Garante per la protezione dei dati personali (Italy) - 9880317

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(a) GDPR
Article 58(2)(d) GDPR
Article 58(2)(f) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 02.03.2023
Published:
Fine: 5,000 EUR
Parties: n/a
National Case Number/Name: 9880317
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante (Italy) (in IT)
Initial Contributor: n/a

The Italian DPA fined a controller €5,000 for sending unsolicited marketing communications to email addresses created by software through the automatic combination of data collected on the internet.

English Summary

Facts

Some data subjects complained about unsolicited marketing emails. The Italian DPA's investigation revealed that behind these communications was a company providing marketing services to businesses. The company, managed by a single individual, used software that automatically combined data from the internet to create potentially existing email addresses. These email addresses were then used to send marketing communications to unaware data subjects.

Holding

The Italian DPA notified the controller of an investigation for potential violations of Articles 5(1)(a) and 6(1)(a) GDPR.

According to the supervisory authority, the fact that email addresses were automatically generated through a software does not exempt the controller from the obligation of collecting a valid consent for the processing. In the present case, there was no attempt to collect such a consent. Therefore, processing was unlawful and violated Articles 5(1)(a) and 6(1)(a) GDPR.

The Italian DPA ordered the controller to erase personal data and stop the processing pursuant to Article 58(2)(d) and (f) GDPR. The DPA also considered it appropriate to fine the controller €5,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9880317]

Injunction order - March 2, 2023

Register of measures
no. 60 of 2 March 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and dr. Claudio Filippi, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46/CE (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Personal Data Protection Code (Legislative Decree June 30, 2003, No. 196), as amended by Legislative Decree August 10, 2018, No. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER Prof. Pasquale Stanzione;

WHEREAS

1. THE INVESTIGATION ACTIVITY CARRIED OUT

During 2021, the Guarantor received several complaints from Mr. XX, who complained of receiving unsolicited e-mails containing promotional communications from various subjects. From the investigations conducted, and on the basis of what was subsequently integrated by the complainant, it emerged that these subjects had appointed a third party who was not immediately identifiable to carry out e-mail marketing campaigns.

In fact, from the documentation acquired in the deeds it emerged that the offers of e-mail marketing services to said clients were formulated by this "Flowers R - Digitech Group" and signed, or in any case promoted, by a person who signed himself as "Claudio Alfieri", reporting non-existent tax data. In some cases, during the investigation, a copy of a release was also produced to the Office, signed by the self-styled Claudio Alfieri as "resp. Mailing department of the company Flowers R", with which the purchaser of the services was relieved of all "responsibilities relating to privacy and the gdpr for sending newsletters to all addresses present and sent in the list in question".

Furthermore, in the same period, a whistleblower, who had received a similar offer for the creation of promotional campaigns via e-mail, having doubts about the legitimacy of this conduct, proceeded to forward it to the Guarantor.

Once the initial investigations were carried out, the Office instructed the special privacy unit of the Guardia di Finanza to verify the identity of the person who presented himself as Claudio Alfieri/Flowers R - Digitech Group and to notify him of the request for information no. 10838 of February 17, 2022.

The Nucleus, having identified said subject in the sole proprietorship Flowers R of Malalan Mitja (hereinafter "Flowers" or "Mitja"), proceeded with the notification on April 12, 2022, acquiring at the same time the elements subject of the request.

From the statements made in the minutes by Mr. Mitja, integrated with a subsequent certified email dated 25 April 2022, it emerged first of all that the promotional activity was carried out by him in a completely autonomous way through a personal computer installed in his home in Croatia. On the basis of the invoices registered in the Revenue Agency system(1), it emerged that the provision of the service, and the related data processing, had been taking place for over a year.

With regard to the name under which the commercial offers were signed, Mr. Mitja declared that the name "Flowers R - Digitech Group" derives from the names of his previous commercial activities, now discontinued, with different corporate objects. The name "Claudio Alfieri", on the other hand, is a fantasy name, as well as the respective tax code, which Mitja would have chosen to present himself more easily to potential buyers of his services, believing that his real name was difficult to understand.

The same then added that he personally took care of the promotion of the direct mail service he offered, by sending a presentation email to the email addresses, found on the net, of subjects who could potentially be interested in his services.

On the other hand, with regard to the methods of collecting e-mail addresses to be used to convey promotional campaigns, Mitja declared that he had used software that randomly generates possible e-mail addresses, ensuring that he had stopped using them after the start of the investigation. However, it should be noted that, in one of the replies provided to the complainant XX (see email of 19 November 2021 sent to the complainant), Mitja had declared that he did not know exactly where his data had been acquired from but that he assumed that they could be contained in a database of addresses previously purchased online.

Finally, the same specified that at the bottom of the e-mails sent there was a link to object to the receipt of further messages; upon selecting this link, the corresponding e-mail address was inserted in a black list and, thus, excluded from subsequent promotional campaigns. In this regard, Mitja has provided a copy of this black list, consisting solely of a list of e-mail addresses (see attachment 3 to the e-mail dated April 25, 2022).

2. DISPUTING INFRINGEMENTS

The Office took steps to challenge the violations detected with the act of initiation of the procedure of 22 September 2022 prot.n. 50638/22, notified to Mitja through the special privacy unit on November 3, 2022.

Since the reasons expressed in the aforementioned deed are hereby fully referred to, Mitja was charged with violating articles 5, par. 1, lit. a), 6, para. 1, lit. a) of the Regulation and of the art. 130 of the Code, since the sending of promotional communications via e-mail was carried out without the consent of the interested parties.

3. LEGAL ASSESSMENTS

With reference to the factual profiles highlighted above, also on the basis of the statements made by Mr. Mitja during the investigation, for which the declarant is liable pursuant to art. 168 of the Code, taking into account that he did not avail himself of the possibility of presenting briefs or of being heard after notification of the dispute, the following legal assessments are formulated.

As also confirmed in the minutes, Mitja sent numerous promotional e-mails without having collected a suitable and prior consent from the recipients of the same. This applies both to the potential clients whom he declared to have contacted after finding the e-mail addresses on the Internet, and to the numerous subjects he has included in the promotional campaigns carried out on behalf of his clients and whose e-mail addresses, according to what was declared, would have been generated randomly.

In this regard, it must first be remembered that, pursuant to art. 6 of the Regulation, the processing is lawful only if carried out on the basis of a suitable legal basis. As specified by the art. 130 of the Code, the sending of promotional communications via e-mail to natural and legal persons is permitted only with the consent of the recipient. This consent, to be valid, must have been given in advance, freely and specifically after having received adequate information from the owner.

In this context, the random generation of e-mail addresses cannot therefore be considered lawful, nor can the fact that the owner guarantees (as indeed due) the right to object through inclusion in a black list be considered sufficient. Furthermore, the promotional communications sent to the complainant, in addition to the "unsubscribe" link, did not present any information attributable to Flowers and the contact details where the rights provided for by the Regulations could be exercised. In fact, Mr. XX learned of the treatment carried out by Flowers only after having consulted one of the subjects who had commissioned the promotional campaigns, but he was unable to obtain confirmation of Mr. Mitja's real identity and the origin of the data, not even after having made subsequent inquiries to own account and having initiated a direct dialogue with the individual who continued to introduce himself as Claudio Alfieri.

Therefore, the processing of personal data for marketing purposes, carried out with the use of personal data lists found on the Internet or generated randomly, was found to lack the requirements of lawfulness, correctness and transparency identified by art. 5 of the Regulation.

Furthermore, the conduct described gave rise to the sending of promotional messages without consent, pursuant to articles 6, par. 1, lit. a) of the Regulation and 130, paragraphs 1 and 2, of the Code, since Mitja himself has declared that he has never acquired prior consent.

For these reasons, pursuant to art. 58, par. 2, lit. f) of the Regulation, it is necessary to impose a ban on Malalan Mitja from processing the personal data entered in the database subject to the investigation; as a result of this prohibition, any processing of such data being unlawful, including storage, it is deemed necessary, pursuant to art. 58, par. 2, lit. d) of the Regulations, order Malalan Mitja to proceed without delay to the cancellation of said data, except for those that it is necessary to keep for the fulfillment of a legal obligation (such as, for example, the data of subjects who have purchased services) or for the defense of a right in court and without prejudice to the unusability of such data for any other purpose.

Furthermore, in consideration of the illegality of the conduct, interrupted only after the intervention of the Guarantor, it is believed that the conditions are met for the application of a pecuniary administrative sanction pursuant to art. 58, par. 2, lit. i) of the Regulation.

4. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

On the basis of the above, various provisions of the Regulation and of the Code are violated in relation to connected treatments carried out by Malalan Mitja, for which it is necessary to apply the art. 83, par. 3, of the Regulation, on the basis of which, if, in relation to the same treatment or related treatments, a data controller violates, with willful misconduct or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation with consequent application of the sole sanction provided for by art. 83, par. 5, of the Regulation.

For the purpose of quantifying the administrative fine, the aforementioned art. 83, par. 5, in setting the statutory maximum in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the previous year where higher, specifies the methods for quantifying the aforementioned fine, which must "in any case [ be] effective, proportionate and dissuasive" (Article 83, paragraph 1, of the Regulation), identifying, for this purpose, a series of elements, listed in par. 2, to be evaluated when quantifying the relative amount.

In fulfillment of this provision, hypothesized, on the basis of the available economic information, i.e. exclusively the invoices issued for the sale of the email marketing service registered by the Revenue Agency, the occurrence of the first hypothesis envisaged by the aforementioned art. 83, par. 5 and therefore quantified at 20 million euros as the applicable statutory maximum, the following aggravating circumstances must be considered:

1. the wide range of treatments, interrupted only following the intervention of the Guarantor, which involved thousands of data subjects and lasted for over a year (art. 83, paragraph 2, letter a), of the regulation);

2. the seriousness of the violations detected, due to the fact that the data have been processed for promotional purposes, not only in the absence of consent, but in the total unawareness of the interested parties (Article 83, paragraph 2, letter a), of the Regulation);

3. the intentional desire to disguise one's identity, presenting oneself to potential customers and to the complainant with false personal details, such as to make the infringement considered to be of a malicious nature also in consideration of the fact that, by offering potential customers an indemnity for any damages caused by the treatment, Mitja has demonstrated that he has knowledge of the applicable regulatory framework and the possible consequences of a violation (Article 83, paragraph 2, letter b), of the Regulation);

4. the ways in which the Supervisory Authority became aware of the violations, following some complaints and the consequent preliminary investigations initiated against the clients of the promotional campaigns (Article 83, paragraph 2, letter h), of the regulation).

As mitigating elements, it is believed that the following can be taken into account:

1. of the registration in the black list of the subjects who had expressed their opposition to the treatment, which constitutes a measure, albeit minimal, to contain the potential damages for the interested parties (Article 83, paragraph 2, letter c) of the Regulation);

2. the absence of previous relevant violations committed by the data controller (Article 83, paragraph 2, letter e), of the Regulation);

3. the degree of cooperation in interaction with the Supervisory Authority (Article 83, paragraph 2, letter f), of the Regulation);

4. the nature of the data processed, consisting of common personal and contact data (Article 83, paragraph 2, letter g) of the Regulation);

With an overall view of the necessary balance between the rights of the interested parties and the freedom to do business, taking into account that the only economic data made available are those relating to the invoices attached to the report of 12 April 2022, in the process of first application of the pecuniary administrative sanctions envisaged by the Regulation, it is necessary to evaluate the aforementioned criteria prudently, also in order to limit the economic impact of the sanction against a natural person.

Therefore it is believed that - on the basis of all the elements indicated above - the administrative sanction of the payment of a sum of 5,000.00 (five thousand) euros equal to 0.025% of the maximum statutory sanction of 20 million euros should be applied to Malalan Mitja. The maximum statutory sanction is identified with reference to the provisions of art. 83, par. 5 of the Regulation, taking into account that 4% of Malalan Mitja's turnover, on the basis of the data registered with the Revenue Agency, is less than 20 million euros.

It should be noted that the conditions set out in art. 17 of the Regulation of the Guarantor n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation.

It is also believed - in consideration of the vast scope of the violations detected - that, pursuant to art. 166, paragraph 7, of the Code, and of the art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, it is necessary to proceed with the publication of this provision on the website of the Guarantor, by way of ancillary sanction.

ALL THIS CONSIDERING THE GUARANTOR

a) pursuant to art. 57, par. 1, lit. f), of the Regulations, declares the treatment described in the terms described in the justification carried out by the sole proprietorship Flowers R of Malalan Mitja, with registered office in Trieste, XX, VAT no. XX;

b) pursuant to art. 58, par. 2, lit. f) imposes a ban on Flowers R di Malalan Mitja from processing the personal data entered in the database subject to the investigation;

c) as a result of this prohibition, pursuant to art. 58, par. 2, lit. d) of the Regulation, enjoins Flowers R of Malalan Mitja to proceed without delay with the cancellation of said data, except for those that it is necessary to keep for the fulfillment of a legal obligation (such as, for example, the data of subjects who have purchased services) or for the defense of a right in court and without prejudice to the unusability of such data for any other purpose.

ORDERS

pursuant to art. 58, par. 2, lit. i), of the Regulations, to the sole proprietorship Flowers R of Malalan Mitja, in the person of its legal representative, to pay the sum of 5,000.00 (five thousand) euros as an administrative fine for the violations indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed.

ENJOINS

the aforementioned sole proprietorship, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 5,000.00 (five thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive deeds pursuant to art. 27 of the law n. 689/1981;

PROVIDES FOR

a) pursuant to art. 166, paragraph 7, of the Code, the full publication of this provision on the Guarantor's website;

b) pursuant to art. 17 of the Regulation of the Guarantor n. 1/2019, provides for the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation, of the violations and of the measures adopted.

Please note that, pursuant to art. 170 of the Code, anyone who fails to comply with this provision prohibiting processing is punished with imprisonment from three months to two years and, in the event of non-compliance with the same provision, the sanction referred to in art. 83, par. 5, letter e) of the Regulation.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal lodged with the ordinary court of the place where the owner of the processing of personal data has his residence, or, alternatively, with the court of the place of residence of the interested party, within the term of thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, March 2, 2023

PRESIDENT
Stanzione

THE SPEAKER
Stanzione

THE DEPUTY SECRETARY GENERAL
Filippi



(1) During the operations carried out on 12 April 2022, at the request of the tax inspectors and in their presence, Mitja accessed his own reserved area of the Revenue Agency - "Considerations and invoices" where twenty-one invoices were recorded in 2021 and three in 2022, with the last invoice dated April 6, 2022.

[doc. web no. 9880317]

Injunction order - March 2, 2023

Register of measures
no. 60 of 2 March 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and dr. Claudio Filippi, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Personal Data Protection Code (Legislative Decree June 30, 2003, No. 196), as amended by Legislative Decree August 10, 2018, No. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER Prof. Pasquale Stanzione;

WHEREAS

1. THE INVESTIGATION ACTIVITY CARRIED OUT

During 2021, the Guarantor received several complaints from Mr. XX, who complained of receiving unsolicited e-mails containing promotional communications from various subjects. From the investigations conducted, and on the basis of what was subsequently integrated by the complainant, it emerged that these subjects had appointed a third party who was not immediately identifiable to carry out e-mail marketing campaigns.

In fact, from the documentation acquired in the deeds it emerged that the offers of e-mail marketing services to said clients were formulated by this "Flowers R - Digitech Group" and signed, or in any case promoted, by a person who signed himself as "Claudio Alfieri ” reporting non-existent tax data. In some cases, during the investigation, a copy of a release was also produced to the Office, signed by the self-styled Claudio Alfieri as "resp. Mailing department of the company Flowers R", with which the purchaser of the services was relieved of all "responsibilities relating to privacy and the gdpr for sending newsletters to all addresses present and sent in the list in question".

Furthermore, in the same period, a whistleblower, who had received a similar offer for the creation of promotional campaigns via e-mail, having doubts about the legitimacy of this conduct, proceeded to forward it to the Guarantor.

Once the initial investigations were carried out, the Office instructed the special privacy unit of the Guardia di Finanza to verify the identity of the person who presented himself as Claudio Alfieri/Flowers R - Digitech Group and to notify him of the request for information no. 10838 of February 17, 2022.

The Nucleus, having identified said subject in the sole proprietorship Flowers R of Malalan Mitja (hereinafter "Flowers" or "Mitja"), proceeded with the notification on April 12, 2022, acquiring at the same time the elements subject of the request.

From the statements made in the minutes by Mr. Mitja, integrated with a subsequent certified email dated 25 April 2022, it emerged first of all that the promotional activity was carried out by him in a completely autonomous way through a personal computer installed in his home in Croatia. On the basis of the invoices registered in the Revenue Agency system(1), it emerged that the provision of the service, and the related data processing, had been taking place for over a year.

With regard to the name under which the commercial offers were signed, Mr. Mitja declared that the name "Flowers R - Digitech Group" derives from the names of his previous commercial activities, now discontinued, with different corporate objects. The name "Claudio Alfieri", on the other hand, is a fantasy name, as well as the respective tax code, which Mitja would have chosen to present himself more easily to potential buyers of his services, believing that his real name was difficult to understand.

The same then added that he personally took care of the promotion of the direct mail service he offered, by sending a presentation email to the email addresses, found on the net, of subjects who could potentially be interested in his services.

On the other hand, with regard to the methods of collecting e-mail addresses to be used to convey promotional campaigns, Mitja declared that he had used software that randomly generates possible e-mail addresses, ensuring that he had stopped using them after starting the 'investigation. However, it should be noted that, in one of the feedback provided to the complainant XX (see email of 19 November 2021 sent to the complainant), Mitja had declared that he did not know exactly where his data had been acquired from but that he assumed that they could be contained in a database of addresses previously purchased online.

Finally, the same specified that at the bottom of the e-mails sent there was a link to object to the receipt of further messages; upon selecting this link, the corresponding e-mail address was inserted in a black list and, thus, excluded from subsequent promotional campaigns. In this regard, Mitja has provided a copy of this black list, consisting solely of a list of e-mail addresses (see attachment 3 to the e-mail dated April 25, 2022).

2. DISPUTING INFRINGEMENTS

The Office took steps to challenge the violations detected with the act of initiation of the procedure of 22 September 2022 prot.n. 50638/22, notified to Mitja through the special privacy unit on November 3, 2022.

Since the reasons expressed in the aforementioned deed are hereby fully referred to, Mitja was charged with violating articles 5, par. 1, lit. a), 6, para. 1, lit. a) of the Regulation and of the art. 130 of the Code, since the sending of promotional communications via e-mail was carried out without the consent of the interested parties.

3. LEGAL ASSESSMENTS

With reference to the factual profiles highlighted above, also on the basis of the statements made by Mr. Mitja during the investigation, for which the declarant is liable pursuant to art. 168 of the Code, taking into account that he did not avail himself of the possibility of presenting briefs or of being heard after notification of the dispute, the following legal assessments are formulated.

As also confirmed in the minutes, Mitja sent numerous promotional e-mails without having collected a suitable and prior consent from the recipients of the same. This applies both to the potential clients whom he declared to have contacted after finding the e-mail addresses on the Internet, and to the numerous subjects he has included in the promotional campaigns carried out on behalf of his clients and whose e-mail addresses , according to what was declared, would have been generated randomly.

In this regard, it must first be remembered that, pursuant to art. 6 of the Regulation, the processing is lawful only if carried out on the basis of a suitable legal basis. As specified by the art. 130 of the Code, the sending of promotional communications via e-mail to natural and legal persons is permitted only with the consent of the recipient. This consent, to be valid, must have been given in advance, freely and specifically after having received adequate information from the owner.

In this context, the random generation of e-mail addresses cannot therefore be considered lawful, nor can the fact that the owner guarantees (as indeed due) the right to object through inclusion in a black list be considered sufficient. Furthermore, the promotional communications sent to the complainant, in addition to the "unsubscribe" link, did not present any information attributable to Flowers and the contact details where the rights provided for by the Regulations could be exercised. In fact, Mr. XX learned of the treatment carried out by Flowers only after having consulted one of the subjects who had commissioned the promotional campaigns, but he was unable to obtain confirmation of Mr. Mitja's real identity and the origin of the data, not even after having made subsequent inquiries to own account and having initiated a direct dialogue with the individual who continued to introduce himself as Claudio Alfieri.

Therefore, the processing of personal data for marketing purposes, carried out with the use of personal data lists found on the Internet or generated randomly, was found to lack the requirements of lawfulness, correctness and transparency identified by art. 5 of the Regulation.

Furthermore, the conduct described gave rise to the sending of promotional messages without consent, pursuant to articles 6, par. 1, lit. a) of the Regulation and 130, paragraphs 1 and 2, of the Code, since Mitja himself has declared that he has never acquired prior consent.

For these reasons, pursuant to art. 58, par. 2, lit. f) of the Regulation, it is necessary to impose a ban on Malalan Mitja from processing the personal data entered in the database subject to the investigation; as a result of this prohibition, any processing of such data being unlawful, including storage, it is deemed necessary, pursuant to art. 58, par. 2, lit. d) of the Regulations, order Malalan Mitja to proceed without delay to the cancellation of said data, except for those that it is necessary to keep for the fulfillment of a legal obligation (such as, for example, the data of subjects who have purchased services) or for the defense of a right in court and without prejudice to the unusability of such data for any other purpose.

Furthermore, in consideration of the illegality of the conduct, interrupted only after the intervention of the Guarantor, it is believed that the conditions are met for the application of a pecuniary administrative sanction pursuant to art. 58, par. 2, lit. i) of the Regulation.

4. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

On the basis of the above, various provisions of the Regulation and of the Code are violated in relation to connected treatments carried out by Malalan Mitja, for which it is necessary to apply the art. 83, par. 3, of the Regulation, on the basis of which, if, in relation to the same treatment or related treatments, a data controller violates, with willful misconduct or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation with consequent application of the sole sanction provided for by art. 83, par. 5, of the Regulation.

For the purpose of quantifying the administrative fine, the aforementioned art. 83, par. 5, in setting the statutory maximum in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the previous year where higher, specifies the methods for quantifying the aforementioned fine, which must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1, of the Regulation), identifying, for this purpose, a series of elements, listed in par. 2, to be evaluated when quantifying the relative amount.

In fulfillment of this provision, assuming, on the basis of the available economic information (i.e. exclusively the invoices issued for the sale of the email marketing service registered by the Revenue Agency), that the first hypothesis envisaged by the aforementioned art. 83, par. 5 applies, and therefore setting the applicable statutory maximum at 20 million euros, the following aggravating circumstances must be considered:

1. the wide scope of the processing, interrupted only following the intervention of the Guarantor, which involved thousands of data subjects and lasted for over a year (art. 83, paragraph 2, letter a), of the Regulation);

2. the seriousness of the violations detected, due to the fact that the data have been processed for promotional purposes, not only in the absence of consent, but in the total unawareness of the interested parties (Article 83, paragraph 2, letter a), of the Regulation);

3. the deliberate intent to disguise his identity, presenting himself to potential customers and to the complainant with false personal details, such that the infringement is considered to be of a malicious nature, also in consideration of the fact that, by offering potential customers an indemnity for any damages caused by the processing, Mitja has demonstrated that he has knowledge of the applicable regulatory framework and the possible consequences of a violation (Article 83, paragraph 2, letter b), of the Regulation);

4. the way in which the Supervisory Authority became aware of the violations, following some complaints and the consequent preliminary investigations initiated against the clients of the promotional campaigns (Article 83, paragraph 2, letter h), of the Regulation).

As mitigating elements, it is believed that the following can be taken into account:

1. the registration in the black list of the subjects who had expressed their opposition to the processing, which constitutes a measure, albeit minimal, to contain the potential damages for the interested parties (Article 83, paragraph 2, letter c) of the Regulation);

2. the absence of previous relevant violations committed by the data controller (Article 83, paragraph 2, letter e), of the Regulation);

3. the degree of cooperation in interaction with the Supervisory Authority (Article 83, paragraph 2, letter f), of the Regulation);

4. the nature of the data processed, consisting of common personal and contact data (Article 83, paragraph 2, letter g) of the Regulation).

With an overall view of the necessary balance between the rights of the interested parties and the freedom to do business, taking into account that the only economic data made available are those relating to the invoices attached to the report of 12 April 2022, in the process of first application of the pecuniary administrative sanctions envisaged by the Regulation, it is necessary to evaluate the aforementioned criteria prudently, also in order to limit the economic impact of the sanction against a natural person.

Therefore it is believed that - on the basis of all the elements indicated above - the administrative sanction of the payment of a sum of 5,000.00 (five thousand) euros equal to 0.025% of the maximum statutory sanction of 20 million euros should be applied to Malalan Mitja. The maximum statutory sanction is identified with reference to the provisions of art. 83, par. 5 of the Regulation, taking into account that 4% of Malalan Mitja's turnover, on the basis of the data registered with the Revenue Agency, is less than 20 million euros.

It should be noted that the conditions set out in art. 17 of the Regulation of the Guarantor n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation.

It is also believed - in consideration of the vast extent of the violations detected - that, pursuant to art. 166, paragraph 7, of the Code, and of the art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, it is necessary to proceed with the publication of this provision on the website of the Guarantor, by way of ancillary sanction.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

a) pursuant to art. 57, par. 1, lit. f), of the Regulation, declares unlawful the processing described in the terms set out in the justification, carried out by the sole proprietorship Flowers R of Malalan Mitja, with registered office in Trieste, XX, VAT no. XX;

b) pursuant to art. 58, par. 2, lit. f) imposes a ban on Flowers R di Malalan Mitja from processing the personal data entered in the database subject to the investigation;

c) as a result of this prohibition, pursuant to art. 58, par. 2, lit. d) of the Regulation, enjoins Flowers R of Malalan Mitja to proceed without delay with the cancellation of said data, except for those that it is necessary to keep for the fulfillment of a legal obligation (such as, for example, the data of subjects who have purchased services) or for the defense of a right in court and without prejudice to the unusability of such data for any other purpose.

ORDERS

pursuant to art. 58, par. 2, lit. i), of the Regulation, the sole proprietorship Flowers R of Malalan Mitja, in the person of its legal representative, to pay the sum of 5,000.00 (five thousand) euros as an administrative fine for the violations indicated in the justification; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed.

ENJOINS

the aforementioned sole proprietorship, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 5,000.00 (five thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive deeds pursuant to art. 27 of the law n. 689/1981;

PROVIDES FOR

a) pursuant to art. 166, paragraph 7, of the Code, the full publication of this provision on the Guarantor's website;

b) pursuant to art. 17 of the Regulation of the Guarantor n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation, of the violations and of the measures adopted.

Please note that, pursuant to art. 170 of the Code, anyone who fails to comply with this provision prohibiting processing is punished with imprisonment from three months to two years and, in the event of non-compliance with the same provision, the sanction referred to in art. 83, par. 5, lit. e) of the Regulation is applied.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal lodged with the ordinary court of the place where the data controller has his residence, or, alternatively, with the court of the place of residence of the interested party, within the term of thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, March 2, 2023

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE DEPUTY SECRETARY GENERAL
Filippi



(1) During the operations carried out on 12 April 2022, at the request of the tax inspectors and in their presence, Mitja accessed his own reserved area of the Revenue Agency - "Considerations and invoices" where twenty-one invoices were recorded in 2021 and three in 2022, with the last invoice dated April 6, 2022.