Garante per la protezione dei dati personali (Italy) - 9756869: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(4 intermediate revisions by the same user not shown)
Line 7: Line 7:
|DPA_With_Country=Garante per la protezione dei dati personali (Italy)
|DPA_With_Country=Garante per la protezione dei dati personali (Italy)


|Case_Number_Name=9756853
|Case_Number_Name=9756869
|ECLI=
|ECLI=


|Original_Source_Name_1=Garante per la Protezione dei Dati Personali
|Original_Source_Name_1=Garante per la Protezione dei Dati Personali
|Original_Source_Link_1=https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9756853
|Original_Source_Link_1=https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9756869
|Original_Source_Language_1=Italian
|Original_Source_Language_1=Italian
|Original_Source_Language__Code_1=IT
|Original_Source_Language__Code_1=IT
Line 35: Line 35:




|Party_Name_1=Arte del Vivere S.r.l.
|Party_Name_1=Studio Colli Aniene Verderocca S.r.l.
|Party_Link_1=
|Party_Link_1=https://roma82.tecnocasa.it/roma/tiburtina-colli-aniene/
|Party_Name_2=
|Party_Name_2=
|Party_Link_2=
|Party_Link_2=
Line 85: Line 85:


<pre>
<pre>
[doc. web n. 9756853]
[doc. web n. 9756869]
Injunction order against Arte delivere S.r.l. - February 10, 2022
Order injunction against Studio Colli Aniene Verderocca S.r.l. - February 10, 2022
Record of measures
Record of measures
n. 48 of 10 February 2022
n. 49 of 10 February 2022
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, Avv. Guido Scorza, member, and the cons. Fabio Mattei, general secretary;
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, Avv. Guido Scorza, member, and the cons. Fabio Mattei, general secretary;
Line 95: Line 95:
HAVING REGARD to the documentation on file;
HAVING REGARD to the documentation on file;
HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;
HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;
RAPPORTEUR prof. Pasquale Stanzione;
SPEAKER Prof. Ginevra Cerrina Feroni;
WHEREAS
WHEREAS
1. THE INVESTIGATION ACTIVITY CARRIED OUT
1. THE INVESTIGATION ACTIVITY CARRIED OUT
With a complaint registered on April 14, 2021, submitted to this Authority pursuant to art. 77 of the Regulations, Mr. XX complained about the publication of his personal data on the portal www.mondoshiatsu.com without the possibility of having it deleted despite repeated requests. In particular, the complainant represented that he was automatically inserted into this portal - which shows the contact details of various shiatsu operators - after having attended an annual training course at a school of this discipline in 2003; however, having never operated in the sector and having passed many years, the complainant contacted the reference indicated in the portal, Mr. XX, to request cancellation. The request would have been repeated several times, by telephone and by registered letter, without obtaining satisfaction despite verbal assurances.
With the complaint of May 14, 2021 presented to this Authority pursuant to art. 77 of the Regulations, Mr. XX complained that he received unwanted "periodic phone calls" aimed at promoting the services of the Tecnocasa Agency regarding a property he owned and, moreover, represented that he had not received a response to the request to exercise the rights, pursuant to art. 15 and 17 of the Regulations, sent via certified email on 17 February 2020 to the Affiliate Studio Colli Aniene Verderocca S.r.l. (hereinafter «Studio Colli Aniene», or «Company») “holder of the telephone numbers” calling; the same complainant highlighted the perpetuation of further unwanted contacts on the part of the aforementioned Company up to the date of the filing of the complaint.
Having investigated the complaint, the Office verified that the mondoshiatsu.com portal contained information and publications relating to the practice of shiatsu as well as publishing a list in alphabetical order of 1897 people qualified as "certified operators" (including Mr. XX). As there is no information on the protection of personal data, reference was made to the information published on the site and accessible from the link "contact us" on the basis of which it was announced that "MONDOSHIATSU.COM is published by Arte del Vivere" reporting this 'last the contact details and VAT number; furthermore, Mr. XX was indicated as the "responsible director".
In this regard, the Office has launched an investigation, with requests for information made on the dates of May 19 and June 24, 2021 (the latter requested on September 2, 2021, pursuant to Article 157 of the Code), in order to to acquire elements of evaluation which allowed to exclude violations of Tecnocasa Franchising SpA with regard to the promotional contacts complained of in the complaint, as carried out by the company Studio Colli Aniene Verderocca S.r.l., as an independent data controller, on the basis of its own independent data collection.
Therefore, on 6 May 2021 a request for information was sent, formulated pursuant to art. 157 of the Code, to the Società Arte del Vivere Srl. (Hereinafter also: “Company” or “Arte del Vivere”). Since this was returned to the sender for complete storage, on 30 August 2021 a notice of initiation of the procedure was notified by means of the Guardia di Finanza to contest the failure to respond to the request formulated by the Guarantor with the consequent violation of art. 157 of the Code. In the same note, the violation of articles 12 and 17 of the Regulations since the request for cancellation made by the complainant had not been confirmed and that the personal data of the same were still published on the portal, as ascertained by the Office on 15 June 2021.
In response to the aforementioned requests for information, the Company, with notes dated 8 June and 3 September 2021, declared that it had contacted the complainant in only two circumstances (6 February and 14 May 2020), adding that it had requested consent to the processing. of personal data for promotional, market research and profiling purposes, on the occasion of the first phone call and providing, in this circumstance, to register the refusal opposed by Mr. XX, only to then contact the latter again for "mere mistake made in total good faith". The Company, which has ensured that it has deleted the complainant's data from its databases, also represented that it lawfully processed the same data as it was found on the Internet, by consulting the websites www.trovanumeri.com and www.psicologi.it and carrying out a nominal survey on the search engine "Google".
On 20 September 2021, Mr. XX, chairman of the board of directors of the Company, sent an e-mail in which he represented that Mr. XX, who had been entrusted with the management of the site, was unable to make changes as he no longer had the necessary login credentials. XX added that he did not know who owned the mondoshiatsu.com domain. In order to conduct further investigations, an extension of the deadline was finally requested.
The complainant, in the observations sent to this Authority on 23 June 2021 and formulated regarding the response of 8 June 2021, with regard to the telephone calls received, objected to the smallness of the same in the terms represented by the Company, pointing out, on the contrary, that the same allegedly omitted "the numerous other phone calls, even in previous years, where it had already been pointed out, with extreme courtesy, that they do not like calls with the offer of unsolicited services, not failing to invite, with equal kindness, the cancellation of their data and his wife from their databases ".
This extension was granted with a note dated 23 September 2021. On that occasion, moreover, it was clarified that the proceeding had been initiated against Arte delivere because, having examined the content of the portal, it operated as the data controller and undoubtedly presented itself as the subject to whom the portal was referred, regardless of who had materially provided for the registration of the domain.
2. CONTESTATION OF VIOLATIONS AND EXERCISE OF THE RIGHT OF DEFENSE
On 4 October 2021, the Company's lawyers sent an email to Mr. XX to request that he promptly delete all the contents of the portal given the difficulties encountered in deleting the data of only Mr. XX. The same communication was forwarded for information to the Guarantor and to the complainant.
2.1. The dispute
On 9 October 2021, Mr. XX sent an email to the Office communicating that, despite the warning received, Mr. XX had not deleted the data, having to believe that "the failure to delete the data does not depend on inertia but on the fact that the Data Processor of the Data is unable to delete the data ". Therefore, he declared that he had contacted the postal police to request the cancellation of the entire site but, since this was not competent in the absence of a crime, he was considering activating the "abuse" procedure with the domain provider. XX also represented that the website had not been updated since 2014 and contained data from 1897 operators. In order to activate this procedure as well, Mr. XX requested a further extension of the terms and asked for clarification on how to proceed otherwise.
In light of what emerged from the preliminary investigation in the terms summarized above, also on the basis of the statements of the Company to which the declarant responds pursuant to art. 168 of the Code, on 12 November 2021 Studio Colli Aniene was notified of the initiation of the procedure pursuant to art. 166, paragraph 5, of the Code.
Therefore, on the following 12 October, the Office contacted him by telephone to clarify first of all that the exercise of the right of defense is a faculty granted by the legal system to the person who has received a dispute in order to allow him to justify his conduct and to illustrate any corrective actions. On the other hand, it is not necessary to wait for these interventions to be completed, if it is not possible to complete them within the deadline set for exercising the right of defense. Taking into account that an extension of 15 days had already been granted, it was pointed out that sending a defense brief is an option and not an obligation. Finally, with regard to the difficulties represented in obtaining technical control on the mondoshiatsu.com website (which would have been delegated entirely to Mr. XX), the Office reiterated that the site appeared to all intents and purposes attributable to Arte del Vivere Srl, of whose references and contacts were published. Therefore, since the domain is active, the Company, as the beneficiary of the service, would probably have had contractual or at least accounting documentation relating to this service.
It should be noted in advance that Studio Colli Aniene is to be considered the owner of the processing of personal data, since it has established both the purposes and the methods of contact (see Article 28 of the Regulations); therefore, both the obligations set by the legislation on the protection of personal data and the responsibility for the violations detected are directly attributable to the same Company.
On 12 October 2021, Mr. XX sent an e-mail to the address abusereport@key-systems.net, and for information to the Guarantor, to confirm ownership of the domain and to request its cancellation at the same time.
Having said this, the Office, in particular, observed that, regardless of the number of contacts complained of, personal data processing operations appear to have been carried out, both with regard to the systematic collection of data found on the network and the subsequent commercial contact activity ( at least on February 6 and May 14, 2020) in the absence of the necessary prior informed consent of the interested party in relation to the marketing activity and in the absence of another suitable legal basis, thus integrating the violation of articles 6 and 7 of the Regulation and 130 of the Code.
Finally, with an e-mail dated October 14, also addressed to the complainant, Mr. XX confirmed that he had obtained the obscuration of the site from Mr. XX and added that "the conclusion of this unfortunate affair, highlights that Arte del Vivere srl was not she is not the owner of the Domain and, therefore, she had no possibility to intervene directly on the Domain itself ".
Furthermore, it did not appear that the Company provided the data subject with the information referred to in art. 14 of the Regulation for data not collected directly from the same, nor that the same has found the request to exercise the rights (sent via certified email by the complainant) within the terms provided for by art. 12, par. 3, of the Regulations, the reception of which has not, however, been denied. During the procedure, the Company did not provide explanations regarding the lack of response, despite this being expressly requested by the Office, and it does not even appear that it adequately acknowledged the opposition expressed by the interested party during the complained contacts, considering the '' admission by the same Company of the making, for an alleged error, of a further unwanted phone call. Therefore, it does not appear that Studio Colli Aniene has adopted a system that facilitates the exercise of the rights of the interested parties; therefore, overall, the possible violation of articles 12, par. 3, 14, 15, 17 and 21 of the Regulations;
The Office has verified that, currently, the website is no longer accessible.
Moreover, the information requested by the Office to supplement the first response (of 8 June 2021) was found to be late (having been received only following the reminder made on 2 September 2021, pursuant to art.157 of the Code) and overall unsatisfactory. . In particular, the Company, with communication dated 3 September 2021, limited itself to confirming what has already been expressed with the first aforementioned reply and to declare generically that it carries out "a marketing and research activity, aimed at bringing together supply and demand real estate in a specific area, carrying out their work in compliance with the provisions of the law ". It also did not produce the various additional elements required, with particular regard to the number of data collected online for the promotional campaign, any profiling carried out and the measures taken to ensure the exercise of the right of opposition of the interested parties.
2. VIOLATIONS FOUND
This conduct, therefore, is in contrast with the provisions contained in Articles 5, par. 2, and 24 of the Regulation which frame the responsibilities of the owner with a view to accountability aimed at ensuring the implementation of the obligations provided for by the Regulation and to prove, at the appropriate time (in particular possibly following requests from the 'Office or, even earlier, at the requests of the interested parties), the fulfilments carried out.
With reference to the factual profiles highlighted above, also based on the statements of the Company to which the declarant responds pursuant to art. 168 of the Code, the following assessments are formulated in relation to the profiles concerning the regulations on the subject of personal data protection.
3. LEGAL ASSESSMENTS
What has been reconstructed so far outlines a context in which the Art of Living, the data controller, proved to be completely unable to guarantee compliance with the rules, which, moreover, it seems to have ignored until the intervention of the Guarantor. From what emerged, in fact, the chairman of the board of directors would not have been able to verify the domain ownership of a portal whose contents unquestionably refer to the Company itself. At the same time, he would not have been able to make changes to these contents or to delete the site itself despite being aware of the fact that it was no longer updated since 2014. And such attempts would have been put in place only after receiving the notice of initiation of the procedure by the Guarantor, since the numerous requests of Mr. XX have been disregarded.
As already emerged in the introduction (paragraph 1), it is noted that the Company has declared that it has requested consent to the processing of personal data for promotional, market research and profiling purposes, on the occasion of the first phone call to the interested party (who Studio Colli Aniene dates back to 6 February 2020), confirming, therefore, that it had carried out the aforementioned treatment in the absence of the necessary legal basis for the commercial activity. This telephone call, aimed at obtaining consent for marketing purposes, is to be considered "commercial communication", as recently established by the jurisprudence of legitimacy (Cass. Civ., Section I, ord. April 26, 2021, n. 11019) that - in confirming the validity of the provision of the Guarantor of 22 June 2016 n. 275 (web doc. 5255159) on the unlawfulness of telephone calls for the "recovery of consent" of the interested parties - has, once again, highlighted that "The purpose to which the consent required for processing is unavoidably linked cannot fail to contribute to qualify the processing itself, reason why the processing of the data of the interested party to request consent for marketing purposes is itself a processing for marketing purposes "(see in the same sense the Guidelines on promotional activities and contrast to spam - 4 July 2013; web doc. 2542348). It follows that the contact, even if carried out exclusively to obtain consent for promotional purposes, would have eluded the fundamental principle of self-determination of the interested party with regard to the processing of his personal data which manifests itself in the related fulfillment of free, specific and documented consent for the aforementioned commercial purpose.
According to reports, this would have occurred as a result of a total lack of control over the work of Mr. XX who during the procedure was qualified as a data processor, even without providing documentation in this regard.
It should also be noted that the unsolicited phone call received by the interested party for "mere error committed in total good faith" does not relieve the Company of the liability deriving from the violation of the aforementioned provisions nor does it allow for the application of the exemption, even if invoked by the same Company , pursuant to art. 3 of the law n. 689/1981, having not been able to prove the inevitability.
However, it should be noted that the aforementioned XX, from what appears in the survey published in the Register of Companies, is the majority shareholder of the Company. Since no documentation has been produced regarding XX's role, it is not possible to understand in what capacity he worked for the Art of Living. The XX, in fact, could have provided his service as a working partner or as an external supplier, having to qualify, respectively, as a person in charge of the treatment or as a manager. In both cases, the Company should have had adequate measures to intervene to protect the data processed and, more generally, its corporate assets, as it is not permissible for the data controller to so easily become a "hostage" of those who manage a service for his account. For these reasons, ascertaining the nature of the contractual relationship between the Company and Mr. XX (never documented) would not be relevant here since it would not change the degree of responsibility of the data controller.
Furthermore, in the context of the feedback, Studio Colli Aniene did not produce, in a collaborative and proactive perspective, adequate answers regarding the elements requested, that is, such as to better understand the factual dynamics and its treatment policy, replying with generic formulas and standardized and preventing a more in-depth evaluation of the treatments by the Authority. As already pointed out, in fact, in response to the request of the Office of 24 June 2021, aimed at supplementing the information provided with the first reply of 8 June 2021, the Company has not provided any response, except after having been in this sense requested with the note dated 2 September 2021, formulated pursuant to art. 157 of the Code. In this regard, it should be remembered that the elements useful for defining the investigation framework should be promptly provided by the recipients of the Authority's requests in the competent investigation center to avoid lengthening and burdening the procedural process, as occurred in the present case (see in this regard, engineering order 13 May 2021, web doc. 9670025; provision 16 December 2021, web doc. no. 9735672).
That said, it must be considered that the Company, as the data controller, is directly responsible for the non-cancellation of the complainant's data, regardless of the individual responsibilities of the individuals who acted in it. The organizational deficiencies that emerged from the affair led to the failure to update the data on the website and the failure to respond to the cancellation requests of Mr. XX, in violation of Articles 12 and 17 of the Regulation.
Moreover, in the incomplete representation provided, the Company limited itself to ensuring that it had proceeded with the cancellation of the complainant's personal data, without however giving evidence of the actions taken, especially in a more articulated framework of measures and interventions that, at company level, should be foreseen for the management of these problems.
Taking into account that the website, to date, is no longer accessible and that therefore the personal data contained therein are no longer published on the Internet, the conditions for taking corrective measures are not found. However, in consideration of the unlawfulness of the conduct, taking into account the time taken to obtain the cancellation of data published on a website that had not been updated for years and considering that this corrective action was implemented only after the intervention of the Guarantor , it is believed that the conditions are met for the application of a pecuniary administrative sanction pursuant to art. 58, par. 2, lett. i) of the Regulations.
The negligent nature of the conduct with which the Company did not provide the requested information, to be considered grossly negligent, reveals a serious flaw in the transparency obligations of Studio Colli Aniene (articles 5, paragraph 1 letter a) and 12, par. 1, of the Regulations) which, in the opacity of its work, has violated the aforementioned fundamental guarantees provided by law.
Finally, with regard to the failure to respond to the request for information from the Guarantor of 6 May 2021, due to the complete storage of the registered letter, the following is noted.
With regard to the collection of personal data online and the use of these for marketing purposes (as happened for the data of Mr. XX collected by consulting the websites www.psicologi.it and www.trovanumeri.com and carrying out a nominal survey on the Google search engine), it was considered possible to deduce that these practices fall within the usual operating methods or, at least, are not considered to be in conflict with them. As already described above, the Company reaffirmed its conviction regarding the lawfulness of the online acquisition of the registry lists relating to telephone numbers to be used for marketing purposes, as a preordained operating mode for the execution of subsequent business contacts. In the present case, therefore, Studio Colli Aniene used the data collected on the Internet to promote its services and products, pursuing a different and incompatible purpose with the original one for which the data were made public (such as facilitating contacts with 'interested with his own potential customers, with limited regard to the exercise of his profession) and therefore does not fall within the legitimate expectations of the complainant who, moreover, from the documents, does not appear to have ever expressed and advertised the will to put his own immobile.
This omissive conduct made it necessary to use the Guardia di Finanza for the notification, which took place on 30 August 2021, with a consequent increase in costs and the procedure, with the impossibility of carrying out investigations in the preliminary phase, as all feedback was delegated to the defense following the start of the proceedings.
In this regard, it should be remembered that the Guarantor has repeatedly clarified that "the easy availability of personal data on the internet (such as telephone numbers or e-mail addresses) does not involve the free availability of the same nor does it authorize the processing of such data for any purposes, but - in compliance with the principles of correctness and purpose (see art. 5, par. 1, lett. a) and b), Regulation) - only for the purposes underlying their publication "(see general provision on the subject of electoral propaganda and political communication - 18 April 2019; web doc. 9105201; Guidelines on spam, cit.). Therefore, also with regard to marketing activities, the general prohibition of using the data found on the web for this purpose must be highlighted, without specific informed consent for the aforementioned purpose (see articles 6, 7 and 14, Regulation; for a similar case, relating to real estate services subject to promotional communications sent to contact data taken from the web, and in particular from the social network Linkedin, deviating from the purpose for which the data were published: see injunction order of 16 September 2021, web doc. 9705632). The conduct described therefore entailed, as highlighted above, that the processing of data - which resulted in the collection of the data and the making of telephone calls for promotional purposes - took place in the absence of a suitable legal basis, not being attributable to any of the conditions of lawfulness pursuant to art. 6, par. 1, of the Regulation.
Therefore, the violation of art. 157 of the Code.
Having acknowledged that the Company has not presented defensive writings or requested to be heard by the Authority, it is deemed necessary to confirm the alleged violations.
Despite the lack of explicit justifications in this regard, the exceptional context in which the affair took place must be taken into account, acknowledging the difficulties encountered due to the pandemic in progress. For these reasons, it is believed to be able to postpone the application of a specific administrative pecuniary sanction, framing the violation in question only in the more general negligence of the owner, to be assessed in relation to the aforementioned violations of Articles 12 and 17 of the Regulation.
Therefore, it is necessary, pursuant to art. 58, par. 2, lett. f), prohibit the processing for promotional purposes of personal data found on the Internet and for which the Company is unable to prove the acquisition of suitable consent by the interested parties. Furthermore, since the Company has not provided feedback to the complainant's requests, unless after the intervention of the Guarantor, it is deemed necessary to order Studio Colli Aniene, pursuant to art. 58, par. 2, lett. d), to adopt appropriate procedures to ensure full and effective feedback to the exercise of rights. Furthermore, it is necessary to order the Company to issue suitable prior information to the interested parties regarding the processing of their data.
3. INJUNCTION ORDER FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION
Finally, with regard to the treatments already carried out and with dissuasive purposes, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to Articles 58, par. 2, lett. i) and 83 of the Regulation, by means of the following injunction order.
On the basis of the above, given the violations referred to, the sanction provided for by art. 83, par. 5 of the Regulation.
4. INJUNCTION ORDER FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION
For the purposes of quantifying the administrative sanction, the aforementioned art. 83, par. 5, in setting the maximum legal limit in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the previous year, whichever is higher, specifies the methods of quantifying the aforementioned sanction, which must "in any case [ be] effective, proportionate and dissuasive "(art. 83, par. 1 of the Regulations), identifying, for this purpose, a series of elements, listed in par. 2, to be assessed when quantifying the relative amount.
On the basis of the above, given the violations referred to, the sanction provided for by art. 83, par. 5, of the Regulation.
In compliance with this provision, in the present case, the following aggravating circumstances must be considered:
For the purposes of quantifying the administrative sanction, the aforementioned art. 83, par. 5, in setting the maximum legal limit in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the previous year, whichever is higher, specifies the methods of quantifying the aforementioned sanction, which must "in any case [ be] effective, proportionate and dissuasive "(art. 83, par. 1 of the Regulations), identifying, for this purpose, a series of elements listed in par. 2 of art. 83 in question, to be assessed when quantifying the relative amount.
1. the seriousness of the violation given that the data of 1897 people have been published for several years without ever being updated taking into account that, at least in the case indicated by the complainant, they were not included on the basis of a specific request by the interested party and were not removed even after repeated requests;
What aggravating circumstances, in the present case, must be considered:
2. the seriously negligent nature of the data controller, as described in point 2, since the rules for the protection of personal data were completely ignored until the intervention of the Guarantor;
1. the subjective dimension of the conduct, to be considered grossly negligent, with particular reference to the repeated and insistent nature of the telephone contacts complained of even after the opposition to the processing, as well as the continuing substantial avoidance of the information requested by both the interested party and the Authority ( letter b);
3. the degree of responsibility of the data controller who has not provided feedback to the exercise of the rights of Mr. XX (forcing him to contact the Guarantor) and who has not put in place any type of control over the activity entrusted to Mr. XX since he is not , thus, able to give an account of his work;
2. the inadequate degree of cooperation shown in the discussions with the Authority as the Company did not provide, even in the face of two requests for information, the necessary additions for an adequate assessment of the treatments (letter f);
As mitigating elements, it is believed that we must take into account:
3. the discrepancy of the Company's conduct with respect to the substantial provisional activity of the Authority (letter k).
1. the corrective measures taken by intervening to obscure the website, which is no longer active;
As mitigating elements, it is believed that we must instead take into account:
2. the degree of cooperation with the Authority after the initiation of the procedure;
1. the nature of the data processed, of a common type (letters a, g);
3. the assets of the Company and the economic results recorded in the latest financial statements made available, relating to the 2007 financial year; we also have regard to the exceptional economic context caused by the pandemic which has led to unfavorable consequences especially in production sectors related to personal services, such as the one in which the Art of Living operates;
2. the isolated nature of the complaint which, as far as it was possible to ascertain, given the lack of cooperation of the Company, concerned only one interested party (letter a);
4. the absence of previous proceedings initiated against the Company.
3. the limited volume of business for the year 2020, as resulting from the "VAT 2021 model" (approximately 125,000 euros);
With an overall view of the necessary balance between the rights of the interested parties and freedom of enterprise, and in the first application of the administrative pecuniary sanctions provided for by the Regulation, it is necessary to prudently evaluate the aforementioned criteria, also in order to limit the economic impact of the sanction on the needs. organizational, functional and occupational of the Company.
4. the absence of previous proceedings against the Company (letter e).
Therefore it is believed that, on the basis of all the elements indicated above, having regard to the decisions adopted in previous similar cases and taking into account the economic information made available in the register of companies and since no information has been received on the matter from the Company, the to Arte delivere the administrative sanction of the payment of a sum equal to 5,000.00 euros (five thousand / 00), equal to 0.05% of the maximum authorized amount of 20 million euros and, due to the aggravating elements found, the ancillary sanction of the full publication of this provision on the website of the Guarantor as required by art. 166, paragraph 7 of the Code and by art. 16 of the regulation of the Guarantor n. 1/2019.
Based on the set of elements indicated above, in application of the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1, of the Regulation, taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational, functional and employment needs of the Company in proportion to the turnover resulting from the financial statements of the company, it is believed that it should apply to Studio Colli Aniene Verderocca Srl - also taking into account other similar cases (see for example the provision of 16 September 2021, cit.) - the administrative sanction of the payment of a sum of 5,000.00 (five thousand / 00) euros, equal to 0.05% of the maximum legal limit of 20 million euros.
Finally, it is believed that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations found here in the internal register of the Authority, provided for by art. 57, par. 1, lett. u) of the Regulations.
In the case in question, it is believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the matter under investigation, namely the phenomenon of unwanted marketing, with respect to which this Authority has adopted numerous measures both of a general nature and aimed at certain data controllers and on which the attention of the 'user.
Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations found here in the internal register of the Authority, provided for by art. 57, par. 1, lett. u) of the Regulations.
WHEREAS, THE GUARANTOR
WHEREAS, THE GUARANTOR
pursuant to art. 57, par. 1, lett. f), of the Regulation, declares illegal the processing described in the terms set out in the motivation by Arte delivere S.r.l., with registered office in Milan, Via Luigi Settembrini 52, VAT no. 10666240154, and consequently:
pursuant to art. 57, par. 1, lett. f), of the Regulations, declares illegal the processing described in the terms set out in the motivation by Studio Colli Aniene Verderocca S.r.l., based in Rome, Viale Sacco and Vanzetti 191, VAT no. 07803151005, and consequently:
- pursuant to art. 58, par. 2, lett. f), of the Regulations, orders the definitive limitation of the processing of personal data of interested parties found on the web and for which he does not have an informed, free and specific consent for the promotional purpose or of another suitable and documented legal basis pursuant to of articles 6 and 7 of the Regulations;
- pursuant to art. 58, par. 2, lett. d), orders the Company to adopt appropriate procedures to ensure a complete and timely response to the exercise of the rights of the interested parties as well as the release of suitable prior information regarding the processing of their personal data, pursuant to Articles 13 and 14 of the Regulation.
ORDER
ORDER
a Arte delivere S.r.l., with registered office in Milan, Via Luigi Settembrini 52, VAT no. 10666240154, to pay the sum of € 5,000.00 (five thousand / 00) as a fine for the violations indicated in the motivation, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, with the fulfillment of the prescribed requirements and the payment, within thirty days, of an amount equal to half of the sanction imposed.
to Studio Colli Aniene Verderocca S.r.l., with registered office in Rome, Viale Sacco and Vanzetti 191, VAT no. 07803151005, to pay the sum of € 5,000.00 (five thousand / 00) as a fine for the violations indicated in the motivation, representing that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute, with the fulfillment of the prescribed requirements and the payment, within thirty days, of an amount equal to half of the sanction imposed.
INJUNCES
INJUNCES
to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 5,000.00 (five thousand / 00), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to 'art. 27 of the law n. 689/1981.
to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 5,000.00 (five thousand / 00), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to 'art. 27 of the law n. 689/1981.
HAS
HAS
a) pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lett. u) of the Regulations, violations and measures adopted;
as an ancillary sanction, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, the publication on the website of the Guarantor of this provision and, pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lett. u) of the Regulations, violations and measures adopted.
b) pursuant to art. 166, paragraph 7, of the Code, the full publication of this provision on the website of the Guarantor.
The Guarantor, pursuant to art. 58, par. 1, of the Regulations, also invites the data controller to communicate, within 30 days from the date of receipt of this provision, which initiatives have been undertaken in order to implement the provisions of this provision and in any case to provide adequately documented feedback. Please note that failure to respond to the request pursuant to art. 58 is punished with the administrative sanction referred to in art. 83, par. 5, lett. e), of the Regulations.
Pursuant to art. 78 of Regulation (EU) 2016/679, as well as of articles 152 of the Code and 10 of the legislative decree 1 September 2011, n. 150, opposition to this provision may be filed with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is resident, or, alternatively, to the court of the place of residence of the person concerned. , within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.
Pursuant to art. 78 of Regulation (EU) 2016/679, as well as of articles 152 of the Code and 10 of the legislative decree 1 September 2011, n. 150, opposition to this provision may be filed with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is resident, or, alternatively, to the court of the place of residence of the person concerned. , within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.
Rome, February 10, 2022
Rome, February 10, 2022
Line 149: Line 152:
Stanzione
Stanzione
THE RAPPORTEUR
THE RAPPORTEUR
Stanzione
Cerrina Feroni
THE SECRETARY GENERAL
THE SECRETARY GENERAL
Mattei
Mattei
</pre>
</pre>

Latest revision as of 14:22, 6 April 2022

Garante per la protezione dei dati personali (Italy) - 9756869
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 7 GDPR
Article 12(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 14.04.2021
Decided: 10.02.2022
Published: 30.03.2022
Fine: 5000 EUR
Parties: Studio Colli Aniene Verderocca S.r.l.
National Case Number/Name: 9756869
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: Cesar Manso-Sayao

The Italian DPA issued a fine of €5000 against a company for lacking a valid legal basis to make unsolicited marketing calls using information obtained on the internet, as well as for not handling a data subject's access and deletion requests, in violation of Articles 5(1)(a), 6(1), 7 and 12(1) GDPR.

English Summary

Facts

A data subject filed a complaint with the Italian DPA (Garante per la Protezione dei Dati Personali – Garante) claiming he had received numerous undesired and periodic telephone calls promoting the real estate agency Tecnocasa in relation to a property he owns. The data subject also stated that he had not received a response to access and deletion requests under Article 15 GDPR and Article 17 GDPR respectively, which were forwarded to Studio Colli Aniene Verderocca S.r.l., a marketing company, which was the registered holder of the telephone numbers making the calls.

The Garante initiated an investigation, and determined that the marketing company (and not the real estate agency) was the autonomous controller in this case, since it processed the data based on its own data collection, and had established the purposes and methods of contact for the marketing calls independently.

When responding to the Garante’s request for information, the marketing company argued that they had only called the data subject twice. On the first occasion they had asked for his consent to the calls, which the company acknowledged that the data subject had objected to. The second call was admittedly made by a “mere error in good faith”, in light of the previously acknowledged objection. The company also claimed that the acquisition of the personal data was lawful since it had been found on the internet on publicly available websites as well as through Google searches, and also stated that it had deleted the complainant’s personal data from its databases.

Holding

The Garante noted that irrespective of the amount of calls made to the data subject, the fact that the data was obtained from the internet and that the initial call was made without prior consent or any other legal basis, constituted a violation of Articles 6 and 7 GDPR. Additionally, the Garante stated according to its own jurisprudence (see here) a telephone call aimed at obtaining consent for marketing purposes in itself constitutes processing for marketing purposes, and hence would circumvent the required consent required for the processing to begin with. Moreover, the Garante held that the unwanted telephone call received by the data subject due to a "mere error made in good faith" does not relieve the company of liability since it has not proven the inevitability of this mistake.

Regarding the collection of data using publicly available websites and Google searches, the Garante stated that the controller used the data collected on the internet to promote its services and products, pursuing a different purpose that is incompatible with the original purpose for which the data were made public (i.e. to facilitate the contacts of the data subject with its potential customers, with limited regard to the exercise of his profession) and therefore not according to the data subject’s legitimate expectations. The Garante also clarified that the easy availability of personal data on the internet does not justify the processing of such data for any purpose other than for what it was orignally published, and held that in this case, the collection and processing of this data was also in violation of Article 6(1) GDPR by lacking a valid legal basis.

The Garante also held that the company had violated its transparency obligations under Articles 5(1)(a) and 12(1) GDPR by failing to grant the data subject’s access and deletion requests, and by not providing any proof of internal framework and measures to handle these requests, or of the actual deletion of the data itself.

Based on these considerations, the Garante issued a fine of €5000 against the marketing company. It also ordered the company to take measures to comply with GDPR by ceasing its processing operations related to unsolicited marketing calls and obtaining personal data on the internet without a legal basis, as well as the implementation of procedures to ensure the response to data subjects’ exercise of their data protection rights, and to provide these with appropriate information with regard to the processing of their personal data.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details. 

[doc. web n. 9756869]
Order injunction against Studio Colli Aniene Verderocca S.r.l. - February 10, 2022
Record of measures
n. 49 of 10 February 2022
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, Avv. Guido Scorza, member, and the cons. Fabio Mattei, general secretary;
GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC (General Data Protection Regulation, hereinafter the "Regulation");
GIVEN the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n.196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter the "Code");
HAVING REGARD to the documentation on file;
HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;
SPEAKER Prof. Ginevra Cerrina Feroni;
WHEREAS
1. THE INVESTIGATION ACTIVITY CARRIED OUT
With the complaint of May 14, 2021 presented to this Authority pursuant to art. 77 of the Regulations, Mr. XX complained that he received unwanted "periodic phone calls" aimed at promoting the services of the Tecnocasa Agency regarding a property he owned and, moreover, represented that he had not received a response to the request to exercise the rights, pursuant to art. 15 and 17 of the Regulations, sent via certified email on 17 February 2020 to the Affiliate Studio Colli Aniene Verderocca S.r.l. (hereinafter «Studio Colli Aniene», or «Company») “holder of the telephone numbers” calling; the same complainant highlighted the perpetuation of further unwanted contacts on the part of the aforementioned Company up to the date of the filing of the complaint.
In this regard, the Office has launched an investigation, with requests for information made on the dates of May 19 and June 24, 2021 (the latter requested on September 2, 2021, pursuant to Article 157 of the Code), in order to to acquire elements of evaluation which allowed to exclude violations of Tecnocasa Franchising SpA with regard to the promotional contacts complained of in the complaint, as carried out by the company Studio Colli Aniene Verderocca S.r.l., as an independent data controller, on the basis of its own independent data collection.
In response to the aforementioned requests for information, the Company, with notes dated 8 June and 3 September 2021, declared that it had contacted the complainant in only two circumstances (6 February and 14 May 2020), adding that it had requested consent to the processing. of personal data for promotional, market research and profiling purposes, on the occasion of the first phone call and providing, in this circumstance, to register the refusal opposed by Mr. XX, only to then contact the latter again for "mere mistake made in total good faith". The Company, which has ensured that it has deleted the complainant's data from its databases, also represented that it lawfully processed the same data as it was found on the Internet, by consulting the websites www.trovanumeri.com and www.psicologi.it and carrying out a nominal survey on the search engine "Google".
The complainant, in the observations sent to this Authority on 23 June 2021 and formulated regarding the response of 8 June 2021, with regard to the telephone calls received, objected to the smallness of the same in the terms represented by the Company, pointing out, on the contrary, that the same allegedly omitted "the numerous other phone calls, even in previous years, where it had already been pointed out, with extreme courtesy, that they do not like calls with the offer of unsolicited services, not failing to invite, with equal kindness, the cancellation of their data and his wife from their databases ".
2. CONTESTATION OF VIOLATIONS AND EXERCISE OF THE RIGHT OF DEFENSE
2.1. The dispute
In light of what emerged from the preliminary investigation in the terms summarized above, also on the basis of the statements of the Company to which the declarant responds pursuant to art. 168 of the Code, on 12 November 2021 Studio Colli Aniene was notified of the initiation of the procedure pursuant to art. 166, paragraph 5, of the Code.
It should be noted in advance that Studio Colli Aniene is to be considered the owner of the processing of personal data, since it has established both the purposes and the methods of contact (see Article 28 of the Regulations); therefore, both the obligations set by the legislation on the protection of personal data and the responsibility for the violations detected are directly attributable to the same Company.
Having said this, the Office, in particular, observed that, regardless of the number of contacts complained of, personal data processing operations appear to have been carried out, both with regard to the systematic collection of data found on the network and the subsequent commercial contact activity ( at least on February 6 and May 14, 2020) in the absence of the necessary prior informed consent of the interested party in relation to the marketing activity and in the absence of another suitable legal basis, thus integrating the violation of articles 6 and 7 of the Regulation and 130 of the Code.
Furthermore, it did not appear that the Company provided the data subject with the information referred to in art. 14 of the Regulation for data not collected directly from the same, nor that the same has found the request to exercise the rights (sent via certified email by the complainant) within the terms provided for by art. 12, par. 3, of the Regulations, the reception of which has not, however, been denied. During the procedure, the Company did not provide explanations regarding the lack of response, despite this being expressly requested by the Office, and it does not even appear that it adequately acknowledged the opposition expressed by the interested party during the complained contacts, considering the '' admission by the same Company of the making, for an alleged error, of a further unwanted phone call. Therefore, it does not appear that Studio Colli Aniene has adopted a system that facilitates the exercise of the rights of the interested parties; therefore, overall, the possible violation of articles 12, par. 3, 14, 15, 17 and 21 of the Regulations;
Moreover, the information requested by the Office to supplement the first response (of 8 June 2021) was found to be late (having been received only following the reminder made on 2 September 2021, pursuant to art.157 of the Code) and overall unsatisfactory. . In particular, the Company, with communication dated 3 September 2021, limited itself to confirming what has already been expressed with the first aforementioned reply and to declare generically that it carries out "a marketing and research activity, aimed at bringing together supply and demand real estate in a specific area, carrying out their work in compliance with the provisions of the law ". It also did not produce the various additional elements required, with particular regard to the number of data collected online for the promotional campaign, any profiling carried out and the measures taken to ensure the exercise of the right of opposition of the interested parties.
This conduct, therefore, is in contrast with the provisions contained in Articles 5, par. 2, and 24 of the Regulation which frame the responsibilities of the owner with a view to accountability aimed at ensuring the implementation of the obligations provided for by the Regulation and to prove, at the appropriate time (in particular possibly following requests from the 'Office or, even earlier, at the requests of the interested parties), the fulfilments carried out.
3. LEGAL ASSESSMENTS
As already emerged in the introduction (paragraph 1), it is noted that the Company has declared that it has requested consent to the processing of personal data for promotional, market research and profiling purposes, on the occasion of the first phone call to the interested party (who Studio Colli Aniene dates back to 6 February 2020), confirming, therefore, that it had carried out the aforementioned treatment in the absence of the necessary legal basis for the commercial activity. This telephone call, aimed at obtaining consent for marketing purposes, is to be considered "commercial communication", as recently established by the jurisprudence of legitimacy (Cass. Civ., Section I, ord. April 26, 2021, n. 11019) that - in confirming the validity of the provision of the Guarantor of 22 June 2016 n. 275 (web doc. 5255159) on the unlawfulness of telephone calls for the "recovery of consent" of the interested parties - has, once again, highlighted that "The purpose to which the consent required for processing is unavoidably linked cannot fail to contribute to qualify the processing itself, reason why the processing of the data of the interested party to request consent for marketing purposes is itself a processing for marketing purposes "(see in the same sense the Guidelines on promotional activities and contrast to spam - 4 July 2013; web doc. 2542348). It follows that the contact, even if carried out exclusively to obtain consent for promotional purposes, would have eluded the fundamental principle of self-determination of the interested party with regard to the processing of his personal data which manifests itself in the related fulfillment of free, specific and documented consent for the aforementioned commercial purpose.
It should also be noted that the unsolicited phone call received by the interested party for "mere error committed in total good faith" does not relieve the Company of the liability deriving from the violation of the aforementioned provisions nor does it allow for the application of the exemption, even if invoked by the same Company , pursuant to art. 3 of the law n. 689/1981, having not been able to prove the inevitability.
Furthermore, in the context of the feedback, Studio Colli Aniene did not produce, in a collaborative and proactive perspective, adequate answers regarding the elements requested, that is, such as to better understand the factual dynamics and its treatment policy, replying with generic formulas and standardized and preventing a more in-depth evaluation of the treatments by the Authority. As already pointed out, in fact, in response to the request of the Office of 24 June 2021, aimed at supplementing the information provided with the first reply of 8 June 2021, the Company has not provided any response, except after having been in this sense requested with the note dated 2 September 2021, formulated pursuant to art. 157 of the Code. In this regard, it should be remembered that the elements useful for defining the investigation framework should be promptly provided by the recipients of the Authority's requests in the competent investigation center to avoid lengthening and burdening the procedural process, as occurred in the present case (see in this regard, engineering order 13 May 2021, web doc. 9670025; provision 16 December 2021, web doc. no. 9735672).
Moreover, in the incomplete representation provided, the Company limited itself to ensuring that it had proceeded with the cancellation of the complainant's personal data, without however giving evidence of the actions taken, especially in a more articulated framework of measures and interventions that, at company level, should be foreseen for the management of these problems.
The negligent nature of the conduct with which the Company did not provide the requested information, to be considered grossly negligent, reveals a serious flaw in the transparency obligations of Studio Colli Aniene (articles 5, paragraph 1 letter a) and 12, par. 1, of the Regulations) which, in the opacity of its work, has violated the aforementioned fundamental guarantees provided by law.
With regard to the collection of personal data online and the use of these for marketing purposes (as happened for the data of Mr. XX collected by consulting the websites www.psicologi.it and www.trovanumeri.com and carrying out a nominal survey on the Google search engine), it was considered possible to deduce that these practices fall within the usual operating methods or, at least, are not considered to be in conflict with them. As already described above, the Company reaffirmed its conviction regarding the lawfulness of the online acquisition of the registry lists relating to telephone numbers to be used for marketing purposes, as a preordained operating mode for the execution of subsequent business contacts. In the present case, therefore, Studio Colli Aniene used the data collected on the Internet to promote its services and products, pursuing a different and incompatible purpose with the original one for which the data were made public (such as facilitating contacts with 'interested with his own potential customers, with limited regard to the exercise of his profession) and therefore does not fall within the legitimate expectations of the complainant who, moreover, from the documents, does not appear to have ever expressed and advertised the will to put his own immobile.
In this regard, it should be remembered that the Guarantor has repeatedly clarified that "the easy availability of personal data on the internet (such as telephone numbers or e-mail addresses) does not involve the free availability of the same nor does it authorize the processing of such data for any purposes, but - in compliance with the principles of correctness and purpose (see art. 5, par. 1, lett. a) and b), Regulation) - only for the purposes underlying their publication "(see general provision on the subject of electoral propaganda and political communication - 18 April 2019; web doc. 9105201; Guidelines on spam, cit.). Therefore, also with regard to marketing activities, the general prohibition of using the data found on the web for this purpose must be highlighted, without specific informed consent for the aforementioned purpose (see articles 6, 7 and 14, Regulation; for a similar case, relating to real estate services subject to promotional communications sent to contact data taken from the web, and in particular from the social network Linkedin, deviating from the purpose for which the data were published: see injunction order of 16 September 2021, web doc. 9705632). The conduct described therefore entailed, as highlighted above, that the processing of data - which resulted in the collection of the data and the making of telephone calls for promotional purposes - took place in the absence of a suitable legal basis, not being attributable to any of the conditions of lawfulness pursuant to art. 6, par. 1, of the Regulation.
Having acknowledged that the Company has not presented defensive writings or requested to be heard by the Authority, it is deemed necessary to confirm the alleged violations.
Therefore, it is necessary, pursuant to art. 58, par. 2, lett. f), prohibit the processing for promotional purposes of personal data found on the Internet and for which the Company is unable to prove the acquisition of suitable consent by the interested parties. Furthermore, since the Company has not provided feedback to the complainant's requests, unless after the intervention of the Guarantor, it is deemed necessary to order Studio Colli Aniene, pursuant to art. 58, par. 2, lett. d), to adopt appropriate procedures to ensure full and effective feedback to the exercise of rights. Furthermore, it is necessary to order the Company to issue suitable prior information to the interested parties regarding the processing of their data.
Finally, with regard to the treatments already carried out and with dissuasive purposes, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to Articles 58, par. 2, lett. i) and 83 of the Regulation, by means of the following injunction order.
4. INJUNCTION ORDER FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION
On the basis of the above, given the violations referred to, the sanction provided for by art. 83, par. 5, of the Regulation.
For the purposes of quantifying the administrative sanction, the aforementioned art. 83, par. 5, in setting the maximum legal limit in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the previous year, whichever is higher, specifies the methods of quantifying the aforementioned sanction, which must "in any case [ be] effective, proportionate and dissuasive "(art. 83, par. 1 of the Regulations), identifying, for this purpose, a series of elements listed in par. 2 of art. 83 in question, to be assessed when quantifying the relative amount.
What aggravating circumstances, in the present case, must be considered:
1. the subjective dimension of the conduct, to be considered grossly negligent, with particular reference to the repeated and insistent nature of the telephone contacts complained of even after the opposition to the processing, as well as the continuing substantial avoidance of the information requested by both the interested party and the Authority ( letter b);
2. the inadequate degree of cooperation shown in the discussions with the Authority as the Company did not provide, even in the face of two requests for information, the necessary additions for an adequate assessment of the treatments (letter f);
3. the discrepancy of the Company's conduct with respect to the substantial provisional activity of the Authority (letter k).
As mitigating elements, it is believed that we must instead take into account:
1. the nature of the data processed, of a common type (letters a, g);
2. the isolated nature of the complaint which, as far as it was possible to ascertain, given the lack of cooperation of the Company, concerned only one interested party (letter a);
3. the limited volume of business for the year 2020, as resulting from the "VAT 2021 model" (approximately 125,000 euros);
4. the absence of previous proceedings against the Company (letter e).
Based on the set of elements indicated above, in application of the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1, of the Regulation, taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational, functional and employment needs of the Company in proportion to the turnover resulting from the financial statements of the company, it is believed that it should apply to Studio Colli Aniene Verderocca Srl - also taking into account other similar cases (see for example the provision of 16 September 2021, cit.) - the administrative sanction of the payment of a sum of 5,000.00 (five thousand / 00) euros, equal to 0.05% of the maximum legal limit of 20 million euros.
In the case in question, it is believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the matter under investigation, namely the phenomenon of unwanted marketing, with respect to which this Authority has adopted numerous measures both of a general nature and aimed at certain data controllers and on which the attention of the 'user.
Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations found here in the internal register of the Authority, provided for by art. 57, par. 1, lett. u) of the Regulations.
WHEREAS, THE GUARANTOR
pursuant to art. 57, par. 1, lett. f), of the Regulations, declares illegal the processing described in the terms set out in the motivation by Studio Colli Aniene Verderocca S.r.l., based in Rome, Viale Sacco and Vanzetti 191, VAT no. 07803151005, and consequently:
- pursuant to art. 58, par. 2, lett. f), of the Regulations, orders the definitive limitation of the processing of personal data of interested parties found on the web and for which he does not have an informed, free and specific consent for the promotional purpose or of another suitable and documented legal basis pursuant to of articles 6 and 7 of the Regulations;
- pursuant to art. 58, par. 2, lett. d), orders the Company to adopt appropriate procedures to ensure a complete and timely response to the exercise of the rights of the interested parties as well as the release of suitable prior information regarding the processing of their personal data, pursuant to Articles 13 and 14 of the Regulation.
ORDER
to Studio Colli Aniene Verderocca S.r.l., with registered office in Rome, Viale Sacco and Vanzetti 191, VAT no. 07803151005, to pay the sum of € 5,000.00 (five thousand / 00) as a fine for the violations indicated in the motivation, representing that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute, with the fulfillment of the prescribed requirements and the payment, within thirty days, of an amount equal to half of the sanction imposed.
INJUNCES
to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 5,000.00 (five thousand / 00), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to 'art. 27 of the law n. 689/1981.
HAS
as an ancillary sanction, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, the publication on the website of the Guarantor of this provision and, pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lett. u) of the Regulations, violations and measures adopted.
The Guarantor, pursuant to art. 58, par. 1, of the Regulations, also invites the data controller to communicate, within 30 days from the date of receipt of this provision, which initiatives have been undertaken in order to implement the provisions of this provision and in any case to provide adequately documented feedback. Please note that failure to respond to the request pursuant to art. 58 is punished with the administrative sanction referred to in art. 83, par. 5, lett. e), of the Regulations.
Pursuant to art. 78 of Regulation (EU) 2016/679, as well as of articles 152 of the Code and 10 of the legislative decree 1 September 2011, n. 150, opposition to this provision may be filed with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is resident, or, alternatively, to the court of the place of residence of the person concerned. , within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.
Rome, February 10, 2022
PRESIDENT
Stanzione
THE RAPPORTEUR
Cerrina Feroni
THE SECRETARY GENERAL
Mattei
Retrieved from "https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9756869&oldid=25167"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki