Garante per la protezione dei dati personali (Italy) - 9925674

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(a) GDPR
Article 7 GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 15 GDPR
Article 17 GDPR
Article 21(2) GDPR
Article 24 GDPR
Article 25 GDPR
Article 58 GDPR
Article 83 GDPR
Article 157 Codice Privacy
Type: Complaint
Outcome: Upheld
Started:
Decided: 18.07.2023
Published:
Fine: 5,000 EUR
Parties: Maximum International Corp. S.r.l.
National Case Number/Name: 9925674
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: ar

The Italian DPA fined a company €5,000 for failing to comply with its obligation to facilitate the exercise of the complainant's rights and to comply, without delay, with the relevant requests. It further found that, to submit a complaint through the company's online form, users had to consent to processing for marketing and profiling purposes.

English Summary

Facts

On 9 January 2023, the complainant lodged a complaint with the Italian DPA about promotional calls received over the years on behalf of Maximum International Corp. S.r.l. (the company) without specific marketing consent, and even after objecting during the unsolicited contacts.

In response to the DPA’s request for information of 19 January 2023 pursuant to Article 157 of the Italian Privacy Code, the data controller, in a communication dated 16 February 2023, stated that it did not sell directly to private individuals and that it made use, for the performance of the promotional activity, of independent concessionary agencies, each with its own legal nature. Therefore, it could not answer as to the commercial organisation of each of them.

On 7 April 2023, the complainant complained about receiving another unsolicited promotional telephone call on behalf of the company.

Hence, on 19 April 2023, the company was informed that proceedings had been opened concerning the above and concerning its processing of personal data collected through its website without an appropriate legal basis. In this regard, the DPA found that, to request online assistance, it was mandatory to consent to the processing of personal data for direct marketing and profiling purposes.

Holding

The company claimed that it was not the data controller, as it did not hold the complainant's personal data, the number used for marketing purposes was not ‘owned’ by it, and it could not exercise a directive and sanctioning power over companies operating privately to sell its products. The DPA rejected this argument.

The DPA stated that the company must be held responsible for the processing operations in question and liable for the personal data protection violations. Indeed, there was no doubt that the phone calls received by the complainant were made in the name of and in the interest of the company, to the point of making the complainant believe that the company was contacting them directly. Moreover, the third-party companies were linked to the company by a commercial relationship, which did not relieve the company of liability for the processing of personal data. Hence, because the company was unable to effectively control the chain of partners carrying out promotional activities for its benefit, not even after the DPA's request for information or the commencement of the proceedings, the DPA confirmed the violation of Article 5(2) GDPR, Article 24 GDPR and Article 25 GDPR.

Additionally, the phone calls continued even after the complainant objected to receiving them. The company therefore did not act promptly and consistently with the data controller's obligation to facilitate the exercise of the rights of the data subject and to comply, without delay, with the relevant requests, including the right to object. This constituted a breach of Article 12(2) GDPR and Article 12(3) GDPR, as well as Article 15 GDPR, Article 17 GDPR and Article 21(2) GDPR. The calls carried out after the complainant's objection also lacked the legal basis of consent, leading to a violation of Article 6(1)(a) GDPR and Article 7 GDPR.

Concerning the company's website, the company stated that it collected personal data through an online form to respond to reports and complaints relating to technical and functional problems. However, an e-mail from the company’s DPO revealed that the personal data collected through the website were also processed for promotional purposes, subject to the consent of the data subjects. Yet consent to marketing and profiling was a necessary condition for proceeding with the request for assistance through the online form, inevitably affecting the free will of the data subjects. This breached Article 5(1)(a) GDPR, Article 6(1)(a) GDPR and Article 7 GDPR and, because of the incorrect approach to the processing operations, also Article 25(1) GDPR.

Hence, under Article 58(2)(d) GDPR, the Italian DPA ordered the data controller to delete the data without delay and, if the company intended to continue these processing activities, to put in place all measures necessary to ensure that they comply with the provisions on the protection of personal data. It also fined the company €5,000 under Article 58(2)(i) GDPR, Article 83(4) GDPR and Article 83(5) GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9925674]

Provision of 18 July 2023

Register of measures
n. 323 of 18 July 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the councilor Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter the "Code");

HAVING SEEN the documentation on file;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000;

SPEAKER Prof. Ginevra Cerrina Feroni;

PREMISE

1. THE INVESTIGATORY ACTIVITY

With the complaint dated 9 January 2023, presented to this Authority pursuant to art. 77 of the Regulation, Ms. XX complained about receiving, "over the years", and most recently on 1 December 2022, promotional calls on behalf of Maximum International Corp. S.r.l. (hereinafter also «Maximum» or «Company») in the absence of specific consent to marketing and even after the opposition expressed during unwanted contacts. Furthermore, the complainant represented that she had not obtained a response to the request to exercise the rights of access and deletion of personal data (referred to in articles 15 and 17 of the Regulation) made on 2 December 2022.

In response to the request for information of 19 January 2023, formulated by the Authority pursuant to art. 157 of the Code (prot. no. 08991/23), the Company, with communication dated 16 February 2023, declared that it does not "sell directly to private individuals" and that, to carry out promotional activities, it uses "independent licensed agencies, each with its own legal nature", therefore not being able to "answer regarding the commercial organization of each of them".

On 7 April 2023, the complainant complained about receiving a further unwanted promotional phone call on behalf of the Company.

2. DISPUTE OF VIOLATIONS

With a note dated 19 April 2023 (protocol no. 65417/23), the Company was informed of the start of the procedure, pursuant to art. 166, paragraph 5, of the Code, for the adoption of any measures referred to in art. 58, par. 2, of the Regulation, recognizing, first of all, Maximum's role as data controller, with consequent attribution of responsibility for the alleged violations of the following provisions of the Regulation:

2.1. articles 5, par. 2, 24 and 25 of the Regulation for not having adopted adequate organizational measures aimed at keeping track of processing activities within the supply chain and proving compliance with the rules;

2.2. articles 12, par. 2 and 3, 15, 17 and 21, par. 2, of the Regulation for not having responded to the request to exercise the rights formulated by the interested party and for not having promptly registered the relevant opposition;

2.3. articles 6, par. 1, letter. a), 7 of the Regulation and art. 130 of the Code, for having made promotional telephone calls without the informed consent of the interested party;

2.4. articles 5, par. 1, letter. a), 6, par. 1, letter. a) and 7 of the Regulation for having processed personal data collected through the website (https://www.maximumsrl.com/) in the absence of an appropriate legal basis; in this regard, in fact, the Authority has had the opportunity to note that the procedure for finalizing the request for online assistance/consultancy through the data collection form found at the link https://www.maximumsrl.com/contatti is conditional on the acquisition of consent to the processing of personal data for direct marketing and profiling purposes. In other words, the user is precluded from accessing the assistance/consultancy services offered by the Company without first having necessarily accepted the processing of data for the various marketing and profiling purposes, thus determining a coercion of the will of the interested party;

2.5. art. 25, par. 1, of the Regulation due to the inadequate setting of the processing due to the mismatch between the activities described in the privacy information (sending of newsletters) and the consents to be acquired (in this case not requested by the Company). In particular, while envisaging the use of the data acquired during registration on the website (https://www.maximumsrl.com/) for the sending of newsletters (as emerges from the privacy information available at the link https://www.iubenda.com/privacy-policy/86441273), a specific consent for this purpose was not found, nor was the legal basis that would justify its pursuit clarified, generating reasonable doubt as to what the actual treatments carried out by Maximum are and what means were used to this end.

3. DEFENSIVE OBSERVATIONS AND EVALUATIONS OF THE AUTHORITY

3.1. Defensive memorandum

The Company, in exercising its right of defence, sent a memorandum dated 18 May 2023 in which it requested the dismissal of the proceedings initiated against it as it was unrelated to the conduct complained of.

In particular, it reiterated that it did not hold the complainant's personal data, nor, therefore, that it had contacted her for marketing purposes. Furthermore, the calling number used for this purpose was not found to be "owned" by the Company which "has no intermediaries authorized to call on behalf of Maximum". In this regard, it specified that "many Call Centers improperly use [...] the Maximum brand" and then sell different products.

The Company operates in the sale of its products exclusively to "completely independent" private companies [...] with a collection of data and records to which [Maximum] is [...] extraneous". Therefore, the role of data controller cannot be ascribed to the Company, nor, therefore, can it exercise "directive and sanctioning" power against companies that operate privately with the aim of selling Maximum products. The opposition expressed by the complainant was also erroneously advanced against the Company, as the latter was not responsible for the processing in question.

With reference to the website, the Company stated that it collects personal data via online forms exclusively to respond to reports and complaints relating to technical-functional problems of Maximum brand devices and not for commercial activities. In support of this, in the response to the Authority an excerpt from the email sent by Maximum's DPO (with the relevant copy attached) was reported on the Company's processing policy from which it emerges that the same "does not carry out any newsletter activity and that the data collected is promptly deleted for requests sent after 90 days". Finally, "an initial check shows 22 registry details from the last 90 days from the website www.maximumsrl.con to be of a welfare nature".

3.2. Legal assessments

With reference to the factual profiles highlighted above, also based on the Company's statements, for which the declarant is responsible pursuant to art. 168 of the Code, the following legal assessments are formulated.

3.2.1. On ownership and accountability

First of all, the ownership of the processing in question and, consequently, the responsibility for violations regarding the protection of personal data must be attributed to Maximum. While claiming no involvement in the treatment complained of, there is no doubt that the telephone calls received by the complainant were made in the name and in the interests of the Company, to the point of giving rise to the interested party's belief that she had been contacted directly by Maximum. In fact, the complainant initially turned to the Company on the basis of this legitimate expectation, thus excluding any charges of liability to other parties (see, in this regard, provision dated 15 June 2011, web doc. no. 1821257).

The same third-party companies, linked by a commercial relationship with the Company, even if "independent" and "with their own legal nature", would fall within a single overall economic plan aimed at increasing the sale of Maximum products and services, therefore not relieving the latter of responsibilities related to the processing of personal data.

It cannot be ruled out that this sales activity, parallel and external to Maximum and apparently characterized by a certain systematic nature, may bring advantages to the latter in terms of brand promotion, with consequent activation of services or signing of new contracts. Furthermore, the use of calling numbers not attributable to the Company does not allow the described critical issues to be overcome since, as repeatedly stated by the Authority, telephone calls not coming from the company's official sales force, or for which it is not possible to identify the owner, could be carried out, as often happens, by disguising the sending user through the adoption of CLI masking techniques, such as telephone spoofing.

In light of the above, the Company, data controller, has acknowledged the lack of adequate technical and organizational measures, regulated by art. 24 of the Regulation, with particular regard to the inability to effectively control the supply chain of partners who carry out promotional activities to its advantage. Furthermore, there are no initiatives or corrective actions in this sense on the part of the Company even after the request for information from the Office and not even after the initiation of the procedure, as the complainant complained of receiving further unwanted telephone calls, on a "weekly" basis, for the promotion of Maximum services (as reported in a note dated 26 June 2023). Nor, from the context represented, is there evidence of the adoption of suitable and decisive concrete initiatives against any abusive subjects who would fuel the illicit market through the undue use of the Maximum name (reports to the competent authorities, or the adoption of technical measures and organizational ones worthy of appreciation).

It is therefore believed that it is necessary to confirm the violation of articles 5, par. 2, 24 and 25 of the Regulation, which frame the owner's skills with a view to the necessary valorisation of the principle of responsibility (accountability) aimed at proving compliance with the rules on the protection of personal data.

3.2.2. On the exercise of rights

As described in point 1 of this provision, the promotional phone calls in the interest of Maximum continued even after the opposition expressed by the complainant during the complained contacts. Therefore, not only does the Company appear to have failed to register this opposition in a timely manner but it does not even appear to have responded to the request to exercise the rights referred to in articles 15 and 17 of the Regulation within the terms established by art. 12, par. 3, of the same. The Company responded, albeit evasively, only after being requested to do so by the Authority with the request for information dated 19 January 2023 and, with the memo dated 18 May 2023, considered that the complainant's opposition had been wrongly made against it without considering itself responsible for the contacts complained of.

What emerges, therefore, is conduct that is not consistent with the owner's obligation to facilitate, with appropriate measures, the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without delay, the relevant requests, including the right of opposition which can be advanced "at any time" (see provision no. 431 of 15 December 2022, web doc. no. 9856345), constituting a violation of art. 12, par. 2 and 3, as well as articles 15, 17 and 21, par. 2, of the Regulation.

3.2.3. On consent

The complainant declared that she had never given her consent to receive promotional communications from the Company and that she had requested the deletion of her personal data several times (including during the phone calls complained of as described above). In this regard, it should be highlighted that dissent or opposition to further processing expressed during the unwanted phone call always prevails over any consent originally expressed.

However, it is clear that the phone calls made following the complainant's refusal were found to lack the legal basis of consent, nor did the Company ever mention the presence of an original consent that authorized at least the first promotional call.

Therefore, since the acquisition of suitable consent from the interested party to receive promotional telephone calls has not been proven, it is deemed necessary to confirm the violation of articles 6, par. 1, letter. a) and 7 of the Regulation and art. 130 of the Code.

3.2.4. On the processing of personal data via online forms in the absence of a suitable legal basis

The circumstance represented by the Company of not processing personal data collected through online forms for commercial purposes is not confirmed by the email that Maximum's DPO sent in support of the defense arguments. In the brief in question, the Company has omitted some information reported in the aforementioned email (a copy of which, however, has been attached) which would reveal a different picture than that outlined by Maximum. In fact, it is noted that the "22 records of the last 90 days from the site www.maximumsrl.com [have] a welfare and promotional nature" and that they are used "only in the case of contacts that have explicitly given specific [...] consent for marketing purposes". Furthermore, "the company has adopted measures to centralize consents for marketing purposes, from contacts coming from the official website [...] in order to ensure the validity of consents and guarantee that all marketing activities comply with privacy legislation".

It follows that the personal data collected via the website were also processed for promotional purposes, as confirmed in the aforementioned email, subject to the consent of the interested parties. However, the acquisition of consent to marketing and profiling was found to be obligatory and a necessary condition to proceed with the request for assistance/consultancy via online forms, inevitably invalidating the free will of the interested parties.

Therefore, emerging from the above findings the absence of suitable consent, not only in relation to the case referred to in the complaint but in the overall processing carried out by Maximum, it is deemed necessary to confirm the violation of articles 5, par. 1, letter. a), 6, par. 1, letter. a) and 7 of the Regulation.

Finally, the circumstance described by the Company of not carrying out "any newsletter activity" does not allow the critical issues referred to in point 2.5, to which full reference is made, to be overcome, confirming a disconnect between the formal plan (pursued purposes described in the privacy policy, including the sending of newsletters) and the factual plan of the processing (the concrete activities carried out by the Company). This denotes an incorrect and inadequate setting of the relevant processing, with the consequent violation of art. 25, par. 1, of the Regulation.

4. CONCLUSIONS

For the above, Maximum's responsibility for the following violations of the Regulation is deemed to be established:

- art. 5, par. 1, letter. a) and 2;

- art. 6;

- art. 7;

- art. 12, par. 2 and 3;

- art. 15;

- art. 17;

- art. 21, par. 2;

- art. 24;

- art. 25;

as well as the art. 130 of the Code. Having ascertained the illegality of the above-described conduct of the Company, it is necessary:

- pursuant to art. 58, par. 2, letter. f) of the Regulation, prohibit the processing of personal data collected via the website in the absence of suitable consent of the interested parties in the marketing and profiling activity, pursuant to articles 6, 7 and 12 of the Regulation, as well as 130 of the Code;

- pursuant to art. 58, par. 2, letter. d) of the Regulation, order Maximum to delete said data without delay, without prejudice to that which is necessary to keep for the fulfillment of a legal obligation or for the defense of a right in court as well as for any other purpose that does not require informed, free, specific, documented and unambiguous consent from the interested party;

- in the event that the Company intends to continue with the aforementioned processing activities, prescribe, pursuant to art. 58, par. 2, letter. d), of the Regulation, to implement all the necessary measures to ensure that they comply with the provisions on the protection of personal data, i.e., among others:

a) provide interested parties with suitable information pursuant to articles 12 and 13 of the Regulation, in relation to the individual processing of personal data;

b) identify a suitable legal basis for the processing in question which, at present, appears to be feasible in the acquisition of informed, free, specific, documented and unequivocal consent for each of the purposes concretely pursued (articles 6 and 7 of the Regulation);

c) implement all necessary organizational measures in order to facilitate the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without unjustified delay, the relevant requests, including the right of opposition that may be advanced "at any time" by the interested party (art. 21, par. 2, of the Regulation);

d) suitable procedures aimed at keeping track of processing activities within the supply chain and proving compliance with the rules on the protection of personal data, with particular reference to those applicable to the sending of commercial communications (articles 6, 7, 13, 14 of the Regulation and 130 of the Code);

- with regard to the processing already carried out, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to articles 58, par. 2, letter. i) and 83, pars. 4 and 5 of the Regulation.

5. ORDER INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION

The violations confirmed above require the adoption of an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Maximum of the pecuniary administrative sanction provided for by art. 83, par. 4 and 5 of the Regulation. However, since various provisions of the Regulation and the Code have been violated in relation to related processing carried out by the Company for marketing purposes, art. 83, par. 3, of the Regulation applies, according to which, "if, in relation to the same treatment or related treatments, a data controller violates, with intent or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation", thus absorbing the less serious violations. Specifically, the aforementioned violations - also having as their object the exercise of the rights of the interested parties - are to be traced back, pursuant to art. 83, par. 3, of the same Regulation, in the context of the most serious violation, with consequent application of the sanction provided for in art. 83, par. 5, of the Regulation.

To determine the amount of the sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1), it is necessary to take into account the elements indicated in the art. 83, par. 2, of the Regulation.

In the specific case, the following must be considered as aggravating circumstances:

1. the seriousness of the violations detected with particular reference to the inadequate management of the interested party's right to object, confirmed by the receipt by the latter of further numerous unwanted telephone calls for the promotion of Maximum services, even after the start of the proceedings by the Authority, and which are added to the contacts registered over the years by the complainant (art. 83, par. 2, letter a);

2. the subjective dimension of the conduct, to be considered seriously negligent, with particular reference to the inadequacy of control over the processing chain (art. 83, par. 2, letters b and d);

3. the discrepancy in the Company's conduct with respect to the consistent regulatory activity of the Guarantor in the field of telemarketing with particular reference to information and consent, data retention and management of ownership of processing (art. 83, par. 2, letter k).

As mitigating elements, it is believed that the following should be taken into account:

1. the nature of the data processed, of a common type (art. 83, par. 2, letter a, g);

2. the absence of previous proceedings initiated against the Company (art. 83, par. 2 letter e);

3. the degree of cooperation in interaction with the Supervisory Authority such as to facilitate the carrying out of investigation activities (art. 83, par. 2, letter f);

4. the overall assessment of the economic capacity of the Company, taking into consideration the latest available company turnover (art. 83, par. 2, letter k).

Based on all the elements indicated above, in application of the aforementioned principles of effectiveness, proportionality and dissuasiveness referred to in art. 83, par. 1 of the Regulation, also taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, also in order to limit the economic impact of the sanction on the organisational, functional and employment needs of the Company, it is believed that it should apply to Maximum - also taking into consideration other similar cases - the administrative sanction of the payment of a sum of 5,000.00 (five thousand/00) euros, equal to 0.025% of the statutory maximum.

In the case in question, it is believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, should also be applied, taking into account the matter under investigation, i.e. the phenomenon of unwanted marketing, with respect to which this Authority has adopted numerous provisions both of a general nature and directed at certain data controllers and on which the attention of the 'user.

Please remember that pursuant to art. 170 of the Code, anyone who, being obliged, does not comply with this provision prohibiting processing is punished with imprisonment from three months to two years and that, in case of non-compliance with the same provision, the sanction referred to in art. 83, par. 5, letter. e) of the Regulation is also applied.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, letter. u) of the Regulation.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, par. 1, letter. f), of the Regulation, declares unlawful, in the terms set out in the justification, the processing carried out by Maximum International Corp. S.r.l., with registered office in Contrada Zachia, 90038 Zachia (Palermo), VAT number 04434710820, and consequently:

a) pursuant to art. 58, par. 2, letter. f) of the Regulation, prohibits the processing of personal data collected via the website in the absence of suitable consent of the interested parties in the marketing and profiling activity, pursuant to articles 6, 7 and 12 of the Regulation, as well as 130 of the Code;

b) pursuant to art. 58, par. 2, letter. d) of the Regulation, orders Maximum International Corp. S.r.l. to proceed without delay with the deletion of said data, without prejudice to that which is necessary to retain for the fulfillment of a legal obligation or for the defense of a right in court as well as for any other purpose that does not require informed, free consent, specific, documented and unambiguous of the interested party;

c) in the event that the Company intends to continue with the aforementioned processing activities, prescribes, pursuant to art. 58, par. 2, letter. d) of the Regulation, to implement all the necessary measures so that they comply with the provisions on the protection of personal data, i.e., among others:

- provide interested parties with suitable information pursuant to articles 12 and 13 of the Regulation, in relation to the individual processing of personal data;

- identify a suitable legal basis for the processing in question which, at present, appears to be feasible in the acquisition of informed, free, specific, documented and unequivocal consent for each of the purposes concretely pursued (articles 6 and 7 of the Regulation);

- implement all necessary organizational measures in order to facilitate the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without unjustified delay, the relevant requests, including the right of opposition which can be advanced "at any time" by the interested party (art. 21, par. 2, of the Regulation);

- adopt suitable procedures aimed at keeping track of processing activities within the supply chain and proving compliance with the rules on the protection of personal data, with particular reference to those applicable to the sending of commercial communications (articles 6, 7, 13, 14 of the Regulation and 130 of the Code);

d) pursuant to art. 157 of the Code, orders the Company to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, paragraph 5, of the Regulation.

ORDER

pursuant to art. 58, par. 2, letter i), of the Regulation, to Maximum International Corp. S.r.l., in the person of its legal representative, to pay the sum of 5,000.00 (five thousand/00) euros, as a pecuniary administrative sanction for the violations indicated in the justification; the offender is informed that, pursuant to art. 166, paragraph 8, of the Code, it has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

to the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €5,000.00 (five thousand/00) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of law no. 689/1981;

PROVIDES FOR

as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, the publication of this provision on the Guarantor's website and, pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation of the violations and measures adopted in the internal register of the Authority provided for by art. 57, par. 1, letter u) of the Regulation.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller has its residence or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 18 July 2023

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE GENERAL SECRETARY
Mattei

[doc. web no. 9925674]

Provision of 18 July 2023

Register of measures
n. 323 of 18 July 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and lawyer Guido Scorza, members, and councilor Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter the "Code");

HAVING SEEN the documentation on file;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000;

RAPPORTEUR Prof. Ginevra Cerrina Feroni;

PREMISE

1. THE INVESTIGATORY ACTIVITY

With the complaint dated 9 January 2023, presented to this Authority pursuant to art. 77 of the Regulation, Ms. XX complained about receiving, "over the years", and most recently on 1 December 2022, promotional calls on behalf of Maximum International Corp. S.r.l. (hereinafter also «Maximum» or «Company») in the absence of specific consent to marketing and even after the opposition expressed during unwanted contacts. Furthermore, the complainant represented that she had not obtained a response to the request to exercise the rights of access and deletion of personal data (referred to in articles 15 and 17 of the Regulation) made on 2 December 2022.

In response to the request for information of 19 January 2023, formulated by the Authority pursuant to art. 157 of the Code (prot. no. 08991/23), the Company, with communication dated 16 February 2023, declared that it does not "sell directly to private individuals" and that, to carry out promotional activities, it uses "independent licensed agencies, each with its own legal nature", therefore not being able to "answer regarding the commercial organization of each of them".

On 7 April 2023, the complainant complained about receiving a further unwanted promotional phone call on behalf of the Company.

2. NOTIFICATION OF VIOLATIONS

With note dated 19 April 2023 (prot. n. 65417/23) the Company was notified of the start of the procedure, pursuant to art. 166, paragraph 5, of the Code, for the adoption of any measures referred to in art. 58, par. 2, of the Regulation, recognizing, first of all, Maximum's role as data controller, with consequent attribution of responsibility for the alleged violations of the following provisions of the Regulation:

2.1. articles 5, par. 2, 24 and 25 of the Regulation for not having adopted adequate organizational measures aimed at keeping track of processing activities within the supply chain and proving compliance with the rules;

2.2. articles 12, par. 2 and 3, 15, 17 and 21, par. 2, of the Regulation for not having responded to the request to exercise the rights formulated by the interested party and for not having promptly registered the relevant opposition;

2.3. articles 6, par. 1, letter a), and 7 of the Regulation and art. 130 of the Code, for having made promotional telephone calls without the informed consent of the interested party;

2.4. articles 5, par. 1, letter a), 6, par. 1, letter a) and 7 of the Regulation for having processed personal data collected through the website (https://www.maximumsrl.com/) in the absence of an appropriate legal basis; in this regard, in fact, the Authority has had the opportunity to note that the procedure for finalizing the request for online assistance/consultancy through the data collection form found at the link https://www.maximumsrl.com/contatti is conditional on the acquisition of consent to the processing of personal data for direct marketing and profiling purposes. In other words, the user is precluded from accessing the assistance/consultancy services offered by the Company without first having necessarily accepted the processing of data for the various marketing and profiling purposes, thus resulting in coercion of the will of the interested party;

2.5. art. 25, par. 1, of the Regulation due to the inadequate design of the processing resulting from the mismatch between the activities described in the privacy information (sending of newsletters) and the consents to be acquired (in this case not requested by the Company). In particular, while the use of the data acquired during registration on the website (https://www.maximumsrl.com/) for the sending of newsletters is envisaged (as emerges from the privacy information available at the link https://www.iubenda.com/privacy-policy/86441273), a specific consent for this purpose was not found, nor was the legal basis that would justify its pursuit clarified, generating reasonable doubt as to what processing operations are actually carried out by Maximum and what means are used to this end.

3. DEFENSIVE OBSERVATIONS AND EVALUATIONS OF THE AUTHORITY

3.1. Defence memorandum

The Company, in exercising its right of defence, sent a memorandum dated 18 May 2023 in which it requested the dismissal of the proceedings initiated against it on the ground that it was unrelated to the conduct complained of.

In particular, it reiterated that it did not hold the complainant's personal data and therefore had not contacted her for marketing purposes. Furthermore, the calling number used for this purpose was not found to be "owned" by the Company, which "has no intermediaries authorized to call on behalf of Maximum". In this regard, it specified that "many Call Centers improperly use [...] the Maximum brand" and then sell different products.

The Company sells its products exclusively to "completely independent private companies [...] with a collection of data and records to which [Maximum] is [...] extraneous". Therefore, according to the Company, the role of data controller cannot be ascribed to it, nor can it exercise "directive and sanctioning" power against companies that operate privately with the aim of selling Maximum products. The opposition expressed by the complainant was also, in its view, erroneously advanced against the Company, as the latter was not responsible for the processing in question.

With reference to the website, the Company stated that it collects personal data via online forms exclusively to respond to reports and complaints relating to technical-functional problems of Maximum brand devices and not for commercial activities. In support of this, the response to the Authority quoted an excerpt from the email sent by Maximum's DPO (a copy of which was attached) on the Company's processing policy, from which it emerges that the Company "does not carry out any newsletter activity and that the data collected is promptly deleted for requests sent after 90 days". Finally, "an initial check shows 22 registry details from the last 90 days from the website www.maximumsrl.con to be of a welfare nature".

3.2. Legal assessments

With reference to the factual profiles highlighted above, also based on the Company's statements, for which the declarant is responsible pursuant to art. 168 of the Code, the following legal assessments are formulated.

3.2.1. On controllership and accountability

First of all, controllership of the processing in question and, consequently, responsibility for the violations regarding the protection of personal data must be attributed to Maximum. Although the Company claims no involvement in the processing complained of, there is no doubt that the telephone calls received by the complainant were made in the name and in the interests of the Company, to the point of giving rise to the interested party's belief that she had been contacted directly by Maximum. In fact, the complainant initially turned to the Company on the basis of this legitimate expectation, thus excluding any attribution of liability to other parties (see, in this regard, provision dated 15 June 2011, web doc. no. 1821257).

The third-party companies themselves, linked by a commercial relationship with the Company, even if "independent" and "with their own legal nature", would fall within a single overall economic plan aimed at increasing the sale of Maximum products and services, and this does not relieve the latter of its responsibilities related to the processing of personal data.

It cannot be ruled out that this sales activity, parallel and external to Maximum and apparently characterized by a certain systematic nature, may bring advantages to the latter in terms of brand promotion, with consequent activation of services or signing of new contracts. Furthermore, the use of calling numbers not attributable to the Company does not allow the critical issues described to be overcome since, as repeatedly stated by the Authority, telephone calls that do not come from the company's official sales force, or whose owner cannot be traced and identified, could be carried out, as often happens, by disguising the calling user through the adoption of CLI masking techniques, such as telephone spoofing.

In light of the above, the Company, as data controller, has acknowledged the lack of adequate technical and organizational measures, regulated by art. 24 of the Regulation, with particular regard to the inability to effectively control the supply chain of partners who carry out promotional activities to its advantage. Furthermore, there are no initiatives or corrective actions in this sense on the part of the Company even after the request for information from the Office and not even after the initiation of the procedure, as the complainant complained of receiving further unwanted telephone calls, on a "weekly" basis, for the promotion of Maximum services (as reported in a note dated 26 June 2023). Nor, from the context represented, is there evidence of the adoption of suitable and decisive concrete initiatives against any abusive parties who would fuel the illicit market through the improper use of the Maximum name (reports to the competent authorities, or the adoption of noteworthy technical and organizational measures).

It is therefore considered necessary to confirm the violation of articles 5, par. 2, 24 and 25 of the Regulation, which frame the controller's duties with a view to the necessary enhancement of the principle of responsibility (accountability), aimed at proving compliance with the rules on the protection of personal data.

3.2.2. On the exercise of rights

As described in point 1 of this provision, the promotional phone calls in the interest of Maximum continued even after the opposition expressed by the complainant during the contacts complained of. Therefore, not only does the Company appear to have failed to register this opposition in a timely manner, but it also does not appear to have responded to the request to exercise the rights referred to in articles 15 and 17 of the Regulation within the terms established by art. 12, par. 3, of the same. The Company responded, albeit evasively, only after being requested to do so by the Authority with the request for information dated 19 January 2023 and, with the memo dated 18 May 2023, considered that the complainant's opposition had been wrongly made against it, without considering itself responsible for the contacts complained of.

What emerges, therefore, is conduct that is not consistent with the controller's obligation to facilitate, with appropriate measures, the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without delay, the relevant requests, including the right of opposition which can be advanced "at any time" (see provision no. 431 of 15 December 2022, web doc. no. 9856345), constituting a violation of art. 12, par. 2 and 3, as well as articles 15, 17 and 21, par. 2, of the Regulation.

3.2.3. On consent

The complainant declared that she had never given her consent to receive promotional communications from the Company and that she had requested the deletion of her personal data several times (including during the phone calls complained of as described above). In this regard, it should be highlighted that dissent or opposition to further processing expressed during the unwanted phone call always prevails over any consent originally expressed.

However, it is clear that the phone calls made following the complainant's refusal were found to lack the legal basis of consent, nor did the Company ever mention the presence of an original consent that authorized at least the first promotional call.

Therefore, since the acquisition of suitable consent from the interested party to receive promotional telephone calls has not been proven, it is deemed necessary to confirm the violation of articles 6, par. 1, letter a) and 7 of the Regulation and art. 130 of the Code.

3.2.4. On the processing of personal data via online forms in the absence of a suitable legal basis

The circumstance represented by the Company of not processing personal data collected through online forms for commercial purposes is not confirmed by the email that Maximum's DPO sent in support of the defense arguments. In the brief in question, the Company omitted some information reported in the aforementioned email (a copy of which, however, was attached) which would reveal a different picture from that outlined by Maximum. In fact, it is noted that the "22 records of the last 90 days from the site www.maximumsrl.com [have] a welfare and promotional nature" and that they are used "only in the case of contacts that have explicitly given specific [...] consent for marketing purposes". Furthermore, "the company has adopted measures to centralize consents for marketing purposes, from contacts coming from the official website [...] in order to ensure the validity of consents and guarantee that all marketing activities comply with privacy legislation".

It follows that the personal data collected via the website were also processed for promotional purposes, as confirmed in the aforementioned email, subject to the consent of the interested parties. However, the acquisition of consent to marketing and profiling was found to be obligatory and a necessary condition to proceed with the request for assistance/consultancy via online forms, inevitably invalidating the free will of the interested parties.

Therefore, since the above findings show the absence of suitable consent, not only in relation to the case referred to in the complaint but in the overall processing carried out by Maximum, it is deemed necessary to confirm the violation of articles 5, par. 1, letter a), 6, par. 1, letter a) and 7 of the Regulation.

Finally, the circumstance described by the Company of not carrying out "any newsletter activity" does not allow the critical issues referred to in point 2.5, to which full reference is made, to be overcome, confirming a disconnect between the formal level (the purposes pursued as described in the privacy policy, including the sending of newsletters) and the factual level of the processing (the concrete activities carried out by the Company). This denotes an incorrect and inadequate design of the relevant processing, with the consequent violation of art. 25, par. 1, of the Regulation.

4. CONCLUSIONS

For the above, Maximum's responsibility for the following violations of the Regulation is deemed to be established:

- art. 5, par. 1, letter a) and par. 2;

- art. 6;

- art. 7;

- art. 12, par. 2 and 3;

- art. 15;

- art. 17;

- art. 21, par. 2;

- art. 24;

- art. 25;

as well as art. 130 of the Code. Having ascertained the illegality of the above-described conduct of the Company, it is necessary to:

- pursuant to art. 58, par. 2, letter f) of the Regulation, prohibit the processing of personal data collected via the website in the absence of suitable consent of the interested parties to the marketing and profiling activity, pursuant to articles 6, 7 and 12 of the Regulation, as well as art. 130 of the Code;

- pursuant to art. 58, par. 2, letter d) of the Regulation, order Maximum to delete said data without delay, without prejudice to the data that must be kept for the fulfillment of a legal obligation or for the defense of a right in court as well as for any other purpose that does not require informed, free, specific, documented and unambiguous consent from the interested party;

- in the event that the Company intends to continue with the aforementioned processing activities, require it, pursuant to art. 58, par. 2, letter d), of the Regulation, to implement all the necessary measures to ensure that they comply with the provisions on the protection of personal data, i.e., among others:

a) provide interested parties with suitable information pursuant to articles 12 and 13 of the Regulation, in relation to the individual processing of personal data;

b) identify a suitable legal basis for the processing in question which, at present, appears to lie in the acquisition of informed, free, specific, documented and unequivocal consent for each of the purposes concretely pursued (articles 6 and 7 of the Regulation);

c) implement all necessary organizational measures in order to facilitate the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without unjustified delay, the relevant requests, including the right of opposition that may be advanced "at any time" by the interested party (art. 21, par. 2, of the Regulation);

d) adopt suitable procedures aimed at keeping track of processing activities within the supply chain and proving compliance with the rules on the protection of personal data, with particular reference to those applicable to the sending of commercial communications (articles 6, 7, 13, 14 of the Regulation and 130 of the Code);

- with regard to the processing already carried out, it is believed that the conditions exist for the application of a pecuniary administrative sanction pursuant to articles 58, par. 2, letter i) and 83, pars. 4 and 5 of the Regulation.

5. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

The violations confirmed above require the adoption of an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Maximum of the pecuniary administrative sanction provided for by art. 83, par. 4 and 5 of the Regulation. However, since various provisions of the Regulation and the Code have been violated in relation to related processing carried out by the Company for marketing purposes, art. 83, par. 3, of the Regulation applies, according to which, "if, in relation to the same treatment or related treatments, a data controller violates, with intent or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation", thus absorbing the less serious violations. Specifically, the aforementioned violations, which also concern the exercise of the rights of the interested parties, are to be traced back, pursuant to art. 83, par. 3, of the same Regulation, to the most serious violation, with consequent application of the sanction provided for in art. 83, par. 5, of the Regulation.

To determine the amount of the sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1), it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation.

In the specific case, the following must be considered as aggravating circumstances:

1. the seriousness of the violations detected with particular reference to the inadequate management of the interested party's right to object, confirmed by the receipt by the latter of further numerous unwanted telephone calls for the promotion of Maximum services, even after the start of the proceedings by the Authority, and which are added to the contacts registered over the years by the complainant (art. 83, par. 2, letter a);

2. the subjective dimension of the conduct, to be considered seriously negligent, with particular reference to the inadequacy of control over the processing chain (art. 83, par. 2, letters b and d);

3. the discrepancy in the Company's conduct with respect to the consistent regulatory activity of the Guarantor in the field of telemarketing with particular reference to information and consent, data retention and management of controllership of processing (art. 83, par. 2, letter k).

As mitigating elements, it is believed that the following should be taken into account:

1. the nature of the data processed, of a common type (art. 83, par. 2, letter a, g);

2. the absence of previous proceedings initiated against the Company (art. 83, par. 2 letter e);

3. the degree of cooperation in interaction with the Supervisory Authority such as to facilitate the carrying out of investigation activities (art. 83, par. 2, letter f);

4. the overall assessment of the economic capacity of the Company, taking into consideration the latest available company turnover (art. 83, par. 2, letter k).

Based on all the elements indicated above, in application of the aforementioned principles of effectiveness, proportionality and dissuasiveness referred to in art. 83, par. 1 of the Regulation, also taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, also in order to limit the economic impact of the sanction on the organisational, functional and employment needs of the Company, it is believed that the administrative sanction of the payment of a sum of 5,000.00 (five thousand/00) euros, equal to 0.025% of the statutory maximum, should be applied to Maximum, also taking into consideration other similar cases.

In the case in question, it is believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, should also be applied, taking into account the matter under investigation, i.e. the phenomenon of unwanted marketing, with respect to which this Authority has adopted numerous provisions both of a general nature and directed at certain data controllers and on which the attention of the 'user.

Please note that, pursuant to art. 170 of the Code, anyone who, being obliged, does not comply with this provision prohibiting processing is punished with imprisonment from three months to two years and that, in case of non-compliance with the same provision, the sanction referred to in art. 83, par. 5, letter e) of the Regulation applies.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of the violations detected here in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation.

IN LIGHT OF ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, par. 1, letter f), of the Regulation, declares unlawful, in the terms set out in the justification, the processing carried out by Maximum International Corp. S.r.l., with registered office in Contrada Zachia, 90038 Zachia (Palermo), VAT number 04434710820, and consequently:

a) pursuant to art. 58, par. 2, letter f) of the Regulation, prohibits the processing of personal data collected via the website in the absence of suitable consent of the interested parties to the marketing and profiling activity, pursuant to articles 6, 7 and 12 of the Regulation, as well as art. 130 of the Code;

b) pursuant to art. 58, par. 2, letter d) of the Regulation, orders Maximum International Corp. S.r.l. to proceed without delay with the deletion of said data, without prejudice to the data that must be retained for the fulfillment of a legal obligation or for the defense of a right in court as well as for any other purpose that does not require informed, free, specific, documented and unambiguous consent of the interested party;

c) in the event that the Company intends to continue with the aforementioned processing activities, requires it, pursuant to art. 58, par. 2, letter d) of the Regulation, to implement all the necessary measures so that they comply with the provisions on the protection of personal data, i.e., among others:

- provide interested parties with suitable information pursuant to articles 12 and 13 of the Regulation, in relation to the individual processing of personal data;

- identify a suitable legal basis for the processing in question which, at present, appears to lie in the acquisition of informed, free, specific, documented and unequivocal consent for each of the purposes concretely pursued (articles 6 and 7 of the Regulation);

- implement all necessary organizational measures in order to facilitate the exercise of the rights provided for by the legislation on the protection of personal data and to satisfy, without unjustified delay, the relevant requests, including the right of opposition which can be advanced "at any time" by the interested party (art. 21, par. 2, of the Regulation);

- adopt suitable procedures aimed at keeping track of processing activities within the supply chain and proving compliance with the rules on the protection of personal data, with particular reference to those applicable to the sending of commercial communications (articles 6, 7, 13, 14 of the Regulation and 130 of the Code);

d) pursuant to art. 157 of the Code, orders the Company to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by art. 83, paragraph 5, of the Regulation.

ORDER

pursuant to art. 58, par. 2, letter i), of the Regulation, to Maximum International Corp. S.r.l., in the person of its legal representative, to pay the sum of 5,000.00 (five thousand/00) euros, as a pecuniary administrative sanction for the violations indicated in the justification; the offender is informed that, pursuant to art. 166, paragraph 8, of the Code, it has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €5,000.00 (five thousand/00) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of law no. 689/1981;

PROVIDES FOR

as an accessory sanction, pursuant to art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, the publication of this provision on the Guarantor's website and, pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the annotation of the violations and measures adopted in the internal register of the Authority provided for by art. 57, par. 1, letter u) of the Regulation.

Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller has its residence or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 18 July 2023

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE GENERAL SECRETARY
Mattei