Garante per la protezione dei dati personali (Italy) - 9996609: Difference between revisions

From GDPRhub

Revision as of 15:11, 27 March 2024

Garante per la protezione dei dati personali - 9996609
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 4(11) GDPR; Article 5 GDPR; Article 7 GDPR; Article 12 GDPR; Article 13 GDPR; Article 24 GDPR; Article 25 GDPR; Article 28 GDPR
Type: Complaint
Outcome: Upheld
Started: 23.08.2021
Decided: 08.02.2023
Published:
Fine: n/a
Parties: Maggioli S.p.A.
National Case Number/Name: 9996609
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante Per La Protezione Dei Dati Personali (in IT)
Initial Contributor: lm

The DPA found that a controller violated transparency and processing oversight obligations in using cookies on several websites, and determined that using an ‘X’ rather than a ‘reject’ button is permissible when its effect is explained in the cookie banner.

English Summary

Facts

In August 2021, several data subjects represented by noyb (European Centre for Digital Rights) filed complaints against Maggioli S.p.A. (controller) concerning its use of cookies and other tracking tools. The complaint alleged several violations across a number of the controller’s webpages, including the absence of a reject button at the first layer of the cookie banner, the use of pre-ticked boxes at the second layer, and the improper reliance on legitimate interest as a legal basis for processing via cookies.

The Italian DPA (Garante) carried out an investigation. During its investigation, it noted that the controller contracted with OneTrust (processor), a service that classified cookies and reported them in the controller’s cookie banner and cookie policy. Notably, only the processor could directly modify the cookie banner and cookie policy. The Garante also observed that the controller used only technical, non-tracking cookies. The processor, however, had erroneously attributed third parties’ tracking cookies that were on the controller’s webpage to the controller.

On 30 May 2023, the DPA notified the controller of the alleged violations and that it was initiating the procedure pursuant to Article 166(5) of the Code on Protection of Personal Data. On 29 June 2023, the controller replied with a defensive brief. It noted that, upon discovering the processor’s erroneous cookie categorizations, the controller requested that the error be corrected. When the processor failed to do so in breach of their contract, the controller withdrew from the contract and entered into an agreement with a new supplier to alter the cookie banner. The controller also argued that the failure to inform users about the meaning of the X had not resulted in any violation because the controller only used technical non-tracking cookies.

Holding

The Garante found that the controller’s conduct breached Articles 4(11), 5, 7, 12, 13, 24, 25, and 28 GDPR as well as Article 122 of the Code. The DPA focused on three core issues with the controller’s processing.

First, the controller failed to indicate the meaning of the command marked by the ‘X’ graphic in the cookie banner. The Garante considered this a violation of Articles 5(1)(a), 12 and 13 GDPR because it failed to provide data subjects the fullest possible awareness regarding the processing of their personal data and choices they are entitled to make under the law.

Second, the Garante found that the controller violated Articles 4(11) and 7 GDPR by erroneously citing legitimate interest as its legal basis for processing via cookies when such processing requires consent as a legal basis. The Garante noted, however, that the controller only actually relied on legitimate interest as a legal basis for its own use of cookies, which were technical and non-tracking. As technical cookies do not require user consent, the Garante found that, although the cookie banner stated the incorrect legal basis, the controller's own processing in fact complied with the rules and did not harm data subjects. Nonetheless, the erroneous naming of legitimate interest as the legal basis in the cookie banner was unlawful under Articles 5(1)(a), 12 and 13 GDPR because it misled consumers.

Finally, the Garante noted that the relationship between the controller and processor, and namely the controller’s inability to modify the cookie banner and cookie policy, resulted in violations of Articles 24, 25, and 28 GDPR. It emphasized that Articles 24 and 25 GDPR impose a responsibility on the controller to oversee processing and guarantee that processor activities comply with the GDPR.

In light of these violations, the Garante issued a warning, deciding not to impose a fine. It took into account the controller’s changes to banners following receipt of noyb’s complaints, the lack of harm to users’ data since the controller itself only used technical cookies, the lack of fraudulent intent, the withdrawal from the contract with its supplier after it failed to comply with the controller’s requests, the cooperation with the DPA, and the lack of further complaints.

Comment

‘X’ button: The Garante concluded that the ‘X’ function was sufficient where the cookie banner defined the effect of clicking ‘X.’ The issue thus was not the use of the ‘X’ (as opposed to something like a ‘reject’ button), but rather the lack of explanation within the cookie banner. In coming to this conclusion, the Garante rejected the data subjects’ arguments that a mere ‘X’ somewhere on the cookie banner was insufficient and a ‘reject’ button was required.

Cookie usage: The Garante noted that the controller did not itself use profiling cookies. As a result, it found that the controller itself only resorted to the legal basis of legitimate interests in relation to this use of technical cookies, which is a proper legal basis for such cookies, and thus did not harm consumers. Notably, third parties do use tracking cookies to carry out profiling on the controller’s webpage. By concluding that the controller itself processed data in compliance with the Garante’s Guidelines, the DPA implicitly determined that the controller is not responsible for third party cookies that are used on its webpage.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

decisions taken regarding the point subject to reservation. The company did so with a
communication sent to the Guarantor on 30 January 2023.
2.2. The Company's business model and related processing, including in its dealings
with the complaining association.
The Maggioli group was born in the field of traditional publishing (print and
volume marketing), but in the last fifteen years or so it has expanded its business,
orienting itself more, for a predominant part of its operations, towards the ICT
sector, with the main objective of providing the skills and solutions necessary for the
digital transition of the public sector. The Company is divided into three main areas: ICT
(IT business unit), Digital Publishing and Central Staff Services. The latter are further divided into 9
areas (administrative, commercial, compliance, privacy, etc.). The Company currently owns
47 Internet domains, some of which are accessible both by authenticated users and by users who
do not have accounts and login credentials. In recent months, about a dozen sites have
been discontinued or, in some cases, merged due to specific entrepreneurial choices: there were
therefore about 60 more than a year ago.
In May 2021, ten of them were the subject of discussions with the Austrian non-profit
association Noyb, which sent individual complaints via email relating to alleged illegalities
in the implementation, by the company, of the provisions regarding the use of cookies and
other tracking tools.
The company responded to the findings through the dedicated platform set up by Noyb itself,
carried out some of the requested changes and produced proof of this exchange for the
present proceedings.
In particular: the first of them involved the implementation of a mechanism for
acquiring consent to receive third-party profiling cookies compliant with the
Guidelines of the Guarantor, already known at that time because they had been put out for public consultation.
A solution was therefore prepared which, in compliance with the principle of privacy by default,
allows the user to simply close the banner by selecting the "X", without giving
consent and therefore maintaining the default settings, which do not allow the installation of
cookies other than technical ones.
This change, however, was not made explicit in the information provided to the user, either in the short form
or in the extended form positioned on the second level, with the exception of the two sites www.maggioli.it and
www.maggiolieditore.it. The chosen solution, in line with what is contained in the Guidelines
of the Guarantor, is different from that desired by Noyb, which required the implementation, in the banner,
of a “reject” button or similar. For this reason, and unlike what happened with
other complaints, the modification made on this specific point was not
communicated as compliance with Noyb's requests. Following this
exchange, no further contacts took place with Noyb, nor did the Company receive any complaints or
similar reports from other interested parties.
At the time of the checks carried out by the Office, the Company used, in relation to all the sites
it owns, as intermediary, the consent management platform developed
by OneTrust. The relationship with this platform was contractually governed by the agreement of 4
August 2020 and subsequent annual renewals.
2.3. The checks carried out
With reference to the sites subject to Noyb's complaints, it should first of all be specified that,
as already indicated and as recognized by the Association itself, the majority of the
complaints raised were resolved by the company before the complaints were lodged with the
Guarantor. Furthermore, the entry into force of the Guidelines on cookies and other tracking tools,
following the submission of the complaints, required the owner to adopt measures and methods
suitable to bring the processing of user data carried out through cookies into line with the
indications contained therein, and it is therefore above all in light of these indications that the Authority
conducted the assessment regarding the lawfulness of the processing in question.
It has been ascertained in this regard that, in addition to technical cookies that are essential for their
operation, the Company does not use first-party profiling cookies, nor does it carry out
profiling of users on its sites using third-party cookies: on the contrary, it is the third
parties that make use of their own cookies, i.e. those of the same third parties, conveyed through the
Maggioli sites, to carry out profiling attributable to the third parties themselves. During
the overall preliminary investigation it was also ascertained that the storage of third-party cookies
on users' devices occurs on 8 of the 10 sites investigated, therefore excluding the sites
www.maggioli.it and www.maggiolieditore.it.
In fact, for the creation of its online promotional campaigns, the company uses
exclusively the Google Adwords tool, which is based on the use of keywords
and therefore does not require the use of cookies. As for the sending of newsletters, it
occurs following the completion of a specific form by those interested in
receiving them and therefore, also in this case, no cookies are used.
It was also clarified that, already at the time of the audit, one of the ten sites in question,
in particular www.ingegneri.cc, was no longer active, as it was merged with another site
(www.ediltecnico.it).
It was also verified that the OneTrust platform also provided a classification service
for the cookies used by the individual site on the basis of a database called cookiepedia, which
"reads" the cookies used by the domain and interprets them in light of a pre-existing nomenclature,
giving them a name that is as uniform as possible, or at least common among
the framework's associates.
This classification was determined and imposed by OneTrust and is divided into 4 categories, moreover
reported in the cookie policy published on the group's sites: strictly necessary cookies,
functionality cookies, cookies used for targeted advertising, performance cookies. However, it is possible to modify them
although each of them is generated through a OneTrust script. The cookies used on the sites
of Maggioli were detected and interpreted by OneTrust through comparison with its own
pre-existing database (Cookiepedia), so that they could subsequently be classified as
belonging to one or the other of the four categories mentioned. Only in the event that
OneTrust was not able to carry out this comparison and therefore identify a cookie,
since it was not present in Cookiepedia, it attributed it by default to the owner Maggioli, labeling it
as a first-party cookie of the company.
This procedure could therefore cause errors, since all third-party cookies not previously
registered on cookiepedia could be classified as directly attributable to the Company.
The latter became aware of this problem, for example, with reference to a non-technical
cookie attributable to Facebook, therefore a third-party profiling cookie, which however had
been classified by OneTrust as a first-party cookie of Maggioli itself. The error therefore
concerned not the functional qualification of the cookie, but rather its attribution to one subject
instead of another, and was subsequently remedied.
During the inspection it was ascertained that in the information then available on the company's
websites, of which comprehensive screenshots were also acquired, site by site,
of the information as it appeared on 31 May 2021 at the time of receipt of Noyb's
complaints (Annex 3 to the minutes of operations completed on 3 August 2022), it was stated "We and our
partners store and/or access information on a device, such as unique IDs in
cookies for the processing of personal data. You can accept or manage your choices
by clicking below, including your right to object where legitimate interest is used."
It was also verified that both the short information notice contained in the banner and the extended
cookie policies present in the second level were prepared and managed by OneTrust according to
a pro-forma model and that a part of the information, in particular the one reported above, was not
editable directly and independently by Maggioli from the control panel (see in this regard
the screenshots, sub annex 4 to the report of operations carried out).
However, this rigidity of the framework could generally be overcome by a request
to OneTrust, made by opening a specific ticket, to modify the information,
making it conform to the factual situation as represented.
It turned out that the company made use of the legal basis of legitimate interest, mentioned
in the information, exclusively for the use of first-party technical cookies. This legal basis
was not reported in the extended privacy policy, but was clearly indicated in the short information notice contained
in the banner.
Following the entry into force of the Guarantor's Guidelines on the use of cookies, the Company has
implemented a series of measures, among which, in addition to the already mentioned X mechanism, put
in place before the expiry of the deadline granted by the Authority for the
implementation of the indicated measures and in any case further improved after January 2022
by making a chromatic change that made the relevant command more visible:
the icon relating to the status of consent has been introduced on all sites on which it was not yet
present; a color upgrade of the buttons has been carried out; usability changes have been
adopted, for example regarding the reiteration of the banner, to make the configurations adopted
more in line with the Guarantor's indications.
During the audit, specific checks were carried out through access to the IT
systems, as a result of which no critical issues were found regarding the methods of
recording consents obtained or revoking those obtained previously.
3. CHANGES MADE FOLLOWING THE INSPECTION ASSESSMENT AND REQUEST FOR
ACCESS TO DOCUMENTS
With communication dated 5 September 2022, lifting the reservations made, Maggioli S.p.A.
declared:
- to have modified and updated the cookie policies of the sites subject to
dispute (as per attachments 14, 15, 16, 17, 18, 19, 20, 21, 22 and 23 to the communication
of 5 September 2022); this change resulted in the reduction of the four categories
of cookies described to two (now divided into technical and profiling), "in order to provide information
complete and more understandable for users”;
- to have made some changes relating to the classification of third-party cookies,
incorrectly classified by the OneTrust automatic tool as first-party
cookies;
- to have implemented the addition of a section within the privacy policy of the sites
dedicated to cookies with the link to the respective cookie policy (attachments 24, 25, 26, 27, 28, 29, 30,
31, 32 and 33 to the communication of 5 September 2022).
Lastly, the company declared that it had requested OneTrust, by opening a specific
ticket, to modify the text of the first level cookie banner relating to 8 of the 10 sites in question
(see annexes 34 and 35 of the communication of 5 September 2022).
However, and "despite Maggioli's insistence, the supplier did not take action, considering the text
of the banner not compliant with the IAB framework". This led the company to accuse
OneTrust of breach of contract and therefore to send it
formal notice of withdrawal from the contract, with simultaneous search for a new supplier (annex 36
of the communication to the Guarantor dated 5 September 2022). The company once again reserved
the right to keep the Authority updated on the results of this search.
On November 10, 2022, the Company then submitted a request for access to the documents to obtain
a copy of the complaints and related attachments subject to the investigative activities in question. A reply
to that request was given on November 21st, with the simultaneous forwarding of the requested documents.
Subsequently, on the specific point on which Maggioli S.p.A. had made a reservation, in the
absence of more detailed indications and with the Authority still waiting for
them, the Guarantor sent, on 23 December 2022, a request for information pursuant to
art. 157 of the Code, to which Maggioli S.p.A. responded within the established deadline (January 30th
2023).
With the same communication dated January 30th, the Company then, with regard to the complaints
of the complaining association, among other things clarified that it had carried out, as early as
30 June 2021, the following changes:
- regarding the complaint about the allegedly misleading design of the link: the company
replaced the “manage preferences” hypertext link with a specific button;
- regarding the complaint about the adoption of misleading button colors: the company
took steps to standardize the colors of the banner buttons, which appear in blue - with the
exception of the “X” - in line with the company colours;
- regarding the complaint relating to the misleading contrast of the buttons: the company
took steps to define the same dimensions for the banner buttons;
- regarding the complaint about the implementation of a consent revocation mechanism
that was not easy: the company has installed the icon that allows users to return to the
banner to modify the choices expressed; this icon can be reached from all pages of the sites
subject of complaint.
4. NOTIFICATION OF VIOLATION PURSUANT TO ART. 166, PARAGRAPH 5, OF THE PERSONAL
DATA PROTECTION CODE
Based on what was possible to ascertain on site and following the examination of the documentation
also produced during the supplementary preliminary investigation, with communication dated May 30th
2023, the Authority formally notified the Company of the communication launching the
proceedings pursuant to art. 166, paragraph 5, of the Code, which is understood here as recalled
and reproduced in its entirety, contesting the violations illustrated below.
First of all, it was contested that, with reference to eight of the ten websites owned by the
Company, any indication relating to the meaning to be attributed to the selection of the
command marked with an X, placed inside the banner, was missing; resulting in violation of the
principle of lawfulness, correctness and transparency referred to in art. 5, par. 1, letter a) as well as articles 12 and
13 of the Regulation.
Even the short information notice made available was misleading and erroneous, as it mentioned,
for profiling carried out through cookies, the use of the legal basis of
legitimate interest and the related right of opposition, which are actually not applicable in this case,
given that the use of cookies other than technical ones imposes the obligation to acquire the
prior informed consent of the user pursuant to the special regulations referred to
in art. 122 of the Code. The configuration of the websites in question was therefore found to be illegal
as in violation of the principle of lawfulness, correctness and transparency of the processing referred to in art.
5, par. 1, letter a), and the provisions of articles 12 and 13 of the Regulation, as well as of the same
art. 122 of the Code which imposes, in fact, the obligation to obtain consent excluding the
use of the legal basis of legitimate interest; as well as articles 4, point 11 and 7 of the
Regulation that define the characteristics and conditions of that consent.
In its capacity as owner, by publishing on its sites a banner that does not comply with the rules,
prepared by the supplier OneTrust, Maggioli S.p.A. violated articles 5, par. 2, 24 and 25 and, with
reference to the selection of a technological partner, as processor, which did not guarantee the
conformity of the data processing carried out with the applicable regulations, also art. 28 of the
Regulation.
In conclusion, in light of the above, Maggioli S.p.A. was notified of the allegation that the
company's conduct, also in contrast with the indications contained in the Cookie Guidelines, constituted a
violation of the provisions of articles 4, point 11; 5; 7; 12; 13; 24; 25 and 28 of the Regulation and
of art. 122 of the Code.
5. THE DEFENSIVE BRIEFS OF MAGGIOLI S.P.A.
The Company responded with a memorandum dated June 29, 2023, stating the following:
a) to have stipulated a contract with a new CMP supplier, Iubenda S.r.l., on 11
May 2023, under which a “solution that allows
the provision of information on cookies (short and extended) to users, as provided for
by current legislation, for all 7 sites covered by this investigation file"; in this regard,
however, it underlined that “while waiting for the change of supplier... it had already
proceeded to change - before the notification of the start of the procedure - the text of the short
banner visible on the sites in question, eliminating the reference to the legal basis of legitimate
interest in the processing relating to cookies";
b) that the failure to inform users about the meaning to be attributed to the selection of the
command marked with X placed inside the banner did not result in any
violation, since it is now known to web users that the command in question
involves the continuation of navigation in the absence of tracking cookies;
c) with reference to the mention of legitimate interest as the legal basis of the processing,
already during the inspection the Company worked towards the change in
question, with the effect that "at the time of notification of the opening of the proceeding, such
indication was no longer present”; it being understood, however, that in fact and in concrete
terms the legal basis actually used for the installation of cookies other than
technical ones by Maggioli S.p.A. has always been the user's consent; in any
event, the transition to the new supplier did not involve "any migration activity
of the consent already acquired for the installation of profiling cookies since
new banners were presented to users”;
d) that “NOYB's objections arise from what - clearly - can be
considered an abuse of law", since "Maggioli immediately took action after the
original complaints... Among other things, from reading the complaints, the Company verified that the
content appeared to be the same as the complaints initially formulated
by the complaining association, despite the fact that important improvement actions had already been
carried out, specifically reported within the required times on the Noyb platform (and
declared during the inspection)”.
Finally, the Company requested the scheduling of a specific hearing pursuant to art. 166, paragraph 6, Legislative
Decree 196/2003. The Authority did so by communicating, on 18 October 2023, that the hearing
would be held on the following October 26th. On the established date, however, the Company - without communicating
any impediment in this regard - did not appear, as per the minutes drawn up on the same date and attached
to the documents of the proceedings.
6. THE AUTHORITY'S ASSESSMENTS
With reference to the factual and legal profiles highlighted, also based on the statements made by the
Company under investigation, for which the declarant is liable pursuant to art. 168 of the Code, the
following legal assessments are formulated.
First of all, it must be clarified that the arguments put forward by the Company do not appear suitable
to completely exclude its liability in relation to the disputed conduct.
At the time of the checks, following the receipt of Noyb's complaints as well as the entry into
force of the indications and clarifications made in the Guarantor's Guidelines regarding cookies and
other tracking tools, eight of the ten sites covered by this investigation, and in particular
https://www.leggioggi.it; https://www.theplan.it; https://www.lagazzettadeglientilocali.it;
https://www.diritto.it; https://www.comuni.it (now www.servizidemografici.it);
https://www.ingegneri.cc/ (then www.ediltecno.it, now decommissioned); https://www.ufficiocommercio.it and
https://www.ilpersonale.it, did not contain any indication in the banner regarding the possibility for
the user to use the command represented by the "X", placed inside it, to continue
browsing leaving the default settings unchanged, which do not imply acceptance of
profiling cookies.
In this regard, it should be underlined that art. 5, par. 1 of the Regulation identifies the fundamental
principles applicable to any processing of personal data. Pursuant to this provision,
personal data must be, among other things, (i) processed in a lawful, correct and transparent manner (principle
of lawfulness, correctness and transparency); (ii) processed for specific, explicit and legitimate purposes and (iii)
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
(minimization principle).
In particular, the principle of transparency translates into the obligation, which weighs on the owner of the
processing, to provide the interested party with all information relating to the processing of personal data
that concern him in an accessible and understandable way, making him aware, among other things, of the
information indicated in articles 12 and 13 of the Regulation, in order to achieve the broadest and fullest
awareness of the interested party regarding the processing of his
personal information and in relation to the choices that are available to him pursuant to the law.
As for the principle of correctness, it first of all implies that the owner adopts a conduct
always rigorously respectful of the regulatory provisions as well as oriented towards the maximum protection of
rights and freedoms of the interested parties.
In the present case, the absence of a clear indication regarding the possibility of continuing
browsing without accepting to be profiled does not ensure full user awareness
of the choices available to him.
Having failed to inform the user about the meaning to be attributed to the selection of the command
marked with an "X" therefore violates the principle of lawfulness, correctness and transparency referred to in art.
5, par. 1, letter a) as well as articles 12 and 13 of the Regulation.
Inside the banner there was also a short information notice with the following literal wording:
“We and our partners store and/or access information on a device, such as unique
IDs in cookies for the processing of personal data. You can accept or manage your
choices by clicking below, including your right to object where legitimate interest
is used ..." (see annex no. 3 to the report of operations carried out dated 2 August 2022).
This wording, and first of all the mention of legitimate interest as the legal basis applicable to the
processing of user data carried out through cookies other than technical ones, is incorrect and
misleading, and therefore illicit as it violates the principle of lawfulness, correctness and transparency
of the processing referred to in art. 5, par. 1, letter a), and the provisions of articles 12 and 13 of the
Regulation, as well as the same art. 122 of the Code which imposes, in this case, the obligation to
acquire consent excluding the use of the legal basis of legitimate interest; as
well as articles 4, point 11 and 7 of the Regulation which define the characteristics and conditions
of the consent that must be given by the interested party.
In fact, on the basis of these provisions, any consent acquired on the basis of
misleading indications cannot be considered valid.
It is acknowledged that the company, already during the inspection assessment, but above all in the
following phase, became aware of the non-compliance of its conduct with the obligations incumbent on the
owner pursuant to the aforementioned regulations, working to obtain the modification of the information in
question (a possible text more in line with the regulatory provisions was, in fact,
already prepared during the inspection by the company and attached under doc. 5 to the minutes of
operations completed on 2 August 2022). It is also acknowledged that this critical issue has now been remedied.
In fact, given OneTrust's denial of requests to change the indications
subject to publication on its sites, the Company exercised the right of withdrawal from the contract in
force, although limiting itself, in this regard, initially to declaring that it had started a search for
a new supplier and subsequently, in the communication of 30 January 2023, to listing
several potential suppliers, remaining "waiting to receive the latest feedback from the suppliers consulted".
Only at a later date, i.e. upon receipt of the communication of the start of the
proceedings, with the briefs dated 29 June 2023, did Maggioli S.p.A. communicate the rotation
of suppliers that had taken place and the replacement of its technological partner with a new,
different entity that implemented a different type of banner.
However, also at the outcome of the supplementary investigation it must be noted, in this regard, that pursuant to
articles 24 and 25 of the Regulation it is up to the owner, as defined in art. 4, par. 1, point 7) of the
Regulation, not only to determine the purposes and means of processing, but also
to identify all the most appropriate measures to achieve the dual objective of compliance
with the rules and protection of the rights and freedoms of the interested parties. The owner, based on art.
5, par. 2 of the Regulation, also has the obligation to respect all the principles of data protection and privacy
and to prove it.
The owner company, by publishing a banner on its sites that does not comply with the rules, has therefore
in any case violated articles 5, par. 2, 24 and 25 of the Regulation.
Again in light of a provision of the Regulation, and in particular of its art. 28, it is
necessary to interpret the relationships between Maggioli S.p.A. and OneTrust, a supplier who, in the agreement in
force at the time of the facts, held the position of data controller in the ownership
of society. In fact, art. 1.2 of "Annex 1 - addendum on data processing" to the
General contract conditions attached to the contract signed between the parties in August 2020, and
subsequently subjected to continuous annual renewals, entitled “Reports
between the parties", states that "The Customer (the data controller) designates OneTrust as responsible for the
processing of the personal data described in the contract (the “Data”) for the purposes indicated in the Contract (or as
otherwise agreed in writing by the parties) (the “Permitted Purpose”). Each party must
comply with obligations under applicable data protection legislation…”.
It follows that, having defined the interrelationship between the Company and OneTrust in this way, it must
be recognized that the owner is responsible for the management of the processing carried out by the
manager it has appointed, the owner having to rely, to fill this role, on subjects who
present sufficient guarantees in terms of specialist knowledge, reliability and resources, that
is, subjects who guarantee that the owner can, also through them, implement technical
and organizational measures that meet the requirements of the Regulation (see recital 81 of the Regulation),
and make decisions that comply with the law. The specific task of the owner is, in fact, to evaluate the
risk of the processing carried out by those responsible, under penalty of being charged with
culpa in eligendo as well as culpa in vigilando, both of which recur in the present case. Having
identified a manager who prepared a banner that does not comply with applicable regulations,
not having been aware of the crime, and therefore not having adopted adequate technical and organizational
measures, qualifies the company's conduct as illicit since it is in violation of articles 24, 25 and
28 of the Regulation.
However, it is necessary to take into consideration, in this regard, that the Company resorted to the legal
basis of legitimate interest only in relation to the use of technical and non-profiling
cookies - as technical cookies, pursuant to the Guidelines, are exempt from the obligation
of the prior acquisition of the user's consent - and therefore, without prejudice to what is indicated
regarding the information, despite having erroneously qualified the legal basis, the Company in fact
has, in this respect, processed the data in compliance with the regulations.
It follows that, although the mention of the legitimate interest of the owner is classified as incorrect and therefore
the information provided in this regard is misleading and incorrect, it must however be taken into account that such
conduct did not cause damage to the interested parties.
In conclusion, in light of the above, the conduct of Maggioli S.p.A., which also differs from the
indications contained in the Cookie Guidelines, therefore constitutes a violation of the
provisions referred to in articles 4 point 11; 5; 7; 12; 13; 24; 25 and 28 of the Regulation and art. 122 of the
Code.
7. Final evaluations
For the above, the liability of the company Maggioli S.p.A. is considered established in
relation to the disputed violations.
However, also taking into account:
- that, following the receipt of the Noyb complaints, and on a date prior to the start of the investigation
by this Authority, the owner promptly took steps to carry out
the implementation of some of the changes requested by the complainants to bring
the different sites owned by the Company into conformity;
- that the incorrect indication of legitimate interest as the legal basis for the processing of
user data concerned exclusively the use of technical cookies and therefore did not
result in damage to the data subjects;
- that, in the absence of fraud, the Company erroneously considered it sufficient to rely on a
technological partner, appointed responsible, which however, as proven by facts, has not
fulfilled the owner's requests aimed at bringing the sites in question into compliance;
- that in this regard Maggioli S.p.A., having realized - also following the inspection
assessment activity - the offenses and having taken note of OneTrust's refusal to adopt the requested changes
to make the sites compliant with the law, exercised the right of withdrawal from the
existing contract, stipulating a new contract on 11 May 2023
with another CMP supplier, Iubenda S.r.l.;
- that following this change the consents already acquired have been canceled and the users are entitled to them
the banners were presented from scratch as a result of the changes implemented;
- that during the entire procedure, including the inspection phase, the
Company has shown an attitude of availability and cooperation with the Authority
aimed at the most effective resolution of the critical issues indicated;
- that no further reports or complaints appear to have been received either by the Authority or
directly by the owner in relation to the data processing covered by this proceeding,
it is believed that it is possible to waive the application of an administrative-pecuniary sanction and,
having verified that all sites currently owned by the Company comply with the
law regarding cookies and other tracking tools, pursuant to art. 58, par. 2, letter b) of the
Regulation, to issue a warning to Maggioli S.p.A. in relation to the violations
of the current regulations found above.
GIVEN ALL THE FOREGOING, THE GUARANTOR:
having ascertained, within the terms set out in the justification, the illicit nature of the processing carried out by Maggioli
S.p.A., with registered office in Santarcangelo di Romagna (RN), Via del Carpino 8, C.F.
06188330150, VAT number 02066400405, in the person of the legal representative pro tempore,
pursuant to art. 58, par. 2, letter b), issues a warning to Maggioli S.p.A. in relation to the
following profiles of illegality specifically described in the motivation:
- the failure to indicate, in the information to interested parties, the possibility of using the
command marked by the graphic sign “X” placed inside the banner to
continue browsing in the absence of tracking;
- the incorrect mention of the legal basis of legitimate interest for the processing of users' data
through cookies;
- the identification of a data controller lacking the requirements imposed by
current regulations.
ORDERS
pursuant to art. 17 of the Guarantor Regulation n. 1/2019, the entry in the internal register
of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation, of the violations and
corrective measures.
Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles 152 of the Code and 10
of Legislative Decree no. 150 of 1 September 2011, opposition to this provision may be
brought before the ordinary judicial authority, with an appeal filed with the ordinary court of the
place where the owner of the personal data processing has his residence, or, alternatively, with the
court of the place of residence of the interested party, within thirty days from the date of
communication of the provision itself, or within sixty days if the appellant resides
abroad.