Garante per la protezione dei dati personali (Italy) - 9873408

From GDPRhub
Garante per la protezione dei dati personali - 9873408
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(a) GDPR
Article 28 GDPR
Type: Investigation
Outcome: Violation Found
Started: 05.02.2022
Decided: 02.03.2023
Published: 02.03.2023
Fine: 1000 EUR
Parties: Razmataz Live srl
National Case Number/Name: 9873408
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Italian DPA (in IT)
Initial Contributor: n/a

The Italian DPA fined a marketing services provider that, acting as a processor, failed to ensure that a sub-processor complied with the fundamental principles of the GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

In the context of some processing operations already subject to investigation, the Italian DPA found that some controllers outsourced marketing services to Razmataz Live s.r.l. - a company active in the field of promotion of cultural activities. Razmataz relied in turn on another company, Flowers R, for the actual sending of marketing communications.

Since Razmataz did not reply to the supervisory authority's request of information, in May 2022 the DPA notified to the company the opening of a sanctioning procedure against it.

In its submission Razmataz claimed that the company did not assume any data protection role, as the marketing communications were sent by Flowers R according to the instructions directly issued by Razmataz's clients. Razmataz merely established a connection between Flowers R and such clients. Indeed, Razmataz did not have access to the contact details of the recipients of the marketing messages.

Holding[edit | edit source]

The Italian DPA rejected the arguments of the submission. According to the materials submitted by Razmataz, the latter played a key role in ensuring the communications between its clients and Flowers R in the context of the marketing campaigns. Indeed, Razmataz considered that Flowers R could provide its customers with adequate assistance in launching promotional campaigns. Razmataz was the channel of communication between the clients - acting as data controllers - and Flowers R the company that actually processed personal data.

Therefore, Razmataz acted as data processor and did not conduct appropriate checks on the level of data protection guaranteed by the sub-processor Flowers R. This triggered a violation of Articles 5 and 28 GDPR. Since the data processor is fully liable to the controller for the performance of a sub-processor’s obligations, Razmataz was liable for the non-compliant marketing campaigns run by Flowers R. These campaigns indeed resulted in an unlawful processing of personal data and in a violation of Article 6 GDPR, as data subjects' consent was not collected in advance.

Pursuant to Article 83 GDPR, the Italian DPA fined Razmataz €1,000. In determining the amount of the fine, the authority took into account the broad scope of the processing involving a large number of data subjects; the negligence of the conduct, in not responding to the request of information sent by the DPA; and the lack of measures to mitigate or eliminate the consequences of the violation. However, the DPA also considered a number of mitigating factors, including: the absence of previous infringements; the nature of the personal data at stake (in particular the lack of special categories of data); the complex financial situation in the country following the pandemic; and the limited turnover of the company.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9873408]

Injunction against Razmataz Live S.r.l. - March 2, 2023

Register of measures
no. 61 of 2 March 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and Dr. Claudio Filippi, deputy secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000, adopted with resolution of 28 June 2000;

SPEAKER Prof. Pasquale Stanzione;

1. THE INVESTIGATION ACTIVITY CARRIED OUT

1.1. Premise

As part of the investigation launched against Colosseo S.r.l., already the recipient of provision no. 297 of 5 August 2022 (in www.gpdp.it, web doc. n. 9817535), it emerged that Razmataz Live S.r.l. (hereinafter "Razmataz" or "Company") allegedly oversaw the promotion of cultural initiatives of the aforementioned company (for the Colosseum Theater) and of another client making use of a third party - who introduced himself as Flowers R, attributable to this XX - for sending material of the e-mails complained of in two complaints proposed to the Authority by Mr. XX.

1.2. The request for information formulated by the Authority and the response from Razmataz

In order to establish the operational areas pertaining to Razmataz in the framework of the processing carried out to promote the cultural events commissioned to it, the Authority, on 5 February 2022, sent a request for information and presentation of documents by certified email, pursuant to art. 157 of the Code, with particular reference to the documentation certifying the effective release of consent by the claimant for the use of personal data and the origin of the same. The communication, although duly delivered, remained unanswered.

Therefore, considering the integrated violation of art. 157 of the Code, through the Special Privacy Unit of the Guardia di Finanza, on 11 May 2022, the act of initiation of the procedure for the adoption of the sanction provided for by art. 166, paragraph 2, of the Code.

On 6 June 2022, the Company, in the context of the defensive arguments produced following the notification of the deed of initiation of the proceeding for violation of art. 157 of the Code, confirmed that it had taken care of the promotional activity described and that it had made use of Flowers R for sending the e-mails complained of in the two aforementioned complaints. He also specified that "Razmataz [...] does not know [...] and does not have access to the data (and e-mail addresses) of the recipients of the promotional e-mails which are [...] available to Flowers R" to which, in scope of an annual contractual relationship, is limited to indicating the target/characteristics of the promotional campaign. Therefore Flowers R is to be considered "the sole responsible for the processing of the data of the recipients of the promotional emails [...]".

1.3. Complaint of administrative violations

In the light of what emerged from the preliminary investigation, on the basis of the overall documentation acquired, the Office adopted the act of initiation of the administrative procedure no. 50637/22 of 22 September 2022 (notified on the same date by certified e-mail), with which it challenged Razmataz for the following hypotheses of violation:

a) art. 5, par. 1, lit. a) of the Regulations, for not having carried out any type of check on the partner to whom it has entrusted the task, depriving the processing of the requirements of lawfulness, correctness and transparency;

b) art. 28 of the Regulation, for not having taken any precautions in choosing the supplier and in entrusting the promotional service to Flowers R;

c) art. 6, par. 1, lit. a) of the Regulation and art. 130 of the Code, for having proceeded to send promotional messages in the absence of the consent of the interested party.

2. DEFENSIVE OBSERVATIONS AND ASSESSMENTS OF THE AUTHORITY

2.1. The defensive memory

The Company sent within the deadline (on 17 October 2022) a defense brief in which, in reiterating the arguments expressed in a note dated 6 June 2022, it defined the qualification of its role in the treatment in question, not attributable either to the role of owner or manager. This is because, according to him, Razmataz would not have handled the sending of the promotional e-mails nor had access to the data of the recipients of the same (in the exclusive availability of Flowers R), nor would he have established the purposes and means of the specific processing , on the other hand, by the clients. In fact, "The sending of promotional e-mails is not decided independently by Razmataz [...] but commissioned by clients who [...] know Flowers R (with whom they come into contact through Razmataz Live srl) and, at least for certain aspects, they interface directly with the latter […]”. In confirmation of this, the Company has attached to the memorandum the e-mail exchanges between the clients and Flowers R, reiterating its role of "consulting / assistance in the organization of the commissioned promotional campaign". Therefore, the further aspects challenged by the Authority and relating to the lawfulness and transparency of the processing, as well as the existence of the consent of the interested party to receive promotional communications, would be attributable to the responsibility of Flowers R which, however, for more than one year would have deleted the complainant's data.

2.2. The observations of the Authority

With reference to the factual profiles highlighted above, also on the basis of the statements of the Company, for which the declarant is liable pursuant to art. 168 of the Code, the following legal assessments are formulated.

The Company argued that it had no role in the processing in question due to the mere fact of not materially having the personal data used for the promotional campaign commissioned from it, having delegated all activities to Flowers R. This justification cannot be considered sufficient to exclude Razmataz from liability since the material availability of the data, in itself, is not a decisive requirement.

Indeed, it must be remembered that, according to art. 4 of the Regulation, the natural or legal person who, individually or together with others, determines the purposes and means of the processing is the "owner" (not noting the fact that he has the concrete availability of the data), while the "data controller" is the subject who processes personal data on behalf of the owner. Furthermore, the art. 26 of the Regulation governs any cases of co-ownership in the processing when the purposes and means are determined jointly by two or more data controllers (see provision 25 November 2021, web doc. n. 9736961; provision 25 November 2021, web doc. n. 9737185; provision 2 December 2021, web doc. n. 9731682; provision 2 December 2021, web doc. n. 9731664).

In the present case, the alleged extraneousness of Razmataz in the processing which, according to him, would have directly involved the clients of the promotional activity (data controllers) and Flowers R, is not sufficiently proven. From what emerged from the investigations initiated against said owners, however, a responsibility of Razmataz emerges in the choice of the supplier Flowers R. In fact, from an examination of the e-mails attached to Razmataz's defense brief, it can be deduced that the Company's role in activity was decisive, as the owners simply shared the proposed solution. Although Razmataz affirms that there was a direct relationship between the owners and Flowers R, the communications contained in the e-mails exchanged between the latter subjects do not acknowledge it but rather seem to be required by impromptu needs. More specifically, it is noted that in one case the holder, after receiving the contact from Flowers R through Razmataz, provided Flowers with indications on the contents of the campaign for sending approximately 7/8 thousand e- email; in the other case, the interlocution was motivated only by the need to acquire elements to provide adequate response to the request for information received from the Authority.

Therefore, even in the absence of an express qualification of the roles, on the basis of the factual dynamics that characterized the treatment and the relationship between the subjects involved in it, it is possible to assume that Razmataz acted, in fact, as data controller. This is because the same, in carrying out the activities commissioned by the owners, proceeded to select the subject on the market - with whom it had a direct contractual relationship - who would carry out the promotional campaign and conveyed to the same instructions agreed with the clients ( choice of target and channel for sending messages).

In this regard, it should be noted that the art. 28 of the Regulation establishes that the controller must only resort to data processors who present sufficient guarantees (see art. 28, paragraph 1 of the Regulation) and the processor who turns to another processor retains the entire responsibility for fulfilling the obligations of the other person in charge (cf. art. 28, paragraph 4 of the Regulation).

Razmataz has not demonstrated that it has carried out the appropriate checks before entrusting the service to Flowers R. In particular, it does not appear that Razmataz has requested from Flowers R documentation proving the existence of the requirements of lawfulness of the treatment, such as the origin of the data, the information provided and the consents acquired, nor that he has verified this in any other way.

Therefore, the processing of personal data has been deprived of the requirements of lawfulness, correctness and transparency in violation of art. 5, par. 1, lit. a) of the Regulations since Razmataz has not taken any precautions in choosing the supplier and in entrusting the promotional service to Flowers R, which would have acted in fact as a sub-manager, thus also integrating the violation of art. 28 of the Regulation.

Finally, the consent of the interested party to receive promotional messages is not documented in any way; therefore the treatment appears to be carried out in the absence of an appropriate legal basis, integrating the violation of the art. 6, par. 1, lit. a) of the Regulation and of the art. 130 of the Code.

On the basis of the above considerations, the observations made during the dispute must be confirmed and the responsibility of Razmataz in relation to the conduct described must be affirmed.

Furthermore, the Company has failed to respond to the request for information and presentation of documents formulated by the Guarantor on 5 February 2022, resulting in an aggravation of the proceeding, with the impossibility of carrying out checks during the preliminary investigation, as any evaluation has been delegated to the defense phase following the initiation of proceedings. He did not even provide explanations for the lack of response despite the timely request of the Office. Furthermore, Razmataz's certified e-mail address, as resulting from the information system of the Chambers of Commerce, appeared to be fully functional since upon sending the request for information and the subsequent notice of dispute, the system returned the acceptance and delivery certificates which completed the notification of documents. Therefore, it is believed that there is a violation of art. 157 of the Code.

In light of the above, it is necessary to order Razmataz, pursuant to art. 58, par. 2, lit. d) of the Regulation, if it intends to make use of third parties for promotional activities in the future, to adopt suitable procedures aimed at constantly verifying that personal data are processed in full compliance with the provisions on the subject and, in particular, to verify in advance the acquisition of a informed, free, specific, unequivocal and documented consent of the interested parties for the sending of commercial communications.

Finally, with regard to the treatments already carried out and with dissuasive purposes, and taking into account the failure to respond to the request for information pursuant to art. 157 of the Code, the prerequisites for the application of a pecuniary administrative sanction pursuant to articles 58, par. 2, lit. i) and 83, par. 4 and 5, of the Regulation.

It should be noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

3. ORDER-INJUNCTION FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

On the basis of the above, various provisions of the Regulation and of the Code are violated in relation to connected treatments carried out by Razmataz, for which it is necessary to apply the art. 83, par. 3, of the Regulation, on the basis of which, if, in relation to the same treatment or to related treatments, a data controller or processor violates, with malice or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation with consequent application of the only sanction provided for by art. 83, par. 5, of the Regulation.

For the purpose of quantifying the administrative fine, the aforementioned art. 83, par. 5 of the Regulation, in setting the statutory maximum in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the previous year where higher, specifies the methods for quantifying the aforementioned fine, which must "in in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1, of the Regulation), identifying, for this purpose, a series of elements, listed in par. 2, to be evaluated when quantifying the relative amount.

In fulfillment of this provision, hypothesized, on the basis of the economic information available, the occurrence of the first hypothesis envisaged by the aforementioned art. 83, par. 5 of the Regulation and therefore quantified at 20 million euros as the maximum statutory amount applicable, the following aggravating circumstances must be considered:

1) the number of subjects involved since the sending of commercial communications, despite having been complained of only by Mr. XX, would not have been limited to the latter considering that the promotional campaign in question, also on the basis of expectations tives connected to the ordinary knowledge of the sector which generally involves a large number of recipients, would have concerned about "7/800 thousand emails" (art. 83, paragraph 2, letter a of the Regulation);

2) the grossly negligent nature of the conduct, since the Company did not take into account the consequences that could derive from failure to respond to the Guarantor's request, also in terms of the complete instruction of the complaint procedure, nor did it provide explanations regarding its silence (Article 83, paragraph 2, letter b of the Regulation);

3) the failure to adopt measures aimed at mitigating or eliminating the consequences of the violation, since, even following the initiation of the sanctioning procedure, Razmataz has not undertaken any initiative also with reference to the relationship with Flowers R (art. 83, par. 2, letter c of the Regulation).

As mitigating elements, the following must instead be considered:

1) the absence of previous proceedings initiated against the Company (Article 83, paragraph 2, letter e of the Regulation);

2) the common nature of the data processed (Article 83, paragraph 2, letter g of the Regulation);

3) the particular socio-economic situation that has affected the country in relation to the pandemic emergency (Article 83, paragraph 2, letter k of the Regulation);

4) the financial statements of the Company (article 83, paragraph 2, letter k of the Regulation).

Based on the set of elements indicated above, in application of the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1 of the Regulation, taking into account the necessary balance between the rights of the interested parties and the freedom to do business, also in order to limit the economic impact of the sanction on the organisational, functional and employment needs of the Company, it is believed that the administrative sanction should be applied to Razmataz the payment of a sum of 1,000.00 (one thousand.00) euros equal to 0.005% of the maximum statutory fine of 20 million euros. The maximum statutory sanction is identified with reference to the provisions of art. 83, par. 5 of the Regulation, taking into account that 4% of Razmataz's turnover is less than 20 million euros.

In the case in question, it is believed that the ancillary sanction of publication on the website of the Guarantor of this provision should also be applied, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019, taking into account the subject matter of the preliminary investigation, namely the phenomenon of unwanted marketing, with respect to which this Authority has adopted numerous measures both of a general nature and aimed at specific data controllers and on which the attention of the 'user.

Finally, the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation.

ALL THIS CONSIDERING THE GUARANTEE

a) pursuant to art. 57, par. 1, lit. f), of the Regulation, declares the processing described in the terms described in the justification carried out by Razmataz Live S.r.l., with registered office in Milan, Corso di Porta Nuova, n. 16, tax code 09714280964;

b) pursuant to art. 58, par. 2, lit. d) of the Regulation, enjoins the Company, if it intends to make use of third parties for promotional activities in the future, to adopt suitable procedures aimed at constantly verifying that personal data are processed in full compliance with the provisions on the matter and, in particular, to verify in advance the acquisition of an informed, free, specific, unequivocal and documented consent of the interested parties for the sending of commercial communications;

ORDER

to Razmataz Live S.r.l., in the person of its pro-tempore legal representative, to pay the sum of 1,000.00 (one thousand/00) euros as an administrative fine for the violations indicated in the justification, representing that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute, with the fulfillment of the instructions given and the payment, within the term of thirty days, of an amount equal to half of the fine imposed;

ENJOYS

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 1,000.00 (one thousand/00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to the 'art. 27 of the law n. 689/1981;

HAS

as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and of the art. 16 of the Regulation of the Guarantor n. 1/2019, the publication on the Guarantor's website of this provision and, pursuant to art. 17 of the Regulation of the Guarantor n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation, of the violations and of the measures adopted.

Pursuant to articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller has its registered office, within the term of thirty days from the date of communication of the provision itself .

Rome, March 2, 2023

PRESIDENT
station

THE SPEAKER
station

THE DEPUTY SECRETARY GENERAL
Philippi

[doc. web no. 9873408]

Injunction against Razmataz Live S.r.l. - March 2, 2023

Register of measures
no. 61 of 2 March 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and Dr. Claudio Filippi, deputy secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000, adopted with resolution of 28 June 2000;

SPEAKER Prof. Pasquale Stanzione;

1. THE INVESTIGATION ACTIVITY CARRIED OUT

1.1. Premise

As part of the investigation launched against Colosseo S.r.l., already the recipient of provision no. 297 of 5 August 2022 (in www.gpdp.it, web doc. n. 9817535), it emerged that Razmataz Live S.r.l. (hereinafter "Razmataz" or "Company") allegedly oversaw the promotion of cultural initiatives of the aforementioned company (for the Colosseum Theater) and of another client making use of a third party - who introduced himself as Flowers R, attributable to this XX - for sending material of the e-mails complained of in two complaints proposed to the Authority by Mr. XX.

1.2. The request for information formulated by the Authority and the response from Razmataz

In order to establish the operational areas pertaining to Razmataz in the framework of the processing carried out to promote the cultural events commissioned to it, the Authority, on 5 February 2022, sent a request for information and presentation of documents by certified email, pursuant to art. 157 of the Code, with particular reference to the documentation certifying the effective release of consent by the claimant for the use of personal data and the origin of the same. The communication, although duly delivered, remained unanswered.

Therefore, considering the integrated violation of art. 157 of the Code, through the Special Privacy Unit of the Guardia di Finanza, on 11 May 2022, the act of initiation of the procedure for the adoption of the sanction provided for by art. 166, paragraph 2, of the Code.

On 6 June 2022, the Company, in the context of the defensive arguments produced following the notification of the deed of initiation of the proceeding for violation of art. 157 of the Code, confirmed that it had taken care of the promotional activity described and that it had made use of Flowers R for sending the e-mails complained of in the two aforementioned complaints. He also specified that "Razmataz [...] does not know [...] and does not have access to the data (and e-mail addresses) of the recipients of the promotional e-mails which are [...] available to Flowers R" to which, in scope of an annual contractual relationship, is limited to indicating the target/characteristics of the promotional campaign. Therefore Flowers R is to be considered "the sole responsible for the processing of the data of the recipients of the promotional emails [...]".

1.3. Complaint of administrative violations

In the light of what emerged from the preliminary investigation, on the basis of the overall documentation acquired, the Office adopted the act of initiation of the administrative procedure no. 50637/22 of 22 September 2022 (notified on the same date by certified e-mail), with which it challenged Razmataz for the following hypotheses of violation:

a)  art. 5, par. 1, lit. a) of the Regulations, for not having carried out any type of check on the partner to whom it has entrusted the task, depriving the processing of the requirements of lawfulness, correctness and transparency;

b) art. 28 of the Regulation, for not having taken any precautions in choosing the supplier and in entrusting the promotional service to Flowers R;

c) art. 6, par. 1, lit. a) of the Regulation and art. 130 of the Code, for having proceeded to send promotional messages in the absence of the consent of the interested party.

2. DEFENSIVE OBSERVATIONS AND ASSESSMENTS OF THE AUTHORITY

2.1. The defensive memory

The Company sent within the deadline (on 17 October 2022) a defense brief in which, in reiterating the arguments expressed in a note dated 6 June 2022, it defined the qualification of its role in the treatment in question, not attributable either to the role of owner or manager. This is because, according to him, Razmataz would not have handled the sending of the promotional e-mails nor had access to the data of the recipients of the same (in the exclusive availability of Flowers R), nor would he have established the purposes and means of the specific processing , on the other hand, by the clients. In fact, "The sending of promotional e-mails is not decided independently by Razmataz [...] but commissioned by clients who [...] know Flowers R (with whom they come into contact through Razmataz Live srl) and, at least for certain aspects, they interface directly with the latter […]”. In confirmation of this, the Company has attached to the memorandum the e-mail exchanges between the clients and Flowers R, reiterating its role of "consulting / assistance in the organization of the commissioned promotional campaign". Therefore, the further aspects challenged by the Authority and relating to the lawfulness and transparency of the processing, as well as the existence of the consent of the interested party to receive promotional communications, would be attributable to the responsibility of Flowers R which, however, for more than one year would have deleted the complainant's data.

2.2. The observations of the Authority

With reference to the factual profiles highlighted above, also on the basis of the statements of the Company, for which the declarant is liable pursuant to art. 168 of the Code, the following legal assessments are formulated.

The Company argued that it had no role in the processing in question due to the mere fact of not materially having the personal data used for the promotional campaign commissioned from it, having delegated all activities to Flowers R. This justification cannot be considered sufficient to exclude Razmataz from liability since the material availability of the data, in itself, is not a decisive requirement.

Indeed, it must be remembered that, according to art. 4 of the Regulation, the natural or legal person who, individually or together with others, determines the purposes and means of the processing is the "owner" (not noting the fact that he has the concrete availability of the data), while the "data controller" is the subject who processes personal data on behalf of the owner. Furthermore, the art. 26 of the Regulation governs any cases of co-ownership in the processing when the purposes and means are determined jointly by two or more data controllers (see provision 25 November 2021, web doc. n. 9736961; provision 25 November 2021, web doc. n. 9737185; provision 2 December 2021, web doc. n. 9731682; provision 2 December 2021, web doc. n. 9731664).

In the present case, the alleged extraneousness of Razmataz in the processing which, according to him, would have directly involved the clients of the promotional activity (data controllers) and Flowers R, is not sufficiently proven. From what emerged from the investigations initiated against said owners, however, a responsibility of Razmataz emerges in the choice of the supplier Flowers R. In fact, from an examination of the e-mails attached to Razmataz's defense brief, it can be deduced that the Company's role in activity was decisive, as the owners simply shared the proposed solution. Although Razmataz affirms that there was a direct relationship between the owners and Flowers R, the communications contained in the e-mails exchanged between the latter subjects do not acknowledge it but rather seem to be required by impromptu needs. More specifically, it is noted that in one case the holder, after receiving the contact from Flowers R through Razmataz, provided Flowers with indications on the contents of the campaign for sending approximately 7/8 thousand e- email; in the other case, the interlocution was motivated only by the need to acquire elements to provide adequate response to the request for information received from the Authority.

Therefore, even in the absence of an express qualification of the roles, on the basis of the factual dynamics that characterized the treatment and the relationship between the subjects involved in it, it is possible to assume that Razmataz acted, in fact, as data controller. This is because the same, in carrying out the activities commissioned by the owners, proceeded to select the subject on the market - with whom it had a direct contractual relationship - who would carry out the promotional campaign and conveyed to the same instructions agreed with the clients ( choice of target and channel for sending messages).

In this regard, it should be noted that the art. 28 of the Regulation establishes that the controller must only resort to data processors who present sufficient guarantees (see art. 28, paragraph 1 of the Regulation) and the processor who turns to another processor retains the entire responsibility for fulfilling the obligations of the other person in charge (cf. art. 28, paragraph 4 of the Regulation).

Razmataz has not demonstrated that it has carried out the appropriate checks before entrusting the service to Flowers R. In particular, it does not appear that Razmataz has requested from Flowers R documentation proving the existence of the requirements of lawfulness of the treatment, such as the origin of the data, the information provided and the consents acquired, nor that he has verified this in any other way.

Therefore, the processing of personal data has been deprived of the requirements of lawfulness, correctness and transparency in violation of art. 5, par. 1, lit. a) of the Regulations since Razmataz has not taken any precautions in choosing the supplier and in entrusting the promotional service to Flowers R, which would have acted in fact as a sub-manager, thus also integrating the violation of art. 28 of the Regulation.

Finally, the consent of the interested party to receive promotional messages is not documented in any way; therefore the treatment appears to be carried out in the absence of an appropriate legal basis, integrating the violation of the art. 6, par. 1, lit. a) of the Regulation and of the art. 130 of the Code.

On the basis of the above considerations, the observations made during the dispute must be confirmed and the responsibility of Razmataz in relation to the conduct described must be affirmed.

Furthermore, the Company has failed to respond to the request for information and presentation of documents formulated by the Guarantor on 5 February 2022, resulting in an aggravation of the proceeding, with the impossibility of carrying out checks during the preliminary investigation, as any evaluation has been delegated to the defense phase following the initiation of proceedings. He did not even provide explanations for the lack of response despite the timely request of the Office. Furthermore, Razmataz's certified e-mail address, as resulting from the information system of the Chambers of Commerce, appeared to be fully functional since upon sending the request for information and the subsequent notice of dispute, the system returned the acceptance and delivery certificates which completed the notification of documents. Therefore, it is believed that there is a violation of art. 157 of the Code.

In light of the above, it is necessary to order Razmataz, pursuant to art. 58, par. 2, lit. d) of the Regulation, if it intends to make use of third parties for promotional activities in the future, to adopt suitable procedures aimed at constantly verifying that personal data are processed in full compliance with the provisions on the subject and, in particular, to verify in advance the acquisition of a informed, free, specific, unequivocal and documented consent of the interested parties for the sending of commercial communications.

Finally, with regard to the treatments already carried out and with dissuasive purposes, and taking into account the failure to respond to the request for information pursuant to art. 157 of the Code, the prerequisites for the application of a pecuniary administrative sanction pursuant to articles 58, par. 2, lit. i) and 83, par. 4 and 5, of the Regulation.

It should be noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

3. ORDER-INJUNCTION FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

On the basis of the above, various provisions of the Regulation and of the Code are violated in relation to connected treatments carried out by Razmataz, for which it is necessary to apply the art. 83, par. 3, of the Regulation, on the basis of which, if, in relation to the same treatment or to related treatments, a data controller or processor violates, with malice or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation with consequent application of the only sanction provided for by art. 83, par. 5, of the Regulation.

For the purpose of quantifying the administrative fine, the aforementioned art. 83, par. 5 of the Regulation, in setting the statutory maximum in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the previous year where higher, specifies the methods for quantifying the aforementioned fine, which must "in in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1, of the Regulation), identifying, for this purpose, a series of elements, listed in par. 2, to be evaluated when quantifying the relative amount.

In fulfillment of this provision, hypothesized, on the basis of the economic information available, the occurrence of the first hypothesis envisaged by the aforementioned art. 83, par. 5 of the Regulation and therefore quantified at 20 million euros as the maximum statutory amount applicable, the following aggravating circumstances must be considered:

1) the number of subjects involved since the sending of commercial communications, despite having been complained of only by Mr. XX, would not have been limited to the latter considering that the promotional campaign in question, also on the basis of expectations tives connected to the ordinary knowledge of the sector which generally involves a large number of recipients, would have concerned about "7/800 thousand emails" (art. 83, paragraph 2, letter a of the Regulation);

2) the grossly negligent nature of the conduct, since the Company did not take into account the consequences that could derive from failure to respond to the Guarantor's request, also in terms of the complete instruction of the complaint procedure, nor did it provide explanations regarding its silence (Article 83, paragraph 2, letter b of the Regulation);

3) the failure to adopt measures aimed at mitigating or eliminating the consequences of the violation, since, even following the initiation of the sanctioning procedure, Razmataz has not undertaken any initiative also with reference to the relationship with Flowers R (art. 83, par. 2, letter c of the Regulation).

As mitigating elements, the following must instead be considered:

1) the absence of previous proceedings initiated against the Company (Article 83, paragraph 2, letter e of the Regulation);

2) the common nature of the data processed (Article 83, paragraph 2, letter g of the Regulation);

3) the particular socio-economic situation that has affected the country in relation to the pandemic emergency (Article 83, paragraph 2, letter k of the Regulation);

4) the financial statements of the Company (article 83, paragraph 2, letter k of the Regulation).

Based on the set of elements indicated above, in application of the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1 of the Regulation, taking into account the necessary balance between the rights of the interested parties and the freedom to do business, also in order to limit the economic impact of the sanction on the organisational, functional and employment needs of the Company, it is believed that the administrative sanction should be applied to Razmataz the payment of a sum of 1,000.00 (one thousand.00) euros equal to 0.005% of the maximum statutory fine of 20 million euros. The maximum statutory sanction is identified with reference to the provisions of art. 83, par. 5 of the Regulation, taking into account that 4% of Razmataz's turnover is less than 20 million euros.

In the case in question, it is believed that the ancillary sanction of publication on the website of the Guarantor of this provision should also be applied, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019, taking into account the subject matter of the preliminary investigation, namely the phenomenon of unwanted marketing, with respect to which this Authority has adopted numerous measures both of a general nature and aimed at specific data controllers and on which the attention of the 'user.

Finally, the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation.

ALL THIS CONSIDERING THE GUARANTEE

a) pursuant to art. 57, par. 1, lit. f), of the Regulation, declares the processing described in the terms described in the justification carried out by Razmataz Live S.r.l., with registered office in Milan, Corso di Porta Nuova, n. 16, tax code 09714280964;

b) pursuant to art. 58, par. 2, lit. d) of the Regulation, enjoins the Company, if it intends to make use of third parties for promotional activities in the future, to adopt suitable procedures aimed at constantly verifying that personal data are processed in full compliance with the provisions on the matter and, in particular, to verify in advance the acquisition of an informed, free, specific, unequivocal and documented consent of the interested parties for the sending of commercial communications;

ORDER

to Razmataz Live S.r.l., in the person of its pro-tempore legal representative, to pay the sum of 1,000.00 (one thousand/00) euros as an administrative fine for the violations indicated in the justification, representing that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute, with the fulfillment of the instructions given and the payment, within the term of thirty days, of an amount equal to half of the fine imposed;

ENJOYS

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 1,000.00 (one thousand/00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to the 'art. 27 of the law n. 689/1981;

HAS

as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and of the art. 16 of the Regulation of the Guarantor n. 1/2019, the publication on the Guarantor's website of this provision and, pursuant to art. 17 of the Regulation of the Guarantor n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation, of the violations and of the measures adopted.

Pursuant to articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller has its registered office, within the term of thirty days from the date of communication of the provision itself .

Rome, March 2, 2023

PRESIDENT
station

THE SPEAKER
station

THE DEPUTY SECRETARY GENERAL
Philippi