Garante per la protezione dei dati personali (Italy) - 9856694

From GDPRhub
Revision as of 14:21, 22 March 2023 by Mg
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6 GDPR
Article 28(3) GDPR
Type: Complaint
Outcome: Upheld
Started: 16.02.2021
Decided: 15.12.2022
Published:
Fine: 30.000 EUR
Parties: Verizon Connect Italy S.p.A.
National Case Number/Name: 9856694
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: mg

The Italian DPA imposed a 30.000 EUR fine on a company providing vehicle geolocation services for having processed personal data as a processor without a controller-processor agreement meeting the requirements of Article 28(3) GDPR. In the absence of such an agreement, the DPA also found the processing unlawful under Articles 5(1)(a) and 6 GDPR.

English Summary

Facts

A data subject filed a complaint against Verizon Connect Italy S.p.A. (formerly Visirun S.p.A.), a company providing vehicle geolocation services. The data subject had found a tracking device in the vehicle they used to deliver goods on behalf of a second company, Giessegi Industria Mobili. The data subject worked for Giessegi and had no direct relationship with Verizon. Verizon provided geolocation services to Giessegi, which used them to keep track of its vehicles. The employer had not informed the data subject of the geolocation devices installed on the vehicle.

The data subject therefore addressed an access request to Verizon, whose brand name (Visirun) was printed on the device. The request received no reply. After examining the defence notes provided by the company, the Italian DPA opened administrative proceedings to ascertain potential violations of Articles 5(1)(a), 6 and 28(3) GDPR.

During the investigation, Verizon argued that it was not the controller of the processing at issue. In the terms of service accepted by Giessegi, Verizon qualified itself as a mere processor acting on behalf of Giessegi, the actual controller. For this reason, Verizon does not normally reply to access requests from data subjects directly, but facilitates access indirectly by making the relevant data available to its clients. In addition, since the agreement with Giessegi had ended in 2020, Verizon had deactivated its devices and no longer had access to the geolocation data.

However, the Italian DPA ascertained that no written agreement between Verizon and Giessegi setting out the specific obligations of the processor existed, which pointed to a violation of Article 28(3) GDPR. Verizon replied that the obligation to conclude a written agreement between controller and processor is not clearly stated in the GDPR, and that such an obligation stems only from EDPB Guidelines 07/2020 on the concepts of controller and processor, which were adopted after the contractual relationship with Giessegi had ended. Verizon also stressed that it had complied with all the substantive obligations of a processor, and argued that no violation of Articles 5(1)(a) and 6 GDPR could be found against it, as those provisions apply only to controllers.

Holding

The Italian DPA rejected Verizon's defence. In the first place, the obligation to conclude a written agreement regulating the rights and duties of the processor stems clearly from Article 28(3) GDPR itself. Moreover, as far as Italy is concerned, the obligation also follows from the case law of the Court of Cassation. According to the DPA, there was no need for further clarification by the EDPB guidelines. The mere fact that the terms of service between Verizon and Giessegi qualified the former as "processor" was not sufficient to meet the conditions established by Article 28(3) GDPR. Since no such agreement between controller and processor existed, Verizon was subject to the same obligations as a controller, including Articles 5(1)(a) and 6 GDPR. Those provisions set out general principles and conditions for processing that apply regardless of the role of the entity processing the data. In this case, the processing was manifestly unlawful, as no legal basis could be identified for the facts at issue.

Therefore, the Italian DPA found a violation of Articles 5(1)(a), 6 and 28(3) GDPR and imposed an administrative fine on the basis of Articles 58(2)(i) and 83 GDPR. In setting the amount, the DPA took into account the long duration of the violation (about four years) and the fact that not only the complainant but also other Giessegi employees were affected. On the other hand, the DPA considered that Verizon had cooperated with the authority during the investigation and reduced the fine accordingly. The final amount was set at 30.000 EUR.

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9856694]

Injunction against Verizon Connect Italy S.p.A. - December 15, 2022

Register of measures
no. 427 of 15 December 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and Guido Scorza, lawyer, members, and Dr. Fabio Mattei, secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (legislative decree 30 June 2003, n. 196, as amended by legislative decree 10 August 2018, n. 101, hereinafter "Code");

CONSIDERING the complaint presented pursuant to art. 77 of the Regulation dated February 16, 2021 by Mr. XX against Verizon Connect Italy S.p.A. (formerly Visirun S.p.A.);

HAVING EXAMINED the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER Dr. Agostino Ghiglia;

WHEREAS

1. The complaint against the Company and the preliminary investigation.

With a complaint dated February 16, 2021, Mr. XX complained of alleged violations of Regulation (EU) 2016/679 (hereinafter the "Regulation") by Verizon Connect Italy S.p.A. (hereinafter, the Company), with regard to the processing carried out through the installation of a device capable of detecting the geographical position of the vehicle with which the complainant carried out goods delivery activities. In particular, the complainant represented that he had "found a locator device marked Visirun, serial number 30006717" which was active "at least on 12/09/2020". The device had allegedly been installed as part of his employment relationship with Giessegi Industria Mobili S.p.A., which lasted until 13 May 2019. The complaint also alleged that the Company (formerly Visirun S.p.A.) did not respond to a request to exercise the "right of access to the data being processed" made on 14 September 2020.

The Company, in responding to the Authority's request for information dated November 30, 2021, with a note dated January 14, 2022, stated that:

a. "On September 14, 2020, Verizon's management opened ticket GCR-233-12771 [...], following receipt of a certified e-mail from the [complainant's] attorney. In this communication, the lawyer [...] reported that the latter (i) had found the Visirun geolocation device no. 30006717 ("Device") inside his truck; (ii) was not aware of the presence of such Device before that moment, and consequently (iii) asked Verizon to receive information on who had access to the collected data" (note of 14/1/2022, p. 10);

b. "The ticket was assigned to Verizon's success account manager (SAM) team, who handled the matter directly by calling their contact at Giessegi, the data controller, and reporting the request made by the [complainant]. Giessegi confirmed that the [complainant] had worked with them in the past, but that there was no longer any relationship. Nevertheless, Giessegi had forgotten to recover the Device from the [complainant]. At the same time, Giessegi confirmed its intention to terminate the contractual relationship with Verizon (in place since January 2016). Following this phone call and a brief follow-up email exchange [...], the SAM team marked the ticket as closed" (cited note, p. 10);

c. “Verizon took the necessary administrative actions to conclude the contractual relationship with Giessegi (which ended at the end of 2020) and no longer received any information from either Giessegi or the [claimant's] lawyer, until November 2021. More precisely, on 30 November 2021 Giessegi contacted the Verizon sales team requesting a copy of the T&Cs governing the contractual relationship between Verizon and Giessegi for the period 2016-2020. The sales team informed Giessegi that they did not have any signed contracts to submit, as the T&Cs in effect at the time were incorporated by reference into the order confirmations submitted online to Giessegi during 2016 […]. Subsequently, on December 15, 2021, Verizon sent an email to Giessegi providing a copy of the T&Cs in force at the time of submission of the purchase orders by Giessegi” (note cit., p. 10);

d. "the data controller with respect to the processing of employees' personal data carried out through any geolocation device (including the Device) is the customer. Verizon acts as data processor. These roles were specified in article 18 of the T&Cs signed by Giessegi in 2016 [...] and are even clearer in article 17.4 of the current version of the T&Cs" (cited note, p. 11);

e. "The Device [Visirun no. 30006717] was sent to Giessegi in February 2016 [...] and was deactivated on November 23, 2020 following the exchanges between Visirun and Giessegi on September 24, 2020" (cited note, p. 11);

f. "to date, Verizon and Giessegi have no existing contractual relationship"; “During 2016, Giessegi submitted some online orders [...] for the rental of a total of 76 geolocation devices (including the Device) and related related services. The last order to replace a defective item took place on June 15, 2016”; "On 31 December 2020, the existing contractual relationship was terminated following the return of the geolocation devices (except for the Device and two other devices that had been lost) by Giessegi" (note cit., p. 11);

g. “Verizon is acting as a data processor with respect to the processing of personal data carried out in connection with the provision of services to customers. Therefore, the obligations referred to in Article 13 of the GDPR fell on Giessegi” (note cit., p. 11);

h. "the standard features of the Device are described below, specifying - where applicable - the additional/specific features expressly requested by Giessegi. Specifically, Giessegi had purchased the "Visirun light service", including GPS localization, route reports and continuous mapping. On the basis of this service purchased from Giessegi, the Device collected the following categories of data: Company/Name of the customer; Mailing address; Telephone number; Email address; VAT number; Public IP address; Vehicle position (lat\long)" (note cit., p. 12);

the. "the location data was kept for 12 [...] months" (note cit., p. 12);

j. “As regards the generation of the maps, the Device was set to the standard characteristics of the service. Therefore, it allowed Giessegi to check the distance traveled by each vehicle on the map, with the calculation of kilometres, travel time and average driving speed. In addition, all the routes traveled were recorded and remained available in the Visirun systems in compliance with the retention period illustrated above. As regards the localization frequency, Verizon is unfortunately unable to provide any specific information on the characteristics set by Giessegi, since these characteristics were associated with the hardware of the Device. Once disabled, Verizon has no access to this data. In its standard setting, the "Light" subscription plan [...] collects location data at regular intervals (not in real time), but the customer may have set these intervals to different values” (cit. note, p. 12 -13);

k. “Pursuant to the procedure set out in Annex 1 of the Verizon EU BCR for processors […], in the event that any Verizon company receives a request from an individual to exercise its rights under the GDPR, acting as a processor on behalf of a customer, this company is required to promptly transmit this request to the customer concerned and not to respond to the request unless authorized by the customer" (note cit., p. 14);

l. "Specifically, Verizon's SAM team treated the request as a ticket and promptly notified Giessegi of the [complainant's] attorney's communication. Subsequently, the SAM team believed in good faith that Giessegi had taken charge of the matter and would follow it up by providing [...] all the information requested, especially given the direct relationship between Giessegi and the [complainant]. In order to ensure that Verizon's internal teams handle data access requests with greater clarity in the future (making sure not only to transmit the request to data controller customers, but to route it correctly, appropriately involving Verizon's dedicated data protection team), Verizon reiterated to the persons involved the importance of respecting internal procedures, inviting them to repeat the international privacy training" (cited note, p. 14).

With a subsequent note dated 25 May 2022, sent in response to a request for further information formulated by the Office (on 6/5/2022), the Company declared that:

a. "in relation to the appointment as "external data processor" pursuant to Article 29 of the Privacy Code, Verizon wishes to underline [...] that prior to the entry into force of the GDPR on May 25, 2018, data processors (such as Verizon in the context of its contractual relationship with Giessegi) had no direct responsibility under Directive 95/46/EC and the Privacy Code. On the contrary, data controllers (such as Giessegi in the present case) were the only subjects exclusively responsible for their own compliance with the legislation on the protection of personal data and that of their data processors. This means that under the personal data protection framework in force before the GDPR, Giessegi was solely responsible for appointing Verizon as data processor pursuant to article 29 of the Privacy Code" (note of 25/5/2022, p. 7);

b. "Except as indicated above, in the T&Cs of 2016 Verizon, recalling the now repealed article 29 of the Privacy Code, reaffirmed Giessegi's responsibility to appoint Verizon as data processor. Despite this, this appointment was never received by Verizon ” (cited note, p. 7);

c. “regarding the localization frequency, Verizon is not [...] able to provide specific information on the characteristics set by Giessegi, as these characteristics were associated with the hardware of the Device. As specified to this Authority [...], once the Device has been deactivated, Verizon cannot access such data in any way" (note cit., p. 7);

d. "the "Light" subscription plan, i.e. the plan activated by Giessegi in relation to the Device, is set up to collect location data at regular intervals (not in real time), specifically every 60 seconds, and to transmit them every 120 seconds . However, the customer may have set these intervals to different values” (cited note, p. 8).

At the same time, the Authority initiated proceedings against Giessegi S.p.A., in its capacity as controller of the processing carried out using the device found on the complainant's vehicle and the connected location service provided by the Company. The data controller replied with notes dated 29 December 2021 and 26 May 2022.

2. The initiation of the procedure for the adoption of corrective measures and the deductions of the Company.

On 13 July 2022, the Office carried out, pursuant to art. 166, paragraph 5, of the Code, the notification to the Company of the alleged violations of the Regulation found, with reference to articles 5, par. 1, lit. a), 6 and 28, par. 3 of the Regulation. The Company, with a note dated September 12, 2022, declared that:

to. "Notwithstanding the importance of signing a deed of appointment as data processor, an obligation that Verizon currently [...] imposes punctually on its customers in the context of all contractual relationships established after the entry into force of the GDPR, the degree The seriousness of the alleged violation contested in this case against Verizon is certainly very low, due to the fact that it only refers to the formalization of the relationship between the data controller (Giessegi) and the data processor (Verizon), but does not involve , in any way, a violation of the rights established to protect the personal data of the [complainant]" (note 12/9/2022, p. 2);

b. "the existence itself, in the specific case, of the violation by Verizon is disputed, as the dispute is based on a specific interpretation of Article 28 of the GDPR, offered by the "Guidelines 07/2020 on the concepts of data controller and data controller pursuant to the GDPR" ("Guidelines"), adopted by the European Data Protection Board ("EDPB") on 7 July 2021; that is, after the termination of the contractual relationship between Verizon and Giessegi” (note cit., p. 2);

c. "according to the EDPB, since the entry into force of the GDPR there has been a lack of clarity in relation to the concepts of controller/processor, which requires clarification also with regard to the obligations under Article 28 of the GDPR and the responsibilities arising from failure to comply with them. In fact, on the one hand, Article 28, paragraph 1, of the GDPR imposes only on the data controller the obligation to make use of data processors capable of satisfying the requirements established by the GDPR; on the other, Article 28, paragraph 3 of the GDPR does not provide any indication regarding the obligation to conclude a deed of appointment as data processor, and the related responsibilities" (cited note, p. 3);

d. “in its "Opinion 1/2010 on the concepts of "controller" and "processor"" [...] - which was, moreover, the only guide available on the subject at the time of entry into force and termination of the relationship contract between Verizon and Giessegi - the Article 29 Working Party has not provided any clarification regarding the obligation to enter into an agreement on data processing and the responsibilities deriving from its non-compliance" (note cit., p. 3);

e. "This uncertainty has led to differing opinions on the obligation of the processor to stipulate a deed of appointment pursuant to art. 28 of the GDPR and its responsibilities in case of non-compliance. In particular, Verizon, after Giessegi accepted the General Conditions of Service [...] in which [...] it was clearly indicated that the customer, as data controller, was required to appoint Verizon (then Visirun S.p.A.) as data processor, did not consider itself bound by the obligation to proactively engage with Giessegi [...]. Indeed, Verizon acted in good faith and in the firm belief that it complied with applicable data protection laws and regulations" (cited note, p. 3);

f. "It is evident that from a systematic reading of the GDPR (or even only of Articles 5, 6 and 28 of the same), Articles 5 and 6 mentioned by the Guarantor refer to the legal basis that legitimizes the processing of personal data by the controller [...] The role of the data processor and the limits of its action are governed, on the contrary, by Article 28" (cited note, p. 4);

g. “Verizon reiterates that it did not consider itself obliged to require Giessegi to sign a deed of appointment as data processor [...]. The EDPB Guidelines, in fact, were adopted after the termination of the contractual relationship between the Company and Giessegi" (note cit., p. 4);

h. "Verizon has implemented administrative, technical and physical security measures to protect the confidentiality, integrity and availability of customers' systems, networks and personal data", this "despite the failure to enter into a deed of appointment as data processor" (cited note, p. 5);

the. "Verizon has always collaborated with the Guarantor, providing its responses to requests for information received, supplemented by numerous annexes that describe the Company's internal policies and procedures, in a timely and punctual manner" (note cit., p. 5);

j. "The alleged violation did not concern the processing of "special categories of personal data" (referred to in Article 9 of the GDPR) or of "personal data relating to criminal convictions and offenses" (referred to in Article 10 of the GDPR)" ( note cit., p. 6);

k. "Verizon wishes to emphasize that the group's main establishment in Europe is Verizon Ireland Limited, with its registered office in [...], Ireland"; in this regard "Verizon has not mentioned the matter of the main establishment until now, as the Company understands that it was involved in the Giessegi case by the Guarantor as a third-party supplier and a party informed of the facts. However, following the opening of infringement proceedings directly against Verizon for the alleged violation of GDPR provisions, we wish to emphasize that any further investigation involving compliance and the Verizon Group's accountability for GDPR violations should involve the Irish DPC through the cooperation procedure pursuant to Article 56 of the GDPR" (cited note, p. 6).

3. The outcome of the investigation.

3.1. The processing of personal data carried out by the Company.

Based on the elements acquired during the preliminary investigation, it is ascertained that the Company has stipulated with Giessegi Industria Mobili S.p.A. a contract for the supply of a vehicle tracking service - which also makes use of the installation of geolocation devices - based on orders dated 22/1, 8/2, 3/3, 5 and 9/5, 15/6 of 2016 in execution of which 76 geolocation devices were supplied to the customer.

The relationship with the localization service provider was interrupted at the end of 2020 (in this regard, to be precise, Giessegi Industria Mobili S.p.A. declared that the interruption occurred in November 2020; while the Company represented that the contract was terminated on 31 December 2020 [see the Company's note dated 14/1/2022, point 2, letter c]).

This geolocation service makes it possible to acquire and process data relating to the circulation of the vehicle used by the carrier, collected by the device installed on board, which can be consulted via a web application.

The Company has indicated the standard features of the "Light" service covered by the contract with the Giessegi customer (location via GPS system, map control of the distance traveled by each vehicle, calculation of kilometres, travel time and average driving speed, with retention of data, in relation to the specific case, for 12 months).

According to what was declared, "all the journeys traveled were recorded and remained available in the Visirun systems in compliance with the retention period illustrated above". In relation to such processing activities the Company itself stated that "Verizon acts as data processor. These roles were specified in article 18 of the T&Cs signed by Giessegi in 2016 [...] and are even clearer in article 17.4 of the current version of the T&Cs".

With reference to the processing activities carried out by the Company in execution of the orders issued by Giessegi Industria Mobili S.p.A., it should finally be noted that, contrary to what was argued in the defence briefs, the cooperation procedures envisaged by the Regulation (Chapter VII, Section I) do not apply.

The definition of "cross-border processing" contained in the Regulation - the implementation of which constitutes the prerequisite for the application of the aforementioned procedures (see art. 56. paragraph 1 of the Regulation) - refers to two distinct hypotheses.

The first concerns the "processing of personal data that takes place in the context of the activities of establishments in more than one Member State of a data controller or data processor in the Union where the data controller or data processor are established in more than one Member State" (art. 4, no. 23, letter a) of the Regulation).

The second hypothesis instead refers to the "processing of personal data which takes place within the scope of the activities of a single establishment of a data controller or data processor in the Union, but which substantially affects or probably substantially affects more than one data subject of a Member State” (art. 4, no. 23, letter b) of the Regulation).

In the present case, the verification activity carried out by the Guarantor did not concern processing carried out by Verizon Ireland Limited, with registered office in Ireland, in respect of data subjects located on the national territory or in any case "in more than one Member State"; nor does the Italian company appear to be an "establishment" of the parent company, given that Verizon Connect Italy S.p.A., although controlled by Verizon Ireland Limited, is an independent legal entity with its registered office in Italy (see also, in this regard, recital 36 of the Regulation).

In the present case, in fact, the processing subject to the control activity initiated by the Authority following the complaint was carried out in execution of contracts entered into by the Italian company with another company having its registered office in Italy (contracts which therefore defined the reference framework for the purposes and means of the processing), which excludes its possible cross-border nature as instead claimed by the Company (which provided no evidence in this regard other than the mere membership of the Italian company in a group of companies).

In this case, therefore, Article 55 of the Regulation applies, which establishes the competence of the national supervisory authorities to exercise the powers and fulfil the tasks assigned to them by the Regulation in relation to processing carried out on the national territory by an entity established there, which in respect of that processing acts as an independent legal entity (see art. 55 and recital 122 of the Regulation).

In fact, the existence of a group of companies does not give rise to a new centre of attribution of legal relationships that overlaps the individual companies belonging to the group (to the same effect, see Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version 2.0, adopted by the European Data Protection Board on 7 July 2021, p. 32, point 89: "within a group of companies, a company other than that of the data controller or data processor is a third party, even if it belongs to the same group to which the company acting as data controller or data processor belongs").

Participation in a corporate group, therefore, does not determine a legal-formal unification of the corporate entities involved, which maintain their legal subjectivity.

Moreover, and solely for the purpose of completing the framework outlined by the Regulation on cooperation procedures between the European supervisory authorities, it should be noted that even in the presence of cross-border processing (not found in the present case, as already argued) the authority of the establishment remains competent where it receives a complaint or detects a violation of the Regulation whose subject matter concerns only an establishment in its Member State or substantially affects data subjects only in its Member State (art. 56, paragraph 2, of the Regulation).

In conclusion, for the reasons set out above, none of the provisions of the Regulation attributes the competence to deal with the complaint that gave rise to the investigation concluded with this provision to the Irish Authority, as instead deemed by the Company.

3.2. The violation of the articles 5, par. 1, lit. a), 6 and 28 of the Regulation.

The Company, in execution of the contract stipulated with the customer Giessegi, carried out the processing of personal data relating to the complainant through Visirun device no. 30006717, which was active until 23 November 2020 (as well as to the other data subjects who used the vehicles on which the other geolocation devices were installed), as data processor, given that the determination of the purposes and means of the processing rested with the customer to whom the service was provided (see art. 4, no. 8 of the Regulation, containing the definition of "processor").

Based on the analysis of the concrete circumstances relating to the processing subject of the complaint, it appears that the Company therefore carried out processing of personal data relating to the complainant and to other carriers, in execution, as far as the complainant is concerned, of orders for the supply of the "Light" service, for a period between February 2016 and November/December 2020, without having adequately defined the relationship with the customer/data controller and in the absence of specific instructions prepared by the latter, in accordance with the provisions of art. 28 of the Regulation.

The data controller, as part of the preparation of the technical and organizational measures that meet the requirements established by the Regulation, also in terms of security (articles 24 and 32 of the Regulation), may make use of a processor for the performance of some processing activities, to which it gives specific instructions (see recital 81 of the Regulation).

In this case, the controller "uses only processors providing sufficient guarantees to implement [the aforementioned measures] in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject" (art. 28, paragraph 1 of the Regulation).

Pursuant to art. 28 of the Regulation, the controller may therefore also entrust processing to external parties, regulating the relationship by a contract or other legal act and issuing instructions regarding the main characteristics of the processing, also with reference, as regards the specific case, to the "nature and purpose of the processing", the "duration of the processing", "the obligations and rights of the controller", the manner in which the processor assists the controller in relation to the latter's obligation "to respond to requests for exercising the data subject's rights", as well as the operations to be carried out "after the end of the provision of services relating to processing".

The processor is therefore entitled to process the data of the data subjects on the basis of the rules established by a contract or other legal act that binds it to the controller and "only on documented instructions" from the latter (art. 28, par. 3, letter a), of the Regulation).

The Regulation also governs further specific obligations and forms of cooperation required of the processor, and the scope of the responsibilities incumbent respectively on the controller and the processor (see articles 30, paragraphs 2 and 3, 32, 33, paragraph 2, 82 and 83 of the Regulation).

Therefore, in the light of the literal content of the reference provisions, the objection raised by the Company in its defence briefs, according to which only the aforementioned Guidelines 07/2020 on the concepts of controller and processor, adopted on 7 July 2021, clarified the content of art. 28 of the Regulation, cannot be accepted.

That provision, in fact, expressly states that "processing by a processor shall be governed by a contract or other legal act [...] that is binding on the processor with regard to the controller" and that the processor, on the basis of that contract or other act, "processes the personal data only on documented instructions from the controller".

The expressions used by the EU legislator therefore indicate, with sufficient clarity, the conditions that must be met for processing carried out by a processor to be lawful where the controller has decided to entrust its execution to a different entity.

Moreover, the aforementioned Guidelines 07/2020 confirmed the unequivocal meaning of the rules on this point: "Since the Regulation clearly establishes the obligation to enter into a written contract, if no other relevant legal act is in force, there is an infringement of the GDPR. Both the controller and the processor are responsible for ensuring that a contract or other legal act governing the processing is in place. Without prejudice to the provisions of Article 83 of the GDPR, the competent supervisory authority may impose an administrative fine on both the controller and the processor, taking into account the circumstances of each individual case. Contracts entered into before the date of application of the GDPR should have been updated in line with Article 28(3). The absence of such an update, intended to bring a pre-existing contract into line with the requirements of the GDPR, constitutes an infringement of Article 28(3)" (Guidelines cited, page 35, point 103).

The aforementioned rules are applicable to the facts that are the subject of the complaint, on the basis of the "tempus regit actum" principle (art. 1, paragraph 2, of law no. 689 of 24 November 1981), taking into account that the processing operations, which started in 2016, continued until the end of 2020, so that art. 28 of the Regulation, in force at the time the conduct ceased, applies.

In any case, even before the Regulation became applicable in the Italian legal system, art. 29 of Legislative Decree no. 196 of 2003 (in the text in force at the time) provided that processing on behalf of the controller could be lawfully carried out only where a corresponding appointment had been made on the basis of specific instructions from the controller.

This reconstruction, already affirmed by the Garante in previous decisions (see decision of 21/7/2022 no. 268, web doc. no. 9811271), is confirmed by the ruling in which the Court of Cassation (see Cass., Section I Civ., order no. 21234 of 23 July 2021, concerning the processing of personal data in a different context), in upholding a decision of the Garante, specified among other things that "the agreement between the 'controller' and the 'processor' is provided for by law and is not intended only to regulate relations between the parties, with purely internal effect in terms of any breach of contract [...] because the rules laid down by the 'controller', in this regard as to the purposes and methods of processing, become a necessary element for the qualification as 'processor' in the specific case".

Furthermore, given the lack of the required designation as processor, and with it the lack of any indication, within the instructions, of the characteristics of the processing to be carried out, the processing operations performed by the Company in providing the geolocation service took place, for a significant period of time, without a suitable prerequisite of lawfulness, since in the present case no autonomous (and further) legal basis for the aforementioned processing activities was found.

In this regard, the Company's objection cannot be accepted, according to which "Articles 5 and 6 mentioned by the Garante refer to the legal basis that legitimises the processing of personal data by the controller" and "the processor [...] is a third-party supplier to which the controller's liability towards third parties cannot be extended", given that articles 5 and 6 of the Regulation, in laying down the principles applicable to the processing of personal data and the conditions for the lawfulness of processing, already in the choice of words used and in their literal meaning, disregard the legal qualification of the person carrying out the processing and refer, rather, to the principles and conditions that must characterise the processing itself (see also recital 39 of the Regulation: "Any processing of personal data should be lawful and fair. [...]" and recital 40: "In order for processing to be lawful, personal data should be processed on the basis of consent or on some other legitimate basis laid down by law, either in this Regulation or in other Union or Member State law").

In this regard, from a systematic point of view, account must also be taken of the definitions of "communication" of data, which is one of the possible processing operations and may therefore be carried out only where one of the conditions legitimising it is met (see art. 2-ter, paragraph 4, letter a), of the Code), and of "third party", i.e. a natural or legal person other than the data subject, the controller, the processor and the persons acting under the direct authority of the controller or processor (art. 4, no. 10 of the Regulation).

The aforementioned Guidelines 07/2020, moreover, confirm this reconstruction: "a controller-processor relationship may exist even in the absence of a written processing agreement. This would, however, imply an infringement of Article 28(3) of the GDPR. Furthermore, in certain circumstances, the absence of a clear definition of the relationship between the controller and the processor may lead to the problem of the lack of a legal basis on which any processing should be based, for example as regards the communication of data between the controller and the presumed processor" (Guidelines cited, p. 35, note 42).

In this case, given that the relationship between Giessegi, as controller, and Visirun S.p.A. was not adequately governed by specific legal acts, nor do the required instructions appear to have been issued at the same time, and that the contractual arrangement existing between the parties contained neither, at the time it was drawn up, the elements envisaged by art. 29 of Legislative Decree no. 196 of 2003 nor, after the Regulation became applicable, those indicated by art. 28 of the Regulation, it follows that the processing carried out by the Company took place in violation of art. 28, par. 3, of the Regulation.

Although the Company had clarified its qualification as processor and the need to proceed with the corresponding designation (see note from the Company of 14/1/2022, Annexes 7 and 8, esp. point 18), it does not appear that the Company asked the customer, before starting the service, to carry out this formality and to communicate the necessary instructions on the concrete methods by which the data processing was to be carried out.

Nor does any reminder appear to have been sent to the customer even after the Regulation became applicable in the national legal system.

Furthermore, for the reasons set out above, the Company acted in violation of articles 5, par. 1, lit. a) and 6 of the Regulation, under which processing is lawful only if at least one of the conditions exhaustively listed by the law is met (in particular, for so-called ordinary data, by art. 6 of the Regulation) (in line with previous decisions of the Authority, including: decisions of 17/9/2020, nos. 160 and 161, web doc. nos. 9461168 and 9461321; decision of 11/2/2021, no. 49, web doc. no. 9562852).

4. Conclusions: declaration of the unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, of the Regulation.

For the reasons set out above, the Authority considers that the statements, documentation and reconstructions provided by the Company during the investigation do not overcome the findings notified by the Office in the act initiating the proceedings, and are therefore unsuitable to allow this proceeding to be closed, since none of the cases envisaged by art. 11 of the Garante's Regulation no. 1/2019 applies.

The processing of personal data carried out by the Company, and in particular the processing of data relating to the geographical position of the data subject, is in fact unlawful, in the terms set out above, in relation to articles 5, par. 1, lit. a), 6 and 28 of the Regulation.

The violation ascertained in the terms set out in the reasoning cannot be considered "minor", taking into account the nature, gravity and duration of the violation itself, the degree of responsibility and the manner in which the supervisory authority became aware of the violation (recital 148 of the Regulation).

Therefore, given the corrective powers conferred by art. 58, par. 2, of the Regulation, a pecuniary administrative sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case, is to be applied (Article 58, paragraph 2, letter i) of the Regulation).

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

At the end of the proceedings it appears that Verizon Connect Italy S.p.A. has violated articles 5, par. 1, lit. a), 6 and 28 of the Regulation. For the violation of the aforementioned provisions, the pecuniary administrative sanction envisaged by art. 83, par. 4, lit. a) and par. 5, lit. a) of the Regulation is to be applied, through the adoption of an injunction order (art. 18, law of 24.11.1981, no. 689).

Considering that paragraph 3 of art. 83 of the Regulation applies, which provides that "If, in relation to the same or linked processing operations, a controller [...] intentionally or negligently infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement", the total amount of the fine is calculated so as not to exceed the maximum laid down by the same art. 83, par. 5.

With reference to the elements listed by art. 83, par. 2, of the Regulation for the purposes of applying the pecuniary administrative sanction and determining its amount, and taking into account that the sanction must "in each individual case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1, of the Regulation), it is noted that in the present case the following circumstances were considered:

a) as to the nature and seriousness of the violation, the fact that the violation concerned the general principles of processing was considered relevant; as to its duration, it was considered that it lasted for more than four years, over a period between February 2016 and the end of December 2020; it was also considered that the processing carried out in violation of the Regulation concerned, in addition to the complainant, the other data subjects associated with the vehicles geolocated through the devices supplied to Giessegi Industria Mobili S.p.A.;

b) as to the intentional or negligent nature of the violation and the degree of responsibility of the controller, account was taken of the Company's conduct and its degree of responsibility, which did not comply with data protection rules in relation to a plurality of provisions, also concerning the general principles of processing (lawfulness);

c) in favour of the Company, its cooperation with the supervisory authority and the absence of previous relevant violations were taken into account.

It is also considered that, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness with which the Authority must comply in determining the amount of the fine (Article 83, paragraph 1, of the Regulation), the economic conditions of the offender are relevant in the present case, first of all, as determined on the basis of the revenues earned by the company according to the financial statements for the year 2021. The amount of the sanctions imposed in similar cases was also taken into account.

In the light of the elements indicated above and the assessments made, it is considered appropriate, in the present case, to apply the administrative sanction of payment of a sum equal to Euro 30,000 (thirty thousand) against Verizon Connect Italy S.p.A.

In this context, it is also considered, in view of the type of violations ascertained, which concerned the general principles of processing, that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Garante's Regulation no. 1/2019, this decision must be published on the Garante's website.

It is also considered that the conditions pursuant to art. 17 of Regulation no. 1/2019 are met.

ALL THAT BEING CONSIDERED, THE GARANTE

declares the unlawfulness of the processing carried out by Verizon Connect Italy S.p.A., in the person of its legal representative, with registered office in Via Annibale Zucchini 53, Ferrara (FE), tax code (C.F.) 01744310382, pursuant to art. 143 of the Code, for the violation of articles 5, par. 1, lit. a), 6 and 28 of the Regulation;

ORDERS

Verizon Connect Italy S.p.A., pursuant to art. 58, par. 2, lit. i) of the Regulation, to pay the sum of 30,000 (thirty thousand) euros as an administrative fine for the violations indicated in this decision;

ENJOINS

the same Company to pay the aforementioned sum of 30,000 (thirty thousand) euros, in the manner indicated in the annex, within 30 days of notification of this decision, failing which the consequent enforcement acts will be adopted pursuant to art. 27 of law no. 689/1981. It should be recalled that the offender retains the right to settle the dispute by paying, again in the manner indicated in the annex, an amount equal to half of the fine imposed, within the time limit referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 for lodging the appeal as indicated below (art. 166, paragraph 8, of the Code);

ORDERS

the publication of this decision on the Garante's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Garante's Regulation no. 1/2019, and considers that the conditions pursuant to art. 17 of Regulation no. 1/2019 are met.

Pursuant to art. 78 of the Regulation, as well as art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, this decision may be challenged before the ordinary judicial authority by lodging an appeal with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the decision, or sixty days if the appellant resides abroad.

Rome, 15 December 2022

PRESIDENT
Station

THE RAPPORTEUR
guille

THE SECRETARY GENERAL
Matthew
Doc-Web: 9856694
Date: 12/15/22
Subjects: Geolocation; Private work
Typologies: Order injunction or revocation