Garante per la protezione dei dati personali (Italy) - 9815931

From GDPRhub
Revision as of 13:41, 2 November 2022 by Jg (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Garante per la protezione dei dati personali - 9815931
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 31 GDPR
Article 157 Codice in Materia di Protezione dei Dati Personali
Article 166 (2) Codice in Materia di Protezione dei Dati Personali
Article 166 (5) Codice in Materia di Protezione dei Dati Personali
Type: Complaint
Outcome: Upheld
Started: 15.09.2022
Decided:
Published: 15.09.2022
Fine: 2,000 EUR
Parties: An employee from the Royal Palace hotel of Rome managed by Sofisticated Luxury Flats s.r.l. (the data subject)
Sofisticated Luxury Flats s.r.l. (the controller)
National Case Number/Name: 9815931
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Italian DPA website (in IT)
Initial Contributor: n/a

The Italian DPA imposed a €2,000 fine on Sophisticated Luxury Flats s.r.l. for failing to cooperate with the DPA during an investigation.

English Summary

Facts

The Royal Palace Hotel is owned by Luxury Flats s.r.l. (the controller). An employee (the data subject) from the Royal Palace Hotel in Rome filed a complaint against the controller for the use of a biometric device aimed at recording the employees’ attendance at work. This tool had the ability to register the start and end of the employees’ workday by scanning their fingerprints.

Following the complaint, the DPA opened an investigation into the case. On 10 August 2020, the DPA gave the controller the opportunity to provide feedback, followed by two other inquiries on 5 January 2020 and 29 April 2021. The controller did not respond to any of them. Therefore, the DPA delegated the case to the Special Unit for the Protection of Privacy and Technological Fraud of the Italian finance police to acquire the requested information and to notify the controller of the initiation of sanctioning proceedings pursuant to Article 166(5) of the Personal Data Protection Code (Codice in materia di protezione dei dati personali).

During the visit from the Special Unit, the controller declared that it "did not understand the meaning of the DPA's emails regarding the investigation" and "was not aware that it had to respond to these inquiries." The controller stated that the device had not been used since January or February 2020 since it did not work properly. It could not recall where the device was, nor could it provide documentation on the model of the device.

Holding

Based on the facts and the statements of the controller, the DPA found no objective element's that would allow for a sanction.

However, due to its failure to respond to the multiple requests of the DPA, the controller breached Article 157 (request for information and production of documents) in relation to Article 166(2) of the Code. Therefore, the DPA held that a fine was necessary.

The DPA held that, with reference to Recital 148 GDPR, the infringement could not be regarded as 'minor'. Having regard to the nature, seriousness and duration of the infringement, as well as the degree of responsibility and the way the DPA became aware of the infringement, the DPA fined the controller €2,000 for the aforementioned violations.

Comment

Although the Garante only referred to national legislation, it is worth noting that, in this case, the controller did not fulfil its obligations, under Article 31 GDPR, to cooperate with the supervisory authority in the performance of its tasks.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9815931]

Injunction order against Sofisticated Luxury Flats s.r.l. - September 15, 2022

Record of measures
n. 301 of 15 September 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (hereinafter, the "Regulation");

GIVEN the Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, n.196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the "Code");

GIVEN the report filed on December 17, 2019 against Sofisticated Luxury Flats s.r.l .;

EXAMINED the documentation in deeds;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

Rapporteur Prof. Ginevra Cerrina Feroni;

WHEREAS

1. Reporting to the Company and inspections at the company's registered office.

With notification dated 17 December 2019, an employee of the Royal Palace hotel in Rome, managed by Sofisticated Luxury Flats s.r.l. (hereinafter, the Company), complained about alleged violations of current legislation with reference, as far as the Authority is concerned, to the use of a biometric device for the purpose of detecting presence in service.

The Authority initiated an investigation into the case on 10 August 2020 (prot. 30317/145487), with an invitation to the Company to provide feedback on the fact that is the subject of the report. As no response was received, despite the request being regularly delivered to the company's Pec address, on January 5, 2021 the Office renewed the invitation, pursuant to art. 157 of the Code, to provide the information already requested (prot. 504.05 / 01/2021).

Since no reply was received from the Company, even to this further request (which was duly delivered), after a further reminder sent on April 29, 2021 (prot. 23845/145487), the Authority has delegated the Special Privacy Protection Unit and technological fraud by the Guardia di Finanza the carrying out of an inspection in order to acquire the information already requested and notify the Company of the act of initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code for the failure to reply to the Authority's request for information (act of initiation of the sanctioning procedure no. 49240 of 01/10/2021).

The inspection took place on 27 October 2021 at the registered office of the Company whose legal representative stated that:

to. "In your presence, I checked the company's certified e-mail address and found the notes from the Guarantor Authority sent over time. Honestly, I did not understand the meaning of the notes received and therefore I had no knowledge of the fact that I had to respond to the Guarantor "(inspection report 20/10/2021, p. 2);

b. the device being reported "is no longer active since January or February 2020. If I remember correctly, between July and September 2018, for practical reasons [...] I purchased a device online, called" employee attendance detector ", through which it was possible to acquire the start and end times of employees by issuing their fingerprint "(minutes cit., p. 2-3);

c. "Through that device, which now I can't even say what happened to it, I think it was thrown away because it no longer works, I had the ability to detect attendance and entry and exit times of employees, who were reported to my accountant at the end of the month for the calculations due "(minutes quoted, p. 3);

d. "I have no documentary evidence that can lead us to the model of device used" (minutes cit., P. 4);

And. "I tried to look for the device in question or its documentation, but I could not find anything" (minutes quoted, p. 5).

2. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures.

With reference to the facts reported, no objective elements emerged from the investigation that would allow the Authority to express itself.

However, it is ascertained that the Company has failed to respond to requests for information sent by the Authority, in particular to the invitation of 10 August 2020, to the request made pursuant to art. 157 of the Code sent on January 2, 2021 (containing the express notice that "in the event of non-compliance with this request, the pecuniary administrative sanction envisaged by art. 166, paragraph 2 of the Code must be applied") and the subsequent reminder of 29 April 2021, despite all three communications from the Guarantor's offices having been duly notified and, based on what was declared by the Company, also viewed (nevertheless the data controller would not have understood that such communications - concerning, respectively, a " Invitation to provide feedback ", the" Request for information pursuant to Article 157 of Legislative Decree 196/2003 "and the" Request for information pursuant to Article 157 of Legislative Decree 196/2003 "- required to provide a reply).

According to the aforementioned article 157 of the Code "Within the scope of the powers referred to in article 58 of the Regulation, and for the performance of its duties, the Guarantor may request the owner, [...] to provide information and exhibit documents" . Art. 166, paragraph 2, of the Code establishes that the violation of art. 157 of the Code is subject to the administrative sanction referred to in Article 83, par. 5, of the Regulation.

The failure of the Company to reply to the Guarantor's request for information therefore occurred in violation of art. 157 of the Code in relation to the provisions of art. 166, paragraph 2, of the Code, with consequent application of the administrative sanction referred to in Article 83, par. 5, of the Regulation.

3. Corrective measures pursuant to art. 58, par. 2, Regulations.

The Authority believes that the statements and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office to be overcome with the act of initiating the procedure and that they are therefore unsuitable for allowing the filing of this procedure, however, as none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019.

Failure to respond to the request for information, addressed several times to the Company, in fact constitutes an unlawful conduct for violation of art. 157 (request for information and presentation of documents) in relation to art. 166, paragraph 2, of the Code.

The violation ascertained in the terms set out in the motivation cannot be considered "minor", taking into account the nature, gravity and duration of the violation itself, the degree of responsibility and the manner in which the supervisory authority has become aware of the violation (cons. 148 of the Regulation).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulations, a pecuniary administrative sanction is applied pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (Article 58, paragraph 2, letter i) of the Regulation).

4. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (Articles 58, paragraph 2, letter i), and 83 of the Regulations; art. 166, paragraph 7, of the Code).

As a result of the proceedings, it appears that Sofisticated Luxury Flats s.r.l. has violated art. 157 in relation to art. 166, paragraph 2, of the Code.

For the violation of the aforementioned provision, the application of the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulations, by adopting an injunction order (Article 18, Law 11/24/1981, n. 689).

With reference to the elements listed in art. 83, par. 2 of the Regulations for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (Article 83, par. 1 of the Regulations), it is stated that , in the present case, the following circumstances were considered:

a) with reference to the willful or negligent nature of the violation and the degree of responsibility of the owner, the conduct of the Company and the degree of responsibility of the same were taken into consideration which, despite having received three requests to provide information relating to a report received from Authorities, regularly received on their certified e-mail account, and despite having learned the content, clearly indicated from the subject of the communications sent, did not consider providing any feedback to the Authority;

b) with reference to the degree of cooperation with the Supervisory Authority, the failure to respond to three separate requests for information was considered to the detriment of the Company, conduct which aggravated the procedure and hindered the performance of the Authority's tasks, making it necessary to delegate the carrying out of an on-site inspection to the Special Privacy Protection and Technological Fraud Unit of the Financial Police;

c) the absence of specific precedents was taken into account in favor of the Company.

It is also believed that they assume relevance in the present case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must comply in determining the amount of the sanction (Article 83, paragraph 1, of the Regulation), in firstly, the economic conditions of the offender, determined on the basis of the revenues achieved by the company with reference to the ordinary financial statements for the year 2015 (latest available). Lastly, the extent of the sanctions imposed in similar cases is taken into account. As a further mitigating factor in favor of the Company, account was taken of the particular conditions in which the companies in the sector in which the company operates (hospitality businesses) found themselves operating due to the health emergency in the reference period.

In light of the elements indicated above and the assessments made, it is considered, in this case, to apply the administrative sanction of payment of a sum equal to 2,000 (two thousand) euros to Sofisticated Luxury Flats s.r.l.

In this context, it is also considered, in consideration of the type of violations ascertained that concerned the obligation to meet requests for information and the presentation of documents by the Guarantor, which pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, this provision should be published on the Guarantor's website.

Finally, it is believed that the conditions set out in art. 17 of Regulation no. 1/2019.

WHEREAS, THE GUARANTOR

detects the unlawfulness of the processing carried out by Sofisticated Luxury Flats s.r.l., in the person of the legal representative, with registered office in Via delle Carrozze, 34/36, Rome (RM), P.I. 09500051009, pursuant to art. 143 of the Code, for the violation of art. 157 of the Code;

ORDER

pursuant to art. 58, par. 2, lett. i) of the Regulations to Sofisticated Luxury Flats s.r.l., to pay the sum of € 2,000 (two thousand) as a fine for the violation indicated in this provision;

INJUNCES

then to the same Company to pay the aforementioned sum of 2,000 (two thousand) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981. Please note that the offender has the right to settle the dispute by paying - again according to the methods indicated in the annex - of an amount equal to half of the sanction imposed, within the term set out in art. 10, paragraph 3, of d. lgs. n. 150 of 1.9.2011 provided for the submission of the appeal as indicated below (Article 166, paragraph 8, of the Code);

HAS

the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/20129, and believes that the conditions set out in art. 17 of Regulation no. 1/2019.

Pursuant to art. 78 of the Regulations, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an opposition to the ordinary judicial authority may be proposed against this provision, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.

Rome, September 15, 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroini

THE SECRETARY GENERAL
Mattei

[doc. web n. 9815931]

Injunction order against Sofisticated Luxury Flats s.r.l. - September 15, 2022

Record of measures
n. 301 of 15 September 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (hereinafter, the "Regulation");

GIVEN the Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, n.196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the "Code");

GIVEN the report filed on December 17, 2019 against Sofisticated Luxury Flats s.r.l .;

EXAMINED the documentation in deeds;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

Rapporteur Prof. Ginevra Cerrina Feroni;

WHEREAS

1. Reporting to the Company and inspections at the company's registered office.

With notification dated 17 December 2019, an employee of the Royal Palace hotel in Rome, managed by Sofisticated Luxury Flats s.r.l. (hereinafter, the Company), complained about alleged violations of current legislation with reference, as far as the Authority is concerned, to the use of a biometric device for the purpose of detecting presence in service.

The Authority initiated an investigation into the case on 10 August 2020 (prot. 30317/145487), with an invitation to the Company to provide feedback on the fact that is the subject of the report. As no response was received, despite the request being regularly delivered to the company's Pec address, on January 5, 2021 the Office renewed the invitation, pursuant to art. 157 of the Code, to provide the information already requested (prot. 504.05 / 01/2021).

Since no reply was received from the Company, even to this further request (which was duly delivered), after a further reminder sent on April 29, 2021 (prot. 23845/145487), the Authority has delegated the Special Privacy Protection Unit and technological fraud by the Guardia di Finanza the carrying out of an inspection in order to acquire the information already requested and notify the Company of the act of initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code for the failure to reply to the Authority's request for information (act of initiation of the sanctioning procedure no. 49240 of 01/10/2021).

The inspection took place on 27 October 2021 at the registered office of the Company whose legal representative stated that:

to. "In your presence, I checked the company's certified e-mail address and found the notes from the Guarantor Authority sent over time. Honestly, I did not understand the meaning of the notes received and therefore I had no knowledge of the fact that I had to respond to the Guarantor "(inspection report 20/10/2021, p. 2);

b. the device being reported "is no longer active since January or February 2020. If I remember correctly, between July and September 2018, for practical reasons [...] I purchased a device online, called" employee attendance detector ", through which it was possible to acquire the start and end times of employees by issuing their fingerprint "(minutes cit., p. 2-3);

c. "Through that device, which now I can't even say what happened to it, I think it was thrown away because it no longer works, I had the ability to detect attendance and entry and exit times of employees, who were reported to my accountant at the end of the month for the calculations due "(minutes quoted, p. 3);

d. "I have no documentary evidence that can lead us to the model of device used" (minutes cit., P. 4);

And. "I tried to look for the device in question or its documentation, but I could not find anything" (minutes quoted, p. 5).

2. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures.

With reference to the facts reported, no objective elements emerged from the investigation that would allow the Authority to express itself.

However, it is ascertained that the Company has failed to respond to requests for information sent by the Authority, in particular to the invitation of 10 August 2020, to the request made pursuant to art. 157 of the Code sent on January 2, 2021 (containing the express notice that "in the event of non-compliance with this request, the pecuniary administrative sanction envisaged by art. 166, paragraph 2 of the Code must be applied") and the subsequent reminder of 29 April 2021, despite all three communications from the Guarantor's offices having been duly notified and, based on what was declared by the Company, also viewed (nevertheless the data controller would not have understood that such communications - concerning, respectively, a " Invitation to provide feedback ", the" Request for information pursuant to Article 157 of Legislative Decree 196/2003 "and the" Request for information pursuant to Article 157 of Legislative Decree 196/2003 "- required to provide a reply).

According to the aforementioned article 157 of the Code "Within the scope of the powers referred to in article 58 of the Regulation, and for the performance of its duties, the Guarantor may request the owner, [...] to provide information and exhibit documents" . Art. 166, paragraph 2, of the Code establishes that the violation of art. 157 of the Code is subject to the administrative sanction referred to in Article 83, par. 5, of the Regulation.

The failure of the Company to reply to the Guarantor's request for information therefore occurred in violation of art. 157 of the Code in relation to the provisions of art. 166, paragraph 2, of the Code, with consequent application of the administrative sanction referred to in Article 83, par. 5, of the Regulation.

3. Corrective measures pursuant to art. 58, par. 2, Regulations.

The Authority believes that the statements and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office to be overcome with the act of initiating the procedure and that they are therefore unsuitable for allowing the filing of this procedure, however, as none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019.

Failure to respond to the request for information, addressed several times to the Company, in fact constitutes an unlawful conduct for violation of art. 157 (request for information and presentation of documents) in relation to art. 166, paragraph 2, of the Code.

The violation ascertained in the terms set out in the motivation cannot be considered "minor", taking into account the nature, gravity and duration of the violation itself, the degree of responsibility and the manner in which the supervisory authority has become aware of the violation (cons. 148 of the Regulation).

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulations, a pecuniary administrative sanction is applied pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (Article 58, paragraph 2, letter i) of the Regulation).

4. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (Articles 58, paragraph 2, letter i), and 83 of the Regulations; art. 166, paragraph 7, of the Code).

As a result of the proceedings, it appears that Sofisticated Luxury Flats s.r.l. has violated art. 157 in relation to art. 166, paragraph 2, of the Code.

For the violation of the aforementioned provision, the application of the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulations, by adopting an injunction order (Article 18, Law 11/24/1981, n. 689).

With reference to the elements listed in art. 83, par. 2 of the Regulations for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (Article 83, par. 1 of the Regulations), it is stated that , in the present case, the following circumstances were considered:

a) with reference to the willful or negligent nature of the violation and the degree of responsibility of the owner, the conduct of the Company and the degree of responsibility of the same were taken into consideration which, despite having received three requests to provide information relating to a report received from Authorities, regularly received on their certified e-mail account, and despite having learned the content, clearly indicated from the subject of the communications sent, did not consider providing any feedback to the Authority;

b) with reference to the degree of cooperation with the Supervisory Authority, the failure to respond to three separate requests for information was considered to the detriment of the Company, conduct which aggravated the procedure and hindered the performance of the Authority's tasks, making it necessary to delegate the carrying out of an on-site inspection to the Special Privacy Protection and Technological Fraud Unit of the Financial Police;

c) the absence of specific precedents was taken into account in favor of the Company.

It is also believed that they assume relevance in the present case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must comply in determining the amount of the sanction (Article 83, paragraph 1, of the Regulation), in firstly, the economic conditions of the offender, determined on the basis of the revenues achieved by the company with reference to the ordinary financial statements for the year 2015 (latest available). Lastly, the extent of the sanctions imposed in similar cases is taken into account. As a further mitigating factor in favor of the Company, account was taken of the particular conditions in which the companies in the sector in which the company operates (hospitality businesses) found themselves operating due to the health emergency in the reference period.

In light of the elements indicated above and the assessments made, it is considered, in this case, to apply the administrative sanction of payment of a sum equal to 2,000 (two thousand) euros to Sofisticated Luxury Flats s.r.l.

In this context, it is also considered, in consideration of the type of violations ascertained that concerned the obligation to meet requests for information and the presentation of documents by the Guarantor, which pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, this provision should be published on the Guarantor's website.

Finally, it is believed that the conditions set out in art. 17 of Regulation no. 1/2019.

WHEREAS, THE GUARANTOR

detects the unlawfulness of the processing carried out by Sofisticated Luxury Flats s.r.l., in the person of the legal representative, with registered office in Via delle Carrozze, 34/36, Rome (RM), P.I. 09500051009, pursuant to art. 143 of the Code, for the violation of art. 157 of the Code;

ORDER

pursuant to art. 58, par. 2, lett. i) of the Regulations to Sofisticated Luxury Flats s.r.l., to pay the sum of € 2,000 (two thousand) as a fine for the violation indicated in this provision;

INJUNCES

then to the same Company to pay the aforementioned sum of 2,000 (two thousand) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981. Please note that the offender has the right to settle the dispute by paying - again according to the methods indicated in the annex - of an amount equal to half of the sanction imposed, within the term set out in art. 10, paragraph 3, of d. lgs. n. 150 of 1.9.2011 provided for the submission of the appeal as indicated below (Article 166, paragraph 8, of the Code);

HAS

the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/20129, and believes that the conditions set out in art. 17 of Regulation no. 1/2019.

Pursuant to art. 78 of the Regulations, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an opposition to the ordinary judicial authority may be proposed against this provision, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.

Rome, September 15, 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroini

THE SECRETARY GENERAL
Mattei