Garante per la protezione dei dati personali (Italy) - 9936215

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6 GDPR
Article 13 GDPR
Article 83 GDPR
Article 157 Codice Privacy
Type: Complaint
Outcome: Upheld
Started: 30.05.2023
Decided: 14.09.2023
Published: 10.10.2023
Fine: 90,000 EUR
Parties: GFB One s.r.l.
Vodafone Italia S.p.A.
National Case Number/Name: 9936215
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: Luca Brocca

The Italian DPA issued a €90,000 fine against GFB One s.r.l., a sales agent for Vodafone Italia S.p.A. The company unlawfully activated two SIM cards without any authorisation from the data subject. This breached Article 5(1)(a) GDPR, Article 6 GDPR, Article 13 GDPR, and Article 157 of the Italian Privacy Code.

English Summary

Facts

GFB One s.r.l. (the company), while acting as a sales agent for Vodafone Italia S.p.A. (the controller), activated two SIM cards for the data subject without his authorisation. The data subject contacted the controller to block the new SIM cards. He also found out that the SIM cards had been associated with a non-existent bank account. Thus, the data subject lodged a complaint at the Italian DPA, which initiated an investigation.

Before making a decision, pursuant to Article 157 of the Italian Privacy Code, the DPA requested both the company and the controller to provide information relevant to the proceedings to acquire useful elements for a complete assessment of the case. While the controller complied with the request of the DPA, the company did not provide any response, even though the request set out the consequences, including those of a sanctioning nature, to which it might be subjected in the event of failure to reply.

Holding

First of all, the DPA examined the position of the controller and pointed out that its conduct did not appear to be unlawful or in conflict with the principles of the protection of personal data. In fact, as soon as it was informed of the unlawful activations, the controller blocked the SIM cards to prevent their use by unidentified persons.

Meanwhile, the DPA ascertained that the company unlawfully processed the data of the data subject. The company had allowed the activation of the SIM cards without correctly confirming the identity of the data subject, had acquired a simple paper copy of the identity document and had failed to carry out further checks on the real identity of the person concerned.

In light of the above, the company was found in breach of Article 5(1)(a) GDPR and Article 6 GDPR for processing personal data without a lawful basis, Article 13 GDPR for failing to provide necessary information to the data subject, and Article 157 of the Italian Privacy Code for non-compliance with information requests.

Thus, the DPA ordered the company to stop further processing of the data and issued a €90,000 pecuniary administrative sanction, pursuant to Article 83(5) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE NEWSLETTER OF 10 October 2023

[doc. web no. 9936215]

Provision of 14 September 2023

Register of measures
n. 405 of 14 September 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, which was attended by Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Dr. Claudio Filippi, deputy general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter the "Code");

HAVING SEEN the documentation on file;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000, adopted with resolution of 28 June 2000;

SPEAKER Dr. Agostino Ghiglia;

1. THE INVESTIGATIVE ACTIVITY CARRIED OUT

1.1. Premise

With deed of 30 May 2023, n. 85654/23 (notified on the same date by certified email), which must be understood as fully referenced and reproduced here, the Office initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation towards GFB One s.r.l. (hereinafter "GFB" or "the Company"), in the person of the legal representative pro tempore, with registered office in Pomigliano d'Arco (NA), via Passariello n. 103, c.f. 09432761212.

The proceeding originates from an investigation launched by the Authority following the receipt of a report from Mr. XX against the telephone company Vodafone Italia S.p.A.: the reporting party complained about the illicit activation in his name of two SIM cards by the telephone company's sales network, an activation which had been notified to the aforementioned person by sending two emails and an SMS message. Mr. XX, after having contacted the telephone company to block the new users, had independently carried out some checks which showed that the numbers had both been activated from a Vodafone shop located in Marano di Napoli (NA), in via Vincenzo Merola 51 and that for the related charges a non-existent current account had been indicated attributable, based on the IBAN code, to a branch of Monte dei Paschi di Siena located in Treviglio, not far from the place of residence of the reporting party.

The reporting party also stated that he had reported the incident to the police station of Treviglio. At the time of the complaint, he had produced the identification and activation forms for rechargeable SIMs provided, following his request, by Vodafone and relating to the disputed activations, from which it was clear that the activations had been carried out at the aforementioned commercial establishment in Marano di Napoli, by the company GFB One s.r.l.

The telephone company, after a further request from Mr. XX, confirming that it had deactivated the utilities, sent a copy of the identity document used for activation which, although barely legible, actually appeared to be the copy of the identity card in the possession of the interested party, who in the complaint had in any case stated that he had never traveled to Naples, that he had never activated the aforementioned telephone cards and that he had never lost possession of his document.

1.2. Requests for information formulated by the Authority

The Office proceeded to start the investigation, despite the fact that the interested party had not decided to make use of the complaint instrument pursuant to art. 77 of the Regulation, since the elements brought to the attention of the Authority appeared worthy of further investigation, and sent Vodafone a request for information pursuant to art. 157 of the Code.

In the response, Vodafone confirmed that it had provided correct information to the interested party regarding the matter as of 25 July 2022, and that it had subsequently sent him copies of the identification documents associated with the activation procedure of the two SIM cards. Vodafone stated that it had also started the sanctioning process against the GFB dealer, who had activated the disputed SIMs, and highlighted how, based on the checks carried out, the copy of the document used by the unknown activator of the SIMs reproduced the same identity card of the reporting party but it had to be excluded that this copy had been acquired from a file in Vodafone's possession and relating to a 2021 file.

Also in light of the interested party's counterarguments (which highlighted the contradictory nature of the information provided by Vodafone regarding the cancellation of the interested party's personal data and the origin of the documents associated with the activation of the two SIM cards), the Office sent a new request for information to Vodafone regarding the methods of acquiring data and images of customer identification documents, as well as on the methods of verifying the maximum number of SIMs that can be activated for each customer, on the procedures for controlling the work of the dealers and on any control activities carried out against the GFB company.

A request for information pursuant to art. 157 of the Code was also sent to GFB, in order to acquire useful elements for a complete evaluation of the case, with particular reference, among other things, to the operational procedures followed by the dealer for the activation of the SIMs and the identification of the customers, the information relating to the activation of the SIMs contested by Mr. XX and the methods of acquiring the copy of the latter's identity document (since, as already observed, from the documents it appeared that the document had always remained in the availability of the reporting person who had never gone to Campania, thus highlighting that for the activation of the two SIM cards, only one copy had been shown and, moreover, by a person other than the interested party).

Vodafone provided feedback within the terms, stating that the telephone company makes online update forms available to its dealers on the procedures for SIM activation, with particular attention to the measures to implement the provisions of the so-called “Pisanu Law” (law 31 July 2005, n. 155, conversion of the decree-law of 27 July 2005, n. 144) regarding the identification of the customer for the activation or replacement of a SIM, measures which provide for the presentation of a valid identity document. Vodafone also highlighted that it had obscured the data subject's data present in its systems since 30 November 2022.

Finally, Vodafone, in representing that it has adopted a double level of monitoring for the activities of the points of sale, evaluating the correctness of the operations through performance indicators and timely analysis of individual cases, confirmed that it had sent a formal warning with the charging of a penalty of 1000 euros to the GFB company, responsible for the activation of the two SIMs in the name of Mr. XX, since the dealer did not scrupulously follow the customer identification procedures imposed by the Company.

As for GFB, the Company did not provide any response to the request for information sent by the Authority, despite the fact that it clearly highlighted the consequences, including of a sanctioning nature, which it could incur in the event of a failure to respond.

1.3. Dispute of violations

At the end of the investigation, the Office adopted the aforementioned notice of dispute no. 85654/23 against GFB.

In the document, first of all, the position of the telephone company Vodafone Italia S.p.A. was examined, highlighting that the conduct carried out by it in the case in question and in the current state of the documents did not appear illicit or in any case in conflict with the principles on the protection of personal data, given that, as soon as it became aware of the illicit activations, the telephone company blocked the SIMs, in order to prevent use by unidentified subjects. It then definitively deactivated the aforementioned SIMs and initiated procedures aimed at ascertaining and sanctioning the actions of the dealer who had physically carried out the activations. Furthermore, it emerged that Vodafone has fully guaranteed the exercise of the rights that Regulation (EU) 2016/679 (hereinafter "Regulation") attributes to interested parties since, at the request of Mr. XX, it first sent to the latter the forms used for the activation of the SIMs, then the copies of the identity document attached to the forms and finally, again at the request of the interested party and compatibly with company procedures, ordered the obscuring of his data also in order to prevent any further illicit use.

More generally, it must be noted that the matter brought to the attention of the Authority has not revealed "system" anomalies or in any case elements that allow us to ascribe, against the telephone company, forms of culpa in vigilando with reference to the actions of the dealers. Vodafone's conduct, therefore, both in the phase prior to the activation of the SIM cards by GFB and in the subsequent phase, does not appear to be attributable to hypotheses of liability.

As for GFB, the notice of dispute stated how the Company activated the SIM cards which were then denied by the reporting party without having correctly ascertained the identity of the applicant, acquiring a simple paper copy of the identity document and failing to carry out further checks on the real identity of the interested party.

It was also observed that GFB did not provide any feedback to the Authority's requests for information, lengthening the investigation time and preventing the interested party, Mr. XX, from acquiring important elements regarding the illicit use of his identity document and personal information.

The Office, therefore, charged GFB with the following hypotheses of violation:

a) art. 5, par. 1, letter a), and 6 of the Regulation, for having processed the personal data of the interested party in violation of the principle of lawfulness and in the absence of an appropriate legal basis;

b) art. 13 of the Regulation, for failing to provide the interested party with the necessary information provided therein;

c) art. 157 of the Code, for failing to provide the Authority with the information and documents requested with a note dated 30 December 2022, notified to the Company's digital address.

2. GFB'S DEFENSE STATEMENT AND THE AUTHORITY'S ASSESSMENTS

With a note dated 30 June 2023, the GFB Company produced a defense statement pursuant to art. 166, paragraph 6, of the Code and art. 13 of the Internal Regulation of the Guarantor n. 1/2019, however transmitted late since the 30-day deadline indicated in the aforementioned provisions expired on 29 June 2023.

For completeness of discussion, we acknowledge the arguments put forward by the Company, which are reported in full: "first of all, it should be noted that the communication that this esteemed Authority reports having sent via certified e-mail on 30-12-2022 has not been received by the undersigned: for this purpose, please verify correct receipt and notify this company. On the merits, with reference to the matter in question, it means that since the first request made by Vodafone on the basis of Mr. XX's complaint this company promptly initiated proceedings aimed at bringing to light the circumstances relating to the incident, informing Vodafone from time to time. In essence [...], an incorrect procedure aimed at identifying the customer occurred within one of our stores. The fact is that the POS in question has ascertained that in this case the customer was actually identified by means of a photocopy and not the original of the identity document. As a result of this verification, as promptly reported to Vodafone, this company proceeded to sanction the POS that did not comply with the protocol clearly indicated by the undersigned and, to date, followed by all the other relevant POSs. As a result of the incident, in any case, all the stores were reprimanded on the importance of complying with the provisions not only of the relevant legislation but also of the mandate signed with the esteemed Vodafone S.P.A."

The arguments put forward, albeit belatedly, by GFB are not suitable to exclude the Company's liability for the disputed violations.

From the documents, from the statements of Mr. XX and from those of Vodafone, the circumstance is fully confirmed that GFB, which operates as a sales agent for the telephone company, activated two telephone cards in the name of the reporting party, who then disowned them, without following the procedures of the data controller for correct identification of the customer.

In fact, to prove the customer's identification, GFB attached to the SIM activation request forms a copy of the identity document in the possession of Mr. XX, who however also declared in the complaint to the Judicial Police that he had never lost possession of it. Furthermore, Mr. XX, resident in the province of Bergamo, also declared that he had never traveled to Campania in the places where GFB carries out its commercial activity. Furthermore, GFB One reported in the above forms incorrect indications of the IBAN code (formally correct, but in reality non-existent) of the credit institution from which the SIM debits are to be made.

These circumstances confirm what is represented in the document initiating the procedure regarding the circumstance that GFB activated the SIM cards subsequently contested without having correctly ascertained the identity of the applicant, acquiring a simple paper copy of the identity document and failing to carry out further checks on the real identity of the applicant.

Regarding the identification of the role of GFB, it is necessary to recall, first of all, the general provision regarding unsolicited telephone services, adopted by the Authority on 16 February 2006 and published in the Official Gazette no. 54 of 6 March 2006 (in www.gpdp.it, web doc. no. 1242592), in the part in which it highlights that "agents and resellers have the status of independent data controllers of the data used for the purposes of activating the services when, based on the methods of their activity, exercise real and completely autonomous decision-making power on the methods and purposes of the processing carried out in their area", and then, among others, the provision adopted against a Vodafone dealer operating in the province of Brescia (provision no. 293 of 13 May 2015, in www.gpdp.it, web doc. no. 4210697), where it is stated that "with reference to operations aimed at activating telephone cards in the absence of the holder and without the acquisition of a valid document, the company carried out processing of personal data by exercising a completely autonomous decision-making power, free from the provisions that linked it to the telephone operator and the Master dealer, assuming the legal role of data controller, as outlined in the aforementioned provision of the Guarantor of 16 February 2006". This last measure was subjected to scrutiny by the First Civil Section of the Court of Cassation which, with Order no. 21234 of 23 July 2021, reiterated "that only the person who has been responsible for the processing by the "owner" and who has complied with the instructions given by the latter in explication of his decision-making power can assert the status of "data controller"; it follows that if this does not happen, the "manager" may be recognized as the concrete "owner" of the processing, due to the decision-making and management autonomy expressed even by disregarding the provisions of the "owner"".

Therefore, having confirmed the ownership of the processing in question by GFB, the conduct of the Company as emerged from the investigation results in the violation of the provisions of the Regulation regarding information, since the Company proceeded to process the personal data of Mr. XX without having provided the necessary information pursuant to art. 13, as well as the violation of the provisions regarding the suitability of the legal basis of the processing, since the use of the identification data and personal documents of the interested party was carried out without the latter being aware of it and having expressed the desire to complete a contract for the activation of SIM cards.

What is irrelevant is what the Company stated, however belatedly, regarding the fact that the violation was physically carried out by an employee who independently deviated from the GFB provisions. In fact, the Company, in addition to not having disclosed the specific factual circumstances that led to the undue activation, has not even described the measures and precautions ordinarily implemented to guarantee that its employees correctly carry out customer identification activities under the direct authority of the Company itself, beyond the generic and undocumented statements regarding the sanctions and reprimands that would have reached the staff of the commercial establishment.

Finally, the Company failed to provide feedback to the request for information and the production of documents made by the Guarantor, resulting in an increase in the investigative obligations and a slowdown in administrative action. This circumstance emerges per tabulas, given that the Office sent the request for information specifying that a failure to respond could lead to the application of administrative sanctions.

Also in this case the late defense arguments which tend to exclude the receipt of the request for information sent by the Authority appear contradicted by the receipts of acceptance and delivery of the letter present in the documents and, in this regard, it must be reiterated that the request was sent to GFB's certified email address as resulting from the information system of the Chambers of Commerce and which the legislative decree 76/2020 (so-called "simplification decree"), converted with amendments by Law 120/2020, has qualified, in art. 37, the certified email address of the companies as a "digital domicile" valid for the purposes of electronic communications having legal value.

GFB's responsibility must therefore be confirmed in relation to the violations alleged under points a), b) and c).

3. CONCLUSIONS

For the above, GFB's responsibility for the following violations is deemed to be established:

a) art. 5, par. 1, letter a), and 6 of the Regulation, for having processed the personal data of the interested party in violation of the principle of lawfulness and in the absence of an appropriate legal basis;

b) art. 13 of the Regulation, for failing to provide the interested party with the necessary information provided therein;

c) art. 157 of the Code, for failing to provide the Authority with the information and documents requested with a note dated 30 December 2022, notified to the Company's digital address.

Having also ascertained the illegality of the Company's conduct with reference to the treatments examined, it is necessary to:

- impose on GFB, pursuant to art. 58, par. 2, letter f) of the Regulation, the prohibition of any further processing of the reporting person's data;

- adopt an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Vodafone of the pecuniary administrative sanction provided for by art. 83, par. 3 and 5 of the Regulation.

4. ORDER-INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against GFB of the pecuniary administrative sanction provided for by art. 83, par. 3 and 5 of the Regulation (payment of a sum of up to €20,000,000.00);

To determine the amount of the sanction it is necessary to take into account the elements indicated in the art. 83, par. 2, of the Regulation;

In the case in question, the following are relevant:

1) the seriousness of the violations (art. 83, par. 2, letter a) of the Regulation), taking into account the object and purpose of the data processed, as well as the conduct attributable to the overall phenomenon of illicit activation of telephone cards, potentially suitable to create further and much more alarming causes of illegality and to constitute an obstacle to the prevention and repression of crimes, including those of an associative nature;

2) as an aggravating factor, the intentional nature of the violation (art. 83, par. 2, letter b) of the Regulation), as emerged from the reconstruction of the facts and conduct carried out which exclude the merely negligent nature of the violation, given that the dealer certainly disregarded the telephone company's provisions regarding the need to identify the SIM applicant, took steps to acquire a copy not of an original document but of a simple photocopy and did not carry out further checks on all the data provided by the unknown applicant;

3) as an aggravating factor, the lack of initiatives on the part of GFB aimed at mitigating the damage suffered by the interested party (art. 83, par. 2, letter c) of the Regulation);

4) as an aggravating factor, the lack of collaboration with the Authority (art. 83, par. 2, letter f) of the Regulation);

5) as a mitigating factor to be taken into consideration to parameterize the sanction (art. 83, par. 2, letter k) of the Regulation), the data relating to the economic capacity of the Company, as obtained from the latest available financial statements (2022).

Based on all the elements indicated above, and on the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1 of the Regulation, and taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational and functional needs of the Company, it is believed that the administrative sanction of payment of a sum of 90,000 euros, equal to 0.45% of the maximum fine imposed, should be applied to GFB.

In the case in question, it is believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, should be applied, taking into account the nature of the Company's processing and conduct, as well as the elements of risk for the rights and freedoms of the interested parties.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

a) imposes on GFB, pursuant to art. 58, par. 2, letter f) of the Regulation, the prohibition of any further processing of the reporting person's data;

b) orders GFB, pursuant to art. 157 of the Code, to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the imposed measure; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, paragraph 5, of the Regulation.

ORDERS

to GFB One s.r.l., in the person of the legal representative pro tempore, with registered office in Pomigliano d'Arco (NA), via Passariello n. 103, c.f. 09432761212, to pay the sum of euro 90,000.00 (ninety thousand/00) as a pecuniary administrative sanction for the violations indicated in the justification, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, by complying with the instructions given and paying, within thirty days, an amount equal to half of the sanction imposed.

ORDERS

to the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 90,000.00 (ninety thousand/00) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with art. 27 of law no. 689/1981.

PROVIDES FOR

the application of the accessory sanction of the publication of this provision on the Guarantor's website, provided for by articles 166, paragraph 7 of the Code and 16 of the Guarantor's Regulation no. 1/2019, and the annotation of the same in the internal register of the Authority - provided for by art. 57, par. 1, letter u), of the Regulation, as well as art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor - relating to violations and measures adopted in compliance with art. 58, par. 2, of the Regulation itself.

Pursuant to articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is based, within thirty days from the date of communication of the provision itself.

Rome, 14 September 2023

THE VICE PRESIDENT
Cerrina Feroni

THE SPEAKER
Ghiglia

THE DEPUTY SECRETARY GENERAL
Filippi