Garante per la protezione dei dati personali (Italy) - 9996609

From GDPRhub
Revision as of 15:01, 27 March 2024 by Lm
Garante per la protezione dei dati personali - 9996609
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 4(11) GDPR
Article 5 GDPR
Article 7 GDPR
Article 12 GDPR
Article 13 GDPR
Article 24 GDPR
Article 25 GDPR
Article 28 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: n/a
Parties: Maggioli S.p.A.
National Case Number/Name: 9996609
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante Per La Protezione Dei Dati Personali (in IT)
Initial Contributor: n/a

The DPA found that a controller violated its transparency and processing-oversight obligations in using cookies on several websites, and determined that using an ‘X’ rather than a ‘reject’ button is permissible when the effect of the ‘X’ is explained in the cookie banner.

English Summary

Facts

In August 2021, several data subjects represented by noyb (European Centre for Digital Rights) filed complaints against Maggioli S.p.A. (controller) concerning its use of cookies and other tracking tools. The complaint alleged several violations across a number of the controller’s webpages, including:

• the absence of a ‘reject’ button at the first level of the cookie banner;
• the use of pre-ticked boxes at the second level of the cookie banner;
• the use of a cookie rejection mode that consisted of a link instead of a button (unlike the ‘accept all’ button);
• the use of misleading button colours and contrasts;
• the improper reliance on legitimate interest as a legal basis for cookie processing;
• a procedure for revoking consent that was not easily accessible.

The Italian DPA (Garante) carried out an investigation. During its investigation, it noted that the controller contracted with OneTrust (processor), a service that classified cookies and reported them in the controller’s cookie banner and cookie policy. Notably, only the processor could directly modify the cookie banner and cookie policy. The Garante also observed that the controller used only technical, non-tracking cookies. The processor, however, had erroneously attributed third parties’ tracking cookies that were on the controller’s webpage to the controller. On 30 May 2023, the DPA notified the controller of the alleged violations and that it was initiating the procedure pursuant to Article 166(5) of the Code on Protection of Personal Data.

On 29 June 2023, the controller replied with a defensive brief. It noted that, upon discovering the processor’s erroneous cookie categorisations, the controller had requested that the error be corrected. When the processor failed to do so, in breach of their contract, the controller withdrew from the contract and entered into an agreement with a new supplier to alter the cookie banner. The controller also argued that the failure to inform users about the meaning of the ‘X’ had not resulted in any violation, because the controller only used technical, non-tracking cookies.

Holding

The Garante found that the controller’s conduct breached Articles 4(11), 5, 7, 12, 13, 24, 25, and 28 GDPR as well as Article 122 of the Code. The DPA focused on three core issues with the controller’s processing.

First, the controller failed to indicate the meaning of the command marked by the ‘X’ graphic in the cookie banner. The Garante considered this a violation of Articles 5(1)(a), 12 and 13 GDPR because it failed to provide data subjects with the fullest possible awareness of the processing of their personal data and of the choices they are entitled to make under the law.

Second, the Garante found that the controller violated Articles 4(11) and 7 GDPR by erroneously citing legitimate interest as its legal basis for processing via cookies, when such processing requires consent as a legal basis. The Garante noted, however, that the controller had actually relied on legitimate interest only for its own use of cookies, which were technical and non-tracking. As technical cookies do not require user consent, the Garante found that, despite naming an incorrect legal basis in the cookie banner, the controller’s own processing in fact complied with the rules and did not harm data subjects. Nonetheless, the erroneous naming of legitimate interest as the legal basis in the cookie banner was unlawful under Articles 5(1)(a), 12 and 13 GDPR because it misled consumers.

Finally, the Garante noted that the relationship between the controller and processor, and namely the controller’s inability to modify the cookie banner and cookie policy, resulted in violations of Articles 24, 25, and 28 GDPR. It emphasized that Articles 24 and 25 GDPR impose a responsibility on the controller to oversee processing and guarantee that processor activities comply with the GDPR.

In light of these violations, the Garante issued a warning and decided not to impose a fine. It took into account the controller’s changes to its banners following receipt of noyb’s complaints, the lack of harm to users’ data since the controller itself only used technical cookies, the lack of fraudulent intent, the withdrawal from the contract with its supplier after the supplier failed to comply with the controller’s requests, the controller’s cooperation with the DPA, and the absence of further complaints.

Comment

‘X’ button: The Garante concluded that the ‘X’ function was sufficient where the cookie banner defined the effect of clicking ‘X.’ The issue thus was not the use of the ‘X’ (as opposed to something like a ‘reject’ button), but rather the lack of explanation within the cookie banner. In coming to this conclusion, the Garante rejected the data subjects’ arguments that a mere ‘X’ somewhere on the cookie banner was insufficient and a ‘reject’ button was required.

Cookie usage: The Garante noted that the controller did not itself use profiling cookies. As a result, it found that the controller itself relied on the legal basis of legitimate interest only in relation to its use of technical cookies, which is a proper legal basis for such cookies, and thus did not harm consumers. Notably, third parties do use tracking cookies to carry out profiling on the controller’s webpage. By concluding that the controller itself processed data in compliance with the Garante’s Guidelines, the DPA implicitly determined that the controller is not responsible for third-party cookies that are used on its webpage.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.