Garante per la protezione dei dati personali (Italy) - 9811300

From GDPRhub
Garante per la protezione dei dati personali - 9811300
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 14 GDPR
Article 15 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 05.08.2022
Published:
Fine: 20.000 EUR
Parties: n/a
National Case Number/Name: 9811300
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: n/a

The Italian DPA fined a controller €20.000 for violating Articles 12, 14 and 15 GDPR, as it did not reply to an access request addressed to a business unit of which it had recently taken control.

English Summary

Facts

The controller took over a business unit of Company XX including existing contracts. The data subjects previously consented to the processing of his personal data by company XX.

One data subject stated that he had received electronic payment invoices from the controller, without ever having a contractual relationship with it. It complained about this fact at the controller. After this, the data subject submitted an access request to discover the origin of his personal data and the other information stated in Article 13 GDPR. The data subject didn’t receive an answer within the time limits set in Article 12(3) GDPR. The data subject filed a complaint at the DPA because of this lack of an answer.

However, the controller stated that it deleted the data subject’s personal data after the data subject complained about receiving the electronic payment invoices. The controller stated that it later informed all customers of company XX about the acquisition by the controller. The controller discovered only after the complaint of the data subject at the DPA that his Pec-address (certified e-mail) was missing because of prior deletion.

The controller stated that the obligation to provide information to data subjects did not exist if the purpose of the processing remained unchanged after the acquisition. The controller stated that it had agreed with company XX that the processing would continue on the same terms, in compliance for the purposes for which the data had been collected, using with the same methods. The controller also held that it didn’t need new consent from data subjects for the same reason.

Holding

The DPA stated that the controller didn’t provide any proof according to Article 5(2) GDPR regarding the information send to the data subjects about the sale of the company. It was therefore not clear if the controller complied with Article 14 GDPR, since it had collected the personal data from the company XX, and not directly from the data subject.

The DPA held that the controller violated Article 12(3) GDPR because it didn’t provide access within the time limit in this provision. It also violated Article 12(4) GDPR because it failed to inform the data subject about the reasons for non-compliance and the possibility of lodging a complaint with the DPA. The DPA also held a violation of Article 14 GDPR because the controller failed to provide the data subject the necessary information.

The DPA also rejected the argument of the controller in which it argued that the obligation to provide information did not exist if, following a change in the ownership of the processing, the purpose of the processing remains unchanged. The DPA held that this interpretation was in violation with the general principles on the protection of personal data, especially the principles of transparency and fairness (Article 5(1)(a) GDPR).

The DPA also stated that it was necessary for the fairness of processing that parties get information from companies participating in the merger. Data subjects should in particular be informed about the new name of the controller and the identification details of any new data processors.

The DPA held that data subjects in this case were not provided with adequate information, regarding the identity and contact details of the new controller (Article 14(1)(a) GDPR). The data subjects could also not be aware that the companies agreed that the processing would continue on the same terms as before and in accordance with the new controller's terms, for the same purposes for which they had been collected and with the same methods.

The DPA held that that the exception of Article 14(5)(b) GDPR GDPR was not applicable, because the controller was able to communicate with data subjects. Communicating with data subjects was therefore not impossible and wouldn’t involve a disproportionate effort.

The DPA also held that the communication that was send from the controller to the data subjects could not be considered suitable under Article 14 GDPR. The absence of adequate information was the reason the data subject filed an access request in the first place. The DPA also stated the violations were established not only for the data subject, but to all other interested parties whose contracts were transferred between the controller and Company XX.

The DPA fined the controller €20,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9811300]
Order of injunction against Cosmopol Security S.p.A. - August 5, 2022
Record of measures
n. 285 of 5 August 2022
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei general secretary;
GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation");
GIVEN the legislative decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 on "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";
GIVEN the complaint presented by Mr. XX on 04/02/2020, pursuant to art. 77 of the Regulation, with which the failure to respond to the request to exercise the rights formulated against Cosmopol Security S.p.A was complained;
HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;
SPEAKER Prof. Ginevra Cerrina Feroni;
WHEREAS
1. The content of the complaint.
With the complaint presented to this Authority on 04/02/2020, Mr. XX complained of an unlawful processing of personal data carried out by Cosmopol Security S.p.A. (hereinafter "the Company"), consisting in the failure to respond to the request to exercise the rights, formulated by the same to the Company on 10/12/2019.
In particular, the complainant represented that he had received electronic payment invoices from the Company, without however having ever had any contractual relationship with it, reason for which he formulated the request in order to know the origin of his personal data and to read the information pursuant to art. 13 of EU Regulation 679/2016 (hereinafter the "Regulation").
Against the aforementioned request, duly notified to the Company's pec address, no reply was received within the terms set out in art. 12, par. 3, of the aforementioned Regulation.
2. The results of the investigation.
With notes dated 18/09/2020 and 27/11/2020 (prot. N. 34632 and n. 45236), the Company was invited to provide observations on the facts subject of the complaint and to adhere to the request to exercise the rights, advanced by the complainant.
The Company, with the reply dated 28/09/2020, preliminarily declared that, on 05/10/2019, it had acquired the business branch of company XX, automatically taking over all existing contracts, and that "in force of the described operation, the writer has also inherited the contract with Mr. XX, who had evidently given his consent to the processing and transfer of his personal data, when signing the contract with the assignor XX ".
Therefore, having sent the complainant the invoices for the service performed, he declared that “at the first complaint of Mr. XX, we have taken steps to delete from our archive any and all data of the same in accordance with the provisions in force ".
With a subsequent communication dated 17/12/2020, the Company specified that, "aware of the role and legal obligations", it had asked the company Cerved to extract the pec addresses of XX customers in order to inform them of the intervening sale of the company and that, only following the complaint presented to the Authority by Mr. XX, had realized that the complainant's pec address was not on the list and that the aforementioned communication had not been delivered.
As part of the response and with reference to this specific point, the Company has not provided any information regarding the content of the aforementioned communication suitable for proving, pursuant to art. 5, par. 2 of the Regulations, the correct fulfillment of the provisions of art. 14 of the Regulation.
3. The initiation of the sanctioning procedure.
The Office, in light of the above, notified the act of initiating the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code in relation to the violation of art. 12, par. 3, 14 and 15 of the Regulation (prot. N. 16191 of 25/03/2021).
The Company, on 04/23/2021, sent its defense writings, pursuant to art. 18 of the law n. 689/1981, with which it declared that:
- "the sale of the business unit carried out by XX on 5.10.2019 to Cosmopol Security s.r.l. has not [has] exhausted its effects only on a civil level, but [has] also invested the aspect relating to the protection of personal data of subjects who, before then, had contacts only with the transferring company (at the time the data controller ) ";
- "both companies agreed that, even following the sale of the business branch, the processing of the personal data of the interested parties would continue in substantially unchanged terms compared to before, in compliance with the purposes that had determined the collection and with the 'observance of the procedures followed up to then ”;
- therefore, "by taking over the purchaser in the same position as the transferor, it was considered that the processing of personal data of employees, customers, suppliers and holders of commercial contracts, for the purchase of goods and services related to the management of company sold, does not require any new consent ";
- in light of the above, art. 14, par. 1-4, of the Regulation would not be applicable to the present case, on the basis of the provisions of par. 5 of the same art. 14 ("Paragraphs 1 to 4 do not apply if and to the extent that: a) the interested party already has the information; b) communicating such information is impossible or would involve a disproportionate effort (...) ");
- in the case in question, considering the importance of the relationships subject to the sale of the business unit, "it can actually be considered that there is an objective difficulty in providing information to all interested parties individually and that, in any case, even if this were abstractly feasible, would have involved a manifestly disproportionate use of means - also in terms of costs and burdens - compared to the protected right ";
- "Despite these objective difficulties, the writer has requested the company CERVED to extract the pec addresses of the customers of the transferring company in order to immediately notify the latter of the transfer of the company".
To the defense briefs, the Company has attached the communication sent to customers called "Business Transfer Notice pursuant to art. 2558 and following Of the Civil Code ".
During the hearing held on 22/06/2022, the Company was able to clarify that the choice not to inform customers of the changed ownership of the treatment, by acquiring again their consent to the processing of personal data, was made taking into account I also take into account a decision by the Court of Cagliari (sentence no. 5369 of 6/6/2017) according to which, in the event of a subjective change in the company, it is not necessary to "contact" the interested party again if the purpose of the processing remains unchanged .
Like what occurred in the present case, where the acquiring company continued the same activity as the transferring company, leaving the type and purpose of the processing substantially unchanged, it was considered that there was no obligation to provide the information to the interested parties.
Nevertheless, to ensure greater transparency in contractual relations with its customers, the Company has deemed it appropriate to send them a communication which, due to an information misalignment not dependent on its will, has not reached the complainant.
With specific reference to the contractual relationship with the complainant, moreover, the Company was able to produce the contract signed by the latter with XX, in which it authorized the communication and transfer of data to third parties.
Lastly, the Company represented that, in response to the request to exercise the rights, it canceled the name of the complainant from its database, without however providing him with specific feedback on the matter, considering it to be a communication of withdrawal.
4. The assessments of the Authority.
Upon examination of the documentation produced and the declarations made by the party during the proceedings, provided that, unless the fact constitutes a more serious crime, anyone, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false deeds or documents and is liable pursuant to art. 168 of the Code, it is ascertained that the Company:
did not respond to the request for access to personal data made by the complainant on 10/12/2019, within the deadline set by art. 12, par. 3, of the Regulations ("without undue delay and, in any case, at the latest within one month of receipt of the request"), nor did it inform the applicant, within the same term, of the reasons for the non-compliance as well as the possibility of propose a complaint to the Authority (Article 12, paragraph 4 of the Regulation);
having collected the personal data of the complainant from the XX (and therefore not directly from the interested party), not proceeding, as it is required, to provide the interested parties with the information according to the methods and terms set out in art. 14 of the Regulations (Information to be provided if personal data have not been obtained from the interested party).
In this last regard, it is noted that the argument of the party on the basis of which the obligation to disclose the information to the interested parties does not exist if, following a change in the ownership of the treatment, the purpose of the treatment remains unchanged.
This interpretation, in fact, does not comply with the general principles regarding the protection of personal data, first of all with those of transparency and fairness towards the interested party (Article 5, paragraph 1, letter a) of the Regulation), nor with the indications, on the subject of company mergers and demergers, contained in the provision adopted by the Guarantor on April 8, 2009 containing “Requirements for mergers and demergers between companies” (web doc. 1609999).
In this provision, the Guarantor was able to clarify that "as a result of the merger by incorporation, the incorporating company assumes the rights and obligations of the incorporated company, continuing in all relationships (assets and liabilities) of the same (including procedural) prior to the merger (Article 2504-bis, paragraph 1, of the Italian Civil Code) ".
From the point of view of the protection of personal data, given that the data must be treated fairly, it is necessary that "the interested parties be provided with the necessary updates to the information provided by the spun-off company or by the companies incorporated or in any case participating in the merger operation," and among them, in particular, the indication of the new name of the data controller and the identification details of any new manager at which to exercise the right of access to personal data and the other rights provided for by art. 7 of the Code "(in the formulation prior to the changes introduced by Legislative Decree 101/2018).
The indications of the aforementioned provision, adopted with reference to the regulatory framework prior to the entry of Regulation (EU) 2016/679 are now confirmed in the provision referred to in art. 14 of the Regulation which provides that "if the data are not obtained from the data subject, the data controller provides the data subject with the following information (...)", indicated in subsequent letters. a) -f), including information relating to the "purpose of the processing for which the personal data are intended, as well as the legal basis".
Furthermore, the law provides that such information is provided to the interested parties within a reasonable period of obtaining the personal data, at the latest within one month, and in the event that the personal data are intended for communication with the interested party within one month. from the first communication (Article 14, paragraph 3, letters a) and b) of the Regulation).
These provisions do not apply only when "the data subject already has the information" or when "communicating such information is impossible or would involve a disproportionate effort (...)", circumstances that in any case do not occur in this case.
In the present case it is clear that the interested parties could not have access, without adequate information, of the information relating to the identity and contact details of the new data controller (Article 14, paragraph 1, letter a), nor could they be aware that "the companies have agreed that, even following the sale of the business unit, the processing of the personal data of the interested parties would continue in terms substantially unchanged compared to before, in compliance with the purposes that had determined the collection and with the observance of the procedures followed up to then ", a circumstance defined in the contract for the sale of a business unit, the content of which is known only between the parties.
As for the derogation provided for by art. 14, par. 5, lett. b), which exempts from fulfilling when "communicating such information is impossible or would involve a disproportionate effort (...)", this impossibility is in fact denied in the present case by the same admission of the Company which has in any case sent a communication via certified e-mail to customers.
It is also noted that, in the case in question, the communication sent by the Company to the clients of XX to inform them of the corporate change, cannot be considered suitable pursuant to the provisions of art. 14 of the Regulations so much so that the complainant, precisely in the absence of adequate information on the processing of their personal data, submitted the application pursuant to art. 15 of the Regulation, aimed in particular at knowing the origin of the personal data being processed.
The violation must therefore be considered ascertained, not only with reference to the complainant, but also of all the other interested parties whose contracts have been transferred between the two companies.
It should also be clarified that the cd. authorization to communicate personal data to third parties, provided for by art. 22 of the service contract signed between the parties, refers to the possibility of communicating, as part of the processing operations carried out by the owner and provided for by the contract, personal data to third parties, authorized or in charge of processing, and not to the different hypothesis (recurring in the present case) of the transfer of data to a different owner.
As for the sentence of the Court of Cagliari referred to by the Company in the defense briefs, it should be noted that it was annulled in the Supreme Court with sentence no. 27325 of 07/10/2021 (Cass. Civ. Section I) which clarified that "the transfer of data from the original owner to another subject, (...), gives rise to the termination of the original treatment - not to the succession in itself - thus entailing the initiation of a distinct treatment by the new owner, who is required to comply with the overall regulations on the subject of information and consent ".
5. Conclusions: illegality of the treatments carried out. Corrective measures.
In light of the foregoing assessments, it is noted that the statements made by the data controller in the defensive writings ˗ the truthfulness of which one may be called to answer pursuant to art. 168 of the Code ˗ do not allow the findings notified by the Office to be overcome with the act of initiation of the procedure and are insufficient to allow archiving, however, none of the cases provided for by art. 11 of the regulation of the Guarantor n. 1/2019, concerning the internal procedures of the Authority having external relevance.
For the above reasons, therefore, the complaint submitted pursuant to art. 77 of the Regulation and, in the exercise of the corrective powers attributed to the Authority pursuant to art. 58, par. 2, of the Regulation it:
orders the Company to provide feedback to the request to exercise the rights formulated by the complainant;
also provides for the application of a pecuniary administrative sanction, as required by art. 83, par. 5 of the Regulation.
6. Order of injunction.
The Guarantor, pursuant to art. 58, par. 2, lett. i) of the Regulations and art. 166 of the Code, has the power to impose a pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation, through the adoption of an injunction order (art. 18. L. 24 November 1981 n. 689), in relation to the processing of personal data referring to the complainant, whose unlawfulness has been ascertained, within the terms shown above.
With reference to the elements listed in art. 83, par. 2, of the Regulations for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must be "in each individual case effective, proportionate and dissuasive" (Article 83, par. 1 of the Regulations), that, in the present case, the following circumstances were taken into consideration:
- with regard to the nature, severity and duration of the violation, the nature of the violation was considered relevant, which concerned the provisions relating to the exercise of the rights of the interested parties and the obligation to provide information;
- the fact that the violation relating to the omitted disclosure is ascertained, not only with reference to the complainant, but also of all other interested parties whose contracts have been transferred between the two companies;
- the circumstance that, at present, a condition of illegality in the processing of personal data remains;
- the absence of previous relevant violations committed by the data controller, as well as the lack of willful misconduct on the part of the same;
- the degree of cooperation provided by the Company during the procedure.
In consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness (Article 83, paragraph 1, of the Regulation) to which the Authority must comply in determining the amount of the sanction, the economic conditions of the offender were taken into consideration, determined based on the revenues achieved and referred to the financial statements for the year 2020.
Due to the aforementioned elements, assessed as a whole, it is believed to determine the amount of the financial penalty in the amount of € 20,000.00 (twenty thousand) for the violation of Articles 12, 14 and 15 of the Regulation.
In this context, also in consideration of the type of violation ascertained, which concerned the rights of the interested party, it is believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the regulation of the Guarantor n. 1/2019, this provision should be published on the Guarantor's website.
Finally, it is noted that the conditions set out in art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.
WHEREAS, THE GUARANTOR
declares, pursuant to art. 57, par. 1, lett. f) and 83 of the Regulation, the unlawfulness of the processing carried out, in the terms set out in the motivation, for the violation of Articles 12, par. 3. and 15 of the Regulations;
ORDER
to Cosmopol Security S.p.A. in the person of the pro-tempore legal representative, with registered office in Rome, Via Savoia n. 80 / B, Tax Code 02849920588, pursuant to art. 58, par. 2, of the Regulations, to conform their treatments to the provisions of art. 12 of the Regulation itself, providing feedback to the interested party within 30 days of receipt of this provision, as well as paying the sum of € 20,000.00 (twenty thousand) as a fine for the violations indicated in the motivation;
INJUNCES
to the same Company to pay the sum of € 20,000.00 (twenty thousand) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981. It is represented that pursuant to art. 166, paragraph 8 of the Code, the offender has the right to settle the dispute by paying - again in the manner indicated in the annex - of an amount equal to half of the sanction imposed within the term referred to in art. 10, paragraph 3, of d. lgs. n. 150 of 1 September 2011 envisaged for the filing of the appeal as indicated below.
HAS
pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the regulation of the Guarantor n. 1/2019, the publication of this provision on the website of the Guarantor and believes that the conditions set out in art. 17 of regulation no. 1/2019.
Pursuant to art. 78 of the Regulation, of art. 152 of the Code and 10 of the legislative decree 1 September 2011, n. 150, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.
Rome, 5 August 2022
PRESIDENT
Stanzione
THE RAPPORTEUR
Cerrina Feroni
THE SECRETARY GENERAL
Mattei