Garante per la protezione dei dati personali (Italy) - 9780409

From GDPRhub
Garante per la protezione dei dati personali - 9780409
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(d) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6 GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 13 GDPR
Article 15 GDPR
Article 16 GDPR
Article 17 GDPR
Article 24 GDPR
Article 25 GDPR
Article 31 GDPR
Article 129 of the Codice in materia di protezione dei dati personali
Article 157 of the Codice in materia di protezione dei dati personali
Type: Complaint
Outcome: Upheld
Started:
Decided: 26.05.2022
Published: 26.05.2022
Fine: 50,000 EUR
Parties: Fabio Giovanni Petta (data controller of the website www.inelenco.com)
National Case Number/Name: 9780409
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: n/a

The Italian DPA fined the website www.inelenco.com 50,000€. Among many GDPR infringements, this online telephone directory had no legal basis and processed and published the data of 357,046 data subjects without their knowledge and consent.

English Summary

Facts

Several data subjects, searching at random for their names on Google Search, found their names and contact details on the website www.inelenco.com. They had not known that their data was on the website and had never consented to its publication.

Thus, the Italian DPA received many requests, reports and complaints relating to the unauthorized publication of personal data on this website. Moreover, the data subjects tried several times and for several months to request the erasure of their data without any success. Additionally, the website contained incorrect data relating to one of the data subjects concerned. Finally, there was no information on the website that enabled the identification of the controller or its owner.

Firstly, the DPA conducted a preliminary investigation through the hosting provider – to find out who the controller and owner were – which reported that the service was in use by Mr. Fabio Giovanni Petta who was the sole proprietor and data controller of the website. Secondly, on 14 May 2020, the DPA asked the controller to provide clarifications to which the controller replied with a laconic answer, on 26 May 2020, by merely stating that there was a “delete data” link on each page from which one could access a form to be used to enter the number to be deleted, obtaining automatic removal within 72 hours. The controller requested to receive copies of the applications received to verify the date and IP address of the (alleged) registrations.

On 1 September 2020, the DPA forwarded copies of six of the requests to the controller by email, asking for appropriate feedback within 20 days of receipt. The controller did not respond. On 2 April 2021, the DPA initiated the proceedings for the adoption of corrective measures and sanctions due to the presence of various profiles of unlawfulness found in the processing. Again, the controller did not respond. Therefore, the DPA had to request the Special Privacy Unit of the Italian Finance Police to provide for the notification of the outstanding acts, which was served on 20 December 2021.

On 12 January 2022, the controller gave some information about the functioning of his website. Moreover, he stated that all data was automatically deleted from the system after the data subjects had requested it, but the controller did not provide any documents proving this statement.

After the objection and even after the company's defensive observations, complaints continued to reach the DPA complaining about the presence of personal data on the www.inelenco.com website without the knowledge of the persons concerned. Moreover, despite repeated requests for deletion made through the link on the website, the data continued to be published. Finally, on 4 May 2022, the website still did not contain any information about the data controller and how to exercise rights.

Holding

First, the website consisted in a telephone directory. However, its data processing had no legal basis since the current regulatory framework did not allow the creation of generic telephone directories that are not extracted from the DBU (Data Base Unico), the single electronic archive that collects the telephone numbers and customer data of all the national telephony Operators disseminated through public directories. Moreover, it was recalled that for the inclusion of personal data in such lists, the express, free, specific, informed and documented written consent of the contractors is required. As the website did not conform to these criteria, the DPA held that there was a breach of Article 5(1)(a), Article 5(1)(d), Article 5(2), Article 6 GDPR and 129 of the Code.

The data controller also breached Article 12(2), Article 15 GDPR, Article 16 GDPR and Article 17 GDPR since it proved impossible for the data subject to know the origin of the data and the methods and purposes of the processing, as well as to request the rectification of inaccurate data or their erasure.

A breach of Article 24 GDPR was also found because there was a total lack of adequate technical and organisational measures to ensure that the processing was carried out in accordance with the rules on personal data protection. Moreover, the provision of a contact form that proved ineffective in receiving requests for cancellation also constituted a breach of Article 25 GDPR, since the technical measure adopted was not capable of protecting the rights of the data subjects. Article 12(1) and Article 13 GDPR were also breached due to the lack of an adequate privacy policy on the website. Finally, the data controller breached Article 31 GDPR and 157 of the Code for not having adequately cooperated with the supervisory authority.

It is also worth noting that anyone could enter a person’s personal details (names, address, social networks) on the website, with no way to trace the origin of the person who entered the data. This created a high risk to confidentiality. Moreover, the conduct had a generalized scope and extended to a large number of data subjects (357,046).

Thus, in light of these different infringements and pursuant to Article 58(2)(f), the Italian DPA prohibited the data controller from collecting, further storing and publishing personal data, and imposed a fine of 50,000€ on the data controller pursuant to Article 58(2)(i) and Article 83(5). As set forth in Article 166(8) of the Code, the controller had the right to settle the dispute, with the fulfillment of the prescriptions issued and the payment, within the term of thirty days, of an amount equal to half of the fine imposed.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO NEWSLETTER OF JUNE 15, 2022



[doc. web no. 9780409]

Injunction order against the sole proprietorship Petta Fabio Giovanni - 26 May 2022*

Register of measures
no. 204 of 26 May 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and dr. Claudio Filippi, deputy secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER the lawyer Guido Scorza;

WHEREAS

1. THE INVESTIGATION ACTIVITY CARRIED OUT

The Guarantor has received various requests - reports and complaints (files 146161, 148223, 149086, 149398, 150008, 149543) relating to the unauthorized publication of personal data (name, address, telephone number) on the website www.inelenco.com, whose owner, following specific investigations, has been identified as the sole proprietorship Petta Fabio Giovanni (hereinafter "Petta" or "company").

In particular, the reporting parties have shown that they never authorized the entry of their data on this site but rather that they learned of its existence, more often than not, only following searches of their name on the Internet using the search engine Google. The reporting parties also represented that they had attempted (even several times) to have their data deleted using the form on the site but had not obtained deletion even after several months. One reporting party also added that the data relating to his telephone usage was erroneously attributed to a company unknown to him.

All complained that the aforementioned website did not contain any data that would allow the site owner and the data controller to be identified and therefore turned to the Guarantor, having found no other way to obtain the deletion of the data.

Given the lack of any type of identification element on the site in question, the Office had to carry out a preliminary verification to identify the data controller through the hosting provider who provided the service called "Dedicated Server" connected to the IP address of the website www.inelenco.com. This, in particular, communicated that the service was "in use by Mr. Fabio Giovanni Petta". Subsequent investigations in the business register made it possible to identify the sole proprietorship connected to Mr. Petta's tax code.

With a note dated May 14, 2020, the latter was requested to provide clarifications regarding the processing complained of. By e-mail of the following 26 May, the owner provided a laconic reply stating that on every page of the website there is a "delete data" link giving access to a form in which to enter the number to be deleted, with removal taking place automatically within 72 hours. In the same note, he declared that the data had been entered manually by the users, and therefore requested to receive a copy of the requests received in order to verify the date and the IP address of the (alleged) registrations.

By registered letter dated 1 September 2020, sent in advance by e-mail, the Office proceeded to forward copies of six requests to the data controller, asking for an appropriate reply to be given within 20 days of receipt. The request was not answered and the registered mail was in storage for a long time before being returned to the sender.

On 2 April 2021 - due to various profiles of illegality found in the processing - Petta was sent, by registered letter in advance by e-mail, the communication of the initiation of the procedure for the adoption of corrective and sanctioning measures pursuant to art. 166, paragraph 5, of the Code.

This too remained in storage for a long time before being sent back to the sender.

Therefore, the Office had to ask the special privacy unit of the Guardia di Finanza to provide for the notification of the documents that remained outstanding. The notification was made on 20.12.2021.

By email dated 12 January 2022, Petta replied that “on the inelenco.com website there is a data cancellation request form and a data entry form. InElenco.com is also a search engine just like Google but niche. The site uses particular headers of the standard ISO-OSI http protocol Server side commonly used on high traffic sites to lighten the workload of the server called Cache-Control, caching directives that could display an old deleted page. Our system, through a Crontab that is activated every 72 hours, launches a program that automatically deletes the data of all users who have requested deletion. We do not make phone calls to users of any kind and for any reason.”

Furthermore, with regard to the reporters, the company declared that all the data were automatically deleted from the system after the request made by them directly on the website; however, no documentation was provided to prove what was declared.

After the dispute and even after the company's defensive observations, the Guarantor continued to receive complaints about the presence of personal data on the website www.inelenco.com without the knowledge of the interested parties. Also in these cases it was shown that, despite the repeated requests for cancellation made via the link on the site, the data continued to be published. Furthermore, the interested parties continued to complain about the absence of information on the site aimed at allowing the owner to be identified.

The Office verified that, still on May 4, 2022, the website did not carry any information regarding the data controller and the methods for exercising the rights.

2. VIOLATIONS FOUND

With reference to the factual profiles highlighted above, also on the basis of the statements of the company for which the declarant is liable pursuant to art. 168 of the Code, the following assessments are made in relation to the profiles concerning the regulations on the protection of personal data.

The laconic answers provided by the owner during the proceedings, together with the absence of documentation proving the statements made, do not allow us to overcome the findings made by the Office when contesting the violations which are therefore considered confirmed as follows.

2.1 Disclosure of personal data in the absence of an appropriate legal basis

The numerous reports received and the same examination of the content of the website outline a treatment consisting in the creation of a telephone directory that does not originate from the single database of electronic communication operators (dbu - already envisaged by Agcom resolution no. 36/02/CONS) and which gives rise to the dissemination of personal data on the Internet in the absence of an appropriate legal basis.

The concise answers provided during the proceeding were not sufficient to clarify the origin of the data with certainty, since the alleged autonomous entry of the data by the various reporting parties, which in any case was not documented, appears unlikely; all the reporting parties complained about the presence of their personal data on the website without having given any authorization and, in many cases, without even knowing that their data was present there. Furthermore, it is not clear what benefit an interested party should derive from inclusion in a generic telephone directory given that those who have visibility needs can already see them satisfied by official telephone directories, the only ones authorized by law on the basis of the assumptions referred to below. On the other hand, the economic interest of the company in carrying out this type of treatment appears more evident due to the possibility of publishing advertising banners on the pages of the website.

And in any case, even if we want to admit the existence of an initial consent, this legal basis could certainly no longer be invoked after the (countless) requests for cancellation sent by the interested parties. These requests, it should be remembered, were made through the only channel made available on the site (a link to a form), without any error message being returned, according to the requesters, and yet without having any effect.

With regard to the creation of telephone directories, reference is made to the special regulation pursuant to art. 129 of the Code, adopted in implementation of the community directive n. 2002/58/EC, which is implemented, as required by the provision itself, by specific decisions of the Guarantor and Agcom. In particular, with the prov. July 15, 2004 (web doc 1032381) regarding "alphabetical" telephone directories of the universal service, the Guarantor clarified that "only the formation, distribution and dissemination of directories, in any form created, based on consultation and access" to the d.b.u. (as well as the provision of April 7, 2011, web doc. n. 1810351 and the provision of January 14, 2016, web doc. n. 6053915) and that, for the inclusion of personal data in such lists, the express, free, specific and informed consent of the contractors, documented in writing, is required. At the same time, the creation of generic telephone directories is permitted only in the manner described by the aforementioned Agcom resolution no. 36/02/CONS.

That said, it is believed that the conduct described constitutes the violation of the following articles of the Regulation: art. 5, par. 1, lit. a) and d); art. 5, par. 2; art. 6.

2.2 Failure to respect the right to cancellation

The requests received complained, among other things, of the impossibility of exercising the right to cancellation - as well as potentially any other right connected to the protection of personal data - since there was no contact channel with the owner and the only available tool, an on-line form where you can enter the numbering to be cancelled, would never have had any effect. Contrary to what was declared (but not documented) by the company, the requests for cancellation sent via the form on the site were not handled within the times indicated. The reporting parties stated that they had tried several times to cancel the number using the procedure described in the form, but that they had not obtained the cancellation even after months. A complainant has attached screenshots of the deletion process which ends with the message “Your request was successful. No. will be removed. 1 data from the database as you requested. The file will be processed within 48 hours” (also indicating a different term from the 72 hours declared by the owner in the answers given to the Guarantor).

With an e-mail dated 12.1.2022, as mentioned, the owner declared that all the data of the reporting parties were automatically deleted by the system after the request for cancellation entered by them on the site. This statement, for which no IT evidence has been provided, seems difficult to sustain in the face of the fact that many people have been forced to contact the Guarantor precisely because they were unable to delete their data even after several attempts.

Furthermore, given the lack on the website of any other reference suitable for identifying the data controller, it is impossible to exercise the right to cancellation, as well as any other right, using alternative channels.

That said, it is believed that the conduct described constitutes the violation of articles 12, par. 2, 15, 16 and 17 of the Regulation, as it was impossible for the interested parties to know the origin of the data and the methods and purposes of the processing, as well as request the rectification of inaccurate data or cancellation.

What has been described also constitutes a total lack of adequate technical and organizational measures to guarantee that the treatment is carried out in compliance with the rules on the protection of personal data and, for these reasons, the violation of art. 24 of the Regulation.

Furthermore, the provision of a contact form which has proven to be ineffective in receiving cancellation requests (the only right that can be exercised, even if only formally) also constitutes a violation of art. 25 of the Regulation, since the technical measure adopted was not able to protect the rights of the interested parties.

2.3 Inadequacy of the information

On the website there is a link "insert private" through which it would be possible to request the insertion of data of a natural person. This link leads to a form in which you are asked to enter the following data (some of which are optional): name, surname, telephone, mobile phone, complete address, any social network contacts. At the bottom of the form there are the options - already selected and non-deselectable - "I accept the privacy conditions" (with link to the information) and "I authorize the publication of my data online". The privacy information, provided in accordance with the version of the Code that is no longer in force, does not contain any indication that allows the data controller to be identified. At the same time, the site does not contain any information relating to the name and VAT number of the economic operator who owns the website, as also required by current legislation on business (see Article 35, paragraph 1, of the Presidential Decree 633 of 26 October 1972 and art. 2250 of the Italian Civil Code).

Finally, it should be noted that in the text of the disclosure - which lacks the information referred to in art. 13 of the Regulation but also contains a consent formula - clauses describing the terms of the service are also inserted.

That said, it is believed that the conduct described constitutes the violation of articles 12, par. 1 and 13 of the Regulation.

2.4 Failure to cooperate with the Supervisory Authority

The lack of essential information on the website has aggravated the proceedings, forcing the Authority to carry out a preliminary investigation aimed at identifying the owner of the website.

Furthermore, of the two requests for information sent by registered mail by the Office, only the first received a reply, within the limited terms described above, while the second, albeit anticipated by e-mail, was returned to the sender.

The note initiating the procedure, containing the description of the disputed profiles, was also sent by registered mail in advance but was returned to the sender. Therefore, in order to guarantee the holder knowledge of the deeds to exercise the right of defence, it was necessary to provide for the notification by appointing the special privacy unit of the Guardia di Finanza.

Also in this case the company - to which the notification of the request for integration of information had also been reiterated - limited itself to providing concise clarifications without attaching any documentary evidence.

That said, it is believed that the profiles described constitute the violation of art. 31 of the Regulation and art. 157 of the Code.

3. CONCLUSIONS AND CORRECTIVE MEASURES TAKEN

The treatment implemented by the company through the website www.inelenco.it presents, as seen, numerous and serious profiles of illegality, even though the violation referred to in point 2.1 must be considered decisive among them. This violation, concerning the very presupposition of the treatment, is to be considered absorbing and already sufficient in itself to invalidate the entire treatment, taking into account the fact that the possible rectification of the unlawfulness described in the following points, which also aggravates the conduct, would not be sufficient to remedy the fact that the treatment itself is carried out in the absence of a suitable legal basis and above all in violation of the law.

In fact, it should be remembered that the current regulatory framework (described above) does not allow the creation of generic telephone directories that are not extracted from the d.b.u. and that do not comply with the decisions adopted by the Guarantor and by Agcom.

It must be added that the methods of providing the service offered by the site www.inelenco.com do not in any way guarantee the confidentiality of users, not even assuming that such treatment is carried out on the basis of consent. As observable by operating on the site and as described by the owner, it is in fact quite easy for anyone to enter personal data even of unsuspecting subjects and make them public, through the site itself and through indexing in search engines, without any need to demonstrate that they are the account holder. In this way it would also be possible to make public data (personal data, contact details and social network subscriptions) of people who have higher confidentiality requirements without them being informed and without being able to oppose this treatment.

The presence of grievances of similar content indicates that the conduct is generalized and extended to a large number of subjects; in particular, from the examination of the website carried out on 6 May 2022, adding up the results returned by the "search by surname" function, it emerges that the subjects whose data are present in said list amount to 357,046. Furthermore, the conduct involves a particularly invasive treatment for the right to the protection of personal data, in consideration of the easy availability of the same also through the common search engines and the possibility that other subjects can use the data thus made available for further treatments, difficult to verify and contain, such as unwanted marketing activities.

It follows that the treatment causes widespread damage deriving from the unsolicited and unauthorized publication of contact data, aggravated by the fact that any attempt at cancellation or rectification has proved futile.

That said, taking into account that the conduct described constitutes all the violations specified in the previous paragraph and is carried out in violation of the law, it is necessary, pursuant to art. 58, par. 2, lit. f), to impose on the data controller the prohibition of collecting, further storing and publishing personal data for the creation and online dissemination of a telephone directory whose data have not been taken from the d.b.u.

Finally, due to the seriousness of the treatments already carried out and taking into account the fact that no changes have been made to the website that is still online, the conditions are deemed to exist for the application of a pecuniary administrative sanction pursuant to articles 58, par. 2, lit. i) and 83 of the Regulation.

4. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

On the basis of the above, various provisions of the Regulation and of the Code have been violated in relation to connected treatments carried out by Petta, for which it is necessary to apply art. 83, par. 3, of the Regulation, on the basis of which, if, in relation to the same treatment or to related treatments, a data controller violates, with willful misconduct or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation with consequent application of the sole sanction provided for by art. 83, par. 5 of the Regulation.

For the purpose of quantifying the administrative fine, the aforementioned art. 83, par. 5, in setting the statutory maximum in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the previous year where higher, specifies the methods for quantifying the aforementioned fine, which must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1 of the Regulation), identifying, for this purpose, a series of elements, listed in paragraph 2, to be evaluated when quantifying the relative amount.

In fulfillment of this provision, in the present case, the following aggravating circumstances must be considered:

1. the seriousness of the violation due to the fact that the conduct is committed in violation of the law and, in particular, in violation of the provisions of the provision pursuant to art. 129 of the Code and is likely to cause significant damage to the interested parties due to the dissemination of personal contact data on the Internet;

2. the high number of people whose data has been published (357,046 as of 6 May 2022);

3. the duration of the violation since the conduct lasted for several years: the company has been registered in the register of companies since 8 October 2012; moreover, from a check carried out on www.archive.org, the site www.inelenco.com was detected from 27 March 2015 and already then reported the same contents as today's site;

4. the gross negligence of the data controller, as described in point 2, since the rules for the protection of personal data have been completely ignored and have not been taken into consideration even after the intervention of the Guarantor;

5. the total absence of corrective measures and the lack of cooperation with the Authority to remedy the alleged violations;

6. the degree of responsibility of the data controller who has not allowed the interested parties to exercise their rights and has not indicated any identifying element of the company or contact details on the site;

7. the economic benefit deriving from the publication of personal data on the site deriving from the presence of advertising banners on the site itself.

As a mitigating element, it is considered necessary to take into account the economic dimensions of the owner who holds the qualification of small entrepreneur pursuant to art. 2083 of the civil code.

In quantifying the fine, consideration was given to the elements described above as ascertained by the preliminary investigation in the absence of information of an economic nature, as there is no balance sheet in the register of companies and as no element has been provided in this regard by Petta, which was also expressly requested in the note initiating the procedure.

Therefore it is believed that, on the basis of all the elements indicated above, due to the seriousness and number of violations found and above all to the fact that the processing was carried out in violation of the law, the sole proprietorship Petta Fabio Giovanni must be subject to the administrative sanction of the payment of a sum equal to 50,000.00 euros (fifty thousand/00), equal to 0.25% of the statutory maximum of 20 million euros and, due to the aggravating elements identified, the ancillary sanction of the full publication of this provision on the Guarantor's website as required by art. 166, paragraph 7 of the Code and by art. 16 of the Guarantor's regulation n. 1/2019.

Finally, it is believed that the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation.

Please note that pursuant to art. 170 of the Code, anyone who fails to comply with this prohibition provision, being required to do so, is punished with imprisonment from three months to two years and that, in the event of non-compliance with the same provision, the sanction referred to in art. 83, par. 5, lit. e), of the Regulation applies.

ALL THIS CONSIDERED, THE GUARANTOR

pursuant to art. 57, par. 1, lit. f), of the Regulation, declares unlawful the processing described, in the terms set out in the justification, carried out by the sole proprietorship Petta Fabio Giovanni, with registered office in XX, VAT no. 02500600909, and consequently:

- pursuant to art. 58, par. 2, lit. f), of the Regulation, prohibits the collection, storage and publication of personal data for the establishment and online dissemination of a general telephone directory whose data have not been taken from the d.b.u.;

ORDERS

to the sole proprietorship Petta Fabio Giovanni, with registered office in XX, VAT no. 02500600909, to pay the sum of 50,000.00 (fifty thousand/00) euros as an administrative fine for the violations indicated in the justification, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, with the fulfillment of the instructions given and the payment, within the term of thirty days, of an amount equal to half of the fine imposed.

ENJOYS

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 50,000.00 (fifty thousand/00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to the 'art. 27 of the law n. 689/1981.

HAS

a) pursuant to art. 17 of the Regulation of the Guarantor n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation, of the violations and of the measures adopted;

b) pursuant to art. 166, paragraph 7, of the Code, the full publication of this provision on the Guarantor's website.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, this provision may be challenged before the ordinary judicial authority, by an appeal lodged with the ordinary court of the place where the data controller has his residence or, alternatively, with the court of the place of residence of the interested party, within the term of thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 26 May 2022

PRESIDENT
Stanzione

THE SPEAKER
Scorza

THE DEPUTY SECRETARY GENERAL
Filippi



*The provision has been contested



SEE ALSO NEWSLETTER OF JUNE 15, 2022



[doc. web no. 9780409]

Injunction order against the sole proprietorship Petta Fabio Giovanni - 26 May 2022*

Register of measures
no. 204 of 26 May 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, which was attended by prof. Pasquale Stanzione, president, prof. Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and dr. Claudio Filippi, deputy secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD TO the documentation on file;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER the lawyer Guido Scorza;

WHEREAS

1. THE INVESTIGATION ACTIVITY CARRIED OUT

The Guarantor has received various requests - reports and complaints (files 146161, 148223, 149086, 149398, 150008, 149543) relating to the unauthorized publication of personal data (name, address, telephone number) on the website www.inelenco.com, whose owner, following specific investigations, has been identified as the sole proprietorship Petta Fabio Giovanni (hereinafter "Petta" or "company").

In particular, the reporting parties stated that they had never authorized the inclusion of their data on this site and that, more often than not, they learned of its presence only after searching for their own name on the Internet using the Google search engine. They also stated that they had attempted (in some cases several times) to have the data erased using the form on the site, without success even after several months. One reporting party added that the data relating to his telephone line had been erroneously attributed to a company unknown to him.

All complained that the aforementioned website did not contain any data that would allow the site owner and the data controller to be identified and therefore turned to the Guarantor, having found no other way to obtain the deletion of the data.

Given the lack of any identifying element on the site in question, the Office had to carry out a preliminary check to identify the data controller through the hosting provider supplying the service called "Dedicated Server" connected to the IP address of the website www.inelenco.com. The provider, in particular, stated that the service was "in use by Mr. Fabio Giovanni Petta". Subsequent searches in the business register made it possible to identify the sole proprietorship connected to Mr. Petta's tax code.

With a note dated May 14, 2020, the latter was asked to provide clarifications regarding the processing complained of. By e-mail of the following 26 May, the owner provided a laconic reply stating that every page of the website carries a "delete data" link leading to a form in which the number to be deleted can be entered, with removal taking place automatically within 72 hours. In the same note, he declared that the data had been entered manually by the users and therefore asked to receive a copy of the requests received in order to verify the date and the IP address of the (alleged) registrations.

By registered letter dated 1 September 2020, sent in advance by e-mail, the Office forwarded copies of six requests to the controller, asking for an appropriate reply within 20 days of receipt. The request was not answered and the registered letter remained uncollected for a long time before being returned to the sender.

On 2 April 2021, owing to various aspects of unlawfulness found in the processing, Petta was sent, by registered letter sent in advance by e-mail, the notice of initiation of the procedure for the adoption of corrective and sanctioning measures pursuant to art. 166, paragraph 5, of the Code.

This too remained uncollected for a long time before being returned to the sender.

Therefore, the Office had to ask the special privacy unit of the Guardia di Finanza to serve the documents that had remained undelivered. The notification was made on 20.12.2021.

By email dated 12 January 2022, Petta replied that “on the inelenco.com website there is a data cancellation request form and a data entry form. InElenco.com is also a search engine just like Google but niche. The site uses particular headers of the standard ISO-OSI http protocol Server side commonly used on high traffic sites to lighten the workload of the server called Cache-Control, caching directives that could display an old deleted page. Our system, through a Crontab that is activated every 72 hours, launches a program that automatically deletes the data of all users who have requested deletion. We do not make phone calls to users of any kind and for any reason.”

Furthermore, with regard to the reporting parties, the company declared that all the data had been automatically deleted from the system after the requests they made directly on the website; however, no documentation was provided to prove this statement.

After the notification of the alleged violations and even after the company's defensive observations, the Guarantor continued to receive complaints about the presence of personal data on the website www.inelenco.com without the knowledge of the interested parties. In these cases too it was shown that, despite repeated erasure requests made via the link on the site, the data continued to be published. Furthermore, the interested parties continued to complain about the absence of information on the site allowing the owner to be identified.

The Office verified that, still on May 4, 2022, the website did not carry any information regarding the data controller and the methods for exercising the rights.

2. VIOLATIONS FOUND

With reference to the factual profiles highlighted above, also on the basis of the statements of the company for which the declarant is liable pursuant to art. 168 of the Code, the following assessments are made in relation to the profiles concerning the regulations on the protection of personal data.

The laconic answers provided by the owner during the proceedings, together with the absence of documentation proving the statements made, do not allow us to overcome the findings made by the Office when contesting the violations which are therefore considered confirmed as follows.

2.1 Disclosure of personal data in the absence of an appropriate legal basis

The numerous reports received and the examination of the website's content itself point to processing that consists in creating a telephone directory which does not originate from the single database of electronic communication operators (d.b.u., already provided for by Agcom resolution no. 36/02/CONS) and which results in the dissemination of personal data on the Internet in the absence of an appropriate legal basis.

The concise answers provided during the proceeding were not sufficient to clarify the origin of the data with certainty, since the alleged autonomous entry of the data by the various reporting parties, which in any case was not documented, is implausible; all the reporting parties complained about the presence of their personal data on the website without having given any authorization and, in many cases, without even knowing that their data was there. Furthermore, it is not clear what benefit an interested party would derive from inclusion in a generic telephone directory, given that those who need visibility can already obtain it through the official telephone directories, the only ones authorized by law on the basis of the conditions referred to below. On the other hand, the company's economic interest in carrying out this type of processing appears more evident, owing to the possibility of publishing advertising banners on the pages of the website.

In any case, even admitting the existence of an initial consent, this legal basis could certainly no longer be invoked after the (countless) erasure requests sent by the interested parties. These requests, it should be remembered, were made through the only channel made available on the site (a link to a form), without any error message being returned, according to the requesters, and yet without having any effect.

With regard to the creation of telephone directories, reference is made to the special rules under art. 129 of the Code, adopted in implementation of Directive 2002/58/EC, which are implemented, as required by the provision itself, by specific decisions of the Guarantor and Agcom. In particular, with the provision of July 15, 2004 (web doc. no. 1032381) on "alphabetical" telephone directories of the universal service, the Guarantor clarified that "only the formation, distribution and dissemination of directories, in any form created, based on consultation and access" to the d.b.u. is lawful (as well as the provision of April 7, 2011, web doc. n. 1810351 and the provision of January 14, 2016, web doc. n. 6053915) and that, for the inclusion of personal data in such lists, the express, free, specific and informed consent of the contracting parties, documented in writing, is required. At the same time, the creation of generic telephone directories is permitted only in the manner described by the aforementioned Agcom resolution no. 36/02/CONS.

That said, it is believed that the conduct described constitutes the violation of the following articles of the Regulation: art. 5, par. 1, lit. a) and d); art. 5, par. 2; art. 6.

2.2 Failure to respect the right to cancellation

The requests received complained, among other things, of the impossibility of exercising the right to erasure, as well as potentially any other right connected to the protection of personal data, since there is no contact channel with the controller and the only available tool, an online form in which the number to be deleted can be entered, never had any effect. Contrary to what was declared (but not documented) by the company, the erasure requests sent via the form on the site were not handled within the times indicated. The reporting parties stated that they had tried several times to have the number deleted using the procedure described in the form, but that they had not obtained erasure even after months. A complainant attached screenshots of the deletion process, which ends with the message “Your request was successful. No. 1 data will be removed from the database as you requested. The file will be processed within 48 hours” (which also indicates a different term from the 72 hours declared by the owner in the answers given to the Guarantor).
With an e-mail dated 12.1.2022, as mentioned, the owner declared that all the data of the reporting parties had been automatically deleted by the system after the erasure requests they entered on the site. This statement, for which no IT evidence has been provided, seems difficult to sustain given that many people were forced to contact the Guarantor precisely because they were unable to delete their data even after several attempts.

Furthermore, given the lack on the website of any other reference suitable for identifying the data controller, it is impossible to exercise the right to cancellation, as well as any other right, using alternative channels.

That said, it is considered that the conduct described constitutes a violation of articles 12, par. 2, 15, 16 and 17 of the Regulation, as it was impossible for the interested parties to know the origin of the data and the methods and purposes of the processing, or to request the rectification of inaccurate data or their erasure.

What has been described also constitutes a total lack of adequate technical and organizational measures to guarantee that the processing is carried out in compliance with the rules on the protection of personal data and, for these reasons, a violation of art. 24 of the Regulation.

Furthermore, the provision of a contact form which proved ineffective in giving effect to erasure requests (the only right that could be exercised, even if only formally) also constitutes a violation of art. 25 of the Regulation, since the technical measure adopted was not able to protect the rights of the interested parties.

2.3 Inadequacy of the information

On the website there is a link "insert private" through which it would be possible to request the insertion of data of a natural person. This link leads to a form in which you are asked to enter the following data (some of which are optional): name, surname, telephone, mobile phone, complete address, any social network contacts. At the bottom of the form there are the options - already selected and non-deselectable - "I accept the privacy conditions" (with link to the information) and "I authorize the publication of my data online". The privacy information, provided in accordance with the version of the Code that is no longer in force, does not contain any indication that allows the data controller to be identified. At the same time, the site does not contain any information relating to the name and VAT number of the economic operator who owns the website, as also required by current legislation on business (see Article 35, paragraph 1, of the Presidential Decree 633 of 26 October 1972 and art. 2250 of the Italian Civil Code).

Finally, it should be noted that the text of the privacy notice, which lacks the information referred to in art. 13 of the Regulation but contains a consent formula, also includes clauses describing the terms of the service.

That said, it is believed that the conduct described constitutes the violation of articles 12, par. 1 and 13 of the Regulation.

2.4 Failure to cooperate with the Supervisory Authority

The lack of essential information on the website made the proceedings more burdensome, forcing the Authority to carry out a preliminary investigation aimed at identifying the owner of the website.
Furthermore, of the two requests for information sent by registered mail by the Office, only the first received a reply, within the limited terms described above, while the second, although sent in advance by e-mail, was returned to the sender.

The note initiating the procedure, containing the description of the alleged violations, was also sent by registered mail and in advance by e-mail, but was returned to the sender. Therefore, in order to ensure that the controller was aware of the documents and could exercise the right of defence, it was necessary to have them served by the special privacy unit of the Guardia di Finanza.

In this case too the company, on which the request for supplementary information had also been served again, limited itself to providing concise clarifications without attaching any documentary evidence.

That said, it is believed that the profiles described constitute the violation of art. 31 of the Regulation and art. 157 of the Code.

3. CONCLUSIONS AND CORRECTIVE MEASURES TAKEN

The processing implemented by the company through the website www.inelenco.it presents, as seen, numerous and serious aspects of unlawfulness, although the violation referred to in point 2.1 must be considered decisive among them. Since it concerns the very precondition of the processing, this violation is to be considered absorbing and already sufficient in itself to invalidate the entire processing, given that remedying the unlawful conduct described in the following points, which also aggravates the conduct, would not be sufficient to remedy the fact that the processing itself is carried out in the absence of a suitable legal basis and above all in violation of the law.

In fact, it should be remembered that the current regulatory framework (described above) does not allow the creation of generic telephone directories that are not extracted from the d.b.u. and that do not comply with the decisions adopted by the Guarantor and by Agcom.

It must be added that the way in which the service offered by the site www.inelenco.com is provided does not in any way guarantee the confidentiality of users, not even assuming that the processing is carried out on the basis of consent. As can be observed by using the site and as described by the owner, it is in fact quite easy for anyone to enter the personal data of unsuspecting persons and make them public, through the site itself and through indexing in search engines, without any need to demonstrate that they are the account holder. In this way it would also be possible to make public the data (personal data, contact details and social network subscriptions) of people who have greater confidentiality needs, without their being informed and without their being able to object to this processing.

The presence of complaints with similar content indicates that the conduct is generalized and extends to a large number of persons; in particular, from the examination of the website carried out on 6 May 2022, adding up the results returned by the "search by surname" function, it emerges that the persons whose data are present in the directory amount to 357,046. Furthermore, the conduct involves processing that is particularly invasive of the right to the protection of personal data, given how easily the data can be found through common search engines and the possibility that others may use the data thus made available for further processing that is difficult to verify and contain, such as unwanted marketing activities.

It follows that the processing causes widespread damage deriving from the unsolicited and unauthorized publication of contact data, aggravated by the fact that any attempt at erasure or rectification has proved futile.

That said, taking into account that the conduct described constitutes all the violations specified in the previous paragraph and is carried out in violation of the law, it is necessary, pursuant to art. 58, par. 2, lit. f), to impose on the data controller a prohibition on collecting, further storing and publishing personal data for the creation and online dissemination of a telephone directory whose data have not been taken from the d.b.u.

Finally, owing to the seriousness of the processing already carried out and taking into account the fact that no changes have been made to the website, which is still online, the conditions are deemed to exist for the application of a pecuniary administrative sanction pursuant to articles 58, par. 2, lit. i) and 83 of the Regulation.

4. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

On the basis of the foregoing, various provisions of the Regulation and of the Code have been violated in relation to related processing operations carried out by Petta, so that art. 83, par. 3, of the Regulation must be applied, under which, if, in relation to the same or related processing operations, a data controller violates, with willful misconduct or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation, with the consequent application of only the sanction provided for by art. 83, par. 5 of the Regulation.

For the purpose of quantifying the administrative fine, the aforementioned art. 83, par. 5, in setting the statutory maximum at 20 million euros or, for companies, at 4% of the annual worldwide turnover of the previous year where higher, specifies the methods for quantifying the aforementioned fine, which must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1 of the Regulation), identifying, for this purpose, a series of elements, listed in paragraph 2, to be evaluated when quantifying the relative amount.

In fulfillment of this provision, in the present case, the following aggravating circumstances must be considered:

1. the seriousness of the violation, since the conduct is committed in violation of the law and, in particular, in violation of the provisions of art. 129 of the Code, and is likely to cause significant damage to the interested parties through the dissemination of personal contact data on the Internet;

2. the high number of people whose data has been published (357,046 as of 6 May 2022);

3. the duration of the violation since the conduct lasted for several years: the company has been registered in the register of companies since 8 October 2012; moreover, from a check carried out on www.archive.org, the site www.inelenco.com was detected from 27 March 2015 and already then reported the same contents as today's site;

4. the gross negligence of the data controller, as described in point 2, since the rules for the protection of personal data have been completely ignored and have not been taken into consideration even after the intervention of the Guarantor;

5. the total absence of corrective measures and the lack of cooperation with the Authority to remedy the alleged violations;

6. the degree of responsibility of the data controller who has not allowed the interested parties to exercise their rights and has not indicated any identifying element of the company or contact details on the site;

7. the economic benefit obtained from the publication of personal data on the site, deriving from the presence of advertising banners on the site itself.

As a mitigating element, it is considered necessary to take into account the economic dimensions of the owner who holds the qualification of small entrepreneur pursuant to art. 2083 of the civil code.

In quantifying the fine, consideration was given to the elements described above as ascertained by the preliminary investigation, in the absence of information of an economic nature, as there is no balance sheet in the register of companies and as Petta provided no element in this regard, although this was expressly requested in the note initiating the procedure.

Therefore, on the basis of all the elements indicated above, owing to the seriousness and number of the violations found and above all to the fact that the processing was carried out in violation of the law, it is considered that the sole proprietorship Petta Fabio Giovanni must be subject to an administrative fine of 50,000.00 euros (fifty thousand/00), equal to 0.25% of the statutory maximum of 20 million euros, and, owing to the aggravating elements identified, to the ancillary sanction of full publication of this provision on the Guarantor's website, as required by art. 166, paragraph 7 of the Code and by art. 16 of the Guarantor's regulation n. 1/2019.

Finally, it is considered that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation.

Please note that, pursuant to art. 170 of the Code, anyone who, being required to do so, fails to comply with this prohibition is punished with imprisonment from three months to two years and that, in the event of non-compliance with the same provision, the sanction referred to in art. 83, par. 5, lit. e), of the Regulation applies.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, par. 1, lit. f), of the Regulation, declares unlawful the processing carried out, in the terms described in the statement of reasons, by the sole proprietorship Petta Fabio Giovanni, with registered office in XX, VAT no. 02500600909, and consequently:

- pursuant to art. 58, par. 2, lit. f), of the Regulation, prohibits the collection, storage and publication of personal data for the establishment and online dissemination of a general telephone directory whose data have not been taken from the d.b.u.;

ORDERS

the sole proprietorship Petta Fabio Giovanni, with registered office in XX, VAT no. 02500600909, to pay the sum of 50,000.00 (fifty thousand/00) euros as an administrative fine for the violations indicated in the statement of reasons, noting that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by complying with the instructions given and paying, within the term of thirty days, an amount equal to half of the fine imposed.

ENJOINS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 50,000.00 (fifty thousand/00), according to the methods indicated in the attachment, within 30 days of notification of this provision, failing which the consequent enforcement measures will be adopted pursuant to art. 27 of law n. 689/1981.

PROVIDES FOR

a) pursuant to art. 17 of the Regulation of the Guarantor n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation, of the violations and of the measures adopted;

b) pursuant to art. 166, paragraph 7, of the Code, the full publication of this provision on the Guarantor's website.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, this provision may be challenged before the ordinary judicial authority, by an appeal lodged with the ordinary court of the place where the data controller has his residence or, alternatively, with the court of the place of residence of the interested party, within the term of thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 26 May 2022

PRESIDENT
Stanzione

THE SPEAKER
Scorza

THE DEPUTY SECRETARY GENERAL
Filippi



*The provision has been contested