Garante per la protezione dei dati personali (Italy) - 9856345: Difference between revisions

From GDPRhub
No edit summary
(Removed one '0' too many in the summary)
 
Line 79: Line 79:
}}
}}


The Italian DPA fined Edison Energia, an Italian Energy provider, €4,9000,000 for multiple GDPR violations concerning a marketing operation. Among other violations, the controller did not obtain valid consent to carry out such activities.  
The Italian DPA fined Edison Energia, an Italian Energy provider, €4,900,000 for multiple GDPR violations concerning a marketing operation. Among other violations, the controller did not obtain valid consent to carry out such activities.  


== English Summary ==
== English Summary ==

Latest revision as of 07:03, 7 March 2023

Garante per la protezione dei dati personali - 9856345
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6 GDPR
Article 7 GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 21(2) GDPR
Article 24(1) GDPR
Article 24(2) GDPR
Type: Complaint
Outcome: Upheld
Started: 07-02-2022
Decided: 15-12-2022
Published: 21-02-2023
Fine: 4,900,000 EUR
Parties: Edison Energia
National Case Number/Name: 9856345
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: n/a

The Italian DPA fined Edison Energia, an Italian energy provider, €4,900,000 for multiple GDPR violations concerning a marketing operation. Among other violations, the controller did not obtain valid consent to carry out such activities.

English Summary

Facts

The controller in this decision was Edison Energia, an Italian energy company. At a certain point, in the context of a marketing campaign, the controller started calling customers and prospective customers with the help of call centres. On 7, 8 and 9 February 2022, several data subjects filed complaints at the Italian DPA, all focused on the above-mentioned marketing operation.

During the investigation of the DPA, it became clear that the controller was working with another company (Company XX) which provided the former with a contact list. However, some of the data subjects were also registered in a 'no call' list held by the controller itself. This, however, did not prevent the controller from contacting them. It would later become clear that this 'no call' list was ineffective. It was also not possible to correctly reconstruct how and when consent was obtained from the data subjects and when it was ultimately revoked.

The DPA also investigated the consent asked by the controller itself when the data subject wanted to register at the controller's website or application. Such consent was not specific as it allowed processing for 4 different purposes, namely, marketing and profiling by Edison and by a third party that might receive the personal data.

In its privacy policy, the controller mentioned that it processed personal data for marketing and profiling purposes. However, during the investigation of the DPA, the controller provided contradictory evidence affirming that neither profiling nor data sharing with third parties for marketing purposes would take place. This was an obvious information discrepancy.

The investigation service of the Italian DPA determined several GDPR violations after being provided access to the controller's computer systems.

Holding

First, the DPA determined that the controller received lists of personal data from the company XX. This fact alone constituted a violation, since the controller should have obtained new consent for its promotional activities. Also, the fact that the controller itself asked for a single consent for 4 different purposes (marketing and profiling by both the controller and a potential third party) was in violation of the requirement for free and specific consent. Additionally, the DPA noted that the controller had taken insufficient steps to verify compliance with the GDPR, since it had not checked if the third party from which it received its calling list was acting in a GDPR-compliant manner. Therefore, the controller violated Articles 5(2), 24, 6 and 7 GDPR, as well as Article 130 of the code.

Second, the DPA determined that the controller was liable for the fact that no sample checks were carried out with respect to the contact details on the lists provided by company XX, despite the fact that the controller had entrusted another third party to do this for the controller. Pursuant to Article 5(2) GDPR, it was the controller's responsibility to make sure that measures were adopted to ensure GDPR compliance, which was not the case here, since people who had objected to marketing were still contacted. This resulted in a violation of Articles 5(2), 24(1), 24(2) and 25(1) GDPR.

Third, the DPA determined that the controller did not provide an easy way to object to the marketing campaign. The DPA confirmed that the data subject would have to contact both the controller and Company XX to be excluded from the processing. The data subject would have to object to the controller against the processing for the marketing campaign, which would last for around 3 months. However, to avoid being targeted again, the data subject would also have to object to the transfer of data between the controller and company XX. This resulted in a violation of Articles 12(2), 12(3) and 21(2) GDPR.

Fourth, the DPA held that there was a discrepancy between the processing being conducted by the controller and the information provided on its website and in its mobile application. The controller admitted that it was not sharing data with third parties and was not individually profiling data subjects. This resulted in a mismatch between the information provided by the controller and reality. It was likely to result in reasonable doubts as to what processing was actually carried out by the controller. This resulted in a violation of Articles 12 and 5(1)(a) GDPR.

Lastly, the DPA held that the controller failed to obtain free and specific consent for various processing activities, but in particular failed to obtain consent for marketing and profiling purposes. This resulted in violations of Articles 6, 7 and 12(1) GDPR, as well as Article 130 of the code.

After considering several aggravating and mitigating circumstances, the Italian DPA fined the controller €4,900,000 pursuant to Article 58(2)(i) GDPR. The controller was also ordered to make its several processing operations GDPR-compliant.

Comment

The DPA also investigated two other potential violations: the alleged lack of clarity of the relationship between company XX and the controller and the prolonged storage of the data of former clients of the controller. For both, the Italian DPA determined no violation and held that the controller was GDPR-compliant.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO: Newsletter of February 21, 2023



[doc. web no. 9856345]

Injunction, prescriptive and sanctioning measure against Edison Energia S.p.A. - December 15, 2022

Register of measures
no. 431 of 15 December 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46/CE (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000;

SPEAKER Prof. Pasquale Stanzione;

WHEREAS

1. THE INVESTIGATION ACTIVITY

On February 7, 8 and 9, 2022, this Authority having received several complaints and reports concerning promotional communications made in the interest of Edison Energia S.p.A. (hereinafter "Edison" or "Company"), an inspection was carried out at the registered office of the latter to verify, even more widely, the processing of personal data implemented by the Company for marketing and profiling.

With reference to the specific complaints received by the Authority, access was made to the Company's IT systems and documentary elements were acquired. As a result of the checks, the following emerged.

From the analysis of some grievances (files nos. 170029, 156738, 174827, 158850, 158736, 168114) it emerged that the calling number reported is not recorded in the Register of Communication Operators (so-called ROC), nor, therefore, is it immediately attributable to the sales network of the Company which has complained, however, of the undue use of the name "Edison" by unidentified subjects, in the context of unfair commercial practices. In this regard, the Company also represented that it had filed a complaint with the Judicial Authority in order to protect its good name, abusively used by third parties who, through fraudulent conduct, attempt to obtain an economic advantage and undermine its commercial reputation.

It has been verified that some users have been legitimately included in the Company's contact list on the basis of specific consents for marketing and communication of data to third parties (including Edison) acquired from other subjects, such as independent data controllers, on the occasion of the completion by the interested parties of data collection forms when registering on websites or participating in online prize competitions. Furthermore, the users thus acquired were not found on the corporate black list (the so-called "non-contactable list") (files nos. 175773, 174566, 166401).

In two cases (files nos. 152043 and 148318) the Company declared that one of the calling numbers indicated in the reports (no. 09818421192) is attributable to the XX call center (hereinafter «XX») which it uses, as data controller, for marketing activities. From the XX communication of February 10, 2022, produced upon release of the reserves of February 8, 2022, it is clear that this numbering would have been used “in the name and on behalf of Edison Energia S.p.A. from 22 June 2020 to 18 January 2021”. The contacts, complained of in the two reports in question, would have taken place precisely in the period indicated above and precisely on 25 June 2020, at 10.06 am and on 15 July 2020, at 1.34 pm. Furthermore, one of the two whistleblowers (XX) complained of receiving an unwanted promotional phone call made in the interest of Edison through the aforementioned user on March 11, 2020 at 7.50 pm, therefore in a period prior to the assignment of the number to XX.

In one case (file no. 165162) the contact complained of was the result of an incorrect conduct - according to the Company - of the telephone operator employed at an Edison (XX) call center.

With regard to file no. 170981 (report XX), it emerged that the interested party was contacted by the aforementioned XX (also appointed data processor) - to whom the calling number complained of in the complaint and registered in the Register of Communication Operators (so-called ROC) is attributable. This contact would have taken place on the basis of two separate consents to marketing and the transfer to third parties for their own promotional purposes given by the interested party on 10 February 2020 when registering on the XX website. From the documentation provided by the Company, upon release of the reservations dated 8 February 2022, it emerged that the website in question, owned by XX based in the Slovak Republic, would then be transferred, together with the related consents acquired, to XX (hereinafter «XX») which, due to the will expressed at the time by the interested party, would have included the latter's user name in the contact list, expiring on 27 November 2021, used for the promotional campaign from which the report in question arose. The user, on the date of acquisition of his data by XX, would have received a new information (with indication of the new owner), "without prejudice to the consents originally given to the previous owner". In the information that XX allegedly provided to interested parties registered on the XX website, Edison is indicated among the third party assignees of the data. Following the denial expressed by the whistleblower, the recipient number of the complained contacts was entered in the "non-contactable list" and recorded in Edison's Watson company system.

With reference to file no. 174167, from the documentation produced to release the reservations of February 8, 2022, it emerged that the complainant would have been contacted by an Edison call center (XX, as data processor), based on two specific consents to marketing and communication to third parties provided by the interested party on 21 May 2020 on the occasion of the registration of the same on the XX website managed by XX (hereinafter «XX») as independent data controller. In the information found on the aforementioned website, Edison was included in the list of third-party companies to which the data is communicated, accessible via a specific link.

In the present case, it emerged that the contact details of the complainant would have been communicated, on December 23, 2020, to Edison by XX (hereinafter «XX»), of which, however, it does not appear to have been defined, nor documented, the role in the processing in question: in particular, Edison would therefore have become the data controller "only for the period contractually envisaged by the user license granted by the company XX [...]" (from December 29, 2020 for 3 months). In this sense, in the communication of December 23, 2021, in response to the request for information from the interested party, Edison, while ensuring that it had removed the recipient number of the contacts complained of from the contact list, indicated the contact details of XX for the exercise of rights pursuant to articles 15 – 22 of the Regulation.

With reference to the promotional campaigns carried out for prospective users (not customers), the Company declared that it did not carry out sample checks of the numbers present in the lists acquired from its partners (list providers), specifying that it carried out accurate checks of the websites used for the collection of data, of the information provided by the supplier and of the consent for communication to third parties for direct marketing purposes (report of 7 February 2022, pp. 4 and 5).

Furthermore, the users of the prospective subjects who have expressed the wish not to be contacted again converge on a "non-contactable list" entered manually and made up, at the time of the assessment, of 29,872 numbers of which approximately 1400 attributable to fixed users. The list does not contain an indication of the date of the refusal, nor of the inclusion in the list, nor of the identity of the interested party, not allowing to ascertain the legitimacy of the promotional contacts and the correct management of the opposition made by the interested parties (report of 8 February 2022, p. 3).

It turned out that the Company - contrary to its policy (see Annex 15, to the supplementary acknowledgment dated 21 February 2022, sent to release the reservations) - currently keeps in the CRM, in the absence of a justification and in particular for the purpose of treatment currently carried out, the data of some customers who ceased working for over 11 years and who have not been subject to the anonymisation process, in particular: 6,087, of which 5,836 SMEs and 251 natural persons.

With reference to the refusal expressed by prospective users during promotional calls, the Company has provided conflicting feedback, in particular stating, initially, that this opposition is registered only for the current campaign (usually lasting three months) (minutes February 7, 2022 p. 5) to then declare to include the utilities - to which the refusal refers - in the "non-contactable list", in order to be able to exclude them from all subsequent campaigns (minutes February 8, 2022 p. 7).

An analysis of the documentation produced by the Company revealed that users contacted during the promotional campaign who express their wish not to receive further advertising calls are marked with the wording "Ref. Privacy law" which excludes any further contacts exclusively in relation to the campaign in progress, but also does not include "the withdrawal of privacy consent (the customer must express in writing the will to withdraw consent to the references that the operator will indicate by telephone via the sales script associated with the list supplier)" (Annex 4 to the minutes of February 8, 2022 - Watson Manual, Privacy outcome). Given this, if the interested party intends not to be contacted even for subsequent promotional campaigns, he must send a communication to the appropriate Company e-mail box or contact the list provider who acquired the personal data, as per the product call script at release of reserves.

During the assessment, by simulating the access and navigation procedure on the website www.edisonenergia.it and in the MyEdison App (which, moreover, has the same configuration as the Edison MySun App, released on the market in January 2022 and at the time of assessment not yet used), it was found that personal data of the interested parties are required (name, surname, tax code, mobile phone number and e-mail address), and that consent is acquired to the processing of personal data "for the purposes referred to under letters A and B” of the privacy information, referring jointly to promotional and profiling purposes; in particular, with this method, the consent to the profiling of 50,050 customers present in the CRM system was acquired (see Annex 13 "Customers permitted for profiling" to dissolve the reservation of 9 February 2022). The Company represented that the consent requested during registration on the website actually concerns exclusively the purposes related to the use of the service and not marketing or individual profiling activities (from which, however, prospect subjects are totally excluded). The Company has therefore specified that the described formulation of the acquisition of consent is the result of a typo, having instead to refer exclusively to the activities referred to in point C of the aforementioned privacy information, entitled "Purpose of registration and access to the Reserved Area of the site".

It was then noted that, if the contract is signed via the website, the privacy information is provided which identifies, among the purposes of the processing, marketing, profiling and communication of data to third parties. In this contractual context, for these purposes, the relative optional consents are required from the interested party, even though the Company has declared, also pursuant to art. 168 of the Code, not to currently carry out profiling or communication activities to third parties for marketing purposes. In particular, it specified that consent to profiling is, in reality, aimed at carrying out general internal analyses or segmentation by macro-criteria (geographical, age, available contacts) of the company CRM, in order to avoid mass promotional mailings (see minutes February 9, 2022, page 3; Annex 3 "Marketing criteria" to the said minutes), also because Edison does not have a sufficient number of customers and data referring to customers to carry out individual profiling.

Furthermore, to complete the registration on the website and on the MyEdison App, as mentioned above, it is necessary to provide consent "for the purposes referred to in letters A and B" of the privacy information, referring to promotional and profiling purposes. Therefore, the user's registration would appear to be conditional on the simultaneous release of a single consent for marketing and profiling purposes, even if the latter has not yet been carried out by the Company.

2. DISPUTING INFRINGEMENTS

With a note dated May 13, 2022 (ref. prot. n. 26377/22) the Company was notified of the start of the proceeding, pursuant to art. 166, paragraph 5, of the Code, for the adoption of any measures pursuant to art. 58, par. 2, of the Regulation, with which, on the basis of the elements acquired during the inspection activity and the subsequent additions received upon release of the reserves, Edison was charged with a possible violation of the following provisions of the Regulation:

2.1. (with regard to file no. 165162): articles 6, 7 and 13 of the Regulation as well as 130 of the Code as the contact was made in the absence of the interested party's informed consent;

2.2. (with regard to file no. 170981): articles 5, par. 2, 24, 14, 6 and 7 of the Regulation as well as 130 of the Code as personal data were acquired from a third party (XX), in turn already a transferee from XX, in the absence of suitable consent from the interested parties;

2.3. (with reference to file no. 174167): articles 5, par. 2, 24, para. 1, 14 and 28 of the Regulation, since the privacy role of XX (independent data controller or data processor) has not been defined in the context of the relationship with Edison and since the latter has not released its own information to the interested party;

2.4. articles 5, par. 2, 24, par. 1 and 2 and 25, par. 1 of the Regulations for having carried out promotional campaigns for prospective users without carrying out sample checks with respect to the individual numbers and, therefore, without implementing obligations regarding the protection of personal data (such as: information; consent; accuracy and quality of data), in contrast to the principles of privacy by design and accountability; these violations are also confirmed in relation to the incorrect management of the opposition made by prospective users included in a "non-contactable list" devoid of detailed elements (date of denial, inclusion in the list, identity of the interested party) which they do not allow for the correct reconstruction of methods and times for acquiring and withdrawing consent;

2.5. art. 5, par. 1, lit. b) and e) of the Regulation for having kept in the CRM the data of customers who ceased working for over 11 years and who have not been subject to the anonymization process, in possible contrast with the principles of purpose and limitation of retention;

2.6. art. 12 para. 2 and 3, 21, para. 2 of the Regulation for not having provided for direct and simplified procedures to allow the interested party to immediately exercise their right to object to the processing carried out for promotional purposes;

2.7. articles 12, par. 1, and 5, par. 1 lit. a) of the Regulation as some of the processing activities described in the information on the website www.edisonenergia.it and the MyEdison App (in particular, communication to third parties for direct marketing and profiling purposes) were not actually carried out by the Company, in possible violation of the obligation to provide transparent information that is effectively suitable for making interested parties aware of what is being done with their data;

2.8. articles 6 and 7 of the Regulation and 130 of the Code since the user's registration on the website www.edisonenergia.it and on the MyEdison App was subject to the simultaneous release of a single consent for marketing and profiling purposes; this consent, which is neither specific nor free, does not constitute an appropriate legal basis for the aforementioned treatments.

Furthermore, with the same communication dated May 13, 2022, the Company was asked to provide a copy of the complaint to the Judicial Authority against those subjects who allegedly used the Edison name illegally for their own promotional activities (see file no. 170029, 156738, 174827, 158850, 158736, 168114), as well as, with regard to the users contacted by the XX call-center (case numbers 152043, 148318), to produce documentation aimed at ascertaining compliance with the matter, with particular reference to origin of the personal data of the interested parties, the consent given by them and the information provided together with the call script used on the occasion of the complained contacts.

3. DEFENSIVE OBSERVATIONS AND ASSESSMENTS OF THE AUTHORITY

3.1. DEFENCE BRIEF

The Company, in exercising its right of defence, sent a brief on 13 June 2022 in which it replied to the findings raised by the Authority with the notice of dispute.

3.1.1. Edison initially claimed that it had taken legal action to defend its commercial, economic and image interests. This is due to an abusive use of its name by third parties who, through fraudulent conduct, attempt to obtain an economic advantage and undermine its consolidated reputation. In this sense, Edison, "as the party injured by such conduct, has not only set up its own internal working group, in order to monitor and deal with the problem", but has also initiated various lawsuits before the judicial authorities, both civil and criminal type, of which it provided documentation to the Guarantor "already on 9 February 2022" and which are understood to be referred to in full here. With the brief in question, the Company supplemented the documentation previously produced with the complaint filed with the Judicial Authority on July 27, 2018, against XX for illegitimate use of the Edison trademark.

3.1.2. With regard to the promotional contacts made by the XX call-center, in its capacity as data controller, the Company represented the impossibility of providing the evidence requested by the Authority (with reference to the origin of the data of the interested parties, the consent given by them, to the information provided) since, "in line with the Data Retention Policy, the personal data of prospective users who have exceeded the overall retention period of 15 months have been deleted from all company systems". It added that the contact involving Mr. XX (file no. 148318) cannot be attributed to Edison as it was carried out by a third party unrelated to the Company's official sales network.

With reference to the telephone contact that took place in the absence of the interested party's consent (see point 2.1 of the dispute), the Company confirmed the unlawful conduct perpetrated by a third party (specifically an employee of the XX call center, responsible for the treatment) "apart from any delegation and/or instruction given to it by Edison and/or by XX itself". In particular, it specified that this employee, who was "immediately fired", would have used, for the contact complained of, "tools completely unrelated to those provided by Edison [...] including his own personal telephone number (provided for re-contacting subjects callers)". In any case, added Edison, it would not have been possible to activate any contracts deriving from so-called "off the list" contacts as strictly inhibited by the technical system called Watson, available to all call centers operating on its behalf.

3.1.3. With reference to the personal data acquired from third party transferees of databases in the absence of suitable consent from the interested parties (see point 2.2 of the dispute), the Company, in referring to provision no. 460 issued by the Authority on 9 November 2017, invoked the exemption of this legal basis as the XX website, as well as the personal data collected therein, "were the subject of a business transfer from XX to XX and, therefore, articles 2558, 2559 and 2560 of the Civil Code apply, the buyer taking over the position of the transferor by law connected to the management of the company sold, without the need for any specific consent". The communication to Edison of the data by XX, therefore, appears to be a legitimate communication due to the acquired consent to the transfer of personal data to third parties indicated in the disclosure of the XX site "both as issued by XX and as subsequently provided, in total continuity of ends and modalities, from the successor XX".

3.1.4. With reference to the dispute referred to in point 2.3, the Company described the activity of aggregation of lists, coming from different suppliers, carried out by XX which, on February 27, 2020, was designated by Edison as external manager of the processing of personal data (of which a formal act of appointment was produced). This provision, in the perspective outlined by the Company, would have explained the transfer of data from XX (owner of the XX website from which the two distinct consents to marketing and communication to third parties would have been acquired) to Edison through XX. In particular, the Company clarified that "the aggregation activity is therefore carried out on the indication and mandate of Edison, which receives [...] from XX the comprehensive and cleaned list [of duplications] to carry out its marketing activities".

3.1.5. The Company, in response to the complaint referred to in point 2.4, confirmed the contents expressed during the inspection, declaring that it carries out punctual checks of the websites from which it acquires personal data, with particular reference to the privacy information released by the supplier and to the "correctness of the consents, in order to ascertain the legitimate transfer", but not to carry out random checks of the numbers present in the lists provided by its partners. With regard to this last profile, while reiterating that it did not put in place "specific internal formal procedures for random checking of the data being acquired", it specified that it had contractually appointed, as early as December 2021, a third party company to carry out activities of this type, "with a view to greater control and accountability". In confirmation of this, it attached the relative contractual documentation to the defense brief.

3.1.6. With regard to the management of the denial expressed by prospective users during promotional contacts (point 2.6 of the dispute), the Company represented the following:

"Where the interested party signals the desire not to be contacted by Edison for commercial purposes, the related telephone number [...] is reported on the Watson system as "Ref to the Privacy Law". This activity means that the telephone number reported will no longer be the object of contact for the campaign in progress". However, in order to exclude the user concerned also from subsequent promotional campaigns, the Company, "starting from mid-September 2021", has planned to extract from the company system the list of telephone numbers identified with the term "Ref Privacy Law" and make it merge into the "non-contactable list" "used for the deduplication of the lists acquired and aimed at subsequent campaigns". Furthermore, the Company, by not registering any prospect data on its corporate system, intended to ensure the complete exercise of the right to the interested parties ("assuming that the subject [...], at the time of the refusal not only does not intend to be contacted during the single campaign but generally does not intend to receive further commercial communications from Edison"). Finally, the "non-contactable list" - which, with the indication of the telephone number only, guarantees the principle of data minimization - will be fed with information suitable for limiting denials, thanks to an additional system, currently in an experimental phase which will replace the current one.

3.1.7. With reference to the dispute referred to in point 2.5, the Company clarified the reasons, mostly of a contentious nature, underlying the retention in the CRM of the data of customers terminated for over 11 years, specifying that only 8 of them will be subject to anonymization in June 2022, having resolved its debt situation.

3.1.8. In response to the disputed findings in points 2.7 and 2.8, Edison reiterated that the consent required during registration on the website www.edisonenergia.it and the MyEdison App regards contractual purposes, connected to the use of the service, and that the indication, in its formulation, of "purposes referred to in letters A and B" of the privacy information, attributable to promotional and profiling activities, would be the result of a "mere typo". It highlighted that the text of the consent was promptly corrected following the verification carried out during the inspection. Moreover, "the incorrect wording was present for a limited period of time, from September 2021 to February 2022". In any case, the release of consent, by affixing the flag at the end of the registration procedure, did not produce any results in the company CRM.

Furthermore, the Company confirmed that profiling would not currently be carried out, in consideration of the scarcity of data and consents collected, and would essentially consist of a "basic analysis activity, segmenting customers by macro category". However, any increase in data and marketing consents would allow Edison "to carry out more specific and precise analyses" in order "to send advertising material [...] more in line with customer preferences and needs". This setting can also be extended to the communication of data to third parties for direct marketing purposes of the Company since, although "commercial partnership activity" is not currently feasible given "the extent of consents collected up to now", "[Edison's] objective is to establish a numerically sufficient base of consents to transfer" for this purpose. Therefore, there is no discrepancy between the formal plan, relating to the treatments declared in the information on the site and the App, and the factual one that the Authority has decided to contest.

3.2. LEGAL ASSESSMENTS

With reference to the factual profiles highlighted above, also on the basis of the Company's statements, for which the declarant is liable pursuant to art. 168 of the Code, the following legal assessments are formulated.

The main argument presented by the Company in defense of its position, through the reference to an undue use of its name (see point 3.1.1), is supported by the documentation accompanying the memorandum dated June 13, 2022, which shows the implementation of misconduct by third parties to take customers away from Edison. In the circumstances reported, the users contacted were given false and misleading information to the detriment of Edison in order to encourage switching to another electricity supplier, with consequent economic repercussions on the Company, in addition to "the irreparable damage to its image and brands and distinctive signs".

We acknowledge what Edison declared and documented in relation to telephone contacts made from numbers not attributable to the official sales network. Indeed, the technical system known as "Watson" described by the Company appears suitable for curbing the phenomenon of illicit contacts and unwanted promotional calls from parties outside Edison's commercial network. This system, "made available to all call centers operating for Edison, [...] does not allow the contracting of parties deriving from so-called "off the list" calls". Ultimately, the centralization of contracts appears, at least abstractly, suitable for establishing an operational and logical connection between the promotional phase and the subsequent contract registration phase and, therefore, for excluding that contracts then recorded in Edison's databases may derive from promotional contacts made outside the Company's sales network (see provision Sky Italia S.r.l., September 16, 2021, n. 332, web doc. n. 9706389).

With reference to the contacts made by the XX call center (see point 3.1.2), it should be noted that the Company's lack of material availability of documentation suitable for proving the obligations regarding the protection of personal data, given the cancellation from the databases of all the personal data that have exceeded a retention period of 15 months, did not allow this Authority to ascertain the legal basis that would have legitimized the unwanted promotional telephone calls complained of in the reports. Therefore, in the light of what is in the documents, it is not possible to attribute objective and subjective responsibility with certainty for the conduct complained of in the reports relating to the lawfulness of the processing in question.

We believe we can take note of what was declared by the Company regarding the telephone contact that took place in the absence of the consent of the interested party and was the result of an independent initiative perpetrated by a third party (point 3.1.2 of the defense briefs), noting that this conduct concerned an isolated case and that the Company itself has provided suitable assurances on the impossibility that such cases could recur, having implemented a system of inhibition of any contracts with the so-called "off the list" in the terms described in the defensive arguments, which allows the contested critical issues to be overcome.

With reference to point 3.1.3 of the defense brief, based on the analysis of the documentation produced with specific regard to the "XX" website of the Slovak company, XX, later allegedly acquired by XX, the following is highlighted:

a) with regard to the fulfillment of the information, to be issued pursuant to art. 14 of the Regulation - on the basis of the telephone script provided by Edison, complete with references to the origin of the data, the purposes of the processing, the methods of exercising the rights, pursuant to articles 15 - 22 of the Regulation, as well as to the corporate website where the complete information can be found - it is deemed necessary to file the relative dispute;

b) in relation to the fulfillment of the consent, in the first box proposed to the user in the relevant registration form, a single expression of will is required for the contractual conditions and, without distinction, for all the various consents to the processing of personal data ("I accept the conditions referred to in the Regulation and all the consents referred to in the privacy policy"). This formulation obviously forces the interested party, in order to participate in the gift certificate initiative, to also accept the treatments for as many as four different purposes (marketing of the Company that owns the site; profiling by the same; communication to third parties for their promotional purposes; profiling by the same third parties), for a total of five consents, including the first single consent. The configuration in question, therefore, determines an illegitimate acquisition of data due to the violation of the obligation of a free and specific consent; the collection of separate consents carried out through the boxes below is not relevant and in any case conflicts with the first form of collection;

c) the log file that the Company has produced in support of the defense briefs does not allow for a reconstruction of the consents such as to overcome the criticality highlighted in the previous point;

d) however, the defect of such consents, including that relating to the communication of data to third parties – originally acquired by the company XX – also affects the validity of the treatments implemented by XX, as transferee of the company, as well as of the treatments carried out by Edison, as transferee of the data. Given this, the picture outlined by Edison is without foundation and the disputed violation must be confirmed.

Therefore, in the present case, it is represented that the use, by the Company, of lists of personal data obtained from a third party, in turn transferee of such personal data on the basis of a flawed consent issued to the initial data controller, would have made it necessary for Edison to request and acquire a new consent to its promotional activity (see: Guidelines on promotional activity and the fight against spam - provision July 4, 2013, web doc. n. 2542348; provision 22 May 2018, web doc. n. 8995274; provision 11 December 2019, web doc. n. 9244365; provision 12 November 2020, web doc. n. 94856801; provision 13 May 2021, web doc. n. 9670025; provision 16 September 2021, web doc. n. 9706389).

Furthermore, it should be noted that Edison's conduct, as already mentioned in the dispute, is in conflict with the principle of accountability since the Company does not appear to have taken care, as necessary, of verifying the actual compliance with the legislation of the consents acquired from the supplier.

In light of the above, it is confirmed that Edison Energia S.p.A. has violated articles 5, par. 2, 24, 6 and 7 of the Regulation, as well as 130 of the Code; violation which, moreover, involved a significant number of users (amounting to 66,771).

With reference to point 3.1.4 of the brief, it should be noted that the arguments put forward by the Company are mainly based on the role played by XX, as external manager of the processing of personal data, in the relationship with Edison. In particular, XX, in its role as list aggregator on behalf of Edison, would act as a mere intermediary in the process of transmitting data from the various list providers to the Company. In the deed of appointment as data processor, produced in support of the defense brief, it emerged that the subjects of the transfer to Edison were the personal data acquired from the databases of third-party companies with which XX allegedly stipulated regular contracts, of which, however, no evidence was produced. In order to go beyond the formal data and concretely qualify the roles and responsibilities of the subjects involved, not being able to have the contracts signed by XX with the various list providers, the position taken by the parties in the processing in question must be considered sufficiently clarified: the communication of data to Edison, legitimized by the legal basis of the consent of the interested parties, is carried out by XX, as independent data controller, through XX (as manager designated by Edison). Furthermore, in the information found on the XX website, managed by XX, Edison is included in the list of third-party companies to which the data is communicated.

This means that the transfer of the lists from XX to Edison, through the mediation of XX, would appear to avoid the so-called "double passage" from one owner to another, which in the context of the dispute it was considered necessary to censure. Therefore, Edison's arguments regarding the exercise of the right of defense are accepted, which lead to the dismissal of the dispute regarding the violation of articles 5, par. 2, 24, para. 1, 14 and 28 of the Regulation.

With regard to point 3.1.5 of the defense brief concerning the activity of verifying the numbers present in the lists acquired from the partners, entrusted by Edison to a third party company, from the reading of the relative contract, concerning, in particular, "the provision of services support to the control activities on Teleselling suppliers", it emerged that the verifications of the contactable numbers provided by the partners would concern "5% of the estimated contracts concluded through teleselling operations (about 9000), equal to a maximum of 450 contracts, divided equally among the Suppliers". It can be deduced that the control over the users to be contacted for marketing purposes is carried out only after the telephone contact has been made and the contracts concluded through teleselling operations have been signed.

Therefore, the absence of preventive sample checks - with respect to the individual numbers - contested in point 2.4 of this provision is confirmed. The lack of this fulfillment and of the related checks on the consent acquired by the supplier, not only appears to be an inappropriate setting to guarantee an adequate level of compliance with the relevant legislation, in particular according to the principles of privacy by design and accountability, but raises doubts also with regard to the management of all additional utilities acquired from suppliers and used in the Company's promotional activity. Indeed, it must be considered that the anomalies and violations as identified above do not concern episodic conduct but "system" settings that are replicated on the occasion of the numerous contacts made by the Company, in particular operated through the acquisition of personal data lists from third parties and carried out, therefore, in violation of the provisions on consent, accountability and privacy by design.

The verification of the websites from which the data is collected - which the Company claims to carry out constantly before each promotional campaign - while potentially useful for preventing the undue circulation of personal data, cannot however replace the absence of checks on the numbers provided by the partners, and therefore cannot be considered sufficient to consider the conduct of the Company non-reproachable. Edison's responsibility must therefore be confirmed for the violation pursuant to articles 5, par. 2, 24, par. 1 and 2 and 25, par. 1, of the Regulation.

In its defense briefs (see point 3.1.6) the Company has expressed its commitment to implement some corrective measures, such as for example activating a system, currently in the testing phase, which allows for inclusion in the "non-contactable list", in addition to the telephone number, of all the additional information elements suitable for correctly reconstructing the will of the interested parties. The list currently made up of the indication of only the "non-contactable" telephone number does not appear to be an adequate solution for managing the right of opposition of the interested parties and does not allow us to understand when and how the interested party has given consent and when and how it was revoked. The circumstance outlined by the Company of being able in any case to trace the date of inclusion of the personal data in the list in question, by cross-referencing the communications (e-mail) exchanged with the interested parties, in addition to representing a considerable distraction of time and resources (considering, moreover, the 29,872 registered numbers), is in contrast with the aforementioned principles of accountability and privacy by design, also with reference to the requests of the interested parties, pursuant to articles 15 - 22 of the Regulation, and/or the investigations carried out by this Authority.

It has been highlighted several times that the new principles dictated by the Regulation frame the competences of the data controller in an accountability perspective and impose proactive and coherent behaviors on all those involved in the processing of personal data with the aim of proving, at every stage, the lawfulness of the same treatments. It is therefore up to the data controller to adopt measures of particular guarantee in order to demonstrate that the contracts and activations registered in its systems originate from contacts made in full compliance with the provisions on the protection of personal data (see provision n. 143 of 9 July 2020, web doc. n. 9435753; "Provision on electoral propaganda and political communication", 18 April 2019, web doc. n. 9105201; provision n. 363, 22 May 2018, web doc. n. 8995274; general provision on spamming, 29 May 2003, web doc. n. 29840). Similarly, the data controller is obliged to demonstrate that it has adequately recorded and contextualized the refusals expressed by the interested parties to receive further promotional communications, a circumstance which does not apply in the present case.

In the light of the above, the violation of articles 5, par. 2, 24, par. 1 and 2 and 25, par. 1, of the Regulation is confirmed.

The method described in point 3.1.6 of the defense brief, with which the opposition of the interested parties to being contacted also for future promotional campaigns is definitively recorded, does not appear to be regulated in any of the documents produced by the Company, either in the inspection phase or subsequently in the defence. The documentation provided during the inspection - which is summarized below, subject, however, to the full and complete reference to what has already been reported in point 1 of the provision - outlines a different picture from what was later stated by the Company in the defense brief: the name "Ref to the Privacy Law", which identifies the users associated with the denials expressed, takes effect only for the duration of the promotional campaign in progress, since the interested party can also oppose subsequent campaigns by sending a specific communication to Edison and the data controller who has acquired the personal data, as confirmed by the call scripts produced to resolve the reservations. This - by not making the data subject's request for cancellation unequivocal to a specific data controller and in this sense requiring a double pass to Edison and the list provider to see this request definitively satisfied - does not allow for an easy and rapid exercise of the right to opposition, as prescribed by art. 21, par. 2, of the Regulation. Furthermore, the fact that the users identified with the name "Ref of the Privacy Law" are included in the "non-contactable list" to be excluded from subsequent promotional campaigns is part of a defensive discourse devoid of supporting evidence and which does not allow overcoming the critical issues that have emerged in the deed of contestation, also because this operation renders the proposed original approach redundant and substantially useless.

Therefore, having acquired full proof of Edison's responsibility for the disputed charges, the violation, referred to in point 2.6, of art. 12, par. 2 and 3, as well as art. 21, par. 2, of the Regulation is confirmed.

With reference to the objection referred to in point 2.5, relating to the prolonged retention of data of customers who have ceased for more than 11 years, Edison's arguments are accepted within the scope of the exercise of the right of defense and the filing proceeds with regard to the violation of the art. 5, par. 1, lit. b) and e) of the Regulation.

The Company has provided conflicting feedback regarding the processing of personal data carried out through the website www.edisonenergia.it and the MyEdison App (point 3.1.8 of the defense brief). In particular, Edison has declared, also pursuant to art. 168 of the Code, that the consents to marketing and profiling, acquired during registration on the site, do not generate any results in the company CRM. This circumstance is contradicted both by the statements made during the inspection and by the documentation produced upon release of the reservations. In fact, during the inspection, an employee of Edison for the "Digital Channels" sector clearly stated that "for non-customers, the site does not collect consent for marketing and profiling activities. On the other hand, these consents are collected for the company's customers" with respect to which "the valuation of the consents is automatically reported in the CRM" (for more complete information, please refer to the report of operations carried out on 9 February 2022). In addition, the "number of customer users present on the CRM system who have given their consent to profiling" amounts to 50,050 (see attachment no. 13 "Customers permitted for profiling", resolving the reservation of 9 February 2022), so the circumstance described by the Company regarding the scarcity of the data and consents collected cannot be accepted. Furthermore, based on the declarations made in the defense brief, this purpose is potentially pursued only in the face of a greater availability of data accompanied by specific consents. In other words, therefore, at present, the data collected by Edison for profiling purposes are used to carry out general internal analyses and, only in the future, will constitute useful material for profiled marketing, provided that there is an increase in adhesions.

Similarly, the communication of data to third parties for direct marketing purposes, for which specific consent is required when signing the contract via the website, while configuring an objective of the Company, is not currently carried out due to the extent of the consents collected to date.

Therefore, since, upon explicit admission by the Company, the purposes of individual profiling and communication of data to third parties are not pursued, the disconnect between the formal plan - relating to the information on the site and the App as well as those issued with the signing of supply contracts - and the factual plan of activities, is capable of generating reasonable doubts as to what the actual treatments carried out by Edison are.

In this regard, the Guarantor has repeatedly articulated the principle of transparency as an easy understanding of the information message, with specific regard to the methods and purposes of the processing, corresponding not only with the consents requested but, even before that, with the purposes actually pursued. There is a need for correspondence between the information pursuant to art. 13 of the Regulation and the treatments actually put in place, in order to fully implement also art. 12 of the Regulation, namely precisely the principle of transparency, which arises as a fundamental and innovative criterion of legitimacy of the processing itself (see provision n. 7 of 15 January 2020, web doc. n. 9256486).

Furthermore, it must be reiterated that the provisions of the Regulation (art. 4, point 11 and recital no. 32), in line with the previous regulatory framework, configure consent as a complex case in which the element of the expression of the will of the interested party must necessarily be related to the completeness of the information on the treatment provided by the data controller. It follows that in the absence of suitable information on the treatment, as in the present case noted in paragraphs 2.7 and 2.8, the expression of will of the interested parties is also irreparably flawed and unsuitable to constitute a condition of lawfulness for the treatment itself. Furthermore, the violation of the freedom of the interested parties is even more aggravated by the fact that the user's registration on the website and the MyEdison App is subject to the release of a single consent for marketing and profiling purposes (same configuration for the Edison App MySun, not yet in use but released on the market in January 2022). This operation involved the acquisition of a large number of personal data merged into the company CRM (related to 50,050 users who have given their consent for profiling purposes).

It should be reiterated here that the users' capacity for self-determination is not respected when the effective and conscious freedom of choice regarding the processing of their data is not ensured and this defect of legitimacy is relevant for the purposes of the applicability of violations of the legislation on the matter of data protection (in particular that relating to free and specific consent), regardless of whether or not the proposed processing activities are carried out (see provision "Online services: request for "obligatory" consent for promotional purposes" - 27 October 2016, web doc. n. 5687770; provision 12 June 2019, web doc. n. 9120218).

It should also be noted that even the mere retention of personal data constitutes a complete processing operation. Therefore, once consent has been acquired for marketing and profiling purposes and the related data has been collected, the processing must be considered fully implemented even where the data are merely retained, pending new circumstances that make possible the further operations aimed at marketing and profiling.

In the light of the above, the existence of the disputed violation of articles 12, par. 1 and 5, par. 1, lit. a) of the Regulation is confirmed.

The violation of articles 6, 7 and 12, par. 1, of the Regulation, as well as of art. 130 of the Code, is also considered established, for not having acquired a free and specific consent of the interested parties for the various processing activities (in particular marketing and profiling).

4. CONCLUSIONS

In view of the above, Edison's responsibility for the following violations of the Regulation is deemed to have been established:

- art. 5, par. 1, lit. a) and 2;

- articles 6 and 7;

- art. 12, par. 1, 2 and 3;

- art. 21, par. 2;

- art. 24, par. 1 and 2;

- art. 25, par. 1,

and the violation of the art. 130 of the Code.

Once the unlawfulness of the Company's conduct described above has been ascertained, it is necessary:

- pursuant to art. 58, par. 2, lit. f) of the Regulation, prohibit any further processing for promotional purposes carried out through lists of personal data of third parties who have not acquired from the interested parties a free, specific and informed consent to the communication of their data to Edison, pursuant to articles 6 and 7 of the Regulation as well as 130 of the Code;

- pursuant to art. 58, par. 2, lit. d), of the Regulation, to enjoin the Company, if it intends in the future to direct the promotional activity towards telephone numbers provided by third parties, to adopt suitable procedures aimed at constantly verifying, also by means of adequate sample checks, that the personal data are processed in the full compliance with the provisions on the subject (preventive acquisition of a free, specific, unequivocal, documented, as well as informed, consent of the interested parties for the sending of commercial communications), pursuant to articles 6, 7 and 13 of the Regulation as well as 130 of the Code;

- pursuant to art. 58, par. 2, lit. d) of the Regulation, enjoin Edison to facilitate the exercise of the rights established by the legislation on the protection of personal data and to satisfy, without unjustified delay, the related requests, including the right to object which can be advanced "at any time" by the interested party; to clearly indicate, already in the call script, the owner to whom the request for deletion of personal data must be addressed and who will definitively do so, pursuant to articles 6, 7 and 13 of the Regulation as well as 130 of the Code;

- pursuant to art. 58, par. 2, lit. f) of the Regulation, prohibit the processing of personal data collected without the necessary prior informed, free and specific consent of the interested parties in relation to the marketing and profiling activity, pursuant to articles 6, 7 and 12 of the Regulation as well as 130 of the Code;

- pursuant to art. 58, par. 2, lit. d) of the Regulation, to order that interested parties be provided with suitable information which indicates the processing operations actually carried out by Edison (articles 12 and 13 of the Regulation);

- with regard to treatments already carried out and with dissuasive purposes, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to articles 58, par. 2, lit. i) and 83, par. 4 and 5, of the Regulation.

5. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

The violations confirmed above require the adoption of an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of the law n. 689/1981, for the application against Edison Energia of the pecuniary administrative sanction provided for by art. 83, par. 4 and 5, of the Regulation. However, as various provisions of the Regulation and of the Code have been infringed in relation to connected treatments carried out by the Company for marketing purposes, art. 83, par. 3, of the Regulation applies, according to which, "if, in relation to the same treatment or related treatments, a data controller violates, with willful misconduct or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation", thus absorbing the least serious violations. Specifically, the aforementioned violations - also having as object the exercise of the rights of the interested parties (articles 12 and 13 of the Regulation) - are to be attributed, pursuant to art. 83, par. 3, of the same Regulation, to the context of the most serious violation, with consequent application of the sanction provided for in art. 83, par. 5, of the Regulation.

To determine the amount of the sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, paragraph 1), it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation.

In the present case, the following must be considered as aggravating circumstances:

1. the high number of subjects involved in the disputed processing (letter a): 66,771 (users registered on the XX website for whom specific consent has not been acquired for the communication of data from XX to Edison); 50,050 (customers present in the CRM for which a single consent has been acquired for marketing and profiling purposes, even if the latter is not actually carried out); 29,872 (the utilities of prospective subjects included in the "non-contactable list" without suitable elements to substantiate the will of the interested parties and, therefore, to ascertain the legitimacy of the promotional contacts);

2. the seriousness of the violations detected (letter a) with particular reference to the absence of sample checks of the contact numbers provided by the partners, the inadequate management of the right of opposition of the interested parties, as well as the unsuitability of the information provided on the website and on the MyEdison App;

3. the negligent nature of the conduct (letter b), given that the Company's presence on the market for many years should have allowed it to acquire sufficient experience and expertise to adopt basic choices more compliant with the regulatory provisions;

4. the non-conformity of the Company's conduct with respect to the consistent regulatory activity of the Authority in the field of marketing (letter k), with particular reference to information and consent;

5. the overall assessment of the Company's economic capacity, taking into consideration the latest available corporate turnover (4,900,439,466 euros, as resulting from the 2022 VAT return relating to the 2021 tax period) (letter k).

As mitigating elements, it is considered necessary to take into account:

1. the absence of previous proceedings initiated against the Company (letter e);

2. the fact that the Company promptly took action with the judicial authorities to counter the phenomenon of abusive telemarketing by third parties (letter k);

3. the timely adoption of corrective measures, some of which started immediately after the conclusion of the inspections (letter f);

4. the adoption, even before the inspection, of measures aimed at avoiding "off-list" contacts with the centralization of contracts through the "Watson" system (letter k);

5. the high degree of cooperation in interaction with the Supervisory Authority (letter f), such as to make it easier, despite the size of the Company and the complexity of the processing, to carry out the investigation activities, especially in the delicate period of emergency;

6. the serious socio-economic crisis and its effects on the trend of employment (letter k).

Based on the set of elements indicated above, in application of the aforementioned principles of effectiveness, proportionality and dissuasiveness pursuant to art. 83, par. 1 of the Regulation, also taking into account the necessary balance between the rights of the interested parties and the freedom to conduct a business, also in order to limit the economic impact of the sanction on the organisational, functional and employment needs of the Company, it is believed that the administrative sanction of the payment of a sum of Euro 4,900,000.00 (four million nine hundred thousand), equal to 0.1% of the last available turnover, should be applied to Edison, also taking into consideration other similar cases.

In the case in question, it is believed that the ancillary sanction of publication on the Guarantor's website of this provision should also be applied, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019, taking into account the subject matter of the preliminary investigation, namely the phenomenon of unwanted marketing, with respect to which this Authority has adopted numerous measures both of a general nature and aimed at specific data controllers and on which the attention of the 'user.

Please note that pursuant to art. 170 of the Code, anyone who fails to comply with this provision prohibiting processing is punished with imprisonment from three months to two years and, in the event of non-compliance with the same provision, the sanction referred to in art. 83, par. 5, lett. e) of the Regulation also applies.

Finally, the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation.

ALL THAT BEING CONSIDERED, THE GUARANTOR

a) pursuant to art. 57, par. 1, lit. f), of the Regulation, declares the processing carried out by Edison Energia S.p.A., with registered office in Via Foro Buonaparte 31, 2012 Milan, VAT no. 08526440154;

b) pursuant to art. 58, par. 2, lit. f) of the Regulation, prohibits any further processing for promotional purposes carried out through lists of personal data of third parties who have not acquired from the interested parties a free, specific and informed consent to the communication of their data to Edison, pursuant to articles 6 and 7 of the Regulation as well as 130 of the Code;

c) pursuant to art. 58, par. 2, lit. d) of the Regulation, enjoins the Company, if it intends in the future to direct the promotional activity towards telephone numbers provided by third parties, to adopt suitable procedures aimed at constantly verifying, also by means of adequate sample checks, that personal data are processed in full compliance with the provisions on the subject (preventive acquisition of a free, specific, unequivocal, documented, as well as informed, consent of the interested parties for the sending of commercial communications), pursuant to articles 6, 7 and 13 of the Regulation as well as 130 of the Code;

d) pursuant to art. 58, par. 2, lit. d) of the Regulation, enjoins Edison to facilitate the exercise of the rights established by the legislation on the protection of personal data and to satisfy, without unjustified delay, the related requests, including the right to object which can be advanced "at any time" by the interested party; to clearly indicate, already in the call script, the owner to whom the request for deletion of personal data must be addressed and who will definitively do so, pursuant to articles 6, 7 and 13 of the Regulation as well as 130 of the Code;

e) pursuant to art. 58, par. 2, lit. f) of the Regulation, prohibits the processing of personal data collected without the necessary prior informed, free and specific consent of the interested parties in relation to the marketing and profiling activity, pursuant to articles 6, 7 and 12 of the Regulation as well as 130 of the Code;

f) pursuant to art. 58, par. 2, lit. d) of the Regulation, enjoins that interested parties be provided with suitable information which indicates the processing operations actually carried out by Edison (articles 12 and 13 of the Regulation);

g) pursuant to art. 157 of the Code, enjoins the Company to notify the Authority, within 45 days of notification of this provision, of the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the administrative fine provided for by art. 83, paragraph 5, of the Regulation.

ORDER

pursuant to art. 58, par. 2, lit. i), of the Regulation, to Edison Energia S.p.A., in the person of its legal representative, to pay the sum of euro 4,900,000.00 (four million nine hundred thousand), by way of administrative fine for the violations indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of EUR 4,900,000.00 (four million nine hundred thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive deeds pursuant to art. 27 of the law n. 689/1981;

PROVIDES FOR

as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and of the art. 16 of the Regulation of the Guarantor n. 1/2019, the publication on the Guarantor's website of this provision and, pursuant to art. 17 of the Regulation of the Guarantor n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation, of the violations and of the measures adopted.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal lodged with the ordinary court of the place where the owner of the processing of personal data has his residence, or, alternatively, with the court of the place of residence of the interested party, within the term of thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 15 December 2022

THE PRESIDENT
Stanzione

THE SPEAKER
Stanzione

THE SECRETARY GENERAL
Mattei



SEE ALSO: Newsletter of February 21, 2023



[doc. web no. 9856345]

Injunction, prescriptive and sanctioning measure against Edison Energia S.p.A. - December 15, 2022

Register of measures
no. 431 of 15 December 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000;

SPEAKER Prof. Pasquale Stanzione;

WHEREAS

1. THE INVESTIGATION ACTIVITY

On February 7, 8 and 9, 2022, several complaints and reports having been received by this Authority concerning promotional communications made in the interest of Edison Energia S.p.A. (hereinafter "Edison" or "Company"), an inspection was carried out at the registered office of the latter to verify, more broadly, the processing of personal data implemented by the Company for marketing and profiling.

With reference to the specific complaints received by the Authority, access was made to the Company's IT systems and documentary elements were acquired. As a result of the checks, the following emerged.

From the analysis of some grievances (files nos. 170029, 156738, 174827, 158850, 158736, 168114) it emerged that the calling number reported is not recorded in the Register of Communication Operators (so-called ROC), nor, therefore, is it immediately attributable to the sales network of the Company, which has complained, however, of the undue use of the name "Edison" by unidentified subjects, in the context of unfair commercial practices. In this regard, the Company also represented that it had filed a complaint with the Judicial Authority in order to protect its good name, abusively used by third parties who, through fraudulent conduct, attempt to obtain an economic advantage and undermine its commercial reputation.

It has been verified that some users have been legitimately included in the Company's contact list on the basis of specific consents for marketing and communication of data to third parties (including Edison) acquired from other subjects, such as independent data controllers, on the occasion of the completion by the interested parties of data collection forms when registering on websites or participating in online prize competitions. Furthermore, the users thus acquired were not found on the corporate black list (the so-called "non-contactable list") (files nos. 175773, 174566, 166401).

In two cases (files nos. 152043 and 148318) the Company declared that one of the calling numbers indicated in the reports (no. 09818421192) is attributable to the XX call center (hereinafter «XX») which it uses, as data controller, for marketing activities. From the XX communication of February 10, 2022, produced upon release of the reserves of February 8, 2022, it is clear that this numbering would have been used "in the name and on behalf of Edison Energia S.p.A. from 22 June 2020 to 18 January 2021". The contacts, complained of in the two reports in question, would have taken place precisely in the period indicated above and precisely on 25 June 2020, at 10.06 am and on 15 July 2020, at 1.34 pm. Furthermore, one of the two whistleblowers (XX) complained of receiving an unwanted promotional phone call made in the interest of Edison through the aforementioned user on March 11, 2020 at 7.50 pm, therefore in a period prior to the assignment of the number to XX.

In one case (file no. 165162) the contact complained of was the result of an incorrect conduct - according to the Company - of the telephone operator employed at an Edison (XX) call center.

With regard to file no. 170981 (report XX), it emerged that the interested party was contacted by the aforementioned XX (also appointed data processor) - to whom the calling number complained of in the complaint and registered in the Register of Communication Operators (so-called ROC) is attributable. This contact would have taken place on the basis of two separate consents to marketing and the transfer to third parties for their own promotional purposes given by the interested party on 10 February 2020 when registering on the XX website. From the documentation provided by the Company, upon release of the reservations dated 8 February 2022, it emerged that the website in question, owned by XX based in the Slovak Republic, would then be transferred, together with the related consents acquired, to XX (hereinafter «XX») which, due to the will expressed at the time by the interested party, would have included the latter's user name in the contact list, expiring on 27 November 2021, used for the promotional campaign from which the report in question arose. The user, on the date of acquisition of his data by XX, would have received new information (with indication of the new owner), "without prejudice to the consents originally given to the previous owner". In the information that XX allegedly provided to interested parties registered on the XX website, Edison is indicated among the third party assignees of the data. Following the denial expressed by the whistleblower, the recipient number of the complained contacts was entered in the "non-contactable list" and recorded in Edison's Watson company system.

With reference to file no. 174167, from the documentation produced to release the reservations of February 8, 2022, it emerged that the complainant would have been contacted by an Edison call center (XX, as data processor), based on two specific consents to marketing and communication to third parties provided by the interested party on 21 May 2020 on the occasion of the registration of the same on the XX website managed by XX (hereinafter «XX») as independent data controller. In the information found on the aforementioned website, Edison was included in the list of third-party companies to which the data is communicated, accessible through a specific link.

In the present case, it emerged that the contact details of the complainant would have been communicated, on December 23, 2020, to Edison by XX (hereinafter «XX»), whose role in the processing in question, however, does not appear to have been defined or documented: in particular, Edison would therefore have become the data controller "only for the period contractually envisaged by the user license granted by the company XX [...]" (from December 29, 2020 for 3 months). In this sense, in the communication of December 23, 2021, in response to the request for information from the interested party, Edison, while ensuring that it had removed the recipient number of the contacts complained of from the contact list, indicated the contact details of XX for the exercise of rights pursuant to articles 15 – 22 of the Regulation.

With reference to the promotional campaigns carried out for prospective users (not customers), the Company declared that it did not carry out sample checks of the numbers present in the lists acquired from its partners (list providers), specifying that it carried out accurate checks of the websites used for the collection of data, of the information provided by the supplier and of the consent for communication to third parties for direct marketing purposes (report of 7 February 2022, pp. 4 and 5).

Furthermore, the numbers of the prospective users who have expressed the wish not to be contacted again converge on a "non-contactable list" entered manually and made up, at the time of the assessment, of 29,872 numbers, of which approximately 1400 are attributable to fixed users. The list does not contain the date of the refusal, the date of inclusion in the list or the identity of the interested party, and therefore does not allow the legitimacy of the promotional contacts and the correct management of the opposition made by the interested parties to be ascertained (report of 8 February 2022, p. 3).

It turned out that the Company - contrary to its policy (see Annex 15 to the supplementary acknowledgment dated 21 February 2022, sent to release the reservations) - currently keeps in the CRM, in the absence of a justification and in particular for the purpose of the processing currently carried out, the data of some customers terminated for over 11 years which have not been subject to the anonymisation process, in particular: 6,087, of which 5,836 SMEs and 251 natural persons.

With reference to the refusal expressed by prospective users during promotional calls, the Company has provided conflicting feedback, in particular stating, initially, that this opposition is registered only for the current campaign (usually lasting three months) (minutes February 7, 2022 p. 5) to then declare to include the utilities - to which the refusal refers - in the "non-contactable list", in order to be able to exclude them from all subsequent campaigns (minutes February 8, 2022 p. 7).

An analysis of the documentation produced by the Company revealed that users contacted during the promotional campaign who express their wish not to receive further advertising calls are marked with the wording "Ref. Privacy law" which excludes any further contacts exclusively in relation to the campaign in progress, but also does not include "the withdrawal of privacy consent (the customer must express in writing the will to withdraw consent to the references that the operator will indicate by telephone via the sales script associated with the list supplier)" (Annex 4 to the minutes of February 8, 2022 - Watson Manual, Privacy outcome). Given this, if the interested party intends not to be contacted even for subsequent promotional campaigns, he must send a communication to the appropriate Company e-mail box or contact the list provider who acquired the personal data, as per the call script produced upon release of the reserves.

During the assessment, by simulating the access and navigation procedure on the website www.edisonenergia.it and in the MyEdison App (which, moreover, has the same configuration as the Edison MySun App, released on the market in January 2022 and at the time of assessment not yet used), it was found that personal data of the interested parties are required (name, surname, tax code, mobile phone number and e-mail address), and that consent is acquired to the processing of personal data "for the purposes referred to under letters A and B" of the privacy information, referring jointly to promotional and profiling purposes; in particular, with this method, the consent to the profiling of 50,050 customers present in the CRM system was acquired (see Annex 13 "Customers permitted for profiling" to dissolve the reservation of 9 February 2022). The Company represented that the consent requested during registration on the website actually concerns exclusively the purposes related to the use of the service and not marketing or individual profiling activities (from which, however, prospect subjects are totally excluded). The Company has therefore specified that the described formulation of the acquisition of consent is the result of a typo, having instead to refer exclusively to the activities referred to in point C of the aforementioned privacy information, entitled "Purpose of registration and access to the Reserved Area of the site".

It was then noted that, if the contract is signed via the website, the privacy information is provided which identifies, among the purposes of the processing, marketing, profiling and communication of data to third parties. In this contractual context, for these purposes, the relative optional consents are required from the interested party, even though the Company has declared, also pursuant to art. 168 of the Code, not to currently carry out profiling or communication activities to third parties for marketing purposes. In particular, it specified that consent to profiling is, in reality, aimed at carrying out general internal analyses or segmentation by macro-criteria (geographical, age, available contacts) of the company CRM, in order to avoid mass promotional mailings (see minutes February 9, 2022, page 3; Annex 3 "Marketing criteria" to the said minutes), also because Edison does not have a sufficient number of customers and data referring to customers to carry out individual profiling.

Furthermore, to complete the registration on the website and on the MyEdison App, as mentioned above, it is necessary to provide consent "for the purposes referred to in letters A and B" of the privacy information, referring to promotional and profiling purposes. Therefore, the user's registration would appear to be conditional on the simultaneous release of a single consent for marketing and profiling purposes, even if the latter has not yet been carried out by the Company.

2. DISPUTING INFRINGEMENTS

With a note dated May 13, 2022 (ref. prot. n. 26377/22) the Company was notified of the start of the proceeding, pursuant to art. 166, paragraph 5, of the Code, for the adoption of any measures pursuant to art. 58, par. 2, of the Regulation, with which, on the basis of the elements acquired during the inspection activity and the subsequent additions received upon release of the reserves, Edison was charged with a possible violation of the following provisions of the Regulation:

2.1. (with regard to file no. 165162): articles 6, 7 and 13 of the Regulation as well as 130 of the Code as the contact was made in the absence of the interested party's informed consent;

2.2. (with regard to file no. 170981): articles 5, par. 2, 24, 14, 6 and 7 of the Regulation as well as 130 of the Code as personal data were acquired from a third party (XX), in turn already a transferee from XX, in the absence of suitable consent from the interested parties;

2.3. (with reference to file no. 174167): articles 5, par. 2, 24, para. 1, 14 and 28 of the Regulation, since the privacy role of XX (independent data controller or data processor) has not been defined in the context of the relationship with Edison and since the latter has not released its own information to the interested party;

2.4. articles 5, par. 2, 24, par. 1 and 2 and 25, par. 1 of the Regulations for having carried out promotional campaigns for prospective users without carrying out sample checks with respect to the individual numbers and, therefore, without implementing obligations regarding the protection of personal data (such as: information; consent; accuracy and quality of data), in contrast to the principles of privacy by design and accountability; these violations are also confirmed in relation to the incorrect management of the opposition made by prospective users included in a "non-contactable list" devoid of detailed elements (date of denial, inclusion in the list, identity of the interested party), which does not allow for the correct reconstruction of methods and times for acquiring and withdrawing consent;

2.5. art. 5, par. 1, lit. b) and e) of the Regulation for having kept in the CRM the data of customers terminated for over 11 years which have not been subject to the anonymization process, in possible contrast with the principles of purpose and limitation of retention;

2.6. art. 12 para. 2 and 3, 21, para. 2 of the Regulation for not having provided for direct and simplified procedures to allow the interested party to immediately exercise their right to object to the processing carried out for promotional purposes;

2.7. articles 12, par. 1, and 5, par. 1 lit. a) of the Regulation as some of the processing activities described in the information on the website www.edisonenergia.it and the MyEdison App (in particular, communication to third parties for direct marketing and profiling purposes) were not actually carried out by the Company, in possible violation of the obligation to provide transparent information that is effectively suitable for making interested parties aware of what is being done with their data;

2.8. articles 6 and 7 of the Regulation and 130 of the Code since the user's registration on the website www.edisonenergia.it and on the MyEdison App was subject to the simultaneous release of a single consent for marketing and profiling purposes; this consent, which is neither specific nor free, does not constitute an appropriate legal basis for the aforementioned treatments.

Furthermore, with the same communication dated May 13, 2022, the Company was asked to provide a copy of the complaint to the Judicial Authority against those subjects who allegedly used the Edison name illegally for their own promotional activities (see file no. 170029, 156738, 174827, 158850, 158736, 168114), as well as, with regard to the users contacted by the XX call-center (case numbers 152043, 148318), to produce documentation aimed at ascertaining compliance with the matter, with particular reference to origin of the personal data of the interested parties, the consent given by them and the information provided together with the call script used on the occasion of the complained contacts.

3. DEFENSIVE OBSERVATIONS AND ASSESSMENTS OF THE AUTHORITY

3.1. DEFENCE BRIEF

The Company, in exercising its right of defence, sent a brief on 13 June 2022 in which it replied to the findings raised by the Authority with the notice of dispute.

3.1.1. Edison initially claimed that it had taken legal action to defend its commercial, economic and image interests. This is due to an abusive use of its name by third parties who, through fraudulent conduct, attempt to obtain an economic advantage and undermine its consolidated reputation. In this sense, Edison, "as the party injured by such conduct, has not only set up its own internal working group, in order to monitor and deal with the problem", but has also initiated various lawsuits before the judicial authorities, both civil and criminal type, of which it provided documentation to the Guarantor "already on 9 February 2022" and which are understood to be referred to in full here. With the brief in question, the Company supplemented the documentation previously produced with the complaint filed with the Judicial Authority on July 27, 2018, against XX for illegitimate use of the Edison trademark.

3.1.2. With regard to the promotional contacts made by the XX call-center, in its capacity as data controller, the Company represented the impossibility of providing the evidence requested by the Authority (with reference to the origin of the data of the interested parties, the consent given by them, to the information provided) since, "in line with the Data Retention Policy, the personal data of prospective users who have exceeded the overall retention period of 15 months have been deleted from all company systems". It added that the contact involving Mr. XX (file no. 148318) cannot be attributed to Edison as it was carried out by a third party unrelated to the Company's official sales network.

With reference to the telephone contact that took place in the absence of the interested party's consent (see point 2.1 of the dispute), the Company confirmed the unlawful conduct perpetrated by a third party (specifically an employee of the XX call center, responsible for the treatment) "apart from any delegation and/or instruction given to it by Edison and/or by XX itself". In particular, it specified that this employee, who was "immediately fired", would have used, for the contact complained of, "tools completely unrelated to those provided by Edison [...] including his own personal telephone number (provided for re-contacting subjects callers)". In any case, added Edison, it would not have been possible to activate any contracts deriving from so-called "off the list" contacts, as this is strictly inhibited by the technical system called Watson, available to all call centers operating on its behalf.

3.1.3. With reference to the personal data acquired from third party transferees of databases in the absence of suitable consent from the interested parties (see point 2.2 of the dispute), the Company, in referring to provision no. 460 issued by the Authority on 9 November 2017, invoked the exemption of this legal basis as the XX website, as well as the personal data collected therein, "were the subject of a business transfer from XX to XX and, therefore, articles 2558, 2559 and 2560 of the Civil Code apply, the buyer taking over the position of the transferor by law connected to the management of the company sold, without the need for any specific consent". The communication to Edison of the data by XX, therefore, appears to be a legitimate communication due to the acquired consent to the transfer of personal data to third parties indicated in the disclosure of the XX site "both as issued by XX and as subsequently provided, in total continuity of ends and modalities, from the successor XX".

3.1.4. With reference to the dispute referred to in point 2.3, the Company described the activity of aggregation of lists, coming from different suppliers, carried out by XX which, on February 27, 2020, was designated by Edison as external manager of the processing of personal data (of which a formal act of appointment was produced). This provision, in the perspective outlined by the Company, would have explained the transfer of data from XX (owner of the XX website from which the two distinct consents to marketing and communication to third parties would have been acquired) to Edison through XX. In particular, the Company clarified that "the aggregation activity is therefore carried out on the indication and mandate of Edison, which receives [...] from XX the comprehensive and cleaned list [of duplications] to carry out its marketing activities".

3.1.5. The Company, in response to the complaint referred to in point 2.4, confirmed the contents expressed during the inspection, declaring that it carries out punctual checks of the websites from which it acquires personal data, with particular reference to the privacy information released by the supplier and to the "correctness of the consents, in order to ascertain the legitimate transfer", but not to carry out random checks of the numbers present in the lists provided by its partners. With regard to this last profile, while reiterating that it did not put in place "specific internal formal procedures for random checking of the data being acquired", it specified that it had contractually appointed, as early as December 2021, a third party company to carry out activities of this type, "with a view to greater control and accountability". In confirmation of this, it attached the relative contractual documentation to the defense brief.

3.1.6. With regard to the management of the denial expressed by prospective users during promotional contacts (point 2.6 of the dispute), the Company represented the following:

"Where the interested party signals the desire not to be contacted by Edison for commercial purposes, the related telephone number [...] is reported on the Watson system as "Ref to the Privacy Law". This activity means that the telephone number reported will no longer be the object of contact for the campaign in progress". However, in order to exclude the user concerned also from subsequent promotional campaigns, the Company, "starting from mid-September 2021", has planned to extract from the company system the list of telephone numbers identified with the term "Ref Privacy Law" and make it merge into the "non-contactable list" "used for the deduplication of the lists acquired and aimed at subsequent campaigns". Furthermore, the Company, by not registering any prospect data on its corporate system, intended to ensure the complete exercise of the right to the interested parties ("assuming that the subject [...], at the time of the refusal not only does not intend to be contacted during the single campaign but generally does not intend to receive further commercial communications from Edison"). Finally, the "non-contactable list" - which, with the indication of the telephone number only, guarantees the principle of data minimization - will be fed with information suitable for limiting denials, thanks to an additional system, currently in an experimental phase which will replace the current one.

3.1.7. With reference to the dispute referred to in point 2.5, the Company clarified the reasons, mostly of a contentious nature, underlying the retention in the CRM of the data of customers terminated for over 11 years, specifying that only 8 of them will be subject to anonymization in June 2022, having resolved its debt situation.

3.1.8. In response to the disputed findings in points 2.7 and 2.8, Edison reiterated that the consent required during registration on the website www.edisonenergia.it and the MyEdison App regards contractual purposes, connected to the use of the service, and that the indication, in its formulation, of "purposes referred to in letters A and B" of the privacy information, attributable to promotional and profiling activities, would be the result of a "mere typo". It highlighted that the text of the consent was promptly corrected following the verification carried out during the inspection. Moreover, "the incorrect wording was present for a limited period of time, from September 2021 to February 2022". In any case, the release of consent, by affixing the flag at the end of the registration procedure, did not produce any results in the company CRM.

Furthermore, the Company confirmed that profiling would not currently be carried out, in consideration of the scarcity of data and consents collected, and would essentially consist of a "basic analysis activity, segmenting customers by macro category". However, any increase in data and marketing consents would allow Edison "to carry out more specific and precise analyses" in order "to send advertising material [...] more in line with customer preferences and needs". This setting can also be extended to the communication of data to third parties for direct marketing purposes of the Company since, although "commercial partnership activity" is not currently feasible given "the extent of consents collected up to now", "[Edison's] objective is to establish a numerically sufficient base of consents to transfer" for this purpose. Therefore, there is no discrepancy between the formal plan, relating to the treatments declared in the information on the site and the App, and the factual one that the Authority has decided to contest.

3.2. LEGAL ASSESSMENTS

With reference to the factual profiles highlighted above, also on the basis of the Company's statements, for which the declarant is liable pursuant to art. 168 of the Code, the following legal assessments are formulated.

The main argument presented by the Company in defense of its position, through the reference to an undue use of its name (see point 3.1.1), is supported by the documentation accompanying the memorandum dated June 13, 2022, which shows the implementation of misconduct by third parties to deprive Edison of its customers. In the circumstances reported, the users contacted were given false and misleading information to the detriment of Edison in order to encourage switching to another electricity supplier, with consequent economic repercussions on the Company, in addition to "the irreparable damage to its image and brands and distinctive signs".

We acknowledge what Edison declared and documented in relation to telephone contacts made from numbers not attributable to the official sales network. Indeed, the technical system known as "Watson" described by the Company appears suitable for curbing the phenomenon of illicit contacts and unwanted promotional calls from parties outside Edison's commercial network. This system, "made available to all call centers operating for Edison, [...] does not allow the contracting of parties deriving from so-called "off the list" calls". Ultimately, the centralization of contracts appears, at least abstractly, suitable for establishing an operational and logical connection between the promotional phase and the subsequent contract registration phase and, therefore, for excluding that promotional contacts made outside the Company's sales network may give rise to contracts then recorded in Edison's databases (see provision Sky Italia S.r.l., September 16, 2021, n. 332, web doc. n. 9706389).

With reference to the contacts made by the XX call center (see point 3.1.2), it should be noted that the Company's lack of material availability of documentation suitable for proving the obligations regarding the protection of personal data, given the cancellation from the databases of all the personal data that have exceeded a retention period of 15 months, did not allow this Authority to ascertain the legal basis that would have legitimized the unwanted promotional telephone calls complained of in the reports. Therefore, in the light of what is in the documents, it is not possible to attribute objective and subjective responsibility with certainty for the conduct complained of in the reports relating to the lawfulness of the processing in question.

We believe we can take note of what was declared by the Company regarding the telephone contact that took place in the absence of the consent of the interested party and was the result of an independent initiative perpetrated by a third party (point 3.1.2 of the defense briefs), noting that this conduct concerned an isolated case and that the Company itself has provided suitable assurances on the impossibility that such cases could recur, having implemented a system of inhibition of any contracts with the so-called "off the list" in the terms described in the defensive arguments which allows the contested critical issues to be overcome.

With reference to point 3.1.3 of the defense brief, based on the analysis of the documentation produced with specific regard to the "XX" website of the Slovak company, XX, later allegedly acquired by XX, the following is highlighted:

a) with regard to the fulfillment of the information, to be issued pursuant to art. 14 of the Regulation - on the basis of the telephone script provided by Edison, complete with references to the origin of the data, the purposes of the processing, the methods of exercising the rights, pursuant to articles 15 - 22 of the Regulation, as well as to the corporate website where the complete information can be found - it is deemed necessary to dismiss the related dispute;

b) in relation to the fulfillment of the consent, in the first box proposed to the user in the relevant registration form, a single expression of will is required for the contractual conditions and, without distinction, for all the various consents to the processing of personal data ("I accept the conditions referred to in the Regulation and all the consents referred to in the privacy policy"). This formulation obviously forces the interested party, in order to participate in the gift certificate initiative, to also accept the treatments for as many as four different purposes (marketing of the Company that owns the site; profiling by the same; communication to third parties for their promotional purposes; profiling by the same third parties), for a total of five consents, including the first single consent. The configuration in question, therefore, determines an illegitimate acquisition of data due to the violation of the obligation of a free and specific consent, the collection of separate consents carried out through the boxes below being irrelevant and in any case resulting in conflict with the first form of collection;

c) the log file that the Company has produced in support of the defense briefs does not allow for a reconstruction of the consents such as to overcome the criticality highlighted in the previous point;

d) however, the defect of such consents, including that relating to the communication of data to third parties - originally acquired by the company XX - also affects the validity of the treatments implemented by XX, as transferee of the company, as well as of the treatments carried out by Edison, as transferee of the data. Given this, the picture outlined by Edison is without foundation and the disputed violation must be confirmed.

Therefore, in the present case, it is represented that the use, by the Company, of lists of personal data obtained from a third party, in turn transferee of such personal data on the basis of a flawed consent issued to the initial data controller, would have made it necessary for Edison to request and acquire a new consent to its promotional activity (see: Guidelines on promotional activity and the fight against spam - provision July 4, 2013, web doc. n. 2542348; provision 22 May 2018, web doc. n. 8995274; provision 11 December 2019, web doc. n. 9244365; provision 12 November 2020, web doc. n. 94856801; provision 13 May 2021, web doc. n. 9670025; provision 16 September 2021, web doc. n. 9706389).

Furthermore, it should be noted that Edison's conduct, as already mentioned in the dispute, is in conflict with the principle of accountability since the Company does not appear to have taken care, as necessary, of verifying the actual compliance with the legislation of the consents acquired from the supplier.

In light of the above, it is confirmed that Edison Energia S.p.A. has violated articles 5, par. 2, 24, 6 and 7 of the Regulation, as well as 130 of the Code; violation which, moreover, involved a significant number of users (amounting to 66,771).

With reference to point 3.1.4 of the brief, it should be noted that the arguments put forward by the Company are mainly based on the role played by XX, as external manager of the processing of personal data, in the relationship with Edison. In particular, XX, in its role as list aggregator on behalf of Edison, would act as a mere intermediary in the process of transmitting data from the various list providers to the Company. In the deed of appointment as data processor, produced in support of the defense brief, it emerged that the subjects of the transfer to Edison were the personal data acquired from the databases of third-party companies with which XX allegedly stipulated regular contracts, of which, however, no evidence was produced. In order to go beyond the formal data and concretely qualify the roles and responsibilities of the subjects involved, not being able to have the contracts signed by XX with the various list providers, the position taken by the parties in the processing in question must be considered sufficiently clarified: the communication of data to Edison, legitimized by the legal basis of the consent of the interested parties, is carried out by XX, as independent data controller, through XX (as manager designated by Edison). Furthermore, in the information found on the XX website, managed by XX, Edison is included in the list of third-party companies to which the data is communicated.

This means that the transfer of the lists from XX to Edison, through the mediation of XX, would appear to avoid the so-called "double passage" from one owner to another, which in the context of the dispute it was considered necessary to censure. Therefore, Edison's arguments regarding the exercise of the right of defense are accepted, which lead to the dismissal of the dispute regarding the violation of articles 5, par. 2, 24, para. 1, 14 and 28 of the Regulation.

With regard to point 3.1.5 of the defense brief concerning the activity of verifying the numbers present in the lists acquired from the partners, entrusted by Edison to a third party company, from the reading of the relative contract, concerning, in particular, "the provision of services support to the control activities on Teleselling suppliers", it emerged that the verifications of the contactable numbers provided by the partners would concern "5% of the estimated contracts concluded through teleselling operations (about 9000), equal to a maximum of 450 contracts, divided equally among the Suppliers". It can be deduced that the control over the users to be contacted for marketing purposes is carried out only after the telephone contact has been made and the contracts concluded through teleselling operations have been signed.

Therefore, the absence of preventive sample checks - with respect to the individual numbers - contested in point 2.4 of this provision is confirmed. The lack of this fulfillment and of the related checks on the consent acquired by the supplier not only appears to be an inappropriate setting to guarantee an adequate level of compliance with the relevant legislation, in particular according to the principles of privacy by design and accountability, but also raises doubts with regard to the management of all additional utilities acquired from suppliers and used in the Company's promotional activity. Indeed, it must be considered that the anomalies and violations as identified above do not concern episodic conduct but "system" settings that are replicated on the occasion of the numerous contacts made by the Company, in particular operated through the acquisition of personal data lists from third parties and made, therefore, in violation of the provisions on consent, accountability and privacy by design.

The verification of the websites from which the data is collected - which the Company claims to carry out constantly before each promotional campaign - while potentially useful for preventing the undue circulation of personal data, cannot however replace the absence of checks on the numbers provided by the partners, and therefore cannot be considered sufficient to consider the conduct of the Company non-reproachable. Edison's responsibility must therefore be confirmed for the violation pursuant to articles 5, par. 2, 24, par. 1 and 2 and 25, par. 1, of the Regulation.

In its defense briefs (see point 3.1.6) the Company has expressed its commitment to implement some corrective measures, such as for example activating a system, currently in the testing phase, which allows for inclusion in the "non-contactable list", in addition to the telephone number, of all the additional information elements suitable for correctly reconstructing the will of the interested parties. The list currently made up of the indication of only the "non-contactable" telephone number does not appear to be an adequate solution for managing the right of opposition of the interested parties and does not allow us to understand when and how the interested party has given consent and when and how he has revoked it. The circumstance outlined by the Company of being able in any case to trace the date of inclusion of the personal data in the list in question, by cross-referencing the communications (e-mail) exchanged with the interested parties, in addition to representing a considerable distraction of time and resources (considering, moreover, the 29,872 registered numbers), is in contrast with the aforementioned principles of accountability and privacy by design, also with reference to the requests of the interested parties, pursuant to articles 15 - 22 of the Regulation, and/or the investigations carried out by this Authority.

It has been highlighted several times that the new principles dictated by the Regulation frame the competences of the data controller in an accountability perspective and impose proactive and coherent behaviors on all those involved in the processing of personal data with the aim of proving, at every stage, the lawfulness of the same treatments. It is therefore up to the holder to adopt measures of particular guarantee in order to demonstrate that the contracts and activations registered in their systems originate from contacts made in full compliance with the provisions on the protection of personal data (see provision n. 143 of 9 July 2020, web doc. n. 9435753; "Provision on electoral propaganda and political communication", 18 April 2019 web doc. n. 9105201; provision n. 363, 22 May 2018, web doc. n. 8995274; provision gen. spamming, 29 May 2003, web doc. n. 29840). Similarly, the owner is obliged to demonstrate that he has adequately recorded and contextualized the refusals expressed by the interested parties to receive further promotional communications; a circumstance which does not apply in the present case.

In the light of the above, the violation of articles 5, par. 2, 24, par. 1 and 2 and 25, par. 1, of the Regulation is confirmed.

The method described in point 3.1.6 of the defense brief, with which the opposition of the interested parties to being contacted also for future promotional campaigns is definitively recorded, does not appear regulated in any of the documents produced by the Company, both in the inspection phase and subsequently in the defence. The documentation provided during the inspection - which is summarized below, subject, however, to the full and complete reference to what has already been reported in point 1 of the provision - outlines a different picture than what was later stated by the Company in the defense brief: the name "Ref to the Privacy Law", which identifies the users associated with the denials expressed, deploys its effects only for the duration of the promotional campaign in progress, since the interested party can also oppose subsequent campaigns by sending a specific communication to Edison and the owner who has acquired the personal data, as confirmed by the call scripts produced to resolve the reservations. This - by not making the data subject's request for cancellation unequivocal to a specific data controller and in this sense requiring a double pass to Edison and the list provider to see this request definitively satisfied - does not allow for an easy and rapid exercise of the right to opposition, as prescribed by art. 21, par. 2, of the Regulation. Furthermore, the fact that the users identified with the name "Ref of the Privacy Law" are included in the "non-contactable list" to be excluded from subsequent promotional campaigns is part of a defensive discourse devoid of supporting evidence and which does not allow overcoming the critical issues that have emerged in the deed of contestation, also because this operation renders the proposed original approach redundant and substantially useless.

Therefore, having acquired full proof of Edison's responsibility for the disputed charges, the violation, referred to in point 2.6, of art. 12, par. 2 and 3, as well as art. 21, par. 2, of the Regulation is confirmed.

With reference to the objection referred to in point 2.5, relating to the prolonged retention of data of customers who have ceased for more than 11 years, Edison's arguments are accepted within the scope of the exercise of the right of defense and the dismissal proceeds with regard to the violation of art. 5, par. 1, lit. b) and e) of the Regulation.

The Company has provided conflicting feedback regarding the processing of personal data carried out through the website www.edisonenergia.it and the MyEdison App (point 3.1.8 of the defense brief). In particular, Edison has declared, also pursuant to art. 168 of the Code, that the consents to marketing and profiling, acquired during registration on the site, do not generate any results in the company CRM. This circumstance is contradicted both by the statements made during the inspection and by the documentation produced upon release of the reservations. In fact, during the inspection, an employee of Edison for the "Digital Channels" sector clearly stated that "for non-customers, the site does not collect consent for marketing and profiling activities. On the other hand, these consents are collected for the company's customers" with respect to which "the valuation of the consents is automatically reported in the CRM" (for more complete information, please refer to the report of operations carried out on 9 February 2022). In addition, the "number of customer users present on the CRM system who have given their consent to profiling" amounts to 50,050 (see attachment no. 13 "Customers permitted for profiling", resolving the reservation of 9 February 2022), so the circumstance described by the Company regarding the scarcity of the data and consents collected cannot be accepted. Furthermore, based on the declarations made in the defense brief, this purpose is potentially pursued only in the face of a greater availability of data accompanied by specific consents. In other words, therefore, at present, the data collected by Edison for profiling purposes are used to carry out general internal analyses and, only in the future, constitute useful material for profiled marketing, provided that there is an increase in adhesions.

Similarly, the communication of data to third parties for direct marketing purposes, for which specific consent is required when signing the contract via the website, while configuring an objective of the Company, is not currently carried out due to the extent of the consents collected to date.

Therefore, since, upon explicit admission by the Company, the purposes of individual profiling and communication of data to third parties are not pursued, the disconnect between the formal plan - relating to the information on the site and the App as well as those issued with the signing of supply contracts - and the factual plan of activities, is capable of generating reasonable doubts as to what the actual treatments carried out by Edison are.

In this regard, the Guarantor has repeatedly set out the principle of transparency as an easy understanding of the information message with specific regard to the methods and purposes of the processing, corresponding not only with the consents requested but, even before that, with the purposes actually pursued. There is a need for correspondence between information pursuant to art. 13 of the Regulation and effectiveness of the treatments put in place, in order to fully implement also art. 12 of the Regulation, namely precisely the principle of transparency, which arises as a fundamental and innovative criterion of legitimacy of the processing itself (see provision n. 7 of 15 January 2020, web doc. n. 9256486).

Furthermore, it must be reiterated that the provisions of the Regulation (art. 4, point 11 and recital no. 32), in line with the previous regulatory framework, configure consent as a complex case in which the element of the expression of the will of the interested party must necessarily be related to the completeness of the information on the treatment provided by the owner. It follows that in the absence of suitable information on the treatment, as in the present case noted in paragraphs 2.7 and 2.8, also the expression of will of the interested parties is irreparably flawed and unsuitable to constitute a condition of lawfulness for the treatment itself. Furthermore, the violation of the freedom of the interested parties is even more aggravated by the fact that the user's registration on the website and the MyEdison App is subject to the release of a single consent for marketing and profiling purposes (same configuration for the Edison App MySun, not yet in use but released on the market in January 2022). This operation involved the acquisition of a large number of personal data merged into the company CRM (related to 50,050 users who have given their consent for profiling purposes).

It should be reiterated here that the users' capacity for self-determination is not respected when the effective and conscious freedom of choice regarding the processing of their data is not ensured and this defect of legitimacy is relevant for the purposes of the applicability of violations of the legislation on the matter of data protection (in particular that relating to free and specific consent), regardless of whether or not the proposed processing activities are carried out (see provision "Online services: request for "obligatory" consent for promotional purposes" - 27 October 2016, web doc. n. 5687770; provision 12 June 2019, web doc. n. 9120218).

It should also be noted that even the mere retention of personal data constitutes a complete processing operation; therefore, once consent has been acquired for marketing and profiling purposes and the related data has been collected, the processing must be considered fully implemented even where the data are merely retained pending new circumstances that make possible the further operations aimed at marketing and profiling.

In the light of the above, the existence of the disputed violation of articles 12, par. 1 and 5, par. 1, lit. a) of the Regulation is confirmed.

The violation of articles 6, 7 and 12, par. 1, of the Regulation, as well as of art. 130 of the Code, is also considered established for not having acquired a free and specific consent of the interested parties for the various processing activities (in particular marketing and profiling).

4. CONCLUSIONS

In view of the above, Edison's responsibility for the following violations of the Regulation is deemed to have been established:

- art. 5, par. 1, lit. a) and 2;

- articles 6 and 7;

- art. 12, par. 1, 2 and 3;

- art. 21, par. 2;

- art. 24, par. 1 and 2;

- art. 25, par. 1,

and the violation of the art. 130 of the Code.

Once the unlawfulness of the Company's conduct described above has been ascertained, it is necessary:

- pursuant to art. 58, par. 2, lit. f) of the Regulation, prohibit any further processing for promotional purposes carried out through lists of personal data of third parties who have not acquired from the interested parties a free, specific and informed consent to the communication of their data to Edison, pursuant to articles 6 and 7 of the Regulation as well as 130 of the Code;

- pursuant to art. 58, par. 2, lit. d), of the Regulation, to enjoin the Company, if it intends in the future to direct the promotional activity towards telephone numbers provided by third parties, to adopt suitable procedures aimed at constantly verifying, also by means of adequate sample checks, that the personal data are processed in full compliance with the provisions on the subject (preventive acquisition of a free, specific, unequivocal, documented, as well as informed, consent of the interested parties for the sending of commercial communications), pursuant to articles 6, 7 and 13 of the Regulation as well as 130 of the Code;

- pursuant to art. 58, par. 2, lit. d) of the Regulation, enjoin Edison to facilitate the exercise of the rights established by the legislation on the protection of personal data and to satisfy, without unjustified delay, the related requests, including the right to object which can be advanced "at any time" by the interested party; to clearly indicate, already in the call script, the owner to whom the request for deletion of personal data must be addressed and who will definitively do so, pursuant to articles 6, 7 and 13 of the Regulation as well as 130 of the Code;

- pursuant to art. 58, par. 2, lit. f) of the Regulation, prohibit the processing of personal data collected without the necessary prior informed, free and specific consent of the interested parties in relation to the marketing and profiling activity, pursuant to articles 6, 7 and 12 of the Regulation as well as 130 of the Code;

- pursuant to art. 58, par. 2, lit. d) of the Regulation, to order that interested parties be provided with suitable information which indicates the processing operations actually carried out by Edison (articles 12 and 13 of the Regulation);

- with regard to treatments already carried out and with dissuasive purposes, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to articles 58, par. 2, lit. i) and 83, par. 4 and 5, of the Regulation.

5. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

The violations confirmed above require the adoption of an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of the law n. 689/1981, for the application against Edison Energia of the pecuniary administrative sanction provided for by art. 83, par. 4 and 5, of the Regulation. However, as various provisions of the Regulation and of the Code have been infringed in relation to connected treatments carried out by the Company for marketing purposes, art. 83, par. 3, of the Regulation applies, according to which, "if, in relation to the same treatment or related treatments, a data controller violates, with willful misconduct or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation", thus absorbing the least serious violations. Specifically, the aforementioned violations - also having as object the exercise of the rights of the interested parties (articles 12 and 13 of the Regulation) - are to be attributed, pursuant to art. 83, par. 3, of the same Regulation, in the context of the most serious violation, with consequent application of the sanction provided for in art. 83, par. 5, of the Regulation.

To determine the amount of the sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, paragraph 1), it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation.

In the present case, the following must be considered as aggravating circumstances:

1. the high number of subjects involved in the disputed processing (letter a): 66,771 (users registered on the XX website for whom specific consent has not been acquired for the communication of data from XX to Edison); 50,050 (customers present in the CRM for which a single consent has been acquired for marketing and profiling purposes, even if the latter is not actually carried out); 29,872 (the utilities of prospective subjects included in the "non-contactable list" without suitable elements to substantiate the will of the interested parties and, therefore, to ascertain the legitimacy of the promotional contacts);

2. the seriousness of the violations detected (letter a) with particular reference to the absence of sample checks of the contact numbers provided by the partners, the inadequate management of the right of opposition of the interested parties, as well as the unsuitability of the information provided on the website and on the MyEdison App;

3. the negligent nature of the conduct (letter b), given that the Company's presence on the market for many years should have allowed it to acquire sufficient experience and expertise to adopt basic choices more compliant with the regulatory provisions;

4. the non-conformity of the Company's conduct with respect to the consistent regulatory activity of the Authority in the field of marketing (letter k), with particular reference to information and consent;

5. the overall assessment of the Company's economic capacity, taking into consideration the latest available corporate turnover (4,900,439,466 euros, as resulting from the 2022 VAT return relating to the 2021 tax period) (letter k).

As mitigating elements, it is considered necessary to take into account:

1. the absence of previous proceedings initiated against the Company (letter e);

2. the fact that the Company promptly took action with the judicial authorities to counter the phenomenon of abusive telemarketing by third parties (letter k);

3. the timely adoption of corrective measures, some of which started immediately after the conclusion of the inspections (letter f);

4. the adoption, even before the inspection, of measures aimed at avoiding "off-list" contacts with the centralization of contracts through the "Watson" system (letter k);

5. the high degree of cooperation in interaction with the Supervisory Authority (letter f), such as to make it easier, despite the size of the Company and the complexity of the processing, to carry out the investigation activities, especially in the delicate period of emergency;

6. the serious socio-economic crisis and its effects on the trend of employment (letter k).

Based on the set of elements indicated above, in application of the aforementioned principles of effectiveness, proportionality and dissuasiveness pursuant to art. 83, par. 1 of the Regulation, also taking into account the necessary balance between the rights of the interested parties and the freedom to conduct a business, also in order to limit the economic impact of the sanction on the organisational, functional and employment needs of the Company, it is believed that the administrative sanction of the payment of a sum of Euro 4,900,000.00 (four million nine hundred thousand), equal to 0.1% of the last available turnover, should be applied to Edison, also taking into consideration other similar cases.

In the case in question, it is believed that the ancillary sanction of publication on the Guarantor's website of this provision should also be applied, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019, taking into account the subject matter of the preliminary investigation, namely the phenomenon of unwanted marketing, with respect to which this Authority has adopted numerous measures both of a general nature and aimed at specific data controllers and on which the attention of the 'user.

Please note that pursuant to art. 170 of the Code, anyone who fails to comply with this provision prohibiting processing is punished with imprisonment from three months to two years and, in the event of non-compliance with the same provision, the sanction referred to in art. 83, par. 5, lit. e) of the Regulation applies.

Finally, the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation.

ALL THAT BEING CONSIDERED, THE GUARANTOR

a) pursuant to art. 57, par. 1, lit. f), of the Regulation, declares unlawful the processing carried out by Edison Energia S.p.A., with registered office in Via Foro Buonaparte 31, 2012 Milan, VAT no. 08526440154;

b) pursuant to art. 58, par. 2, lit. f) of the Regulation, prohibits any further processing for promotional purposes carried out through lists of personal data of third parties who have not acquired from the interested parties a free, specific and informed consent to the communication of their data to Edison, pursuant to articles 6 and 7 of the Regulation as well as 130 of the Code;

c) pursuant to art. 58, par. 2, lit. d) of the Regulation, enjoins the Company, if it intends in the future to direct the promotional activity towards telephone numbers provided by third parties, to adopt suitable procedures aimed at constantly verifying, also through adequate sample checks, that personal data are processed in full compliance with the provisions on the subject (preventive acquisition of a free, specific, unequivocal, documented, as well as informed, consent of the interested parties for the sending of commercial communications), pursuant to articles 6, 7 and 13 of the Regulation as well as 130 of the Code;

d) pursuant to art. 58, par. 2, lit. d) of the Regulation, enjoins Edison to facilitate the exercise of the rights established by the legislation on the protection of personal data and to satisfy, without unjustified delay, the related requests, including the right to object which can be advanced "at any time" by the interested party; to clearly indicate, already in the call script, the owner to whom the request for deletion of personal data must be addressed and who will definitively do so, pursuant to articles 6, 7 and 13 of the Regulation as well as 130 of the Code;

e) pursuant to art. 58, par. 2, lit. f) of the Regulation, prohibits the processing of personal data collected without the necessary prior informed, free and specific consent of the interested parties in relation to the marketing and profiling activity, pursuant to articles 6, 7 and 12 of the Regulation as well as 130 of the Code;

f) pursuant to art. 58, par. 2, lit. d) of the Regulation, enjoins that interested parties be provided with suitable information which indicates the processing operations actually carried out by Edison (articles 12 and 13 of the Regulation);

g) pursuant to art. 157 of the Code, enjoins the Company to notify the Authority, within 45 days of notification of this provision, of the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the administrative fine provided for by art. 83, paragraph 5, of the Regulation.

ORDERS

pursuant to art. 58, par. 2, lit. i), of the Regulation, Edison Energia S.p.A., in the person of its legal representative, to pay the sum of euro 4,900,000.00 (four million nine hundred thousand), by way of administrative fine for the violations indicated in the justification; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of EUR 4,900,000.00 (four million nine hundred thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive deeds pursuant to art. 27 of law n. 689/1981;

PROVIDES FOR

as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019, the publication on the Guarantor's website of this provision and, pursuant to art. 17 of the Regulation of the Guarantor n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation, of the violations and of the measures adopted.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal lodged with the ordinary court of the place where the owner of the processing of personal data has his residence, or, alternatively, with the court of the place of residence of the interested party, within the term of thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 15 December 2022

PRESIDENT
station

THE SPEAKER
Station

THE SECRETARY GENERAL
Matthew