Garante per la protezione dei dati personali (Italy) - 9815947

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 12 GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 17 GDPR
Type: Complaint
Outcome: Upheld
Started: 15.09.2022
Decided:
Published: 15.09.2022
Fine: 10,000 EUR
Parties: XX (the data subject)
Bper Banca S.p.A. (the controller)
National Case Number/Name: 9815947
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Italian DPA website (in IT)
Initial Contributor: n/a

The Italian DPA imposed a €10,000 fine on Bper Banca S.p.A. for failing to reply adequately and timely (4 months late) to a data subject’s erasure request.

English Summary

Facts

On 12 January 2019, the data subject emailed Bper Banca S.p.A. (the controller) requesting to erase his professional profile. The controller answered a few days later, asking the data subject to submit his ID card and some additional documentation to enable his identification. The data subject complied and sent the requested documentation. However, the controller took no further action after it received these documents.

On 18 April 2019, the data subject submitted a registered letter with acknowledgement of receipt to the controller through his lawyer. He asked the controller "to proceed to the immediate deletion of his personal data present in any database managed by the controller." On 21 May 2019, given the lack of any response from the controller, he submitted a reminder. Only on 17 June 2019 (4 months after the legal deadline), the controller responded to the request for erasure.

Therefore, the data subject filed a complaint with the Italian DPA against the controller for the lack of an adequate and timely response to his erasure request.

During the investigation, the controller argued that it could not reply to the first request because of an internal misunderstanding. Moreover, given the different roles the data subject had within the controller's organisation (as a job applicant, client and employee), coordinating the response was complex. Finally, the migration of its electronic mail system caused some disruption in the flow of internal communication. This led to the failure to request an extension of the deadline and, ultimately, to a late reply to the data subject.

Holding

The DPA noted that the controller gave a merely formal reply to the data subject's first request for erasure. It found that the controller only finalised the requests four months after the expiry of the legal deadline under Article 12(3) GDPR, violating the obligation laid down in that Article to respond without undue delay and in any event within one month of receipt of the request.

Moreover, the DPA stated that in view of the complexity and number of requests, the controller could have taken advantage of the two-month extension of the deadline as laid down in Article 12(3). However, the controller failed to do so. The controller also did not inform the data subject about his right to lodge a complaint with a supervisory authority and to seek a judicial remedy pursuant to Article 12(4). In addition, the DPA found that the controller insufficiently informed the data subject about the necessity to continue storing certain data relating to the data subject.

The DPA concluded that the controller's late and inadequate response to the request for erasure submitted by the data subject was unlawful, violating Article 12 in connection with Article 17.

The DPA held that, with reference to Recital 148 GDPR, the infringement cannot be regarded as 'minor'. Having regard to the nature, seriousness and duration of the infringement, the degree of responsibility, and the manner in which the DPA became aware of the infringement, the DPA fined the controller €10,000 for the aforementioned violations.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9815947]

Injunction order against Bper Banca S.p.A. - September 15, 2022

Record of measures
n. 305 of 15 September 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (hereinafter, the "Regulation");

GIVEN the Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, n.196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the "Code");

GIVEN the complaint submitted pursuant to art. 77 of the Regulation on 22 August 2019 by Dr. XX towards Bper Banca S.p.A. and regularized, in part, on 8 November 2019 and, finally, on 27 May 2020;

HAVING EXAMINED the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

RAPPORTEUR prof. Pasquale Stanzione;

WHEREAS

1. The complaint against the Company and the preliminary investigation.

With a complaint filed on 22 August 2019, then regularised, following invitations to regularise, in part on 8 November 2019 and, finally, on 27 May 2020, Dr. XX complained about alleged violations of the Regulation by Bper Banca S.p.A. (hereinafter, the Company), with reference to the late and unsuitable response to the requests for erasure pursuant to art. 17 of the Regulation submitted by the complainant with reference to his data processed by the Company.

The Company, in responding to the Office's request of 10 July 2020, with a note of 17 August 2020 stated that:

a. "On 12 January 2019, the [complainant] asked, by email to serviziopersonale@pber.it, what the procedure was for deleting his professional profile and personal data from the database relating to applications [...]. This email was acknowledged on 15 January 2019 by the institution, which asked him to send the request accompanied by identity documents, so as to uniquely identify the applicant. On 16 January 2019, the institution received, at the same email address, the identity document and tax code of the [complainant]. However, this last communication was not followed by any effective action by the function in charge (HR planning and development service), owing to an internal misunderstanding" (see note cit., p. 1);

b. "On 18 April 2019 the [complainant], through his lawyer, sent a registered letter with acknowledgement of receipt to this institution, alleging pecuniary and non-pecuniary damage due to the non-deletion [...] of the user accounts generated by him [...]. This communication, even though it contained an explicit request for "deletion of the personal data of the [complainant] present in every database managed by Bper Banca Spa", was analysed as a complaint [...];

c. "The profile referring to the [complainant] and the data entered by him were removed on 6 May 2019 from the front end of the "Work with us" section. Following this intervention, the system no longer allowed the recognition of the account/profile generated by him with the chosen "username and password" combination. From that date, access to the system through that user account returned an error message, since the data referable to the account created by the candidate could no longer be found, thus preventing access to any other information" (see note 17.8.2020 cit., p. 1);

d. "On May 29, 2019 the username was permanently deleted by the system administrator" (see note cited, p. 1);

e. "Following the definitive deletion of the user account [...], the [complainant] was given feedback, through his lawyer, on 17 June 2019" (see note cit., p. 1).

Following the invitation to provide further clarifications sent by this Authority, with a note dated 18 February 2021 the Company stated that "considering the content of the letters [of 18 April 2019 and 21 May 2019] they were initially classified as a complaint. However, the institution decided not to proceed in that sense, providing exclusively for the deletion of the profile and the consequent feedback. At the same time, the e-mail application migration activities were underway, scheduled for the period from 20 to 31 May for the structure responsible for responding. This intervention resulted in a partial misalignment, modifying the starting date of the response times for the letter dated 21 May 2019" (see note 18 February 2021 cit., p. 1).

On 15 April 2021, the Company also declared that the personal data concerning the complainant that it currently processes include: personal and identification data, contact data (address, telephone number, e-mail), the photographic image on a copy of the employee's identity document, information relating to professional skills and career path (studies, self-assessment of skills, training courses), and information relating to employment relationships with the Company (registration number, type of relationship, reason for hiring, reason for termination, employment status, salary level, type of contract, offices and organisational roles covered, places of work). With reference to such data, it specified that it processes them for the purpose of "administrative, accounting, operational and organisational management of the employment relationship" and keeps them for "ten years from the conclusion of the employment relationship". With reference, then, to personal and identification data, contact data and data relating to attendance, it specified that it processes them for the purpose of "managing the obligations connected with the payment of salaries" for "ten years from the generation of the document relating to the payment, with the exception of the data transposed into the single labour book, kept for the time limits applicable by law".

The Company also declared that it "applies a retention rule for relevant data in line with the statutory limitation period for rights, as well as with the time limits for public-law investigations (for example tax, criminal, etc.). [...] in the event of litigation and/or administrative/judicial proceedings, the bank may keep the data for a period beyond that indicated above in order to exercise its right of defence and/or comply with the requests of the authority. It is understood that, once the litigation and/or proceeding has ended, the ordinary retention terms will again apply".

2. The initiation of the procedure for the adoption of corrective measures and the Company's deductions.

On August 16, 2021, the Office carried out, pursuant to art. 166, paragraph 5, of the Code, the notification to the Company of the alleged violations of the Regulations found, with reference to Articles 12 and 17 of the Regulation.

In defensive writings, sent on 13 September 2021, the Company stated that:

a. "With an e-mail dated 12 January 2019, the [complainant] asked Bper Banca S.p.A. [...] what the procedure was for deleting his personal profile and the personal data at the time contained in the "Work with us" section of the Company's website [...]. Having received the elements necessary to identify the data subject (identity document and tax code), due to a technical problem, no effective feedback was provided" (note 13.9.2021 cit., p. 1);

b. "On 18 April 2019 the [complainant], through his lawyer, sent a registered letter alleging unspecified "pecuniary and non-pecuniary damage" caused by the failure to respond to the first request [...]. Considering that the second request also contained elements of dispute and claim not related to privacy issues, the Privacy and Data Protection Office initiated, in line with the operational practices for managing so-called "non-technical/mixed" requests/complaints, the involvement of the Legal Department and the Human Resources Department, as well as the offices responsible for managing personal data and the branch where the banking relationships in the name of the [complainant] were held; these initiatives had the aim of evaluating any possible impact and protective action, as well as preparing a coordinated response concerning i) the request for deletion of data; ii) any legal aspects related to the threatening tone of the request; iii) the methods of acquiring the personal data of candidates for recruitment; iv) the more comprehensive management of data referring to the banking relationships of the data subject as a customer and to his employment relationships (taking into account that the data subject had also been employed by the Institute for certain periods of time)" (see cit. note, p. 2);

c. "With particular reference to the request for the erasure of personal data, the Company proceeded with progressive actions aimed at protecting the right exercised; in particular, on 6 May 2019 (that is, 18 days after the second request) the Human Resources Department physically deleted the data of the data subject from the database tables underlying the "Work with us" section of the site and subsequently, on 29 May 2019, deleted the username and password of the account, stored in a different table of the same database. Owing to the deletion of the data subject's data, the system immediately ceased to allow the association of the account/profile created by the data subject with the data uploaded by him, thus generating the error message" (see cit. note, pp. 2-3);

d. "On 17 June 2019, the Bank formally responded to the second request of the data subject, acknowledging [...] that the right to erasure had in substance already been satisfied - within the limits of the provisions of art. 17 of the [Regulation] - through [the] interventions of 6 May and 29 May 2019" (see cit. note, p. 3);

e. on the culpable nature of the violations, it is stated "that the affair involving the [complainant] constitutes an isolated and unfortunate episode in a general operational context characterised by systematic and timely responses to requests for the exercise of data subjects' rights. In support of this assertion, it is reported that the Company receives on average about 20 requests from data subjects per month, which are not followed, in almost all cases, by further requests or disputes. In terms of timing, it should also be noted that over 80% of requests obtain a response within 20 days of receipt and the remainder, in any case, within the regulatory term of one month" (see note cit., p. 4);

f. "With specific reference to the first request, it should be pointed out that even in the presence of consolidated operating practices relating to feedback on requests for the exercise of data subjects' rights, the function in charge did not, at the time, act and operate as requested because it failed to take charge of the fulfilment. With reference to the second request, the deletion of the data subject's data, despite having been correctly taken over and satisfied in substance on 6 May 2019 (deletion of personal data from the database) and 29 May 2019 (deletion of username and password), was formally confirmed late, on 17 June, due to the data subject's concurrent and pre-eminent claims. These elements of dispute and claim in fact created the need to involve various functions in the management of the second request, with a consequent increase in operating times in order to arrive at an assessment that includes all the most appropriate initiatives (possibly including legal protection) for a complete and coordinated reply. [...] the Company seeks to handle "non-technical/mixed" messages/complaints through a single reply, collecting the contributions from the various functions that are called upon to provide their opinion for various reasons (e.g. Legal Department, Human Resources Department, etc.); this coordination of functions was, in the specific case, complex due to the presence of multiple elements of claim and the different roles that the data subject had at the company (candidate for recruitment, employee, customer). In this context, as a further element of difficulty, the migration of the Company's e-mail system [...] took place in the second half of May 2019, generating some problems in the communication flows between the various corporate functions. This concatenation of situations led both to the failure to activate, pursuant to the legislation, the right to extend the time limits, and ultimately to a late reply to the data subject" (see note cit., p. 5);

g. the Company "capitalised on the events [which occurred] as part of a process of progressive strengthening of the practices and processes underlying the protection of data subjects' rights. In fact, in addition to more effective coordination of the various company functions involved from time to time in the management of "non-technical/mixed" requests, ownership of which has been assigned to the Privacy and Data Protection Office (located within the Compliance Department), and more stringent monitoring of processing times based on the register of requests, there has been a progressive strengthening of the staff of this function which, starting from 5 resources in the workforce in 2018, currently consists of 6 resources with a target of 8" (see cit. note, p. 6);

h. on the degree of responsibility of the controller, taking into account the technical and organisational measures implemented pursuant to arts. 25 and 32, "in the presence of "non-technical/mixed" requests, the functions involved (normally the Privacy and Data Protection Office, Complaints and Disputes Office, Legal Department) promptly confer to qualify the nature of the request and the competence for the reply. [...] The analysis of the content of the requests is systematically carried out in such a way that it can be completed within the ordinarily foreseen term of one month from their receipt" (see note cit., pp. 6-7);

i. on the nature and severity of the violation, the number of data subjects involved, the categories of data processed and the measures to mitigate the damage to data subjects, "the company has merely delayed the fulfilment of its obligations pursuant to Articles 12 and 17 of the Regulation towards the data subject, whose legitimate claims then naturally found full satisfaction. For this reason [...] it is believed that the violations committed can only be considered "minor" violations [...] also taking into account the impact generated on a single data subject and the common nature of the personal data processed" (see note cit., p. 7);

j. on the degree of cooperation "the company has always promptly adhered to the information requests [of the] Authority" (see note cit., p. 8);

k. on the losses avoided as a result of the violation, "given the delay in the acknowledgement, it is represented that the company has not achieved any benefit or advantage, nor avoided losses, in committing the alleged violations" (see note cit., p. 8).

3. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures.

Upon examination of the declarations made to the Authority during the procedure as well as of the documentation acquired, it appears that the Company, as controller, has carried out some processing operations, referring to the complainant, which do not comply with the regulations on the protection of personal data, in particular with reference to the late and unsuitable response to requests for the exercise of rights.

In this regard, it should be noted that, unless the fact constitutes a more serious crime, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false acts or documents, is liable pursuant to art. 168 of the Code "Falsehood in declarations to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor".

The data controller, based on the provisions of art. 12 of the Regulation "facilitates the exercise of the rights of the data subject pursuant to articles 15 to 22" and "provides the data subject with information relating to the action taken regarding a request pursuant to articles 15 to 22 without undue delay and, in any case, at the latest within one month of receipt of the request. This deadline can be extended by two months, if necessary, taking into account the complexity and number of requests ".

The same article 12, par. 4, of the Regulation specifies that, if the controller does not comply with the request for the exercise of rights, "the data controller informs the data subject without delay and at the latest within one month of receiving the request of the reasons for the non-compliance and of the possibility of lodging a complaint with a supervisory authority and of seeking a judicial remedy".

Art. 17 of the Regulation recognises that the data subject "has the right to obtain from the data controller the erasure of personal data concerning him without undue delay and the data controller is obliged to erase the personal data without undue delay, if [inter alia] the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed".

From the elements acquired during the investigation it emerged that the Company gave a merely formal reply to the request for erasure "from the [...] site [of Bper Banca S.p.A.] [of] the professional profile [and of the] personal data from [the bank's] candidacy database" submitted on 12 January 2019 by the complainant.

It is indeed ascertained that on 15 January 2019 the Company informed the data subject that "to proceed with the removal of his account, [...] technical support needs a scan of the identity card and tax code attached to the erasure request" but, despite the fact that the following day the complainant sent the requested documentation (identity document and tax code), due to a "technical problem" the Company then did not provide an effective response to the request.

This conduct violates art. 12 with reference to art. 17 of the Regulation, taking into account that, once the (lawful) need of the Company to verify the identity of the data subject requesting the exercise of the right to erasure had been satisfied, the Company did not follow up the request because of an unspecified "technical inconvenience" caused by the "failure to take charge of the fulfilment", forcing the data subject, through his lawyer, to request the exercise of the right to erasure with a new request.

The complainant, in fact, having received no response to his request, through his lawyer on 18 April 2019 requested, among other things, "to proceed with the immediate erasure of the personal data of the [complainant] present in every database managed by Bper Banca S.p.A." and on 21 May 2019, given the lack of any response from the Company, he sent a reminder of the requests already made.

Only on 17 June 2019, that is, four months after the expiry of the statutory deadline, did the Company give an effective response to the requests for erasure submitted by the complainant.

In this regard, the Company, during the investigation, specified that it had responded "formally [...] late" to the request of 18 April 2019, reiterated on 21 May 2019, namely on 17 June 2019, "due to the data subject's concurrent and pre-eminent claims" which "in fact created the need to involve various functions", but that it had substantially fulfilled what was requested prior to the formal response, in particular by deleting the personal data relating to the complainant's candidacy from its database on 6 May 2019 and deleting the user id and password relating to the aforementioned account on 29 May 2019.

The Company also specified that "the migration of the Company's e-mail system [...] which took place in the second half of May 2019, generating some problems in the communication flows between the various corporate functions" contributed to the delay in replying.

However, the Company's conduct is in contrast with the obligation to provide feedback "without undue delay" to the interested party and in any case within one month of receipt of the request pursuant to art. 12 of the Regulation.

Taking into account the complexity and number of requests, the controller may take advantage of the two-month extension, but, by express legislative provision, it must in any case inform the data subject of the extension and of the reasons for the delay within one month of receiving the request.

While, in fact, the effective removal of the data provided for the application in the "Work with us" section of the Company's website was carried out on 6 May, in part, and then definitively on 29 May 2019, the communication to the data subject of the actions taken to satisfy the right exercised was made only on 17 June 2019.

What has been noted above therefore constitutes a violation of art. 12 in relation to art. 17 of the Regulation.

With reference instead to the non-deletion of the data referring to the complainant (other than those communicated for the purposes of selection for a job) relating to previous employment relationships between the complainant and the Company itself and to banking relationships, within the terms and for the purposes indicated in the course of the investigation, the Company's representations regarding the lawfulness of the further retention of those data are accepted.

In this regard, however, it is ascertained that, in relation to the aforementioned need to retain certain data, the Company, in violation of the provisions of art. 12 par. 4 of the Regulation, in declaring its (lawful) impossibility of erasure, did not indicate to the complainant the possibility of lodging a complaint with the supervisory authority or of seeking a judicial remedy. This aspect denotes the unsuitability of the response as regards the persistent - albeit, as specified, lawful - need to keep certain data referring to the complainant.

4. Conclusions: declaration of illegality of the treatment. Corrective measures pursuant to art. 58, par. 2, Regulations.

For the aforementioned reasons, the Authority considers that the statements, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office in the act initiating the procedure to be overcome, and that they are therefore unsuitable to allow this proceeding to be closed, since none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019 applies.

The late and unsuitable response of the Company to the cancellation request presented by the complainant is in fact illegal, in the terms set out above, in relation to art. 12 in relation to art. 17 of the Regulation.

The violation ascertained in the terms set out in the reasoning cannot be considered "minor", taking into account the nature, gravity and duration of the violation itself, the degree of responsibility and the way in which the supervisory authority became aware of the violation (Recital 148 of the Regulation).

Therefore, in exercise of the corrective powers attributed to it by art. 58, par. 2 of the Regulation, the Authority orders the application of a pecuniary administrative sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (Article 58, paragraph 2, letter i) of the Regulation).

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (Articles 58, paragraph 2, letter i), and 83 of the Regulations; art. 166, paragraph 7, of the Code).

At the outcome of the procedure, it appears that Bper Banca S.p.A. has violated art. 12 in relation to art. 17 of the Regulation. For the violation of the aforementioned provisions, the pecuniary administrative sanction provided for by art. 83, par. 5, lett. a) and b) of the Regulation is applied through the adoption of an injunction order (Article 18, Law 24 November 1981, n. 689).

Considering it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that "If, in relation to the same treatment or related treatments, a data controller [...] violates, with intent or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation ", the total amount of the sanction is calculated in such a way as not to exceed the legal maximum provided for by the same art. 83, par. 5.

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (Article 83, par. 1 of the Regulation), it is stated that, in the present case, the following circumstances were considered:

a) in relation to the nature, severity and duration of the violation, the nature of the violation which concerned the information, communications and methods for exercising the rights of the interested party was considered relevant;

b) with reference to the wilful or negligent nature of the violation and the degree of responsibility of the controller, the conduct of the Company and its degree of responsibility were taken into consideration, since it did not comply with the data protection rules with reference to art. 12 in relation to art. 17 of the Regulation;

c) in favor of the Company, the relevant cooperation with the Supervisory Authority was taken into account for the purpose of defining the complaint and the circumstance that the ascertained violation concerned only the complainant, constituting an isolated case.

It is also considered relevant in the present case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness with which the Authority must comply in determining the amount of the sanction (Article 83, paragraph 1, of the Regulation), firstly, the economic conditions of the offender, determined on the basis of the revenues achieved by the company with reference to the ordinary financial statements for the year 2021. Lastly, the extent of the sanctions imposed in similar cases is taken into account.

In light of the elements indicated above and the assessments made, it is considered, in this case, to apply the administrative sanction of payment of a sum equal to Euro 10,000 (ten thousand) to Bper Banca S.p.A.

In this context, it is also believed, in consideration of the type of violations ascertained that concerned the exercise of the rights of the interested party, that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, this provision should be published on the Guarantor's website.

It is also considered that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

WHEREAS, THE GUARANTOR

finds unlawful the processing carried out by Bper Banca S.p.A., in the person of its legal representative, with registered office in Via San Carlo 8/20, Modena (MO), Tax Code 01153230360, pursuant to art. 143 of the Code, for the violation of art. 12 in relation to art. 17 of the Regulation;

ORDER

pursuant to art. 58, par. 2, lett. i) of the Regulations to Bper Banca S.p.A., to pay the sum of € 10,000 (ten thousand) as a pecuniary administrative sanction for the violations indicated in this provision;

INJUNCES

therefore to the same Company to pay the aforementioned sum of € 10,000 (ten thousand), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981. Please note that the offender has the right to settle the dispute by paying - again according to the methods indicated in the annex - of an amount equal to half of the sanction imposed, within the term set out in art. 10, paragraph 3, of d. lgs. n. 150 of 1.9.2011 provided for the submission of the appeal as indicated below (Article 166, paragraph 8, of the Code);

HAS

the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/20129, and believes that the conditions set out in art. 17 of Regulation no. 1/2019.

Pursuant to art. 78 of the Regulations, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an opposition to the ordinary judicial authority may be proposed against this provision, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.

Rome, September 15, 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei
