Garante per la protezione dei dati personali (Italy) - 9756853

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 12 GDPR, Article 17 GDPR
Type: Complaint
Outcome: Upheld
Started: 14.04.2021
Decided: 10.02.2022
Published: 30.03.2022
Fine: 5000 EUR
Parties: Arte del Vivere S.r.l.
National Case Number/Name: 9756853
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: Cesar Manso-Sayao

The Italian DPA issued a fine of €5000 against a website listing shiatsu practitioners for failing to delete a data subject's personal data after multiple requests, in violation of Articles 12 and 17 GDPR.

English Summary

Facts

A data subject filed a complaint with the Italian DPA (Garante per la Protezione dei Dati Personali – Garante) due to the publication of his personal data on www.mondoshiatsu.com, a website which shows the contact details of various certified shiatsu massage practitioners. The data subject stated that he was automatically inserted into this portal after having attended an annual training course in this discipline in 2003. Due to the amount of time that had passed since then, and the fact that he never became an actual practitioner, he made numerous requests via telephone and email to have his data deleted, none of which received a response.

The Garante initiated an investigation, and determined that the company responsible for the publication of the website was Arte del Vivere S.r.l. The Garante then made a request for information related to the company’s failure to respond to the data subject’s request for deletion of his personal data. The Garante was initially unable to serve this request, and had to employ the Finance Police in order to successfully do so. When the company eventually replied, its director stated that they were not the owners of the domain, and had delegated the maintenance of the website to a third party processor. However, the company argued that the website could not be updated because the processor no longer had the credentials to do so. The Garante noted that the contents of the website clearly attribute it to Arte del Vivere, and that as a beneficiary of this website, the company should have contractual or accounting documentation related to the web hosting service. The company was then eventually able to delete the entire website, which had not been updated since 2014, by reporting the issue to the website’s net service host.

Holding

The Garante stated that Arte del Vivere, as a data controller, proved to be completely unable to guarantee compliance with GDPR and the data subject’s deletion request. The Garante also noted that the company showed a total lack of control over the role of the data processor, including a failure to provide documentation in this regard. Additionally, the Garante stated that the company, as the controller, should have adequate measures to intervene in order to handle the data processed, and was directly responsible for the non-deletion of the complainant's data, regardless of the individual responsibilities delegated for processing purposes. Therefore, the Garante held that these organisational deficiencies led to the failure to grant the data subject his right to the deletion of his personal data, in violation of Articles 12 and 17 GDPR. Based on these violations, the Garante issued a fine of €5000 against Arte del Vivere.

The amount of the fine was based on the following aggravating factors: the seriousness of the violation, given that almost 2000 data subjects' personal data were published without an update since 2014, many of which might have been added without a specific request from these data subjects, as was the case with the complainant; the controller’s negligence and failure to carry out its obligations and grant the data subject’s rights under GDPR, which it seems to have ignored until the intervention of the Garante; and the fact that the controller failed to respond when the Garante made its initial requests for information, making it necessary to employ the Financial Police in order to serve the Garante’s notification, which resulted in increased costs within the procedure, and the impossibility of carrying out a thorough investigation in the preliminary phase.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9756853]
Injunction order against Arte del Vivere S.r.l. - February 10, 2022
Record of measures
n. 48 of 10 February 2022
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, Avv. Guido Scorza, member, and the cons. Fabio Mattei, general secretary;
GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC (General Data Protection Regulation, hereinafter the "Regulation");
GIVEN the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n.196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter the "Code");
HAVING REGARD to the documentation on file;
HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;
RAPPORTEUR prof. Pasquale Stanzione;
WHEREAS
1. THE INVESTIGATION ACTIVITY CARRIED OUT
With a complaint registered on April 14, 2021, submitted to this Authority pursuant to art. 77 of the Regulations, Mr. XX complained about the publication of his personal data on the portal www.mondoshiatsu.com without the possibility of having it deleted despite repeated requests. In particular, the complainant represented that he was automatically inserted into this portal - which shows the contact details of various shiatsu operators - after having attended an annual training course at a school of this discipline in 2003; however, having never operated in the sector and having passed many years, the complainant contacted the reference indicated in the portal, Mr. XX, to request cancellation. The request would have been repeated several times, by telephone and by registered letter, without obtaining satisfaction despite verbal assurances.
Having investigated the complaint, the Office verified that the mondoshiatsu.com portal contained information and publications relating to the practice of shiatsu as well as publishing a list in alphabetical order of 1897 people qualified as "certified operators" (including Mr. XX). Since there is no information on the protection of personal data, reference was made to the information published on the site and accessible from the link "contact us" on the basis of which it was announced that "MONDOSHIATSU.COM is published by Arte del Vivere", reporting the latter's contact details and VAT number; furthermore, Mr. XX was indicated as the "responsible director".
Therefore, on 6 May 2021 a request for information was sent, formulated pursuant to art. 157 of the Code, to the Società Arte del Vivere Srl. (Hereinafter also: “Company” or “Arte del Vivere”). Since this was returned to the sender for complete storage, on 30 August 2021 a notice of initiation of the procedure was notified by means of the Guardia di Finanza to contest the failure to respond to the request formulated by the Guarantor with the consequent violation of art. 157 of the Code. In the same note, the violation of articles 12 and 17 of the Regulations since the request for cancellation made by the complainant had not been confirmed and that the personal data of the same were still published on the portal, as ascertained by the Office on 15 June 2021.
On 20 September 2021, Mr. XX, chairman of the board of directors of the Company, sent an e-mail in which he represented that Mr. XX, who had been entrusted with the management of the site, was unable to make changes as he no longer had the necessary login credentials. XX added that he did not know who owned the mondoshiatsu.com domain. In order to conduct further investigations, an extension of the deadline was finally requested.
This extension was granted with a note dated 23 September 2021. On that occasion, moreover, it was clarified that the proceeding had been initiated against Arte del Vivere because, having examined the content of the portal, it operated as the data controller and undoubtedly presented itself as the subject to whom the portal was referred, regardless of who had materially provided for the registration of the domain.
On 4 October 2021, the Company's lawyers sent an email to Mr. XX to request that he promptly delete all the contents of the portal given the difficulties encountered in deleting the data of only Mr. XX. The same communication was forwarded for information to the Guarantor and to the complainant.
On 9 October 2021, Mr. XX sent an email to the Office communicating that, despite the warning received, Mr. XX had not deleted the data, having to believe that "the failure to delete the data does not depend on inertia but on the fact that the Data Processor of the Data is not able to delete the data". Therefore, he declared that he had contacted the postal police to request the cancellation of the entire site but, since this was not competent in the absence of a crime, he was considering activating the "abuse" procedure with the domain provider. XX also represented that the website had not been updated since 2014 and contained data from 1897 operators. In order to activate this procedure as well, Mr. XX requested a further extension of the terms and asked for clarification on how to proceed otherwise.
Therefore, on the following 12 October, the Office contacted him by telephone to clarify first of all that the exercise of the right of defense is a faculty granted by the legal system to the person who has received a dispute in order to allow him to justify his conduct and to illustrate any corrective actions. On the other hand, it is not necessary to wait until these interventions are also completed, if it is not possible to complete them within the deadline set for exercising the right of defense. Taking into account that an extension of 15 days had already been granted, it was pointed out that sending a defense brief is an option and not an obligation. Finally, with regard to the difficulties represented in obtaining technical control on the mondoshiatsu.com website (which would have been delegated entirely to Mr. XX), the Office reiterated that the site appeared to all intents and purposes attributable to Arte del Vivere Srl, whose references and contacts were published. Therefore, since the domain is active, the Company, as the beneficiary of the service, would probably have had contractual or at least accounting documentation relating to this service.
On 12 October 2021, Mr. XX sent an e-mail to the address abusereport@key-systems.net, and for information to the Guarantor, to confirm ownership of the domain and to request its cancellation at the same time.
Finally, with an e-mail dated October 14, also addressed to the complainant, Mr. XX confirmed that he had obtained the obscuration of the site from Mr. XX and added that "the conclusion of this unfortunate event highlights that Arte del Vivere srl was not and is not the owner of the Domain and, therefore, it had no possibility to intervene directly on the Domain itself".
The Office has verified that, currently, the website is no longer accessible.
2. VIOLATIONS FOUND
With reference to the factual profiles highlighted above, also based on the statements of the Company to which the declarant responds pursuant to art. 168 of the Code, the following assessments are formulated in relation to the profiles concerning the regulations on the subject of personal data protection.
What has been reconstructed so far outlines a context in which Arte del Vivere, the data controller, proved to be completely unable to ensure compliance with the rules, which, moreover, it seems to have ignored until the intervention of the Guarantor. From what emerged, in fact, the chairman of the board of directors would not have been able to verify the domain ownership of a portal whose contents unquestionably refer to the Company itself. At the same time, he would not have been able to make changes to these contents or to delete the site itself despite being aware of the fact that it was no longer updated since 2014. And such attempts would have been put in place only after receiving the notice of initiation of the procedure by the Guarantor, since the numerous requests of Mr. XX have been disregarded.
According to what has been reported, this would have happened as a result of a total lack of control over the work of Mr. XX who during the procedure was qualified as a data processor, even without providing documentation in this regard.
However, it should be noted that the aforementioned XX, from what appears in the survey published in the Register of Companies, is the majority shareholder of the Company. Since no documentation has been produced regarding XX's role, it is not possible to understand in what capacity he worked for Arte del Vivere. XX, in fact, could have provided his service as a working partner or as an external supplier, having to qualify, respectively, as a person in charge of the treatment or as a manager. In both cases, the Company should have had adequate measures to intervene to protect the data processed and, more generally, its corporate assets, as it is not permissible for the data controller to so easily become a "hostage" of those who manage a service for his account. For these reasons, ascertaining the nature of the contractual relationship between the Company and Mr. XX (never documented) would not be relevant here since it would not change the degree of responsibility of the data controller.
That said, it must be considered that the Company, as the data controller, is directly responsible for the non-cancellation of the complainant's data, regardless of the individual responsibilities of the individuals who acted in it. The organizational deficiencies that emerged from the affair led to the failure to update the data on the website and the failure to respond to the cancellation requests of Mr. XX, in violation of Articles 12 and 17 of the Regulation.
Taking into account that the website, to date, is no longer accessible and that therefore the personal data contained therein are no longer published on the Internet, the conditions for taking corrective measures are not found. However, in consideration of the unlawfulness of the conduct, taking into account the time taken to obtain the cancellation of data published on a website that had not been updated for years and considering that this corrective action was implemented only after the intervention of the Guarantor, it is believed that the conditions are met for the application of a pecuniary administrative sanction pursuant to art. 58, par. 2, lett. i) of the Regulations.
Finally, with regard to the failure to respond to the request for information from the Guarantor of 6 May 2021, due to the complete storage of the registered letter, the following is noted.
This omissive conduct made it necessary to use the Guardia di Finanza for the notification, which took place on 30 August 2021, with a consequent increase in costs and the procedure, with the impossibility of carrying out investigations in the preliminary phase, as all feedback was delegated to the defense following the start of the proceedings.
Therefore, the violation of art. 157 of the Code.
Despite the lack of explicit justifications in this regard, the exceptional context in which the affair took place must be taken into account, acknowledging the difficulties encountered due to the pandemic in progress. For these reasons, it is believed to be able to postpone the application of a specific administrative pecuniary sanction, framing the violation in question only in the more general negligence of the owner, to be assessed in relation to the aforementioned violations of Articles 12 and 17 of the Regulation.
3. INJUNCTION ORDER FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION
On the basis of the above, given the violations referred to, the sanction provided for by art. 83, par. 5 of the Regulation.
For the purposes of quantifying the administrative sanction, the aforementioned art. 83, par. 5, in setting the maximum legal limit in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the previous year, whichever is higher, specifies the methods of quantifying the aforementioned sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulations), identifying, for this purpose, a series of elements, listed in par. 2, to be assessed when quantifying the relative amount.
In compliance with this provision, in the present case, the following aggravating circumstances must be considered:
1. the seriousness of the violation given that the data of 1897 people have been published for several years without ever being updated taking into account that, at least in the case indicated by the complainant, they were not included on the basis of a specific request by the interested party and were not removed even after repeated requests;
2. the seriously negligent nature of the data controller, as described in point 2, since the rules for the protection of personal data were completely ignored until the intervention of the Guarantor;
3. the degree of responsibility of the data controller who has not provided feedback to the exercise of the rights of Mr. XX (forcing him to contact the Guarantor) and who has not put in place any type of control over the activity entrusted to Mr. XX since he is not, thus, able to give an account of his work;
As mitigating elements, it is believed that we must take into account:
1. the corrective measures taken by intervening to obscure the website, which is no longer active;
2. the degree of cooperation with the Authority after the initiation of the procedure;
3. the assets of the Company and the economic results recorded in the latest financial statements made available, relating to the 2007 financial year; we also have regard to the exceptional economic context caused by the pandemic which has led to unfavorable consequences especially in production sectors related to personal services, such as the one in which Arte del Vivere operates;
4. the absence of previous proceedings initiated against the Company.
With an overall view of the necessary balance between the rights of the interested parties and freedom of enterprise, and in the first application of the administrative pecuniary sanctions provided for by the Regulation, it is necessary to prudently evaluate the aforementioned criteria, also in order to limit the economic impact of the sanction on the organizational, functional and occupational needs of the Company.
Therefore it is believed that, on the basis of all the elements indicated above, having regard to the decisions adopted in previous similar cases and taking into account the economic information made available in the register of companies and since no information has been received on the matter from the Company, the administrative sanction of the payment of a sum equal to 5,000.00 euros (five thousand / 00), equal to 0.05% of the maximum authorized amount of 20 million euros, should be applied to Arte del Vivere and, due to the aggravating elements found, the ancillary sanction of the full publication of this provision on the website of the Guarantor as required by art. 166, paragraph 7 of the Code and by art. 16 of the regulation of the Guarantor n. 1/2019.
Finally, it is believed that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations found here in the internal register of the Authority, provided for by art. 57, par. 1, lett. u) of the Regulations.
WHEREAS, THE GUARANTOR
pursuant to art. 57, par. 1, lett. f), of the Regulation, declares illegal the processing described in the terms set out in the motivation by Arte del Vivere S.r.l., with registered office in Milan, Via Luigi Settembrini 52, VAT no. 10666240154, and consequently:
ORDERS
Arte del Vivere S.r.l., with registered office in Milan, Via Luigi Settembrini 52, VAT no. 10666240154, to pay the sum of € 5,000.00 (five thousand / 00) as a fine for the violations indicated in the motivation, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, with the fulfillment of the prescribed requirements and the payment, within thirty days, of an amount equal to half of the sanction imposed.
ENJOINS
the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 5,000.00 (five thousand / 00), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981.
HAS
a) pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lett. u) of the Regulations, violations and measures adopted;
b) pursuant to art. 166, paragraph 7, of the Code, the full publication of this provision on the website of the Guarantor.
Pursuant to art. 78 of Regulation (EU) 2016/679, as well as of articles 152 of the Code and 10 of the legislative decree 1 September 2011, n. 150, opposition to this provision may be filed with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is resident, or, alternatively, to the court of the place of residence of the person concerned, within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.
Rome, February 10, 2022
PRESIDENT
Stanzione
THE RAPPORTEUR
Stanzione
THE SECRETARY GENERAL
Mattei