Garante per la protezione dei dati personali (Italy) - 9784626

From GDPRhub
Garante per la protezione dei dati personali - 9784626
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(f) GDPR
Article 6 GDPR
Article 58(2) GDPR
Article 77 GDPR
Article 85(3) GDPR
Type: Complaint
Outcome: Upheld
Started: 06.07.2020
Decided: 26.05.2022
Published:
Fine: 100.000 EUR
Parties: Intesa Sanpaolo SpA
National Case Number/Name: 9784626
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT) (in IT)
Initial Contributor: Jette

The Italian DPA issued a €100,000 fine against a bank for neglecting to check whether a third party (the customer's father) was authorized to access a customers banking account details before communicating her data to him. While he was previously authorized to know them, over time he may have lost this right.

English Summary

Facts

The controller is Intesa Sanpaolo SpA, a bank in Italy. The data subject is a customer of the bank.

The controller communicated the data subject's current account data to her father while she was already of age. The data was disclosed in a pending judgment in the Tribunale di Bari. The documents were meant for limited disclosure. The data subject lodged a complaint with the Italian DPA for unlawful processing of her personal data by the controller, consisting of communication to unauthorized third parties (her father).

The controller justified the incident by invoking the good faith of its employee, as the data subject's father was previously authorized to access her account data, exercising parental authority until she reached the age of majority. Furthermore, her father was a former employee of the controller. This previously existing relationship had led the employee to believe he was still authorized to access the accounting data. Thus, the bank had acted in good faith.

Holding

The DPA stated that there was no legal basis for processing the data subject's account data. The DPA therefore held that the processing in question was unlawful, as it was carried out in violation of the general principles pursuant to Article 5(1)(a) and (f) and Article 6 GDPR. Contrary to what was argued by the controller, the DPA found the exemption of good faith not applicable. Good faith can only exclude liability when it is unavoidable. In the present case, the employee should have checked whether the data subject's father was still authorized to access her account details. The DPA issued a €100,000 fine for these violations.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9784626]

Injunction order against Intesa Sanpaolo S.p.A. - May 26, 2022

Record of measures
n. 202 of 26 May 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and dr. Claudio Filippi, Deputy Secretary General;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation");

GIVEN the legislative decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 on "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";

GIVEN the complaint presented by Ms XX on 06/07/2020 pursuant to art. 77 of the Regulation, with which Intesa Sanpaolo S.p.A was alleged to have violated the personal data protection regulations;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

SPEAKER Attorney Guido Scorza;

WHEREAS

1. The complaint and the preliminary investigation.

With the complaint presented to this Authority on 06/07/2020, Ms XX through her lawyer, Avv. XX, complained about the unlawfulness of the processing of personal data concerning her put in place by Intesa Sanpaolo S.p.A. - Bari branch -, consisting in the improper communication to unauthorized third parties (in this case to one's parent) of data relating to the banking relationships maintained by the same with the credit institution.

These data were produced in a judgment pending before the Court of Bari with the wording "for internal use".

With the note dated 11/27/2020 (prot. No. 45200), the Office invited the Bank to provide information and clarifications regarding what is represented in the complaint.

The Bank, with a note dated 11/12/2020, communicated that it had carried out investigations which resulted in that:

- "an employee of the Branch had given a positive response to the request for a copy of the movement of the account formulated by short means by Mr. XX, previously authorized to operate on the relationship as an exerciser of parental authority (parent) until reaching the age of majority of the interested party ";

- "The personal acquaintance of Mr. XX, also belonging to the retired staff of the Bank, had induced the employee in good faith to consider Mr. XX still entitled to access the accounting data of his daughter, without a timely verification of the actuality of this faculty ".

The Office, therefore, notified the Bank of the act of initiating the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code in relation to the violation of articles 5, par. 1, lett. a) and f), and 6 of the Regulation (prot. no. 1624 of 12/01/2021).

The Bank, on 09/02/2021, sent its defense writings, pursuant to art. 18 of the law n. 689/1981, with which he reiterated that:

- "the incorrect behavior of the Branch Operator [has] occurred in good faith, as a consequence of the consolidated and protracted operation of the parental authority in the interest of Ms. XX, who erroneously led him not to verify ( …) The continuation of the parent's right to access the data (…) ";

- "The personal acquaintance of Mr. XX, also belonging to the retired staff of the Bank, had induced the employee in good faith to consider Mr. XX still entitled to access the accounting data of his daughter, without a timely verification of the actuality of this faculty ";

- “the Bank, in order to promote and internalize the basic principles for the correct treatment and protection of personal data, requires its collaborators to compulsorily follow a training plan on Data Protection (…).

2. The outcome of the investigation.

Upon examination of the documentation produced and the declarations made by the party during the proceedings, provided that, unless the fact constitutes a more serious crime, anyone, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false deeds or documents and is liable pursuant to art. 168 of the Code, it emerged that the Bank, through one of its employees, accessed the complainant's bank details by communicating them to an unauthorized third party, in the absence of consent or any other legitimacy requirement. Therefore, the processing in question is unlawful as it is carried out in violation of the general principles regarding the protection of personal data, pursuant to art. 5, par. 1, lett. a) and f), and 6 of the Regulations.

Contrary to what has been argued, moreover, the exemption of good faith is considered not applicable to the present case, which, on the basis of a constant jurisprudential orientation (see Cass. Civ. Section II, 17/12/2019 n. ; Civil Cassation section VI, 13/05/2019, n.12629) finds it as a cause for exclusion of liability, only when it is unavoidable, in this regard it is necessary to have positive elements, unrelated to the perpetrator of the infringement, suitable to engender in him the conviction of the lawfulness of his conduct and, above all, that the perpetrator of the infringement did everything possible to observe the law, so that no reproach could be made against him, not even in terms of omissive negligence.

3. Conclusions: illegality of the treatments carried out.

In light of the foregoing assessments, it is noted that the statements made by the data controller in the defensive writings ˗ whose truthfulness may be called to answer pursuant to art. 168 of the Code ˗ do not allow the findings notified by the Office to be overcome with the act of initiating the procedure and are insufficient to allow archiving, however, none of the cases provided for by art. 11 of the regulation of the Guarantor n. 1/2019, concerning the internal procedures of the Authority having external relevance.

For the above reasons, therefore, the complaint presented pursuant to art. 77 of the Regulation and, in the exercise of the corrective powers attributed to the Authority pursuant to art. 58, par. 2, of the Regulations, the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, of the Regulation.

4. Order of injunction.

The Guarantor, pursuant to art. 58, par. 2, lett. i) of the Regulations and art. 166 of the Code, has the power to impose a pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation, through the adoption of an injunction order (art. 18. L. 24 November 1981 n. 689), in relation to the processing of personal data referring to the complainant, whose unlawfulness has been ascertained, within the terms shown above.

With reference to the elements listed in art. 83, par. 2, of the Regulation for the purpose of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must be "in each individual case effective, proportionate and dissuasive" (Article 83, par. 1 of the Regulation), that, in the present case, the following circumstances were taken into consideration:

- with regard to the nature, gravity and duration of the violation, the nature of the violation was considered relevant, concerning the general principles regarding the processing of personal data;

- the Bank was recently the recipient of a corrective measure (No. 270 adopted by the Authority on 27/05/2021, web doc. 9718112) in relation to the assessment by the Authority and following a complaint presented by an interested party, of a similar violation by its staff. This circumstance highlights the need for extra attention on the part of the data controller with respect to the correct fulfillment of the instructions by the persons authorized to process the data, in particular when, as in the present case and in the one covered by the previous provision cited above, requests for access to data come from personnel who have provided (or still provide) service at the Bank;

- in the proceeding, concerning having an episodic and isolated character, the Bank did not adequately prove, in compliance with the accountability principle envisaged by art. 5, par. 2 and 24 of the Regulation, to have adopted or even just initiated adequate reflection on the instructions provided to staff regarding requests for access to bank data, merely recalling the training activities generally provided;

- the nature of the data processed which, although not falling within the so-called type of data. details referred to in art. 9 of the Regulation, must however be considered of particular delicacy.

In consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness (Article 83, paragraph 1, of the Regulation) to which the Authority must comply in determining the amount of the sanction, the economic conditions of the offender were taken into consideration, determined based on the revenues achieved and referred to the financial statements for the year 2020.

On the basis of the aforementioned elements, evaluated as a whole, it is believed to determine the amount of the financial penalty in the amount of € 100,000.00 (one hundred thousand) for the violation of Articles 5, par. 1, lett. a) and f) and 6 of the Regulations.

In this context, also in consideration of the type of violation ascertained, which concerned the principles of protection of personal data, it is believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the regulation of the Guarantor n. 1/2019, this provision should be published on the Guarantor's website.

Finally, it is noted that the conditions set out in art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

WHEREAS, THE GUARANTOR

declares, pursuant to art. 57, par. 1, lett. f) and 83 of the Regulation, the unlawfulness of the processing carried out, in the terms set out in the motivation, for the violation of Articles 5, par. 1, lett. a) and f) and 6 of the Regulations;

ORDER

to Intesa Sanpaolo S.p.A, in the person of the pro-tempore legal representative, with registered office in Turin, Piazza San Carlo, 156, VAT no. 11991500015, pursuant to art. 58, par. 2, lett. i), of the Regulations, to pay the sum of € 100,000.00 (one hundred thousand) as a pecuniary administrative sanction for the violations indicated in this provision;

INJUNCES

to the same Bank to pay the sum of EUR 100,000.00 (one hundred thousand) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981. It is represented that pursuant to art. 166, paragraph 8 of the Code, the offender has the right to settle the dispute by paying - again in the manner indicated in the annex - of an amount equal to half of the sanction imposed within the term referred to in art. 10, paragraph 3, of the d. lgs. n. 150 of 1 September 2011 envisaged for the filing of the appeal as indicated below.

HAS

pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the regulation of the Guarantor n. 1/2019, the publication of this provision on the website of the Guarantor and believes that the conditions set out in art. 17 of regulation no. 1/2019.

Pursuant to art. 78 of the Regulation, of art. 152 of the Code and 10 of the legislative decree 1 September 2011, n. 150, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, May 26, 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Peel

THE DEPUTY SECRETARY GENERAL
Philippi