Garante per la protezione dei dati personali (Italy) - 9995808

From GDPRhub
Latest revision as of 09:22, 30 April 2024

Garante per la protezione dei dati personali - 9995808
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(e) GDPR
Article 5(1)(a) GDPR
Article 6(1)(a) GDPR
Article 7 GDPR
Article 7(3) GDPR
Article 7(4) GDPR
Article 12 GDPR
Article 12(1) GDPR
Article 13 GDPR
Article 21(4) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 22.02.2024
Published:
Fine: 50,000 EUR
Parties: Trasporto Passeggeri Emilia-Romagna S.p.A. (TPER)
National Case Number/Name: 9995808
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: im

The DPA fined a public transport company €50,000 for collecting invalid consent to direct marketing and to service-status SMS messages through its season-ticket subscription form, and ordered the controller to bring its processing into conformity with the principle of storage limitation by setting a retention period of 24 months for marketing data and 12 months for profiling data.

English Summary

Facts

According to a report submitted to the Italian DPA pursuant to Article 144 of the Italian Privacy Code (‘Code’), a public transport company, Trasporto Passeggeri Emilia-Romagna S.p.A. (‘TPER’ or ‘controller’), collected invalid consent through its printed form for season-ticket subscriptions. The form had been in use since 1 July 2016 and was still in use at the time of the decision.

In particular, the consent in question concerned the following purposes under letters b) and c) of the form:

  • b) personal data collected and processed by third parties appointed by TPER, used for market research, satisfaction surveys, promotional initiatives, and information dissemination via telephone calls;
  • c) personal data also processed by appointed third parties for activating the SMS forwarding service, concerning information on strikes and planned changes to the service.

The form stated that a failure to give consent would make it impossible for the controller to carry out the processing and, therefore, impossible for the data subject to access the services indicated. Data subjects could not express separate consent for each processing purpose, as the form only required a single signature at the bottom.

Additionally, the printed form stated that providing this data was obligatory for the issuance of TPER's personal identification card, and that, by purchasing the card, individuals declared that they had received and read the information provided under Article 13 GDPR.

TPER admitted that the wording used in the printed form could be unclear and misleading, but stated that the form was not intended to make consent compulsory for the purchase of the season ticket. TPER added that the printed form bears the wording ‘I consent’ or ‘I do not consent’ in variable fields: the customer's wish is expressed orally and entered into TPER's system by an operator.

The controller also clarified that the data acquired on the basis of the consent under points b) and c) are retained for 10 years after the expiry of the last season ticket. This period was influenced by the fact that the card is valid for 5 years, during which users can apply for further season tickets. In addition, TPER is subject to inspections and checks by regional authorities which require documentary evidence to be kept for 10 years. Likewise, TPER needs to preserve users' personal data for payment recovery activities or possible litigation with users. The controller therefore maintained that this period was legally sound and justified.

Following the DPA's request for information, TPER updated the printed subscription form and its privacy policy, which now reminds data subjects that they can revoke any consent given at any time and distinguishes in detail all the different types of communication that TPER might send over time.

Holding

Principle of accountability

The DPA's assessment revealed that several infringements of the data processing principles in this case resulted from the fact that TPER, a company serving a large catchment area, had failed to review and update its compliance by the time the GDPR became applicable on 25 May 2018. TPER therefore breached the principle of accountability under Article 5(2) GDPR.

Information on the processing of personal data

The preliminary investigation showed that the information notice on the processing of personal data omitted several elements required by Article 13 GDPR (paragraphs 1 and 2): the contact details of the DPO, the legal basis of the processing, the possible recipients of the personal data, the data retention period, the rights of data subjects, the existence of the right to withdraw consent at any time and the right to lodge a complaint with a supervisory authority.

The DPA also found the information provided to be very generic, since it did not clarify the actual circumstances in which data subjects could receive SMS messages. The DPA therefore found the controller in breach of Articles 5(1)(a), 7(3), 12(1), 13 and 21(4) GDPR.

Direct marketing purposes and SMS relating to transport service

The controller collected and processed personal data, on the basis of consent, for direct marketing purposes and for sending SMS messages about the status of the service. The DPA assessed that this consent was neither free, specific nor adequately informed.

First, pursuant to Article 7(4) GDPR, when assessing whether consent is freely given, utmost account must be taken of whether the performance of a contract, including the provision of a service, is made conditional on consent to processing that is not necessary for the performance of that contract. In the present case, the season-ticket subscription form stated that a failure to consent would prevent TPER from carrying out its services.

Second, from the data subject's perspective, it was unclear whether the term ‘services’ referred to the transport services or to the activities described in points b) and c). The data subject was therefore led to give a single consent for different purposes, conditioned by the fear that refusing would prevent them from using the services.

Third, the consent was not adequately informed, since TPER did not clearly tell data subjects that the processing of their personal data for marketing purposes was based on optional consent, nor that refusing consent would not prevent them from obtaining the card.

In view of the above, the DPA found a violation of Articles 5(1)(a), 6(1)(a) and 7 GDPR.

Data retention period

The DPA acknowledged that, under the principle of accountability in Article 5(2) GDPR, it is for the controller to determine and justify the retention period. However, accountability does not allow the controller to disregard the other processing principles, including accuracy under Article 5(1)(d) GDPR and storage limitation under Article 5(1)(e) GDPR: data processed for marketing purposes cannot be considered adequate and up to date after 10 years. The DPA considered a 10-year retention period excessive and disproportionate and found the controller in breach of Article 5(1)(e) GDPR. Consequently, the DPA ordered the controller to comply with its guidelines (https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/1103045) setting a retention period of 24 months for marketing data and 12 months for profiling data.

For the breach of the above provisions, the DPA ordered the controller to bring its processing operations into conformity with the GDPR and imposed a fine of €50,000 on TPER.

Comment

Article 144 Code

1. Anyone may submit a report, which the Garante may also assess for the purposes of issuing the measures referred to in Article 58 of the Regulation.

2. The measures of the Garante referred to in Article 58 of the Regulation may also be adopted ex officio.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Newsletter of March 28, 2024



[doc. web no. 9995808]

Provision of 22 February 2024

Register of measures
n. 125 of 22 February 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

At today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice-President, Dr. Agostino Ghiglia and Mr. Guido Scorza, lawyer, members, and Cons. Fabio Mattei, Secretary General;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter, "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, no. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC" (hereinafter the "Code");

HAVING REGARD TO Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette no. 106 of 8 May 2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Guarantor Regulation no. 1/2019");

Having regard to the documentation on file;

Having regard to the observations made by the Secretary General pursuant to art. 15 of the Guarantor Regulation no. 1/2000 on the organisation and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Rapporteur: Dr. Agostino Ghiglia;

PREMISE

1. Introduction.

With a report submitted pursuant to art. 144 of the Code, it was alleged that the company Trasporto Passeggeri Emilia-Romagna S.p.A. (hereinafter, the "Company" or "TPER") had used a form for subscribing to local public transport season tickets that did not comply with the rules on the protection of personal data.

In particular, within the aforementioned form, the giving of consent for certain processing purposes (under letters b) and c)) was presented as mandatory, given that "failure to consent [...] entails the impossibility for TPER S.p.A. to carry out [the processing] and therefore the impossibility of accessing the services [...] indicated", and the data subjects could not, moreover, express specific consent for each proposed processing purpose.

Furthermore, a simple signature was required from the user at the bottom of the form, not directly referable to consent to the processing of personal data (which was understood to be given "with the purchase of the card"). In fact, the form states that "by purchasing the card you declare that you have received and read the information provided pursuant to art. 13 (attached) and, for the purposes and in the manner provided therein, you authorise:

a) the use of personal data strictly necessary for the purchase of the card itself, also through collection and processing by some third parties specifically appointed by TPER Spa;

b) the use of personal data, also through collection and processing by some third parties specifically appointed by TPER SpA, for carrying out market research, satisfaction surveys of the transport service, for participation in any promotional initiatives connected to the purchase of TPER SpA personal annual subscriptions, including prize competitions, for the forwarding of information and advertising material […];

c) the use of personal data, also through collection and processing by some third parties specifically appointed by TPER SpA, for the activation of the SMS message forwarding service, pertaining to [the] service provided by TPER SpA on the telephone of the subscription holder […].

Aware that the provision of data is mandatory for TPER SpA to issue the personal identification card (letter a).
Aware that failure to consent to the processing of data for the activities indicated in letters b and c will make it impossible for TPER SpA to carry them out and therefore the impossibility of accessing the services indicated above.

Information notice attached pursuant to art. 13 of Legislative Decree No. 196/2003".

2. The preliminary investigation activity.

With note dated XX (prot. n. XX), the Company, in response to a request for information from the Authority (prot. note n. XX of XX), declared, in particular, that:

“Tper is a joint-stock company with public participation which has as its object [in particular] the exercise of activities relating to the organization and management of transport systems [...]”;

"its marketing activities are an expression of its private-law form [...]";

"when the user chooses to go in person to the authorised sales points [...] the issue of a season ticket is subject to the collection of a series of personal data, set out in the form [...] and uploaded to a management system used by the Company";

"among the fields that can be filled in there are also those connected to the purposes referred to in letters b) and c) of the privacy information notice reported therein (respectively, "<AcconsenteDP>" and "<AcconsenteSMS>"). These fields are filled in according to the "privacy" wishes expressed by the customer and, more precisely, with "consents" in case of authorisation for the respective processing, or "does not consent" in case the relevant consent is not given";

"the printed form therefore contains the wording "consents" or "does not consent" - in the variable fields above - depending on whether the customer has expressed a favourable or negative choice, in a manner fully consistent with the wishes expressed orally by the data subject [...] It is specified that a copy of the form is delivered to the data subject, who can then verify that it matches his/her wishes and confirm or rectify them in case of erroneous entry by the Tper operator. The customers' wishes with respect to the processing described in letter b) and letter c) of the form are then also reflected in Tper's IT systems [...]";

"Although the expression used in the printed form [...] may be unclear and open to misunderstanding, it does not intend to impose, and does not in practice impose, mandatory consent in order to purchase the season ticket. The Company, in fact, confirms that the card containing the season ticket is issued even if consent to the processing described in letters b) and/or c) is not given [...]";

“Tper has included a short information in the season ticket release form […]. Extended information is then published on the Company's website regarding the processing activities carried out in different contexts and for different services (see https://www.tper.it/cliente/note-legali-e-sulla-tutela- of personal-data) […]”;

following the Authority's request for information, "Tper has updated the form for issuing the card containing the transport season ticket and the related privacy information [...] reminding interested parties that they can always revoke any consent given and distinguishing in detail all the different types of communications (including service or institutional) that Tper could send over time";

"it is believed that the consent provided on the basis of the information notice in use [...] is to be considered: specific, since for each purpose based on consent Tper asks the data subject to express a specific and distinct wish; free, since the data subject has the possibility to refuse consent for the aforementioned purposes, and this does not prevent access to the service or the issue of the personal card containing the local public transport season ticket [...]; express, since the Tper ticket-office operator is required to put the request to the data subject and to record the data subject's wishes in the systems [...]; documentable, being recorded in the form issued to the data subject as well as in the Company's IT systems";

“the form in question has been in force since 1 July 2016 and is still used. […] the Company has updated the information in the form, which will soon be made available to users".

The Company has also provided a copy of the new card request form (annex 3 to the aforementioned note), as well as a copy of the new information notice on the processing of personal data (annex 4 to the aforementioned note), both drawn up following the start of the investigation by the Garante.

In response to a subsequent request for information formulated by the Authority (prot. note n. XX of X), the Company, with note of XX (prot. n. XX) declared, in particular, that:

“the information […] is delivered directly to the customer by the ticket office operators together with the request form for the release of the identification card to be used to purchase the season ticket”;

“the form in question is to be considered the only form that the customer prepares for the request for issuance of the personal card [...] By signing this form you give your consent to the processing of your personal data. Consent is requested only when the card is issued and not after the request to activate subscriptions on it";

"the company uses the data subject to consent referred to in point b), solely [...] for carrying out a telephone interview by a "Customer Satisfaction" operator, an activity requested by the Mobility Agency as part of the assignment to TPER of the Local Public Transport service contract [...]";

starting from 1 July 2016, a total number of interested parties estimated at "approximately 2,000" were contacted for this processing purpose;

“the company has sent and sends communications via SMS to inform of any strikes or particular changes planned to the service. And the subscriber has the right to give their consent to the sending of SMS based on their preferences";

“the sending is repeated for each event […]. The mailing list is variable as it concerns only the subscribers interested in the single event [...]. On average, a mailing is made up of around 40,000 contacts."

In response to the request for further clarification addressed to it by the Authority (prot. note n. XX of XX), the Company, with note of XX (prot. n. XX), declared, in particular, that:

“the users who were given the first information notice (valid [from July XX to February XX]) amount to a total of 169,877”;

“the users who were given the second information notice (current today) amount to a total of 28,840”;

with regard to the duration of retention of the personal data of the interested parties, acquired on the basis of express consent for the purposes referred to in letters b) and c) of the card request form, used from XX to XX, "the data of the subjects requesting the season ticket (mobile number and email address are optional data) were collected first of all for the purpose of executing the transport contract (and therefore issuing the season ticket) and to better provide the transport service (possibly notifying the subject in the event of significant events regarding the service). These data are stored for a period of 10 years following the expiry of the last subscription";

“the purpose under b) constituted an ancillary purpose […], which included customer satisfaction activities […] and marketing purposes. This purpose, therefore, pursued on the legal basis of "consent", is currently active only for customer satisfaction activities. At the moment, no marketing activities have been carried out [and] the data for these purposes are stored for the same duration as above, unless consent is withdrawn";

“[...] at the moment no marketing activity is carried out but [...] there are only processing activities aimed at customer satisfaction surveys. These activities for measuring the degree of customer satisfaction are an integral part of TPER's contractual obligations provided for in Art. 14 point 3 of the contract for the assignment of TPL services between SRM (as Mobility Agency) and TPB [, a consortium company of which TPER is a member], as they constitute part of the monitoring system on the quality of the service provided, which the manager is required to implement, use and report to the SRM contractor, in order to verify the maintenance of minimum quality standards [...]";

“[…] SRM and TPER have entered into an agreement with which SRM has undertaken to carry out all these activities, both its own and also those that TPER should have carried out on its own”;

"therefore, these activities are carried out annually by SRM, as a TPER "supplier" on a sample of approximately 400 annual subscribers".

With note dated XX (prot. n. XX), the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the preliminary investigation, notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation:

for having provided the interested parties, in the period between XX and XX, with information on the processing of personal data lacking some of the information elements required by the legislation on the protection of personal data and characterized by poor transparency, acting in a manner that does not comply with the principle of lawfulness, correctness and transparency, in violation of arts. 5, par. 1, letter a), 7, par. 3, 12, par. 1, 13 and 21, par. 4 of the Regulation (see paragraph 3.1 below);

for having collected and processed the personal data of the interested parties who signed the card request form between XX and XX for direct marketing purposes on the basis of a consent not validly given and, therefore, acting in a manner that does not comply with the principle of lawfulness, correctness and transparency, in violation of arts. 5, par. 1, letter a), 6, par. 1, letter a) and 7 of the Regulation, as well as art. 130, paragraphs 2 and 3, of the Code (see paragraph 3.2 below);

for having collected and processed the personal data of interested parties who signed the card request form between XX and XX, for the purpose of sending SMS relating to the status of the service (strikes or changes to the programme), on the basis of a consent not validly given and, therefore, in a manner that does not comply with the principle of lawfulness, correctness and transparency, in violation of arts. 5, par. 1, letter a), 6, par. 1, letter a) and 7 of the Regulation (see paragraph 3.3 below);

for having retained the personal data of the interested parties, also processed for marketing purposes, for a period of time equal to ten years from the expiry of the last subscription, excessively long and not proportionate, acting in a manner that does not comply with the principle of storage limitation, in violation of art. 5, par. 1, letter e), of the Regulation (see paragraph 3.4 below);

for not having reviewed and updated, by the effective date of the Regulation (25 May 2018), either the information on the processing of personal data provided to interested parties and the card request and consent collection form, or its internal policies on data storage, acting in a manner that does not comply with the principle of accountability, in violation of art. 5, par. 2 of the Regulation (see paragraph 3.5 below).

With the same note, the aforementioned controller was invited to submit defensive briefs or documents to the Garante or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of Law 24 November 1981, n. 689).

With note dated XX (prot. n. XX), the Company presented its defense statement, declaring, in particular, that:

“[the] card called “MiMuovo” [is] useful for purchasing the various travel tickets among those available, and […] is used to validate the ticket for different types of transport […]. This card is valid for 5 years at the end of which it must necessarily be replaced by users. During this period of validity of the card the user can sign up for a subscription or not; in the second case the card is inactive (there being no valid travel document associated with it) but "valid" for 5 years from its issue: this therefore allows you to subscribe to one or more season tickets in this period of time without having to request the issuance of a new “MiMuovo” card unless the 5 years have expired. [These] characteristics of the card therefore influenced the determination of the aforementioned retention time", equal to "10 years from the signing of the last subscription";

furthermore, "among the types of subscriptions offered to users, there are some that allow the customer to take advantage of favorable conditions, including variable discounts depending on the indications given in the various regional laws of reference and more in particular established by the Emilia-Romagna Region which TPER must necessarily comply with. Among the various discounts provided, there are also those for the benefit of foreigners, minors and disabled people. From this it follows that TPER is subject, among others, to controls and checks regarding compliance with the rules imposed by law (including those on the quantum of discounts applied). Added to this, by virtue of the 2021-2022 Budget Law, in the case of a public transport subscription, the expense may be deducted from the tax return with the consequence that, even in these cases, there may be checks by the Deputized authorities”;

"with respect to regulatory benefits, note how some of these can be granted by the competent bodies even with retroactive scope (for example, a contribution dedicated to hydrocarbons approved with an agreement of XX was also recognized with respect to annual season tickets purchased starting from XX). The retroactive effectiveness of some concessions therefore prevents apparently "ordinary" records from being deleted from the systems as they could take on a different importance at a time following the issue of the season ticket";

"the above-mentioned controls and checks were necessarily taken into consideration for the purposes of defining the above-mentioned retention time, TPER having to be in possession of documentary evidence of the activities carried out as proof of compliance with the legal requirements to which it is subject as the checks by the regional authorities are subject to the limitation period of 10 years and therefore can intervene in this period of time";

“[furthermore,] […] TPER has the right to impose sanctions in the event of failure to display the title or in case of abuse in the use of the same by the user, and that, in the event of disputes or failure to display the title of the travel document, TPER can take action to recover the credit within 5 years of non-payment of the injunction order. Subsequently, if a situation of non-payment by the debtor persists, the credit is registered and the case is sent to the territorially competent Revenue Agency for the related collection, with possible subsequent litigation with the user. These credit recovery activities therefore require conservation of users' personal data even if they no longer have active subscriptions and the need for conservation may vary depending on the collection process, which could also include direct litigation in the event of contesting the sanction by the user”;

therefore, the Company "believes that the 10-year conservation term that has been identified is to be considered legally correct and, more precisely, justified by the related obligations, rights and faculties of TPER";

"however, in order to improve its level of compliance and with a view to continuous improvement, TPER is carrying out further legal investigations to understand the possibility of reducing, possibly also differentiating users in its systems, the retention time now applied";

“As regards the lawfulness of the consents collected by TPER up to XX, it must be considered that they can be considered valid and not forcibly extorted. Indeed, although the expression used in the printed form [...] and delivered to the interested parties as a summary of the choices expressed ("aware that failure to consent to the processing of data for the activities indicated in letters b and c will make it impossible for Tper Spa to carry them out and therefore the impossibility of accessing the services indicated above") could be unclear and misunderstandable, it did not intend to impose - and in fact has never imposed - the issuing of mandatory consent to obtain a subscription. So much so that the cards issued on XX were not conditional on the release of marketing consent and were rightly issued also to users who had denied consent to such activities at the time of purchasing the card";

"again, that the aforementioned sentence referred to the services connected with the purpose of sending to demonstrate from the reading of the Brief Information: the reference to the services refers to those reported in letters b) and c) - otherwise an expression in the singular would have been used to recall that of letter a) - mentioned in the same sentence as describing the consequences of failure to provide [...]";

"in confirmation of the foregoing, please note that the following wording was clearly shown in the form that was printed and issued to the user: "aware that the provision of data is mandatory for TPER SpA to issue the personal identification card (letter a)", meaning that the only provision of data considered mandatory (or rather, strictly necessary) was for the issuing of the MiMuovo Card and never for the pursuit of the purposes referred to in letters b) and c) which were not mentioned. This sentence is then inserted immediately before the one describing the consequences of failure to consent for the purposes of letters b) and c): it must therefore be considered clear that "impossibility of accessing the services indicated above" referred to marketing activities and the sending of SMS which must certainly also be understood as services offered to users, if expressly requested. You are therefore asked to read the sentence deemed ambiguous together with the one preceding it [...]";

“[...] with respect to the fulfillment of the principle of transparency, it is noted that the possibility of objecting to processing carried out for marketing purposes was already present in the Extended Information in use up to the XX and which was delivered to the customer at the time of the issue of the season ticket: this document extensively reports the rights recognized pursuant to the art. 7 of the Code in the version before the 2018 amendment (see art. 7, paragraph 4, letter b of the Code reported at the bottom of the Extended Information), including the right to object [...]";

"in light of the foregoing, it is believed that it is clear that no consent was mandatory for the purchase of the MiMuovo card or for the purchase of the season ticket. Nor could it have been otherwise as the service provided by TPER is an essential public service carried out for the benefit of the community";

"the signing of the Brief Information was intended only to confirm that the text had been read as it was issued by the ticket office staff after the compilation of the system data, thus allowing users to verify what is reported therein and, if necessary, the correction of any errors. As mentioned, the signature is not an expression of any privacy consent. The positive and negative preferences are valorised, as well as systemically, also reflected within the text of the Brief Information, in letters b) and c) [...]";

"furthermore, arguing otherwise it would not be right to find in the TPER systems manifestations of privacy of the interested parties in a negative sense [...]";

“pending the start of the […] procedure, [the Company] not only provided the new privacy information to the interested parties who signed up for the subscription by purchasing the MiMuovo card (therefore to approximately 102,033 interested parties from XX to XX), but started structuring a campaign to send the new information to customers";

"with reference to the lawfulness of the processing carried out by sending informative SMS, [...] the Company, with a view to great attention and protection of the interested party, has limited the forwarding of such messages only to those who have an active subscription, had given consent for this purpose and were actually affected by the disservice being communicated";

the Company reiterates the "optional nature of issuing this consent and [...] the possibility for the user to object, reminded the user in the text of the Extended Information [...]";

in any case, "the seriousness of the violation allegedly committed by TPER must be set at a minimum level. The Company, in fact, acted in absolute good faith, never moved by the intention of monetizing or profiting from the use of the personal data collected, but rather for the sole exclusive purpose of providing a good service to the community and of always improving itself in carrying out the same";

“in order to reduce the impacts on interested parties, the Company has updated the privacy information in XX [...], and will send it to subscribers still active in possession of a MiMuovo card issued before the aforementioned update. Furthermore, TPER will not process the data of users whose consent was collected on the basis of the previous information, unless there is a privacy preference connected to the release of the new information in the system".

3. Outcome of the preliminary investigation.

3.1 Information on the processing of personal data.

In compliance with the principle of "lawfulness, correctness and transparency", the data controller must take appropriate measures to provide the interested party, before starting the processing, with all the information required by the Regulation in a concise, transparent, intelligible and easily accessible form, using simple and clear language (arts. 5, par. 1, letter a), 12 and 13 of the Regulation; see also recitals 39 and 58 of the Regulation; see Article 29 Working Party, “Guidelines on transparency under Regulation 2016/679”, amended version adopted on 11 April 2018, WP260 rev.01).

From the documentation on file and from the declarations made during the investigation, it appears that, in this case, the card request form, used by the Company at the authorized sales points starting from XX up to the month of XX (see annex 1 to the note prot. XX of XX), referred to an information notice on data processing ("information annex pursuant to art. 13 Legislative Decree No. by the Company, "it is not [...] an attachment to the form but is referred to in it as it is delivered directly to the customer by the ticket office operators together with the form" (see annex 1 to protocol note no. XX of XX).

Given that, although the Regulation had already become effective on 25 May 2018, the information notice in question mentioned provisions of the Code (see references to articles 13 and 7) no longer applicable from that date and then formally repealed by Legislative Decree 10 August 2018, n. 101, it is noted that, contrary to the provisions of art. 13 of the Regulation, this information notice:

does not indicate the contact details of the data protection officer designated by the Company (see art. 13, par. 1, letter b), of the Regulation);

does not indicate the legal basis of the processing for each processing purpose pursued (see art. 13, par. 1, letter c), of the Regulation);

does not mention "any recipients or any categories of recipients of personal data", limiting itself to reporting that "some third parties may be appointed by TPER to collect and process your data" (see art. 13, par. 1, letter e), of the Regulation);

does not indicate the period of retention of personal data or, if this is not possible, the criteria used to determine this period (see art. 13, par. 2, letter a), of the Regulation);

does not mention the rights of interested parties referred to in arts. 15-22 of the Regulation (see art. 13, par. 2, letter b), of the Regulation), limiting itself to reporting the text of art. 7 of the Code, in the version prior to the amendments made by Legislative Decree 101/2018, which only partially coincide with those provided for by the Regulation, and the methods by which these rights may be exercised are not indicated;

does not mention the existence of the right to revoke consent at any time without prejudice to the lawfulness of the processing based on the consent given before the revocation (see art. 13, par. 2, letter c), of the Regulation);

does not mention the right to lodge a complaint with a supervisory authority (see art. 13, par. 2, letter d), of the Regulation).

The information in question also states that "the provision of data is mandatory for TPER SpA to issue the season ticket and/or identification card" (see also the similar wording reported in the request form of the card), without any indication regarding which specific data must necessarily be provided for the issuing of the card and the use of transport services, and which, instead, could be optionally provided in case of consent to the processing of data for other purposes of processing (see the Company's declarations regarding the fact that "mobile number and email address are optional data").

As for the statement at the bottom of the card application form, according to which "failure to consent to the processing of data for the activities indicated in letters b and c will make it impossible for TPER SpA to carry them out and therefore make it impossible to access the services indicated above", it is noted that the same appears to be unclear and misleading for the interested parties, given that, as a result of the reference to "services", it is implied that the consent to the processing of personal data for the purposes sub lett. c) and d) is necessary for obtaining the card and taking out a season ticket.

With regard to the circumstance that, as declared during the investigation, on the Company's website "extensive information was published regarding the processing activities carried out also in different contexts and for different services", the text of which was not filed during the investigation, it is noted that, in any case, this extended information notice was not mentioned in any way in the form in question, nor does it appear from the documents that it had been published or made available to interested parties on the premises of the authorized sales points.

Furthermore, again with regard to the fulfillment of the obligations of transparency towards the interested parties, it is noted that neither the contractual card request form nor the information on the processing of personal data made the interested party aware that the same "has the right to revoke your consent at any time" and that "the revocation of consent does not affect the lawfulness of the processing based on consent before the revocation" (art. 7, par. 3, of the Regulation).

The Company has not even brought to the attention of the interested parties, presenting it clearly and separately from any other information, the right to object to the processing for direct marketing purposes (art. 21, par. 4, of the Regulation), having limited itself to reporting the text of the art. 7 of the Code, no longer in force.

Furthermore, it is noted that in the period between the month of XX and that of XX, the Company offered subscribers the possibility of receiving, on an optional basis, SMS "relevant [to] the service provided by TPER" (see annex 1 to the note prot. n. XX of XX). As stated during the investigation, these SMS would be sent to "inform of any strikes or particular changes planned to the service". The information provided to the interested parties in this regard is, therefore, extremely generic, as the actual circumstances under which the interested parties could have received such SMS are not clarified, consequently compromising their ability to understand the purposes of the processing actually pursued (see art. 13, par. 1, letter c), of the Regulation).

In consideration of all of the above, it is ascertained that the Company, in the period between the month of XX and that of XX, provided interested parties with information on the processing of personal data lacking some of the information elements required by the relevant legislation on the protection of personal data, and characterized by lack of transparency, acting in a manner that does not comply with the principle of "lawfulness, correctness and transparency", in violation of arts. 5, par. 1, letter a), 7, par. 3, 12, par. 1, 13 and 21, par. 4, of the Regulation.

3.2 Consent to the processing of personal data for direct marketing purposes.

In compliance with the principle of accountability (articles 5, paragraph 2, and 24 of the Regulation), the controller is required to prove that the processing it carries out complies with the principle of "lawfulness, correctness and transparency" (article 5, paragraph 1, letter a) of the Regulation), also with regard to the existence of the conditions for validity of the consent (see articles 6, paragraph 1, letter a), and 7 of the Regulation).

With specific regard to processing carried out for direct marketing purposes, art. 130, paragraphs 1 and 2, of the Code subordinates the possibility of processing personal data "for sending advertising or direct sales material or for carrying out market research or commercial communication", through electronic communications, to obtaining the “consent of the contractor or user”.

Art. 7, par. 1 of the Regulation provides that "if the processing is based on consent, the data controller must be able to demonstrate that the interested party has given his consent to the processing of his personal data".

In order to be considered valid, the interested party's consent must, in any case, consist of a "free, specific, informed and unequivocal expression of will by the interested party, with which he or she expresses his or her assent, through an unequivocal declaration or positive action, that the personal data concerning him are being processed” (art. 4, par. 1, n. 11) of the Regulation).

Pursuant to art. 7, par. 4, of the Regulation, "in assessing whether consent has been freely given, the utmost consideration is given to the possibility, among others, that the execution of a contract, including the provision of a service, is conditional on the provision of consent to the processing of personal data not necessary for the execution of this contract" (see cons. n. 43).

The data controller, with a view to accountability, is in any case required to respect all other principles regarding data protection, including the principle of "storage limitation", according to which personal data must be "kept in a form that allows the identification of interested parties for a period of time not exceeding the achievement of the purposes for which they are processed" (art. 5, par. 1, letter e), of the Regulation).

Having said this, it is noted that - even though, as declared by the Company during the investigation, it never sent communications to the interested parties for marketing purposes (i.e., as reported in the card request form, for "forwarding information material and advertising") - the methods with which the Company, in the period between the month of XX and that of XX, collected the consent of the interested parties to the processing of personal data for these purposes cannot be considered compliant with the requirements established by the legislation on personal data protection.

In this regard, it must be observed that the interested party's consent (see art. 6, par. 1, letter a) of the Regulation) can be considered validly given only if it is the expression of a "free, specific, informed and unequivocal will of the interested party, with which he/she expresses his/her consent, through a declaration or unequivocal positive action, that the personal data concerning him/her be processed" (art. 4, par. 1, n. 11), of the Regulation).

In the present case, the freedom of consent is, however, vitiated by the circumstance that, as highlighted above, the form in question, with regard to the consequences envisaged in the event of failure to consent to the processing, reports in an ambiguous and not very transparent manner that "the failure to consent to the processing of data for the activities indicated in letters b) and c) will make it impossible for TPER SpA to carry them out and therefore the impossibility of accessing the services indicated above".

From the perspective of the interested party, it is therefore not clear whether the term "services" refers to the transport services provided by the Company or, improperly, to the promotional and information activities referred to in the aforementioned letters b) and c) of the form. This ambiguous expression can consequently lead the interested party to believe that consent to processing is necessary in order to obtain the card and use transport services. On the other hand, this is a non-controversial aspect, given that the Company itself has recognized in its defense brief that the wording in question is "unclear and misunderstandable".

It is noted, in this regard, that art. 7, par. 4 of the Regulation specifically provides that "in assessing whether consent has been freely given, maximum consideration is given to the possibility, among other things, that the execution of a contract, including the provision of a service, is conditional on provision of consent to the processing of personal data not necessary for the execution of the contract". The fact that the Company has proposed the giving of the consent in question as a condition for being able to use its services does not, therefore, allow it to be considered as freely given (see provisions of 15 December 2022, no. 431, doc. web no. 9856345; 12 June 2019, no.

Nor can the Company's defense thesis be accepted, according to which in no case would it have actually denied the provision of the service to users who have not given consent to the processing of their data for the purposes sub letters b) and c). The complaint made against the Company concerns, in fact, exclusively the conditioning suffered by users at the time of requesting consent - who may have been induced to give it due to the fear of not being able to use all or part of the transport services - and not the actual failure to provide the service to users who have denied consent. In other words, this conditioning took place regardless of the subsequent correct fulfillment by the Company of the obligations connected to the provision of the public transport service. This is also due to the strong and early protection that must be guaranteed to the right to data protection as a fundamental human right.

Also the argument according to which the reference to the "services indicated above" in the card request form ("Aware that failure to consent to the processing of data for the activities indicated in letters b and c will make it impossible for TPER SpA to carry them out and therefore the impossibility of accessing the services indicated above") should be understood not as transport services but rather as those referred to in letters b) and c) cannot be accepted. This is because the activities referred to in letters b) and c) (market research, surveys, participation in promotional initiatives, forwarding of advertising material, etc.) cannot be assimilated to services rendered to the user. Therefore, from the user's perspective, the completely generic reference to the "above services", within a formulation that the Company itself defined as "unclear and misunderstandable", could only be understood as a reference to transport services rendered by the Company.

Nor can the fact that in the form in question the users were informed that "the provision of data is mandatory for TPER SpA to issue the personal identification card (letter a)" be considered conclusive. This is due to the fact that, following a consent given for the purposes set out in letters b) and c) with the conditioning deriving from the risk of not being able to access transport services, they would still have perceived as necessary the provision of all the data requested by the Company. Furthermore, it is reiterated, as already noted in paragraph 3.1 above, that neither the contractual form nor the information notice on processing contained any indication regarding the data whose provision would be optional (see the Company's declarations regarding the circumstance that "mobile number and email address are optional data", which is not reflected in the forms used).

As for the fact that users had been made aware, in the information provided together with the form, of the right to object to the processing of data "for the purposes of sending advertising material or direct sales or for carrying out market research or commercial communication", it is noted that the right to object can be exercised by interested parties with regard to processing already carried out by the controller (see art. 18 of the Regulation). Therefore, the defensive argument used by the Company is irrelevant to the question of assessing the freedom of the consent requested from the interested parties at the time of data collection (see art. 21, paragraph 3, of the Regulation, pursuant to which "if the interested party objects to the processing for direct marketing purposes, the personal data will no longer be processed for these purposes").

With specific regard to the processing purpose under letter b) of the form, it is noted that the interested party's freedom of consent was further compromised by the fact that the expression of consent had also been ambiguously referred to the processing carried out for the purposes of "participation in any promotional initiatives linked to the purchase of personal annual subscriptions TPER SpA, including prize competitions" (letter b) of the form). Such processing operations, should the interested party join the initiative, instead find their legal basis in the need to perform a contract to which the interested party is a party, or in the terms and conditions governing each initiative (see art. 6, par. 1, letter), of the Regulation). The interested party could, therefore, be induced to give a single consent for different processing purposes, his will being conditioned by the fear that, by not giving the requested consent, he would not be able to participate in the promotional initiatives launched by the Company, including prize competitions.

Nor can the consent of the interested party be considered adequately informed, given that, on the basis of what is stated in the previous paragraph 3.1, the Company did not clearly inform the interested parties that the processing of personal data for marketing purposes was based on their optional consent and that, in the absence of consent, the possibility of obtaining the card and taking out the subscription would in no way have been compromised. Furthermore, the interested parties were not informed that consent could be freely withdrawn at any time, by objecting to further processing, without this affecting the validity of the consent previously given (see articles 7, par. 3, 13, par. 2, letter), and 21, par. 2 of the Regulation).

In consideration of the above, the consent of interested parties to the processing of their personal data for marketing purposes cannot be considered valid, as it is neither free, nor specific, nor adequately informed.

Furthermore, in this regard, the fact that, as declared by the Company during the investigation, the personal data of the interested parties who gave the consent in question have to date been processed solely for the purpose of measuring the degree of customer satisfaction, and not also for direct marketing purposes, is not relevant. This is because the collection and storage of the data in question constitute in themselves processing operations which must be supported by all the safeguards provided for by the data protection regulations, including the existence of an appropriate legal basis.

For all the reasons set out above, the processing for marketing purposes of the personal data of the interested parties who signed the card request form between XX and XX took place on the basis of a consent not validly given and, therefore, in a manner not compliant with the principle of "lawfulness, fairness and transparency", in violation of articles 5, par. 1, letter a), 6, par. 1, letter a) and 7 of the Regulation, as well as 130, paragraphs 2 and 3, of the Code.

3.3 Consent to the processing of personal data for sending SMS relating to the transport service.

In the period between the month of XX and that of XX, the Company offered interested parties the possibility of receiving, with prior consent, SMS "relevant to the service provided by TPER" (see information on the processing of personal data referred to in annex 1 to the note of the XX of the XX, with particular reference to the purpose of processing under letter c)).

As stated during the investigation, these SMS would be sent to "inform of any strikes or particular changes planned to the service".

In this regard, it is noted that, given what was highlighted in the previous paragraphs 3.1 and 3.2 regarding the generic nature of the information on the processing of personal data provided to interested parties as to the specific purposes pursued by sending such SMS, as well as the absence of any indication that consent was optional (without consequences for the possibility of obtaining the card and taking out the subscription), such consent cannot be considered free and informed.

Consequently, and strictly related to the violation referred to in the previous paragraph 3.2, it should be noted that the processing of the personal data of the interested parties who signed the card request form between XX and XX, for the purpose of sending SMS relating to the service provided (strikes or changes to the programme), which the Company itself presented to the interested parties as optional processing, also occurred on the basis of a consent that was not validly given and, therefore, in a manner not compliant with the principle of "lawfulness, fairness and transparency", in violation of articles 5, par. 1, letter a), 6, par. 1, letter a) and 7 of the Regulation.

3.4 The period of retention of personal data.

With regard to the personal data of users acquired on the basis of express consent for the purposes referred to in letters b) and c) of the subscription form used from XX to XX, the Company declared that "the data of the subjects requesting the subscription (mobile number and email address are optional data) were collected first of all for the purpose of executing the transport contract (and therefore issuing the season ticket) and to better provide the transport service (possibly notifying the subject in the event of significant events concerning the service). These data are kept for a period of 10 years following the expiry of the last subscription" (prot. note no. XX of the XX).

In particular, "the purpose under b) constituted an ancillary purpose [...], which included customer satisfaction activities [...] and marketing purposes" and, for this purpose "the data [...] are kept for the same duration as above [, i.e. ten years from the expiry date of the last subscription,] unless consent is revoked” (ibidem).

Such an extended retention period (ten years from the expiry date of the last subscription) of personal data cannot be considered proportionate.

Also in light of the principle of accountability and the "general responsibility" that rests with the data controller (see articles 5, par. 2, and 24 of the Regulation; see also recital 74 of the Regulation), the Company should in fact have defined specific and appropriate retention times also for data processed for marketing purposes, for measuring the level of customer satisfaction and for sending service communications, and should be able to justify the choices made. In this regard, it is noted, as recently reiterated by this Authority, that "the provision of the Guarantor of 24 February 2005 '"Fidelity card" and guarantees for consumers', although no longer of a binding nature, is to be considered still applicable as a guideline, and so therefore is the timescale provided for therein (24 months for data relating to marketing; 12 months for data relating to profiling). Furthermore, while valuing the principle of accountability, also with reference to the delicate matter of data retention, one certainly cannot conclude that a controller, on the basis of this principle, which must be reconciled with the other fundamental principles envisaged by the Regulation, may deviate excessively from the aforementioned provisions without incurring a violation of the principle of storage limitation (see art. 5, par. 1, letter d) of the Regulation). For example, it is considered inappropriate to retain marketing data until the date of withdrawal of consent to processing, pursuant to art. 7 of the Regulation, also considering that the interested party might never change his will, or keep it unchanged for years" (provision dated 18 July 2023, n. 321, web doc. n. 9920942; see also provisions dated 8 June 2023, web doc. no. 9909907;

The Company, however, retained all the personal data of the card holders for a single and disproportionate retention time, equal to ten years from the expiry date of the last subscription, without, moreover, adequately demonstrating that, in relation to the data considered optional, as they are instrumental to the pursuit of the purposes under letters b) and c) of the card application form, there was a need for such prolonged storage.

On the other hand, the Company itself declared that "further legal investigations are underway to understand the possibility of reducing, possibly even differentiating users in its systems, the retention time now applied", from which it can be seen that this evaluation was not adequately carried out in the past, as the Company did not establish ex ante the data retention times for each specific processing purpose and each different context.

Having defined a single and disproportionate data retention time, equal to ten years from the expiry date of the last subscription, even for processing for marketing purposes, the Company acted in a manner inconsistent with the principle of "storage limitation", in violation of art. 5, par. 1, letter e), of the Regulation (see also art. 25, par. 2, of the Regulation).

3.5 Respect for the principle of responsibility.

In the legal framework defined by the Regulation, the data controller is responsible for ensuring compliance with the basic data protection principles and must be able to demonstrate this.

The fact that the Company, which serves a user base of significant size, had not reviewed and updated, by the date on which the Regulation became applicable (25 May 2018), either the information on the processing of personal data provided to interested parties and the card application and consent collection form, or its internal policies on data storage, with consequent violation of the principles of "lawfulness, fairness and transparency" and "storage limitation", demonstrates the Company's substantial negligence in fulfilling the obligations deriving from the Regulation and the Code and in complying with the principle of accountability, resulting, therefore, in violation of art. 5, par. 2 of the Regulation (also with reference to art. 24 of the Regulation).

4. Conclusions.

In light of the assessments mentioned above, it is noted that the declarations made by the data controller during the investigation ˗ for the truthfulness of which one may be held liable pursuant to art. 168 of the Code ˗, although worthy of consideration, do not allow the findings notified by the Office with the act initiating the proceeding to be overcome and are insufficient to allow the dismissal of this proceeding, since, moreover, none of the cases envisaged by art. 11 of the Guarantor Regulation n. 1/2019 applies.

It is also noted that, for the determination of the applicable rule from a temporal point of view, reference must be made in particular to the principle of legality set out in art. 1, paragraph 2, of Law n. 689/1981, which states that «the laws that provide for administrative sanctions are applied only in the cases and times considered therein». This entails the obligation to take into consideration the provisions in force at the time of the violation, which in the case in question - given the permanent nature of the contested offence - must be identified as the time of cessation of the unlawful conduct, which occurred after 25 May 2018, the date on which the Regulation became applicable and Legislative Decree 10 August 2018, n. 101 entered into force. In the case in question, the personal data of the interested parties, although collected before the date on which the Regulation became applicable (25 May 2018), were still being processed by the Company on the date on which it was notified of the administrative violation. Therefore, the provisions of the Regulation and the Code, in the text currently in force, apply.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Company is established, for having processed the personal data of the interested parties in violation of articles 5, par. 1, letters a) and e), and par. 2, 6, par. 1, letter a), 7, 12, par. 1, 13 and 21, par. 4 of the Regulation, as well as 130, paragraphs 2 and 3, of the Code.

Taking into account that the multiple violation of the aforementioned provisions took place as a result of a single conduct (the same processing or related processing operations), art. 83, par. 3 of the Regulation applies, pursuant to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation. Considering that, in the specific case, all violations are subject to the administrative sanction provided for by art. 83, par. 5 of the Regulation, as also referred to in art. 166, paragraph 2, of the Code, the total amount of the fine is to be quantified up to 20,000,000 euros or, for companies, up to 2% of the total annual worldwide turnover of the previous financial year, if higher. Considering that the total annual turnover of the Company in 2022 was equal to 219,377,426.00 euros, the total amount of the fine is to be quantified up to 20,000,000 euros.

5. Corrective measures (art. 58, par. 2, letters d) and f) of the Regulation).

Art. 58, par. 2 of the Regulation gives the Guarantor the power to "order the data controller or data processor to bring the processing into conformity with the provisions of this regulation, if appropriate, in a specific manner and within a specific deadline" (letter d), to "impose a temporary or definitive limitation on processing, including a prohibition on processing" (letter f), as well as to "order the rectification, deletion of personal data or limitation of processing [...]" (letter g).

On the basis of what emerged from the investigation in relation to the collection and processing, in the period between XX and XX, of the personal data of the interested parties on the basis of a consent not validly given, it is necessary, pursuant to art. 58, par. 2, letters d), f) and g), of the Regulation, to:

impose a ban on processing the personal data of interested parties for marketing purposes and sending communications on the status of the transport service, on the basis of consent invalidly acquired in the period between XX and XX, without prejudice to the fact that the Company may still send any other communication that is necessary to fulfill legal obligations (art. 6, par. 1, letter b) of the Regulation) or execute the subscription contract (art. 6, par. 1, letter c), of the Regulation);

order the Company to provide interested parties with the new information on the processing of personal data it has prepared, making it available on its institutional website, at its headquarters and at its points of sale, as well as providing it, on an individual basis, to each interested party at the first useful opportunity of contact.

Pursuant to articles 58, par. 1, letter a), of the Regulation and 157 of the Code, the Company must also communicate to this Authority, providing adequately documented feedback, within thirty days of notification of this provision, the initiatives undertaken in order to implement what is ordered above pursuant to the aforementioned art. 58, par. 2, letter f), as well as any measures implemented to ensure that the processing complies with the legislation on the protection of personal data.

6. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i) and 83 of the Regulation; article 166, paragraph 7, of the Code).

The Guarantor, pursuant to articles 58, par. 2, letter i) and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this regard, taking into account art. 83, par. 3 of the Regulation, in this case the violation of the aforementioned provisions is subject to the application of the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation.

The amount of the aforementioned pecuniary administrative sanction, imposed depending on the circumstances of each individual case, must be determined taking due account of the elements provided for by art. 83, par. 2, of the Regulation.

With specific regard to the nature and seriousness of the violation and the sensitivity of the data affected by it (art. 83, par. 2, letter a), of the Regulation), account was taken of the high number of interested parties whose data were processed ("approximately 2,000" interested parties have been contacted since 2006 for the purpose of measuring the degree of customer satisfaction, and on average SMS on the service status have been sent to "approximately 40,000 contacts" per sending) and of the extended time span (from XX to XX) in which the Company used forms that did not comply with data protection legislation.

On the other hand, it was considered that the Company, which carries out a public service, declared, with assumption of responsibility also pursuant to art. 168 of the Code, that it had in any case never sent marketing communications to the interested parties, having only carried out activities to measure the degree of customer satisfaction, and had therefore not obtained any economic advantage from the processing carried out. Furthermore, the Authority has received no complaints concerning the sending of unsolicited marketing communications by the Company.

With regard to the categories of personal data affected by the violation (art. 83, par. 2, letter g) of the Regulation), it is noted that the violation did not concern personal data belonging to special categories (art. 9 of the Regulation) or relating to criminal convictions or offences (art. 10 of the Regulation), although it involved a large number of interested parties and persisted for a long period of time.

In light of these circumstances, it is considered that, in the present case, the level of severity of the violation committed by the data controller is low (see European Data Protection Board, "Guidelines 04/2022 on the calculation of administrative fines under the GDPR" of 23 May 2023, point 60).

Considering, as mitigating circumstances, that there are no previous relevant violations committed by the Company in the same context (art. 83, par. 2, letter e), of the Regulation) and that the Company offered a high level of cooperation during the investigation, taking prompt action to review its own forms and internal policies on the basis of the Authority's findings (art. 83, par. 2, letter f), of the Regulation), it is considered that the pecuniary administrative sanction for the violation of articles 5, par. 1, letters a) and e), and par. 2 (also with reference to art. 24), 6, par. 1, letter a), 7, 12, par. 1, 13 and 21, par. 4, of the Regulation, as well as 130, paragraphs 2 and 3, of the Code, should be set at 50,000 (fifty thousand) euros, an amount deemed, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

Taking into account that the Company committed the aforementioned violations despite the numerous measures adopted over time by the Authority, both in provisions of a general nature and in decisions on specific cases, regarding the correct methods of collecting the informed consent of interested parties to the processing of personal data for marketing purposes, it is also considered that, given the large number of data processed unlawfully, the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, should be applied.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

declares, pursuant to art. 57, par. 1, letter f), of the Regulation, the unlawfulness of the processing carried out by the company Trasporto Passeggeri Emilia-Romagna S.p.A. for violation of articles 5, par. 1, letters a) and e), and par. 2, 6, par. 1, letter a), 7, 12, par. 1, 13 and 21, par. 4 of the Regulation, as well as 130, paragraphs 2 and 3, of the Code, within the terms set out in the reasoning;

ENJOINS

the company Trasporto Passeggeri Emilia-Romagna S.p.A., in the person of its legal representative pro tempore, with registered office in Via di Saliceto, 3 - 40128 Bologna (BO), C.F. 03182161202, to pay the sum of 50,000 (fifty thousand) euros as a pecuniary administrative sanction for the violations indicated in the reasoning. It is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

to the aforementioned Company:

to pay the sum of 50,000 (fifty thousand) euros, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, according to the methods indicated in the annex, within thirty days of notification of this provision, under penalty of the adoption of the consequent enforcement acts pursuant to art. 27 of Law n. 689/1981;

pursuant to art. 58, par. 2, letters f) and d), of the Regulation:

the prohibition on processing the personal data of interested parties for marketing purposes and for sending communications on the status of the transport service, on the basis of consent invalidly acquired in the period between XX and XX, without prejudice to the fact that the Company may in any case send any other communication that is necessary to fulfil legal obligations (art. 6, par. 1, letter b), of the Regulation) or to perform the subscription contract (art. 6, par. 1, letter c), of the Regulation);

the erasure without delay of said data, except for those that must be kept for the fulfilment of a legal obligation or for contractual reasons;

to provide all interested parties with the new information on the processing of personal data prepared by the Company, making it available on its institutional website, at its headquarters and its points of sale, as well as providing the same on an individual basis to each interested party at the first available opportunity of contact;

pursuant to art. 157 of the Code, to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, par. 5, of the Regulation.

PROVIDES FOR

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code (see art. 16 of the Guarantor's Regulation no. 1/2019);

the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, letter u), of the Regulation, of violations and measures adopted in compliance with art. 58, par. 2 of the Regulation (see art. 17 of the Guarantor's Regulation no. 1/2019).

Pursuant to articles 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 22 February 2024

PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE GENERAL SECRETARY
Mattei



SEE ALSO Newsletter of 28 March 2024



[doc. web no. 9995808]

Provision of 22 February 2024

Register of measures
n. 125 of 22 February 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the councillor Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter, "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC" (hereinafter the "Code");

HAVING REGARD TO Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette n. 106 of 8 May 2019 and at www.gpdp.it, doc. web no. 9107633 (hereinafter "Guarantor Regulation no. 1/2019");

HAVING SEEN the documentation on file;

HAVING SEEN the observations made by the general secretary pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

RAPPORTEUR Dr. Agostino Ghiglia;

PREMISE

1. Introduction.

With a report submitted pursuant to art. 144 of the Code, it was complained that the company Trasporto Passeggeri Emilia-Romagna S.p.A. (hereinafter, the "Company" or "TPER") would have used a form for subscribing to local public transport service subscriptions that did not comply with the regulations on the protection of personal data.

In particular, within the aforementioned form, the provision of consent for certain processing purposes (under letters b) and c)) was presented as mandatory, considering that "failure to consent [...] entails the impossibility for TPER S.p.A. to carry out and therefore the impossibility of accessing the services [...] indicated", nor could the interested parties, moreover, express specific consent for each proposed processing purpose.

Furthermore, a simple signature was required by the user at the bottom of the form, not directly referable to the consent to the processing of personal data (which was understood to be given "with the purchase of the card"). In fact, the form states that "by purchasing the card you declare that you have received and have read the information provided pursuant to art. 13 (which is attached) and, for the purposes and in the manner provided therein, you authorize:

a) the use of personal data strictly necessary for the purchase of the card itself, also through collection and processing by some third parties specifically appointed by TPER Spa;

b) the use of personal data, also through collection and processing by some third parties specifically appointed by TPER SpA, for carrying out market research, satisfaction surveys on the transport service, for participation in any promotional initiatives connected to the purchase of TPER SpA personal annual subscriptions, including prize competitions, for the forwarding of information and advertising material […];

c) the use of personal data, also through collection and processing by some third parties specifically appointed by TPER SpA, for the activation of the SMS message forwarding service, pertaining to [the] service provided by TPER SpA on the telephone of the subscription holder […].

Aware that the provision of data is mandatory for TPER SpA to issue the personal identification card (letter a).
Aware that failure to consent to the processing of data for the activities indicated in letters b and c will make it impossible for TPER SpA to carry them out and therefore the impossibility of accessing the services indicated above.

Information attachment pursuant to art. 13 Legislative Decree No. 196/2003”.

2. The preliminary investigation activity.

With note dated XX (prot. n. XX), the Company, in response to a request for information from the Authority (prot. note n. XX of XX), declared, in particular, that:

“Tper is a joint-stock company with public participation which has as its object [in particular] the exercise of activities relating to the organization and management of transport systems [...]”;

“its marketing activities are [an] expression of its private-law form […]”;

"when the user chooses to physically go to the authorized sales points [...] the issuing of a subscription is subject to the collection of a series of personal data, reported in the form [...] and uploaded to a management system used by the Company";

“among the fields that can be filled in there are also those connected to the purposes referred to in letters b) and c) of the privacy information reported therein (respectively, “<AcconsenteDP> and <AcconsenteSMS>”). These fields are filled in taking into account the "privacy" wishes expressed by the customer and, more precisely, with: "agree", in case of authorization for the respective processing operations, or "do not consent" in case of failure to provide the relevant consents";

“the printed form therefore contains the wording “agrees” or “does not agree” - in the variable fields above - depending on whether the customer has expressed a favorable or negative choice, in a manner absolutely consistent with the expression of will expressed orally by the interested party [...] It is specified that a copy of the form is delivered to the interested party, who will then be able to verify the compliance of his/her wishes, to confirm or rectify them in case of erroneous insertion by the Tper operator. The wishes of the customers with respect to the treatments described in letter b) and letter c) of the form are then also reflected in the Tper IT systems [...]";

"Although the expression used in the printed form [...] could be unclear and misunderstandable, it does not intend to impose and does not even in practice impose the issuing of mandatory consent to obtain the purchase of the season ticket. The Company, in fact, confirms that the card containing the subscription is issued even in the event of lack of consent to the processing described in letters b) and/or c) [...]";

“Tper has included a short information notice in the season ticket release form […]. Extended information is then published on the Company's website regarding the processing activities carried out in different contexts and for different services (see https://www.tper.it/cliente/note-legali-e-sulla-tutela-dei-dati-personali) […]”;

following the Authority's request for information, "Tper has updated the form for issuing the card containing the transport season ticket and the related privacy information [...] reminding interested parties that they can always revoke any consent given and distinguishing in detail all the different types of communications (including service or institutional) that Tper could send over time";

"it is believed that the consent provided on the basis of the information in use [...] is to be considered: specific, since for each purpose based on consent Tper asks the interested party to express a specific and distinct will; free, since the interested party has the possibility to deny consent for the aforementioned purposes; this does not prevent access to the service and the issuing of the personal card containing the local public transport season ticket [...]; expressed, since the Tper ticket office operator is required to formulate the request to the interested party and to record the interested party's wishes in the systems [...]; documentable, being reported in the form issued to the interested party, as well as in the Company's IT systems";

“the form in question has been in force since 1 July 2016 and is still used. […] the Company has updated the information in the form, which will soon be made available to users".

The Company has also provided a copy of the new card request form (annex 3 to the aforementioned note), as well as a copy of the new information on the processing of personal data (annex 4 to the aforementioned note), both drawn up following the start of the investigation by the Guarantor.

In response to a subsequent request for information formulated by the Authority (prot. note no. XX of X), the Company, with note of XX (prot. no. XX) declared, in particular, that:

"the information [...] is delivered directly to the customer by the ticket office operators together with the request form for the release of the identification card to be used to purchase the season ticket";

“the form in question is to be considered the only form that the customer prepares for the request for issuance of the personal card [...] By signing this form you give your consent to the processing of your personal data. Consent is requested only when the card is issued and not after the request to activate subscriptions on it";

"the company uses the data subject to consent referred to in point b), solely [...] for carrying out a telephone interview by a "Customer Satisfaction" operator, an activity requested by the Mobility Agency as part of the assignment to TPER of the Local Public Transport service contract [...]";

starting from 1 July 2016, a total number of interested parties estimated at "approximately 2,000" were contacted for this processing purpose;

“the company has sent and sends communications via SMS to inform of any strikes or particular changes planned to the service. And the subscriber has the right to give their consent to the sending of SMS based on their preferences";

“the sending is repeated for each event […]. The mailing list is variable as it concerns only the subscribers interested in the single event [...]. On average, a mailing is made up of around 40,000 contacts."

In response to the request for further clarification addressed to it by the Authority (prot. note n. XX of XX), the Company, with note of XX (prot. n. XX), declared, in particular, that:

“the number of users who were given the first information notice (valid [from July XX to February XX]) is equal to a total of 169,877”;

“the number of users who were given the second information notice (currently in use) is equal to a total of 28,840”;

with regard to the retention period of the personal data of the interested parties, acquired on the basis of express consent for the purposes referred to in letters b) and c) of the card request form, used from XX to XX, "the data of the subjects requesting the season ticket (mobile number and email address are optional data) were collected first of all for the purpose of executing the transport contract (and therefore issuing the season ticket) and to better provide the transport service (possibly notifying the subject in the event of significant events regarding the service). These data are stored for a period of 10 years following the expiry of the last subscription";

“the purpose under b) constituted an ancillary purpose […], which included customer satisfaction activities […] and marketing purposes. This purpose, therefore, pursued on a legal "consensus" basis is currently active only on customer satisfaction activities. At the moment, no marketing activities have been carried out [and] the data for these purposes are stored for the same duration as above, unless consent is withdrawn";

“[...] at the moment no marketing activity is carried out but [...] there are only processing activities aimed at customer satisfaction surveys. These activities for measuring the degree of customer satisfaction are an integral part of TPER's contractual obligations provided for in Art. 14 point 3 of the contract for the assignment of TPL services between SRM (as Mobility Agency) and TPB [, a consortium company of which TPER is a member], as they constitute part of the monitoring system on the quality of the service provided, which the manager is required to implement, use and report to the SRM contractor, in order to verify the maintenance of minimum quality standards [...]";

“[…] SRM and TPER have entered into an agreement with which SRM has undertaken to carry out all these activities, both its own and also those that TPER should have carried out on its own”;

"therefore, these activities are carried out annually by SRM, as a TPER "supplier" on a sample of approximately 400 annual subscribers".

With note dated XX (prot. n. XX), the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged from the preliminary investigation, notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation:

for having provided the interested parties, in the period between XX and XX, with information on the processing of personal data lacking some of the information elements required by the legislation on the protection of personal data and characterized by poor transparency, acting in a manner that does not comply with the principle of lawfulness, correctness and transparency, in violation of Articles 5, par. 1, letter a), 7, par. 3, 12, par. 1, 13 and 21, par. 4 of the Regulation (see paragraph 3.1 below);

for having collected and processed the personal data of the interested parties who signed the card request form between XX and XX for direct marketing purposes on the basis of a consent not validly given and, therefore, acting in a manner that does not comply with the principle of lawfulness, correctness and transparency, in violation of Articles 5, par. 1, letter a), 6, par. 1, letter a) and 7 of the Regulation, as well as art. 130, paragraphs 2 and 3, of the Code (see paragraph 3.2 below);

for having collected and processed the personal data of the interested parties who signed the card request form between XX and XX, for the purpose of sending SMS relating to the status of the service (strikes or changes to the schedule), on the basis of a consent not validly given and, therefore, in a manner that does not comply with the principle of lawfulness, correctness and transparency, in violation of Articles 5, par. 1, letter a), 6, par. 1, letter a) and 7 of the Regulation (see paragraph 3.3 below);

for having retained the personal data of the interested parties, also processed for marketing purposes, for a period of ten years from the expiry of the last subscription, which is excessively long and disproportionate, acting in a manner that does not comply with the principle of storage limitation, in violation of art. 5, par. 1, letter e), of the Regulation (see paragraph 3.4 below);

for not having reviewed and updated, by the date on which the Regulation became applicable (25 May 2018), either the information on the processing of personal data provided to the interested parties and the card request and consent collection form, or its internal policies on data retention, acting in a manner that does not comply with the principle of accountability, in violation of art. 5, par. 2 of the Regulation (see paragraph 3.5 below).

With the same note, the aforementioned controller was invited to submit defence briefs or documents to the Guarantor, or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of Law no. 689 of 24 November 1981).

With note dated XX (prot. n. XX), the Company presented its defense statement, declaring, in particular, that:

“[the] card called “MiMuovo” [is] useful for purchasing the various travel tickets among those available, and […] is used to validate the ticket for different types of transport […]. This card is valid for 5 years at the end of which it must necessarily be replaced by users. During this period of validity of the card the user can sign up for a subscription or not; in the second case the card is inactive (there being no valid travel document associated with it) but "valid" for 5 years from its issue: this therefore allows you to subscribe to one or more season tickets in this period of time without having to request the issuance of a new “MiMuovo” card unless the 5 years have expired. [These] characteristics of the card therefore influenced the determination of the aforementioned retention time", equal to "10 years from the signing of the last subscription";

furthermore, "among the types of subscriptions offered to users, there are some that allow the customer to take advantage of favorable conditions, including variable discounts depending on the indications given in the various regional laws of reference and more in particular established by Emilia-Romagna Region which TPER must necessarily comply with. Among the various discounts provided, there are also those for the benefit of foreigners, minors and disabled people. From this it follows that TPER is subject, among others, to controls and checks regarding compliance with the rules imposed by law (including those on the quantum of discounts applied). Added to this, by virtue of the 2021-2022 Budget Law, in the case of a public transport subscription, the expense may be deducted from the tax return with the consequence that, even in these cases, there may be checks by the Deputized authorities”;

"with respect to regulatory benefits, note how some of these can be granted by the competent bodies even with retroactive scope (for example, a contribution dedicated to hydrocarbons approved with an agreement of XX was also recognized with respect to annual subscriptions purchased starting from XX) . The retroactive effectiveness of some concessions therefore prevents apparently "ordinary" records from being deleted from the systems as they could take on a different importance at a time following the issue of the season ticket";

"the above-mentioned controls and checks were necessarily taken into consideration for the purposes of defining the above-mentioned retention time, TPER having to be in possession of documentary evidence of the activities carried out as proof of compliance with the legal requirements to which it is subject as the checks by the regional authorities are subject to the limitation period of 10 years and therefore can intervene in this period of time";

“[furthermore,] […] TPER has the right to impose sanctions in the event of failure to display the title or in case of abuse in the use of the same by the user, and that, in the event of disputes or failure to display the title of the travel document, TPER can take action to recover the credit within 5 years of non-payment of the injunction order. Subsequently, if a situation of non-payment by the debtor persists, the credit is registered and the case is sent to the territorially competent Revenue Agency for the related collection, with possible subsequent litigation with the user. These credit recovery activities therefore require conservation of users' personal data even if they no longer have active subscriptions and the need for conservation may vary depending on the collection process, which could also include direct litigation in the event of contesting the sanction by the user";

therefore, the Company "believes that the 10-year conservation term that has been identified is to be considered legally correct and, more precisely, justified by the related obligations, rights and faculties of TPER";

"however, in order to improve its level of compliance and with a view to continuous improvement, TPER is carrying out further legal investigations to understand the possibility of reducing, possibly also differentiating by category of user in its systems, the retention time now applied";

“As regards the lawfulness of the consents collected by TPER up to XX, it must be considered that they can be considered valid and not forcibly extorted. Indeed, although the expression used in the printed form [...] and delivered to the interested parties as a summary of the choices expressed ("aware that failure to consent to the processing of data for the activities indicated in letters b and c will make it impossible for Tper Spa to carry them out and therefore the impossibility of accessing the services indicated above") could be unclear and misunderstandable, it did not intend to impose - and in fact has never imposed - the issuing of mandatory consent to obtain a subscription. So much so that the cards issued up to XX were not conditional on the release of marketing consent and were rightly issued also to users who had denied consent to such activities at the time of purchasing the card";

"again, that the aforementioned sentence referred to the services connected with the purposes of letters b) and c) can be shown from a reading of the Brief Information: the reference to the services refers to those reported in letters b) and c) - otherwise an expression in the singular would have been used to recall that of letter a) - mentioned in the same sentence as describing the consequences of failure to provide [...]";

"in confirmation of the foregoing, please note that the following wording was clearly shown in the form that was printed and issued to the user: "aware that the provision of data is mandatory for TPER SpA to issue the personal identification card (letter a)", meaning that the only provision of data considered mandatory (or rather, strictly necessary) was for the issuing of the MiMuovo Card and never for the pursuit of the purposes referred to in letters b) and c), which were not mentioned. This sentence is then inserted immediately before the one describing the consequences of failure to consent for the purposes of letters b) and c): it must therefore be considered clear that "impossibility of accessing the services indicated above" referred to marketing activities and the sending of SMS, which must certainly also be understood as services offered to users, if expressly requested. It is therefore requested that the sentence deemed ambiguous be read together with the one preceding it [...]";

“[...] with respect to the fulfillment of the principle of transparency, it is noted that the possibility of objecting to processing carried out for marketing purposes was already present in the Extended Information in use up to the XX and which was delivered to the customer at the time of the issue of the season ticket: this document extensively reports the rights recognized pursuant to the art. 7 of the Code in the version before the 2018 amendment (see art. 7, paragraph 4, letter b of the Code reported at the bottom of the Extended Information), including the right to object [...]";

"in light of the foregoing, it is believed that it is clear that no consent was mandatory for the purchase of the MiMuovo card or for the purchase of the season ticket. Nor could it have been otherwise as the service provided by TPER is an essential public service carried out for the benefit of the community";

"the signing of the Brief Information was intended only to confirm that the text had been read, as it was issued by the ticket office staff after the data had been entered in the system, thus allowing users to verify what is reported therein and, if necessary, to correct any errors. As mentioned, the signature is not an expression of any privacy consent. The positive and negative preferences are recorded in the systems and are also reflected within the text of the Brief Information, in letters b) and c) [...]";

"furthermore, were it otherwise, negative privacy choices by the interested parties would not be found in the TPER systems [...]";

“while awaiting the start of the […] procedure, [the Company] not only provided the new privacy information to the interested parties who signed up for the subscription by purchasing the MiMuovo card (therefore to approximately 102,033 interested parties from XX to XX), but also started structuring a campaign to send the new information to customers";

"with reference to the lawfulness of the processing carried out by sending informative SMS, [...] the Company, with a view to great attention and protection of the interested party, has limited the forwarding of such messages only to those who have an active subscription, had given consent for this purpose and were actually affected by the disservice being communicated";

the Company reiterates the "optional nature of giving this consent and [...] the possibility for the user to object, as reminded to the user in the text of the Extended Information [...]";

in any case, "the seriousness of the violation allegedly committed by TPER must be set at a minimum level. The Company, in fact, acted in absolute good faith, never moved by the intention of monetizing or profiting from the use of the personal data collected, but rather for the sole exclusive purpose of providing a good service to the community and of always improving itself in carrying out the same. ”;

“in order to reduce the impacts on interested parties, the Company has updated the privacy information in XX [...], and will send it to subscribers still active in possession of a MiMuovo card issued before the aforementioned update. Furthermore, TPER will not process the data of users whose consent was collected on the basis of the previous information, unless there is a privacy preference connected to the release of the new information in the system".

3. Outcome of the preliminary investigation.

3.1 Information on the processing of personal data.

In compliance with the principle of "lawfulness, correctness and transparency", the data controller must take appropriate measures to provide the interested party, before starting the processing, with all the information required by the Regulation in a concise, transparent, intelligible and easily accessible form, using simple and clear language (art. 5, par. 1, letter a), 12 and 13 of the Regulation; see also recitals 39 and 58 of the Regulation; see Article 29 Working Party, “Guidelines on transparency under Regulation 2016/679”, amended version adopted on 11 April 2018, WP260 rev.01).

From the documentation on file and from the declarations made during the investigation, it appears that, in this case, the card request form, used by the Company at the authorized sales points starting from XX up to the month of XX (see annex 1 to the note prot. XX of XX), referred to an information notice on the processing of data ("information annex pursuant to art. 13 Legislative Decree No. [...]") which, as stated by the Company, "is not [...] an attachment to the form but is referred to in it as it is delivered directly to the customer by the ticket office operators together with the form" (see annex 1 to protocol note no. XX of XX).

Given that, although the Regulation had already become applicable on 25 May 2018, the information notice in question mentioned provisions of the Code (see references to articles 13 and 7) no longer applicable from that date and then formally repealed by Legislative Decree no. 101 of 10 August 2018, it is noted that, contrary to the provisions of art. 13 of the Regulation, this information notice:

does not indicate the contact details of the data protection officer designated by the Company (see art. 13, par. 1, letter b), of the Regulation);

does not indicate the legal basis of the processing for each processing purpose pursued (see art. 13, par. 1, letter c), of the Regulation);

does not mention "any recipients or any categories of recipients of personal data", limiting itself to reporting that "some third parties may be appointed by TPER to collect and process your data" (see art. 13, par. 1, letter e), of the Regulation);

does not indicate the period of retention of personal data or, if this is not possible, the criteria used to determine this period (see art. 13, par. 2, letter a), of the Regulation);

does not mention the rights of the interested parties referred to in Articles 15-22 of the Regulation (see art. 13, par. 2, letter b), of the Regulation), limiting itself to reporting the text of art. 7 of the Code, in the version prior to the amendments made by Legislative Decree 101/2018, which only partially coincides with the rights provided for by the Regulation, and without indicating the methods by which these rights may be exercised;

does not mention the existence of the right to revoke consent at any time without prejudice to the lawfulness of the processing based on the consent given before the revocation (see art. 13, par. 2, letter c), of the Regulation);

does not mention the right to lodge a complaint with a supervisory authority (see art. 13, par. 2, letter d), of the Regulation).

The information in question also states that "the provision of data is mandatory for TPER SpA to issue the season ticket and/or identification card" (see also the similar wording reported in the request form of the card), without any indication regarding which specific data must necessarily be provided for the issuing of the card and the use of transport services, and which, instead, could be optionally provided in case of consent to the processing of data for other purposes of processing (see the Company's declarations regarding the fact that "mobile number and email address are optional data").

As for the statement at the bottom of the card application form, according to which "failure to consent to the processing of data for the activities indicated in letters b and c will make it impossible for TPER SpA to carry them out and therefore make it impossible to access the services indicated above", it is noted that the same appears to be unclear and misleading for the interested parties, given that, as a result of the reference to "services", it is implied that the consent to the processing of personal data for the purposes sub lett. c) and d) is necessary for the purposes of obtaining the card and taking out a season ticket.

With regard to the circumstance that, as declared during the investigation, on the Company's website "extensive information was published regarding the processing activities carried out also in different contexts and for different services", the text of which was not filed in the records during the investigation, it is noted that, in any case, this extended information notice was not mentioned in any way in the form in question, nor does it appear from the records that it had been published or made available to the interested parties at the premises of the authorized sales points.

Furthermore, again with regard to the fulfillment of the obligations of transparency towards the interested parties, it is noted that neither the contractual card request form nor the information notice on the processing of personal data made the interested party aware that he or she "has the right to withdraw his or her consent at any time" and that "the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal" (art. 7, par. 3, of the Regulation).

The Company has not even brought to the attention of the interested parties, presenting it clearly and separately from any other information, the right to object to the processing for direct marketing purposes (art. 21, par. 4, of the Regulation), having limited itself to reporting the text of the art. 7 of the Code, no longer in force.

Furthermore, it is noted that in the period between the month of XX and that of XX, the Company offered subscribers the possibility of receiving, on an optional basis, SMS "relevant [to] the service provided by TPER" (see annex 1 to the note of XX). As stated during the investigation, these SMS would be sent to "inform of any strikes or particular changes planned to the service". The information provided to the interested parties in this regard is, therefore, extremely generic, as the actual circumstances under which the interested parties could have received such SMS are not clarified, thereby compromising their ability to understand the purposes of the processing actually pursued (see art. 13, par. 1, letter c), of the Regulation).

In consideration of all of the above, it is ascertained that the Company, in the period between the month of XX and that of XX, provided the interested parties with information on the processing of personal data lacking some of the information elements required by the relevant legislation on the protection of personal data, and characterized by a lack of transparency, acting in a manner that does not comply with the principle of "lawfulness, correctness and transparency", in violation of Articles 5, par. 1, letter a), 7, par. 3, 12, par. 1, 13 and 21, par. 4, of the Regulation.

3.2 Consent to the processing of personal data for direct marketing purposes.

In compliance with the principle of accountability (Articles 5, paragraph 2, and 24 of the Regulation), the controller is required to demonstrate that the processing it carries out complies with the principle of "lawfulness, correctness and transparency" (Article 5, paragraph 1, letter a) of the Regulation), also with regard to the existence of the conditions for the validity of consent (see Articles 6, paragraph 1, letter a), and 7 of the Regulation).

With specific regard to processing carried out for direct marketing purposes, art. 130, paragraphs 1 and 2, of the Code subordinates the possibility of processing personal data "for sending advertising or direct sales material or for carrying out market research or commercial communication", through electronic communications, to obtaining the “consent of the contractor or user”.

The art. 7, par. 1 of the Regulation provides that "if the processing is based on consent, the data controller must be able to demonstrate that the interested party has given his consent to the processing of his personal data".

In order to be considered valid, the interested party's consent must, in any case, consist of a "freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" (art. 4, par. 1, n. 11) of the Regulation).

Pursuant to art. 7, par. 4, of the Regulation, "in assessing whether consent has been freely given, the utmost consideration is given to the possibility, among others, that the execution of a contract, including the provision of a service, is conditional on the provision of consent to the processing of personal data not necessary for the execution of this contract" (see cons. n. 43).

The data controller, with a view to accountability, is in any case required to respect all other principles regarding data protection, including the principle of "limitation of conservation", according to which personal data must be "kept in a form that allows the identification of interested parties for a period of time not exceeding the achievement of the purposes for which they are processed" (art. 5, par. 1, letter e), of the Regulation).

Having said this, it is noted that - even though, as declared by the Company during the investigation, it never sent communications to the interested parties for marketing purposes (i.e., as reported in the card request form, for "forwarding information material and advertising") - the methods with which the Company, in the period between the month of XX and that of XX, collected the consent of the interested parties to the processing of personal data for these purposes cannot be considered compliant with the requirements established by the legislation on the protection of personal data.

In this regard, it must be observed that the interested party's consent (see art. 6, par. 1, letter a) of the Regulation) can be considered validly given only if it is a "freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" (art. 4, par. 1, n. 11), of the Regulation).

In the present case, the freedom of consent is, however, vitiated by the circumstance that, as highlighted above, the form in question, with regard to the consequences envisaged in the event of failure to consent to the processing, reports in an ambiguous and not very transparent manner that "the failure to consent to the processing of data for the activities indicated in letters b) and c) will make it impossible for TPER SpA to carry them out and therefore the impossibility of accessing the services indicated above".

From the perspective of the interested party, it is therefore not clear whether the term "services" refers to the transport services provided by the Company or, improperly, to the promotional and information activities referred to in the aforementioned letters. b) and c) of the form. This ambiguous expression can consequently lead the interested party to believe that consent to processing is necessary in order to obtain the card and use the transport services. On the other hand, this is a non-controversial aspect, given that the Company itself has recognized in its defense brief that the wording in question is "unclear and misunderstandable".

It is noted, in this regard, that art. 7, par. 4 of the Regulation specifically provides that "in assessing whether consent has been freely given, maximum consideration is given to the possibility, among other things, that the execution of a contract, including the provision of a service, is conditional on provision of consent to the processing of personal data not necessary for the execution of the contract". The fact that the Company has proposed the giving of the consent in question as a condition for being able to use its services does not, therefore, allow it to be considered as freely given (see provisions of 15 December 2022, no. 431, doc . web no. 9856345; 12 June 2019, no.

Nor can the Company's defence argument be accepted, according to which it never actually denied the provision of the service to users who had not given consent to the processing of their data for the purposes under letters b) and c). The charge made against the Company concerns, in fact, exclusively the conditioning suffered by users at the time consent was requested - who may have been induced to give it out of fear of not being able to use all or part of the transport services - and not the actual failure to provide the service to users who denied consent. In other words, this conditioning took place regardless of the Company's subsequent correct fulfillment of the obligations connected with the provision of the public transport service. This is also due to the strong and early protection that must be guaranteed to the right to data protection as a fundamental right.

Nor can the argument be accepted that the reference to the "services indicated above" in the card request form ("Aware that failure to consent to the processing of data for the activities indicated in letters b and c will make it impossible for TPER SpA to carry them out and therefore make it impossible to access the services indicated above") should be understood as referring not to the transport services but to the activities under letters b) and c). The activities under letters b) and c) (market research, surveys, participation in promotional initiatives, sending of advertising material, etc.) cannot be equated with services rendered to the user. From the user's perspective, therefore, the wholly generic reference to the "above services", within a formulation that the Company itself described as "unclear and open to misunderstanding", could only be understood as a reference to the transport services rendered by the Company.

Nor is it decisive that the form informed users that "the provision of data is mandatory for TPER SpA to issue the personal identification card (letter a)". Having been led to consent to the purposes under letters b) and c) by the risk of being unable to access the transport services, users would in any case have perceived the provision of all the data requested by the Company as necessary. Furthermore, as already noted in paragraph 3.1, neither the contract form nor the privacy notice gave any indication of which data were optional (see the Company's statement that "mobile number and email address are optional data", which is not reflected in the forms used).

As for the fact that users had been informed, in the notice provided together with the form, of their right to object to the processing of data "for the purposes of sending advertising material or direct sales or for carrying out market research or commercial communication", it is noted that the right to object is exercised by data subjects with regard to processing already being carried out by the controller (see art. 18 of the Regulation). The Company's argument is therefore irrelevant to the question of whether the consent requested from data subjects at the time of collection was freely given (see art. 21, par. 3, of the Regulation, under which "where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes").

With specific regard to the processing purpose under letter b) of the form, the data subject's freedom of consent was further compromised by the fact that the expression of consent was also ambiguously extended to processing carried out for the purposes of "participation in any promotional initiatives linked to the purchase of personal annual subscriptions TPER SpA, including prize competitions" (letter b) of the form). Where the data subject joins such an initiative, that processing finds its legal basis in the need to perform a contract to which the data subject is party, namely the terms and conditions governing each initiative (see art. 6, par. 1, letter b), of the Regulation). The data subject could therefore be induced to give a single consent for different processing purposes, their will being conditioned by the fear that, without the requested consent, they would be unable to take part in the promotional initiatives launched by the Company, including prize competitions.

Nor can the data subject's consent be considered adequately informed, given that, as set out in paragraph 3.1, the Company did not clearly inform data subjects that the processing of personal data for marketing purposes was based on their optional consent and that refusing consent would in no way prejudice the possibility of obtaining the card and taking out the subscription. Furthermore, data subjects were not informed that consent could be freely withdrawn at any time, by objecting to further processing, without affecting the lawfulness of the processing carried out on the basis of the consent previously given (see articles 7, par. 3, 13, par. 2, letter c), and 21, par. 2 of the Regulation).

In light of the above, the consent of data subjects to the processing of their personal data for marketing purposes cannot be considered valid, as it was neither free, nor specific, nor adequately informed.

Nor is it relevant, in this regard, that, as the Company declared during the investigation, the personal data of the data subjects who gave the consent in question have to date been processed solely to measure customer satisfaction and not also for direct marketing purposes. The collection and storage of the data in question are in themselves processing operations, which must be supported by all the safeguards provided for by data protection law, including an appropriate legal basis.

For all the reasons set out above, the processing for marketing purposes of the personal data of the data subjects who signed the card request form between XX and XX took place on the basis of consent that was not validly given and, therefore, in a manner inconsistent with the principle of "lawfulness, fairness and transparency", in violation of articles 5, par. 1, letter a), 6, par. 1, letter a), and 7 of the Regulation, as well as art. 130, paragraphs 2 and 3, of the Code.

3.3 Consent to the processing of personal data for the sending of SMS relating to the transport service.

Between XX and XX, the Company offered data subjects the possibility of receiving, subject to prior consent, SMS "relevant to the service provided by TPER" (see the notice on the processing of personal data in annex 1 to note no. XX of XX, with particular reference to the processing purpose under letter c)).

As stated during the investigation, these SMS were sent to "inform of any strikes or particular changes planned to the service".

In this regard, given what was highlighted in paragraphs 3.1 and 3.2 concerning the generic nature of the information provided to data subjects on the specific purposes pursued by sending such SMS, and the absence of any indication that consent was optional (with no consequences for the possibility of obtaining the card and taking out the subscription), that consent cannot be considered free and informed.

Consequently, and in close connection with the violation set out in paragraph 3.2, the processing of the personal data of the data subjects who signed the card request form between XX and XX for the purpose of sending SMS relating to the service provided (strikes or changes to the timetable), which the Company itself presented to data subjects as optional processing, likewise took place on the basis of consent that was not validly given and, therefore, in a manner inconsistent with the principle of "lawfulness, fairness and transparency", in violation of articles 5, par. 1, letter a), 6, par. 1, letter a), and 7 of the Regulation.

3.4 The period of retention of personal data.

With regard to the personal data of users acquired on the basis of express consent for the purposes under letters b) and c) of the subscription form used from XX to XX, the Company declared that "the data of the subjects requesting the subscription (mobile number and email address are optional data) were collected first of all for the purpose of performing the transport contract (and therefore issuing the season ticket) and to better provide the transport service (possibly notifying the subject in the event of significant events concerning the service). These data are kept for a period of 10 years following the expiry of the last subscription" (note prot. no. XX of XX).

In particular, "the purpose under b) constituted an ancillary purpose [...], which included customer satisfaction activities [...] and marketing purposes" and, for this purpose, "the data [...] are kept for the same duration as above [i.e. ten years from the expiry date of the last subscription] unless consent is revoked" (ibidem).

Such an extended retention period for personal data (ten years from the expiry date of the last subscription) cannot be considered proportionate.

In light of the principle of accountability and the "general responsibility" resting on the controller (see articles 5, par. 2, and 24 of the Regulation; see also recital 74 of the Regulation), the Company should have defined specific and appropriate retention periods also for data processed for marketing purposes, for measuring customer satisfaction and for sending service communications, and should have been able to justify its choices. In this regard, as recently reiterated by this Authority, "the Garante's provision of 24 February 2005, "Fidelity cards" and guarantees for consumers, although no longer binding, is to be considered still applicable as a guideline, and so therefore are the time limits provided for therein (24 months for data relating to marketing; 12 months for data relating to profiling). Furthermore, while the principle of accountability is to be valued, also with reference to the delicate matter of data retention, one certainly cannot conclude that a controller, on the basis of that principle, which must be reconciled with the other fundamental principles of the Regulation, may depart excessively from the aforementioned provisions without violating the principle of storage limitation (see art. 5, par. 1, letter e) of the Regulation). For example, it is considered inappropriate to retain marketing data until the date on which consent to processing is withdrawn pursuant to art. 7 of the Regulation, also considering that the data subject might never change their mind or might leave it unchanged for years" (provision of 18 July 2023, no. 321, web doc. no. 9920942; see also provision of 8 June 2023, web doc. no. 9909907;

The Company, however, retained all the personal data of card holders for a single and disproportionate retention period of ten years from the expiry date of the last subscription, without adequately demonstrating the need for such prolonged storage of the data it regards as optional, which serve the purposes under letters b) and c) of the card application form.

Moreover, the Company itself declared that "further legal investigations are underway to understand the possibility of reducing, possibly even differentiating users in its systems, the retention time now applied", which shows that this assessment was not adequately carried out in the past, since the Company did not establish ex ante the retention periods for each specific processing purpose and each different context.

Having set a single and disproportionate retention period of ten years from the expiry date of the last subscription, even for processing for marketing purposes, the Company acted in a manner inconsistent with the principle of "storage limitation", in violation of art. 5, par. 1, letter e), of the Regulation (see also art. 25, par. 2, of the Regulation).

3.5 Compliance with the principle of accountability.

Under the legal framework established by the Regulation, the controller is responsible for ensuring compliance with the basic data protection principles and must be able to demonstrate that compliance.

The fact that the Company, which serves a user base of significant size, had not reviewed and updated by the date on which the Regulation became applicable (25 May 2018) either the privacy notice provided to data subjects, the card application form and consent collection, or its internal policies on data retention, with the consequent violation of the principles of "lawfulness, fairness and transparency" and "storage limitation", demonstrates the Company's substantial negligence in fulfilling its obligations under the Regulation and the Code and in complying with the principle of accountability, and therefore results in a violation of art. 5, par. 2 of the Regulation (also with reference to art. 24 of the Regulation).

4. Conclusions.

In light of the above assessments, it is noted that the statements made by the controller during the investigation, for the truthfulness of which it may be held liable pursuant to art. 168 of the Code, although worthy of consideration, do not overcome the findings notified by the Office in the act initiating the proceedings and are insufficient to allow the dismissal of these proceedings, since, moreover, none of the cases provided for by art. 11 of the Garante's Regulation no. 1/2019 applies.

It is also noted that, in determining the applicable rule from a temporal point of view, reference must be made to the principle of legality set out in art. 1, paragraph 2, of Law no. 689/1981, which provides that "the laws that provide for administrative sanctions apply only in the cases and for the periods considered therein". This requires account to be taken of the provisions in force at the time the violation was committed, which in the present case, given the continuing nature of the contested offence, must be identified as the time the unlawful conduct ceased, which occurred after 25 May 2018, the date on which the Regulation became applicable, and after Legislative Decree no. 101 of 10 August 2018 entered into force. In the present case, the personal data of the data subjects, although collected before the Regulation became applicable (25 May 2018), were still being processed by the Company on the date on which it was notified of the administrative violation. The provisions of the Regulation and the Code, in the text currently in force, therefore apply.

The Office's preliminary assessments are therefore confirmed and the unlawfulness of the processing of personal data carried out by the Company is established, for having processed the personal data of the data subjects in violation of articles 5, par. 1, letters a) and e), and par. 2, 6, par. 1, letter a), 7, 12, par. 1, 13 and 21, par. 4 of the Regulation, as well as art. 130, paragraphs 2 and 3, of the Code.

Since the multiple violations of the aforementioned provisions arose from a single conduct (the same processing or linked processing operations), art. 83, par. 3 of the Regulation applies, under which the total amount of the administrative fine shall not exceed the amount specified for the gravest violation. Since, in the present case, all the violations are subject to the administrative fine provided for by art. 83, par. 5 of the Regulation, as also referred to in art. 166, paragraph 2, of the Code, the total fine may be up to 20,000,000 euros or, for undertakings, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Since the Company's total annual turnover for 2022 was 219,377,426.00 euros, the total fine may be up to 20,000,000 euros.

5. Corrective measures (art. 58, par. 2, letters d) and f) of the Regulation).

Art. 58, par. 2 of the Regulation gives the Garante the power to "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period" (letter d), to "impose a temporary or definitive limitation including a ban on processing" (letter f), and to "order the rectification or erasure of personal data or restriction of processing [...]" (letter g).

On the basis of what emerged from the investigation in relation to the collection and processing, between XX and XX, of the personal data of the data subjects on the basis of consent that was not validly given, it is necessary, pursuant to art. 58, par. 2, letters d), f) and g), of the Regulation, to:

impose a ban on processing the personal data of data subjects for marketing purposes and for sending communications on the status of the transport service on the basis of consent invalidly acquired between XX and XX, without prejudice to the Company's ability to send any other communication that is necessary to comply with a legal obligation (art. 6, par. 1, letter c) of the Regulation) or to perform the subscription contract (art. 6, par. 1, letter b), of the Regulation);

order the Company to provide data subjects with the new privacy notice it has prepared, making it available on its institutional website, at its headquarters and at its points of sale, as well as providing it individually to each data subject at the first available contact.

Pursuant to articles 58, par. 1, letter a), of the Regulation and 157 of the Code, the Company must also communicate to this Authority, with adequately documented feedback, within thirty days of notification of this provision, the initiatives undertaken to implement the measures ordered pursuant to art. 58, par. 2, letter f), as well as any measures adopted to ensure that the processing complies with personal data protection law.

6. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; article 166, paragraph 7, of the Code).

The Garante, pursuant to articles 58, par. 2, letter i) and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose an administrative fine pursuant to Article 83, in addition to, or instead of, [the other corrective] measures referred to in this paragraph, depending on the circumstances of each individual case" and, in this framework, "the Board [of the Garante] adopts the injunction order, by which it also provides for the application of the accessory administrative sanction of its publication, in full or in extract, on the Garante's website pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Garante's Regulation no. 1/2019).

In this regard, taking into account art. 83, par. 3 of the Regulation, in the present case the violation of the cited provisions is subject to the administrative fine provided for by art. 83, par. 5, of the Regulation.

The amount of the fine, imposed depending on the circumstances of each individual case, must be determined with due regard to the elements provided for by art. 83, par. 2, of the Regulation.

With specific regard to the nature and gravity of the violation and the sensitivity of the data affected (art. 83, par. 2, letter a), of the Regulation), account was taken of the high number of data subjects whose data were processed ("approximately 2,000" data subjects have been contacted since 2006 for the purpose of measuring customer satisfaction, and SMS on the service status have been sent on average to "approximately 40,000 contacts" for each sending) and of the extended period (from XX to XX) during which the Company used forms that did not comply with data protection law.

On the other hand, account was taken of the fact that the Company, which provides a public service, declared, assuming responsibility also pursuant to art. 168 of the Code, that it has never sent marketing communications to data subjects, having only carried out activities to measure customer satisfaction, and that it therefore obtained no economic advantage from the processing carried out. Furthermore, the Authority has received no complaints concerning unsolicited marketing communications sent by the Company.

With regard to the categories of personal data affected by the violation (art. 83, par. 2, letter g) of the Regulation), it is noted that the violation did not concern special categories of personal data (art. 9 of the Regulation) or data relating to criminal convictions and offences (art. 10 of the Regulation), even though it involved a large number of data subjects and a lengthy period of non-compliance.

In light of these circumstances, the level of seriousness of the violation committed by the controller is considered low in the present case (see European Data Protection Board, "Guidelines 04/2022 on the calculation of administrative fines under the GDPR" of 23 May 2023, point 60).

Considering, as mitigating circumstances, that the Company has committed no previous relevant violations in the same context (art. 83, par. 2, letter e), of the Regulation) and that it cooperated to a high degree during the investigation, taking prompt action to review its forms and internal policies on the basis of the Authority's findings (art. 83, par. 2, letter f), of the Regulation), it is considered that a fine of 50,000 (fifty thousand) euros for the violation of articles 5, par. 1, letters a) and e), and par. 2 (also with reference to art. 24), 6, par. 1, letter a), 7, 12, par. 1, 13 and 21, par. 4, of the Regulation, as well as art. 130, paragraphs 2 and 3, of the Code, is, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

Taking into account that the Company committed the aforementioned violations despite the numerous measures adopted over time by the Authority, both in general provisions and in decisions on specific cases, concerning the correct methods of collecting data subjects' informed consent to the processing of personal data for marketing purposes, and given the large number of data processed unlawfully, it is also considered that the accessory sanction of publication of this provision on the Garante's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Garante's Regulation no. 1/2019, should be applied.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

IN VIEW OF THE ABOVE, THE GARANTE

declares, pursuant to art. 57, par. 1, letter f), of the Regulation, the unlawfulness of the processing carried out by Trasporto Passeggeri Emilia-Romagna S.p.A. for violation of articles 5, par. 1, letters a) and e), and par. 2, 6, par. 1, letter a), 7, 12, par. 1, 13 and 21, par. 4 of the Regulation, as well as art. 130, paragraphs 2 and 3, of the Code, within the terms set out in the reasoning;

ORDERS

Trasporto Passeggeri Emilia-Romagna S.p.A., in the person of its legal representative pro tempore, with registered office in Via di Saliceto, 3 - 40128 Bologna (BO), C.F. 03182161202, to pay the sum of 50,000 (fifty thousand) euros as an administrative fine for the violations indicated in the reasoning. It is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, is entitled to settle the dispute by paying, within 30 days, an amount equal to half the fine imposed;

ENJOINS

the aforementioned Company:

to pay the sum of 50,000 (fifty thousand) euros, in the event that the dispute is not settled pursuant to art. 166, paragraph 8, of the Code, in the manner indicated in the annex, within thirty days of notification of this provision, failing which the consequent enforcement measures will be adopted pursuant to art. 27 of Law no. 689/1981;

pursuant to art. 58, par. 2, letters f) and d), of the Regulation:

the ban on processing the personal data of data subjects for marketing purposes and for sending communications on the status of the transport service on the basis of consent invalidly acquired between XX and XX, without prejudice to the Company's ability to send any other communication that is necessary to comply with a legal obligation (art. 6, par. 1, letter c), of the Regulation) or to perform the subscription contract (art. 6, par. 1, letter b), of the Regulation);

the erasure without delay of those data, except for those which must be kept to comply with a legal obligation or for contractual reasons;

to provide all data subjects with the new privacy notice prepared by the Company, making it available on its institutional website, at its headquarters and at its points of sale, as well as providing it individually to each data subject at the first available contact;

pursuant to art. 157 of the Code, to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken to implement the measures imposed; failure to comply with this point may result in the application of the administrative fine provided for by art. 83, par. 5, of the Regulation.

DIRECTS

the publication of this provision on the Garante's website pursuant to art. 166, paragraph 7, of the Code (see art. 16 of the Garante's Regulation no. 1/2019);

the annotation of this provision in the Authority's internal register of violations and of measures adopted pursuant to art. 58, par. 2 of the Regulation, provided for by art. 57, par. 1, letter u), of the Regulation (see art. 17 of the Garante's Regulation no. 1/2019).

Pursuant to articles 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, on pain of inadmissibility, within thirty days of the date of communication of the provision or within sixty days if the appellant resides abroad.

Rome, 22 February 2024

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE SECRETARY GENERAL
Mattei