Garante per la protezione dei dati personali (Italy) - 9771545

From GDPRhub
Garante per la protezione dei dati personali - 9771545
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(e) GDPR
Article 12(3) GDPR
Article 13 GDPR
Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 07.04.2022
Published:
Fine: 50000 EUR
Parties: Palumbo Superyacht Ancora s.r.l.
National Case Number/Name: 9771545
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: Carloc

The Italian DPA fined Palumbo Superyacht Ancora €50,000 for, among other things, violating the principles of fairness and storage limitation by illegally keeping a former independent contractor's work email account active and preventing them from accessing it.

English Summary[edit | edit source]

Facts[edit | edit source]

On 29 September 2020, the Italian DPA received a complaint from a former commercial agent for Palumbo Superyacht Ancona s.r.l. The data subject is the former commercial agent. The controller is Palumbo Superyacht Ancona.

On 23 June 20, the controller inhibited the data subject from using her work email address without any notice. She was not allowed to retrieve any information from the account beforehand. The data subject's requests for access to the account were ignored by the controller.

The controller stated that the contract with the data subject was terminated over the disclosure of confidential information and that out of court proceedings over said disclosure were ongoing. The controller claimed that the data subject's email account was kept active to investigate the alleged breach of confidentiality, and to store information for later use in the proceedings. The controller argued that the processing was in compliance with the principles of necessity and data minimization, as it neither used the account themselves nor allowed third parties access. The controller also stated that it made itself available to discuss ways for the data subject to access his account and retrieve his personal data, ensuring that she could not alter the information present.

The DPA found that the controller did not provide the data subject with sufficient information on their policies regarding work emails. Furthermore, the DPA found that the controller was unable to prove compliance with the information duties under Article 13 GDPR, as the information allegedly provided to the data subject lacked the requirements laid down in said Article, and the relevant documentation was not signed by the data subject. The DPA further noted that email accounts are not a suitable tool to store data for later use as evidence in proceedings.

Holding[edit | edit source]

The Italian DPA held that the controller violated the principle of fairness and in particular the principle of storage limitation by keeping the data subject's account active after inhibiting her access to it (Article 5(1)(a)(e) GDPR). The DPA specified that, according to its own case law, work emails of employees must be deactivated at the end of the employment relationship. The DPA further clarified that the data rights of workers must be protected in the employment relationship regardless of the legal nature of the relationship itself. The data subject's position as an independent contractor thus did not change this.

The DPA also held that Article 13 GDPR was violated, as the controller failed to provide the data subject with the required information on the processing of her personal data. Finally, the DPA held that the company violated Articles 12(3) and 15 GDPR by failing to respond to the data subject's access request.

The DPA orders the controller to adopt suitable organisational technological measures to allow the data subject to access the email account and to deactivate it within 7 days. Additionally, to adopt an automated system to provide relevant third parties with an alternative (email) address and suitable measures to prevent the display of incoming messages within 10 days. The DPA further orders the controller to adopt measures to ensure requests from data subjects to exercise their rights are handled in a suitable and timely manner. The DPA prohibits the controller to further process personal data on the email account, without prejudice to the preservation necessary for the ongoing procedures regarding the breach of confidentiality. The DPA imposed a fine of €50.000 on the controller.

Comment[edit | edit source]

The DPA also noted that illegally processed data is generally not admissible as proof under Italian procedural law.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.


SEE NEWSLETTER OF 19 MAY 2022

[doc. web n. 9771545]
Order injunction against Palumbo Superyacht Ancona s.r.l. - April 7, 2022
Record of measures
n. 127 of 7 April 2022
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei, general secretary;
GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC (General Data Protection Regulation, hereinafter the "Regulation");
GIVEN the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n.196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter the "Code");
HAVING REGARD to the documentation on file;
HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;
RAPPORTEUR Dr. Agostino Ghiglia;
WHEREAS
1. THE INVESTIGATION ACTIVITY CARRIED OUT
1.1. The complaint received.
The Authority received a complaint, dated 29 September 2020, from XX, against the company Palumbo Superyacht Ancona s.r.l. (hereinafter referred to as "Company" or "Palumbo"), in which the same represented that:
- in constancy of an employment relationship (exclusive agency) with Palumbo started in April 2018, the same, on 23 June 2020, without any notice or communication, was inhibited from using their company account (XX) , remaining deprived of the possibility to access it;
- the aforementioned account constituted a working tool that the same had used since July 2018 to entertain any relationship of a commercial and pre-contractual nature; it also contained "strictly personal communications, the disclosure of which could cause a serious violation of their rights to dignity, image, honor and confidentiality, as well as damage to their work", such as the loss of numerous customers who, not receiving a reply to their requests via e-mail, they turned elsewhere for their pre-contractual advice;
- the account in question was still active, in fact warnings / requests to enter the new password to re-enter it continued to be received on their computer and phone; in particular, the password was changed remotely without the person concerned having known or authorized it and without, however, being allowed to back up all correspondence;
- on the same 23 June 2020, after receiving a message from the server in which it was communicated that the password had changed, he immediately communicated this circumstance to Palumbo, requesting the timely restoration of the account, essential for business communications and to be able to properly fulfill the contractual obligations assumed with the Company;
- the Company has never provided any feedback to the aforementioned requests sent by certified e-mail, persisting in denying access to said e-mail address;
- their documented requests had been sent not only to the Company but also to the lawyer of the same, both via e-mail and via whatsapp, asking to know why they continued to keep their personal account active, without giving them account of the ge -stione of the same.
This conduct, in the opinion of the complainant, constituted a serious abuse, which it reserved the right to assert also in court, but "in the first place it perpetuates a serious infringement of its right to confidentiality and of the constitutionally guaranteed right to the secrecy of its own correspondence".
The aforementioned, the complainant asked to take against Palumbo “every opportune measure deemed suitable to put an end to this illegal behavior and, in particular,… a) in-timare…. to follow up on the exercise of the rights already exercised ... and remained unanswered, granting ... access to all the data on your account or in any case, providing you with evidence of all communications received from last June 23 to today; b) order ... also the immediate closure of the reserved account ... "; and the possibility, with the tools that the company deems most appropriate, that the many people who still write to that post address are informed of this closure; ... c) impose ... the immediate prohibition of the processing of data contained in the account reserved for you. "
1.2 The Authority's request for information.
With a note dated February 16, 2021, the Office requested, by certified email, Palumbo to provide observations regarding the matters set out in the aforementioned complaint. Since no reply was received, the Office tried in vain, several times, to contact the Company, using the telephone numbers available on its website. Subsequently, the request was renewed, again by certified e-mail, pursuant to art. 157 of the Code, with a note dated 22 April this year. Even this last communication, although it was regularly delivered, remained unanswered.
1.3. Dispute of possible violations and administrative procedure.
In light of the foregoing, the extremes of the possible violation referred to in Articles 157 and 166, paragraph 2, of the Code, punishable under art. 83, par. 5 of the Regulations; therefore, with a note dated 17 June, the related contestation was prepared with the initiation of the procedure for the adoption of the aforementioned sanction. On the same date, the Special Privacy Protection and Technological Fraud Unit of the Guardia di Finanza was involved, based on the provisions of the Memorandum of Understanding signed with the Authority, in order to notify the aforementioned Company: a) the request for information pursuant to art. 157 of the Code, acquiring the relative confirmation, also with regard to the availability of the owner to satisfy the request of the complainant; b) the aforementioned dispute pursuant to art. 166, paragraph 5, of the Code.
The analysis of the minutes drawn up by the Guardia di Finanza on 7 October last year confirmed the circumstances relating to the Company's failure to respond to the requests of the Office. Furthermore, the possible validity of the complaints of the complainant emerged with specific regard to the sudden and protracted lack of access to the company address assigned to her and the persistent vitality of the same, even if the Company has in any case prevented its use by third parties (circumstance verified by the GdF which ascertained the last access occurred on 23 June 2020).
It also turned out that the Company had sent various certified e-mails to the complainant (from 2 July to 26 August 2020) to contest some contractual breaches and to put an end to the existing working relationship starting from 26 August 2020, but without referring to the management. of the e-mail address assigned to you. On the occasion of the said inspection visit, the Company declared that it was available, at the specific request of the complainant, to allow her, with times and methods to be agreed, "access and interrogation of the electronic mailbox in order to identify personal data that concern you ".
As part of the preliminary investigation launched to settle the complaint in question, also on the basis of the findings of the aforementioned minutes, she contacted the Company, again in accordance with art. 157 of the Code, a further request regarding the information and the disciplinary that may be issued to the complainant pursuant to art. 13 of the Regulations with particular regard to the management of company e-mail boxes, during the development of the employment relationship and after the termination of the same.
The Company, with a note dated 28 October, responded to the said supplementary request, stating that: "In relation to the information and the disciplinary relating to the (interested party) .... We inform you that we are not signed, probably for mere distraction and taking into account that the agency contract was negotiated and signed remotely. Our company standard is to present and have signed, upon signing the contract both for an employee and for external consultants or third parties, the privacy policy and the information regarding the use of company equipment and vehicles. ", To - by attaching the models used, in word files (unsigned), and specifying that "the reference to the use of the company email is reported in the ... document ... - Appointment of the persons in charge". On the same occasion, the Company also renewed "its full willingness to reopen a possible conversation with Dr. XX if temporary access to the company email is required, for the recovery of information that is useful to her."
The complainant, addressee for knowledge of the aforementioned reply, on 1 November last year, however, replied that the documents in question would not have been provided to her and that (on 10 February 2020) only the employment contract would be submitted to her for signature, moreover formalized at the Ancona office, in the presence of Mr. Palumbo and other witnesses, specifying that on the occasion the deadline of 31 August 2023 was agreed and finally reiterating the requests already formulated with the complaint.
The Office, on the basis of the overall elements acquired, sent the Company on 12 November this year a further communication of the initiation of the procedure for the adoption of any corrective and sanctioning measures pursuant to art. 166, paragraph 5, of the Code, considering the conditions for the possible violation to be recognized:
- of art. 5, par. 1, lett. a) and e) of the Regulations, due to conduct that does not comply with the principle of correctness and, specifically, the persistent vitality of the company account assigned to the complainant, in violation of the principle of 'conservation limitation';
- of art. 13 of the Regulations, having not proven that it has provided the interested party with appropriate information, also in light of the guidelines of the Guarantor by e-mail and internet of 1 March 2007, publ. in the Official Gazette no. 58 of 10 March 2007 (web doc. 1387522);
- of articles 12, par. 3, and 15 of the Regulations, due, respectively, to the non-response that should have given "without undue delay" and in any case no later than 30 days from receipt of the request of the interested party, as well as the prohibited access to the account company in question.
On 10 December u.s. the Company, through its lawyer, sent a defense brief - the content of which is fully referred to - in which, in reiterating what was communicated to the G.d.F. in the aforementioned circumstance and in the note of 28 October u.s. - it is admitted not to be able to prove the issue of a disclosure to the interested party pursuant to art. 13 of the Regulation, nor of a discipline relating to IT tools, asking however to consider that the emergency situation could have influenced the correct execution of these obligations. He also highlighted:
- of having prevented, from 23 June 2020, access to the mailbox (by changing the password used by the complainant) due to undue disclosure of confidential company information, attributed to the same concerned;
- that this conduct had been the subject of two formal complaints addressed to the complainant in preparation for the termination of the contract for just cause formalized by the Company on 26 August 2020;
- to have kept the box active because it is functional to the business needs of the company as well as due to the ongoing dispute with the complainant and for any "defensive investigations" as well as in order to be able to agree on methods of access to the interested party suitable for the recovery of his information personal, while safeguarding the integrity of the contents;
- that the mailbox in question (merely "lent" to the agent, as a self-employed worker) was to be considered in the exclusive ownership of the employer and intended to contain non-specific data, such as personal data or billing;
- the agent would not be comparable to the subordinate worker (given the inherent organizational and operational autonomy);
- the assignment of the box could be part of the free loan pursuant to art. 1804 of the Italian Civil Code, therefore with the related obligation of prompt repayment in the event of a request from the employer-lender.
Furthermore, also due to the fact that he "frozen" access by third parties, including the owner of the company and did not make any use of the account, he stated that he acted in compliance with the principles of necessity and minimization of processing, also highlighting that it has overseen the wide-ranging review and implementation of its processing policies, also with regard to the provision of specific audits.
2. LEGAL ASSESSMENTS
Following the examination of the declarations made to the Authority during the proceedings as well as the overall documentation acquired, the possible violations subject to the disputes of June 17 and November 12, u.s. are confirmed.
With reference to the first dispute, the violation of art. 83, paragraph 5, of the Regulations (through the failure to reply to the request made pursuant to art. 157, to be considered together with art. 166, paragraph 2; see in this regard the provision 23 January 2020, doc . web n. 9284622) can be considered, however, less serious in consideration of the complicated emergency context (also referred to by the Company on the occasion), in which it is located.
With reference to the second, it is first noted that, in accordance with the constant orientation of the European Court of Human Rights, the protection of private life also extends to the workplace, considering that precisely when carrying out work and / or professional activities relationships develop where the personality of the worker is expressed (see articles 2 and 41, paragraph 2, of the Constitution). Also taking into account that the borderline between the work / professional and the strictly private sphere cannot always be clearly drawn, the Court considers that art. 8 of the European Convention on Human Rights set up to protect private life without distinguishing between the private sphere and the professional sphere (see Niemietz v. Allemagne, 16.12.1992 (rec. No. 13710/88), spec. Para. 29; Copland v. UK, 03.04.2007 (ref. No. 62617/00), spec. Par. 41; Bărbulescu v. Romania [GC], 5.9.2017 (ref. No. 61496/08), spec. Par. 70 -73; Antović and Mirković v. Montenegro, 28.11. 2017 (rec. No. 70838/13), spec. Par. 41-42).
Therefore - even taking into account the structural difference between an employment relationship and an agency relationship - evidently affecting in particular the recallability of the provisions of the Workers' Statute (and therefore also of Articles 113 and 114 of the Code), as well as the decisive nature of the factual plan, in spite of the mere nomen iuris, for the purposes of the correct classification of the existing relationship (see Cass, sentence no. employment relationship must comply with respect for fundamental rights and freedoms as well as the dignity of the data subject, for the protection of workers and third parties (see Recommendation CM / Rec (2015) 5 of the Committee of Ministers to Member States on the processing of personal data in the employment context, spec. point 3).
Having specified this, on the basis of the elements acquired during the preliminary investigation, it emerged, first of all, that the Company has not proved that it has issued the interested party any information regarding the processing of data, much less with reference to the account. company e-mail during the relationship and at the end of this, including the management of the same after the termination of the relationship and the conservation of the data in the electronic mailbox. More fundamentally, the analysis, structural and content, of the 3 documents (1. "Appointment of persons in charge"; 2. "GuaranteesDatiTerzi"; 3. "Procedure for use of IT tools") sent by Palumbo - moreover received by the Authority in file word and unsigned - as they are missing the elements strictly provided for by Article 13 of the Regulation or indications relating to the possible management and conservation of the mailbox assigned by the Company, it does not allow them to be considered suitable, even in an overall assessment of the same, neither as information to the workers concerned, nor as a regulation on the use of e-mail and Internet in compliance with the aforementioned Guidelines of 1 March 2007.
In this regard, what is claimed by Palumbo - with reference to the (professional) role of agent covered by the complainant within the company structure and with regard to the contractual type (free loan) in which the Company believes the e-mail tool can be inserted assigned to the agent - it is neither relevant to the information obligation nor to that of correct and transparent management of the assigned company account, given that these obligations must be considered to exist due to the processing of personal data concerning a specific natural person as 'data subject'. The conduct held by the Company is therefore in contrast with the fundamental obligation provided for by art. 13 of the Regulation (which, as is known, has replaced - according to a line of substantial continuity - the analogous provision of the abrogated art.13 of the Code), according to which the owner is required to provide the interested party in advance with all the information relating to the essential characteristics of the processing (see already provision of 1 March 2007, no. 13 "Guidelines for e-mail and internet", cit .; regarding information, see also provision no. 15 April 2021. 137, web doc. 9670738). Moreover, art. 12, par. 1, in particular, provides that "the data controller takes appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14".
The aforementioned violations must also be examined taking into account that, in the context of the employment relationship, fully informing the worker about the processing of his data is an expression of the general principles of lawfulness and correctness of processing (see Article 5, par. 1, letter a) of the Regulations; in these terms, v. prov. 353 of 29 September 2021, doc. web n. 9719914).
From another point of view, the investigation revealed that the Company, after the termination of the employment relationship with the complainant (dating back to 26 August 2020), kept the individualized e-mail account active for the reasons indicated above. assigned to the same.
In this regard, it must be reiterated that the exchange of electronic correspondence - unrelated to work or not - on an individualized company account configures an operation that allows to know some personal information relating to the interested party (see "Guidelines of the Guarantor by e-mail and Internet ", cit., spec. point 5.2, lett. b)). The Guarantor therefore, with constant orientation, has deemed it necessary, for the purposes of compliance with the principles on the protection of personal data (see provisions 29 September 2021, cit .; 4 December 2019, n.216, web doc. 9215890 ; 1 February 2018, n.53, web doc. simultaneous adoption of automatic systems aimed at informing third parties and providing the latter with alternative e-mail addresses referring to his professional activity. This in application of the 'conservation limitation' principle of art. 5, par. 1, lett. e) of the Regulation - also in light of the connected principle of 'minimization' referred to in the same art. 5, par. 1, lett. c) - which, in this case, appears to have been violated. Violation whose gravity must be detected all the more so where, as in the case in question (based on what was declared by the complainant who does not appear to have received, it has been said, any regulations relating to the correct use of company mail and any related limits ), "strictly personal communications are also kept, the knowledge of which could cause a serious violation of one's rights to dignity, image, honor and confidentiality, as well as damage to one's working activity".
Even in this case, the aforementioned principle of 'lawfulness' enshrined in art. 5, par. 1, lett. a), of the Regulations, through the underlying violation of art. 1 of the Code, on the basis of which: "The processing of personal data takes place according to the rules of the ..." Regulation "and of this Code, respecting human dignity, fundamental rights and freedoms of the person" (see also Considering no. . 10 of the Regulation: "In order to ensure a consistent and high level of protection for individuals and remove obstacles to the circulation of personal data within the Union, the level of protection of the rights and freedoms of individuals with regard to the processing of such data should be equivalent in all Member States "). In this regard, it should be noted that the Court of Cassation (ordinance no. 26778/2019) recognized the composite and imperative nature of the right to the protection of personal data, "containing this legislation precepts that cannot be derogated from private autonomy as to protect general interests, moral and social values relevant to our legal system, aimed at respecting fundamental rights and freedoms, such as dignity, confidentiality, personal identity, protection of personal data ", including therefore professional reputation of the worker who is also expressed through the correct management of the company e-mail service (in particular, by promptly checking the communications received and organizing their activities with colleagues and customers). Furthermore, it must be considered that any damage caused to reputation can be classified within the category of non-pecuniary damage referred to in art. 2059 c. c. and that must be proven, since it cannot be considered in re ipsa- "it must be understood in unitary terms, without distinguishing between 'personal reputation' and 'professional reputation', finding the protection of this right - regardless of the entity and intensity of the aggression or the different development of the harmful path - its foundation in art. 2 of the Constitution and, in particular, in the emphasis it attributes to the dignity of the person as such "(Cass. Civ. Section III, 25 August 2014, no. 18174), as an insurmountable limit with respect to any processing of data of the interested parties (see also Cass., section III, April 5, 2012, no. 5525, which enhances, albeit in a different context, the "identity" and "social image" of the data subjects among the goods-rights protected by the legislation regarding data protection).
It should then be noted that, in the case in question, the processing of personal data carried out for the purpose of protecting one's rights - as invoked by the Company - refers to a dispute (albeit still out of court, although emerging from the investigation conducted) in act "and not to abstract and indeterminate hypotheses of possible defense or protection of rights, given that this extensive interpretation ... would be elusive of the provisions on the criteria for legitimizing the processing (see Articles 6, paragraph 1, letter b), c ) and f) and 9, par. 2, lett. b) of the Regulations "; prov. 29 October 2020, n. 214, doc. web 9518890). However, it must be reiterated "that the legitimate need to ensure the conservation of the documentation necessary for the ordinary performance and continuity of the business, also in relation to relationships with private and public subjects, as well as on the basis of specific provisions of the system, is ensured, first of all, by the preparation of document management systems with which - through the adoption of appropriate organizational and technological measures - identify the documents that, during the course of the work activity, must be gradually archived in a manner suitable for guaranteeing the characteristics of authenticity, integrity, reliability, legibility and availability prescribed by the applicable sector regulations. The e-mail systems, by their very nature, do not allow to ensure these characteristics "(see: provision 29 September 2021, cit .; provision 29 October 2020, cit .; provision 1 February 2018, cit.) .
Furthermore, it is deemed necessary to confirm the violation of Articles 12, par. 3, and 15 of the Regulations. This, respectively, due to the lack of feedback that the Company should have given "without undue delay" and in any case no later than 30 days from receipt of the request of the interested party, as well as for the - sudden - prohibited access to the company account in question , however, two months before the termination of the agency relationship and despite the repeated requests made by the complainant and (as emerged from the documents) not denied by the Company (in this regard, see provision of April 15, 2021, cit.). moreover, based on art. 2-decies of the Code, "personal data processed in violation of the relevant regulations regarding the processing of personal data cannot be used, except as provided for in Article 160-bis".
In light of the foregoing, it is also considered necessary to adopt, in a necessarily broader perspective than the case in question, some corrective measures, associating them with a different timing of fulfillment, in consideration of the requests legitimately formulated by the complainant, of the needs organizational and functional aspects of the Company as well as the different consistency of the interventions requested from it.
3. CONCLUSIONS.
In view of the foregoing, the liability of the Company for the following violations is deemed to be ascertained:
- Articles 157 and 166, paragraph 2, of the Code, for failing to provide a response to a request for information and presentation of documents formulated by the Guarantor;
- art. 5, par. 1, lett. a) and e) of the Regulations, due to conduct that does not comply with the principle of correctness and, specifically, the persistent vitality of the company account assigned to the complainant, in violation of the 'conservation limitation' principle;
- art. 13 of the Regulations, having not proven that it has provided the interested party with suitable information, also in light of the guidelines of the Guarantor by e-mail and internet of 1 March 2007, publ. in the Official Gazette no. 58 of 10 March 2007 (web doc. 1387522);
- Articles 12, par. 3, and 15 of the Regulations, due, respectively, to the lack of feedback that should have given "without undue delay" and in any case no later than 30 days from receipt of the request of the interested party, as well as the prohibited access to the account company in question.
Having also ascertained the unlawfulness of the aforementioned conduct with reference to the treatments examined, it is necessary towards the Company:
- pursuant to art. 57, par. 1, lett. f) of the Regulations, declare the processing carried out as unlawful, within the terms set out in the motivation, and therefore declare the complaint of the complainant well founded;
- pursuant to art. 58, par. 2, lett. c), of the Regulations, to order to adopt suitable organizational and technical solutions to allow the complainant to access the electronic mailbox and "to transpose on paper or computer support the personal data concerning them contained in the correspondence thus preserved" (provision 7 November 2014, web doc. no. 3718714), within the limits - valid for both parties - of the principles referred to in art. 5 of the Regulation, and in particular of purpose, lawfulness and correctness;
- pursuant to art. 58, par. 2, lett. d), of the Regulations, to order the deactivation of the account and the simultaneous adoption of automatic systems aimed at informing third parties and providing the latter with alternative addresses referring to the professional activity of the data controller; as well as to adopt suitable measures to prevent the display of incoming messages during the period in which this automatic system is in operation;
- pursuant to art. 58, par. 2, lett. f), of the Regulation, to impose the prohibition of any processing of data extracted from the company e-mail account referring to the complainant, without prejudice to their conservation for the exclusive purpose of protecting rights in court, for the time necessary for this purpose, within the limits of art. 160-bis of the Code;
- pursuant to art. 58, par. 2, lett. c) of the Regulations, to order to adopt suitable procedures to ensure a complete and timely response to the exercise of the rights of the interested parties pursuant to Articles 15-22 of the Regulations, as well as the issue of an appropriate preventive and documented information regarding the processing of their personal data, pursuant to art. 13 of the Regulations, including the use of the Internet and corporate e-mail by workers, based on the principles and measures indicated in the Guidelines of 1 March 2007;
- adopt an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5, of the Regulation.
4. INJUNCTION ORDER FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION
The violations indicated above require the adoption of an injunction order, pursuant to Articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for application against Palumbo Superyachts s.r.l. of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5, of the Regulations (payment of a sum up to € 20,000,000).
To determine the amount of the sanction, which must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1), the elements indicated in art. 83, par. 2, of the Regulation.
Specifically, which aggravating circumstances must be considered:
1. the subjective dimension of the conduct, to be considered grossly negligent, with particular reference to the lack of information and the repeated nature of the failure to respond to the requests of the interested party (letter b);
2. the inadequate degree of cooperation shown in the initial discussions with the Authority, as the Company did not provide, despite two requests for information, the elements necessary for an adequate assessment of the treatments, requiring recourse to the G.d.F. for the notification of the request made pursuant to art. 157 of the Code (letter f);
3. the discrepancy of the Company's conduct with respect to the consistent and unambiguous provisional activity of the Authority (letter k).
As mitigating elements, it is believed necessary to take into account:
1. the isolated nature of the complaint that concerned only one interested party (letter a):
2. the availability expressed by the Company to the Authority regarding the complainant's request for access to the box in question, as well as the measures envisaged to improve compliance with data protection legislation (letter c);
3. the absence of previous proceedings against the Company (letter e);
4. the pandemic emergency situation in which the case is located (letter k).
Based on the set of elements indicated above, in application of the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1, of the Regulation, taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational, functional and employment needs of the Company, it is considered that it should apply - also in consideration of the previous sanctions referred to above with regard to similar cases - to Palumbo Superyacht Ancona s.r.l. the administrative sanction for the payment of a sum of € 50,000 (fifty thousand / 00), equal to 0.25% of the maximum legal limit of € 20 million.
In the case in question, it is believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the matter under investigation, namely the phenomenon of unwanted marketing, with respect to which this Authority has adopted numerous measures both of a general nature and aimed at certain data controllers.
Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations found here in the internal register of the Authority, provided for by art. 57, par. 1, lett. u), of the Regulation.
WHEREAS, THE GUARANTOR
a) pursuant to art. 57, par. 1, lett. f), of the Regulations, declares illegal, within the terms set out in the motivation, the treatment carried out by Palumbo Superyacht Ancona s.r.l. - p. VAT: 02719080422, with registered office in Via Enrico Mattei n. 14, Ancona - and therefore declares Ms. XX's complaint well founded;
b) pursuant to art. 58, par. 2, lett. c), of the Regulation, orders the same Company to adopt suitable organizational and technical solutions to allow the complainant to access, in the presence of a trusted person of the SC, to the electronic mailbox in question and to transpose the personal data that the concern content in the correspondence thus preserved, in compliance with the principles set out in art. 5 of the Regulation, and in particular of purpose, lawfulness and correctness, within 7 days from the date of receipt of this provision;
c) pursuant to art. 58, par. 2, lett. d), of the Regulation, orders the same Company to deactivate the account in question, to provide for the simultaneous adoption of automatic systems aimed at informing third parties and providing the latter with alternative addresses referring to the professional activity of the data controller, as well as to adopt suitable measures to prevent the display of incoming messages during the period in which this automatic system is in operation, within 10 days from the date of receipt of this provision;
d) pursuant to art. 58, par. 2, lett. f), of the Regulation, establishes, with respect to the same Company, the prohibition of the processing of data extracted from the company e-mail account referring to the complainant, without prejudice to their conservation for the exclusive purpose of protecting rights in court, for the time necessary for this purpose, within the limits of art. 160-bis of the Code;
e) pursuant to art. 58, par. 2, lett. c) of the Regulations, orders the same Company to adopt appropriate procedures to ensure complete and timely response to the exercise of the rights of the interested parties pursuant to Articles 15-22 of the Regulations, as well as the issue of an appropriate preventive and documented information regarding the processing of their personal data, pursuant to art. 13 of the Regulations, including the use of the Internet and corporate e-mail by workers, based on the principles and measures indicated in the Guidelines of 1 March 2007, within 30 days from the date of receipt of this provision;
f) pursuant to art. 157 of the Code, asks the same Company to provide adequately documented feedback regarding the aforementioned measures, within 45 days from the date of receipt of this provision. Please note that failure to respond to the above requests integrates the details of the administrative offense pursuant to art. 166, paragraph 2, of the Code;
ORDER
to Palumbo Superyacht Ancona s.r.l. to pay the sum of € 50,000 (fifty thousand / 00), as a pecuniary administrative sanction for the violations indicated in the motivation, representing that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute, with the fulfillment of the prescribed requirements and the payment, within thirty days, of an amount equal to half of the sanction imposed;
INJUNCES
to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 50,000 (fifty thousand / 00), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. . 27 of the law n. 689/1981;
HAS
as an ancillary sanction, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, the publication on the website of the Guarantor of this provision and, pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lett. u) of the Regulations, violations and measures adopted.
Pursuant to art. 78 of Regulation (EU) 2016/679, as well as of articles 152 of the Code and 10 of the legislative decree 1 September 2011, n. 150, opposition to this provision may be filed with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is resident, or, alternatively, to the court of the place of residence of the person concerned. , within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.
Rome, April 7, 2022
PRESIDENT
Stanzione
THE RAPPORTEUR
Ghiglia
THE SECRETARY GENERAL
Mattei