Garante per la protezione dei dati personali (Italy) - 9825667

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(e) GDPR
Article 5(1)(b) GDPR
Article 5(2) GDPR
Article 6 GDPR
Article 7 GDPR
Article 12(1) GDPR
Article 13(2)(a) GDPR
Article 24 GDPR
Article 25(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 05.11.2020
Decided: 20.10.2022
Published: 20.10.2022
Fine: 1.400.000 EUR
Parties: Douglas Italia S.p.a.
National Case Number/Name: 9825667
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante Privacy (in IT)
Initial Contributor: sabrina_salmeri

The Italian DPA fined Douglas for a total of €1,400,000 for several GDPR violations, including unlawful data processing, lack of transparency, and long periods of data retention.

English Summary

Facts

The data subject submitted a request pursuant to Articles 15 to 22 GDPR to Douglas Italia S.p.a. (the controller) but did not receive a response. She therefore lodged a complaint with the Italian DPA, asking it to assess what had happened. The DPA contacted the controller, requesting further information on the matter. The controller replied that the legal basis for the processing was the data subject's membership of its loyalty programme. It maintained that the data subject had given free and specific consent to the processing, and that any refusal of such processing would not have prevented her from obtaining the loyalty card. The controller also stated that it had never received the data subject's request, but confirmed that her revocation of consent and the erasure of her data had now been handled. The DPA was not satisfied with this response and initiated an inspection at the controller's headquarters.

Prior to the inspection, the controller pointed out that it had been formed in 2019 as a result of the merger of three companies (Limoni Spa, La Gardenia Beauty Spa and Profumerie Douglas Spa) and that it was subject to the management and supervision of its German parent company, Douglas GMBH.

Management of requests to exercise data subject rights

During the on-site inspection, the controller showed the DPA how it normally handles data subjects' requests. The DPA concluded that the failure to respond to the data subject's request was a one-off occurrence, since other requests were, as a rule, handled correctly and in a timely manner (within 2-3 days). The DPA therefore decided not to pursue an investigation into a possible violation of Article 12(3) GDPR.

Data collection through the Douglas app

The DPA also tested data collection through the controller's app. It found that during registration the user was invited to accept the general terms and conditions, the privacy policy, the cookie policy and more with a single button ('Ok, I understand, I agree'). Later, when creating the account, the app asked for an e-mail address and date of birth.

The processing of customer data acquired through the merger

During the inspection, the DPA also asked the controller to provide some examples of the separate marketing notices and consents used by the three companies before the merger. However, the controller was unable to provide any proof or information on this point. It justified this by stating that it was no longer possible because a single database had been created after the merger.

Retention of data relating to customers who have not renewed their loyalty card

The DPA also found that the data of 3,288,170 customers of the three pre-existing companies who had not activated or renewed their loyalty card were stored on the servers of the German parent company.

The information given to customers

Additionally, the DPA found that the information provided to customers on the purposes and legal basis of the processing was incomplete and inadequate. The privacy policy informed data subjects that their data would be processed for a variety of purposes on the basis of consent. However, no information was provided on how data collected separately by the three companies was processed after the merger.

Telemarketing carried out by the stores

Regarding the controller's telemarketing activities, the DPA found that customers who had consented only to receive promotional SMS messages could in practice also receive promotional phone calls, and vice versa. Moreover, the controller admitted that it had no scripts for conducting promotional phone calls in a way that protects the rights and freedoms of data subjects.

Data processing via blogs

Lastly, the DPA found that the controller's privacy policy contained no information about the data processing that takes place when users interact with its blog. The DPA asked the controller to provide the number of data subjects who had interacted with the blog, as well as the most recent data relating to registered comments and information on how they are recorded and stored and the methods and purposes for which they are used. The controller was unable to provide this information.

Holding

Data collection through the Douglas app

The DPA held that the app's configuration was unclear and ambiguous as to the real object of the consent requested from the user. The DPA stated that without adequate information from the controller, consent cannot be a valid legal basis for processing pursuant to Recital 32 and Article 4(11) GDPR. Information on the purposes of processing must also be easily accessible pursuant to Article 12(1) GDPR, within the broader principle of transparency. The DPA therefore found that the controller had violated Article 7 GDPR, as consent was neither freely given nor specific. Consequently, the processing activities had no legal basis, in violation of Article 6 GDPR.

In addition, the DPA pointed out that the controller had not yet adapted its management of cookies to the indications in the 'Cookies and other tracking tools guidelines' of 10 June 2021, which aggravated the unlawfulness of the situation. The DPA therefore held that the controller had violated Article 12(1) GDPR by failing to take all measures necessary to provide data subjects with adequate information on the processing operations carried out.

The processing of customer data acquired through the merger

With regard to the failure to produce documentation relating to the three merged companies, the DPA considered it appropriate not to establish a violation, since the controller eventually, although very late, provided the requested information in compliance with the principle of accountability (Articles 5(2) and 24 GDPR).

Retention of data relating to customers who have not renewed their loyalty card

During the investigation, the DPA established that a vast amount of personal data relating to customers who had never activated or renewed their loyalty card was persistently stored in the controller's database. The DPA held that this practice violated the principle of purpose limitation (Article 5(1)(b) GDPR) and the principle of storage limitation (Article 5(1)(e) GDPR).

The information given to customers

As established during the investigation, the controller's privacy notice did not provide complete information to data subjects. Specifically, there was no information on how personal data acquired through the merger would be processed. The DPA therefore found a violation of Article 13(2)(a) GDPR.

Telemarketing carried out by the stores

The DPA held that the discrepancy between the kind of promotional contact customers had consented to (SMS, phone calls or both) and what they could receive in practice (both SMS and phone calls), together with the lack of scripts for marketing calls, violated Articles 5(2), 24 and 25(1) GDPR.

Data processing via blogs

Finally, the DPA established a violation of Articles 5(2), 24 and 13 GDPR for failing to provide evidence of the purposes and criteria for the storage of personal data processed through the blog and for the blog's lack of a privacy notice.

Conclusion

In light of these violations, the DPA adopted a series of corrective measures against the controller under Article 58(2) GDPR, aimed at bringing its processing activities into line with the GDPR. The controller had to update its privacy and cookie policies, delete personal data collected more than 10 years ago (except where needed for ongoing disputes) and delete or pseudonymise more recently collected personal data. Finally, the controller had to adopt adequate organisational and technical measures to ensure that its customers' data is retained in compliance with the principles of purpose limitation, storage limitation and data minimisation.

The DPA also imposed a €1,400,000 fine on the controller for the violation of multiple GDPR provisions.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Newsletter of 28 November 2022

[doc. web no. 9825667]

Injunction against Douglas Italia S.p.A. - October 20, 2022

Register of measures
no. 348 of 20 October 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

In today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Guido Scorza, lawyer, members, and Dr. Claudio Filippi, Deputy Secretary General;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD TO the documentation on file;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER Prof. Pasquale Stanzione;

1. THE COMPLAINT

On November 5, 2020, a complaint was received in which Ms XX complained that, on August 3, 2020, she had submitted a request to Douglas Italia S.p.a. (hereinafter: "Douglas" or "Company"), pursuant to articles 15-22 of the Regulation, without however having received any response; she therefore asked the Authority to evaluate what had happened in order, if necessary, to issue the measures envisaged by current legislation.

2. FIRST INVESTIGATIONS AND INSPECTIVE ASSESSMENTS

Douglas, in its reply of 24 February 2021 to the request for information sent on 16 February 2021 by the Office, represented:

- that the processing of the complainant's personal data "... finds its legal basis in the data subject's adhesion to the so-called Douglas loyalty programme";

- that it had requested from her free and specific consent for purposes other than contractual and para-contractual ones (i.e. in particular: direct marketing; profiling; marketing by partner companies), specifying that, in setting up this data collection, any refusal by the data subject for such purposes would not have precluded "the activation of the Douglas Card and participation in the initiatives related to it", and producing in particular the 'Form for updating the authorisation and consent to the processing of personal data for the use of the Douglas Card', signed by the complainant on 05 August 2019 at a Douglas perfumery, "on the occasion of the card exchange operation or transition from the old Limoni S.p.A. (Douglas Group) fidelity card to the new Douglas card";

- that it had "promptly acted to exercise the data subject's rights following receipt of the complaint", as conveyed by the Guarantor, on the same date (16.02.21), "not having, in fact, received the previous communication from Ms …. dated 08/03/2020", confirming, also in documents, "both the revocation of consent and the simultaneous cancellation of the data of the data subject from the Douglas management systems".

In the light of this, the conduct complained of was not clarified and the need arose to verify the methods by which the Company handles data subjects' requests and, more generally, the processing carried out for marketing and profiling purposes.

To this end, and in order to obtain a better picture of data processing for marketing and profiling purposes, the Authority conducted an inspection at the company headquarters on 29 November - 1 December 2021, which resumed on 14 December 2021 and was completed on 16 December. The following emerged from the analysis of the inspection reports.

Preliminarily, the Company pointed out that it is subject to the management and coordination of the parent company Douglas GMBH; that it was established in 2019 from the merger with the companies Limoni Spa, La Gardenia Beauty Spa and Profumerie Douglas Spa; and that it currently has around 400 points of sale operating throughout the country. The Company is the controller of the data acquired from customers, and the overall company CRM contains around 10 million customer records, created through the incorporation of the databases of the three aforementioned companies starting from the beginning of 2019 (minutes 29/11/2021).

Various specific aspects of the processing of personal data were also highlighted, which are summarised below.

A) Management of requests to exercise rights pursuant to art. 15-22 of the Regulation.

With specific reference to the complainant's grievance, the failure to reply to her turned out to be an isolated case, against a handling of data subjects' requests which, as a rule, can be defined as correct and timely. In particular, the handling of some of the requests in question was shown, in particular requests for erasure and objection to processing for promotional purposes, noting that they are processed within two to three days, implementing the request and, at the same time, informing the data subject that it has been handled. The Company has activated three channels for receiving requests: 1) via email; 2) through customer service, on the single Douglas number which receives all customer requests including those relating to privacy; 3) at the stores. Furthermore, the Company, "through the DPO, has devised a gradual and specific management of these requests, providing for specific outcomes ... in accordance with the requests of the data subjects and, where appropriate, promptly asking them to clarify their actual intention" (minutes 12/14/2021). In the light of the above, it was decided not to contest the violation of art. 12, paragraph 3, of the Regulation.

B) Data collection through the company app.

Among the methods of collecting personal data, the Douglas app was examined; the registration procedure via smartphone was simulated and documented (report 29/11/2021). It turned out that the system initially presents the following links (customise your cookies, general conditions of sale, personal data information and cookie policy), at the same time inviting the user to accept all the aforementioned texts with a single formula ("ok, I understand, I agree"). The 'personal data information' link refers to a web page with url (https://www.douglas.it/help/condizioni-di-vendita) including the conditions of sale, a "privacy" section, a "Cookies" section, as well as a further section referred to in point 12 which reads (Annex 2 - paper): … "The undersigned declares to have read and understood what is reported in the Information and acknowledges that his data will be processed for the purposes referred to in point 2 letters a), b), c) and d) of the Information, i.e. for registration on the website www.douglas.it or the Company's app, the use of the related online purchase services, the management of purchase orders for products and statistical purposes on anonymous data, and also consents to the processing of personal data for the purposes referred to in point 1, lett. e) of the Information, i.e. profiling purposes, such as for example the analysis of my preferences carried out with automated means for the improvement of the commercial offer; I consent to the processing of my personal data for the purposes referred to in point 2 lett. f) of the Information, i.e. the purpose of sending newsletters and commercial or promotional communications by the Company, also relating to products or services other than those already purchased; I consent to the processing of my personal data for the purposes referred to in point 1, lett. g) of the Information, i.e. the purpose of sending commercial and promotional communications from other companies in the Douglas group and third-party partner companies of Douglas." In the next phase (creation of the account), the data subject was asked, in addition to the personal data, also for the e-mail address and date of birth. With regard to geolocation, proximity marketing, and access to contacts in the address book or messaging, although indicated in the information notice, the Company represented "that the Douglas app does not carry out any of these activities", providing specific documentation.

In the light of the above, with regard to the configuration of the app, the conditions for a violation of art. 7 of the Regulation were found, as consent is collected, in a form that can be considered neither free nor specific, for various non-contractual purposes, such as the Company's marketing, that of third parties and profiling. Consequently, and closely connected with this, the processing activities in question were found to have no legal basis, in violation of art. 6 of the Regulation.

C) The processing of customer data acquired by the companies merged by incorporation.

The Office asked the party to provide some examples of the separate information notices and marketing consents used by the companies Limoni Spa, La Gardenia Beauty Spa and Profumerie Douglas Spa. The controller represented that it was unable to produce what was requested as, between January and May 2019, the current company, following the aforementioned mergers, concluded in July 2020, unified the 3 distinct DBs (Limoni Spa, La Gardenia Beauty Spa and Profumerie Douglas Spa) into a single corporate DB and proceeded to replace the fidelity cards, limited to customers of the three acquired companies who presented themselves at Douglas points of sale and freely chose to join the loyalty programme. On these occasions, the Company provided them with the same form, with the same information notice and consents, as the one currently in use, considering any consents acquired by the pre-existing Companies no longer valid. Douglas has not demonstrated that it has any trace of such consents, nor of any information notice issued at the time to the data subjects, nor of the origin and collection channel used at the time by the three companies, motivating this gap with the creation of a single database by means of a merger of the databases of the companies in question,

In the light of the above, considering that the Company did not follow up on the requests of the Authority regarding the aforementioned documentation, thus failing to prove the dynamics (starting from the methods of data collection) of the processing carried out by the acquired Companies, together with the respective databases, nor whether and how the information and consent obligations were fulfilled by them, the conditions for the violation of articles 5, par. 2 and 24 of the Regulation (principle of accountability) were recognised.

D) Retention of data of customers who have not renewed their loyalty card

The data of the customers of the three pre-existing companies who have not activated the Douglas card are stored in an inactive state in the Douglas CRM located on the servers of the German parent company (minutes 30/11/2021). The Company stated that: "the number of customers whose cards have been replaced (old customers) as well as customers (new customers acquired) for whom new loyalty cards have been issued amounted to 5,165,839 (as of 29 November 2021); at the same time, the number of "Douglas" fidelity card holders active in the last 24 months and who have given specific consent to marketing and profiling is equal to 2,094,373 (as of 29 November last) and only towards these customers does the company carry out marketing and profiled marketing activities; no type of marketing and profiled marketing is carried out for the remaining customers (i.e. the aforementioned customers of the 3 companies who have not activated the Douglas card), which amount to 3,288,179 (as of 11/29/2021)."

The Company represented that the data of the aforementioned "3,288,170 customers (old customers) are kept to allow for replacement with the new Douglas card and to facilitate data transfer operations" and that "from a corporate business point of view the company excludes customers who have not made purchases in the last 24 months from the sending of commercial communications; while the data (including data relating to purchases and the consents expressed by the data subjects) remain within the company database". With reference to the persistent retention of such data as well as to other strategic choices on the matter, the Company also pointed out "that, for many aspects of data protection, Douglas Italia must first deal with the German parent company, which as a rule tends to apply the group standards to all countries."

In the light of the foregoing, considering the considerable amount of data in question and the merely possible implementation of the replacement purpose indicated above, the Office found the conditions for the violation of the principles of purpose limitation and storage limitation, pursuant to art. 5, par. 1, lett. b) and e), of the Regulation.

E) Information provided to customers.

Based on what was declared by the party, the Office detected an apparent discrepancy between the aforementioned practice and the information notice issued to data subjects, where it is stated that: "The data possibly collected and processed with your consent for the purposes indicated in letters e), f) and g) will be kept until the data subject revokes consent to the receipt of commercial communications from Douglas, or revokes consent to the profiling of preferences, or revokes consent to the receipt of commercial communications from Douglas' partners, or requests the deletion of their data, except for the exceptional need to keep the data to defend Douglas' rights in relation to disputes existing at the time of the request, or on the indication of public authorities" (p. 8 general conditions of sale, privacy information section). In the light of the above, given the incompleteness of the information notice in question, the conditions for the violation of art. 13, par. 2, lett. a), of the Regulation were found, in close connection with the alleged violation referred to in point C) above.

F) Telemarketing carried out by the stores.

The inspection staff asked the Company to produce data on the number of customers who had provided their telephone numbers and those who had accepted "telemarketing" communications. Douglas, in providing the requested quantitative data (Annex 3 to the report of 1 December: 7,432,425 "customers who have completed the telephone number field"; 5,142,445 "customers who completed the telephone number field with SMS consent /num"), specified that "also on the basis of the analysis of the CRM field, the personal data with the consent to the sending of text messages or the receipt of promotional phone calls are treated, in reality, with both methods indicated (text messages and call with operator). Indeed, the fields specifically prepared for the individual promotional methods (text messages and telephone) follow the model established and indicated by the German parent company in a standard format for the various European countries where we are present with stores." (minutes of 1 December, cit.).

In this regard, already during the inspection, the lack of correspondence between the aforementioned model and the actual operating practice used for marketing was detected within the overall design of the processing; in particular, it was ascertained that, if the data subject had given consent only to promotional text messages, in reality they could also receive promotional phone calls, and vice versa. The inspection staff asked the party whether it had prepared procedures and scripts to be delivered to the stores for carrying out telemarketing activities, receiving the answer that "since it is not the core business of the company, there are no formalised procedures and scripts prepared and used for this purpose", nor can the standard instructions supplied to the stores be considered suitable to replace them. In the light of the above, the conditions for the violation of articles 5, par. 2 and 24 of the Regulation (accountability) were found, as well as, in a strictly connected way, of art. 25, par. 1, of the Regulation (privacy by design).

G) Data processing through blogs.

Following the verification (launched on November 29, 2021) of the corporate blog connected to the Douglas website, a special link emerged to the dedicated "Beauty Stories" page (text articles with a supporting image, on which the user can only comment: see minutes 12/15/2021). In particular, at the bottom of the page the system presents three distinct fields: 1. leave a comment; 2. name; 3. mail. "Fields no. 2 and 3, marked with an asterisk, are mandatory; however, they may also not be truthful, as there is no procedure for confirming the data entered by the data subject". All Beauty Stories expressly state that "personal data is collected, stored and used"; furthermore, at the bottom there is also the "privacy policy" link, which refers the user to the "general information" document present on the site and which, however, does not contain any reference to the processing of data on the blog. At the request of the Authority, the Company's staff accessed the back-end platform that manages the blog and extracted, by way of example, some email addresses of data subjects who had interacted by leaving a comment on the aforementioned blog. The inspection staff asked the Company to provide the number of subjects who had interacted via the company blog, as well as the most recent and most current data relating to the comments recorded and information regarding their registration, storage, and the methods and purposes for which they are used. The Company represented that it was unable at that moment to provide information in this regard, not having visibility, and that it had to contact the Corporate in order to reply, specifying that it only had access to the company CRM and had no knowledge of the other databases where the data in question is located. For these reasons, Douglas contacted its contact person in Germany, reserving the right to provide the requested information, which however, as of the date of completion of the on-site investigations (16/12/2021), had not been received. The Company also pointed out that the blog is being discontinued and that, as far as was known at the time, it had never used the data contained therein. Following the checks carried out with the German parent company, to lift the above reservation (on 10/1/2022), it sent the total number of blog users acquired by the Company (1698), increasing over time (starting from 1/13/2017), without, however, clarifying for what purposes and for how long such data are kept by the Corporate or by another company of the relevant group. In the light of the above, also in this case the conditions for the violation of articles 5, par. 2 and 24, as well as art. 13 of the Regulation, emerged, the latter due to the aforementioned lack of information regarding the blog.

3. NOTIFICATION OF ALLEGED VIOLATIONS AND DEFENCE OF THE DATA CONTROLLER.

Based on the above, on 04/13/2022 Douglas was notified of the alleged violation of the following provisions of the Regulation:

- art. 5, par. 1, lett. b) and e), and par. 2;

- art. 6;

- art. 7;

- art. 13, par. 2, lett. a);

- art. 24;

- art. 25, par. 1;

simultaneously initiating a procedure for the possible adoption of the measures referred to in article 58, par. 2, of the Regulation and for the possible application of the pecuniary sanctions pursuant to art. 83, par. 4 and 5, of the Regulation.

On May 12, 2022, the Company sent a defense brief, with which it highlighted the following:

- with reference to point B) of the dispute (data collection via app), the Company represented that, in its opinion, "no violation of art. 7 of the GDPR can be challenged to the Company because, as argued and demonstrated, the consent freely given by the data subject through the 'ok, I understand, I agree' button only concerns the authorisation to use cookies and does not in any way concern the various non-contractual purposes (i.e. Company marketing, marketing of third parties and profiling)." …. The Company then specified that: "the inclusion of the links which respectively refer to the 'general conditions of sale' and to the 'personal data information' is provided for mere completeness, in order to provide the user, from the first access to the Douglas app, with all documentation of a legal nature …"; that the setting and functioning of the app are being modified; and that "in fact starting from 1 October 2021 ... the German parent company ... has launched the project called 'EPR Southern Europe', which will be completed and will be live starting from 1 June 2022" (see sub doc. 4, presentation provided by Douglas GmbH). On the basis of this project "the cookie consent banner will also be reformulated according to the indications provided by the Guarantor in the 'Cookie guidelines and other tracking tools' of 10 June 2021".

- with reference to point C (processing of customer data acquired by the companies merged by incorporation), the Company represented that: "... the only channel used by Limoni, La Gardenia and Profumerie Douglas for the collection of data from data subjects was the physical store ... the data was collected from the data subjects exclusively in the shops by completing and signing the paper application form for the fidelity card (including the regulation of the loyalty programme and the privacy information notice)", attaching the Limoni form (sub doc. 6), "accompanied by the privacy information notice drawn up pursuant to the then current art. 13 of Legislative Decree 196/2003", the consent form and the "Experience card Limoni" regulation; the La Gardenia form (sub doc. 7), "which reflects the provisions for Limoni"; as well as the Profumerie Douglas form (sub doc. 8). The Company also stated that, following the first corporate operation "(and therefore starting from November 2017), the companies had set up, within the websites www.limoni.it and www.lagardenia.it, an automatic redirect to the www.douglas.it site managed by Profumerie Douglas. Starting from that date, therefore, the user who intended to register on the site and join the loyalty programme could only register on the domain www.douglas.it, accepting the privacy policy of Profumerie Douglas and obtaining a Douglas fidelity card (cf. doc. 8 with reference to the information notice pursuant to article 13 of Legislative Decree 196/2003 and doc. 9 as regards the information notice provided after the entry into force of the GDPR). During the replacement of the old Limoni and La Gardenia fidelity cards with the new Douglas card, which took place starting from April 2019, the Company launched a campaign to refresh the consents previously given by its customers, with the simultaneous delivery to the latter of the updated privacy information notice. This led to the deactivation of the fidelity cards of the old Limoni and La Gardenia cardholders who had not requested the conversion and replacement of their cards with the new Douglas card. Since these cardholders had not read the new conditions of the Douglas loyalty programme (the only card functioning and usable on that date) and the related privacy information notice, and even less had been able to give consent (if of interest to them) for marketing, third-party marketing and profiling purposes, they were declared inactive in the CRM system. As part of this refresh campaign, the old consents possibly given by the Limoni and La Gardenia cardholders in compliance with the privacy information notice in force at the time (see docs. 6 and 7 and the related consent forms) were not considered valid by Douglas for the purposes of the processing activities covered by the new information notice ... Since the old cards were disabled, no marketing or profiling activity could be lawfully carried out" and the Company "has therefore never carried out any processing of the data of these customers that requires the prior consent of the data subject (i.e. profiling and/or marketing)."

- with reference to point D) (retention of data of customers who have not renewed their fidelity card), the Company pointed out "that it has demonstrated how the old Limoni and La Gardenia customers, currently inactive, received an appropriate privacy notice ... from the companies that were data controllers at the time of the respective data collection. These notices ... expressly indicated, among other things, the specific purposes for which the data were collected and processed. Among these we read that the company 'may use the data you provide for purposes related to the issue, use and management of the "Experience Card Limoni" [...]' (see point 1 of the Limoni notice pursuant to art. 13 of Legislative Decree 196/2003; a similar provision is included in point 1 of the La Gardenia notice). The deactivation and replacement with a new card undoubtedly also falls within the sphere of 'management'. Therefore, considering that the data of its customers have always been collected and processed for specific, explicit and legitimate purposes, Douglas believes that also from this point of view its conduct cannot be considered in violation of art. 5, par. 1, lett. b) of the GDPR. With specific reference to the retention of the ordinary data of the old inactive Limoni and La Gardenia customers, whose cards are deactivated, the Company keeps such data on the basis of legitimate interest for the sole purpose of promoting the renewal of the card. As also clarified during the inspection phase, this is in any case a transitional phase which will end with the definitive deletion of the data upon implementation of the project called 'EPR Southern Europe'";

- with reference to point E) (notice provided to customers), the Company limited itself to pointing out that "the data retention periods indicated in Douglas' current privacy notice cannot be applied to those customers who never converted the old Limoni and La Gardenia cards into a Douglas card. In fact, these customers provided their data on the basis of the notice provided at the time, respectively, by the companies Limoni and La Gardenia in the shops, at the same time as signing the paper application form for the loyalty programme (see docs. 6 and 7)"; therefore "there would be no discrepancy between the practice adopted by the Company and the notice provided to customers";

- with regard to point F) (telemarketing carried out from the stores), Douglas represented that "the data subject can freely and specifically express separate consents for the various channels used to send commercial communications. The data subject, by accessing their account on the Douglas website, can select and modify their consents as shown in the screenshot below. This selection is reflected in the CRM tool, as well as in the cashier system of the shops ... The lists created for sending marketing communications are always extracted by the Company taking into account the consents expressed by the data subject. Therefore, there are no differences between the model adopted by Douglas and the operating practice. In confirmation of what has been argued so far, it should be noted that the Company has never received complaints from data subjects about the improper use of marketing channels in violation of the consents previously given by them. The above is also promptly confirmed in the statement issued by the manager of the Nola store ... on the occasion of the inspection that took place on 16 December 2021. As stated there, 'promotional phone calls are made only to users present in the lists of VIP customers present in the system, which is accessed through specific personal credentials'. It is, therefore, an extremely limited telemarketing activity dedicated only to customers defined as VIPs, on the basis of which it is not possible to 'contact telephone numbers not present in the lists provided by the company', and this, therefore, in full compliance with the consents freely expressed by the data subjects";

- with regard to point G) (data processing through the blog), the Company, recalling what was specified during the inspection, reiterated that "these are data never used by Douglas, which only had the possibility of viewing users' reviews and filtering any spam. In any case, following the request made to Douglas GmbH, it emerged that the total number of users of the blog is 1,698. If we exclude the 1,621 users who appear to be clearly spam (in this regard, see doc. 13, the documents provided by Douglas upon lifting the reservation made on 16 December 2021), the total number of possible 'real' users of the blog is 77, corresponding to 0.00008% of the total Douglas customer database of approximately 10 million. This is a number compatible with (and indeed lower than) the statistical and inevitable margin of error typical of the management of any website. Furthermore, the percentage of 0.00008% should also be read taking into account that among the 77 blog users there are also users created by the Company itself for carrying out internal tests. The Company confirms again here that the data present on the blog have never been used by Douglas and that no profiling or marketing activity is carried out with reference to said data. Following the Authority's investigations, the possibility for users to leave comments and/or reviews and, consequently, to provide their personal data was also promptly disabled. The Beauty Story section, as already stated during the inspection, is being completely decommissioned and will be definitively removed with the implementation of the new 'EPR Southern Europe' project, effective from 1 June 2022".

Furthermore, the Company provided various elements with specific reference to the criteria under art. 83, par. 2, of the Regulation. In particular, with respect to the intentional or negligent nature of the violation, Douglas highlighted that it has "always shown particular attention to the protection of its customers, adopting all necessary measures to meet, in the shortest possible time, the requests of data subjects. Any discrepancies (deemed by the undersigned Company to be entirely modest) between the practice and the documentation made available to data subjects are mainly due to technical reasons which the Company promptly remedied already during the inspection phase". With regard to the measures adopted by the controller or processor to mitigate the damage suffered by data subjects, in the opinion of the Company "the conduct implemented by the same (and contested by the Garante) did not cause any damage to the data subjects"; it also highlighted that it maintained "even during the inspections, a collaborative attitude towards the Authority, promptly intervening and making any necessary changes requested by the latter (see, by way of example, the changes made to the blog section of the Douglas website)". With regard to its degree of responsibility as controller, the Company represented that its systems, "including the site, the app and the CRM, are managed, also from a technical point of view, by the German parent company; ... [and that it has] always promptly contacted and solicited Douglas GmbH, so that it would adopt any technical or organisational measure deemed appropriate and necessary by the data controller". Douglas then added that it had not committed "previous violations" and that it "was never the recipient of any measure pursuant to Article 58 of the GDPR"; and that "the data subject to a potential violation consist of (i) ordinary data of inactive customers (i.e. name, surname, address, and possibly email address and/or telephone number) that the Company keeps for the sole purpose of facilitating the renewal of old cards on the basis of legitimate interest and, in any case, with the intention of deleting them definitively with the implementation of the new site, and (ii) ordinary data (mainly email addresses) of a very small (and completely negligible) number of customers who have interacted with Douglas' blog", without having "carried out any profiling and/or marketing activity".

In light of the above, the Company requested that the administrative proceedings be closed and, "in confirmation of its absolute spirit of collaboration", declared that it is "available to implement any further and different measure that the Authority may deem necessary".

Referring to and supplementing what is already on file, the Company, during the hearing held on 20 May 2022, then specified that "due to the critical issues that emerged during the inspection phase ... it immediately began to review and improve its compliance. From a more general point of view, the Company has introduced, also in agreement with the parent company, an overall modernisation project for the website (already started at the end of last November), as well as for the Douglas app, including the Blog section, bringing improvements from both a technological and functional point of view and, clearly, in terms of compliance with privacy legislation. In fact, with specific regard to the Blog section, the Company has disabled the insertion of new reviews, so that those already present remain viewable only. From next 31 May the blog section will be progressively removed, while leaving customers the possibility of expressing their reviews in a special tool distributed by the parent company".

With regard to telemarketing, "already on 12 January 2022 the Company organised and carried out a training session focused on this processing, with reference to possible corrective actions regarding the related processing, aimed at the entire sales force and involving primarily the area managers and then, in cascade, the store managers. This session has been repeated on a monthly basis. These contents are also conveyed through a dedicated app (where various video contents are available ...) with an easily usable layout and with provision for verifying the effective understanding of the training imparted ... In addition, an automatic refresh, within 24 hours, of the lists of data passed to the stores has been set up by the CRM function (i.e. insertion of any refusal of marketing by a data subject who has been contacted, regardless of the campaign in progress); the stores can also contact the DPO directly, without intermediate filters and cumbersome procedures. Therefore, the telemarketing procedure has been improved, it being understood that it is a residual activity selectively dedicated to high-spending customers. ... the store manager contacted during the inspection did not properly comply with a basic procedure which, however, already existed and which to date, in the opinion of the Company, is more structured and complete".

With regard to the retention of customer data of the three merged companies who did not sign up for the new card, the Company reiterated that it has "never carried out marketing and profiling activities, nor does it intend to do so, and that such data will soon be stored only in pseudonymised form, to make them concretely unavailable and restorable only when necessary (for example for any contractual requests by the customers themselves)". It also specified that "in recent years (also due to the pandemic) (it has) recorded a loss of around 10 million euros compared to turnover, which has led to a reduction in staff and in the stores present on the territory (155)", with foreseeable serious repercussions also on future financial statements.

On the basis of the foregoing, the Company therefore requested "that the administrative proceedings in progress be closed or, alternatively, that a reduction of any applicable pecuniary sanction be established".

4. LEGAL ASSESSMENTS.

In the light of the defences presented by Douglas, with regard to point B) of the dispute, it is considered necessary to confirm the contested violation (articles 6-7 of the Regulation) concerning the collection of data through the Company's app. Even accepting the Company's thesis that the "'I understand. I agree' button only concerns the authorisation to use cookies and does not in any way concern the various non-contractual purposes" and that "the inclusion of links which refer respectively to the 'general conditions of sale' and to the 'personal data notice' is provided for mere completeness", it must be highlighted that the configuration of the app is in any case, taken as a whole, unclear and ambiguous as to the real object of the consent requested from the user, also in light of the mixed content of the said notice (which, moreover, lists purposes, such as geolocation or proximity marketing, that Douglas has claimed not to pursue).

Furthermore, it must be highlighted that the provisions of the Regulation (art. 4, point 11 and Recital 32), in line with the previous regulatory framework, configure consent as a composite act in which the data subject's expression of will must necessarily be correlated with an adequate information framework on the processing, provided by the controller, in the absence of which the data subject's will is irreparably flawed and unsuitable to constitute a condition of lawfulness for the processing. Account must also be taken of the requirement of easy accessibility and usability of the information set out in art. 12, par. 1, of the Regulation, in the broader context of the basic principle of transparency: in this sense see also the Article 29 Working Party, in the amended version of the Guidelines on transparency adopted on 11 April 2018 (at www.garanteprivacy.it). At the same time, it should also be considered that the Company has admitted that it has not yet adapted its management of cookies to the indications provided by the Garante in the 'Guidelines on cookies and other tracking tools' of 10 June 2021, which set a maximum term of six months for their implementation by controllers. This non-compliance aggravates the unlawfulness identified; therefore, in the light of the foregoing, the aforementioned contestation must be confirmed and art. 12, par. 1, of the Regulation must also be considered violated, given that the Company has not taken all measures to provide data subjects with suitable information regarding the processing carried out, which is therefore not adequately transparent.

In this regard, it is also necessary to order the Company to change the settings of the Douglas app, guaranteeing a clear distinction between the privacy notice and the cookie notice (and the respective consents) on the one hand and the contractual terms on the other, and, with particular reference to the two aforementioned notices, indicating only the processing actually carried out and the purposes actually pursued.

With regard to point C) of the dispute (concerning the failure to produce the documentation relating to the three merged companies), it is instead considered possible to close the matter, since the Company has produced, albeit only in its brief, the required texts of the notices and consent forms used by the three merged companies to acquire the customers taken over by Douglas, in compliance with the principle of accountability.

With regard to point D) of the dispute (retention of the personal data of the three merged companies), even if allegedly not used by the Company, it should be remembered that storage is a processing operation and is therefore in itself subject to current legislation. In this case, the aforementioned retention is to be considered clearly and unjustifiably excessive both in terms of quality (since the data types to be retained have not been selected) and in terms of duration, also taking into account the stringent periods (12 months for data used for marketing purposes; 24 months for profiling purposes) established by the general provision "Fidelity cards and consumer guarantees. The Garante's rules for loyalty programmes" of 24 February 2005, web doc. no. 1103045, also in the light of the principles of accountability and "general responsibility" (see Recital 74 of the Regulation). All the more so must these periods be considered strict for the data relating to fidelity cards that the customers of the merged companies decided not to renew (and which therefore remained inactive), for which there is no valid reason to prolong retention.

Therefore, while acknowledging the corrective measures that Douglas claimed to have implemented on its own initiative, the violation of art. 5, par. 1, lett. b) and e), of the Regulation must be confirmed, and it is necessary, pursuant to art. 58, par. 2, lett. g), of the Regulation, to issue an injunction against the Company, structured as follows in compliance with the organisational and operational freedom of the business, with which the right to the protection of personal data must be appropriately balanced where possible, through the measures set out below in par. 5 of this decision and aimed at ensuring compliance with current legislation.

A similar finding of non-compliance (with the same regulatory parameters mentioned above) must be made, more generally, with regard to the retention periods set out by Douglas in the notice provided to its customers, as on file ("The data possibly collected and processed with your consent for the purposes indicated in letters e), f) and g) will be kept until the data subject revokes consent to receive commercial communications from Douglas, or revokes consent to the profiling of preferences, or withdraws consent to receive commercial communications from Douglas' partners, or requests the deletion of their data, except for the exceptional need to keep the data to defend Douglas' rights in relation to disputes existing at the time of the request, or on indication of the public authorities"). In fact, even though a consent to marketing and/or profiling may be considered valid until its revocation or until objection to processing for promotional purposes (see also art. 7 of the Regulation), the Company should nevertheless provide for selective and limited retention of customer data (with particular regard, respectively, to type and duration), all the more so considering that, in this case, the Company carries out promotional or profiling activities with them and therefore does not hold them idle. This should be done regardless of the withdrawal of consent or requests from the data subject, in the exercise of the Company's accountability. Also in this case the violation of art. 5, par. 1, lett. b) and e), of the Regulation must be confirmed; moreover, the Company must be ordered to adopt organisational and technical measures suitable for guaranteeing retention correctly based on the aforementioned principles of purpose limitation and storage limitation.

In relation to point E) of the dispute (the apparent discrepancy between the aforementioned persistent retention practice and the notice currently issued to data subjects: "Data possibly collected and processed with your consent for the purposes indicated in letters e), f) and g) will be kept until the data subject withdraws their consent to receive commercial communications from Douglas, or withdraws their consent to the profiling of preferences, or withdraws their consent to receive commercial communications from Douglas' partners, or requests the deletion of their data, except for the exceptional need to keep the data to defend Douglas' rights in relation to disputes existing at the time of the request, or on indication of the public authorities"), it must be noted that, if one follows the Company's thesis that the only reference parameter should be the notices issued at the time by the merged companies, the necessary consequence would be that Douglas, as new controller, has not fulfilled the information obligation under art. 14, par. 1, of the Regulation towards the customers of the merged companies, since the data were not obtained directly from the data subjects, with the consequent need to supplement the contestation of 13 April 2022. Therefore, it is considered necessary to confirm the finding that this notice is unsuitable with respect to the practice followed by the Company with regard to data retention (art. 13, par. 2, lett. a), of the Regulation).

With reference to point F) of the dispute (telemarketing carried out by the stores), what the Company asserted (see brief of 12/5/22), i.e. that the stores cannot "contact telephone numbers not present in the lists provided by the company" (so-called 'off-list' subjects; see provision of 15 January 2020 no. 7, web doc. no. 9256486) and that, moreover, only high-spending customers are contacted, does not overcome what the Company itself declared during the inspection, pursuant to art. 166 of the Code, and what was ascertained in the corporate systems, namely that "also on the basis of the analysis of the CRM field, the personal data of those who consented to receive text messages or to receive promotional phone calls are in reality processed in both of the ways indicated (text message and telephone call with operator), due to the model established and indicated by the German parent company in a standard format for the various European countries where we are present with stores". In summary, some high-spending customers, despite having given consent for only one of the two methods, were contacted using both. Furthermore, in its defence submissions the Company has expressed its awareness of the critical issues that emerged during the inspection, declaring that it has taken steps to intervene promptly to improve the relevant procedure and therefore its compliance with current legislation. Therefore, even taking into account the sporadic nature of the activity in question and the measures introduced by the Company, the violation of articles 5, par. 2, and 24 of the Regulation, as well as, in a strictly connected manner, of art. 25, par. 1, of the Regulation, must be considered confirmed. In this regard, taking into account above all the residual nature of the processing activity in question as well as the measures that the Company states it has already introduced, it is not necessary to adopt any corrective measure.
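The defect found at point F is a data-model one: a single CRM criterion decided whether a customer could be reached for promotions, so a consent given for text messages was also used to place operator calls. The following is an added example, not code from the decision or from Douglas' systems. It models that legacy extraction beside a corrected one that gates each channel on its own consent field, plus an audit helper that lists who the legacy extraction would over-contact and an opt-out helper for the list refresh the Company described. The record layout, field names and function names are assumptions; the customer records are constructed data.

```python
"""Per-channel marketing consent in a CRM extract (added illustration; the
record layout, field names and functions are assumptions, not Douglas' code)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Customer:
    customer_id: str
    phone: str
    consent_sms: bool      # consent to promotional text messages
    consent_call: bool     # consent to promotional calls with an operator
    high_spending: bool    # "VIP" flag used to pick telemarketing targets


# Constructed sample extract (not real customer data).
CUSTOMERS = [
    Customer("c1", "+39 333 000 0001", True,  True,  True),
    Customer("c2", "+39 333 000 0002", True,  False, True),   # SMS only
    Customer("c3", "+39 333 000 0003", False, True,  True),   # calls only
    Customer("c4", "+39 333 000 0004", True,  True,  False),  # not VIP
    Customer("c5", "+39 333 000 0005", False, False, True),   # no consent
]

CHANNELS = ("sms", "call")


def _check_channel(channel):
    if channel not in CHANNELS:
        raise ValueError(f"unknown channel: {channel!r}")


def legacy_campaign_list(customers, channel):
    """The defective model: one 'has any promotional consent' test selects
    the list for either channel, so a customer who agreed only to SMS is
    also called (and vice versa)."""
    _check_channel(channel)
    return sorted(c.customer_id for c in customers
                  if c.high_spending and (c.consent_sms or c.consent_call))


def campaign_list(customers, channel):
    """Corrected extraction: each channel is gated only by its own consent."""
    _check_channel(channel)
    gate = {"sms": lambda c: c.consent_sms,
            "call": lambda c: c.consent_call}[channel]
    return sorted(c.customer_id for c in customers
                  if c.high_spending and gate(c))


def over_contacted(customers, channel):
    """Customers the legacy list would reach on a channel they never
    consented to: what a consent audit of past campaign lists should find."""
    return sorted(set(legacy_campaign_list(customers, channel))
                  - set(campaign_list(customers, channel)))


def apply_opt_out(customers, customer_id, channel):
    """Record a refusal given during a contact, so the next list refresh
    drops the customer on that channel only. Returns a new list of records."""
    _check_channel(channel)
    field = "consent_sms" if channel == "sms" else "consent_call"
    return [replace(c, **{field: False}) if c.customer_id == customer_id else c
            for c in customers]


if __name__ == "__main__":
    for ch in CHANNELS:
        print(f"{ch}: legacy={legacy_campaign_list(CUSTOMERS, ch)} "
              f"corrected={campaign_list(CUSTOMERS, ch)} "
              f"over-contacted={over_contacted(CUSTOMERS, ch)}")
```

The point of `over_contacted` is that the two extractions only differ for customers whose consents differ between channels; a consent audit that compares past campaign lists against the per-channel flags surfaces exactly those records, and a 24-hour refresh only helps if the refusal is written back to the right channel, which is what `apply_opt_out` does.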

Also with reference to point G) of the dispute (processing relating to the blog), given that the arguments put forward by Douglas (the insignificant number of 'real' users who appear to have posted comments and the forthcoming discontinuation of the blog) are not suitable to exclude liability, the violation of the combined provisions of articles 5, par. 2, and 24, as well as of article 13 of the Regulation, must be confirmed; however, considering the sporadic and no longer current nature of the processing activity in question, it is not considered necessary to adopt any corrective measure.

5. OVERALL RESULTS AND CONSEQUENT MEASURES TO BE ADOPTED.

Overall, the following provisions of the Regulation must be considered infringed:

- art. 5, par. 1, lett. b) and e), and par. 2;

- art. 6;

- art. 7;

- art. 12, par.1;

- art. 13, par. 2, lett. a);

- art. 24;

- art. 25, par.1.

Based on the ascertainment of such violations, it is necessary, against Douglas:

a) pursuant to art. 57, par. 1, lett. f), of the Regulation, to declare the processing carried out unlawful, in the terms set out in the reasoning, and, as a consequence:

b) pursuant to art. 58, par. 2, lett. d), of the Regulation, to order the modification of the settings of the Douglas app, guaranteeing a clear distinction between the privacy notice and the cookie notice (and the respective consents) on the one hand and the contractual terms on the other, and, with particular reference to the two notices mentioned, indicating only the processing actually carried out and the purposes actually pursued;

c) pursuant to art. 58, par. 2, lett. g), of the Regulation, to order the deletion of the personal data of the customers of the three merged companies, limited to data dating back more than 10 years, except where a judicial or extra-judicial dispute is still ongoing, within 15 days from the date of receipt of this decision;

d) pursuant to art. 58, par. 2, lett. g), of the Regulation, to order the deletion, or pseudonymisation, of the personal data of the customers of the three merged companies dating back no more than 10 years, within 30 days from the date of receipt of this decision;

e) if the Company opts for the pseudonymisation of the data indicated in letter d) above, pursuant to art. 58, par. 2, lett. g), of the Regulation, to order it to give notice, within 60 days from the date of receipt of this decision, by means of adequate publicity on the website www.douglas.it and by sending a communication pursuant to art. 130, par. 4, of the Code (limited to customers whose e-mail addresses are available in its systems and who have not objected to the processing of their data), of the possibility of renewing their card within 6 months of said publication or receipt of the aforementioned communication, also informing them that, in the event of non-renewal within that term, their data will be deleted;

f) pursuant to art. 58, par. 2, lett. g), of the Regulation, to order the deletion of the data of all customers referred to in letter d) above who have not renewed their card, within 15 days of the expiry of the aforementioned six-month period;

g) pursuant to art. 58, par. 2, lett. d), of the Regulation, to order it to adopt suitable organisational and technical solutions aimed at ensuring that the storage of its customers' data takes place in compliance with the principles set forth in art. 5 of the Regulation, in particular purpose limitation and data minimisation, within 30 days from the date of receipt of this decision;

h) pursuant to art. 157 of the Code, to ask it to provide adequately documented feedback regarding the aforementioned measures within 30 days from the date of receipt of this decision, recalling that failure to respond to the above requests constitutes the administrative offence referred to in art. 166, par. 2, of the Code and may therefore lead to the application of the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation;

i) to adopt an injunction order, pursuant to articles 166, par. 7, of the Code and 18 of Law no. 689/1981, for the application of the pecuniary administrative sanctions provided for by art. 83, par. 4 and 5, of the Regulation.
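Letters c) to f) above describe a concrete retention procedure: an age threshold, a pseudonymisation option, a renewal notice and a final deletion. The following is an added example, not code from the decision or from Douglas' systems, showing one way to implement that sequence so that pseudonymisation is actually reversible only through a separately held map and becomes deletion when that map is discarded. The record fields, the keyed HMAC token, the separate re-identification map, the ten-year and six-month thresholds as applied here and the demo dates are assumptions for illustration; the records are constructed data.

```python
"""Retention triage and pseudonymisation for inactive loyalty-card records
(added illustration of letters c) to f); fields, token scheme and dates are
assumptions, not Douglas' implementation)."""
import hashlib
import hmac
from datetime import date, timedelta

TEN_YEARS = timedelta(days=3653)       # ten years incl. leap days, approx.
RENEWAL_WINDOW = timedelta(days=183)   # "within 6 months" of the notice
IDENTIFYING = ("name", "surname", "address", "email", "phone")

# Constructed sample of inactive Limoni / La Gardenia cardholders (not real).
RECORDS = [
    {"card_id": "L-001", "name": "Anna", "surname": "Rossi", "address": "via A 1",
     "email": "anna@example.invalid", "phone": None,
     "last_activity": date(2009, 3, 1), "open_dispute": False},
    {"card_id": "L-002", "name": "Bruno", "surname": "Bianchi", "address": "via B 2",
     "email": None, "phone": "+39 333 000 0002",
     "last_activity": date(2008, 6, 1), "open_dispute": True},
    {"card_id": "G-003", "name": "Carla", "surname": "Verdi", "address": "via C 3",
     "email": "carla@example.invalid", "phone": None,
     "last_activity": date(2017, 1, 15), "open_dispute": False},
]


def triage(records, today):
    """Letter c): records older than ten years with no open dispute are
    deleted outright; everything else (including disputed ones) goes on
    to letter d)."""
    to_delete, to_keep = [], []
    for r in records:
        if today - r["last_activity"] > TEN_YEARS and not r["open_dispute"]:
            to_delete.append(r)
        else:
            to_keep.append(r)
    return to_delete, to_keep


def pseudonymise(records, key):
    """Letter d): replace identifying fields with a keyed token. The token ->
    identity map is returned separately so it can live under stricter access
    control; discarding an entry turns that row into anonymous data."""
    rows, reid_map = [], {}
    for r in records:
        token = hmac.new(key, r["card_id"].encode(), hashlib.sha256).hexdigest()[:16]
        reid_map[token] = {f: r[f] for f in IDENTIFYING}
        rows.append({"token": token, "last_activity": r["last_activity"],
                     "open_dispute": r["open_dispute"]})
    return rows, reid_map


def renewal_contacts(reid_map, objected):
    """Letter e): (token, email) pairs for holders with an e-mail on file who
    have not objected to processing; these receive the renewal notice."""
    return sorted((t, ident["email"]) for t, ident in reid_map.items()
                  if ident["email"] and t not in objected)


def close_window(rows, reid_map, renewed, notice_date, today):
    """Letter f): once the window has expired, keep only renewed holders and
    drop both the rows and the re-identification entries of the others."""
    if today < notice_date + RENEWAL_WINDOW:
        raise ValueError("renewal window still open")
    return ([row for row in rows if row["token"] in renewed],
            {t: i for t, i in reid_map.items() if t in renewed})


def run_demo(key=b"constructed-demo-key", today=date(2022, 11, 1)):
    """Run the whole sequence on the constructed records and return every
    intermediate result. Assumes only the contacted e-mail holder renews."""
    to_delete, to_keep = triage(RECORDS, today)
    rows, reid_map = pseudonymise(to_keep, key)
    notice_date = today + timedelta(days=30)
    contacts = renewal_contacts(reid_map, objected=set())
    renewed = {t for t, _ in contacts}
    kept_rows, kept_map = close_window(rows, reid_map, renewed, notice_date,
                                       notice_date + RENEWAL_WINDOW)
    return {"deleted": [r["card_id"] for r in to_delete], "rows": rows,
            "reid_map": reid_map, "contacts": contacts,
            "kept_rows": kept_rows, "kept_map": kept_map}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Two design points matter here. The token is a keyed HMAC rather than a plain hash, so the pseudonymous rows cannot be re-linked by anyone who knows the card-id format but not the key; and the re-identification map is the only thing that makes the rows personal data again, so deleting its entries at the end of the window is what turns "pseudonymised" into "deleted" for the customers who did not renew.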

6. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION.

The violations indicated above require the adoption of an injunction order, pursuant to articles 166, par. 7, of the Code and 18 of Law no. 689/1981, for the application against Douglas Italia S.p.A. of the pecuniary administrative sanction provided for by art. 83, par. 4 and 5, of the Regulation.

Since various provisions of the Regulation and of the Code have been infringed in relation to connected processing operations carried out by the Company for marketing purposes, art. 83, par. 3, of the Regulation applies, according to which "if, in relation to the same processing or linked processing operations, a controller infringes, intentionally or negligently, several provisions of the Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement", thus absorbing the less serious violations. Specifically, the aforementioned violations, concerning among other things the conditions for the lawfulness of processing under art. 6 of the Regulation, are to be traced back, pursuant to art. 83, par. 3, of the Regulation, to the most serious violation envisaged for non-compliance with those conditions of lawfulness, with consequent application of the single sanction provided for in art. 83, par. 5, lett. a), of the Regulation.

To determine the amount of the sanction, which must "in each individual case be effective, proportionate and dissuasive" (art. 83, par. 1), account must be taken of the elements indicated in art. 83, par. 2, of the Regulation.

In this case, the following must be considered aggravating circumstances pursuant to art. 83, par. 2, of the Regulation:

1) the seriousness and variety of violations found (letter a);

2) the high number of data subjects and the considerable duration of the violations, with particular regard to the retention of the customer data of the merged companies (letter a);

3) the economic importance of the Company (see turnover of Euro 349,596,628.00: letter k).

At the same time, numerous mitigating elements can be identified pursuant to the same provision; in particular, account must be taken of:

1) the sporadic nature of the telemarketing activity that has come to light (letter a);

2) the measures envisaged to improve compliance with data protection legislation (letter c);

3) the absence of previous proceedings initiated against the Company (letter e);

4) the constant and transparent collaboration shown by the Company to the Authority during the inspections and, more generally, in the context of the investigation conducted (letter f);

5) the limited decision-making power in the overall processing strategy, due to the interference of the German parent company (letter k);

6) the pandemic emergency situation in which the assessment in question took place and, in particular, the financial losses reported by the Company, which "resulted in a reduction in personnel and in the stores present in the area (approximately 155)" (see hearing of 20/5/22) (letter k).

Based on the set of elements indicated above, in application of the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1, of the Regulation, and taking into account the necessary balance between the rights of data subjects and the freedom to conduct a business, also in order to limit the economic impact of the sanction on the organisational, functional and employment needs of the Company, it is considered that Douglas Italia S.p.A. should be subject to the administrative sanction of the payment of the sum of Euro 1,400,000.00 (one million four hundred thousand/00), equal to approximately 0.4% of the aforementioned turnover.

In the present case, it is also considered that the ancillary sanction of publication of this decision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor's Regulation no. 1/2019, should be applied, taking into account the subject matter of the investigation, on which this Authority has adopted numerous measures, both of a general nature and addressed to specific controllers.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance for the performance of the tasks and the exercise of the powers entrusted to the Guarantor, are met for the annotation of the violations found here in the Authority's internal register, provided for by art. 57, par. 1, lit. u), of the Regulation.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

a) pursuant to art. 57, par. 1, lit. f), of the Regulation, declares unlawful, in the terms set out in the grounds above, the processing carried out by Douglas Italia S.p.A., C.F. 01980940835, with registered office in Milan, via Fratelli Castiglioni, n. 8 and, as a result, with respect to the same Company:

b) pursuant to art. 58, par. 2, lit. d), of the Regulation, orders that the configuration of the Douglas app be changed so as to ensure a clear distinction between the privacy notice and the cookie notice, and the respective consents, on the one hand, and the contractual terms on the other, and, with particular reference to the two aforementioned notices, so that only the processing actually carried out and the purposes actually pursued are indicated;

c) pursuant to art. 58, par. 2, lit. g), of the Regulation, orders the erasure of the personal data of the customers of the three merged companies, limited to those dating back more than 10 years, except where a judicial or extra-judicial dispute is still pending, within 15 days of receipt of this decision;

d) pursuant to art. 58, par. 2, lit. g), of the Regulation, orders the erasure, or pseudonymisation, of the personal data of the customers of the three merged companies dating back up to 10 years, within 30 days of receipt of this decision;

e) if the Company opts for the pseudonymisation of the data referred to in letter d) above, pursuant to art. 58, par. 2, lit. g), of the Regulation, enjoins the Company to notify, within 60 days of receipt of this decision, by means of adequate publicity on the website www.douglas.it and by sending a communication pursuant to art. 130, paragraph 4, of the Code, limited to customers whose e-mail addresses are available in its systems and who do not appear to have objected to the processing, of the possibility of renewing their card within 6 months of that publication or of receipt of the communication; informing them also that, if the card is not renewed within that term, their data will be erased;

f) pursuant to art. 58, par. 2, lit. g), of the Regulation, orders the Company to erase the data of all the customers referred to in letter d) above who have not renewed their card, within 15 days of the expiry of the aforementioned six-month period;

g) pursuant to art. 58, par. 2, lit. d), of the Regulation, orders the Company to adopt suitable organisational and technical measures to ensure that the storage of its customers' data complies with the principles set out in art. 5 of the Regulation, in particular purpose limitation and data minimisation, within 30 days of receipt of this decision;

h) pursuant to art. 157 of the Code, requests the Company to provide adequately documented feedback on the above measures within 30 days of receipt of this decision. Failure to respond to this request constitutes the administrative offence referred to in art. 166, paragraph 2, of the Code;

ORDERS

Douglas Italia S.p.A. to pay the sum of EUR 1,400,000.00 (one million four hundred thousand/00) as an administrative fine for the violations indicated in the grounds, noting that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by complying with the instructions given and paying, within thirty days, an amount equal to half of the fine imposed;

ENJOINS

the aforementioned Company, if it does not settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of EUR 1,400,000.00 (one million four hundred thousand/00) in the manner indicated in the attachment, within 30 days of notification of this decision, failing which the consequent enforcement measures under art. 27 of Law no. 689/1981 will be adopted;

DIRECTS

as an ancillary sanction, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Guarantor's Regulation no. 1/2019, the publication of this decision on the Guarantor's website and, pursuant to art. 17 of the Guarantor's Regulation no. 1/2019, the annotation of the violations and of the measures adopted in the Authority's internal register, provided for by art. 57, par. 1, lit. u) of the Regulation.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as art. 152 of the Code and art. 10 of Legislative Decree no. 150 of 1 September 2011, this decision may be challenged before the ordinary judicial authority, by an appeal lodged with the ordinary court of the place where the controller has its residence or, alternatively, with the court of the place of residence of the data subject, within thirty days of the date of communication of the decision itself, or sixty days if the appellant resides abroad.

Rome, 20 October 2022

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE DEPUTY SECRETARY GENERAL
Filippi



SEE ALSO Newsletter of 28 November 2022



[doc. web no. 9825667]

Injunction order against Douglas Italia S.p.A. - 20 October 2022

Register of measures
no. 348 of 20 October 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and Mr. Guido Scorza, lawyer, members, and Dr. Claudio Filippi, deputy secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD TO the documentation on file;

HAVING REGARD TO the observations made by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000;

RAPPORTEUR Prof. Pasquale Stanzione;

1. THE COMPLAINT

On 5 November 2020, a complaint was received in which Ms XX complained that, on 3 August 2020, she had submitted a request to Douglas Italia S.p.A. (hereinafter: "Douglas" or "the Company"), pursuant to articles 15-22 of the Regulation, without having received any response; she therefore asked the Authority to assess what had happened and, if necessary, to adopt the measures provided for by current legislation.

2. INITIAL INVESTIGATIONS AND INSPECTIONS

Douglas, in its reply of 24 February 2021 to the request for information sent by the Office on 16 February 2021, stated:

- that the processing of the complainant's personal data "... finds its legal basis in her adhesion to the so-called Douglas loyalty program";

- that it had requested from her free and specific consent for purposes other than contractual and para-contractual ones (in particular: direct marketing; profiling; marketing by partner companies), specifying that, in the design of this data collection, any refusal by the data subject for such purposes would not have precluded "the activation of the Douglas Card and participation in the initiatives related to it", and producing also the "Form for updating the authorisation and consent to the processing of personal data for the use of the Douglas Card", signed by the complainant on 5 August 2019 at a Douglas perfumery "on the occasion of the card exchange operation, i.e. the transition from the old Limoni S.p.A. (Douglas Group) fidelity card to the new Douglas card";

- that it had "promptly acted on the data subject's request following receipt of the complaint", as forwarded by the Guarantor, on the same date (16.02.21), "not having, in fact, received the previous communication from Mrs …. dated 3 August 2020", confirming, also with documents, "both the revocation of consent and the simultaneous erasure of the data subject's data from the Douglas management systems".

In the light of the above, the conduct complained of was not clarified, and the need arose to verify how the Company handles data subjects' requests and, more generally, processing for marketing and profiling purposes.

To this end, and in order to obtain a better picture of data processing for marketing and profiling purposes, the Authority conducted an inspection at the Company's headquarters on 29 November - 1 December 2021, resumed on 14 December 2021 and completed on 16 December. The following emerged from the inspection reports.

As a preliminary matter, the Company pointed out that it is subject to the management and coordination of the parent company Douglas GMBH; that it was established in 2019 by merger with the companies Limoni Spa, La Gardenia Beauty Spa and Profumerie Douglas Spa; and that it currently has around 400 points of sale throughout the country. It is the controller of the data acquired from customers, and the overall company CRM contains around 10 million customer records, created by incorporating the databases of the three aforementioned companies from the beginning of 2019 (minutes of 29/11/2021).

Various specific aspects of the processing of personal data were also highlighted, summarised below.

A) Handling of requests to exercise rights under arts. 15-22 of the Regulation.

With specific reference to the complainant's grievance, the failure to reply to her turned out to be an isolated case, against a handling of data subjects' requests that, as a rule, can be described as correct and timely. In particular, the handling of some of the requests in question was shown, in particular erasure requests and objections to processing for promotional purposes, and it was noted that they are processed within two to three days, implementing the request and at the same time informing the data subject of its successful handling. The Company has set up three channels for receiving requests: 1) by e-mail; 2) through customer service, on the single Douglas number that receives all customer requests, including those relating to privacy; 3) at the stores. Furthermore, the Company, "through the DPO, has devised a gradual and specific handling of these requests, providing for specific outcomes ... in line with the data subjects' requests and, where appropriate, promptly asking them to clarify their actual intention" (minutes of 14/12/2021). In the light of the above, it was decided not to contest the violation of art. 12, paragraph 3, of the Regulation.

B) Data collection through the company app.

Among the methods of collecting personal data, the Douglas app was examined, and the registration procedure via smartphone was simulated and documented (report of 29/11/2021). It emerged that the system initially presents the following links (customise your cookies, general conditions of sale, personal data notice and cookie policy), at the same time inviting the user to accept all of the aforementioned texts with a single formula ("ok, I understand, I agree"). The "personal data notice" link leads to a web page (https://www.douglas.it/help/condizioni-di-vendita) containing the conditions of sale, a "privacy" section, a "Cookies" section, and a further section at point 12 which reads (Annex 2 - paper): … "The undersigned declares that he/she has read and understood the contents of the Notice and acknowledges that his/her data will be processed for the purposes referred to in point 2, letters a), b), c) and d) of the Notice, namely registration on the website www.douglas.it or the Company's app, use of the related online purchase services, management of product purchase orders and statistical purposes on anonymous data, and also consents to the processing of personal data for the purposes referred to in point 1, lett. e) of the Notice, i.e. profiling purposes, such as the analysis of my preferences carried out by automated means to improve the commercial offer; I consent to the processing of my personal data for the purposes referred to in point 2, lett. f) of the Notice, i.e. the sending of newsletters and commercial or promotional communications by the Company, also relating to products or services other than those already purchased; I consent to the processing of my personal data for the purposes referred to in point 1, lett. g) of the Notice, i.e. the sending of commercial and promotional communications from other companies of the Douglas group and from third-party partner companies of Douglas." In the next step (account creation), the data subject is asked, in addition to personal details, also for an e-mail address and date of birth. As regards geolocation, proximity marketing, and access to the contacts in the address book or to messaging, although mentioned in the notice, the Company stated "that the Douglas app does not carry out any of these activities", providing specific documentation.

In the light of the above, as regards the configuration of the app, the conditions for a violation of art. 7 of the Regulation were found, since consent is collected, in a form that can be considered neither free nor specific, for various non-contractual purposes, such as the Company's own marketing, third-party marketing and profiling. Consequently, and closely connected with this, the processing activities in question were found to lack a legal basis, in violation of art. 6 of the Regulation.

C) Processing of customer data acquired from the companies merged by incorporation.

The Office asked the party to provide some examples of notices and separate marketing consents for the companies Limoni Spa, La Gardenia Beauty Spa and Profumerie Douglas Spa. The controller stated that it was unable to produce what was requested because, between January and May 2019, the current company, following the aforementioned mergers, completed in July 2020, unified the three separate databases (Limoni Spa, La Gardenia Beauty Spa and Profumerie Douglas Spa) into a single corporate database and replaced the fidelity cards, limited to customers of the three acquired companies who presented themselves, and still present themselves, at Douglas points of sale and who freely chose to join the loyalty program. On those occasions, the Company gave them the same form, with the same notice and consents, as the one currently in use, considering any consents acquired by the pre-existing companies no longer valid. Douglas has not shown that it retains any trace of such consents, or of any notice issued at the time to the data subjects, or of the origin and collection channel used at the time by the three companies, justifying this gap with the creation of a single database by merging the databases of the companies in question.

In the light of the above, considering that the Company did not follow up on the Authority's requests for the aforementioned documentation, thus failing to prove the dynamics (starting from the methods of data collection) of the processing carried out by the acquired companies, together with their respective databases, or whether and how those companies fulfilled the obligations of notice and consent, the conditions for a violation of arts. 5, par. 2, and 24 of the Regulation (principle of accountability) were found.

D) Retention of the data of customers who have not renewed their loyalty card

The data of customers of the three pre-existing companies who have not activated the Douglas card are stored in an inactive state in the Douglas CRM, located on the servers of the German parent company (minutes of 30/11/2021). The Company stated that: "the number of customers whose cards have been replaced (old customers), together with customers (newly acquired customers) for whom new loyalty cards have been issued, amounted to 5,165,839 (as of 29 November 2021); at the same time, the number of 'Douglas' fidelity card holders active in the last 24 months who have given specific consent to marketing and profiling is 2,094,373 (as of 29 November last), and only towards these customers does the company carry out marketing and profiled marketing; no marketing or profiled marketing of any kind is carried out towards the remaining customers (i.e. the aforementioned customers of the 3 companies who have not activated the Douglas card), who amount to 3,288,179 (as of 29/11/2021)."

The Company stated that the data of the aforementioned "3,288,170 customers (old customers) are kept to allow replacement with the new Douglas card and to facilitate the transfer of personal data", and that "from a corporate business point of view the company excludes customers who have not made purchases in the last 24 months from the sending of commercial communications; while the data (including purchase data and the consents given by the data subjects) remain within the company database". With reference to the continued retention of such data, as well as to other strategic choices on the matter, the Company also pointed out "that, for many aspects of data protection, Douglas Italia must first deal with the German parent company, which as a rule tends to apply the group standards to all countries".

In the light of the above, considering the considerable amount of data in question and the merely possible fulfilment of the replacement purpose indicated above, the Office found the conditions for a violation of the principles of purpose limitation and storage limitation, pursuant to art. 5, par. 1, lit. b) and e), of the Regulation.

E) Information provided to customers.

On the basis of the party's statements, the Office detected an apparent discrepancy between the aforementioned practice and the notice issued to data subjects, which states that: "The data possibly collected and processed with your consent for the purposes indicated in letters e), f) and g) will be kept until the data subject revokes consent to the receipt of commercial communications from Douglas, or revokes consent to the profiling of preferences, or revokes consent to the receipt of commercial communications from Douglas' partners, or requests the erasure of their data, except for the exceptional need to keep the data to defend Douglas' rights in relation to disputes existing at the time of the request, or at the direction of public authorities" (p. 8, general conditions of sale, privacy notice section). In the light of the above, given the incompleteness of the notice in question, a violation of art. 13, par. 2, lit. a), of the Regulation was found, closely connected with the alleged violation referred to in point C) above.

F) Telemarketing carried out by the stores.

The inspection staff asked the Company to produce data on the number of customers who provided their telephone numbers and of those who accepted "telemarketing" communications. Douglas, in providing the requested figures (Annex 3 to the report of 1 December: 7,432,425 "customers who have completed the telephone number field"; 5,142,445 "customers who completed the telephone number field with SMS/number consent"), specified that "also on the basis of the analysis of the CRM field, the personal data with consent to the sending of text messages or to the receipt of promotional phone calls are in fact processed with both of the methods indicated (text messages and calls with an operator). Indeed, the fields specifically set up for the individual promotional methods (text messages and telephone) follow the model established and indicated by the German parent company in a standard format for the various European countries where we are present with stores" (minutes of 1 December, cit.).

In this regard, already during the inspection, a lack of correspondence between the aforementioned model and the actual operating practice used for marketing was detected within the overall design of the processing; in particular, it was ascertained that, if the data subject had given consent only to promotional text messages, they could in fact also receive promotional phone calls, and vice versa. The inspection staff asked the party whether it had prepared procedures and scripts to be given to the stores for carrying out telemarketing activities, and received the answer that "since it is not the core business of the company, there are no formalised procedures and scripts prepared and used for this purpose", nor can the standard instructions supplied to the stores be considered suitable to replace them. In the light of the above, the conditions were found for deeming violated arts. 5, par. 2, and 24 of the Regulation (accountability) as well as, closely connected, art. 25, par. 1, of the Regulation (privacy by design).
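The defect found under point F is a design one: the CRM records consent separately per channel (SMS, phone call), but contact lists were built as if either consent covered both. The following is an added example, not code from the decision or from Douglas, that models that mismatch on a constructed CRM table: a list extraction in the form found at inspection, the per-channel extraction that privacy by design calls for, and a check that reports anyone on an extracted list who lacks consent for that channel. Record fields, the 24-month activity flag and the sample rows are assumptions for illustration; they are not taken from the Company's systems.

```python
"""
Per-channel marketing consent gating at list-extraction time.

Added example (not from the decision or from Douglas). The record layout,
the field names and the sample rows are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CustomerRecord:
    """Hypothetical CRM row: consent is stored per channel, as the group
    template described in the decision provides for."""
    customer_id: str
    phone: Optional[str]
    consent_sms: bool
    consent_call: bool
    active_last_24_months: bool


# Constructed sample data (not real customers).
SAMPLE_CRM: List[CustomerRecord] = [
    CustomerRecord("c1", "+39 333 0000001", consent_sms=True, consent_call=False, active_last_24_months=True),
    CustomerRecord("c2", "+39 333 0000002", consent_sms=False, consent_call=True, active_last_24_months=True),
    CustomerRecord("c3", "+39 333 0000003", consent_sms=True, consent_call=True, active_last_24_months=True),
    CustomerRecord("c4", "+39 333 0000004", consent_sms=True, consent_call=True, active_last_24_months=False),
    CustomerRecord("c5", None, consent_sms=True, consent_call=True, active_last_24_months=True),
    CustomerRecord("c6", "+39 333 0000006", consent_sms=False, consent_call=False, active_last_24_months=True),
]


def _has_consent(record: CustomerRecord, channel: str) -> bool:
    if channel == "sms":
        return record.consent_sms
    if channel == "call":
        return record.consent_call
    raise ValueError(f"unknown channel: {channel}")


def extract_list_flawed(records: List[CustomerRecord], channel: str) -> List[str]:
    """The practice found at inspection: any telephone-marketing consent
    ("SMS or call") unlocks both channels. The channel argument is accepted
    but ignored, which is exactly the bug."""
    return [r.customer_id for r in records
            if r.phone and (r.consent_sms or r.consent_call)]


def extract_list(records: List[CustomerRecord], channel: str,
                 require_activity: bool = True) -> List[str]:
    """Per-channel extraction: a customer is listed for a channel only if
    the consent field for that channel is set. The 24-month activity cut-off
    models the business exclusion the Company described; it is a business
    rule layered on top of consent, never a substitute for it."""
    out: List[str] = []
    for r in records:
        if not r.phone:
            continue
        if require_activity and not r.active_last_24_months:
            continue
        if _has_consent(r, channel):
            out.append(r.customer_id)
    return out


def consent_violations(records: List[CustomerRecord], channel: str,
                       contacted_ids: List[str]) -> List[str]:
    """Detection check to run over an extracted (or already used) contact
    list: returns the ids that lack consent for the channel, plus any id
    that is not in the CRM at all."""
    by_id = {r.customer_id: r for r in records}
    return [cid for cid in contacted_ids
            if cid not in by_id or not _has_consent(by_id[cid], channel)]


if __name__ == "__main__":
    flawed_calls = extract_list_flawed(SAMPLE_CRM, "call")
    print("flawed call list:", flawed_calls)
    print("no call consent:", consent_violations(SAMPLE_CRM, "call", flawed_calls))
    print("correct call list:", extract_list(SAMPLE_CRM, "call"))
    print("correct sms list:", extract_list(SAMPLE_CRM, "sms"))
```

On the sample table, the flawed extraction puts c1 (SMS consent only) on the call list and c2 (call consent only) on the SMS list, which is the "and vice versa" the inspectors observed; `consent_violations` flags exactly those two. The corrected extraction keeps the two channels apart, and the check returns nothing for its output. Keeping the consent lookup in one helper, used by both extraction and audit, is the point: the lists sent to the stores and the audit of what the stores actually dialled are then computed from the same rule.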

G) Data processing through blogs.

Following the check (begun on 29 November 2021) of the corporate blog connected to the Douglas website, a specific link emerged to the dedicated "Beauty Stories" page (text articles with a supporting image, on which the user can only comment: see minutes of 15/12/2021). In particular, at the bottom of the page the system presents three distinct fields: 1. leave a comment; 2. name; 3. e-mail. "Fields nos. 2 and 3, marked with an asterisk, are mandatory; however, they may also not be truthful, as there is no procedure for confirming the data entered by the data subject." All Beauty Stories expressly state that "personal data is collected, stored and used"; furthermore, at the bottom there is also a "privacy policy" link which takes the user to the "general notice" document on the site, which, however, contains no reference to the processing of data on the blog. At the Authority's request, the Company's staff accessed the back-end platform that manages the blog and extracted, by way of example, some e-mail addresses of data subjects who had interacted by leaving a comment on the blog. The inspection staff asked for the number of persons who had interacted via the company blog, as well as the most recent data on the comments recorded and information on their registration, storage, methods and the purposes for which they are used. The Company stated that it was unable at that moment to provide information in this regard, since it had no visibility and had to contact the Corporate to be able to respond, specifying that it only had access to the company CRM and had no knowledge of other databases where the data in question are located.
For these reasons, Douglas contacted its contact person in Germany, reserving the right to provide the requested information, which however, as of the date of completion of the on-site investigations (16/12/2021), had not been received. The Company also pointed out that the blog is being discontinued and that, as far as was known at the time, it had never used the data contained therein. Following checks with the German parent company, to discharge the above reservation (on 10/1/2022), it sent the total number of blog users acquired by the Company (1,698), growing over time (starting from 13/1/2017), without, however, clarifying for what purposes and for how long such data are kept by the Corporate or by another company of the group. In the light of the above, in this case too the conditions emerged for a violation of arts. 5, par. 2, and 24, as well as art. 13 of the Regulation, the latter due to the aforementioned lack of a notice regarding the blog.

3. NOTIFICATION OF ALLEGED VIOLATIONS AND DEFENCE OF THE CONTROLLER.

On the basis of the above, on 13 April 2022 Douglas was notified of the alleged violation of the following provisions of the Regulation:

- art. 5, par. 1, lit. b) and e), and par. 2;

- art. 6;

- art. 7;

- art. 13, par. 2, lit. a);

- art. 24;

- art. 25, par. 1;

while at the same time initiating a procedure for the possible adoption of the measures referred to in art. 58, par. 2, of the Regulation and for the possible application of the fines under art. 83, paras. 4 and 5, of the Regulation.

On 12 May 2022, the Company submitted a defence brief, in which it argued the following:

- with reference to point B) of the notification (data collection via the app), the Company stated that, in its opinion, "no violation of art. 7 of the GDPR can be attributed to the Company because, as argued and demonstrated, the consent freely given by the data subject through the 'ok, I understand, I agree' button concerns only the authorisation to use cookies and does not in any way concern the various non-contractual purposes (i.e. Company marketing, third-party marketing and profiling)." …. The Company then specified that: "the inclusion of the links referring respectively to the 'general conditions of sale' and to the 'personal data notice' is provided for mere completeness, in order to provide the user, from the first access to the Douglas app, with all documentation of a legal nature …"; that the configuration and functioning of the app are being modified; and that "in fact, starting from 1 October 2021 ... the German parent company ... has launched the project called 'EPR Southern Europe', which will be completed and will go live from 1 June 2022" (see doc. 4, presentation provided by Douglas GmbH). On the basis of this project "the cookie consent banner will also be reformulated according to the indications provided by the Guarantor in the 'Guidelines on cookies and other tracking tools' of 10 June 2021".

- with reference to point C (processing of customer data acquired from the companies merged by incorporation), the Company stated that: "... the only channel used by Limoni, La Gardenia and Douglas Profumerie to collect data from data subjects was the physical store ... the data were collected from data subjects exclusively in the shops, by completing and signing the paper application form for the fidelity card (including the rules of the loyalty program and the privacy notice)", attaching the Limoni form (doc. 6), "accompanied by the privacy notice drawn up pursuant to the then applicable art. 13 of Legislative Decree 196/2003", the consent form and the "Experience card Limoni" rules; the La Gardenia form (doc. 7), "which reflects the provisions for Limoni"; as well as the Profumerie Douglas form (doc. 8). The Company also stated that, following the first corporate transaction "(and therefore starting from November 2017), the companies had set up, on the websites www.limoni.it and www.lagardenia.it, an automatic redirect to the www.douglas.it site managed by Douglas Profumerie. From that date, therefore, a user who intended to register on the site and join the loyalty program could only register on the domain www.douglas.it, accepting the privacy policy of Douglas Profumerie and obtaining a Douglas fidelity card (cf. doc. 8 with reference to the notice pursuant to art. 13 of Legislative Decree 196/2003 and doc. 9 as regards the notice provided after the entry into force of the GDPR). During the replacement of the old Limoni and La Gardenia fidelity cards with the new Douglas card, which took place from April 2019, the Company launched a campaign to refresh the consents previously given by its customers, delivering the updated privacy notice to them at the same time.
This led to the deactivation of the fidelity cards of the old Limoni and La Gardenia cardholders who had not requested the conversion and replacement of their cards with the new Douglas card. Since these cardholders had not read the new conditions of the Douglas loyalty program (the only card functioning and usable on that date) and the related privacy notice, and even less had been able to give consent (if of interest to them) for marketing, third-party marketing and profiling purposes, they were declared inactive in the CRM system. As part of this refresh campaign, the old consents possibly given by the Limoni and La Gardenia cardholders under the privacy notices in force at the time (see docs. 6 and 7 and the related consent forms) were not considered valid by Douglas for the purposes of the processing activities covered by the new notice ... Since the old cards were disabled, no marketing or profiling activity could lawfully be carried out", and the Company "has therefore never carried out any processing of the data of these customers that requires the prior consent of the data subject (i.e. profiling and/or marketing)".

- with reference to point D (retention of data of customers who have not renewed their fidelity card), the Company pointed out "that it has demonstrated how the old Limoni and La Gardenia customers, currently inactive, received appropriate privacy notices ... from the companies that were controllers at the time of the relevant data collection. These notices ... expressly indicated, among other things, the specific purposes for which the data were collected and processed. Among these we read that the company 'may use the data you provide for purposes related to the issue, use and management of the "Experience Card Limoni" [...]' (see point 1 of the Limoni notice pursuant to art. 13 of Legislative Decree 196/2003; a similar provision is included in point 1 of the La Gardenia notice). The deactivation and replacement with a new card undoubtedly also falls within the sphere of 'management'. Therefore, considering that the data of its customers have always been collected and processed for specific, explicit and legitimate purposes, Douglas believes that from this point of view too its conduct cannot be considered in violation of art. 5, par. 1, lit. b) of the GDPR. With specific reference to the retention of the common data of the old inactive Limoni and La Gardenia customers, whose cards are deactivated, the Company keeps such data on the basis of legitimate interest for the sole purpose of promoting the renewal of the card. As also clarified during the inspection phase, it is in any case a transitional phase which will end with the definitive erasure of the data upon implementation of the project called 'EPR Southern Europe'";

- with reference to point E (notice provided to customers), the Company limited itself to pointing out that "the data retention periods indicated in Douglas' current privacy notice cannot be applied to those customers who have never converted their old Limoni or La Gardenia card into a Douglas card. In fact, these customers provided their data on the basis of the notices provided at the time by Limoni and La Gardenia respectively, in the stores and at the same time as signing the paper application form for the loyalty programme (see docs. 6 and 7)"; therefore "there would be no discrepancy between the practice adopted by the Company and the notice provided to customers";

- with regard to point F (telemarketing carried out from the stores), Douglas stated that "the data subject can freely and specifically express separate consents for the various channels used to send commercial communications. The data subject, by accessing his or her account on the Douglas website, can select and modify his or her consents as shown in the screen reproduced below: This selection is reflected in the CRM tool, as well as in the point-of-sale system of the stores ... The lists created for sending marketing communications are always extracted by the Company taking into account the consents expressed by the data subject. Therefore, there are no differences between the model adopted by Douglas and the operating practice. In confirmation of what has been argued so far, it should be noted that the Company has never received complaints from data subjects about the improper use of marketing channels in violation of the consents they had previously given. The above is also promptly confirmed in the statement made by the manager of the Nola store ... on the occasion of the inspection that took place on 16 December 2021. As stated there, "promotional phone calls are made only to users present in the lists of VIP customers available in the system, which the manager accesses with specific personal credentials". It is, therefore, an extremely limited telemarketing activity dedicated only to customers defined as VIPs, on the basis of which it is not possible to "contact telephone numbers not present in the lists provided by the company", and this, therefore, in full compliance with the consents freely expressed by the data subjects";

- with regard to point G (data processing through the blog), the Company, recalling what it had specified during the inspection, reiterated that "these are data never used by Douglas, which only had the possibility of viewing users' reviews and filtering out any spam. In any case, following the request made to Douglas GmbH, it emerged that the total number of blog users is 1,698. Excluding the 1,621 users who appear to be clearly spam (see in this regard doc. 13, the documents provided by Douglas in discharge of the reservation made on 16 December 2021), the total number of possible 'real' blog users is 77, corresponding to 0.00008% of the total Douglas customer database of approximately 10 million. This is a number compatible with (and indeed lower than) the statistical and inevitable margin of error typical of the management of any website. Furthermore, it should be considered that the percentage of 0.00008% is in fact even lower if one takes into account that among the 77 blog users there are also accounts created by the Company itself for internal tests. The Company confirms again that the data present on the blog have never been used by Douglas and that no profiling or marketing activity is carried out with reference to said data. Following the Authority's investigations, the possibility for users to leave comments and/or reviews, and consequently to provide their personal data, was also promptly disabled. The Beauty Story section, as already stated during the inspection, is being completely decommissioned and will be definitively removed with the implementation of the new "EPR Southern Europe" project, effective from 1 June 2022".

Furthermore, the Company provided various elements with specific reference to the criteria under art. 83, par. 2, of the Regulation. In particular, with respect to the intentional or negligent nature of the violation, Douglas highlighted that it has "always shown particular attention to the protection of its customers, adopting all necessary measures to meet, in the shortest possible time, the requests of data subjects. Any deviations (deemed by the undersigned Company to be entirely modest) between the practice and the documentation made available to data subjects are mainly due to technical reasons which the Company promptly remedied already during the inspection phase". With regard to the measures adopted by the controller or processor to mitigate the damage suffered by data subjects, in the opinion of the Company "the conduct implemented by the same (and contested by the Garante) did not cause any damage to the data subjects"; it also highlighted that it had maintained "even during inspections, a collaborative behaviour with the Authority, promptly intervening and making any necessary changes requested by the latter (see, by way of example, the changes made to the blog section of the Douglas website)". With regard to its degree of responsibility as controller, the Company stated that its systems, "including the site, the app and the CRM, are managed, also from a technical point of view, by the German parent company; ... [and that it has] always promptly contacted and urged Douglas GmbH to adopt any technical or organisational measure deemed appropriate and necessary by the controller." Douglas then added that it had not committed "previous violations" and that it had "never been the recipient of any [measure] pursuant to Article 58 of the GDPR"; that "the data subject to a potential violation consist of (i) ordinary ('common') data of inactive customers (i.e. name, surname, address, and possibly email address and/or telephone number) that the Company keeps for the sole purpose of facilitating the renewal of old cards on the basis of legitimate interest and, in any case, with the intention of deleting them definitively with the implementation of the new site, and (ii) ordinary data (mainly email addresses) of a very small (and completely negligible) number of customers who have interacted with Douglas' blog", without having "carried out any profiling and/or marketing activity".

In light of the above, the Company requested that the administrative proceedings be dismissed and, "in confirmation of its absolute spirit of collaboration", declared that it is "available to implement any further and different measure that the Authority may deem necessary".

Referring to and supplementing what is already on file, the Company, during the hearing held on 20 May 2022, then specified that, "due to the critical issues that emerged during the inspection phase ... it immediately began to review and improve its compliance. From a more general point of view, the Company has introduced, also in agreement with the parent company, an overall modernisation project for the website (already started at the end of last November), as well as for the Douglas app, including the Blog section, bringing improvements from both a technological and functional point of view and, clearly, in terms of compliance with privacy legislation. In fact, with specific regard to the Blog section, the Company has disabled the insertion of new reviews, so that those already present remain only viewable. From next 31 May, the blog section will be progressively removed, while leaving customers the possibility to express their reviews in a dedicated tool distributed by the parent company.".

With regard to telemarketing, "already on 12 January 2022, the Company organised and carried out a training session focused on this processing, with reference to possible corrective actions for the related processing operations, aimed at the entire sales force and primarily involving the area managers and, in cascade, the store managers. This session has been repeated on a monthly basis. These contents are also conveyed through a dedicated app (where various video contents are available ...) with an easily usable layout and with provision for verifying effective understanding of the training imparted ... In addition, the CRM function has set up an automatic refresh, within 24 hours, of the lists of data passed to the stores (i.e. entry of any refusal of marketing by a data subject who has been contacted, regardless of the campaign in progress); the stores can also contact the DPO directly, without intermediate filters and cumbersome procedures. Therefore, the telemarketing procedure has been improved, it being understood that it is a residual activity selectively dedicated to high-spending customers. ... the store manager contacted during the inspection did not properly comply with a procedure, of a basic type, which however already existed and which to date, in the opinion of the Company, is more structured and complete."

With regard to the retention of the data of customers of the three merged companies who have not signed up for the new card, the Company reiterated that it has "never carried out marketing and profiling activities, nor does it intend to do so, and that such data will soon be stored only in pseudonymised form, so as to make them effectively unavailable and restorable only where necessary (for example for any contractual requests by the customers themselves)." It also specified that "in recent years (also due to the pandemic) [it has] recorded a loss of around 10 million euros in turnover, which has led to a reduction in staff and in the stores present in the territory (155)", with foreseeable serious repercussions on future financial statements as well.

On the basis of the foregoing, the Company therefore requested "that the administrative proceedings in progress be dismissed or, alternatively, that a reduction of any applicable pecuniary sanction be established".

4. LEGAL ASSESSMENTS.

In the light of the defences presented by Douglas, with regard to point B) of the charge, it is considered necessary to confirm the contested violation (arts. 6 and 7 of the Regulation) concerning the collection of data through the Company's app, because, even accepting the Company's argument that the button "'I understand. I agree' only concerns the authorisation to use cookies and does not in any way concern the various non-contractual purposes" and that "the inclusion of links which refer respectively to the 'general conditions of sale' and to the 'personal data notice' is provided for mere completeness", it must nonetheless be pointed out that the configuration of the app is, overall, unclear and ambiguous as to the actual object of the consent requested from the user, also in light of the mixed content of the said notice (in which, moreover, purposes are indicated, such as geolocation or proximity marketing, that Douglas has claimed not to pursue).

Furthermore, it must be highlighted that the provisions of the Regulation (art. 4, point 11, and Recital 32), in line with the previous regulatory framework, configure consent as a composite requirement in which the expression of the data subject's will must necessarily be correlated with adequate information on the processing provided by the controller, in the absence of which the data subject's will is irremediably flawed and unfit to constitute a condition of lawfulness for the processing. Account must also be taken of the requirement of easy accessibility and intelligibility of the information under art. 12, par. 1, of the Regulation, in the broader context of the basic principle of transparency: to this effect see also the Article 29 Working Party, in the revised version of the Guidelines on transparency adopted on 11 April 2018 (at www.garanteprivacy.it). At the same time, it should also be considered that the Company has admitted that it has not yet adapted its management of cookies to the indications provided by the Garante in the 'Cookies and other tracking tools' guidelines of 10 June 2021, which set a maximum period of six months for implementation by controllers. This non-compliance aggravates the unlawfulness identified; therefore, in the light of the foregoing, the aforementioned charge must be confirmed and art. 12, par. 1, of the Regulation must also be considered infringed, given that the Company has not taken all measures to provide data subjects with suitable information regarding the processing carried out, which is therefore not adequately transparent.

In this regard, it is also necessary to order the Company to change the configuration of the Douglas app, ensuring a clear distinction between the privacy notice and the cookie notice, and the respective consents, on the one hand, and the contractual terms on the other, and, with particular reference to the two aforementioned notices, indicating only the processing actually carried out and the purposes actually pursued.

With regard to point C) of the charge (concerning the failure to produce the documentation relating to the three merged companies), it is instead considered that the charge can be dropped, since the Company produced, albeit only in its brief, the required texts of the notices and consent forms used by the three merged companies to acquire the customers taken over by Douglas, in compliance with the principle of accountability.

With regard to point D) of the charge (retention of the personal data of the three merged companies), even if allegedly not used by the Company, it should be recalled that storage is a processing operation and is therefore in itself subject to the legislation in force. In this case, the aforementioned retention must be considered clearly and unjustifiably excessive both in terms of quality (since the types of data to be retained were not selected) and in terms of time, also taking into account the strict periods (12 months for data used for marketing purposes; 24 months for profiling purposes) established by the general decision "Loyalty cards and guarantees for consumers. The Garante's rules for loyalty programmes" of 24 February 2005, web doc. no. 1103045, also in the light of the principles of accountability and "general responsibility" (see Recital 74 of the Regulation). All the more so, those periods must be considered strict for the data relating to loyalty cards that the customers of the merged companies decided not to renew (and which therefore remained inactive), for which there is no valid reason to prolong retention.

Therefore, while acknowledging the corrective measures that Douglas claims to have implemented on its own initiative, the violation of art. 5, par. 1, lett. b) and e), of the Regulation must be confirmed, and it is necessary, pursuant to art. 58, par. 2, lit. g), of the Regulation, to issue an injunction against the Company, structured as set out below so as to respect the organisational and operational freedom of the undertaking, with which the right to the protection of personal data must, where possible, be appropriately balanced, through the measures indicated in par. 5 of this decision and aimed at ensuring compliance with the legislation in force.

A similar finding of non-compliance (against the same regulatory parameters) must be made, more generally, with regard to the retention periods envisaged by Douglas in the notice provided to its customers, as acquired in the file ("The data possibly collected and processed with your consent for the purposes indicated in letters e), f) and g) will be kept until the data subject withdraws consent to receive commercial communications from Douglas, or withdraws consent to the profiling of preferences, or withdraws consent to receive commercial communications from Douglas' partners, or requests the deletion of his or her data, except for the exceptional need to keep the data to defend Douglas' rights in relation to disputes existing at the time of the request, or on the instruction of public authorities"). In fact, even in the presence of consent to marketing and/or profiling, which can be considered valid until it is withdrawn or until the data subject objects to processing for promotional purposes (see also art. 7 of the Regulation), the Company should nonetheless provide for selective and limited retention of customer data (with particular regard, respectively, to type and duration), all the more so considering that in this case the Company carries out promotional or profiling activities with them and therefore does not merely hold them idle. This should be done in the exercise of its accountability, regardless of any withdrawal of consent or request by the data subject. In this case too, the violation of art. 5, par. 1, lett. b) and e), of the Regulation must be confirmed; moreover, the Company must be enjoined to adopt organisational and technical measures suitable for ensuring retention correctly based on the aforementioned principles of purpose limitation and storage limitation.

In relation to point E) of the charge, concerning the apparent discrepancy between the aforementioned persistent retention practice and the notice currently issued to data subjects ("Data possibly collected and processed with your consent for the purposes indicated in letters e), f) and g) will be kept until the data subject withdraws his or her consent to receive commercial communications from Douglas, or withdraws consent to the profiling of preferences, or withdraws consent to receive commercial communications from Douglas' partners, or requests the deletion of his or her data, except for the exceptional need to keep the data to defend Douglas' rights in relation to disputes existing at the time of the request, or on the instruction of public authorities"), it must be noted that, if one follows the Company's argument that the only reference parameter should be the notices issued at the time by the merged companies, the necessary consequence would be that Douglas, as the new controller, has not fulfilled, towards the customers of the merged companies, the information obligation under art. 14, par. 1, of the Regulation, since the data were not obtained directly from the data subjects, with the consequent need to supplement the charge of 13 April 2022. Therefore, it is considered necessary to confirm the finding that this notice is unsuitable with respect to the practice followed by the Company with regard to data retention (art. 13, par. 2, lett. a), of the Regulation).

With reference to point F) of the charge (telemarketing carried out by the stores), what the Company asserted (see brief of 12/5/22), i.e. that the stores cannot "contact telephone numbers not present in the lists provided by the company" (so-called 'off-list' individuals; see decision of 15 January 2020 no. 7, web doc. no. 9256486) and that, moreover, only high-spending customers are contacted, does not overcome what the Company itself declared during the inspection, pursuant to art. 166 of the Code, and what was ascertained in its systems, namely that "also on the basis of the analysis of the CRM field, the personal data with consent to receive text messages or promotional phone calls are in reality processed in both of the ways indicated (text message and telephone call with operator), due to the model established and indicated by the German parent company in a standard format for the various European countries where we are present with stores". That is to say, in summary, that some high-spending customers, despite having given their consent for only one of the two channels, were contacted through both. Furthermore, in its defence briefs the Company expressed its awareness of the critical issues that emerged during the inspection, declaring that it had taken steps to intervene promptly to improve the relevant procedure and hence its compliance with the legislation in force. Therefore, even taking into account the sporadic nature of the activity in question and the measures introduced by the Company, the violation of arts. 5, par. 2, and 24 of the Regulation must be considered confirmed, as well as, in a strictly connected way, that of art. 25, par. 1, of the Regulation. In this regard, taking into account above all the residual nature of the processing activity in question and the measures that the Company has stated it has already introduced, it is not necessary to adopt any corrective order.

Also with reference to point G) of the charge (processing relating to the blog), given that the arguments put forward by Douglas, regarding the insignificant number of 'real' users who appear to have left comments and the forthcoming discontinuation of the blog, are not capable of excluding liability, the violation of the combined provisions of arts. 5, par. 2, and 24, as well as art. 13 of the Regulation, must be confirmed; however, considering the sporadic and no longer current nature of the processing activity in question, it is not considered necessary to adopt any corrective order.

5. OVERALL RESULTS AND CONSEQUENT MEASURES TO BE ADOPTED.

Overall, the following provisions of the Regulation must be considered infringed:

- art. 5, par. 1, lit. b) and e), and par. 2;

- art. 6;

- art. 7;

- art. 12, par.1;

- art. 13, par. 2, lett. a);

- art. 24;

- art. 25, par.1.

Based on the finding of such violations, it is necessary, with regard to Douglas:

a) pursuant to art. 57, par. 1, lit. f), of the Regulation, to declare the processing carried out unlawful, in the terms set out in the reasoning, and, as a consequence:

b) pursuant to art. 58, par. 2, lit. d), of the Regulation, to order the modification of the configuration of the Douglas app, ensuring a clear distinction between the privacy notice and the cookie notice, and the respective consents, on the one hand, and the contractual terms on the other, and, with particular reference to the two aforementioned notices, indicating only the processing actually carried out and the purposes actually pursued;

c) pursuant to art. 58, par. 2, lit. g), of the Regulation, to order the deletion of the personal data of the customers of the three merged companies, limited to data dating back more than 10 years, except where a judicial or extra-judicial dispute is still pending, within 15 days of receipt of this decision;

d) pursuant to art. 58, par. 2, lit. g), of the Regulation, to order the deletion, or pseudonymisation, of the personal data of the customers of the three merged companies dating back no more than 10 years, within 30 days of receipt of this decision;

e) if the Company opts for the pseudonymisation of the data indicated in letter d) above, pursuant to art. 58, par. 2, lit. g), of the Regulation, to order it to inform those customers, within 60 days of receipt of this decision, by means of adequate notice on the website www.douglas.it and by sending a communication pursuant to art. 130, par. 4, of the Code, limited to customers whose e-mail addresses are available in its systems and who have not objected to the processing of their data, of the possibility of renewing their card within 6 months of said publication or of receipt of the aforementioned communication, also informing them that, in the event of non-renewal within that period, their data will be deleted;

f) pursuant to art. 58, par. 2, lit. g), of the Regulation, to order the deletion of the data of all customers referred to in letter d) above who have not renewed their card, within 15 days of the expiry of the aforementioned six-month period;

g) pursuant to art. 58, par. 2, lit. d), of the Regulation, to order the adoption of suitable organisational and technical solutions aimed at ensuring that the storage of its customers' data complies with the principles set out in art. 5 of the Regulation, in particular purpose limitation and data minimisation, within 30 days of receipt of this decision;

h) pursuant to art. 157 of the Code, to require the Company to provide adequately documented feedback on the aforementioned measures within 30 days of receipt of this decision, recalling that failure to respond to such requests constitutes the administrative offence referred to in art. 166, par. 2, of the Code and may therefore lead to the application of the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation;

i) to adopt an injunction order, pursuant to art. 166, par. 7, of the Code and art. 18 of Law no. 689/1981, for the application of the pecuniary administrative sanctions provided for by art. 83, par. 4 and 5, of the Regulation.

6. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION.

The violations indicated above require the adoption of an injunction order, pursuant to art. 166, par. 7, of the Code and art. 18 of Law no. 689/1981, for the application against Douglas Italia S.p.A. of the pecuniary administrative sanction provided for by art. 83, par. 4 and 5, of the Regulation.

Since various provisions of the Regulation and of the Code have been infringed in relation to linked processing operations carried out by the Company for marketing purposes, art. 83, par. 3, of the Regulation applies, according to which, if a controller "intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement", the less serious violations thus being absorbed. Specifically, the aforementioned violations, concerning among other things the conditions for the lawfulness of processing under art. 6 of the Regulation, are to be brought, pursuant to art. 83, par. 3, of the Regulation, within the most serious violation envisaged for non-compliance with those conditions of lawfulness, with the consequent application of the single sanction provided for in art. 83, par. 5, lett. a), of the Regulation.

To determine the amount of the fine, which must "in each individual case be effective, proportionate and dissuasive" (art. 83, par. 1), account must be taken of the elements indicated in art. 83, par. 2, of the Regulation.

In this case, the following must be considered aggravating circumstances pursuant to art. 83, par. 2, of the Regulation:

1) the seriousness and variety of violations found (letter a);

2) the high number of data subjects and the considerable duration of the violations, with particular regard to the retention of the customer data of the merged companies (letter a);

3) the economic importance of the Company (turnover of Euro 349,596,628.00; letter k).

At the same time, numerous mitigating factors can be identified under the same provision, and in particular account must be taken of:

1) the sporadic nature of the telemarketing activity that has come to light (letter a);

2) the measures envisaged to improve compliance with data protection legislation (letter c);

3) the absence of previous proceedings initiated against the Company (letter e);

4) the constant and transparent cooperation shown by the Company to the Authority during the inspections and, more generally, during the investigation (letter f);

5) the Company's limited decision-making power over the overall processing strategy, owing to the involvement of the German parent company (letter k);

6) the pandemic emergency during which the assessment in question took place and, in particular, the financial losses reported by the Company, which "resulted in a reduction in staff and in the stores present in the territory (approximately 155)" (see hearing of 20/5/22) (letter k).

Based on the elements indicated above, in application of the principles of effectiveness, proportionality and dissuasiveness set out in art. 83, par. 1, of the Regulation, and taking into account the necessary balance between the rights of data subjects and the freedom to conduct a business, also in order to limit the economic impact of the sanction on the organisational, functional and employment needs of the Company, it is considered that the administrative sanction of the payment of a sum of Euro 1,400,000.00 (one million four hundred thousand/00), equal to approximately 0.4% of the aforementioned turnover, should be applied to Douglas Italia S.p.A.

In the present case, it is considered that the ancillary sanction of publication of this decision on the Garante's website should also be applied, as provided for by art. 166, par. 7, of the Code and art. 16 of the Garante's Regulation no. 1/2019, taking into account the subject matter of the investigation, on which this Authority has adopted numerous measures, both of a general nature and addressed to specific controllers.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance aimed at carrying out the tasks and exercising the powers assigned to the Garante, are met for recording the violations found here in the Authority's internal register, provided for by art. 57, par. 1, lit. u), of the Regulation.

ON THESE GROUNDS, THE GARANTE

a) pursuant to art. 57, par. 1, lit. f), of the Regulation, declares unlawful the processing carried out by Douglas Italia S.p.A., tax code 01980940835, with headquarters in Milan, via Fratelli Castiglioni no. 8, and, as a consequence, with respect to the same Company:

b) pursuant to art. 58, par. 2, lit. d), of the Regulation, orders the configuration of the Douglas app to be changed, ensuring a clear distinction between the privacy notice and the cookie notice, and the respective consents, on the one hand, and the contractual terms on the other, and, with particular reference to the two aforementioned notices, indicating only the processing actually carried out and the purposes actually pursued;

c) pursuant to art. 58, par. 2, lit. g), of the Regulation, orders the deletion of the personal data of the customers of the three merged companies, limited to data dating back more than 10 years, except where a judicial or extra-judicial dispute is still pending, within 15 days of receipt of this decision;

d) pursuant to art. 58, par. 2, lit. g), of the Regulation, orders the deletion, or pseudonymisation, of the personal data of the customers of the three merged companies dating back no more than 10 years, within 30 days of receipt of this decision;

e) if the Company opts for the pseudonymisation of the data indicated in letter d) above, pursuant to art. 58, par. 2, lit. g), of the Regulation, enjoins the same Company to inform those customers, within 60 days of receipt of this decision, by means of adequate notice on the website www.douglas.it and by sending a communication pursuant to art. 130, par. 4, of the Code, limited to customers whose e-mail addresses are available in its systems and who do not appear to have objected to the processing, of the possibility of renewing their card within 6 months of said publication or of receipt of the aforementioned communication, also informing them that, in the event of non-renewal within that period, their data will be deleted;

f) pursuant to art. 58, par. 2, lit. g), of the Regulation, orders the same Company to erase the data of all customers referred to in the aforementioned letter d) who have not renewed their card, within 15 days of the expiry of the aforementioned six-month period;

g) pursuant to art. 58, par. 2, lit. d), of the Regulation, orders the adoption of suitable organisational and technical measures aimed at ensuring that the retention of its customers' data takes place in compliance with the principles set out in art. 5 of the Regulation, and in particular purpose limitation and data minimisation, within 30 days from the date of receipt of this provision;

h) pursuant to art. 157 of the Code, requests the same Company to provide adequately documented feedback regarding the aforementioned measures, within 30 days from the date of receipt of this provision. Please note that failure to respond to the above requests constitutes the administrative offence referred to in art. 166, paragraph 2, of the Code;

ORDERS

Douglas Italia S.p.A. to pay the sum of Euro 1,400,000.00 (one million four hundred thousand/00) as an administrative fine for the violations indicated in the reasoning, noting that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by complying with the instructions given and paying, within thirty days, an amount equal to half of the fine imposed;

ENJOINS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 1,400,000.00 (one million four hundred thousand/00) in the manner indicated in the attachment, within 30 days of notification of this provision, failing which the enforcement measures provided for by art. 27 of Law no. 689/1981 will be adopted;

DIRECTS

as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019, the publication of this provision on the Guarantor's website and, pursuant to art. 17 of the Regulation of the Guarantor n. 1/2019, the annotation in the Authority's internal register, provided for by art. 57, par. 1, lit. u) of the Regulation, of the violations and of the measures adopted.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as art. 152 of the Code and art. 10 of Legislative Decree 1 September 2011, n. 150, this provision may be challenged before the ordinary judicial authority, by means of an appeal lodged with the ordinary court of the place where the controller of the personal data has its residence, or, alternatively, with the court of the place of residence of the data subject, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 20 October 2022

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE DEPUTY SECRETARY GENERAL
Filippi