Garante per la protezione dei dati personali (Italy) - 9756869: Difference between revisions

Garante per la protezione dei dati personali (Italy) - 9756853
Authority:	Garante per la protezione dei dati personali (Italy)
Jurisdiction:	Italy
Relevant Law:	Article 5(1)(a) GDPR Article 6(1) GDPR Article 7 GDPR Article 12(1) GDPR
Type:	Complaint
Outcome:	Upheld
Started:	14.04.2021
Decided:	10.02.2022
Published:	30.03.2022
Fine:	5000 EUR
Parties:	Arte del Vivere S.r.l.
National Case Number/Name:	9756853
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Italian
Original Source:	Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor:	Cesar Manso-Sayao

The Italian DPA issued a fine of €5000 against a company for lacking a valid legal basis to make unsolicited marketing calls using information obtained on the internet, as well as for not handling a data subject's access and deletion requests, in violation of Articles 5(1)(a), 6(1), 7 and 12(1) GDPR.

English Summary

Facts

A data subject filed a complaint with the Italian DPA (Garante per la Protezione dei Dati Personali – Garante) claiming he had received numerous undesired and periodic telephone calls promoting the real estate agency Tecnocasa in relation to a property he owns. The data subject also stated that he had not received a response to access and deletion requests under Article 15 GDPR and Article 17 GDPR respectively, which were forwarded to Studio Colli Aniene Verderocca S.r.l., a marketing company, which was the registered holder of the telephone numbers making the calls.

The Garante initiated an investigation, and determined that the marketing company (and not the real estate agency) was the autonomous controller in this case, since it processed the data based on its own data collection, and had established the purposes and methods of contact for the marketing calls independently.

When responding to the Garante’s request for information, the marketing company argued that they had only called the data subject twice. On the first occasion they had asked for his consent to the calls, which the company acknowledged that the data subject had objected to. The second call was admittedly made by a “mere error in good faith”, in light of the previously acknowledged objection. The company also claimed that the acquisition of the personal data was lawful since it had been found on the internet on publicly available websites as well as through Google searches, and also stated that it had deleted the complainant’s personal data from its databases.

Holding

The Garante noted that irrespective of the amount of calls made to the data subject, the fact that the data was obtained from the internet and that the initial call was made without prior consent or any other legal basis, constituted a violation of Articles 6 and 7 GDPR. Additionally, the Garante stated according to its own jurisprudence (see here) a telephone call aimed at obtaining consent for marketing purposes in itself constitutes processing for marketing purposes, and hence would circumvent the required consent required for the processing to begin with. Moreover, the Garante held that the unwanted telephone call received by the data subject due to a "mere error made in good faith" does not relieve the company of liability since it has not proven the inevitability of this mistake.

Regarding the collection of data using publicly available websites and Google searches, the Garante stated that the controller used the data collected on the internet to promote its services and products, pursuing a different purpose that is incompatible with the original purpose for which the data were made public (i.e. to facilitate the contacts of the data subject with its potential customers, with limited regard to the exercise of his profession) and therefore not according to the data subject’s legitimate expectations. The Garante also clarified that the easy availability of personal data on the internet does not justify the processing of such data for any purpose other than for what it was orignally published, and held that in this case, the collection and processing of this data was also in violation of Article 6(1) GDPR by lacking a valid legal basis.

The Garante also held that the company had violated its transparency obligations under Articles 5(1)(a) and 12(1) GDPR by failing to grant the data subject’s access and deletion requests, and by not providing any proof of internal framework and measures to handle these requests, or of the actual deletion of the data itself.

Based on these considerations, the Garante issued a fine of €5000 against the marketing company. It also ordered the company to take measures to comply with GDPR by ceasing its processing operations related to unsolicited marketing calls and obtaining personal data on the internet without a legal basis, as well as the implementation of procedures to ensure the response to data subjects’ exercise of their data protection rights, and to provide these with appropriate information with regard to the processing of their personal data.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9756853]
Injunction order against Arte delivere S.r.l. - February 10, 2022
Record of measures
n. 48 of 10 February 2022
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, Avv. Guido Scorza, member, and the cons. Fabio Mattei, general secretary;
GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC (General Data Protection Regulation, hereinafter the "Regulation");
GIVEN the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n.196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter the "Code");
HAVING REGARD to the documentation on file;
HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;
RAPPORTEUR prof. Pasquale Stanzione;
WHEREAS
1. THE INVESTIGATION ACTIVITY CARRIED OUT
With a complaint registered on April 14, 2021, submitted to this Authority pursuant to art. 77 of the Regulations, Mr. XX complained about the publication of his personal data on the portal www.mondoshiatsu.com without the possibility of having it deleted despite repeated requests. In particular, the complainant represented that he was automatically inserted into this portal - which shows the contact details of various shiatsu operators - after having attended an annual training course at a school of this discipline in 2003; however, having never operated in the sector and having passed many years, the complainant contacted the reference indicated in the portal, Mr. XX, to request cancellation. The request would have been repeated several times, by telephone and by registered letter, without obtaining satisfaction despite verbal assurances.
Having investigated the complaint, the Office verified that the mondoshiatsu.com portal contained information and publications relating to the practice of shiatsu as well as publishing a list in alphabetical order of 1897 people qualified as "certified operators" (including Mr. XX). As there is no information on the protection of personal data, reference was made to the information published on the site and accessible from the link "contact us" on the basis of which it was announced that "MONDOSHIATSU.COM is published by Arte del Vivere" reporting this 'last the contact details and VAT number; furthermore, Mr. XX was indicated as the "responsible director".
Therefore, on 6 May 2021 a request for information was sent, formulated pursuant to art. 157 of the Code, to the Società Arte del Vivere Srl. (Hereinafter also: “Company” or “Arte del Vivere”). Since this was returned to the sender for complete storage, on 30 August 2021 a notice of initiation of the procedure was notified by means of the Guardia di Finanza to contest the failure to respond to the request formulated by the Guarantor with the consequent violation of art. 157 of the Code. In the same note, the violation of articles 12 and 17 of the Regulations since the request for cancellation made by the complainant had not been confirmed and that the personal data of the same were still published on the portal, as ascertained by the Office on 15 June 2021.
On 20 September 2021, Mr. XX, chairman of the board of directors of the Company, sent an e-mail in which he represented that Mr. XX, who had been entrusted with the management of the site, was unable to make changes as he no longer had the necessary login credentials. XX added that he did not know who owned the mondoshiatsu.com domain. In order to conduct further investigations, an extension of the deadline was finally requested.
This extension was granted with a note dated 23 September 2021. On that occasion, moreover, it was clarified that the proceeding had been initiated against Arte delivere because, having examined the content of the portal, it operated as the data controller and undoubtedly presented itself as the subject to whom the portal was referred, regardless of who had materially provided for the registration of the domain.
On 4 October 2021, the Company's lawyers sent an email to Mr. XX to request that he promptly delete all the contents of the portal given the difficulties encountered in deleting the data of only Mr. XX. The same communication was forwarded for information to the Guarantor and to the complainant.
On 9 October 2021, Mr. XX sent an email to the Office communicating that, despite the warning received, Mr. XX had not deleted the data, having to believe that "the failure to delete the data does not depend on inertia but on the fact that the Data Processor of the Data is unable to delete the data ". Therefore, he declared that he had contacted the postal police to request the cancellation of the entire site but, since this was not competent in the absence of a crime, he was considering activating the "abuse" procedure with the domain provider. XX also represented that the website had not been updated since 2014 and contained data from 1897 operators. In order to activate this procedure as well, Mr. XX requested a further extension of the terms and asked for clarification on how to proceed otherwise.
Therefore, on the following 12 October, the Office contacted him by telephone to clarify first of all that the exercise of the right of defense is a faculty granted by the legal system to the person who has received a dispute in order to allow him to justify his conduct and to illustrate any corrective actions. On the other hand, it is not necessary to wait for these interventions to be completed, if it is not possible to complete them within the deadline set for exercising the right of defense. Taking into account that an extension of 15 days had already been granted, it was pointed out that sending a defense brief is an option and not an obligation. Finally, with regard to the difficulties represented in obtaining technical control on the mondoshiatsu.com website (which would have been delegated entirely to Mr. XX), the Office reiterated that the site appeared to all intents and purposes attributable to Arte del Vivere Srl, of whose references and contacts were published. Therefore, since the domain is active, the Company, as the beneficiary of the service, would probably have had contractual or at least accounting documentation relating to this service.
On 12 October 2021, Mr. XX sent an e-mail to the address abusereport@key-systems.net, and for information to the Guarantor, to confirm ownership of the domain and to request its cancellation at the same time.
Finally, with an e-mail dated October 14, also addressed to the complainant, Mr. XX confirmed that he had obtained the obscuration of the site from Mr. XX and added that "the conclusion of this unfortunate affair, highlights that Arte del Vivere srl was not she is not the owner of the Domain and, therefore, she had no possibility to intervene directly on the Domain itself ".
The Office has verified that, currently, the website is no longer accessible.
2. VIOLATIONS FOUND
With reference to the factual profiles highlighted above, also based on the statements of the Company to which the declarant responds pursuant to art. 168 of the Code, the following assessments are formulated in relation to the profiles concerning the regulations on the subject of personal data protection.
What has been reconstructed so far outlines a context in which the Art of Living, the data controller, proved to be completely unable to guarantee compliance with the rules, which, moreover, it seems to have ignored until the intervention of the Guarantor. From what emerged, in fact, the chairman of the board of directors would not have been able to verify the domain ownership of a portal whose contents unquestionably refer to the Company itself. At the same time, he would not have been able to make changes to these contents or to delete the site itself despite being aware of the fact that it was no longer updated since 2014. And such attempts would have been put in place only after receiving the notice of initiation of the procedure by the Guarantor, since the numerous requests of Mr. XX have been disregarded.
According to reports, this would have occurred as a result of a total lack of control over the work of Mr. XX who during the procedure was qualified as a data processor, even without providing documentation in this regard.
However, it should be noted that the aforementioned XX, from what appears in the survey published in the Register of Companies, is the majority shareholder of the Company. Since no documentation has been produced regarding XX's role, it is not possible to understand in what capacity he worked for the Art of Living. The XX, in fact, could have provided his service as a working partner or as an external supplier, having to qualify, respectively, as a person in charge of the treatment or as a manager. In both cases, the Company should have had adequate measures to intervene to protect the data processed and, more generally, its corporate assets, as it is not permissible for the data controller to so easily become a "hostage" of those who manage a service for his account. For these reasons, ascertaining the nature of the contractual relationship between the Company and Mr. XX (never documented) would not be relevant here since it would not change the degree of responsibility of the data controller.
That said, it must be considered that the Company, as the data controller, is directly responsible for the non-cancellation of the complainant's data, regardless of the individual responsibilities of the individuals who acted in it. The organizational deficiencies that emerged from the affair led to the failure to update the data on the website and the failure to respond to the cancellation requests of Mr. XX, in violation of Articles 12 and 17 of the Regulation.
Taking into account that the website, to date, is no longer accessible and that therefore the personal data contained therein are no longer published on the Internet, the conditions for taking corrective measures are not found. However, in consideration of the unlawfulness of the conduct, taking into account the time taken to obtain the cancellation of data published on a website that had not been updated for years and considering that this corrective action was implemented only after the intervention of the Guarantor , it is believed that the conditions are met for the application of a pecuniary administrative sanction pursuant to art. 58, par. 2, lett. i) of the Regulations.
Finally, with regard to the failure to respond to the request for information from the Guarantor of 6 May 2021, due to the complete storage of the registered letter, the following is noted.
This omissive conduct made it necessary to use the Guardia di Finanza for the notification, which took place on 30 August 2021, with a consequent increase in costs and the procedure, with the impossibility of carrying out investigations in the preliminary phase, as all feedback was delegated to the defense following the start of the proceedings.
Therefore, the violation of art. 157 of the Code.
Despite the lack of explicit justifications in this regard, the exceptional context in which the affair took place must be taken into account, acknowledging the difficulties encountered due to the pandemic in progress. For these reasons, it is believed to be able to postpone the application of a specific administrative pecuniary sanction, framing the violation in question only in the more general negligence of the owner, to be assessed in relation to the aforementioned violations of Articles 12 and 17 of the Regulation.
3. INJUNCTION ORDER FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION
On the basis of the above, given the violations referred to, the sanction provided for by art. 83, par. 5 of the Regulation.
For the purposes of quantifying the administrative sanction, the aforementioned art. 83, par. 5, in setting the maximum legal limit in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the previous year, whichever is higher, specifies the methods of quantifying the aforementioned sanction, which must "in any case [ be] effective, proportionate and dissuasive "(art. 83, par. 1 of the Regulations), identifying, for this purpose, a series of elements, listed in par. 2, to be assessed when quantifying the relative amount.
In compliance with this provision, in the present case, the following aggravating circumstances must be considered:
1. the seriousness of the violation given that the data of 1897 people have been published for several years without ever being updated taking into account that, at least in the case indicated by the complainant, they were not included on the basis of a specific request by the interested party and were not removed even after repeated requests;
2. the seriously negligent nature of the data controller, as described in point 2, since the rules for the protection of personal data were completely ignored until the intervention of the Guarantor;
3. the degree of responsibility of the data controller who has not provided feedback to the exercise of the rights of Mr. XX (forcing him to contact the Guarantor) and who has not put in place any type of control over the activity entrusted to Mr. XX since he is not , thus, able to give an account of his work;
As mitigating elements, it is believed that we must take into account:
1. the corrective measures taken by intervening to obscure the website, which is no longer active;
2. the degree of cooperation with the Authority after the initiation of the procedure;
3. the assets of the Company and the economic results recorded in the latest financial statements made available, relating to the 2007 financial year; we also have regard to the exceptional economic context caused by the pandemic which has led to unfavorable consequences especially in production sectors related to personal services, such as the one in which the Art of Living operates;
4. the absence of previous proceedings initiated against the Company.
With an overall view of the necessary balance between the rights of the interested parties and freedom of enterprise, and in the first application of the administrative pecuniary sanctions provided for by the Regulation, it is necessary to prudently evaluate the aforementioned criteria, also in order to limit the economic impact of the sanction on the needs. organizational, functional and occupational of the Company.
Therefore it is believed that, on the basis of all the elements indicated above, having regard to the decisions adopted in previous similar cases and taking into account the economic information made available in the register of companies and since no information has been received on the matter from the Company, the to Arte delivere the administrative sanction of the payment of a sum equal to 5,000.00 euros (five thousand / 00), equal to 0.05% of the maximum authorized amount of 20 million euros and, due to the aggravating elements found, the ancillary sanction of the full publication of this provision on the website of the Guarantor as required by art. 166, paragraph 7 of the Code and by art. 16 of the regulation of the Guarantor n. 1/2019.
Finally, it is believed that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations found here in the internal register of the Authority, provided for by art. 57, par. 1, lett. u) of the Regulations.
WHEREAS, THE GUARANTOR
pursuant to art. 57, par. 1, lett. f), of the Regulation, declares illegal the processing described in the terms set out in the motivation by Arte delivere S.r.l., with registered office in Milan, Via Luigi Settembrini 52, VAT no. 10666240154, and consequently:
ORDER
a Arte delivere S.r.l., with registered office in Milan, Via Luigi Settembrini 52, VAT no. 10666240154, to pay the sum of € 5,000.00 (five thousand / 00) as a fine for the violations indicated in the motivation, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, with the fulfillment of the prescribed requirements and the payment, within thirty days, of an amount equal to half of the sanction imposed.
INJUNCES
to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 5,000.00 (five thousand / 00), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to 'art. 27 of the law n. 689/1981.
HAS
a) pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lett. u) of the Regulations, violations and measures adopted;
b) pursuant to art. 166, paragraph 7, of the Code, the full publication of this provision on the website of the Guarantor.
Pursuant to art. 78 of Regulation (EU) 2016/679, as well as of articles 152 of the Code and 10 of the legislative decree 1 September 2011, n. 150, opposition to this provision may be filed with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is resident, or, alternatively, to the court of the place of residence of the person concerned. , within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.
Rome, February 10, 2022
PRESIDENT
Stanzione
THE RAPPORTEUR
Stanzione
THE SECRETARY GENERAL
Mattei