Garante per la protezione dei dati personali (Italy) - 9746068

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 13 GDPR
Article 15 GDPR
Article 17 GDPR
Article 21 GDPR
Article 157 Code of Privacy
Article 166 (2) Code of Privacy
Type: Complaint
Outcome: Upheld
Started: 12.11.2021
Decided: 27.01.2022
Published:
Fine: 40,000 EUR
Parties: T.S.M. Srl.
National Case Number/Name: 9746068
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante Protezione Dati Personali (in IT)
Initial Contributor: Paolo Cucchi

The Italian DPA fined a company €40,000 for not handling a data subject's access request and objection to processing, as well as for its lack of cooperation with the DPA during the proceedings.

English Summary

Facts

The data subject was contacted by cleaning tool company T.S.M. Srl. (the controller) to take part in a professional course, and received various forms to be filled in. The company was not able to answer the data subject properly regarding its involvement in the processing of the data required in the forms. The data subject decided to address the company with requests to exercise their rights to access, to object and to erasure of personal data. T.S.M. replied confirming the deletion of personal data, but did not provide a proper response regarding the right of access and the right to object. Based on the company's lack of response to these requests, the data subject filed a complaint with the Italian DPA (Garante).

Holding

The Garante noted T.S.M.'s lack of participation in the proceedings: the company neither asked to be heard nor answered the requests the Garante made to that effect. The Garante held that this lack of cooperation was in breach of Articles 157 and 166 of the Italian Code of Privacy. Nevertheless, the Garante found that the documentation attached to the complaint was sufficient to prove the controller's responsibility in this case.

According to the Garante, the mere deletion of the personal data pursuant to Article 17 GDPR did not exhaust the controller's duties regarding the data subject's requests. The Garante held that T.S.M. should have provided the data subject with information related to the origin of the personal data, the processing activities carried out, and any other recipients of the data, pursuant to Articles 13 and 15 GDPR. Additionally, the Garante highlighted that T.S.M. should have confirmed the receipt of the request to object to further processing, and granted the data subject's right under Article 21 GDPR.

Based on these considerations, the Garante imposed a fine of €40,000 on T.S.M. for the violation of Articles 13, 15 and 21 GDPR, as well as the aforementioned Italian Privacy Code breaches. The Garante also ordered T.S.M. to ensure future compliance with its obligations to inform data subjects of its processing activities, to answer the complainant's pending right of access and objection requests, and to ensure that no future processing of their personal data would take place, in accordance with their objection.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9746068]
Order injunction against T.S.M. s.r.l. - January 27, 2022
Record of measures
n. 23 of January 27, 2022
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the cons. Fabio Mattei, general secretary;
GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC (General Data Protection Regulation, hereinafter the "Regulation");
GIVEN the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n.196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter the "Code");
HAVING REGARD to the documentation on file;
HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000, adopted by resolution of June 28, 2000;
RAPPORTEUR prof. Pasquale Stanzione;
1. THE INVESTIGATION ACTIVITY CARRIED OUT
1.1. Premise
With act no. 56828/21 of 12 November 2021 (notified on the same date by certified e-mail), which here must be understood as fully reproduced, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation against T.S.M. s.r.l. (hereinafter "TSM" or "the Company"), in the person of the pro-tempore legal representative, with registered office in Rome, via di Tor Vergata 180, C.F. 15272401009.
The procedure originates from an investigation launched by the Authority, following the receipt of a complaint with which an interested party complained about the incomplete response provided by TSM to a request to exercise rights aimed at obtaining information on the processing of their data (Article 15 of the Regulation), as well as the cancellation of the same from the company archives (Article 17) and to express opposition to further processing by the Company (Article 21, paragraph 1).
As emerges from the complaint, the interested party, in order to participate in a professional training course, received some forms from the organizers to be returned filled in, which he did, realizing however that these were in the name of TSM and not of the person who had originally contacted him ("XX"). When he asked the organizers for explanations, they provided information that the complainant considered unsatisfactory, so he decided to address to the Company a request for access to data, cancellation and opposition pursuant to art. 15, 17 and 21 of the Regulation. The Company provided feedback by communicating the cancellation of all data of the complainant from its archives, but without providing the information requested pursuant to art. 15 of the Regulation and without confirming that it had taken note of the opposition of the interested party to future treatments.
1.2. Requests for information made by the Authority
Once the complaint was received, the Office began the necessary investigation by inviting the Company, with a note dated 4 March 2021, notified on the same date by certified e-mail, to provide its own version of the facts and possibly to comply with the requests of the complainant.
The request was not met so that, on June 17, 2021, the Office formulated a request for information and presentation of documents pursuant to art. 157 of the Code, notified on the same date by certified e-mail, with which it again invited the Company to provide all useful elements for the complete assessment of the case, with the warning that "in the event of non-compliance with this request, the pecuniary administrative sanction provided for by art. 166 of Legislative Decree no. 196/2003 and 83, par. 5, lett. e) of Regulation (EU) 2016/679 must be applied".
The Company has not provided any feedback to this request either.
1.3. Challenge of administrative violations
The Office, having acknowledged the repeated non-responses of the Company, therefore adopted the aforementioned act of initiation of the administrative procedure no. 56828/21 of 12 November 2021, with which it charged TSM with the following alleged violations:
a) art. 157 and 166, paragraph 2, of the Code, for failing to respond to a request for information and presentation of documents formulated by the Guarantor;
b) articles 15 and 21 of the Regulation, for failing to respond to requests for access to personal data and opposition to future processing, formulated by the complainant;
c) art. 13 of the Regulation, for having processed the complainant's personal data without having provided the same with the necessary information at the time of collection;
2. AUTHORITY ASSESSMENTS
It must be assumed that the TSM Company has not exercised its right of defense, in relation to the disputed charges, and therefore has not produced defensive briefs or requested a hearing pursuant to art. 166, paragraph 6, of the Code and art. 13 of the internal regulation of the Guarantor n. 1/2019.
Although the Company has chosen not to initiate any dialogue with the Authority, the proceeding initiated with the complaint must be considered sufficiently well-informed and full proof of TSM's responsibility with regard to the disputed charges has been acquired.
From the examination of the complaint, which contains declarations and documents for whose truthfulness and genuineness the complainant is also criminally liable, what was reported in the notice emerged regarding the Company's incomplete response to the exercise of the rights by the complainant: the Company, in fact, in the face of a request for information on processing, deletion of data and registration of the complainant's opposition to subsequent processing, limited itself to representing that "as per your request, we have eliminated any data referable to your person, keeping only the email address, in order to send you the following communication. We will remove it immediately after sending", without providing any indication on the treatments carried out and without confirming to the interested party that his wish not to be contacted anymore had been recorded.
From the documentation attached to the complaint, it also emerged that in the first contact emails the person who proposed participation in the professional training course at issue presented himself as "XX", while the contractual forms subsequently sent to the complainant were in the name of and signed by TSM. These forms, with which, among other things, the interested party was asked to produce a copy of their identity document and their health card, did not contain any information regarding the processing of personal data, nor did they clarify the relationship between TSM and the original subject with whom the complainant had initiated the dialogue.
The conduct of TSM is therefore proven by the documents: the Company, entering into the formation of a contractual relationship between the complainant and the original proponent without clarifying its role and the extent of the personal data processing that would have been carried out, and without providing the additional information referred to in art. 13 of the Regulation, gave incomplete feedback even on the occasion of the subsequent exercise by the interested party of the rights referred to in Articles 15 and 21 of the Regulation (right of access and opposition to processing), thus making the exercise itself impossible and depriving the complainant of control of their personal data.
From this point of view, the mere cancellation of the data of the interested party, as represented by the Company in response to the exercise of the rights, does not exhaust the obligations of the data controller who, in the case in question, should in any case have provided the requester with all the information that could allow him at least to trace the origin of the personal data held by TSM, the distribution of responsibilities in the context of the processing, the subjects to whom the data were or would have been communicated and the methods and purposes of the processing and the related legal bases of lawfulness, as well as guaranteeing that appropriate measures have been adopted to prevent further future processing (e.g. insertion of the name in the blacklist).
The Company also failed to respond to requests for information and the presentation of documents made by the Guarantor, resulting in a burdening of the investigative requirements and a slowdown in administrative action. This circumstance also emerges per tabulas, given that the Office has sent requests for information twice, specifying, in the last one, that a failure to reply could have resulted in the application of administrative sanctions.
All requests were sent to TSM's certified e-mail address as resulting from the information system of the Chambers of Commerce and, in this regard, it is useful to highlight that the Legislative Decree 76/2020 (so-called "simplification decree"), converted with amendments by Law 120/2020, qualified, in art. 37, the certified e-mail address of companies as a "digital home" valid for the purposes of electronic communications with legal value.
It should also be noted that TSM's certified e-mail address was found to be fully functional on the occasion of the Company's reply to the requests in the context of the exercise of rights, a reply which took place five hours after the complainant sent them, as proof that the e-mail box was consulted constantly. From this must be inferred the will of TSM not to provide any response to the requests of the Guarantor, despite the prospect of administrative sanctions, and the evident disinterest of the Company with respect to the procedure initiated with the complaint.
3. CONCLUSIONS
With regard to the foregoing, the responsibility of TSM is deemed to be ascertained in relation to the following violations:
a) art. 157 and 166, paragraph 2, of the Code, for failing to respond to a request for information and presentation of documents formulated by the Guarantor;
b) articles 15 and 21 of the Regulation, for failing to respond to requests for access to personal data and opposition to future processing, formulated by the complainant;
c) art. 13 of the Regulation, for having carried out processing of the complainant's personal data without having provided him with the necessary information;
Having also ascertained the unlawfulness of the Company's conduct with reference to the treatments examined, it is necessary:
- send a warning to TSM, pursuant to art. 58, par. 2, lett. a) of the Regulation, so that it does not carry out treatments of the same type as those described in the complaint, without providing the interested parties with the necessary information referred to in art. 13 of the Regulations;
- to order TSM, pursuant to art. 58, par. 2, lett. c) of the Regulations, to satisfy and respond to the complainant's requests, with reference to the exercise of the rights referred to in Articles 15 and 21 of the Regulations;
- to impose on TSM, pursuant to art. 58, par. 2, lett. f) of the Regulations, the prohibition of any further processing of the complainant's data;
- adopt an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application to TSM of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5, of the Regulation
4. ORDER-INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION
The violations indicated above require the adoption of an injunction order, pursuant to Articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application to TSM of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5, of the Regulations (payment of a sum up to € 20,000,000);
To determine the amount of the penalty, the elements indicated in art. 83, par. 2, of the Regulations;
In the case in question, the following are relevant:
1) the seriousness of the violation (Article 83, paragraph 2, letter a) of the Regulation), taking into account the repetition of omissive conduct by TSM, which has not provided any feedback to the notes sent by the Authority, both in the form of the invitation to adhere to the requests of the interested party and in the form of the request for information pursuant to art. 157 of the Code;
2) as an aggravating factor, the duration of the conduct put in place (Article 83, paragraph 2, letter a) of the Regulation), which considerably extended the time for processing the complaint and responding to the requests of the interested party, which has not yet taken place;
3) as an aggravating factor, the lack of cooperation with the Authority in order to remedy the violation (Article 83, paragraph 2, letter f) of the Regulation), despite the fact that the Company was the recipient, in several stages of the procedure, of communications whose acknowledgment could have allowed a complete definition of the question;
4) as additional factors to take into consideration to parameterize the sanction (Article 83, paragraph 2, letter k) of the Regulation), the economic deficit recorded by the Company in 2019 and the general socio-economic context, characterized by a profound economic crisis following the serious global epidemiological emergency.
On the basis of all the elements indicated above, and the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1, of the Regulation, and taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, in the initial application of the administrative pecuniary sanctions provided for by the Regulation, also in order to limit the economic impact of the sanction on the organizational, functional and employees of the Company, it is believed that the administrative sanction of the payment of a sum of € 40,000, equal to 0.2% of the maximum legal sanction, should be applied to TSM.
In the case in question, it is believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the nature of the treatments and conduct of the Company, as well as the elements of risk for the exercise of the rights of the interested parties who may be involved in the treatments considered;
Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.
ALL OF THIS GIVEN THE GUARANTOR
a) issues a warning to TSM, pursuant to art. 58, par. 2, lett. a) of the Regulation, so that it does not carry out treatments of the same type as those described in the complaint, without providing the interested parties with the necessary information referred to in art. 13 of the Regulations;
b) orders TSM, pursuant to art. 58, par. 2, lett. c) of the Regulations, to satisfy and respond to the complainant's requests, with reference to the exercise of the rights referred to in Articles 15 and 21 of the Regulations;
c) imposes on TSM, pursuant to art. 58, par. 2, lett. f) of the Regulation, the prohibition of any further processing of the complainant's data;
d) orders TSM, pursuant to art. 157 of the Code, to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the measures adopted; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by art. 83, paragraph 5, of the Regulation
ORDERS
T.S.M. s.r.l., in the person of the pro-tempore legal representative, with registered office in Rome, via di Tor Vergata 180, C.F. 15272401009, to pay the sum of € 40,000.00 (forty thousand/00) as a fine for the violations indicated in the motivation, representing that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute, with the fulfillment of the prescribed requirements and the payment, within thirty days, of an amount equal to half of the sanction imposed.
ENJOINS
the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 40,000.00 (forty thousand/00), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981.
ORDERS
The application of the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by Articles 166, paragraph 7 of the Code and 16 of the Guarantor Regulation n. 1/2019, and the annotation of the same in the internal register of the Authority - provided for by art. 57, par. 1, lett. u), of the Regulations, as well as by art. 17 of Regulation no. 1/2019 concerning internal procedures of external significance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor - relating to violations and measures adopted in accordance with art. 58, par. 2, of the Regulation itself.
Pursuant to art. 152 of the Code and 10 of Legislative Decree n. 150/2011, against this provision, opposition may be proposed to the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is based, within thirty days from the date of communication of the provision itself.
Rome, January 27, 2022
PRESIDENT
Stanzione
THE RAPPORTEUR
Stanzione
THE SECRETARY GENERAL
Mattei