Garante per la protezione dei dati personali (Italy) - 9837981

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 6(1) GDPR
Article 12 GDPR
Article 17 GDPR
Article 58 GDPR
Article 83 GDPR
Type: Complaint
Outcome: Upheld
Started: 22.12.2020
Decided: 10.11.2022
Published: 10.01.2023
Fine: 10000 EUR
Parties: n/a
National Case Number/Name: 9837981
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: LR

The Italian DPA fined a controller €10,000 for failing to respond to a data subject’s Article 17 GDPR request for erasure of their personal data, and for the unlawful collection of this data, in violation of Article 6(1) GDPR.

English Summary

Facts

The case concerns an erasure request from an individual, the data subject, to a marketing agency (I-Model s.r.l.), the controller. The data subject first requested the deletion of all his personal data on 26 August 2020 and then again on 17 December 2020. While he received formal responses to these requests stating that his personal data had been deleted, he was aware that the company still retained this information, as he continued to receive SMS messages concerning job offers.

Subsequently, on 22 December 2020, the data subject filed a complaint with the Italian DPA.

The data subject argued that he has the right to obtain the erasure of his personal data contained in the company’s records. The controller’s refusal to erase the data would constitute a violation of the GDPR.

Responding to the complainant's allegations, the controller argued, firstly, that the data subject sent his request to the email address of a former employee, rather than the official address of the company. The former employee’s email domain had been deleted and, as such, the controller was not able to verify the relevant correspondence. Secondly, the controller seemingly denied having received the erasure requests. Finally, in any event the infringement would have been caused by an oversight or human error and ‘certainly not the will of the company to infringe/violate and or process abusively the complainant’s data’. It was also confirmed that the relevant personal data had been deleted.

Holding

After investigating the complaint, the Italian DPA ascertained that the controller only provided two formal replies to the requests for erasure, declaring that they had removed the data from the mailing list but, in fact, they continued to store and process the data.

Responding to the first argument of the controller (inactive email address), the DPA explained that, as the data subject had sent his requests to an email address with a domain name ending in ‘@i-model.it’, he had a legitimate expectation of an effective response from the controller. In addition, Article 12(2) GDPR stipulates that the controller shall facilitate the exercise of data subject rights. Regarding the second argument (no evidence on whether the requests had been sent), the DPA's investigation confirmed that the data subject's requests had been received by the controller and that formal responses had subsequently been received by the data subject. In response to the final argument (human error), the DPA pointed out that the controller failed to present any evidence of the error that allegedly led to the unlawful storage of the data subject's data.

Furthermore, and apart from the data subject’s specific requests, the DPA also found that the data subject’s consent for the processing of personal data had never been collected in the first place, thus making the subsequent processing unlawful for lack of an appropriate legal basis (Article 6(1) GDPR).

In light of the above, the DPA held that the controller acted in violation of the GDPR, in particular Articles 17 and 6(1) GDPR. Pursuant to its powers under Article 58(2)(i) GDPR, and in accordance with Article 83 GDPR, it imposed an administrative fine of €10,000 upon the controller.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9837981]

Injunction against I-Model s.r.l. - November 10, 2022

Register of measures
no. 370 of 10 November 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";

CONSIDERING the complaint presented by Mr. XX on 23/12/2020, regularized on 08/03/2021, pursuant to art. 77 of the Regulation, complaining of the lack of response to the request to exercise the rights formulated against I-Model s.r.l.;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER the lawyer Guido Scorza;

WHEREAS

1. The initiation of proceedings.

With the complaint presented to this Authority on 12/22/2020, regularized on 03/08/2021, Mr. XX complained of unlawful processing of personal data by I-Model s.r.l. (hereinafter "the Company"), consisting of a purely formal response to the requests for cancellation of personal data, formulated against the Company on 08/26/2020 and 12/17/2020. In particular, the complainant represented that, after having received from the Company confirmation of the deletion of the personal data present in its archives, he continued to receive SMS messages concerning job offers from the same.

With the note dated 03/05/2021 (prot. n. 24545), the Company was invited to provide observations regarding the facts subject to the complaint and to adhere to the request to exercise the rights, advanced by the complainant.

The Company provided a reply with the note dated 20/05/2021, declaring that "only due to an error/mistake the data were not cancelled", also specifying that the requests for cancellation had been sent to a former employee and that it could not check the correspondence (and therefore the actual response) as "the related e-mail domain with all the correspondence connected to it has been cancelled/cancelled".

In any case, the cancellation of the complainant's personal data from its archives was confirmed, with the exception of what is necessary for the fulfillment of legal and fiscal obligations.

In the light of the above, the Office proceeded to notify the deed of initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code for the violation of art. 17, par. 1, lit. b) and of the art. 6, par. 1, lit. a) of the Regulation (prot. n. 43349 of 08/25/2021).

On 22/09/2021, the Company sent its own written defenses, pursuant to art. 18 of the law n. 689/1981, in which it declared that:

- “the company I-Model s.r.l., in the person of Ms. XX, has not had the opportunity to verify the effective sending of the requests/requests for deletion of the data which, according to what is stated in the complaint, would have been sent by Mr. XX nor the answers that the same would have received", since "the requests would have been sent to the e-mail address of a secretary (Ms XX) and the answers would have been received via this address, and not, instead, transmitted to the official address info@i-model.it”;

- the complaint would, in any case, be without merit as the complainant would not have sufficiently documented the sending of the cancellation requests nor the actual reception on their mobile phone of the messages, containing job offers, sent by the Company;

- in any case, where ascertained, the violation would have been caused by an oversight or human error and "certainly not by the will of the company I-Model s.r.l. to harm/violate and/or treat Mr.'s data abusively".

2. The outcome of the investigation.

Following the examination of the documentation produced and the declarations made by the party during the proceedings, given that, unless the fact constitutes a more serious offence, whoever, in a proceeding before the Guarantor, falsely declares or attests news or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, it is ascertained that the Company, through one of its employees (and, in any case, using an e-mail address with the i-model.it domain), has given a purely formal reply to the requests for cancellation of personal data submitted by the complainant on two occasions, simply declaring that it had removed the data from the mailing list but, in fact, continuing to store and process the data without an appropriate legal basis.

It is also documented in the record that the requests for cancellation of personal data, dated 08/26/2020 and 12/17/2020, were sent to the e-mail address XX, and that they were answered, in both circumstances, by an e-mail confirming the cancellation (on 26/08/2020 and 18/12/2020 respectively).

The circumstance that these requests were not addressed to the e-mail box of the Company (info@i-model.it) but to that of an employee is completely irrelevant, given that this e-mail address bore the domain @i-model.it, thereby instantly creating the legitimate expectation of an effective response from the Company.

Among other things, it should be noted that, pursuant to art. 12, par. 2, of the Regulation "the owner facilitates the exercise of the rights of the interested party pursuant to articles 15 to 22" and that, based on art. 17, par. 1, of the Regulation, "the interested party has the right to obtain from the data controller the cancellation of personal data concerning him without unjustified delay and the data controller has the obligation to cancel personal data without unjustified delay if one of the [following] reasons" indicated in letters a-f of the same provision.

Given this, it is believed that in the present case the data controller should have provided an effective, and not merely formal, response to the requests for cancellation formulated by the complainant for the existence of the reasons indicated in art. 17, paragraph 1, of the Regulation.

Among other things, it should be noted that no evidence has been presented by the Company to support the error that would have led to the unlawful retention of the complainant's data.

In fact, since the interested party's consent to the processing of their personal data is lacking (as shown by the two requests presented), it follows that the processing subsequently implemented by the Company took place in an illegitimate manner, as no legal basis among those indicated in art. 6, par. 1, of the Regulation applies in the case in question.

3. Conclusions: illegality of the treatments carried out. Corrective Actions.

In the light of the foregoing assessments, it should be noted that the statements made by the data controller in the defense writings ˗ for the truthfulness of which one may be called upon to answer pursuant to art. 168 of the Code ˗  do not allow the findings notified by the Office to be overcome with the act of initiating the procedure and are insufficient to allow it to be dismissed, since none of the cases envisaged by art. 11 of the Guarantor's regulation n. 1/2019, concerning the internal procedures of the Authority with external relevance.

The purely formal response provided by the Company to the cancellation requests presented by the complainant is unlawful in the terms set out above, thereby determining the violation of art. 17 of the Regulation.

The treatment put in place by the Company, following the requests for cancellation, is also unlawful as it lacks an appropriate legal basis, with consequent violation of art. 6, par. 1, of the Regulation.

For the above reasons, therefore, the complaint presented pursuant to art. 77 of the Regulation and, in the exercise of the corrective powers attributed to the Authority pursuant to art. 58, par. 2 of the Regulation, the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, of the Regulation.

4. Injunction order.

The Guarantor, pursuant to art. 58, par. 2, lit. i) of the Regulation and of the art. 166 of the Code, has the power to impose a pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation, through the adoption of an injunction order (art. 18. Law 24 November 1981 n. 689), in relation to the processing of personal data referring to the complainant, the illegality of which has been ascertained, within the terms exposed above.

With reference to the elements listed by art. 83, par. 2 of the Regulation for the purposes of applying the administrative fine and the related quantification, taking into account that the fine must be "in each individual case effective, proportionate and dissuasive" (art. 83, paragraph 1 of the Regulation), it is represented that, in the present case, the following circumstances were taken into consideration:

- with regard to the nature, gravity and duration of the violation, the nature of the violation was considered relevant, which concerned the provisions relating to the exercise of the rights of the interested parties; as well as the circumstance that the violation lasted for a long time;

- the absence of previous relevant violations committed by the data controller;

- the degree of cooperation provided by the Company during the proceedings.

In consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness (Article 83, paragraph 1, of the Regulation) with which the Authority must comply in determining the amount of the sanction, the economic conditions of the offender were taken into consideration, determined based on the revenues achieved and referred to the financial statements for the year 2021.

Based on the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction in the amount of 10,000.00 (ten thousand) euros for the violation of articles 17 and 6 of the Regulation.

In this context, also in consideration of the type of violation ascertained, which concerned the rights of the interested party, it is believed that, pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor's regulation n. 1/2019, this provision must be published on the Guarantor's website.

Finally, it should be noted that the conditions pursuant to art. 17 of regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THAT BEING CONSIDERED, THE GUARANTOR

declares, pursuant to articles 57, par. 1, lit. f) and 83 of the Regulation, the illegality of the processing carried out, in the terms referred to in the justification, for the violation of the articles 17 and 6 of the Regulation;

ORDERS

to I-Model s.r.l., in the person of its pro-tempore legal representative, with registered office in Thiene (VI), Via Monsignor Pertile n. 18/5, P.I. 03829050248, pursuant to art. 58, par. 2, of the Regulation, to pay the sum of 10,000.00 (ten thousand) euros as an administrative fine for the violations indicated in the justification;

ENJOINS

to the same Company to pay the sum of Euro 10,000.00 (ten thousand) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive deeds pursuant to art. 27 of the law n. 689/1981. It is represented that pursuant to art. 166, paragraph 8 of the Code, without prejudice to the offender's right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed within the term referred to in art. 10, paragraph 3, of Legislative Decree lgs. no. 150 of 1 September 2011 envisaged for the filing of the appeal as indicated below.

ORDERS

pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor's regulation n. 1/2019, the publication of this provision on the Guarantor's website and believes that the conditions set forth in art. 17 of regulation no. 1/2019.

Pursuant to art. 78 of the Regulation, of the articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 10 November 2022

PRESIDENT
Stanzione

THE SPEAKER
Scorza

THE SECRETARY GENERAL
Mattei
