Garante per la protezione dei dati personali (Italy) - 9996588: Difference between revisions

Latest revision as of 11:50, 3 April 2024

Garante per la protezione dei dati personali - 9996588

Authority:	Garante per la protezione dei dati personali (Italy)
Jurisdiction:	Italy
Relevant Law:	Article 12(3) GDPR Article 15 GDPR Article 3 of Law No. 689/1981
Type:	Complaint
Outcome:	Upheld
Started:	06.10.2020
Decided:	08.02.2024
Published:
Fine:	5,000. EUR
Parties:	WiPlanet sas di Torri Carlo Alberto
National Case Number/Name:	9996588
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Italian
Original Source:	Garante (in IT)
Initial Contributor:	im

The DPA fined a controller €5,000 and found that the failure to reply to an access request cannot be justified by general and vague circumstances, such as the COVID-19 pandemic emergency.

English Summary

Facts

The data subject submitted an access request pursuant to Article 15 GDPR to Wi-Planet sas di Torri Carlo Alberto (‘controller’) after the termination of a commercial contract. The controller did not provide an information on action taken on the request pursuant to Article 12(3) GDPR.

The data subject complained with the DPA which invited the controller to provide observations. The controller responded to the request and justified the failure to provide information earlier with the ongoing pandemic emergency which lead to organizational difficulties. However, in its response the controller indicated only the type of data collected without providing details.

Holding

The DPA established that the controller’s argument regarding the unfavourable pandemic situation could not be considered a valid ground for the exclusion of its liability. Firstly, such statement is very vague as its not supported by appropriate element.

Secondly, the conduct is of omissive nature. For this reason, the exemption of liability cannot apply based on good faith. Article 3 of Law No. 689/1981 suggests that such exemption can only apply when certain conditions are met. One of the conditions for good faith exemption to be applicable is the presence of a positive element leads to the infringer to believe int he lawfulness of their actions. However, it seems that this positive element is lacking in the situation under consideration.

The DPA took account of the technical and organizational measures the controller put in place to facilitate the exercise of the rights of the data subjects. However, the controller failed to inform the data subject of the specific data processing, thus preventing them from concretely verifying the correctness and accuracy of the data processed.

For these reasons, the DPA decided that the controller’s failure to respond to the access request was unlawful pursuant to Article 12(3) and 15 GDPR. The DPA found that the infringement cannot be regarded as ‘minor’ as the conduct affected the exercise of data subject§s rights. As a result, the controller was ordered to comply with the access request according to Article 15 GDPR and fined in the amount of €5,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9996588]

Provision of 8 February 2024

Register of measures
n. 64 of 8 February 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and Dr. Claudio Filippi, deputy general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter “Code”) as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";

GIVEN the complaint presented by Mr. XX dated 06/10/2020, regularized on 21/12/2020, pursuant to art. 77 of the Regulation, with which a violation of the regulations regarding the protection of personal data by Wi-Planet Sas di Torri Carlo Alberto e C. was complained;

GIVEN the observations made by the deputy general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000;

SPEAKER prof. Pasquale Stanzione;

PREMISE

1. The complaint and the preliminary investigation.

With the complaint presented to this Authority on 06/10/2020, regularized on 21/12/2020, Mr. XX represented that it had formulated on 07/03/2020, against Wi-Planet sas di Torri Carlo Alberto and c. (hereinafter "the Company"), an application pursuant to art. 15 of the Regulation with reference to the processing of personal data collected by the Company upon the stipulation of a commercial contract.

The request, duly notified to the Company's certified email address, was not found within the deadlines set by the art. 12, par. 3 of the Regulation.

With the note dated 05/14/2021, the Office invited the Company to provide observations regarding what was represented in the complaint and to comply with the complainant's requests.

The Company, with a note dated 05/31/2021, preliminarily declared that "the email [of the complainant] actually escaped the administration of this Company, albeit due to a mere error due, despite ourselves, to the organizational difficulties caused by the ongoing pandemic emergency".

As for the data being processed, given that they had been collected on the occasion of signing a contract which, therefore, constitutes a prerequisite for the lawfulness of the processing carried out, the Company limited itself to indicating the type (i.e. name, surname, address, code tax, telephone number, e-mail and bank details), without however providing the details.

Furthermore, the purposes of the processing and the storage times were indicated, specifying that, at the end of the periods of time indicated, "the customer's data will be definitively deleted, no longer remaining available to the undersigned".

The Company also specified that the data collected were not communicated to third parties, but only to those within the company in charge of managing invoicing, payments and outstanding debts, as well as to the technical sector "for any maintenance interventions" and to the commercial sector "for the sole purpose of communicating to the customer any improvements and/or upgrades to the services already active".

2. The initiation of the proceedings.

In light of the above, the Office notified the Company of the initiation of the sanctioning proceedings, pursuant to art. 166, paragraph 5, of the Code in relation to the violation of articles. 12, par. 3, and 15 of the Regulation (note dated 06/24/2021).

The Company, with the note dated 07/23/2021, sent its defense writings, pursuant to art. 18 of law no. 689/1981, with which he reiterated that "the failure of the undersigned to respond to the request pursuant to Article 15 received from the complainant, [has] occurred (...) due to a mere administrative error due to the organizational difficulties suffered due to the ongoing pandemic emergency ”.

The seriousness of the violation, assessed "together with the brevity of its duration and the involvement of only one interested party, whose data were lawfully processed, also from the point of view of proportionality, due to the existence of a contract between the parties, can be said very limited, thus strengthening the idea of Wiplanet's very slight guilt".

Finally, with reference to the "measures implemented to remedy the violation and mitigate its consequences, steps have been taken (...) to provide - immediately after becoming substantially aware of them - the widest possible feedback to the interested party, as well as to this Authority (…)”.

The Company communicated, on 11/13/2023, that it intended to waive the hearing initially requested "due to the lack of new elements in the case".

3. The outcome of the investigation.

Upon examination of the documentation produced and the declarations made by the party during the proceedings, given that, unless the fact constitutes a more serious crime, anyone, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents and is liable pursuant to art. 168 of the Code, it emerged that the Company, in response to the request to exercise the rights made by the complainant on 03/07/2020, did not provide any feedback.

Preliminarily, it is noted that the art. 15 of the Regulation recognizes the interested party's right to obtain confirmation from the data controller that data concerning him or her is being processed and, consequently, obtain access to such data and the information listed in letters a) - h ) of the same article.

It should also be noted that the art. 12 of the Regulation provides that the data controller provides the interested party with access to their data and all the information requested pursuant to the articles. 15 et seq. of the Regulation "without unjustified delay and, in any case, at the latest within one month of receipt of the request".

Within the same period, if the data controller deems it necessary to apply the expected two-month extension due to "the complexity and number of requests", it must inform the interested party, indicating the reasons; “if the data controller does not comply with the data subject's request, he/she will inform the data subject without delay, and at the latest within one month of receiving the request, of the reasons for non-compliance and of the possibility of lodging a complaint with a supervisory authority and to lodge a judicial appeal".

On the basis of the provisions mentioned above, it is therefore ascertained that the Company, as data controller, did not provide feedback to the applicant's request, also regarding the reasons for non-compliance, in violation of the provision of art. 12 of the Regulation.

The Company indicated, as the main reason for non-compliance, the material error it allegedly incurred and (generic) organizational difficulties.

In this regard, it is highlighted that this argument cannot be taken as a valid reason for excluding the party's liability, not only due to the generic nature of the declaration (which is not supported by suitable elements), but also due to the omissive nature of the conduct.

In fact, the good faith exemption referred to in art. 3 of law no. 689/1981 occurs only in the presence of a positive element, extraneous to the author of the violation, such as to generate the conviction of the lawfulness of his action, in addition to the condition whereby the author has done everything possible to comply with the law and that no reproach can be leveled against him (see, among others, Civ. Sez. lav. 12 July 2010 n. 16320).

In any case, the fact that the Company has declared that it has put in place technical and organizational measures aimed at facilitating the exercise of the rights of interested parties, indicating an internal contact person responsible for managing access requests, must be positively evaluated.

It should also be noted that, in the response provided following the invitation to join, the Company failed to immediately communicate the specific data being processed, limiting itself to indicating the type of data processed (such as name and surname, address and -email and bank details, etc.), thus preventing the instant from concretely verifying the correctness and accuracy of the data being processed.

In fact, as indicated by art. 15 of the Regulation, the interested party has "the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her are being processed" and consequently, and if so, the right "to obtain the access to the data” themselves and to further information.

4. Conclusions: illegality of the treatments carried out.

In light of the previous assessments, it is noted that the declarations made by the data controller in the defense writings ˗ the truthfulness of which can be called upon to respond pursuant to art. 168 of the Code ˗ do not allow the findings notified by the Office to be overcome with the act of initiating the proceedings and are insufficient to allow them to be archived, as, moreover, none of the cases provided for by the art. 11 of the Guarantor's regulation no. 1/2019, concerning the internal procedures of the Authority with external relevance.

The processing carried out by the Company, consisting in the failure to respond to the request to exercise the complainant's rights, is unlawful in the terms set out above, in relation to the articles. 12, par. 3 and 15 of the Regulation.

The ascertained violation cannot be considered "minor", taking into account the nature of the violation which concerned the exercise of rights, the gravity and duration of the same, the degree of responsibility and the way in which the Authority became aware of of the violation (Cons. 148 of the Regulation).

For the above reasons, therefore, the complaint presented pursuant to art. is declared founded. 77 of the Regulation and, in the exercise of the corrective powers attributed to the Authority pursuant to art. 58, par. 2, of the Regulation:

- the Company is ordered to respond to the request to exercise the rights formulated by the complainant, in relation to the personal data relating to him, of which he is still in possession;

- the application of a pecuniary administrative sanction is ordered pursuant to art. 83, par. 5, of the Regulation.

5. Order of injunction.

The Guarantor, pursuant to art. 58, par. 2, letter. i) of the Regulation and of the art. 166 of the Code, has the power to inflict a pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation, through the adoption of an injunction order (art. 18. L. 24 November 1981 n. 689), in relation to the processing of personal data relating to the complainant, whose illegality has been ascertained, within the terms set out above.

With reference to the elements listed in the art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must be "effective, proportionate and dissuasive in each individual case" (art. 83, paragraph 1 of the Regulation), it is represented that, in the specific case, the circumstances reported below were taken into consideration:

- with regard to the nature, gravity and duration of the violation, the nature of the violation which concerned the provisions relating to the exercise of the rights of the interested parties was considered relevant; as well as the fact that the violation continued for a long period of time (approximately 10 months) and that the feedback provided is still only partial;

- the absence of previous relevant violations committed by the data controller;

- the degree of cooperation provided by the Company during the procedure, the fact that the violation concerned only one interested party and the adoption of measures aimed at facilitating requests to exercise the rights of the interested parties.

In consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness (art. 83, paragraph 1, of the Regulation) which the Authority must comply with in determining the amount of the sanction, the economic conditions of the offender were taken into consideration, determined based on the revenues achieved and referred to the financial statements for the year 2020.

On the basis of the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction in the amount of 5,000.00 (five thousand) euros for the violation of the articles. 12 and 15 of the Regulation.

In this context, also in consideration of the type of violation ascertained, which affected the rights of the interested party, it is believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's regulation no. 1/2019, this provision must be published on the Guarantor's website.

Finally, it is noted that the conditions set out in art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THE WHEREAS, THE GUARANTOR

declares, pursuant to articles. 57, par. 1, letter. f) and 83 of the Regulation, the illegality of the processing carried out, within the terms set out in the motivation, for the violation of the articles. 12, par. 3. and 15 of the Regulation;

ORDER

pursuant to art. 58, par. 2, letter. i), of the Regulations to WiPlanet sas di Torri Carlo Alberto, in the person of the legal representative pro tempore, with registered office in Viterbo, via della Chimica snc, P.I. 02017450566, to pay the sum of 5,000.00 (five thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision;

pursuant to art. 58, par. 2, letter. c), of the Regulation to WiPlanet sas di Torri Carlo Alberto, to satisfy the request to exercise the right of access by the interested party to the data still in possession of the company, within 30 days of receipt of this provision;

ORDERS

to the same Company to pay the sum of 5,000.00 (five thousand) euros according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of law no. 689/1981.

We represent that pursuant to art. 166, paragraph 8 of the Code, the right remains for the violator to settle the dispute through the payment - always according to the methods indicated in the annex - of an amount equal to half of the sanction imposed within the deadline referred to in the art. 10, paragraph 3, of the legislative decree. lgs. n. 150 of 1 September 2011 provided for the filing of the appeal as indicated below.

HAS

pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's regulation no. 1/2019, the publication of this provision on the Guarantor's website and believes that the conditions set out in the art. 17 of regulation no. 1/2019.

Requires the company to communicate the initiatives undertaken to implement the provisions of this provision and to provide adequately documented feedback, pursuant to art. 157 of the Code, within 40 days from the date of notification of this provision; any failure to respond may result in the application of the administrative sanction provided for by the art. 83, par. 5, letter. e), of the Regulation.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 8 February 2024

PRESIDENT
Stantion

THE SPEAKER

THE DEPUTY SECRETARY GENERAL
Philippi