Garante per la protezione dei dati personali (Italy) - 9909907

Garante per la protezione dei dati personali - 9909907

Authority:	Garante per la protezione dei dati personali (Italy)
Jurisdiction:	Italy
Relevant Law:	Article 5 GDPR Article 12 GDPR Article 32 GDPR
Type:	Complaint
Outcome:	Upheld
Started:	28.07.2021
Decided:	08.06.2023
Published:
Fine:	300,000 EUR
Parties:	Rinascente
National Case Number/Name:	9909907
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Italian
Original Source:	Garante (in IT)
Initial Contributor:	Bernardo Armentano

The Italian DPA fined La Rinascente €300,000 for failing to ensure a secure processing of personal data, for not having carried out a DPIA before profiling its customers and for not adequately informing the data retention period.

English Summary

Facts

The data subject was a client of La Rinascente store, the controller, and had a loyalty card, the "Rinascentecard". In July 2021, she visited a store and had an argument with an employee. Later on that same day, she received an e-mail notifying her of the successful activation of a new loyalty card. The new card, that she never requested, had her personal details modified and her name was changed to "Donzella Svampita" (approximately, "Ditzy damsel"). Then, she contacted the Customer Service, which informed her that the Rinascentecard, activated years ago, had been canceled and replaced by the new one, with the new name indicated above. She felt offended and filed a complaint with the Italian DPA. The DPA first requested some information form the controller about the possible data breach. Later, it decided to further investigate the facts and carry out an on-site inspection.

In this inspection, the DPA identified other issues, namely: a) the lack of information regarding the transfer of personal data of website visitors to Facebook-Meta for advertising and profiling purposes; b) the lack of a DPIA performed prior to profiling activities; c) the lack of information regarding the storage period of personal data from clients registered in the loyalty program.

In its defense, the controller argued that as soon as it learned about the activation of the new card, it opened an investigation and find out that an employee acted in violation of the company's procedures and modified the name and surname of the data subject without authorization. According to the controller, there was no further processing of her personal data, nor any data loss. Moreover, the controller stated that the name of the data subject was corrected in its systems. On the other hand, when presenting its defense, the controller admitted that it had detected another personal data breach caused by a misalignment of its systems. In this second data breach, 5 customers erroneously received communications relating to the orders of 70 other users. However, the controller considered that this breach represented a low risk for the rights and freedoms of the data subjects and decided not to notify the DPA.

With regard to the lack of information about its marketing activities, the controller argued that it has a contract with Facebook, according to which, the latter is a processor for “Custom Audience CRM campaigns”, while for “Standard Campaigns” they act as joint controllers. It further clarified that these targeting campaigns are carried out either through prospecting (search for new users potentially interested in Rinascente products) or retargeting (contact of users who have already visited the Rinascente site). However, it claimed that the lists of data subjects registered in Rinascente's CRM are not used, but only the lists of Meta users. The controller also provided a copy of the Rinascentecard privacy policy, as well as the consent acquisition formula for marketing and/or profiling activities. It also informed that currently it shares 1,398.563 encrypted e-mail addresses with Meta for marketing purposes.

As for the lack of a DPIA, the controller stated that its a marketing activities were carried out on the basis of raw and unprocessed data, without any deductive or inferential analysis of behavior or identification of correlations with respect to general behavioral clusters. In its view, a DPIA was not required in this context.

Finally, the controller stated that personal data for marketing activities are kept for a maximum term of 7 years.

Holding

The DPA concluded that the data breach attributable to the employee should be archived as it was a result of their autonomous decision to violate the controller's instructions. However, it considered the controller was responsible for second data breach, which was admitted in its response. According to the DPA, the controller failed to implement sufficient organizational and technical measures to ensure an adequate level of confidentiality in this case. Therefore, it found a violation of Articles 5(1)(f) and 32(1)(b) and (d) GDPR.

With regard to the marketing activities, the DPA considered that the updated version of the privacy policy provided by the controller clarified the role of the latter in the campaigns. In particular, the DPA found that there was sufficient information about profiling cookies used for retargeting (including that of Facebook) in the new cookie policy and that valid consent was collected through the new cookie banner present on the controller's website. In addition, the DPA noted that users can access more detailed information on the individual cookies via the links available therein. As for the prospecting of new customers, the DPA stressed that information related to "Custom Audience CRM Campaigns" should be provided only by La Rinascente, as the exclusive controller of its customers' data. In this case, the DPA highlighted that Meta was not able to process the customers' personal data as they are subjected to a hashing procedure. Therefore, the DPA decided to archive the dispute in this regard.

On the other hand, the DPA stated that the controller carried out profiling activities because, as described in its memorandum, these activities consist of "assessing consumption habits and carrying out market analysis and research in order to improve its commercial offers and sending customers promotions and invitations suited to their preferences". The DPA recalled that if two or more of the criteria established by the EDPB Guidelines on DPIA are present, the controller must carry out the assessment. In the present case, the DPA noted the presence of two of these criteria, namely: the analysis of consumer behavior for profiling and the large-scale processing of personal data. Therefore, it held that the controller should have performed a DPIA, which did not occur. For this reason, the DPA found a violation of Article 35(1) GDPR.

Finally, as for the retention of data, the DPA emphasized that, pursuant to the principle of storage limitation, the period that personal data can be stored must be limited to the minimum necessary. In the case at hand, it considered the indistinct 7-year data retention term as excessive and incongruent. The DPA reinforced that, especially with regard to an intrusive processing of personal data, such as profiling, the retention period should be clearly determined. However, the information provided by the controller refers to the fulfillment of generic "legal obligations" and to indistinct series of "provisions of the Garante", references that inevitably force the user/customer to try to find these sources, which is a difficult task. While acknowledging that the controller has taken steps to improve this information, making explicit the retention period of 7 years, the DPA held that it was still necessary to establish and apply differentiated storage periods for product categories, distinguishing marketing processing activities from those for profiling purposes, as well as clarifying if after the term the data is deleted or anonymized. Therefore, the DPA found a violation of Article 5(1)(a), (b), (c), and (e) and Article 12(1) GDPR.

For the reasons above, the DPA imposed a fine of €300,000 on the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9909907]

Provision of 8 June 2023

Register of measures
no. 253 of 8 June 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000;

SPEAKER Prof. Geneva Cerrina Feroni;

WHEREAS

1. The notification received (fasc. n. 169175).

With a report dated 28 July 2021, Ms XX complained that, after an altercation with a Rinascente store employee on 24 July 2021, she received an e-mail on the same date in which she was communicated by the said Company the successful activation - never requested - of a new fidelity card, bearing its personal details modified with respect to the real ones, and in particular made out to "Donzella Svampita". The same interested party added that, by contacting Customer Service, she was informed that the Rinascentecard, activated years ago, had been canceled and replaced on 24.07.2021 by the new one, with the new personal details indicated above. In his opinion, therefore, he believed that an unsolicited access to the customer file had been made, to introduce the new heading - obviously offensive - and asked the Guarantor to evaluate what happened, in order, if necessary, to issue the measures referred to to art. 58 of the Regulation.

2. Preliminary investigation relating to the report and its results.

In the response provided on October 30, 2021 to the request for information sent by the Office on October 12, 2021 (here to be understood as fully referenced and reproduced), the Company represented that: -"as soon as it learned of what had occurred ..., it promptly provided acknowledgment, confirming that he had forwarded the communication received, for some checks..." and that, "given the peculiarity of the story represented, it took a few days to internally ascertain the facts and verify the necessary conditions to follow up on the request for reinstatement of the Rinascentecard … advanced by the interested party through her lawyer, full restoration which took place on August 5, 2021…”, as communicated to the interested party; - to have contacted the reporting agent's lawyer by telephone "in order to provide further confirmation of the activities undertaken by the Company itself to restore the situation quo ante and to confirm the full availability of all the personal data of his client..."; - “the event that occurred did not lead to any processing of personal data by Rinascente staff in a manner different from what was represented to the interested party in the information provided when activating the Card, with the exception of the act performed by the employee of the store in violation of the procedures and instructions given to it by the Company;" -"... this act has in any case involved a processing of data confined exclusively to the modification of the "name" and "surname" of the interested party without authorization from the same, without further treatments; …. that there has been no loss of Ms XX's personal data. In fact, with the support of the IT service, the situation prior to the event was fully restored without any consequences".

Furthermore, the Company represented that all workers, "at the time of hiring, are given the Rinascente company policy on the protection of personal data and specific instructions for the correct processing of data pursuant to art. 29 of the GDPR” and that both theoretical and practical training of the personnel is taken care of. According to La Rinascente: "In the light of the above, and the results of internal audits, ... the actions taken by the employee .... against Mrs. XX ... they totally deviate from the procedures adopted by Rinascente in relation to the management of the Cards as well as from the instructions that the Company itself provides to its employees ...", also highlighting that they have applied a disciplinary sanction to the worker in question.

3. Inspection assessment conducted by the Special Privacy Unit (fasc. n. 175437) with regard to processing for marketing and profiling purposes.

The Special Unit for Privacy and Technological Frauds, on the basis of the memorandum of understanding with the Guarantor, in the period between 30 November and 2 December 2021, conducted an inspection at the Company's headquarters. From the analysis of the inspection reports, the following critical points emerged.

Based on the examination of the information released (see in particular that relating to the fidelity card called "friendscard": see annex 9 to the said minutes), it was found that, in the event of consent to processing for marketing purposes (p 2, letter c) and analysis of consumer habits (p. 2, letter b), "the personal data related to the use of the Card are kept for the maximum period permitted by law and established by the provisions of the Guarantor for protection of personal data." (see also the report of 2 December 2021), without however indicating any reference necessary to make the interested parties understand how many and which time limits are applied by the Company, also in relation to the type of data and the purposes of the processing.

In the information produced by the Company (att.9, cit.), the processing activity carried out through Facebook-Meta is not indicated, also with regard to the forwarding of the email addresses of La Rinascente customers to the American company. Furthermore, the registration procedure at the stores was clarified (see annex 10 to the minutes), relating to the acquisition of a single expression of will both for the terms of service and for having read the information for the treatment . Similarly, as part of the e-commerce procedure on the corporate website - without prejudice to the request for separate consents for the user who has previously registered - for the unregistered user, the following wording emerged: "Proceeding with the purchase, I declare that I have read and accepted Rinascente's terms and conditions of sale and that I have read the privacy policy” (see annex 8).

Moreover, despite carrying out a wide-ranging profiling activity, it did not appear that La Rinascente had defined the impact assessment procedure, having in fact declared that the documentation of this procedure, at the date of the assessment, was still a draft, which required modifications and additions to then be submitted for approval by the administrative body (see report of 1 December 2021). Finally, it has been ascertained (minutes of 2 December 2021, cit.) that the personal data of the interested parties, even in the case of "generic" promotional campaigns, are kept for 7 years.

4. Preliminary supplement - request for information and documents dated 10 March 2022

In order to clarify some aspects and to acquire quantitative elements regarding the relevant treatments, the Office sent the Company a timely request. With a note dated March 30, to the attachments of which reference is made for further details, La Rinascente provided a reply, stating that:

a) "since 25 May 2018 ... has detected and recorded only one personal data breach which it was decided not to notify ... having considered it unlikely that said breach could present risks for the rights and freedoms of the data subjects". In particular, "during a production release of a technical development ..., due to a misalignment 5 e-commerce customers erroneously received communications relating to the orders of 70 users", specifying that she had intervened to immediately block the flow of emails and to notify recipient customers of the incident, inviting them to cancel the e-mails received.

b) as at 27 March 2022, 2,503,105 customers had requested the fidelity card at the stores; instead, those who requested the fidelity card on the company website were 327,830.

c) with "regarding the targeting activity carried out through Facebook", a) "... the current contractual arrangement of the services used for the "Custom Audience CRM Campaigns" ... offered by Meta Platforms Ireland Limited (hereinafter "Meta") provides a classification of the social media service provider, as responsible for the processing of personal data of which the Company remains the owner …. As regards, however, the additional targeting services …. as part of the … “Standard Campaigns” according to the current document structure, Meta and the Company act as joint data controllers... To date, the number of e-mail addresses shared, in encrypted form, with Meta … is equal to 1,398 .563”;

d) with particular regard to information and consent, the Company has produced a copy of the Rinascentecard information on the processing of personal data, updated to October 2021, as well as the consent acquisition formula for marketing and/or profiling activities, updated to 2022 (attachment 7), highlighting that "... will publish an update of the information ... including the most up-to-date classification of privacy roles related to targeting services via Facebook.";

e) with particular regard to the methods and number of promotional communications made in the last 2 years, via Facebook, the Company communicated that: "The campaigns from the Facebook "Business Manager" tool can be of two types: 1. Standard Campaign and 2. Custom Audience CRM. … It is possible to identify two types of targeting for these campaigns: - prospecting (= search for new users potentially interested in Rinascente products) and - retargeting (= contact on Meta properties - such as social network users - relating to users who have already visited the Rinascente site). In the case of a "prospecting" campaign, the latter will be aimed at audience segments potentially interested in the promoted products. … In the case of a retargeting campaign, it will be aimed at users who, for example, have already visited the Rinascente website, added products to their cart but have not yet made any purchases. In both hypotheses, lists of data subjects registered in Rinascente's CRM are not used, but lists of Meta users. The number of "Standard Campaigns" carried out and published on Facebook from January 2020 to March 2022 is equal to 157. Instead, with regard to the management of 'Custom Audience CRM Campaigns', and therefore with its own database, it makes use of a 'special agency, whose operators, in "uploading marketing campaigns to be published on Facebook ..., have only visibility of the presence of the audience segment to which the marketing campaign is intended or not ..."; the number of this different type of campaigns, from March 2021 (start date of this activity) to March 2022, is equal to 30;

f) with regard to data retention times, the Company represented "that the data provided for purposes related in general to marketing activities", since they concern "purchases relating to 'high-end' products and ... the average annual frequency of purchase ... is spaced out over time, are currently kept for a maximum term of 7 years, in line with previous provisions issued for similar cases by this Authority, this time frame having been considered congruous and proportionate both to the purposes ... and to the type of personal data object of treatment."

5. Overall results of the preliminary investigation and notification of the alleged violations pursuant to art. 166, paragraph 5, of the Code.

In this case, in the light of the results of the overall assessment carried out by the Special Privacy Unit and by the Office, the following was found.

The Authority, in particular, deemed configurable no. 2 cases of possible 'data breach' (the one concerning the reporting company XX and the misalignment admitted by the Company in the memorandum of 30 March 2022). In particular, in the first case the Company did not appear to have been able to "... ensure on a permanent basis ... the integrity" of the data of the whistleblower, "modified" in fact without any prior consent from the data subject; in the second case (where the data of e-commerce customers are unduly communicated to other customers), it does not appear to have guaranteed "a procedure for regularly testing, verifying and evaluating the effectiveness of the technical and organizational measures in order to guarantee the security of the treatment."

Therefore, the conditions for the violation of the principles of 'integrity' and 'confidentiality', pursuant to art. 5, par.1, lett. f), of the EU General Regulation n. 679/2016 (hereinafter: "Regulation") as well as the related art. 32, par. 1, letters b) and d), and par. 2, of the Regulation. Furthermore, with reference to the undesired modification of the data subject's personal details, moreover with an epithet not compatible with the right to identity and reputation, the violation of the principles of 'correctness' and 'lawfulness', sanctioned by the art. 5, par. 1, lit. a), of the Regulation, also through the violation of art. 1, legislative decree n. 196/2003 (hereinafter: “Code”), on the basis of which: “The processing of personal data takes place in accordance with the rules of the … «Regulations» and of this Code, with respect for human dignity, fundamental rights and freedoms of the person".

Furthermore, it did not appear that the Company had provided proof of having issued the disclosure relating to data processing to the reporting party - concerned at the time of activation of the original fidelity card (in November 2016). More generally, with regard to both the card activation procedure at the stores, as confirmed by the wording of the e-mail sent to the whistleblower (at the time -19 November 2016- of the original card activation), and the e-mail procedure -commerce (attachment 8 to the aforementioned minutes), a single manifestation of the data subject's will was acquired, with reference to both the contractual regulation and the acknowledgment of the information notice which involved multiple treatments for various purposes, including promotional ones carried out with varied methods, including automated ones ("mail, telephone or electronic communications, eg sms, email, etc.") and those of profiling. Although it was noted that the Company collected two specific and distinct consents, respectively for marketing and profiling purposes, the information fulfillment (in common with the contractual one), therefore, did not appear to be set up correctly and appropriately to guarantee the effective awareness of the interested party regarding the various numerous information elements, such as storage times, methods of promotional activity or the rights that can be exercised pursuant to the Regulation. The above therefore appeared to be in contrast with the principles of 'correctness' and 'transparency' (articles 5, paragraph 1, letter a, and 12, paragraph 1), as well as with art. 13 of the Regulation. Furthermore, as of 27 March 2022, this alleged violation concerned 2,503,105 customers who activated the fidelity card in the stores and 327,830 customers who proceeded to activate it through the company website.

With regard to the text of the disclosure (website; activation of Rinascente and Friendscard fidelity cards: see annex 9 to the aforementioned minutes), the indication "personal data related to the use of the Card are kept for the maximum period permitted by law and provided for by the provisions of the Guarantor for the protection of personal data." it turned out to be excessively generic and indeterminate, not allowing the interested parties a direct and easy awareness of such timing, also for the purpose of evaluating whether and which data to release or possibly whether to unsubscribe from the loyalty program.

The conditions for the violation of the principle of transparency have therefore been identified (articles 5, paragraph 1, letter a) and 12, paragraph 1, of the Regulation). Moreover, this was also in contrast with the Guidelines of the European Data Protection Board on transparency pursuant to the Regulation (wp260rev.01, in www.edpb.europa.eu) which, in line with the aforementioned legislation, expressly enhance the information fulfillment in terms of simplicity, clarity and immediate intelligibility, also taking into account the most vulnerable categories of interested parties, and in particular characterized by a lower capacity for discernment.

With respect to the fulfillment of information, the following additional possible critical profiles were found: in terms of incompleteness and overall unsuitability of the information, when activating the fidelity card, identified above, where there is no indication of the specific processing activities carried out jointly to Facebook-Meta, with particular reference to the 'Custom Audience CRM' campaigns aimed at 1,398,563 customers of La Rinascente; or also in terms of failure by the Company to issue its own information regarding the two types of campaigns (prospecting and retargeting).

For both profiles), from the above, therefore, the conditions have emerged for contesting the possible violation of art. 13 of the Regulation. In the light of the aforementioned information gaps, the possible violation of articles also emerged 6-7 of the Regulation, with limited regard to the management of (157) 'Standard Campaigns' aimed at non-customers, as La Rinascente has not acquired any specific consent either for marketing or for the underlying profiling.

With limited reference to the 'Custom Audience CRM Campaigns', since the appointment as data processor of the media agency does not appear in the documents, whose operators "access Business Manager to upload marketing campaigns to be published on Facebook on behalf of Rinascente", with "visibility of the presence of the audience segment to which the marketing campaign is to be targeted or not", the violation of art. 28 of the Regulation.

Furthermore, it emerged that the Company - while carrying out profiling activities - had not yet defined the impact assessment procedure, which must be carried out before the start of such invasive processing activity. Therefore, the conditions for the possible violation of art. 35, par. 1, and 3, lett. a), of the Regulation.

Finally, the retention time (7 years) of the "data provided for purposes related in general to marketing activities", was probable in contrast with the principles of 'purpose, minimization and limitation of retention', pursuant to art. . 5, par.1, lett. b), c), and e) of the Regulation. The aforementioned term, even assuming that it was identified by the Company in the exercise of its accountability, seemed in any case excessively extended. In fact, the analogous term used as a reference by company-brands belonging to the luxury sector (invoked, as a term of comparison, by the Company in its defense brief) was identified, moreover in a now dated time frame (2013), by this Authority following a specific request for prior checking and a complex investigation. Furthermore, as far as the records are concerned, it does not appear that the type of products offered for sale by La Rinascente can be considered to be comparable to that marketed by such other companies (such as: Bulgari, Ferragamo; see provision of 30 May 2013, web doc. no. .2547834).

On the basis of the foregoing, also taking into account the systematic nature of the relevant processing operations, the Company was notified, on 7 July 2022, of the alleged violation of the following provisions of the Regulation

- art. 5, par.1, lett. a), b), c), e) and f), also in relation to art. 1 of the Code;

- art. 6;

- art. 7;

- art. 12, par.1;

- art. 13;

- art. 28;

- art. 32, par.1, letters b) and d), and par.2;

- art. 35, par. 1, and 3, lett. to).

6. The Company's defense brief.

In a memorandum dated August 5, 2022, the Company opposed the alleged alleged violations, representing, for each one, the following:

6.1.Data Breach

With reference to the data breach relating to the data of the whistleblower (data breach n.1), the Company represented that: a) the store personnel access the Store Portal application from a tablet (provided by the Company) via personal and named user , based on an authentication procedure based on username (name.surname) and password (for which some enhanced security requirements are envisaged). Rinascente's policy states that the password must be changed every 90 days; 2. The Store Portal, which is used by store personnel, is designed to allow, inter alia, access to and management of Rinascentecards according to the procedures defined and the instructions given by Rinascente. Furthermore, b) shop staff may not, under any circumstances, download customer information; c) at the time of each access to the Store Portal, an informative pop-up is displayed, aimed at making the user aware of the confidentiality of the information accessed and highlighting the operating instructions; d) the conservation of the log files of the operations carried out by the staff, which made it possible to immediately trace the user who had carried out the related modification operations and, in this way, mitigate the consequences. La Rinascente then added that there was no disclosure of the data subject's personal data outside the limited circle of employees of the Company who necessarily had to manage the case in Rinascente (see in particular the IT Department which proceeded to restore of the data on the Rinascentecard of the interested party); and that a series of technical actions were immediately launched to remedy the incident, guaranteeing the full recovery of the customer's personal data.

With reference to the 2nd case of data breach (sending 70 orders to the e-mail addresses of 5 e-commerce customers), la Rinascente highlighted that: • it immediately managed the incident, implementing further process improvements and techniques referred to in the 'all. 1 of the reply of 30 March 2022 to avoid the recurrence of the same cases; • the incident involved a limited number of personal data, not included in the categories of particular data, "and in any case some basic data relating to a purchase, lacking information relating to the means of payment or susceptible to a greater degree of attention" ; • the incident involved a limited number of interested parties; • the human error that caused the accident was "unpredictable, and therefore not attributable to negligent or willful behavior by the Company". In addition, the Company, in proposing the possible technical cause, pointed out that it had adopted some technical measures to avoid the recurrence of the cases.

6.2. Information provided to the interested party

With reference to the information provided to the interested party, the Company represented that, "to further strengthen compliance with the information obligation towards the interested party, it should be noted that in June 2018, following the successful update of the privacy information on the basis of the GDPR, an information campaign was carried out for all interested parties, including Rinascentecard holders (including the reporting party), who were invited to read the new privacy information by accessing the Website; this disclosure contains “all the information elements required by art. 13 of the Regulation, reported in a clear and distinct way"; was “formulated in simple and clear language, and in a concise way to allow for a more immediate understanding of the related treatments in accordance with the requirements of art. 12, par. 1, of the GDPR"; is “easily accessible, as provided for by the same art. 12, as it is (already) available during the registration/activation phase".

6.3. The request for a single expression of will by contract and acknowledgment of the privacy policy

La Rinascente clarified that it merely requested a mere "acknowledgement" of the information on the processing of personal data (without any scope of approval or determination of will) without this implying any acceptance of the treatments listed in the information itself, such as marketing and profiling (also considering that consents to marketing and profiling are distinct and separate); moreover, the Rinascentecard disclosure is clearly separated, both graphically and conceptually, from the contractual regulation.

6.4. Description of the Company's promotional campaigns

The Company represented the performance - including some peculiarities with respect to what was described in the response dated 30 March 2022 - of the various types of promotional campaigns.

With reference to the "Custom Audience CRM Campaigns", sharing with Facebook takes place by accessing the Rinascente Facebook Business Manager account "by the Company's internal personnel who upload the list, excluding any access to, or processing of, said lists by the media agency that supports the Company in managing these campaigns; (c) the list of e-mail addresses is uploaded, after applying the hashing procedure in the context of the upload to the Business Manager Facebook account, which uses this information to match it with the information in its possession and to include or not that individual in the audience to which the campaign is targeted.” The Company has also provided a copy of the appointment as data controller of the agency in question (Annex 20).

La Rinascente highlighted that, with reference to the "Standard" Campaigns, unlike the first, there is no sharing of lists by the Company, the data is instead collected exclusively through tracking solutions:

a) for retargeting campaigns (aimed at recontacting those who have already visited the Site, but have not yet made any purchases and who are also users of the social network at the same time), the main relevant data collection tool is the Facebook pixel of retargeting, released on the Site and accepted through the cookie management mechanisms;

b) for prospecting campaigns (aimed at finding new users potentially interested in Rinascente products, to whom they can view the campaigns that Rinascente commissions from Meta, such as, for example, a campaign that intends to promote products for the home, for which Facebook identifies users interested in furniture and design) is Meta which, based on the account settings of its users which allow the use of their data for targeting purposes in third-party advertiser campaigns, identifies users attributable to the reference public, intended to view the contents of the Company's campaign.

6.5. The role of Meta in the management of promotional campaigns

The Company has specified the role of Meta in relation to the processing of e-mail addresses in hash format (the only data shared with Meta itself) of Rinascentecard holders for the creation of the audience for the various campaigns. The e-mail addresses are provided to Meta with the primary and sole purpose of defining the Facebook user base to which to address the specific Custom Audience CRM campaign, in line with the provisions of the contract (Conditions for Facebook Business tools, point 2. a.i.1). The activity is carried out solely in the interest of Rinascente, Meta being contractually prohibited from using the shared e-mail lists for purposes other than the combination necessary for defining the public to which to direct the advertisements requested by Rinascente, and Meta committing to delete the data at the end of the audience definition process. In this sense, therefore, in the opinion of the Company, Meta acts as data controller (in this sense, see conditions for Facebook Business tools, point 5.10).

With reference to prospecting and retargeting campaigns, according to la Rinascente, Meta should instead be considered, respectively, data controller, since it concerns data relating to its users and data controller (or joint controller), depending on whether it was the American company alone, on its own platform, or even La Rinascente, through its own cookie banner.

6.6. The fulfillment of the information obligation and the consent obligation with respect to the promotional campaigns attributable to La Rinascente spa.

With reference to the "Custom Audience CRM" campaigns, la Rinascente clarified that the information obligation in the context of digital campaigns is fulfilled by the same not only through the Rinascentecard Information, but also the Privacy Policy (see Annex 6 to Inspection reports). Both of the documents mentioned above contain, in the section "2. Purposes and legal basis of the processing of personal data", in the section entitled "Marketing", an explicit reference to the fact that Rinascente processes the data of the interested parties in order to send them, via the various channels listed in the text, promotional material. Among the channels listed there are also social ones, including Facebook. The user receiving such campaigns can therefore understand that he is a Facebook user and that his profile is set up to allow him to receive advertisements on the social network, including those of La Rinascente through Meta. The interested parties are thus informed, also with regard to the legal basis identified in the consent.

With reference to the retargeting campaigns, as represented by the Company, these are directed towards users who are not logged in as Rinascentecard customers, but who have navigated the Site as simple visitors, "Because they are based on the use of Facebook cookies, and as activities carried out on the Site, Rinascente relies on the Banner and Cookie Policy: the banner allows interested parties to accept or refuse profiling cookies, such as Facebook retargeting cookies, or other similar trackers. The same informs the visitor, among other things, about the use of profiling cookies, offering him various choices in relation to the installation or not of all or part of the cookies, and contains a link to the cookie policy" ( Attachment 16 to the brief). The Cookie Policy describes the different types of cookies used, both by Rinascente and by third parties (such as Facebook), and contains a specific section on profiling cookies which also expressly mentions the purposes of retargeting.

With reference to prospecting campaigns, la Rinascente - premising that they are aimed at subjects with whom it has no relationship - has highlighted that it considers itself exempt from the information and consent acquisition obligations. As mentioned, in fact, the campaigns are conducted by Meta on its user base, based on audience parameters that are selected by Rinascente for each campaign. Meta, on the basis of these parameters, therefore identifies among its users – whose privacy settings and preferences management allow the display of third-party advertisements on the Facebook platform – those to which to show Rinascente advertisements. “It is Meta's responsibility, therefore, to inform users, in the context of its services, about the processing that it may carry out for the purpose of displaying third party advertisements, such as Rinascente…. A Facebook user can know the identity of the advertisers for whom he displays advertising messages and how he can manage the list (Annex 18 in memory)."

With reference to the aforementioned promotional campaigns, the Company therefore denied having integrated the disputed violations (disclosure and consent obligations: articles 6-7 and 13 of the Regulation, as well as the appointment of the data controller, pursuant to art. 28 of the Regulation).

6.7. The impact assessment pursuant to art. 35 of the Regulation.

As for the lack of an impact assessment carried out prior to the start of the profiling activities, la Rinascente objected that it would carry out a marketing activity on the basis of mere and simple parameters for extracting the recipients of the campaigns from its databases based exclusively on data raw and unprocessed, such as, for example, the geographical area of reference (province/region/city), gender and/or age range, and/or purchases made in Rinascente and/or on the basis of the interest expressly expressed by the interested party on the occasion of your registration with the Rinascentecard. This activity would not consist "in any (re)processing of the data in the context of a deductive or inferential analysis with respect to the behavioral parameters of the individual user, nor in the identification of correlations with respect to general behavioral clusters".

The Company has highlighted how "the treatments in question were conducted not only having correctly fulfilled the information obligations and collected a suitable consent, but also on the basis of an initial overall picture which (would have shown) a limited risk for the rights and freedom of the interested parties". In attaching a copy of the final impact assessment document, the Company highlighted that, in its opinion, there would be no conditions for the obligation to comply with this requirement, and therefore not even for the related sanction.

6.8. Conclusions formulated by La Rinascente SpA.

For the purpose of applying any administrative fine, La Rinascente asked the Authority to take into account the collaboration provided as well as the measures put in place, pointing out that it had recorded operating losses of over 30.6 million euros in the for the year 2020, almost 22 million euros in the year 2021 and 10 million euros expected at the end of the current year, as can be seen from the attached financial statements (Annex 24 to the memory). The Company, in the light of what exhibited in the brief, he requested the dismissal of the proceeding. Furthermore, highlighting the offender's interest in not suffering "disproportionate" negative effects, because they exceed those inherent in the publication of the provision itself, he requested the Authority not to apply the ancillary administrative sanction provided for by art. 166, paragraph 7, of the Code or, alternatively, the publication of any sanctions in anonymous form.

7. Juridical assessments.

With reference to the factual profiles highlighted above, also on the basis of the statements of the Company as well as the documentation produced by the same, which is liable pursuant to art. 168 of the Code, the following legal assessments are formulated.

7.1. Data breaches

Based on what is illustrated and documented by the Company, data breach no. 1 (relating to the whistleblower), despite the constant number of measures adopted, seems to be attributable to the carelessness of an employee who violated the instructions received as well as, more generally, a predefined protocol, and therefore can be archived. The data breach no. 2, however, for which the Company has declared that it has successively implemented several measures aimed at avoiding the repetition of the violation, it appears to imply an inadequate original level of measures such as to prevent the violation, therefore the dispute referred to in the art. 5, par.1, lett. f) and art. 32, par. 1, lit. b) and d), of the Regulation, "since the confidentiality of the data has not been ensured on a permanent basis.".

7.2. Information given to the whistleblower

With regard to the information provided to the interested party, in the light of the overall clarifications, and of the sending of the updated text in 2018, it can be said that the release to the interested party of the same has been proven. It is therefore deemed necessary to file the relative dispute (Article 13 of the Regulation).

7.3. Acquisition of a single expression of will both for the terms of service and for having read the information for the treatment

With reference to the information text related to the fidelity cards, from the clarifications provided by the Company, it therefore follows that there is not, to the detriment of the interested parties, an effective lack of awareness with respect to the treatments, their methods and the protections provided by the law; it emerges, with greater clarity, also that, to this single expression of will, no single consent to the various treatments indicated follows and, more fundamentally, that no reverberation this manifestation of will has on the existing treatments. Moreover, it has been clarified that there is no extension of the effects of the fidelity card registration form to further processing that is not pertinent to the management of the data of Rinascentecard holders. Therefore it is deemed necessary to file the relative dispute (articles 6-7 of the Regulation).

7.4. Information and consent regarding promotional campaigns with the help of Facebook-Meta

Taking into account the elements in this regard, overall, provided by La Rinascente with reference to the various promotional campaigns carried out, the Company appears to have provided the requested clarifications. In particular, for the recipients of retargeting campaigns, the information is provided through the cookie policy and the consents acquired through the cookie banner present on the site, where -respectively- explicit reference is made to profiling cookies (including that of Facebook ) used for retargeting and a specific consent is acquired for these cookies. In addition to the information on the cookies available and on the Cookie Policy, the user can access more detailed information on the individual cookies via the links available in the profiling cookie table shown in the Cookie Policy. Furthermore, there is the Privacy Policy present on every page of the website and always containing a reference to the Cookie Policy (point 1.1 of the Privacy Policy). In this case, the information and consent obligations are fulfilled by Meta, and sometimes also by La Rinascente, so that, on the basis of an overall coherent design, Meta is, in the first case, the exclusive owner and instead, co-owner, in the second.

In relation to prospecting campaigns, these obligations -according to la Rinascente- are sharedly fulfilled directly by Meta, as the exclusive data controller, only the data of users of its social platform being highlighted. With regard to the "Custom Audience CRM Campaigns", the obligation is fulfilled only by La Rinascente, as the exclusive owner of its customers' data, without Meta being able to process the customers' personal data as they are subjected to a hashing procedure. Therefore the related dispute (articles 6-7, 12 and 13, of the Regulation) must be filed, except for what will be said below with respect to the suitability of the information, with specific reference to retention times (see par. 7.7 ).

7.5. Role of Facebook-Meta in promotional campaigns

As mentioned, the role in question, also in the light of the elements provided in the brief, was clarified by the Company. Furthermore, it appears that the Company has taken steps to update the "Standard" information, the Rinascentecard Information and the Privacy Policy, introducing - among other things - a new formulation, specifying the involvement, and the corresponding role, of Meta in marketing campaigns dealt with here (see Annexes to brief no. 13, 14 and 19).

Therefore, with reference to the aforementioned points 7.2; 7.3; 7.4; 7.5, in consideration of the elements provided by the Company and accepting the overall arguments, it is deemed necessary to file the related disputes (Articles 5; 6; 7; 12, par.1; Article 13; as well as Article 28 of the Regulation).

7.6. Lack of a prior impact assessment on fundamental rights and freedoms

The guidelines on data protection impact assessment and determination of the possibility that the processing "may present a high risk" for the purposes of Regulation (EU) 2016/679 of the Article 29 Working Party for Data Protection of the 4 April 2017, as last amended and adopted on 4 October 2017 and adopted by the European Data Protection Board on 25 May 2018 (hereinafter "WP 248, rev. 01"), have identified the following nine criteria to be followed into consideration for the purposes of identifying treatments that may present a "high risk": 1) evaluation or scoring, including profiling and forecasting, in particular in consideration of "aspects concerning professional performance, economic situation, health, personal preferences or interests, reliability or the behavior, location or movements of the interested party”; 2) automated decision-making that has legal effect or similarly significantly affects individuals; 3) systematic monitoring of data subjects; 4) sensitive data or data of a highly personal nature; 5) large-scale data processing; 6) matching or combining datasets; 7) data relating to vulnerable data subjects; 8) innovative use or application of new technological or organizational solutions; 9) when the processing itself "prevents the interested parties from exercising a right or making use of a service or contract". According to these Guidelines and according to this Authority, the occurrence of two or more of the aforementioned criteria is an indication of "processing that presents a high risk to the rights and freedoms of data subjects" and for which an impact assessment is therefore required on data protection (see WP 248, rev. 01, p. 11)

Well, in this case, the criteria indicated by the Board include both the profiling activity with assessment of the interests and preferences of the interested parties, and the large-scale processing (considering the high number of customers of the physical and online stores ), therefore, before starting the related treatments, the Company should have carried out this evaluation.

Moreover, the Company certainly carries out a profiling activity and not a simplified marketing activity, as it would seem to observe in the memory. In fact, pursuant to art. 4 of the Regulation, 'profiling' means "any form of automated processing of personal data consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning professional performance, the economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of that natural person”.

In fact, the activity described in one's memorandum must be considered profiling, also in consideration of the evaluation component, and this is what is indicated in letter b), paragraph 2, of the Rinascente Card Regulation: “b. Analysis of consumption habits To analyze your consumption habits and carry out market analysis and research in order to improve our commercial offer and send you promotions and invitations suited to you and your preferences. The legal basis of this treatment is your consent (collected when requesting the Charter and revocable at any time).”

To ascertain that the Company carries out actual profiling activities - without prejudice to what else is indicated above in the memorandum - the same, however, in the same deed, and with particular reference to cookies, states that "they collect demographic and/or information relating to pages visited, products viewed and purchases made as a result of advertising campaigns.".

It is therefore deemed necessary to confirm the alleged violation in the aforementioned terms (Article 35, paragraph 1, of the Regulation).

7.7. Data retention for marketing and profiling purposes

The issue of data retention is highlighted in two ways. From an initial point of view, first of all we must consider the excess and incongruity of the indistinct 7-year term envisaged by the Company with respect to the many advertised brands (more than 800, according to what can be viewed on the website www.rinascente.it, as of 19 December 2022), not all of the "high-end". Moreover, it does not appear to help the Company's defense to recall some previous provisions of the Guarantor (provision n. 227/2017 [web doc. n. 6495144]; provision 304/2017 [web doc. n. 6844421]; provision . n. 296/2018 [web doc. n. 8998339]), cited by the same in her brief, because they refer to companies characterized solely by a luxury brand and were hesitated by specific investigations on the issue of storage times, on the basis of the activation of the repealed institute of prior checking (art. 17 of the previous Code). They therefore fall outside the full application of the European Regulation which intended to enhance and implement rights, principles and guarantees to protect the right to data protection and the related principles of purpose and limitation of conservation (in addition to Article 5, see recital 39 of the Regulation, according to which: "the retention period of personal data (must be) limited to the minimum necessary; (e) personal data should be processed only if the purpose of the processing is not reasonably achievable with other means".

Furthermore, to aggravate the aforementioned criticality, the high mass of interested parties must be considered as subscribers of fidelity cards or mere users of the site who have accepted the marketing and profiling cookies as well as the high mass of data, however detailed, collected.

Furthermore, from a second point of view, the issue of conservation also comes into relief with respect to the failure to indicate this term in the information provided by the Company in relation to the website www.rinascente.it, since these treatments (marketing and profiling) are rather invasive for the sphere of interested parties. A term that all the more must be made explicit, or at least rendered with clear and precise reference criteria - differently from those indicated in the Rinascente disclosure (issued in physical stores and on the company website) and from those available online (cookie policy) - i.e. : the fulfillment of generic "legal obligations" and the category of the indistinct series of "provisions of the Guarantor". References that inevitably force the user/customer to try to find these sources, with difficult searches, especially considering the rapid commercial practice of subscribing to loyalty cards (necessary for access to prizes, discounts and other advantages). This criticality is all the more evident with respect to interested parties who are just of age or elderly, who, although not the priority target of La Rinascente, inevitably enter into a relationship with it, especially in the context of the online platform or in the physical dimension of the stores.

While acknowledging that the Company (see memorandum of 5 August 2022) has taken steps to modify its information, making explicit the duration of 7 years and declining the retention times more in relation to the type of data, it is still necessary to confirm the relative violations as specified in the complaint dated 7 July 2022 (article 5, paragraph 1, lett. a), b), c), and e), as well as 12, paragraph 1, of the Regulation) and order the Company to establish and apply differentiated storage times for product categories, distinguishing between marketing treatments and those relating to profiling and deleting or anonymizing data that is stored beyond the established terms.

7.8. On the request for non-publication of the decision or its "anonymization".

With reference to the request with which the Company, in relation to a possible provision adopted against it, requested, in the event of publication, the obscuring of its identification data, it is preliminarily noted that the Authority is subject to precise regulatory constraints which require the publication of measures having external relevance.

These constraints, which reside in the art. 154-bis, paragraph 3, of the Code, in art. 24 of the "Regulation on publicity and transparency obligations relating to the organization and activity of the Guarantor for the protection of personal data - 1 August 2013" (in www.garanteprivacy.it, web doc. n. 2573442) and in art. . 37 of the Regulation of the Guarantor n. 1/2019 (in www.garanteprivacy.it, web doc. n. 9107633), can be waived mainly for reasons of safeguarding the protection of personal data (which in our legal system is recognized only to natural persons) or at the request of the subject who gave impetus to the proceeding and the related measure.

The additional derogatory conditions, expressed in the aforementioned regulations, do not appear attributable to the cases represented by the Company and, in this regard, it must also be highlighted that the publication of the order-injunction has the nature of an accessory sanction, based on the provisions of art. 166, paragraph 7, of the Code and therefore is strictly related to the assessment that the Guarantor carries out on the particularity and/or seriousness of any main sanction.

8. Conclusions.

In view of the above as a whole, the responsibility of la Rinascente spa is deemed to have been established for the following violations of the Regulations:

- art. 5, par.1, lett. a), b), c), e), f);

- art. 12, par.1;

- art. 32, par.1, lett. b) and lett. d);

- art. 35, par. 1.

Once the unlawfulness of the Company's conduct described above has been ascertained, it is necessary:

- order the same, pursuant to art. 58, par. 2, lit. d) of the Regulation to establish and apply differentiated storage times for product categories, distinguishing between marketing treatments and those relating to profiling and deleting or anonymizing data that are stored beyond the established terms.

- with regard to treatments already carried out and with dissuasive purposes, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to articles 58, par. 2, lit. i) and 83, par. 4 and 5, of the Regulation.

9. Injunction order for the application of the pecuniary administrative sanction

The violations confirmed above require the adoption of an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of the law n. 689/1981, for the application against La Rinascente spa of the pecuniary administrative sanction provided for by art. 83, para. 4 and 5, of the Regulation. However, as various provisions of the Regulation and of the Code have been infringed in relation to connected treatments carried out by the Company for marketing purposes, art. 83, par. 3, of the Regulation, according to which, "if, in relation to the same treatment or related treatments, a data controller violates, with willful misconduct or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed amount specified for the most serious violation”, thus absorbing the least serious violations. Specifically, the aforementioned violations - also having as their object the principle of 'limitation' of conservation (art. 5 of the Regulation) - are to be traced back, pursuant to art. 83, par. 3, of the same Regulation, in the context of the most serious violation, with consequent application of the sanction provided for in art. 83, par. 5, of the Regulation.

To determine the amount of the sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, paragraph 1), it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation.

What circumstances to take into consideration in the present case must be considered, in terms of aggravating circumstances:

1) the high number of subjects involved in the disputed processing (letter a);

2) the duration of the violations, with particular reference to that relating to retention times (letter a);

3) the broad territorial scope of the violations (letter a);

4) the overall assessment of the Company's economic capacity, taking into consideration the latest available corporate turnover (relating to the tax period of 2021) (letter k).

As mitigating elements, it is considered necessary to take into account:

1) the absence of previous proceedings initiated against the Company (letter e);

2) the timely adoption of corrective measures, some of which started immediately after the conclusion of the inspections (letter f);

3) The serious socio-economic crisis underway and its effects also on the economic-financial situation of the Company (letter k).

Based on the set of elements indicated above, in application of the aforementioned principles of effectiveness, proportionality and dissuasiveness pursuant to art. 83, par. 1 of the Regulation, also taking into account the necessary balance between the rights of the interested parties and the freedom to do business, also in order to limit the economic impact of the sanction on the organisational, functional and employment needs of the Company, it is believed that it should apply to La Rinascente – taking into consideration analogous cases, such as the provision 20 October 2022, doc. web no. 9825667 - the administrative fine of the payment of a sum of 300,000 euros (three hundred thousand/00), equal to approximately 1.65% of the maximum statutory fine (18,129,491 euros) as well as approximately 0.066 of the last available turnover (euro 453.237.299, as at December 31, 2021).

In the case in question, it is believed that the ancillary sanction of publication on the Guarantor's website of this provision should also be applied, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019, taking into account the delicacy of the subject matter of the investigation (data retention for marketing and profiling purposes; impact assessment obligation for invasive and large-scale treatments) as well as the need for non-discrimination with respect to similar cases (see provision 20 October, cit.).

Finally, the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation.

ALL THAT BEING CONSIDERED, THE GUARANTOR

a) pursuant to art. 57, par. 1, lit. f), of the Regulation, declares the processing carried out by the company La Rinascente S.p.A., with registered and administrative office in Milan, via Giorgio Washington n. 70, tax code and VAT number 05034580968;

b) pursuant to art. 58, par. 2, lit. d), of the Regulation, orders the establishment and application of differentiated storage times for product categories, distinguishing between marketing treatments and those relating to profiling and deleting, or anonymizing, the data that are stored beyond the established terms;

c) pursuant to art. 157 of the Code, enjoins the Company to notify the Authority, within 30 days of notification of this provision, of the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the administrative fine provided for by art. 83, paragraph 5, of the Regulation;

ORDER

pursuant to art. 58, par. 2, lit. i), of the Regulations, to La Rinascente S.p.A., in the person of its legal representative, to pay the sum of Euro 300,000 (three hundred thousand/00), by way of administrative fine for the violations indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOYS

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 300,000.00 (three hundred thousand/00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to the 'art. 27 of the law n. 689/1981;

HAS

as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and of the art. 16 of the Regulation of the Guarantor n. 1/2019, the publication on the Guarantor's website of this provision and, pursuant to art. 17 of the Regulation of the Guarantor n. 1/2019, the annotation in the internal register of the Authority, provided for by art. 57, par. 1, lit. u) of the Regulation, of the violations and of the measures adopted.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal lodged with the ordinary court of the place where the owner of the processing of personal data has his residence, or, alternatively, with the court of the place of residence of the interested party. , within the term of thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 8 June 2023

PRESIDENT
station

THE SPEAKER
Cerrina Feroni

THE SECRETARY GENERAL
Matthew