Garante per la protezione dei dati personali (Italy) - 9861289

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR; Article 9 GDPR; Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 23.01.2023
Published: 26.01.2023
Fine: 5.000 EUR
Parties: Azienda ULSS
National Case Number/Name: 9861289
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Italian DPA (in IT)
Initial Contributor: Bernardo Armentano

The Italian DPA fined a hospital €5.000 for mistakenly disclosing the data subject’s health data to an unauthorised third party in violation of Articles 5(1)(f), 9 and 32 GDPR.

English Summary

Facts

Rovigo Hospital, the data controller, stored the data subject's medical records in another patient's folder and inadvertently disclosed their health data to the latter. Upon becoming aware of this, the data controller asked the third party to return the documents and adopted technical and organisational measures to prevent similar data breaches. The controller notified the DPA and the DPA opened an investigation. There was no dispute as to the facts.

Holding

The DPA pointed out that medical records constitute 'data concerning health' within the meaning of Article 4(15) GDPR. Pursuant to Article 9 GDPR, this special category of data can only be disclosed to third parties on the basis of an appropriate legal ground or with the prior written authorisation of the data subject. It emphasised that the data controller must comply with the principle of "integrity and confidentiality", according to which personal data must be processed in a manner that ensures appropriate security. This includes protection against unauthorised or unlawful processing by means of appropriate technical and organisational measures (Article 5(1)(f) GDPR). The DPA acknowledged that the controller had acted immediately to minimise the damage, had taken measures to prevent further breaches and had cooperated with the investigation. However, it held that the disclosure of the data subject's health data to an unauthorised third party violated Articles 5(1)(f), 9 and 32 GDPR. In view of this, it imposed a fine of €5.000.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9861941]

Provision of 11 January 2023

Register of measures
no. 9 of 11 January 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD TO the documentation on file;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000;

RAPPORTEUR the lawyer Guido Scorza;

WHEREAS

1. THE INVESTIGATION ACTIVITY

On 7 and 8 March 2022, inspections were carried out at the company Bakeca S.r.l. (hereinafter "Bakeca" or "Company") in order to verify the methods of collecting personal data through the classified ads site www.bakeca.it, with particular regard to the use of such data for marketing purposes also through the transfer to third parties. The investigation was initiated ex officio based on the planning of the inspection activities of the Guarantor for the first half of 2022 (Resolution of 22 December 2021, in www.garanteprivacy.it, web doc n. 9737049).

Subsequently, with a note dated 18 March 2022, the Company sent the Supervisory Authority the supplementary information it had reserved the right to provide.

From these activities it emerged that the Company feeds its business mainly through the sale of services connected to the publication of classified ads (free service but with additional paid features). To a lesser extent, it uses the personal data of subjects registered on the www.bakeca.it portal and of subjects, including those who are not registered, who use the services to publish announcements or respond to them, for marketing purposes. In particular, subject to specific and informed consent, user data can be used for Bakeca marketing purposes or for transfer to third parties for independent marketing purposes.

During the investigations - also through the simulation of some registrations and the examination of the contracts - the methods of processing the data collected for promotional purposes were verified with the following results:

- the Company transfers the data to third parties for promotional purposes on the basis of a specific consent from the interested parties; in most cases, these third parties are appointed as data processors;

- the user's willingness to proceed with registration on the site is verified by sending a request for confirmation of the e-mail address and a subsequent communication to confirm registration;

- for unregistered users who use the website services to respond to classified ads, an e-mail address is still required in order to inform the user of the activities carried out on the site (such as, for example, responding to ads);

- where lists are transferred or rented, the Company adopts specific contractual provisions to protect the lists themselves, to prevent the data subjects from being reached by an excessive number of promotional contacts and, in the case of rental, to prevent the lists from being used beyond the time allowed;

- the Company has adopted suitable procedures to implement requests for the exercise of rights and revocation of consent by the interested parties, allowing the presentation of requests through various channels, including management through the personal area.

Limited to what was verified, a picture emerged of overall attention to the protection of the data subject, with the adoption of processing methods appropriate to the state of the art, without prejudice to some aspects worthy of further examination which are described below.

2. CONTESTED INFRINGEMENTS

Based on the results of the inspection activity, the Company was notified of the start of the procedure, pursuant to art. 166, paragraph 5, of the Code.

On this occasion, the Office identified some critical issues or aspects worthy of improvement as described below.

2.1 Legal basis of processing for marketing purposes

An examination of the text of the privacy notice (see annex 9 to the report of 7 March 2022) shows that the Company may use the data collected through the website www.bakeca.it for "marketing purposes relating to services/products similar to those requested by you" on the basis of the legitimate interest of the controller, using "automated contact methods (e-mail, text messages and other mass messaging tools, etc.) and traditional contact methods (for example, telephone call with an operator)".

In this regard, reference was made to the provisions of art. 130, paragraph 4, of the Code, which governs the so-called soft spam cases, admitting, under specific conditions, the sending of promotional communications without the consent of the data subject but exclusively through the e-mail channel. This provision, being of a special nature, cannot be interpreted extensively. Therefore, any promotional communication made outside these conditions and using a channel other than e-mail falls within the more general discipline of art. 130 of the Code, making it necessary to acquire a suitable consent even for communications aimed at promoting products or services similar to those already provided to the data subject.

Taking into account that the Company, for all other processing for marketing purposes, has correctly planned to rely on the consent of the data subject, the use of an unsuitable legal basis (legitimate interest) was detected with regard to communications sent to its customers to promote similar products and services, where carried out with the aforementioned methods; it follows that any promotional communications already sent under conditions other than those provided for by paragraph 4 of art. 130 (i.e. through channels other than e-mail) would have been carried out in violation of the law.

For these reasons, the violation of art. 6, par. 1, lit. a) of the Regulation and of art. 130 of the Code was contested.

2.2 Information on the processing of personal data

On the basis of what is set out in the previous point, the information given to the data subjects, with regard to point c) of the purposes, appeared unsuitable since it referred to an incorrect legal basis.
Furthermore, again with regard to the text of the privacy notice provided during the inspection activity, it was observed that the list of third parties to whom the data could be transmitted for promotional purposes, while indicating in detail the names of said third parties, did not include the details of the two partners communicated at the beginning of the minutes of 8 March 2022 (XX and XX Srl).

In this regard, reference was made to the provisions of art. 13, par. 1, lit. e) of the Regulation, which requires the data controller to inform the data subject about any recipients or categories of recipients of the personal data. In addition, it must be borne in mind that, if such data were used to convey promotional communications via the telephone channel, art. 1, paragraph 8, of law no. 5 of 11 January 2018 would require the identification details of the subject to whom the data relating to telephone numbers will be transferred to be communicated to the data subjects.

For these reasons, the violation of art. 13, par. 1, lit. c) and e) of the Regulation was contested.

2.3 Roles of the subjects involved in the processing

From the examination of the contracts provided during the inspection activity and on the basis of what was reported in the minutes, it emerged that the Company transmits the data of users who have given specific consent to third parties who use such data for promotional purposes. These third parties, according to the qualification chosen by Bakeca, in some cases operate as data processors under the business model defined as "database management", through which one subject, in this case Bakeca, deals with the collection of personal details with consent for marketing purposes and another subject, in this case one of Bakeca's partners, takes care of "enhancing" these data by conveying promotional messages from other clients. The Office, deeming this attribution of roles incorrect, contested the fact that the processing was in contrast with the requirements of lawfulness, fairness and transparency, in violation of art. 5, par. 1, lit. a).

2.4 Methods of acquiring consent to processing

As observed by examining the website www.bakeca.it during the inspections (see annex 8 to the report of 7 March 2022), in order to register on the website, or even just to publish or reply to an advertisement, the data subject is asked to express their will by ticking the following three boxes:


Only the first checkbox is mandatory, as it refers to having read the contractual terms and the information on the processing of personal data. While, in general, this approach seemed correct because its intentions were understandable, it was nevertheless necessary to point out that the overall wording of the request was not equally correct and risked not being understood by the data subject at the time of expressing their will. In fact, the sentence "...and I consent to the processing of my data for the purposes related to the provision of the mandatory service" is contradictory, since it refers to the (correct) legal basis of the performance of the contract and at the same time invokes the (incorrect) legal basis of consent, transforming a generic request to confirm acknowledgement into a sort of undue expression of consent to processing.

For these reasons, the Office considered that this formulation, being contrary to the principles of lawfulness, fairness and transparency, could have constituted a violation of art. 5, par. 1, lit. a) of the Regulation.

3. THE DEFENSE OF THE COMPANY

With a note dated 20 October 2022, Bakeca sent a defence brief, the contents of which are to be understood as fully referred to here, in which it provided detailed clarifications regarding the objections raised by the Office and noted some corrective measures already adopted, with particular regard to the following contested points.

3.1. Legal basis of the processing for marketing purposes

The Company declared that the aforementioned legal basis of legitimate interest, invoked in application of the derogation offered by art. 130, paragraph 4, of the Code, had been used only for sending communications via e-mail concerning mainly the functions of the service purchased and, in some cases, the proposal of additional or higher-level services.

3.2 Information on the processing of personal data

Recalling what was clarified in the previous point, the Company considered the indication of legitimate interest as the legal basis in the privacy notice to be correct, since the processing methods concerned only the sending of communications via e-mail.

Furthermore, with regard to the two partners not indicated by name in the privacy notice, the Company clarified that, given the role of intermediaries held by them, it had only indicated the final recipients of the data, believing in good faith that this was sufficient. Furthermore, Bakeca declared that, for company XX alone, the transmission of telephone numbers was not contractually envisaged, and therefore the more stringent provision of art. 1, paragraph 8, of law no. 5 of 11 January 2018, which requires the identification details of the person to whom the data relating to telephone numbers will be transferred to be communicated to the data subjects, did not apply.

3.3 Roles of the subjects involved in the processing

The Company has deemed that it has acted in the best way to guarantee control over the processing by inserting precise instructions in the contracts signed with the partners who, for the activities referred to as database management, are appointed as data processors.

3.4 Methods of acquiring consent to processing

The Company confirmed that the first checkbox required among the formulas for expressing consent was actually intended only to confirm having read the privacy notice. In any case, taking on board the indications contained in the act initiating the procedure, it has taken steps to modify the formulas for requesting consent in order to make them clearer for users.

4. LEGAL ASSESSMENTS

With reference to the factual profiles highlighted above, also on the basis of the declarations of the Company, for which the signatory is liable pursuant to art. 168 of the Code, the following assessments are made in relation to the profiles concerning the regulations on the protection of personal data.

4.1 Legal basis of processing for marketing purposes

Taking into account the fact that the Company has stated that it used the data collected without express consent (on the basis of its legitimate interest) only to send promotional communications via e-mail relating to services already purchased by the data subjects, the violations indicated in point 2.1 are not deemed to have occurred (except as indicated in the following point with regard to the privacy notice), because, despite having incorrectly qualified the legal basis, the Company has in fact processed the data in compliance with the regulations. In fact, it must be remembered that the sending of promotional communications via electronic communication tools is governed by art. 130 of the Code, implementing art. 13 of Directive 2002/58/EC, which constitutes a lex specialis under which the only permitted legal basis is the user's consent, apart from some exhaustively described cases of derogation. One of these exceptions is contained in art. 130, paragraph 4, of the Code, which allows the sending of promotional communications exclusively by e-mail. In this case, the controller need not request the consent of the data subject, provided that the services are similar to those being sold and that the data subject, adequately informed, does not refuse such use initially or on the occasion of subsequent communications.

4.2 Information on the processing of personal data

With regard to the indication of the legal basis, recalling what is described in the previous point, the mention of the legitimate interest of the controller is considered incorrect, since it is necessary to refer to the more correct provision of art. 130, paragraph 4, of the Code. However, it must be taken into account that this conduct did not cause damage to the data subjects and that the aforementioned provision, constructed as a derogation from the requirement of consent, in fact constitutes a recognition of the legitimate interest of the controller, with a balancing of interests carried out ex lege; it is therefore considered sufficient, pursuant to art. 58, par. 2, lit. d), to order Bakeca to modify the text of the privacy notice in point c) of the purposes of the processing, indicating that the processing is carried out in compliance with art. 130, paragraph 4, of the Code, provided that the data subject does not refuse such use initially or on the occasion of subsequent communications.

On the other hand, with regard to the failure to indicate the third parties to whom the data have been transmitted for marketing purposes, it is noted that art. 13, par. 1, lit. e) of the Regulation requires the controller to indicate any recipients or categories of recipients of the personal data. Furthermore, if the data processing is carried out for promotional purposes through the telephone channel, art. 1, paragraph 8, of law no. 5/2018 requires that, in the event of transfer of data relating to telephone numbers to third parties, the data controller communicate to the data subjects the identification details of the subject to whom those data are transferred.

It follows that the Company should have indicated the subjects or categories of subjects to whom the data would be transferred where the data transferred did not include telephone numbers, whereas it would have been obliged to indicate the recipients by name where telephone numbers were transferred.

From the brief presented by Bakeca it emerges that the Company had chosen to publish the names of the third-party recipients of the data, excluding two partners because they were considered intermediaries and in fact indicating only the last subjects to whom such data would be communicated. Only in one of these two cases (XX S.r.l.) did the Company not transmit telephone numbers, so it could have indicated the category of the recipient and not necessarily the specific name (without prejudice to the obligation to provide the details on request of the data subjects). In the case of partner XX instead, which in the absence of a similar clarification should have received telephone numbers, the obligation to indicate the specific name applied. In general, the Regulation establishes that in the privacy notice the controller must indicate the recipients or categories of recipients of the personal data, meaning all the subjects who receive the data from the transferring controller.

Therefore, the violation of art. 13, par. 1, lit. e) of the Regulation is ascertained with regard to the failure to indicate the two aforementioned partners. Taking into account that the Company has in any case named all the third parties and that, in the case of the two partners indicated (communicated by it during the inspection), it erroneously considered it sufficient to indicate the final recipients, in the absence of wilful misconduct, it is deemed possible to refrain from applying an administrative fine and, having verified that the privacy notice has now been supplemented with the names of the aforementioned partners, it is sufficient, pursuant to art. 58, par. 2, lit. b) of the Regulation, to address a warning to Bakeca regarding the fact that the failure to indicate in the privacy notice the subjects receiving the data constitutes a violation of the Regulation, since it does not allow the data subjects to be aware of the processing and, consequently, to give appropriate consent and to exercise their rights towards those who hold their data.

4.3 Roles of the subjects involved in the processing

From the examination of the contracts provided during the inspection activity and on the basis of what is reported in the minutes, it is clear that the Company transmits the data of the subjects who have given specific consent to third parties who use such data for promotional purposes. These third parties, according to the qualification chosen by Bakeca, in some cases operate as data processors. However, this attribution of roles is not correct, since it is based on the assumption that the business model commonly identified as intermediation or database management/enhancement activity allows the person who deals with this management to be assimilated to a person who works on behalf of Bakeca or, more specifically, who processes personal data on behalf of Bakeca. Instead, the third party who acquires the data will generally use them to enrich their own database and/or to carry out promotional activities on behalf of their own clients, other than Bakeca. It follows that the relationship between Bakeca and these partners is rather attributable to a relationship between independent data controllers, since the partner does not carry out any processing on behalf of Bakeca but performs an activity that binds it to Bakeca only from a commercial point of view, without any bearing on the roles in the processing of personal data. As better clarified in the EDPB Guidelines 7/2020, regardless of the contractual qualification of the roles, the subject who determines the purposes (why) and means, i.e. the methods (how), of the processing is the controller; on the other hand, the subject who works on behalf of the controller is to be considered the processor, executing the instructions even with a certain degree of autonomy without, however, being able to exercise any discretion regarding the choice of the purposes of the processing.

In this reconstruction of the roles, the person who purchases the database from Bakeca (who, as mentioned, in the relationship with Bakeca is in fact an independent data controller) should operate as data processor for any client for whom it carries out the promotional activity. In this case, in fact, it carries out processing on behalf of a controller who has established the purposes. Moreover, if this were not the case, a transfer of data would take place between the purchaser of the list and the final client which would not be covered by any consent from the data subjects. In fact, as repeatedly clarified by the Guarantor, an initial consent to the communication of data to third parties for promotional purposes is valid only towards the first controller who acquires them and cannot extend its effects to an infinite chain of transfers of which the data subject is not aware at the time of giving consent.

With regard to the qualification of the roles in the processing, in relation to the client and its service provider, the Guarantor has ruled several times (see provision of 25 November 2021, web doc n. 9736961 and provision of 25 November 2021, web doc n. 9737185).

Therefore, the incorrect qualification as data processor in the contractual relationships referred to as database management has resulted in processing in contrast with the requirements of lawfulness, fairness and transparency, in violation of art. 5, par. 1, lit. a).

However, it must be acknowledged that the Company believed it was acting correctly by appointing its commercial partners as data processors, because this solution appeared to be the most suitable for offering greater guarantees of control over the databases entrusted to third parties, through specific instructions aimed at avoiding unwanted contacts. However, this understandable need for control cannot be satisfied by incorrectly using the roles envisaged by the legislation on the protection of personal data, but can in any case be met through appropriate contractual provisions (which Bakeca itself has put in place) which, even in a relationship between controller and controller, can guarantee the correct use of the databases.

That said, pursuant to art. 58, par. 2, lit. d) of the Regulation, it is necessary to enjoin Bakeca to bring its relations with third parties into line with the indications provided in this provision, contractually qualifying the roles in question as relations between independent controllers where the subject receiving the database independently determines the purposes of the processing by operating on those databases to convey promotional messages on behalf of its clients.

4.4 Methods of acquiring consent to processing

With regard to the formula for expressing the user's acknowledgement contained in the first request for consent, as already noted in the act initiating the procedure, this formulation seemed generally correct because its intentions were understandable, but it was necessary to note that the overall formulation of the request was not equally correct and risked not being understood by the data subject at the time of expressing their will.

Taking into account the fact that the Company has declared that it has corrected the formula for requesting consent and confirming that the privacy notice has been read, it is not deemed necessary to proceed further.

Finally, it is considered that the conditions set forth in art. 17 of the Regulation of the Guarantor n. 1/2019, concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation.

ALL THAT BEING CONSIDERED, THE GUARANTOR

against Bakeca S.r.l., with registered office in via Vincenzo Monti, 43/A, Turin, VAT number/tax code 09239540017,

a) pursuant to art. 58, par. 2, lit. d), enjoins Bakeca to modify the text of the privacy notice, in point c) of the purposes of the processing, indicating that the processing is carried out in compliance with art. 130, paragraph 4, of the Code, provided that the data subject does not refuse such use initially or on the occasion of subsequent communications;

b) pursuant to art. 58, par. 2, lit. b), addresses a warning to Bakeca regarding the fact that failure to indicate in the privacy notice to data subjects the subjects who receive the data constitutes a violation of the Regulation, since it does not allow the data subjects to be aware of the processing and, consequently, to provide adequate consent and to exercise their rights towards those who hold their data;

c) pursuant to art. 58, par. 2, lit. d) of the Regulation, enjoins Bakeca to bring its relations with third parties into line with the indications provided in this provision, contractually qualifying the roles of the various subjects involved in the processing of personal data as relations between independent data controllers where the person who receives the database independently determines the purposes of the processing by operating on it to convey promotional messages for its clients.

ORDERS

pursuant to art. 17 of the Regulation of the Guarantor n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation, of the violations and of the measures adopted.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as art. 152 of the Code and art. 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, by means of an appeal to the ordinary court of the place where the data controller has its residence or, alternatively, to the court of the place of residence of the data subject, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 11 January 2023

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Scorza

THE SECRETARY GENERAL
Mattei

[doc. web no. 9861941]

Provision of 11 January 2023

Register of measures
no. 9 of 11 January 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000;

SPEAKER the lawyer Guido Scorza;

WHEREAS

1. THE INVESTIGATION ACTIVITY

On 7 and 8 March 2022, inspections were carried out at the company Bakeca S.r.l. (hereinafter "Bakeca" or "Company") in order to verify the methods of collecting personal data through the classified ads site www.bakeca.it, with particular regard to the use of such data for marketing purposes also through the transfer to third parties. The investigation was initiated ex officio based on the planning of the inspection activities of the Guarantor for the first half of 2022 (Resolution of 22 December 2021, in www.garanteprivacy.it, web doc n. 9737049).

Subsequently, the Company sent the Supervisory Authority the supplementary information subject to reservation with a note dated March 18, 2022.

From these activities it emerged that the Company feeds its business mainly through the sale of services connected to the publication of classified ads (free service but with additional paid features). To a lesser extent, it uses the personal data of subjects registered on the www.bakeca.it portal and of subjects, including those who are not registered, who use the services to publish announcements or respond to them, for marketing purposes. In particular, subject to specific and informed consent, user data can be used for Bakeca marketing purposes or for transfer to third parties for independent marketing purposes.

During the investigations - also through the simulation of some registrations and the examination of the contracts - the methods of processing the data collected for promotional purposes were verified with the following results:

- the Company transfers the data to third parties for promotional purposes on the basis of a specific consent from the interested parties; in most cases, these third parties are appointed as data processors;

- the user's willingness to proceed with registration on the site is verified by sending a request for confirmation of the e-mail address and a subsequent communication to confirm registration;

- for unregistered users who use the website services to respond to classified ads, an e-mail address is still required so that the user can be informed of the activities carried out on the site (such as, for example, responding to ads);

- in the event of lists being transferred or rented, the Company adopts specific contractual provisions to protect the lists themselves, to prevent the interested parties from being reached by an excessive number of promotional contacts and, in the case of rental, to prevent the lists from being used beyond the time allowed;

- the Company has adopted suitable procedures to implement requests for the exercise of rights and revocation of consent by the interested parties, allowing the presentation of requests through various channels, including management through the personal area.

Limited to what was verified, a picture emerged of overall attention to the protection of the data subject, with the adoption of processing methods appropriate to the state of the art, without prejudice to some aspects worthy of further examination which are described below.

2. CONTESTED INFRINGEMENTS

Based on the results of the inspection activity, the Company was notified of the start of the procedure, pursuant to art. 166, paragraph 5, of the Code.

On this occasion, the Office identified some critical issues or aspects worthy of improvement as described below.

2.1 Legal basis of processing for marketing purposes.

An examination of the text of the information notice (see annex 9 to the report of 7 March 2022) shows that the Company may use the data collected through the website www.bakeca.it for "marketing purposes relating to similar services/products to those requested by you" on the basis of the legitimate interest of the controller, using "automated contact methods (e-mail, text messages and other mass messaging tools, etc.) and traditional contact methods (for example, telephone call with an operator)".

In this regard, reference was made to the provisions of art. 130, paragraph 4, of the Code, which governs the cases of so-called soft spam, admitting, under specific conditions, the sending of promotional communications without the consent of the interested party but exclusively through the e-mail channel. This provision, being of a special nature, cannot be interpreted broadly. Therefore, any promotional communication made outside these conditions and using a channel other than e-mail falls within the more general discipline of art. 130 of the Code, making it necessary to acquire a suitable consent even in the case of communications aimed at promoting products or services similar to those already provided to the interested party.

Taking into account that the Company, with regard to all other processing for marketing purposes, has correctly chosen to rely on the consent of the interested party, the use of an unsuitable legal basis (legitimate interest) was detected with regard to communications sent to its customers to promote similar products and services, if carried out with the aforementioned methods; it follows that any promotional communications already sent under conditions other than those provided for by paragraph 4 of art. 130 (through channels other than e-mail) would have been carried out in violation of the law.

For these reasons, it was considered that a violation of art. 6, par. 1, lit. a) of the Regulation and of art. 130 of the Code had occurred.

2.2 Information on the processing of personal data

On the basis of what is represented in the previous point, the information given to the interested parties, with regard to point c) of the purposes, appeared unsuitable since it referred to an incorrect legal basis.
Furthermore, again with regard to the text of the information provided during the inspection activity, it was observed that the list of third parties to whom the data could be transmitted for promotional purposes, while indicating in detail the names of said third parties, did not report the references of the two partners communicated at the beginning of the minutes of 8 March 2022 (XX and XX Srl).

In this regard, reference was made to the provisions of art. 13, par. 1, lit. e) of the Regulation, which requires the data controller to inform the interested party about any recipients or any categories of recipients of personal data. In addition, it must be kept in mind that, if such data were used to convey promotional communications via the telephone channel, the art. 1, paragraph 8, of the law of 11 January 2018, n. 5, would require communicating to the interested parties the identification details of the subject to whom the data relating to telephone numbers will be transferred.

For these reasons, the violation of art. 13, par. 1, lit. c) and e) of the Regulation was contested.

2.3 Roles of the subjects involved in the processing

From the examination of the contracts provided during the inspection activity and on the basis of what was reported in the minutes, it emerged that the Company transmits the data of users who have given specific consent to third parties, who use such data for promotional purposes. These third parties, according to the qualification chosen by Bakeca, in some cases operate as data processors according to the business model defined as "database management", through which one subject, in this case Bakeca, deals with the collection of master data with consent for marketing purposes and another subject, in this case one of Bakeca's partners, takes care of "enhancing" this data by conveying promotional messages from other clients. The Office, deeming this attribution of roles incorrect, contested the fact that the processing was in contrast with the requirements of lawfulness, correctness and transparency, in violation of art. 5, par. 1, lit. a).

2.4 Methods of acquiring consent to processing

As observed by examining the website www.bakeca.it during the inspections (see annex 8 to the report of 7 March 2022), to register on the website, or even just to publish or reply to an advertisement, the interested party is asked to express their will by ticking the following three boxes:


Only the first box is mandatory, as it refers to having read the contractual terms and the information on the processing of personal data. While, in general, this approach seemed correct because its intentions were understood, it was nevertheless necessary to point out that the overall wording of the request was not equally correct and risked not being understood by the interested party at the time of expressing their will. In fact, the sentence "...and I consent to the processing of my data for the purposes related to the provision of the mandatory service" is contradictory, since it refers to the (correct) legal basis of the performance of the contract and at the same time invokes the (incorrect) legal basis of consent, transforming a generic request to confirm acknowledgment into a sort of undue expression of consent to processing.

For these reasons, the Office considered that this formulation, contrary to the principles of lawfulness, correctness and transparency, could have integrated the violation of art. 5, par. 1, lit. a) of the Regulation.

3. THE DEFENSE OF THE COMPANY

With a note dated 20 October 2022, Bakeca sent a defense brief, the contents of which are understood to be referred to in full here, in which it provided detailed clarifications regarding the objections raised by the Office, acknowledging some corrective measures already adopted with particular regard to the following contested points.

3.1. Legal basis of the processing for marketing purposes

The Company declared that the aforementioned legal basis of legitimate interest, invoked as an expression of the derogation offered by art. 130, paragraph 4, of the Code, has been used only for sending communications via e-mail concerning mostly the functions of the service purchased and, in some cases, the proposal of services additional to it or of a higher level.

3.2 Information on the processing of personal data

Recalling what was clarified in the previous point, the Company considered the indication of the legal basis of legitimate interest in the information notice to be correct, since the processing methods concerned only the sending of communications via e-mail.

Furthermore, with regard to the two partners not indicated by name in the information notice, the Company clarified that, given the role of intermediaries held by them, it had only indicated the final recipients of the data, believing in good faith that this was sufficient. Furthermore, Bakeca declared that, for company XX alone, the transmission of telephone numbers was not contractually envisaged, so that the more stringent provision of art. 1, paragraph 8, of the law of 11 January 2018, n. 5, which requires the identification details of the person to whom the data relating to telephone numbers will be transferred to be communicated to the interested parties, did not apply.

3.3 Roles of the subjects involved in the processing

The Company has deemed that it has acted in the best way to guarantee control over the processing by inserting precise instructions in the contracts signed with the partners who, for the activities referred to as database management, are appointed as data processors.

3.4 Methods of acquiring consent to processing

The Company confirmed that the first box required among the formulas for expressing consent was actually intended only to confirm having read the information notice. In any case, incorporating the indications contained in the act of initiation of the procedure, it has taken steps to modify the formulas for requesting consent in order to make them clearer for users.

4. LEGAL ASSESSMENTS

With reference to the factual profiles highlighted above, also on the basis of the declarations of the Company for which the subscriber is liable pursuant to art. 168 of the Code, the following assessments are made in relation to the profiles concerning the regulations on the protection of personal data.

4.1 Legal basis of processing for marketing purposes

Taking into account the fact that the Company has stated that it used the data collected without express consent (on the basis of its legitimate interest) only to send promotional communications via e-mail relating to services already purchased by the interested parties, the violations indicated in point 2.1 are not deemed to have occurred - except as indicated in the following point with regard to the information notice - because, despite having incorrectly qualified the legal basis, the Company has in fact processed the data in compliance with the regulations. In fact, it must be remembered that the sending of promotional communications via electronic communication tools is governed by art. 130 of the Code, in implementation of art. 13 of Directive 2002/58/EC, which constitutes a lex specialis where the only permitted legal basis is the user's consent, except in some exhaustively described cases of derogation. One of these exceptions is contained in the provision pursuant to art. 130, paragraph 4, of the Code, which allows the sending of promotional communications exclusively by e-mail. In this case, the controller may refrain from requesting the consent of the interested party, in the case of services similar to those being sold and provided that the interested party, adequately informed, does not refuse such use initially or on the occasion of subsequent communications.

4.2 Information on the processing of personal data

With regard to the indication of the legal basis, recalling what is described in the previous point, the mention of the legitimate interest of the controller is considered incorrect, since it is necessary to refer to the more correct provision pursuant to art. 130, paragraph 4, of the Code. However, it must be taken into account that this conduct did not cause damage to the interested parties and that the aforementioned provision, constructed as a derogation from the requirement of consent, in fact constitutes a recognition of the legitimate interest of the controller with a balancing of interests carried out ex lege; therefore it is considered sufficient, pursuant to art. 58, par. 2, lit. d), to order Bakeca to modify the text of the information notice in point c) of the purposes of the processing, indicating that the processing is carried out in compliance with art. 130, paragraph 4, of the Code, provided that the interested party does not refuse such use initially or on the occasion of subsequent communications.

On the other hand, with regard to the failure to indicate the third parties to whom the data have been transmitted for marketing purposes, it is noted that art. 13, par. 1, lit. e) of the Regulation requires the controller to indicate any recipients or categories of recipients of personal data. Furthermore, if the data processing is carried out for promotional purposes through the telephone channel, art. 1, paragraph 8, of law n. 5/2018 requires that, in the event of transfer of data relating to telephone numbers to third parties, the data controller must communicate to the interested parties the identification details of the subject to whom the same data are transferred.

It follows that the Company should have indicated the subjects or categories of subjects to whom the data would have been transferred in the case of data that did not include telephone numbers; it would instead have had the obligation to indicate the recipients by name in the event of transfer of telephone numbers.

From the brief presented by Bakeca it emerges that the Company had chosen to publish the names of the third-party recipients of the data, having excluded two partners because they were considered intermediaries and having in fact indicated only the last subjects to whom such data would be communicated. Only in one of these two cases (XX S.r.l.) did the Company not transmit telephone numbers, so it could have indicated the category of the recipient and not necessarily the specific name (without prejudice to the obligation to provide the details in the event of a request from the interested parties). In the case of partner XX instead - which, in the absence of a similar clarification, should have received telephone numbers - the obligation to indicate the specific name applied. In general, the Regulation establishes that in the information notice the controller must indicate the recipients or categories of recipients of the personal data, meaning all the subjects who receive the data from the transferring controller.

Therefore, the violation of art. 13, par. 1, lit. e) of the Regulation is confirmed with regard to the failure to indicate the two aforementioned partners. Taking into account that the Company has in any case proceeded to name all the third parties and that, in the case of the two partners indicated - communicated by it during the inspection - it erroneously considered it sufficient to indicate the final recipients, in the absence of willful misconduct, it is deemed possible to refrain from applying an administrative pecuniary sanction and, having verified that the information notice has now been supplemented with the names of the aforementioned partners, it is deemed sufficient, pursuant to art. 58, par. 2, lit. b) of the Regulation, to address a warning to Bakeca regarding the fact that the failure to indicate in the information notice to the interested parties the subjects receiving the data constitutes a violation of the Regulation, since it does not allow the interested parties themselves to be aware of the processing and, consequently, to give appropriate consent and to exercise their rights towards those who hold their data.

4.3 Roles of the subjects involved in the processing

From the examination of the contracts provided during the inspection activity and on the basis of what is reported in the minutes, it is clear that the Company transmits the data of the subjects who have given specific consent to third parties, who use such data for promotional purposes. These third parties, according to the qualification chosen by Bakeca, in some cases operate as data processors. However, this attribution of roles is not correct, since it is based on the assumption that the business model commonly identified as intermediation or database management/enhancement activity allows the person who deals with this management to be assimilated to a person who works on behalf of Bakeca or, more specifically, who processes personal data on behalf of Bakeca. Instead, the third party who acquires the data will generally use them to enrich their own database and/or to carry out promotional activities on behalf of their own clients, other than Bakeca. It follows that the relationship between Bakeca and these partners is more properly attributable to a relationship between independent data controllers, since the partner does not carry out any processing on behalf of Bakeca but performs an activity that binds it to Bakeca only from a commercial point of view, without this having any bearing on the roles in the processing of personal data. As better clarified in the EDPB Guidelines 7/2020, regardless of the contractual qualification of the roles, the subject who determines the purposes (why) and means, i.e. the methods (how), of the processing is the controller; on the other hand, the subject who works on behalf of the controller is to be considered the processor, executing the instructions even with a certain degree of autonomy but without being able to exercise any discretion regarding the choice of the purposes of the processing.

In this reconstruction of the roles, the person who purchases the database from Bakeca - who, as mentioned, in the relationship with Bakeca is in fact an independent data controller - should operate as data processor for any client for whom it carries out the promotional activity. In this case, in fact, it carries out processing on behalf of a controller who has established the purposes. Moreover, if this were not the case, a transfer of data would take place between the purchaser of the list and the final client which would not be supported by any consent from the interested parties. In fact, as repeatedly clarified by the Guarantor, an initial consent to the communication of data to third parties for promotional purposes has value only towards the first controller who acquires them and cannot instead extend its effects to an endless chain of transfers of which the interested party is not aware at the time of granting consent.

With regard to the qualification of the roles in the processing, in relation to the client and his service provider, the Guarantor has expressed himself several times (see provision of 25 November 2021, web doc n. 9736961 and provision of 25 November 2021, web doc n. 9737185).

Therefore, the incorrect qualification as data processor in the contractual relationships referred to as database management has resulted in the processing being in contrast with the requirements of lawfulness, correctness and transparency, in violation of art. 5, par. 1, lit. a).

However, it must be acknowledged that the Company believed it was acting correctly by appointing its commercial partners as data processors, because this solution appeared to be the most suitable for offering greater guarantees of control over the databases entrusted to third parties, through specific instructions aimed at avoiding unwanted contacts. However, this understandable need for control cannot be satisfied by incorrectly using the roles envisaged by the legislation on the protection of personal data; it can in any case be satisfied through appropriate contractual provisions (which Bakeca itself has put in place) which, even in a relationship between controller and controller, can guarantee the correct use of the databases.

That said, pursuant to art. 58, par. 2, lit. d) of the Regulation, it is necessary to enjoin Bakeca to conform its relations with third parties to the indications provided with this provision, contractually qualifying the roles in question as relations between independent controllers in the event that the subject receiving the database independently determines the purposes of the processing by operating on these databases to convey promotional messages on behalf of its clients.

4.4 Methods of acquiring consent to processing

With regard to the formula for expressing the user's acknowledgment contained in the first request for consent, as already noted in the act of initiation of the procedure, this formulation seemed generally correct because its intentions were understood, but it was necessary to note that the overall formulation of the request was not equally correct and risked not being understood by the interested party at the time of expressing their will.

Taking into account the fact that the Company has declared that it has corrected the formula for requesting consent and for confirming that the information notice has been read, it is not deemed necessary to proceed further.

Finally, it is believed that the conditions set forth in art. 17 of the Regulation of the Guarantor n. 1/2019, concerning internal procedures having external relevance aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of the violations detected here in the internal register of the Authority provided for by art. 57, par. 1, lit. u) of the Regulation.

ALL THAT BEING CONSIDERED, THE GUARANTOR

against Bakeca S.r.l., with registered office in via Vincenzo Monti, 43/A, Turin, VAT number/tax code 09239540017,

a) pursuant to art. 58, par. 2, lit. d), enjoins Bakeca to modify the text of the information, in point c) of the purposes of the processing, indicating that the processing is carried out in compliance with art. 130, paragraph 4, of the Code provided that the interested party does not refuse such use initially or on the occasion of subsequent communications;

b) pursuant to art. 58, par. 2, lit. b), addresses a warning to Bakeca regarding the fact that failure to indicate in the information notice to data subjects the subjects who receive the data constitutes a violation of the Regulation, since it does not allow the data subjects themselves to be aware of the processing and, consequently, to provide adequate consent and to exercise their rights towards those who hold their data;

c) pursuant to art. 58, par. 2, lit. d) of the Regulation, enjoins Bakeca to conform its relations with third parties to the indications provided with this provision, contractually qualifying the roles of the various subjects involved in the processing of personal data as relations between independent data controllers in the event that the person who receives the database independently determines the purposes of the processing by operating on it to convey promotional messages for its own customers.

HAS

pursuant to art. 17 of the Regulation of the Guarantor n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation, of the violations and of the measures adopted.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, by way of an appeal filed with the ordinary court of the place where the data controller has its residence or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 11 January 2023

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Scorza

THE SECRETARY GENERAL
Mattei