Garante per la protezione dei dati personali (Italy) - 9819285

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 12 GDPR
Article 12(3) GDPR
Article 12(6) GDPR
Article 17 GDPR
Article 17(1) GDPR
Article 17(3) GDPR
Article 21 GDPR
Article 58(2)(b) GDPR
Article 157 Codice in materia di protezione dei dati personali
Type: Complaint
Outcome: Upheld
Started: 15.09.2022
Decided:
Published: 15.09.2022
Fine: n/a
Parties: n/a
Empower Sports AG (controller) / Eleven Sports Italia S.r.l. (the controller's representative in the EU)
National Case Number/Name: 9819285
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: n/a

The Italian DPA issued a warning against Empower Sports AG for sending a data subject numerous unwanted e-mails after he had expressly objected to receiving them and had made multiple erasure requests, in breach of Article 12 GDPR.

English Summary

Facts

The data subject started a monthly subscription to Empower Sports AG (the controller), which provides TV streaming services of sports events via the Eleven Sports app. However, after requesting the erasure of his data and withdrawing his consent to the reception of the controller’s newsletter, he still received numerous unsolicited e-mails. Therefore, the data subject filed a complaint with the Italian DPA on 13 January 2022.

Following a request for information from the DPA, the controller merely stated that to stop the communications, it was necessary to click on 'unsubscribe' at the bottom of the last received email. The DPA then opened an investigation due to the lack of justifications from the controller and notified it of the alleged infringements of Article 12, 17 and 21 GDPR.

On 20 June 2022, the controller provided the DPA with additional clarifications regarding the complaint. The data subject had two subscriptions (monthly and seasonal) connected to different email addresses. After discontinuing the monthly subscription, the data subject requested the deletion of his personal data with the email address connected to the (still activated) seasonal subscription. Subsequently, writing from a third email address, the data subject requested not to receive any further commercial communications. However, he did not specify which email addresses he was referring to. This, therefore, slowed down the process. Moreover, the data subject sent his requests - some of them of an administrative-contractual nature, others referring to the processing of personal data - to the same e-mail address without distinguishing them by subject. These messages, thus, were not correctly sent to the competent departments.

In any case, the controller assured that it facilitated the unsubscription process from the newsletter and erased the data related to the data subject which was no longer necessary for the controller’s processing purposes pursuant to Article 17(3) GDPR.

Holding

First, the DPA took into account that it was difficult for the controller to identify the data subject, because the data subject used multiple e-mail addresses that did not always correspond to the connected subscriptions. In addition, none of the data subject's subsequent requests concerning the deletion of his data mentioned which email addresses were to be deleted. Moreover, it must be acknowledged that the controller fulfilled the data subject's request to no longer receive the newsletter within the 30-day period indicated in Article 12(3) GDPR. Consequently, the Italian DPA did not find a breach of Article 21 GDPR.

Second, the DPA held that, since the data relating to the data subject was necessary for the controller’s fulfilment of its contractual obligations, it was not currently possible to fulfil the erasure request. Therefore, no violation of Article 17 GDPR was found.

However, the DPA found that the controller could have replied to the data subject's requests sooner, for example to notify the data subject of the difficulties in identifying him, accompanied by a request for additional information, as provided for in Article 12(6), or to clarify that the deletion of certain data was not possible, but that it was possible to unsubscribe from the newsletters.

The DPA also stated that it is the duty of the data controller (especially for a company the size of Empower Sports) to take organisational measures to identify, as far as possible, the requests received and to address them to the competent offices, regardless of how they were qualified by the data subjects. In response to this statement, the controller declared that it took measures to remedy the issue presented by the DPA.

For these reasons, and in the absence of similar claims against the controller, the Italian DPA issued a warning to the controller pursuant to Article 58(2)(b), concerning a breach of Article 12 GDPR. The DPA recalled the importance of adopting appropriate technical and organisational measures to provide an adequate response to the requests of the data subjects.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9819285]

Provision of September 15, 2022

Record of measures
n. 306 of 15 September 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC (General Data Protection Regulation, hereinafter the "Regulation");

GIVEN the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n.196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

SPEAKER Attorney Guido Scorza;

WHEREAS

1. THE INVESTIGATION ACTIVITY CARRIED OUT

With a complaint of January 13, 2022, lawyer XX complained of receiving numerous unwanted e-mails after having requested the deletion of his data several times and having expressly opposed receiving newsletters, according to him without ever receiving feedback. The messages were sent by Empower Sports AG (hereinafter "Empower Sports" or "owner") which provides TV streaming services of sporting events through the Eleven Sports app.

The Company is based in Switzerland and has appointed a representative for Europe, pursuant to art. 27 of the Regulations, identified in Eleven Sports Italia S.r.l. based in Milan (hereinafter "Eleven Sports" or "representative").

On March 16, 2022, the Office sent the owner, at the aforementioned representative, a request for information pursuant to art. 157 of the Code to which Eleven Sports replied with an e-mail, addressed to the complainant and for information to the Guarantor, in which it only reported that to stop communications "... it is necessary to unsubscribe from the newsletter. To delete it, just click on 'Unsubscribe' on the last communication received (at the bottom of the email)".

Therefore, taking into account what is represented in the documents and the lack of justifications regarding the omissive conduct of the owner even after the request for information from the Office, it was necessary to notify the Company of an act to initiate the procedure pursuant to art. 166, paragraph 5, of the Code, contesting the violation of the provisions contained in art. 12, 17 and 21 of the Regulations due to the failure to reply to the interested party, who had requested the deletion of the data, and the failure to acknowledge the opposition to the processing of data for the receipt of further newsletters.

On 20 June 2022, the representative sent a defense brief in which he provided more clarification regarding the complaints of the interested party.

In particular, the same clarified that the lawyer XX had signed up for a monthly subscription providing XX as an email address. Subsequently, the same has additionally subscribed to a season pass using a different email address (XX). In both cases he had given his consent to receive promotional messages.

After interrupting the monthly subscription (linked to account XX), the interested party requested the deletion of personal data by writing from address XX, an address not attributable to the interrupted subscription but instead related to the seasonal subscription still in progress.

Subsequently, writing from a third address, XX, the lawyer XX requested to stop receiving commercial communications without specifying which email addresses he referred to. Eleven Sports specified that only the email address and no other data are required to activate the subscriptions, therefore "... it would not have been possible to trace the identity of the complainant by crossing other data in the possession of the Company".

As it was difficult to understand that the various requests were made by the same interested party, the blacklisting process was slowed down.

Furthermore, the representative added that the complainant sent his requests - some of an administrative-contractual nature, others referring to the processing of personal data - to the same e-mail address without distinguishing them by subject matter and "for technical-administrative reasons, related to a reorganization process of the Company, such messages were not correctly routed to the competent offices". For these reasons, the interested party's requests "were met, and never ignored, but not how they could - and should - be treated".

Eleven Sports has in any case ensured that the organizational problems have been resolved and has undertaken to take measures to facilitate the unsubscription of users from the newsletters and to delete the personal data of the complainant that it is not necessary to keep pursuant to art. 17, paragraph 3 of the Regulations.

2. LEGAL ASSESSMENTS

With reference to the factual profiles highlighted above, also based on the statements of Eleven Sports for which the declarant responds pursuant to art. 168 of the Code, the following assessments are formulated in relation to the profiles concerning the regulations on the subject of personal data protection.

According to what was contained in the complaint, the owner would never have provided feedback to the numerous requests for the exercise of rights by continuing to send unsolicited e-mails. On the basis of this assumption, the act of initiating the procedure was formulated, recalling that, pursuant to art. 12, par. 2 of the Regulations, the owner must facilitate the exercise of rights and, according to the following par. 3, must give feedback to the interested party within a reasonable time and, at the latest, within 30 days.

The representative - only in the defensive phase - declared that he had always provided timely feedback to the complainant, albeit in an imprecise manner, as he did not convey the requests to the appropriate functions. No copy was provided of these findings, nor was any information provided regarding the content, date and address to which they would be sent. However, it is noted that the complainant himself, in the copious correspondence attached to the complaint, writes "avoid replying to me again by ordinary e-mail" (see Annex 15 to the complaint), thus suggesting that such feedback has actually been sent to the interested party.

It must also be acknowledged that the complainant's requests to the Company were received from different e-mail addresses, making identification difficult, and were sent to two Company addresses that do not correspond to the address indicated in the privacy policy.

In fact, from the numerous attachments to the complaint, excluding the request of November 27, 2021 which concerned contractual issues, it appears that the first opposition request was sent on November 29, 2021 from address XX (address which, moreover, does not have any reference to the complainant's name) and was sent for information to the address XX (attaching the e-mail received to the same address). All subsequent requests from the lawyer XX concerned the deletion of data "on my two e-mail accounts" without ever mentioning which addresses were to be deleted (and in particular without ever referring to address XX).

Even if there is no reply from the Company in the records, it should be noted that the receipt of e-mails at address XX has been interrupted since December 20, 2021 and further unwanted e-mails have continued to arrive only at address XX. However, the lawyer XX continued to send requests, aimed at requesting cancellation, coming from address XX and directed for information to address XX, without ever indicating which was the address (XX) at which he continued to receive unwanted emails (see Annex 22 and following).

Furthermore, the complainant's requests originated from contractual issues - which are not relevant here - in the context of which an improper request for deletion of personal data was added. In fact, it should be remembered that, pursuant to art. 17 of the Regulation, the right to delete data operates only if one of the reasons indicated in par. 1 of the same article applies, without prejudice to the right/duty of the owner to keep data for reasonable reasons and without prejudice to the right of the interested party to obtain, even if only partially, the deletion of data that is no longer necessary.

The complainant's request should then be more correctly framed in the right to object to the receipt of further newsletters, reception which, as far as we know, could also have been interrupted by clicking on the link at the bottom of the e-mails received (it does not appear that the complainant made use of this faculty but indeed he has always replied arguing that "I am not the one who has to take initiatives").

That said, the liability framework in the present case needs to be assessed differently in the light of the elements provided by the representative.

With regard to the alleged violation of the right of opposition, it must be recognized that the Company could not have complied with the request to stop sending e-mails to address XX since this address was never indicated by the complainant as the object of the opposition. With regard to the receipt of messages to the address XX, in response to a request of 29 November 2021, formulated in the aforementioned manner and coming from an address unknown to the holder, it must be acknowledged that the complainant has no longer received emails to the address XX after 20 December 2021 (see annexes to the complaint). Therefore, in fact, his request was satisfied in compliance with the 30-day term indicated in art. 12 of the Regulation and consequently there is no violation of art. 21 of the Regulation.

Even with regard to the alleged failure to comply with the right to delete data, having learned that the data had been acquired in the context of a contractual relationship, it is not possible, at the moment, to request its cancellation as the owner is required to keep them for as long as this is necessary to fulfill legal obligations. Therefore, the violation of art. 17 of the Regulation.

However, the fact remains that the response to the requests of the interested party could have been more timely, even if only to represent the difficulty of identifying the applicant and requesting additional elements, as required by art. 12, par. 6, of the Regulations, or to clarify that the deletion of some data was not possible but that it was possible instead to oppose the processing for sending newsletters. Similar considerations can be made regarding the communication channels: while it is true that the complainant did not contact the e-mail address indicated in the privacy policy, it should be the responsibility of the owner (especially for a company of the size of Empower Sports) to adopt organizational measures such as to identify, as far as possible, the requests received by directing them to the competent functions, regardless of how they have been qualified by the interested parties.

In any case, the representative stated that corrective measures have been introduced, which also include training sessions for staff, to comply more precisely with the requests of the interested parties, undertaking to adopt solutions aimed at facilitating the opposition to receiving newsletters.

For these reasons, in the absence of requests of a similar nature against the holder, it is believed to be able to suspend the application of a pecuniary sanction and to be able to issue, as a proportionate and dissuasive measure, a warning to the holder, pursuant to art. 58, par. 2, lett. b) of the Regulations, regarding the violation of art. 12 of the Regulations, recalling the importance of adopting adequate technical and organizational measures to provide adequate feedback to the requests of the interested parties.

Finally, it is believed that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of the violations found here in the internal register of the Authority, provided for by art. 57, par. 1, lett. u) of the Regulations.

WHEREAS, THE GUARANTOR

pursuant to art. 57, par. 1, lett. f) and art. 58, par. 2, lett. b) of the Regulations, towards Empower Sports AG, with registered office in Controva AG, Hoeschgasse 25, 8008 Zurich, Switzerland, at its representative for Europe Empower Sports Italia S.r.l., with registered office in via Pietro Giannone 9, 20154, Milan, issues a warning regarding the violation of art. 12 of the Regulations, recalling the importance of adopting adequate technical and organizational measures to provide adequate feedback to the requests of the interested parties;

HAS

pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lett. u) of the Regulations, violations and measures adopted.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as art. 152 of the Code and 10 of the legislative decree 1 September 2011, n. 150, opposition to this provision may be filed with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is resident, or, alternatively, to the court of the place of residence of the person concerned, within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.

Rome, September 15, 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Scorza

THE SECRETARY GENERAL
Mattei


