these intermediaries operate, in turn, as data processors with respect to the owner of the database, qualified as the owner. The latter subject "making use of the assistance of the intermediary" uploads its database to the platform managed by Aimon for the material to be sent to end users. Furthermore, in both contracts it is specified that the intermediary, as the data processor, declares under his responsibility that the databases have been formed in compliance with the rules for the protection of personal data. It was not possible to concretely verify the role of these "intermediaries" since Runwhip avoided any interlocution and XX, mentioned only at the end of the investigation, was not asked.
Both Aimon and B&T have attached the three contracts signed for the 2018/2019/2020 campaigns.
In particular, from the examination of the contract signed on 4 October 2018 it emerges that Aimon undertook to select a specific target, differentiating the mailings by point of sale / geographical area and would have managed the cancellation requests through the email address supporto@smsspot.it. There is no qualification of the roles and responsibilities regarding data processing: B&T, as a customer, is defined as an "advertiser" and determines the campaign requirements and message texts; Aimon, on the other hand, "undertakes to send on profiled contacts according to the campaign requirements indicated by the customer". The information is given that the recipients' data come from registrations to online services and that the owners are the "publishers" of the websites. It is also provided that "at the beginning or at the bottom of the text of the text message or e-mail, the identifier of the publisher and/or the data processing manager is inserted, for which up to a maximum of nine characters are used. The identifier ... is a hyperlink type and leads to a web space within which the recipient can obtain detailed information about the signed privacy policy and the references of the data controller". However, as already described, in the text of the text messages received from the complainants the sender was indicated as “Dorelan” and the link referred to the Dorelan brand site.
The contract signed on January 3, 2019, similar in content, also provides that Aimon manages on behalf of B&T, in the case of interactive campaigns, a database with the data of the subjects who, by replying to messages, have expressed the desire to be contacted.
Finally, from the examination of the contract concluded on December 17, 2019, we note the addition of some passages. In particular, Aimon's responsibility is agreed to "verify the legitimacy of the databases to be used and to make the identification data of the suppliers from which it receives the databases known to the customer .... The customer has the right to oppose the use of certain suppliers" with express indemnity in favor of B&T for any damage that may arise from the use of personal data contained in these databases. The list of database suppliers "of contacts provided under license" to Aimon is attached to this contract.
4. LEGAL ASSESSMENTS
With reference to the factual profiles highlighted above, also based on the statements of the Company to which the declarant responds pursuant to art. 168 of the Code, the following assessments are formulated in relation to the profiles concerning the regulations on the subject of personal data protection.
4.1. On the qualification of roles regarding the processing of personal data
Recalling what has been reconstructed in the previous point 3, it is first observed that, by comparing the prospects reported in the briefs, the attached contracts and the documentation produced by the complainants, the cartel will of the parties does not correspond to the concrete execution of the conduct by Aimon and B&T. In fact, if in the contracts the parties have not given themselves any qualifications in the treatment, they have instead carried out a treatment, albeit with different roles and responsibilities, which has partly deviated in fact from what has been agreed. For example, it is noted that, despite having provided for the insertion of the name of the owner of the database in the text of the SMS, the message actually sent only contained a link to the Dorelan brand landing page (in this case, with reference to point sale of Siena).
Therefore, in order to determine the concrete attitude of the roles and, consequently, the degree of responsibility of B&T and Aimon, it is necessary to jointly examine the declarations of the parties with the documentary elements produced by these in the defense phase.
It is then necessary to recall the definitions of owner and manager pursuant to art. 4 of the Regulation, where the "owner" is the natural or legal person who, individually or together with others, determines the purposes and means of the processing, while the "data processor" is the person who processes personal data on behalf of the owner.
As better clarified in the EDPB Guidelines 7/2020, regardless of the contractual qualification of the roles, the owner is the person who determines the purposes (why) and the means, ie the methods (how), of the processing; on the other hand, the person who works on behalf of the owner is to be considered responsible, carrying out the instructions even with a certain degree of autonomy without however being able to exercise any faculty with regard to the choice of the purposes of the processing.
As already stated by the Guarantor in a similar case (provision of 26 October 2017 web doc no.7320903), the client of a promotional campaign, regardless of the material apprehension of the data, must be considered the data controller having concretely determined the decisions in order the purposes and methods of the processing itself.
In the present case it can be considered that the role of B&T is certainly to be qualified as data controller while that of Aimon, who acted in a delegated way on behalf of B&T, can be classified as responsible. This is because B&T: has concretely determined the reason for which the treatment was put in place (the transmission of promotional messages); has chosen the criteria that Aimon should have followed to carry out the processing (choice of target, frequency of sending, content of messages), thereby defining the essential means of processing; selected the data controller from the market and provided him with instructions on the expected level of quality in choosing the lists, also asking to verify that the data had been collected in compliance with the regulations.
Also the clarification, made during the hearing, regarding the choice to indicate "Dorelan" as the sender in order to have a useful feedback to check the supplier's work, expresses a legitimate prerogative of control by the principal who, at the same time, realizes one of the main responsibilities of the data controller.
Moreover, if the realization of a promotional campaign can (hopefully) bring benefits in terms of increased sales, this can also involve, if not correctly carried out, an infringement of people's rights as well as damage to that corporate image which instead they wanted to promote. It is therefore understandable that a client has an interest in carrying out those activities of selection and supervision, typical of those who work as data controllers, which constitute an obligation for him (as required by art.28 of the Regulation) but at the same time also an important opportunity to verify the correct execution of the order.
Furthermore, consideration must be given to the effects produced on the interested parties. In the specific case, on the basis of what is represented in XX's complaint but also in XX's subsequent complaint, promotional text messages were sent with "Dorelan" as the sender and containing Dorelan branded promotional offers. Such a configuration of the messages evidently generated in the recipients the belief that they had been contacted directly by the company belonging to the Dorelan brand. In fact, they first turned to B&T, on the basis of this legitimate expectation, and hardly understood the subsequent liability charges to other subjects.
In this regard, it is necessary to recall what was clarified by the Guarantor with the general provision of 15 June 2011 (in www.garantepivacy.it, web doc. 1821257) with specific regard to the fact that "... promotional contacts are made in the name, however on behalf and in the interest of the principal company; with the effect that legitimate expectations are created in the interested parties, since they perceive that they are recipients of advertising initiatives conducted directly by the company on behalf of which the proposal for the sale of products or services is formulated".
In this context, the owners of the databases (XX and XX) acted as independent owners since the treatment they put in place (collection, storage and transmission of data to third parties) is previous and completely independent from the treatment carried out by B&T.
For these reasons, the reconstruction proposed by the parties according to which, in the treatment in question, B&T would have been a mere client with no role, the suppliers of databases XX and XX would have been holders of the specific treatment that led to the sending text messages to XX and XX and, finally, Aimon would have acted as data controller on behalf of the database owners.
4.2. On the responsibility of B&T
The failure to qualify the roles in relation to the processing of personal data has resulted in the processing itself being deprived of the requirements of lawfulness, correctness and transparency, in violation of art. 5, par. 1, lett. a) and art. 12, 13 and 14 of the Regulation, since it does not appear that suitable information has been provided to the interested parties nor, in fact, the full exercise of their rights allowed (given the impossibility for them to easily trace the long chain of the subjects involved to obtain the requested information).
However B&T, even though it has not recognized any role in this sense, and having consequently not fulfilled the formal obligations on the part of the data controller, it appears, in fact, to have exercised the prerogatives of the owner himself as already clarified above, demonstrating to have paid attention during the selection and instruction of the manager.
At the same time, it must be taken into account that the control exercised by the owner over the work of the manager, by virtue of the trust placed in professional and contractual guarantees, was not at all adequate.
In fact, according to what was declared, B&T evaluated the verbal contacts between its employees and the low number of complaints received sufficient to believe that the activity was carried out correctly, while it does not appear that it requested the partner (and examined) the documentation proving the existence of the lawfulness requirements of the processing. For example, it does not appear that B&T has ever asked Aimon to document the origin of the data and, with regard to the advertising campaigns which include the text messages received by the complainants in January 2020, it should be noted that the contract signed between the parties in December 2019 it contained the list of list providers that Aimon intended to use, with B&T having the right to request their replacement. On this occasion, B&T, if it had carried out a check, could well have noticed the lack of some important assumptions to guarantee the lawfulness of the processing.
As reported in point 3 above, from reading the information of XX (indicated for the 2020 campaign) and from a simple consultation of the website www.ricercaperte.com, it was already possible to find elements of dubious compliance with the level of quality expected by the owner.
First of all, it was easy to verify the fact that the data had been collected by entities established outside the EU without any indication of the owner's representative in the Union. This requirement is instead mandatory pursuant to art. 27 of the Regulation, according to which (see Article 27, paragraph 3) this representative must not only be established in the Union but must have its registered office in one of the Member States where the data subjects are located and whose data are processed in the scope of the offer of goods or services. In addition, as already noted above with regard to the prize competition on the site ricercaaperte.com, there was also no indication of the tax representative in Italy, required by the rules governing prize competitions.
The choice of a subject not resident in the Italian territory, or at least in the EU territory, does not guarantee the interested parties the right to assert their rights and, at the same time, hinders the investigation activities of the Guarantor making it extremely difficult to verify the lawfulness of such treatments and impose corrective measures. These problems, which have already emerged during other investigations still in progress, have also been confirmed in the cases subject to complaint.
Also with regard to the lawfulness of the consents allegedly expressed by the interested parties, it is noted that the documentation produced by the list providers, through Aimon, is not suitable for demonstrating the actual expression of consent to the receipt of promotional messages and the transfer to third parties. In fact, with regard to the first text message sent to XX, the response from XX attached by Aimon only indicates a date and an IP address without any other reference and, for these reasons, it could at most indicate the date of registration on the site but not also document the performance of one or more specific consents. Instead, with regard to the strings produced by XX to document the consents expressed by XX and XX, it is noted that the first consent includes, in a single formula, the acceptance of the contractual terms and the consent to receive information to be researched and opened. associated websites. Furthermore, it was not possible to carry out any type of verification on the veracity of this documentation since XX is based in Florida and, as mentioned, it does not appear to have appointed a representative in Italy either for the processing of data or for the related tax aspects in the competition with prizes.
Moreover, the documentation of consent through the indication of the IP address only is a method that the Guarantor has already considered insufficient to certify the unequivocal will of the interested parties (see the aforementioned provision of 26 October 2017), since there are alternatives more suitable to guarantee a greater degree of certainty about the genuineness of the manifestation of consent (such as the practice of sending a confirmation message to the address indicated during registration).
The agreed provision of indemnity clauses is of no importance with respect to the guarantees to be given to the interested party but has value only with regard to the contractual liability of the parties. Therefore, despite B&T having leveraged the trust placed in Aimon and the contractual guarantees established, it is not possible to consider it devoid of responsibility for the effects produced on the interested parties (not only the complainants but all the recipients of the promotional activity carried out under such contracts). It is the responsibility of the data controller to make use of managers who offer sufficient guarantees but this is not enough to reduce the degree of responsibility in supervising that the data controller must constantly exercise during the processing activities. And this is even more necessary when the activity involves the involvement of third parties, due to the potential circumvention of the guarantee rules through the negotiated division of responsibilities.
It must be remembered that the orderly conduct of marketing activities, with the use of lawfully collected and updated data, in addition to avoiding dangerous drifts (such as phishing and scams), benefits the market itself by protecting virtuous operators and strengthening the trust of the interested parties. It is therefore necessary to adopt the utmost diligence in the selection of the databases and it is the task of this Authority to supervise the correct implementation of the treatments and to stem the circulation in the market of personal data whose origin cannot be concretely verified.
4.3. On the exercise of the right of opposition
The lack of qualification of the roles and the number of subjects involved in the processing also entailed the difficulty for the interested parties to exercise their rights since, once the request was addressed to B&T, correct information was not provided regarding the subjects involved in the processing and how to contact them directly, in violation of art. 12 of the Regulation. This has resulted in a significant limit to the exercise of that informational self-determination that is expressed precisely through the control that the interested party can carry out on their data with respect to the risks of dispersion or use that does not comply with the purposes of the related collection. In fact, it cannot be considered that an expression of will initially expressed in a conscious way with respect to certain treatments can have chain effects, through subsequent passages of personal data from one owner to the other in a completely imponderable way for the interested party. In the case in question, the interested party could not do anything other than contact B&T but this, despite being the data controller, had no tools to directly acquire the information requested and appointed Aimon; the latter, despite being the data processor in charge of acquiring the data and finding the requests, did nothing but forward them to the "intermediaries" who in turn forwarded them to the list providers, asking them to respond directly to the interested parties by virtue of the autonomous ownership of another treatment, the one that led to the initial data collection.
It is clear that such a cumbersome and opaque method cannot constitute a correct fulfillment of the owner's obligation to provide the interested parties with all the communications referred to in Articles 15 to 22 of the Regulation. Obligation to which the owner must provide directly, or through his manager, not being able to delegate this task to other independent owners, especially if he cannot directly verify the work.
In addition to not being able to obtain information about who had obtained the data and the documentation of the consent, the interested parties were also unable to correctly exercise the right to object. This is because Aimon, despite having taken note of XX's desire not to receive other communications from B&T, has given greater importance to the fact that the data had been extracted from two different databases, belonging to two different owners and therefore made the second sending.
In general, it must be taken into account that the opposition to the processing presented by the interested party would be nullified - as indeed happened in the case of XX - in the absence of suitable procedures, put in place by the data controller, aimed at keeping track of this opposition (even in the case of entrusting part of the processing to third parties). The acquisition by a business partner of a generic consent for third party promotional activities cannot in fact be considered sufficient to circumvent the desire not to be (any longer) contacted, specifically expressed towards a data controller. It is therefore the responsibility of the owner to ensure that the subjects who have revoked the consent, or have expressed a specific denial, are no longer the subject of promotional activities on their own account (see also provision of 9 July 2020, web doc. 9435753). In the case in question, in fact, Aimon sent a promotional text message in the interest of B&T even after the interested party had expressed his opposition to both companies. The lack of suitable procedures to implement the wishes of the interested parties has not guaranteed the exercise of the right of opposition, in violation of art. 21 of the Regulation resulting, consequently, that the sending of the second text message to XX was carried out in the absence of valid consent, in violation of art. 6, par. 1, lett. a) of the Regulations and art. 130 of the Code.
4.4. Conclusions
Having said all this, it must be considered that the arguments set out in the defense brief of B&T are not sufficient to overcome the disputes raised with the act of initiating the proceedings of March 9, 2021.
On the basis of what has been observed so far, having found a responsibility of B&T in the unlawfulness that has emerged, the violation of Articles 5, par. 1, lett. a), 6, par. 1, lett. a), 12, 13, 14 and 21 of the Regulations and art. 130 of the Code.
Consequently, it is necessary to order the same, pursuant to art. 58, par. 2, lett. d), if it intends in the future to make use of third parties to send promotional messages, to adopt suitable procedures aimed at correctly regulating contractual relations with the data processors, carrying out the necessary checks and preparing adequate information for the interested parties, as well as adopting suitable procedures to guarantee a full and effective response to the exercise of rights.
Furthermore, while having to take into account the fact that the conduct has been interrupted, with regard to the treatments already carried out, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to Articles 58, par. 2, lett. i) and 83 of the Regulations.
5. INJUNCTION ORDER FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION
On the basis of the above, given the violations referred to, the sanction provided for by art. 83, par. 5 of the Regulation.
For the purposes of quantifying the administrative sanction, the aforementioned art. 83, par. 5, in setting the maximum legal limit in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the previous year, whichever is higher, specifies the methods of quantifying the aforementioned sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulations), identifying, for this purpose, a series of elements, listed in par. 2, to be assessed when quantifying the relative amount.
In compliance with this provision, in the present case, the following aggravating circumstances must be considered:
1. the severity and duration of the violation, since the processing, although not supported by the necessary guarantees, continued from 2018 to 2020, with the sending of text messages to numerous mobile users (respectively: 2,490,000, 1,800,000, 3,220,000);
2. the degree of responsibility of the data controller who has not put in place any type of control over the activity of the manager, even if he has the possibility.
As mitigating elements, it is believed that we must take into account:
1. of the measures adopted by B&T in any case in order to contain the prejudice, including the fact that the feedback it provided to the interested parties, even if unsatisfactory for the aforementioned reasons, were in any case timely and the Company has shown that it has promptly taken action to request the intervention of the Aimon manager;
2. of the fact that, even if a fault deriving from negligence and inexperience is recognized, there is no fraud in the conduct since B&T, not possessing the professional skills to select the list providers, has turned to a known subject in the market by making an adequate economic investment with the intention of ensuring a corresponding level of quality;
3. the absence of previous proceedings initiated against the Company;
4. the degree of cooperation shown in the discussions with the Authority;
5. of the fact that the Company, once informed of the procedure established with the Guarantor and even before receiving the formal complaint, has decided to stop the promotional campaign commissioned from Aimon despite the potential losses.
With an overall view of the necessary balance between the rights of the interested parties and freedom of enterprise, and in the first application of the administrative pecuniary sanctions provided for by the Regulation, it is necessary to prudently evaluate the aforementioned criteria, also in order to limit the economic impact of the sanction on the organizational, functional and occupational needs of the Company.
Therefore it is believed that, based on the set of elements indicated above, in the comparison between the level of gravity of the conduct of the parties and the respective turnover, the administrative sanction of payment of a sum equal to 400,000.00 euros should be applied to B&T (four hundred thousand / 00), equal to 2% of the maximum authorized and, also due to the aggravating elements found, the ancillary sanction of the publication in full of this provision on the website of the Guarantor as provided for by art. 166, paragraph 7 of the Code and by art. 16 of the regulation of the Guarantor n. 1/2019.
Finally, it is believed that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations found here in the internal register of the Authority, provided for by art. 57, par. 1, lett. u) of the Regulations.
WHEREAS, THE GUARANTOR
pursuant to art. 57, par. 1, lett. f), of the Regulation, declares illegal the processing described in the terms set out in the motivation by B&T S.p.A., with registered office in Forlì, Via Due Ponti 9, VAT no. 00903510402, and consequently:
a) pursuant to art. 58, par. 2, lett. d), orders the Company, if it intends in the future to make use of third parties to send promotional messages, to adopt suitable procedures aimed at correctly regulating the contractual relations with the data processors, carrying out the necessary checks and preparing adequate information for the interested parties, as well as adopting suitable procedures to ensure full and effective feedback on the exercise of rights.
ORDER
B&T S.p.A., with registered office in Forlì, Via Due Ponti 9, VAT no. 00903510402, to pay the sum of € 400,000.00 (four hundred thousand / 00) as a fine for the violations indicated in the motivation, representing that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute, with the fulfillment of the prescribed requirements and the payment, within thirty days, of an amount equal to half of the sanction imposed.
ENJOINS
the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 400,000.00 (four hundred thousand / 00), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981.
PROVIDES FOR
a) pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lett. u) of the Regulations, violations and measures adopted;
b) pursuant to art. 166, paragraph 7, of the Code, the full publication of this provision on the website of the Guarantor.
The Guarantor, pursuant to art. 58, par. 1, of Regulation (EU) 2016/679, also invites the data controller to communicate within 30 days from the date of receipt of this provision, which initiatives have been undertaken in order to implement the provisions of this provision and to provide, in any case, adequately documented confirmation. Please note that failure to respond to the request pursuant to art. 58 is punished with the administrative sanction pursuant to art. 83, par. 5, lett. e), of Regulation (EU) 2016/679.
Pursuant to art. 78 of Regulation (EU) 2016/679, as well as of articles 152 of the Code and 10 of the legislative decree 1 September 2011, n. 150, opposition to this provision may be filed with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is resident, or, alternatively, to the court of the place of residence of the person concerned, within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.
Rome, November 25, 2021
THE VICE-PRESIDENT
Cerrina Feroni
THE RAPPORTEUR
Scorza
THE SECRETARY GENERAL
Mattei