Garante per la protezione dei dati personali (Italy) - 9817058

From GDPRhub
Garante per la protezione dei dati personali - 9817058
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR
Article 25(1) GDPR
Article 32 GDPR
Article 58(2)(i) GDPR
Article 83(3) GDPR
Type: Complaint
Outcome: Upheld
Decided: 06.10.2022
Fine: 15,000 EUR
Parties: Servizio Idrico Integrato S.c.p.a.
National Case Number/Name: 9817058
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Initial Contributor: n/a

The Italian DPA imposed a €15,000 fine on a company providing water services for the use of an insecure network protocol and the lack of encryption on its website.

English Summary


A company providing water services (the controller) used a website without secure network protocols ("http"; hypertext transfer protocol). A customer of the company (the data subject), who visited the website, complained about this fact to the Italian DPA. In particular, the data subject expressed concerns about the fact that contacts and invoices were managed without encryption. According to the data subject, such measures would be necessary considering the existing personal data authentication processes and transit of said data. Following the complaint, the DPA started an investigation into the controller.

During the investigation, the controller argued that there have never been any allegations concerning data breaches as a result of the situation under dispute made by users. In addition, the controller stated that it adjusted the security profile of the website, which was now up to recognised standards. The controller stated that the transition to a more secure protocol was already in motion long before the DPA's investigation. Moreover, the controller argued that the data that were potentially exposed to an infringement did not contain any special categories of personal data.


First, the DPA recalled that Article 5(1)(f) GDPR provides for processing of personal data to be carried out in accordance with the principle of integrity and confidentiality. Based on this principle, Article 32 GDPR states that the controller must implement suitable technical and organisational measures to ensure a level of security appropriate to the risk, including encryption. Furthermore, the controller must ensure appropriate means to effectively implement data protection principles and integrate the necessary safeguards pursuant to Article 25(1) GDPR (data protection by design).

The DPA noted that in the case at hand, the controller dedicated a website to provide online services. However, it failed to implement a network protocol that would guarantee the confidentiality and integrity of the data exchanged between the user's browser and the server hosting the controller's website. The DPA found that the lack of safeguards also did not allow users to verify the authenticity of the website displayed. The DPA held that the controller should have put appropriate technical measures (such as such the 'https' protocol) in place from the beginning. Thus, the moment of designing the website.

The DPA concluded that the lack of encryption on it's website to transfer personal data constituted a breach of Articles 5(1)(f) and 32 GDPR. Additionally, the controller violated Article 25(1) GDPR because it failed to implement a secure network protocol from the moment of designing the website. Pursuant to Articles 58(2)(i) and 83(3) GDPR, the DPA fined the controller €15,000 for the aforementioned violations. The DPA did take account of the fact that the controller swiftly adjusted its security protocol because of the investigation as a mitigating circumstance.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

Order injunction against the Water Service
Integrated S.c.p.a. - 6 October 2022 [9817058]
[doc. web n. 9817058]
Order injunction against Integrated Water Service S.c.p.a. - October 6, 2022
Record of measures
n. 328 of 6 October 2022
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, the
prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer. Guido Scorza,
components, and the cons. Fabio Mattei, general secretary;
HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016,
relating to the protection of individuals with regard to the processing of personal data, as well as
to the free circulation of such data and which repeals Directive 95/46 / EC, “General Regulation on
data protection "(hereinafter," Regulation ");
GIVEN the legislative decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data,
laying down provisions for the adaptation of national law to Regulation (EU) 2016/679
of the European Parliament and of the Council of 27 April 2016 on the protection of individuals
physical with regard to the processing of personal data, as well as the free circulation of such data e
which repeals Directive 95/46 / EC (hereinafter the "Code");
GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance,
aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for
protection of personal data, approved with resolution no. 98 of 4 April 2019, published in
G.U. n. 106 of 8 May 2019 and in, doc. web n. 9107633 (hereinafter "Regulation
of the Guarantor n. 1/2019 ");
GIVEN the documentation in the deeds;
HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Regulation of
Guarantor n. 1/2000 on the organization and functioning of the office of the Guarantor for protection
of personal data, doc. web n. 1098801;
SPEAKER Attorney Guido Scorza;
1. Introduction.
With a complaint of the XX, submitted pursuant to art. 77 of the Regulations, a company user
Integrated Water Service S.c.p.a. (hereinafter, the "Company") complained that on the site
The Company's web would contain "a user area [...] where contacts and invoices are managed
[in the absence of an] encryption system (SSL certificate) [, which, as is known, is necessary as
there is authentication and personal data transit ". The complainant, who reported such
circumstance also to the Company "twice by certified e-mail on XX and previously in
date XX ", without having received a reply, believes that" Article 32 of the
[Regulation] (Security of treatment) in particular paragraph 2 ".
The use of an insecure network protocol (such as the "http" protocol) on the website in question is
been ascertained by the Guarantor's Office with service report of the twentieth century.
2. The preliminary investigation.
With a note of the XX (prot. No. XX), the Office, on the basis of the elements acquired, from the checks carried out
and of the facts that emerged as a result of the investigation, notified the Company, pursuant to art. 166,
paragraph 5 of the Code, the initiation of the procedure for the adoption of the measures referred to in art. 58,
par. 2, of the Regulation, concerning the alleged violations of articles 5, par. 1, lett. f), 25,
par. 1, and 32 of the Regulations, inviting the aforementioned holder to produce defensive writings to the Guarantor or
documents or to ask to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code,
as well as art. 18, paragraph 1, from l. November 24, 1981, n. 689).
With a note from the twentieth century, the Company, through its lawyer, presented a brief
defensive, declaring, in particular, that:
"Within the site there is [...] a reserved area dedicated only to users who have a contract
of service provision with the company who have previously registered with the ark itself.
Once the user has provided the necessary personal data and the data of the user concerned,
login credentials consisting of a username and password are provided.
With these codes, the user can directly, confidentially and exclusively check and monitor the
information concerning the supply connected to the user contract and can view e
print the bills issued, the service provided, the rates applied, the type of user
assigned, as well as communicate the self-reading ";
"No relief was raised about any violations of personal data that occurred as a result
of the disputed situation such as to result in actual damage to integrity, to the
confidentiality and availability of personal data processed through the site ";
“The security profile of the site itself is perfectly adequate to the current standard
recognized, as the migration under the "https" protocol (Ayper
text transfer protocol over secure socket layer) [in date XX (see Annex A to the memory)] ";
“SII immediately adjusted the security level of the site. Among other things, it is noted that i
certificates used for the transition to the "https" protocol were purchased long before the
communication from the Guarantor, this as an indication of the alignment action that the company
intended to achieve ";
"There are around 13,000 writings in the restricted area, including over 2,000 companies compared to
a catchment area represented by the inhabitants of the 32 municipalities where the service is provided that
they can be quantified in over 220,000 ";
"The dispute relates to negligent conduct since the factual circumstances exclude
no awareness and intentionality of the violation ";
"An analysis was made of the accesses that returned, with reference to the period covered by
verification, a trend without anomalies and such as to suggest that there have been no attempts
or consumed events of personal data breach [...; also] the registration passwords are
encrypted ";
"Following analyzes carried out on the personal data processing activities carried out in the company, SII
has adopted a system of technical and organizational measures suitable for risk management
for the rights and freedoms of natural persons relating to the processing activities carried out in
"The personal data potentially exposed to violation are not included among those belonging to
special categories as they consist exclusively of name, surname or company name,
tax code or VAT number, e-mail and telephone number, billing prospectuses, as well
to the SII user identifier ";
“No financial or other benefits derived to SII from the conduct subject to
dispute. From it, then, no damage has arisen to the complainant or to the person concerned
other interested parties and, with the described adjustment intervention, the risk of personal injury
physical in relation to the data circulating and transported by the site has been
knocked down in line with the probability and severity of the same, with reference to the state
of art and costs ".
At the hearing, required pursuant to art. 166, paragraph 6, of the Code and held on
XX (protocol no. XX of the XX), the Company stated, in particular, that:
"In the reserved area there is no data relating to economic transactions, as it is not possible,
for example, pay bills online or activate bank domiciles ";
"The company also acts as a monopoly and, therefore, the website has no purpose
commercial or advertising, being only aimed at providing useful information to users ";
"The company therefore promptly acknowledged the findings of the Guarantor's Office in
during the investigation, providing, in particular, to encrypt all the connections of the
users to the institutional website and to the reserved area. Even following the adoption of these measures, no
security incidents have been detected in relation to the personal data in question ".
3. Outcome of the preliminary investigation.
Pursuant to art. 5, par. 1, lett. f) of the Regulations, the processing of personal data must be
carried out in accordance with the principle of "integrity and confidentiality", according to which personal data
must be treated in a manner that ensures adequate security, including protection,
through adequate technical and organizational measures, from unauthorized or unlawful processing and from
accidental loss, destruction or damage.
Based on this principle, art. 32 of the Regulation provides that the data controller,
taking into account the state of the art and the costs of implementation, as well as the nature, object, of the
context and purposes of the processing, as well as the risk of varying probability and severity for i
rights and freedoms of individuals, must implement technical and organizational measures
adequate to ensure a level of safety appropriate to the risk, which include, among others,
where applicable, "the encryption of personal data".
Furthermore, based on the principle of "data protection by design", formalized by art. 25,
par. 1, of the Regulation, the data controller, taking into account the state of the art and the costs of
implementation, as well as the nature, scope, context and purpose of the
treatment, as well as risks with different probabilities and gravity for the rights and freedoms of
natural persons constituted by the treatment, must put in place, both at the time of determining i
means of processing both at the time of processing itself, technical and organizational measures
adequate, aimed at effectively implementing the principles of data protection and integrating into the
processing the necessary guarantees in order to meet the requirements of the Regulation and protect the
rights of interested parties. The cons. 78 of the Regulation highlights a specific responsibility of
owner, that is to constantly evaluate whether he is using the means at any time
appropriate treatment and whether the measures chosen effectively address existing vulnerabilities.
Furthermore, the owner should carry out periodic reviews of the security measures put in place
and protection of personal data.
The obligation to maintain, verify and update, where necessary, the processing also applies to
existing systems. This implies that systems designed before the entry into force of
Regulations must be subjected to checks and maintenance to ensure the application of
measures and guarantees that effectively implement the principles and rights of the data subjects (cf.
"Guidelines 4/2019 on article 25 - Data protection by design and by setting
default "adopted by the European Data Protection Board on 20 October 2020, spec. points
38 and 84).
With particular reference to the principle of "integrity and confidentiality", the owner must (see the cited
Guidelines 4/2019 on article 25, spec. point 85):
assess the risks to the security of personal data, considering the impact on rights and
freedom of interested parties, and effectively counter those identified;
protect personal data from unauthorized and accidental changes and access during their
That said, on the basis of the elements acquired and the facts that emerged as a result of the investigation,
it was ascertained that access to the Company's website dedicated to "online services" (reachable
at the address http: // ...) was done via the "http" network protocol (hypertext transfer protocol). IS
it was also ascertained that the main page of the aforementioned website contained the forms for
the insertion of the authentication credentials (username and password) of the users. Furthermore,
as emerges from the documentation on file, within the "Registry" section of the area
personal data on the website in question, the user's personal data, such as the code, can be consulted
customer, name and surname, telephone number, tax code, VAT number, if any,
the e-mail address, the residential address and the type of service provided. Inside the
"Invoices" section it is also possible to view and download the invoices issued by the Company a
in front of the services provided to the user.
In this regard, the Authority, even under the previous regulatory framework on protection
of personal data, stated that the interaction of a user with a website for the purpose of
transmission of personal data must be protected with cryptographic protocols SSL (Secure Socket
Layer), ensuring better security against the ever-present risks of identity theft
in web interaction with normal unencrypted http protocols (see, among others, provisions of 10 June 2021, no.
235, doc. web n. 9685922; 2 December 2021, n. 422, doc. web n. 9734884; 2 December 2021, n.
423, doc. web n. 9734934; January 27, 2022, n. 34, doc. web n. 9746448; 24 March 2022, n. 107,
doc. web n. 9767635; 26 May 2022, n. 201, doc. web n. 9790365).
The use of cryptographic techniques, at the state of the art, is, in fact, one of the commonly used measures
adopted to protect, in particular, the authentication credentials of the users of a
online service during their transmission on the Internet; this taking into account the high risks
presented by the processing of such data, which may derive from unauthorized access to them
or from their disclosure, also due to the habit of many users to reuse the same
password, or in any case a very similar password, for accessing various online services.
Instead, access to the website in question took place in an insecure way, using the
In this context, considering, in any case, that the conduct has exhausted its effects, given that
the Company adopted the "https" protocol on XX, the prerequisites for the adoption of are not met
further corrective measures pursuant to art. 58, par. 2, of the Regulation.
5. Adoption of the injunction order for the application of the administrative sanction
pecuniary and ancillary sanctions (articles 58, paragraph 2, letters i and 83 of the Regulation; article 166,
paragraph 7 of the Code).
The Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the Regulations as well as art. 166 of
Code, has the power to "inflict a pecuniary administrative sanction pursuant to Article 83,
in addition to the [other] [corrective] measures referred to in this paragraph, or in lieu of such measures, in
depending on the circumstances of each individual case "and, in this context," the Board [of the Guarantor] adopts
the injunction order, with which it also provides for the application of the sanction
administrative accessory of its publication, in whole or in excerpt, on the website of the
Guarantor pursuant to Article 166, paragraph 7, of the Code "(Article 16, paragraph 1, of the Regulation of
Guarantor n. 1/2019).
In this regard, taking into account art. 83, par. 3, of the Regulations, in this case the violation
of the aforementioned provisions is subject to the application of a pecuniary administrative sanction
provided for by art. 83, par. 5, of the Regulation.
The aforementioned administrative pecuniary sanction imposed, according to the circumstances of each
individual case, the amount must be determined taking into account the elements provided for by art.
83, par. 2, of the Regulation.
In relation to the aforementioned elements, the high number of interested parties registered in the area was taken into account
confidentiality of the Company's website, whose personal data are being processed ("in all about
13,000, including over 2,000 companies "). It was also considered that, although the complainant
had pointed out to the Company on two occasions that the security measures adopted were insufficient
on the aforementioned site, the Company did not promptly take action before the investigation was initiated by
of the Guarantor, to put an end to the violation.
On the other hand, it was taken into consideration that the Company, once it learned of the procedure started
by the Authority, promptly adopted the necessary measures to resolve the criticality of
security on its website, providing full cooperation during the investigation. Do not
finally, there are previous pertinent violations committed by the data controller or previous ones
measures referred to in art. 58 of the Regulation.
Based on the aforementioned elements, evaluated as a whole, it is believed to determine the amount
of the pecuniary sanction in the amount of € 15,000 (fifteen thousand) for the violation of Articles 5,
par. 1, lett. f), 25, par. 1, and 32 of the Regulation, as an administrative pecuniary sanction withheld,
pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.
Taking into account the high number of interested parties registered in the reserved area of the Company's website, whose
data are processed, it is also believed that the ancillary sanction of the
publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7,
of the Code and art. 16 of the Guarantor Regulation n. 1/2019.
Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019.
declares, pursuant to art. 57, par. 1, lett. f), of the Regulations, the unlawfulness of the processing
carried out by the Integrated Water Service S.c.p.a. for violation of articles 5, par. 1, lett. f), 25,
par. 1, and 32 of the Regulations, within the terms set out in the motivation;
to the Integrated Water Service S.c.p.a., in the person of the pro-tempore legal representative, with
registered office in Via I Maggio, 65 - 05100 Terni (TR), C.F. 01250250550, to pay the sum
of Euro 15,000 (fifteen thousand) as a pecuniary administrative sanction for violations
indicated in the motivation. It is represented that the offender, pursuant to art. 166, paragraph 8,
of the Code, has the right to settle the dispute by payment, within the term of 30
days, for an amount equal to half of the sanction imposed;
to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166,
paragraph 8, of the Code, to pay the sum of 15,000 (fifteen thousand) according to the modalities
indicated in the annex, within 30 days of notification of this provision, under penalty
the adoption of the consequent executive acts pursuant to art. 27 of the l. n. 689/1981.
pursuant to art. 166, paragraph 7, of the Code, the publication of this provision on
website of the Guarantor, considering that the conditions set out in art. 17 of the Regulation
of the Guarantor n. 1/2019.
Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against
this provision can be used to appeal to the judicial authority
ordinary, under penalty of inadmissibility, within thirty days from the date of communication of the
provision itself or within sixty days if the applicant resides abroad.
Rome, 6 October 2022