Garante per la protezione dei dati personali - 9435807

From GDPRhub
Garante per la protezione dei dati personali - 9435807
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 25 GDPR
Article 58(2)(d) GDPR
Article 83(5)(e) GDPR
Type: Complaint
Outcome: Upheld
Decided: 09.07.2020
Published: 13.07.2020
Fine: 800000 EUR
Parties: n/a
National Case Number/Name: 9435807
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: n/a

The Italian DPA (Garante) fined telecoms operator Iliad €800,000 for violating multiple GDPR and Italian Privacy code provisions.

English Summary[edit | edit source]

Facts[edit | edit source]

As a number of different complainants brought similar issues to the Garante's attention regarding Iliad's processing practices, they decided to carry out a single inspection addressing all the complaints. The issues concerned the following:

- on activating their sim cards, customers had to give a mandatory tick of a box; by doing so Iliad declared them to have "read and accepted the general conditions, the service charter, the price brochure and Iliad's privacy policy on the processing of personal data";

- Iliad's requesting of consent for processing for marketing purposes, without having any specific intention or plan to do so;

-Iliad's use of "Simboxes", special machines with which customers could independently activate their simcard, by entering their data and ending the procedure by scanning the document and recording a video message of consent to the conclusion of the contract, the installation of Simboxes in raliway stations, shopping centres and Iliad shops, and the storage of the videos in Iliad's central databases;

- the accessibility (by certain staff members) and storage measures (retention periods over six months, a lack of authentication requirements beyond username and password, failure to store different types of data in separate computer systems) for customer's telephone and telematic traffic data.

Dispute[edit | edit source]

Holding[edit | edit source]

The Garante held the following:

The use of the mandatory tick of the box constituted an infringement of the fairness, lawfulness and transparency principle under Article 5(1)(a), because the formulation of the wording lacked the requirements of intelligibility and clarity that data customers would tick the box and be aware that by ticking the box, there would be a possibility of processing. The Garante did not accept that the box ticking could be considered consent, because that did not appear to be the controller's intention. The Garante did not issue further corrective measures on this aspect, as Iliad had subsequently adopted changes to more clearer separate information obligations from the collection of consent.

The collection of consent for marketing purposes "just in case" also constituted an infringement of Article 5(1)(a). The Garante did not issue further corrective measures on this aspect, because Iliad declared that it considered the consent for marketing given by anyone before July 2019 (when the issue was discovered) to be invalid and not given.

The use of the Simboxes, while not considered an outright breach of the data integrity and confidentiality principle in Article 5(1)(f), was still considered insufficient for containing potential risks of unauthorised access, particularly where the Simboxes were located in public spaces. Applying Articles 58(2)(a) and (d), the Garante ordered Iliad to adopt appropriate corrective measures, to guarantee greater confidentiality, including adopting specific measures for the positioning and placement of the machines.

The data storage measures constituted a violation of Articles 123(2) and 132-ter of the Italian Privacy Code. Applying Articles 58(2)(d) and (2)(i), the Garante ordered Iliad to adapt appropriate security measures and stop the processing, and issued a fine pursuant to Article 83.

Comment[edit | edit source]

In setting the quantity of the fine, the Garante considered the following to be factors justifying the size of the fine:

-the wide scope of the processing operations relating to the storage of traffic data;

-the fact that the storage could be considered "systemic", since it extended to all customers of Iliad's mobile telephone services, which included approximately 3 million users at the date of the Garante's inspection;

-the gravity of the violations, given the inadequacy of the security measures in places and the type of personal data (telephone traffic data) subject to the processing;

-the controller's inadequate technical and organisational measures;

-Iliad's general approach to processing, which showed "an overall negligent picture in the application";

- the degree of cooperation of Iliad with the Garante;

-the fact that the Garante discovered the violation during an inspection activity.


The Garante considered the following to be mitigating factors for the size of the fine:

-the measures adopted by Iliad to mitigate some of the consequences of the violations;

- the significant losses recorded by Iliad in 2018.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

Order injunction against Iliad Italia S.p.A. - 9 July 2020

Register of measures
No 138 of 9 July

THE DATA PROTECTION SUPERVISOR

At today's meeting, Dr. Antonello Soro, President, Dr. Giovanna Bianchi Clerici and Prof. Licia Califano, members, and Dr. Giuseppe Busia, Secretary General, took part;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD to the Personal Data Protection Code (Legislative Decree no. 196 of 30 June 2003), as amended by Legislative Decree no. 101 of 10 August 2018, laying down provisions for the adaptation of national legislation to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the complaints and reports received by the Guarantor, with regard to various processing of personal data carried out by Iliad Italia S.p.A. (hereinafter also referred to as: "Iliad" or "the Company");

HAVING REGARD to the results of the inspections carried out on 27, 28 and 29 May 2019 at the registered office of Iliad Italia S.p.A. in Milan;

HAVING CONSIDERED the documentation in deeds;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Garante Regulation no. 1/2000;

REPORTER Dr. Antonello Soro;

PRESS RELEASE

1. THE INVESTIGATIVE ACTIVITY CARRIED OUT

Since the end of 2018, the Guarantor has received a number of complaints and reports relating to different methods of personal data processing implemented by Iliad.

In particular, the issues brought to the Authority's attention concerned the processing of customer data for the activation of sim cards and the related method of acquiring payment data, the processing for its own promotional purposes and those of third parties and the measures adopted for the storage of data in customers' personal areas.

Given the nature and heterogeneity of the issues represented and in view of the fact that the Company, as a new electronic communications operator, had never been the subject of discussions with the Guarantor, it was deemed appropriate to make an overall assessment as part of a single inspection that was conducted on 27, 28 and 29 May 2019.

2. RESULTS OF THE INVESTIGATION

During the course of this assessment, checks were carried out which, starting from the individual reports and following the practice of the Office for the conduct of on-site inspections, made it possible to assess, also in a more general manner, the methods used to carry out the treatments and the technical and organisational measures adopted by the Company.

As a result of this activity, violations of the rules on the protection of personal data have emerged and some processing operations that could have probably violated these rules have also been detected. Therefore, on October 11, 2019, the Company was notified of the initiation of proceedings pursuant to Article 166, paragraph 5, of the Code to contest violations of the Code and the Regulations.

The Company sent its observations in reply by note dated 8 November 2019 and a hearing held the following 10 December.

2.1. Contextual acceptance of the contractual conditions and privacy policy.

In order to verify in a general way the business processes more closely related to the processing of users' personal data, the operations began with the verification of the activities necessary to activate a new user by accessing the website www.iliad.it.

In this context, it was verified that the procedure leading to the confirmation of the order provided, once all the data had been entered, for the mandatory tick of a box with which the subject declared to have "read and accepted the general conditions, the service charter, the price brochure and Iliad's privacy policy on the processing of personal data" (see page 3 of the minutes of 27 May). The documents referred to therein, including the information notice, were easily accessible via a link.

It should be noted, however, that the processing operations listed in the information published on the website are both optional and mandatory and, in some cases (processing for marketing and profiling purposes) are subject to the acquisition of a specific consent.

However, the wording of the above statement, while at the same time contemplating the "acknowledgement" and "acceptance" of the information notice, could lead to the doubt that the collection of consent for marketing purposes - which is specifically provided for in one of the previous screens - took place in the latter location with the tick "for acceptance".

Although the presentation of the information at the time of data collection was correct, as provided for by art. 13 of the Regulation, and taking into account that the data controller must be able to demonstrate, by documenting the viewing, that he or she has provided such information, the simultaneous mention of the acceptance of the information also appears superfluous, since no other meaning than that of mere confirmation of reading can be attributed to this diction; otherwise, in fact, by ticking the box, the subject would find himself or herself expressing consent to the processing which would be neither free, because the tick is mandatory and unique for the acceptance of the contractual clauses, nor specific because it concerns all the processing mentioned in the information. In this regard, reference is made to the contents of recitals 42 and 43 of the Regulation regarding the awareness of the subject expressing consent in the context of a written declaration that also covers other issues.

Therefore, the Office, in a note dated 11 October 2019, contested to the Company that such processing - taking into account that, in the terms described, the owner's intention did not appear to be to obtain consent to the processing, but only to demonstrate that he had complied with the information obligations - did not have the character of clarity and intelligibility and, therefore, could be in conflict, in particular, with the principles of fairness and transparency expressed by Article 5, paragraph 1, letter a) of the Regulation.

In its defence statement of 8 November 2019, the Company stated that, although it believes "that the approach taken so far is in accordance with the principles of lawfulness and transparency [...], with a view to always improving the services to its users, Iliad has removed the reference to the information on the processing of personal data from the contested sentence". The same has also attached the new screen in which, at the end of the user activation procedure, you are asked to select whether you have read and accept the General Terms and Conditions, Service Charter and Price Brochures while, in a separate space, the following notice is shown: "Your personal data will be processed in accordance with Iliad's Privacy Policy on the processing of personal data".

2.2. Request for consent for marketing purposes.

During the inspection, the registration procedure on the website www.iliad.it, aimed at requesting a new user, was examined and it was found that, at the bottom of the page for entering personal data, there was a box to tick to give consent to the processing of personal data for promotional purposes of Iliad itself. Failure to tick the box allowed to go ahead with the signing of the contract. This in accordance with the privacy policy where, in point 4 letter. i), the processing for marketing purposes with the express consent of the person concerned was envisaged.

In this regard, with statements made in the minutes (see page 2 of the minutes of 28 May), the Company clarified that "the checkbox, relating to the request for consent for promotional purposes, seen in the online activation procedure, does not imply the registration of such consent in Iliad's information systems, as the Company does not carry out direct marketing activities".

The Office, therefore, with the aforementioned note of 11 October, pointed out that, in the absence of processing for promotional purposes, both its mention in the information notice and the request for a specific consent were irrelevant; on the other hand, if the company had intended to carry out this type of processing, it would not have been able to demonstrate the correct acquisition of the consent of the parties concerned, since it had not registered them. Similarly, it was pointed out that in point 4, letter j) of the information notice, provision was made for the possibility of using the data provided by the interested party "to send marketing communications focused on the interests and needs of the user". Also in this case, the reference to a processing, the profiling aimed at marketing, which in reality is not carried out (and for which, in this case, the request for specific consent is not even provided), is not relevant.

In its statement of defence of 8 November 2019, the Company first specified that "unlike other operators in the telecommunications market, Iliad does not carry out any marketing, telemarketing or user profiling activities [...] and carries out promotional activities mainly through the television and digital channel which does not involve the processing of users' personal data". Then, with specific regard to the disputed point, it stated that 'Iliad intends to process its users' personal data for promotional purposes and, for this reason, Iliad has included this processing purpose in its information notice on the processing of personal data and has set up a system for collecting consent [...]. However, this activity has been postponed until now precisely because - due to a technical problem - the company has not been able to register the consents". In fact, the company added that the consent collection system, which had already been set up, was affected by a design bug which prevented the identification of the user, the date and time when the checkbox for consent was ticked. The Company has therefore corrected the error and since July 2019 all consents have been registered in the system; this allows users to express their willingness to grant or revoke consent also through the appropriate function in the personal area.

In addition, it is acknowledged that the Company has stated that its procedures do not include the transfer of customer data to third parties for promotional purposes (see minutes of 28 May 2019) and therefore there is no direct basis for the complaints made in some reports regarding the receipt of promotional calls after activating an Iliad user.

2.3 Suitability of Simboxes to guarantee the confidentiality of those concerned.

During the inspection, the Company was asked to describe how the Simboxes were assigned to customers. Iliad clarified that the new users can be requested through the website or by going to the physical sales channels (Iliad branded points of sale or special spaces, called "corners", set up in places open to the public). In all cases, the company has set up special procedures to identify those who require the activation of a telephone number, in accordance with the provisions of current legislation on the fight against terrorism (Law no. 155 of 31 July 2005).

In the case of activation via the web, the user can choose whether to proceed immediately with the identification through the site or to postpone this phase when the sim is delivered by courier. In the first case, at the end of the procedure, the user is asked to attach a copy of the identification document by recording a short video in which he declares that he wants to sign the contract; in the second case, instead, the identification of the owner of the sim is made directly by the courier, appointed responsible for the processing and specially trained for this procedure.

If, on the other hand, the activation of a new sim is carried out through physical channels, the company has set up special machines, called "Simbox", with which customers can make the purchase independently, entering their data and ending the procedure by scanning the document and recording a video message of consent to the conclusion of the contract. The staff present in the shops only have the function of customer assistance and are not involved in the user activation procedure.

The video recordings made in this way are viewed by back office operators who, after a comparison with the uploaded document, conclude the procedure allowing the activation of the user.

During the assessment carried out by the Authority, the user activation procedure was simulated using a Simbox installed at a point of sale. During this activity, documented by means of photographic footage (see attachment 5 in the minutes of 28 May), it was possible to verify that there were several publicly accessible machines inside the store to carry out the procedure independently.

Iliad was denied that the camera installed on the Simbox was capable of taking a shot at an angle of approximately 180 degrees; as can also be seen from the documentation on the record, such a method could also enable the image of people passing behind or to the side of the person carrying out the operation to be recorded; the photographic recordings, set out in Annex 5 to the minutes of 28 May, show that the camera's shot not only shows the face of the person making the recording but also the people behind it. At the same time, the absence of appropriate measures to ensure the confidentiality of customers during operations could allow anyone on the premises to view the data entered on the Simbox screen and to listen to the content of the video message (during which the user must state his first and last name).

It should also be borne in mind that these machines are installed, not only in Iliad shops, but also (and mainly) in special areas set up at railway stations and shopping centres, and even in this case there are no particular measures to protect the confidentiality of customers, considering in particular that these are places characterized, in general, by a large influx of people (see attachment 2 to the minutes of 27 May where there is a photo of two Simboxes positioned inside a shopping centre).

Moreover, even in the service contract signed with the company that deals with the operational management of the areas located in the shopping centres, there is no reference to particular measures to be observed in the positioning of the Simboxes in order to comply with the rules of confidentiality (see attachment 2 to the minutes of 27 May).

In providing its own observations in reply, Iliad represented that the Simbox camera is activated only for the short period of time (maximum 10 seconds) necessary to carry out the recording and does not allow a clear picture of the subjects passing near the machine. Moreover, with regard to the possibility, contested by the Guarantor, to expose the personal data typed by users to the view of third parties, the Company stated that the size of the screen and its positioning should not allow third parties to read the text typed since the view would be covered by the person who performs the operation and taking into account that the input character is gray.

This stated, while continuing to consider that the measures taken are already in line with the standards, the company nevertheless introduced the following corrective solutions:

- in the screen that appears to the user at the start of the registration procedure, the following warning is shown: "make sure that you do not register images of third parties, that you are alone, facing and positioned so that your entire face is visible and identifiable";

- the collected registrations, as soon as they have been validated by the customer care operators, are made visible only to the managers of the customer care function and, after six months, are accessible only to the JAS (Judicial Authority Services) function for the duration of the contract.

In addition, during the hearing held on 10 December 2019, Iliad added that the video recording is not stored in the Simbox, but is stored directly in the central database; in addition, videos containing third-party images are immediately deleted by the operators in charge of the identification procedure with simultaneous interruption of the process and request to the customer to make a new recording. The Company also specified that the operator in charge of identification and the assistant present at the points of sale cannot make copies of the documents provided by customers or of the registrations made.

2.4.  Compliance with the rules on access and storage of telephone and telematic traffic data.

During the investigation conducted on 28 May 2019, access was made to the company's CRM system, both with operator and administrator profiles, to verify its content. It was thus found, and reported in the minutes, that the "customer care department administrator" profile could view users' telephone traffic data in clear text by entering userid and password. In addition, the accessible data was related to traffic since August 2018.

It was therefore contested to the company that this procedure could not be considered compliant with the rules on the storage of telephone and telematic traffic data pursuant to Articles 123, 132 and 132-ter of the Code and on the basis of the provisions of the Guarantor's general provision of 17 January 2018 (in www.garanteprivacy.it web doc no. 1482111). This is because:

1. the person in charge with an administrator profile - who, being in charge of the customer care function, could have access only to data stored for billing purposes - could instead view data stored for a period longer than six months allowed by art. 123 of the Code (traffic data of August 2018 as of May 2019 were present);

2. the same had access to the system containing the traffic data by typing only username and password, without therefore using strong authentication techniques at the time of verification;

Moreover, as a result of the above findings, the requirement to store the different types of data in separate computer systems was not implemented, since the operator, accessing the CRM system, could also view data generated in a period exceeding six months.

In a note dated 8 November 2019, Iliad considered that the objections received by the Guarantor were unfounded on the grounds that the information contained in the screenshot in Annex 6 to the assessment report of 28 May 2019, "do not make it possible to reconstruct the communication flows of the users to which they refer and cannot therefore be considered traffic data". In this regard, it should be noted that the content to which the company refers (attachment 6), since it refers to access made with an operator profile, has never been contested by the Authority and is therefore improperly cited. The dispute, on the other hand, was based on access made with an administrator profile which, as reported in the minutes of May 28, 2019 signed by the party, "can display further information such as the data of outgoing telephone traffic in clear text starting from August 2018". No further comments were received from Iliad on that point either in the statement of defence referred to above or during the subsequent hearing.

Moreover, with regard to the contested access made without adopting strong authentication techniques, the Company stated in its defence brief that 'with regard to the Mobo management system inspected specifically but in general with regard to all corporate systems, Iliad has adopted a dual authentication technology. In fact, in addition to entering the username and password of the user accessing the system, there is a form of automatic authentication determined by the connection exclusively of the company devices to the Iliad network. When accessing the Iliad network through the company device, in fact, the system performs a first recognition of the Iliad employee and a second recognition occurs when accessing the Mobo management system". The same, however, has not attached any documentation proving what has been declared and it must be pointed out that this justification was not mentioned at the time of verification.

With the note of 8 November 2019, the Company also provided its own observations with regard to the fact that, at the time of the assessment, the telephone traffic data generated over six months were found to be present in the customer care management system, contrary to the requirements of the Guarantor regarding the need, after the first six months, to separate the computer systems responsible for data storage for different purposes. In this regard, the company has stated that it has "created a single database with security measures and differentiated levels of access (i.e. Mobo and JAS management CRM) according to the purposes of the processing and the related storage period. This system therefore has a logical rather than physical separation".

3. LEGAL ASSESSMENTS

With reference to the factual profiles highlighted above, also on the basis of the declarations of the Company for which we are responsible pursuant to art. 168 of the Code, the following assessments are made in relation to the profiles concerning the regulations on the protection of personal data.

3.1 Contextual acceptance of the contractual conditions and privacy policy.

The processing described in point 2.1., the reasons for which are referred to in full, as implemented before the amendments made by the Company, did not fully comply with the principles expressed in the Regulation. This is because the formulation proposed in the screenshot of the conclusion of the contract was inconferential, requiring the "acceptance" of the information notice and not only its acknowledgement and this request was, moreover, formulated together with the confirmations of a contractual nature. As is well known, the informative note drawn up by the owner has the function of making the interested party aware of every aspect of the processing of personal data; this merely explanatory nature means that the owner, while being able to ask the interested party to confirm that he has read it, cannot however also ask him to express, through a general and general acceptance, a will that would be in fact similar to a consent.

Therefore, although the Office understood that, in the terms described, the intention of the data controller did not appear to be to obtain consent to the processing but only to demonstrate that it had complied with the information obligations, it considered it necessary to contest the lack of the requirements of clarity and intelligibility with the consequence of a possible processing in contrast, in particular, with the principles of fairness and transparency expressed by Article 5(1)(a) of the Regulation.

The corrective measures adopted by the Company, following the dispute received, are sufficient to separate the information obligations from the collection of consent, giving back to this phase of the processing the necessary clarity.

On this aspect, therefore, it is not considered necessary to adopt specific corrective measures, with the exception of what indicated in point 4.1 of this provision.

3.2. Request for consent for marketing purposes.

With regard to the processing described in point 2.2., it should be noted that the Company, on the basis of the statements made, until July 2019 requested the parties concerned to give their consent to the processing for promotional purposes without, however, keeping track of this intention. This would have happened because, as initially stated in the minutes, the Company did not carry out (and still does not carry out) direct marketing activities, but also, as subsequently claimed in the defence brief, due to a bug in the system for recording consent.

On the basis of the statements made, it must therefore be considered that, as already disputed, the request for consent for promotional purposes, specifically mentioned in the information notice, without such processing existing or planned, is in contrast with the principle of fairness and transparency set forth in Article 5, paragraph 1, letter a) of the Regulation.

However, having taken note of the Company's intention, not mentioned during the inspection, but made known in the defence, to actually implement processing for promotional purposes, taking into account the corrective measures taken, and the fact that the Company has declared that it considers the consent of persons registered before July 2019 as denied, it is considered that, also on this point, there are no grounds for adopting specific corrective measures, except as indicated in point 4.1 of this provision.

3.3 Suitability of Simboxes to guarantee confidentiality.

The checks carried out by simulating the signing of a contract through Simbox have raised some doubts regarding the confidentiality of the procedure. Therefore, it has been contested to the Company that such treatment may expose the parties concerned to the risk of unauthorized access, violating the principle of integrity and confidentiality set forth in art. 5, par. 1, letter f) of the Regulation.

The corrective measures introduced by the Company (described in point 2.3) may be considered suitable to contain the risk, but may not be sufficient, especially in the case of totems located in places open to the public (not only Iliad points of sale but also corners) which are, in general, characterised by a greater number of people.

Moreover, taking into account the overall processing carried out even before the adoption of the corrective measures, the violation of Article 5, paragraph 1, letter f) of the Regulation is considered to be integrated with the lack of adequacy of the measures adopted to ensure the confidentiality of personal data.

Having said that, pursuant to art. 58, par. 2, letter a), it is considered necessary to issue a warning to the Iliad about the breaches of confidentiality through the use of the Simbox and, consequently, to enjoin it, pursuant to art. 58, par. 2, letter a), of the Regulation. d), to adopt appropriate corrective measures to guarantee greater confidentiality to the parties concerned when recording the video by adopting specific measures for the positioning of the machines, placing them in such a way that they cannot allow undue access to the information (for example near a wall) or by inserting rear panels, or by providing for courtesy distances and consequently integrating the instructions to the service personnel.

3.4. Compliance with the rules on access and storage of telephone and telematic traffic data.

As reconstructed in point 2.4., during the course of the inspection activity it was ascertained that the customer care officer with administrator profile could view telephone traffic data in clear text, generated for more than six months, by accessing the system, called "Mobo", in charge of customer care management.

The Company's conduct was assessed in the light of the provisions of articles 123, 132 and 132-ter of the Code, which provide specific indications on the measures to be adopted in the storage of traffic data. In particular, art. 132-ter requires suppliers of electronic communication services to avail themselves, pursuant to art. 32 of the Regulations, of technical and organisational measures appropriate to the existing risk. Such measures, to be considered, at the state of the art, as a minimum security requirement generally used by the operators present on the market, are concretely identifiable with the provisions of the Guarantor, with regard to the storage of traffic data, by general measure of 17 January 2008 (in www.garanteprivacy.it web doc no. 1482111, as amended by the subsequent measure of 24 July 2008, web doc no. 1538224), according to which:

- the processing of telephone and telematic traffic data by providers must be allowed only to specifically authorised persons in charge and only on the basis of the prior use of specific computer authentication systems based on strong authentication techniques, consisting in the contextual use of at least two different authentication technologies; for traffic data stored for the sole purpose of ascertaining and prosecuting crimes (and generated for more than six months), one of these technologies must be based on the processing of biometric characteristics of the person in charge;

- the computer systems used for the processing of traffic data retained for the sole purpose of justice must be different from those used also for other business functions (such as billing, marketing, anti-fraud); however, a first period, of 6 months from generation, during which the data may be processed by computer systems not exclusively reserved for justice purposes, is permissible;

- the supplier must define and assign specific authorisation profiles to the persons in charge, differentiating the functions of processing traffic data for ordinary management purposes from those for the detection and prosecution of crimes.

As a result of the preliminary investigation activities carried out, the Office considered that the elements acquired could constitute violations and therefore initiated the procedure referred to in Article 166, paragraph 5 of the Code. In the face of the precise objections received, the Company - which also presented a 22-page brief and was heard at a subsequent hearing - replied on the point in a non-exhaustive and sometimes equivocal manner.

In the specific case concerning the retention of traffic data, Iliad replied that the objections received were to be considered unfounded as, in his opinion, there were three issues to consider:

1. the levels of access to personal data;

2) the verification that traffic data could be viewed through the Mobo management system;

3) the period of retention of personal data.

With regard to the first point, Iliad stated that it had adopted differentiated levels of access to the systems according to the role of the employees and, also in this case, access to the Mobo system allows different levels of visibility of the information according to the profile (operator/administrator). With regard to this, it should be noted that this aspect has never been contested by the Office, which, on the other hand, has contested the fact that the person in charge of customer care (albeit with the administrator profile) was able to view data stored for a period of more than six months, after which time the staff in charge of verifying the correctness of the billing (such as the customer care administrator) should no longer be allowed and should, instead, be reserved only to those persons authorized to access traffic data stored for justice purposes.

With regard to the second point, as already described in paragraph 2.4, the Company noted that the screenshot included in Annex 6 to the minutes of May 28, 2019 does not contain traffic data and, for this reason, the dispute would not be founded. As mentioned above, the attachment referred to by the Company is the one related to the access made with operator profile which has never been contested by the Office. The access carried out with the system administrator profile is instead reported in attachment 7, which shows how the person in charge accessed the system by typing userid and password and that the customer care platform keeps track of the operations carried out by the administrator; moreover, the overall result of this access, which acknowledges the presence of "outgoing telephone traffic data in clear text as of August 2018 for the user card displayed," was reported in the report that the party signed and never subsequently contested.

Moreover, the Company, in the aforementioned memorandum, continuing with the alleged groundlessness of the objection (third point of the above mentioned list), added that "in any case, Iliad confirms that the accessibility to traffic data in the Mobo system is currently limited to a period of six months from their registration". Therefore, the presence of traffic data in the customer care system (Mobo) is to be considered unquestionable, as confirmed by Iliad itself, and, as underlined by the adverb "currently", the retention period is now limited to six months, thus being able to deduce that this retention period was previously different and that, probably, the Company has taken corrective action (which, however, it has neither mentioned nor documented).

The objection addressed to Iliad also concerned the aspect related to the conformity of the authentication procedure. As reported in the minutes of 28 May 2019, the person in charge with administrator profile logged on to the customer care system by entering a user-id and password (as reported in attachment 7 to the minutes). It was therefore contested that, at the time of the assessment, the measure of two-factor authentication was not used, which, as prescribed in the Guarantor's order, is necessary to guarantee the confidentiality of traffic data even if kept only for billing purposes.

As described in point 2.4, the company, in its defensive memory, stated that two-factor authentication is automatically given "by connecting exclusively the company devices to the Iliad network. When accessing the Iliad network through the company device, in fact, the system performs a first recognition of the Iliad employee and a second recognition occurs when accessing the Mobo management system". On this point, reference is made to the aforementioned provision of the Guarantor, which admits that "this authentication phase can be carried out with procedures that are strictly integrated with the IT applications with which the supplier processes traffic data, or with procedures for the protection of individual workstations that are integrated with the authentication functions of the operating systems used. In the latter case, the supplier must ensure that there are no methods of access to the computer applications by its data processors that allow the strong authentication procedures set up for access to the workstation to be circumvented". Therefore, while considering that the justification put forward by the Company could in principle be acceptable with regard only to the data generated within six months, it appears however late and therefore no longer verifiable, since it was only submitted after receiving the complaint and not during the inspection; the same is also undocumented since the Company has limited itself to stating that an initial authentication phase is overcome with access to the company device without however proving, either during the inspection or subsequently, that the instrument used by the person in charge possessed the necessary characteristics to uniquely identify the user. Moreover, it must be remembered that for access to data generated more than six months ago, it is in any case required that one of the authentication technologies is based on the biometric characteristics of the person in charge.

Finally, the observations made with regard to the Company more generally concerned the methods of storing traffic data which, on the basis of the preliminary findings, raised doubts also with regard to the separate storage according to the purpose (billing or justice). In fact, the presence of traffic data generated for more than six months in the system dedicated to customer management led to the Company being challenged for failure to comply with the requirement to store the different types of data in separate computer systems.

In relation to this specific complaint, the Company only replied that "Iliad has created a single database with different security measures and access levels (CRM i.e. Mobo and JAS) depending on the purpose of the processing and the related storage period. This system therefore has a logical rather than physical separation [...] Iliad did not decide to physically duplicate the databases according to the purpose of the processing'. From the laconic reply of the Company, which has received punctual objections and has had ample opportunity to articulate its defence, it can only be deduced that there is a single system, logically separated by means of differentiated accesses according to the purposes and storage times. The Company, however, did not provide any explanation regarding the disputed access to the data generated more than six months ago by the customer care area manager who, due to the function performed, should not have had access to such data taking into account that, according to what has been stated, the logical separation based on purposes should have prevented such access.

Therefore, the above reply confirms what has already been challenged with regard to the failure to separate the systems responsible for the storage of traffic data.

The cited measure of the Guarantor, in fact, prescribes that the data kept for exclusive purposes of justice be kept in informatics systems physically - and not logically - distinct from all other company systems and to such systems dedicated measures are applied, such as, among others, access only to authorized personnel with systems of recognition to two factors (of which one biometric) and the encryption of the data. The same measure also admits that, at the holder's choice, data generated for up to six months can be stored in a single system in order to be processed also for justice purposes, without the need to resort to any separation; this option, however, is applicable, as said, only within six months of generation and therefore, in the presence of data generated for more than six months, cannot be considered applicable to the present case.

Therefore, the statements made by the data controller in the course of the investigation, the truthfulness of which may be called to account pursuant to art. 168 of the Code, do not allow, in any case, to overcome the findings notified by the Office with the act of initiation of the procedure, and are not suitable to exclude the responsibility of the party with regard to what has been challenged, since they have not helped to demonstrate that the measures adopted by the company can be considered compliant with the security measures - at the state of the art available and adopted in general by electronic communication operators - described in the measure of the Guarantor on the retention of traffic data.

In the light of the new regulatory framework constituted by the Regulations and the Code, it must in fact be considered that the specific prescriptions of the provision of the Guarantor of 17 January 2008 are to be considered in the same way as the basic security measures of treatment applicable to the providers of electronic communication services. The failure to comply with these provisions must be considered equivalent to the lack of technical and organizational measures appropriate to the existing risk and, consequently, integrates the violation of Article 132-ter of the Code.

For the above, it must also be considered as a violation of art. 123 of the Code, with regard to storage exceeding six months in systems used for billing purposes.

On the basis of the elements set out above, having noted the violations indicated in this paragraph, it is necessary, pursuant to Article 58, paragraph 2, letter d) of the Regulation, to order Iliad to adapt the security measures put in place to protect traffic data in compliance with the provisions of the Guarantor with the measure of 17 January 2008 as amended by the measure of 24 July 2008. Moreover, considering that the objections addressed to the Company did not prove to be sufficient to request corrective action by the latter, it is deemed necessary to adopt an injunction against the Company, pursuant to Article 58, paragraph 2, letter i), of the Regulation, Article 166, paragraph 7, of the Code and Article 18 of Law no. 689/1981, for the application of the administrative fines provided for by Article 83, paragraphs 4 and 5, of the Regulation. 

4. ORDER INJUNCTION FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

4.1. Information and consent.

The conduct ascertained in points 3.1. and 3.2. of this decision constitutes an infringement of Article 5(1)(a) of the Regulation.

However, taking into account:

- of the holder's intentions which, on the basis of what has been acquired in deeds, do not appear to be aimed at knowingly achieving the effects of the contested conduct and are rather attributable to a negligent application of the rules;

- the presumed lack of consequences for the data subjects, since the promotional purpose of the processing has not yet been achieved;

- the measures adopted and aimed at resolving the critical issues mentioned above,

it is considered that they can be classified as 'minor' infringements in the light of Article 83(2) and recital 148 of the Rules of Procedure and that, therefore, it may be sufficient to admonish Iliad, pursuant to Article 58(2)(b) of the Rules of Procedure, to the effect that it is not necessary to refer to the infringement in question. b) of the Rules for failure to comply with art. 5(1)(a) of the Rules, as well as with the principles set forth in art. 25 of the Rules, also meaning that in default the sanction set forth in art. 83(5)(a) of the Rules is applicable.

4.2. Simbox and security measures.

The conduct ascertained in point 3.3 of this decision is likely to expose the parties concerned to the risk of unauthorised access to personal data and is therefore likely to constitute a breach of the principle of integrity and confidentiality as per art. 5, par. 1, letter f) of the Regulation.

However, taking into account the corrective measures introduced by the Company to contain this risk, as well as the measures taken with reference to any videos containing images of third parties, it is considered that this violation can also be qualified as "minor" in the light of Article 83, paragraph 2 and recital 148 of the Regulation.  Therefore, it is considered sufficient to admonish Iliad, pursuant to art. 58, par. 2, letter a) of the Regulation, with regard to the breaches of confidentiality through the use of the Simbox and, at the same time, to order it, pursuant to art. 58, par. 2, letter d) of the same Regulation, to take corrective measures to ensure greater confidentiality to the parties concerned when recording the video by adopting the specific measures indicated in point 3.3 of this decision. 

4.3. Safety measures applied to the storage of traffic data.

The conduct ascertained in point 3.4 of this decision integrates the violations of articles 132-ter and 123, paragraph 2 of the Code, subject respectively to the sanction set forth in art. 83, paragraph 4 and paragraph 5 of the Regulation.

4.4. Quantification of the pecuniary administrative sanction.

In view of the above, Article 83, paragraph 3, of the Regulation is applicable, according to which, if, in relation to the same processing or related processing, a data controller violates, with intent or negligence, various provisions of the Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation with consequent application of the sanction provided for in Article 83, paragraph 5 of the Regulation.

In particular, for the purposes of quantifying the administrative sanction, for the violations referred to in point 4.3 above, the cited art. 83, par. 5, in setting the maximum amount at 20 million euros or, for companies, at 4% of the world-wide annual turnover of the previous financial year, if higher, specifies the methods of quantification of the aforesaid sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, paragraph 1 of Regulation (EU) 2016/679), identifying, for this purpose, a series of elements, listed in paragraph 2, to be assessed when quantifying the relative amount.

In compliance with this provision, in the present case, the following circumstances must be considered:

1. the wide scope of the processing operations relating to the storage of traffic data) which, on the basis of the information provided and in the absence of other specifications, can be considered to be systemic in nature and therefore extended to all customers of Iliad's mobile telephone service relating to approximately 3 million users at the date of the inspection, as declared by the same (Article 83(2)(a) of the Regulation);

2. the seriousness of the violations detected, due to the fact that, due to the inadequacy of security measures, a type of personal data (telephone traffic data) for which the legislator, in view of the high prejudice resulting from the processing, has prepared special rules to protect the conservation (Article 83, paragraph 2, letter a) of the Regulation);

3. the degree of responsibility of the data controller, taking into account that the technical and organizational measures described were not adequate to the state of the art, despite the provisions of the Guarantor are to be considered widely known among operators of electronic communication services, since they were issued with a general measure in 2008, several times the subject of specific application measures;

4. the general approach taken by Iliad in the processing of personal data (Article 83, paragraph 2, letter d) of the Regulation), considering that, in addition to what is highlighted in the previous point, also the violations described in points 3.1, 3.2 and 3. 3, even if considered of a lesser character, have, however, shown an overall negligent picture in the application, since the planning, of measures of protection of the interested parties which, given the constant and numerous pronouncements of the Guarantor, are by now to be considered commonly known to the holders of the treatment (see, also here, the numerous measures regarding the correctness of the information and the collection of the consent and, with regard to the respect of measures suitable to avoid unauthorized access, by means of, for example, the use of the data protection system, which is not only the responsibility of the Guarantor, but also of the data controller. the establishment of "courtesy" distances, the numerous clarifications made by the Guarantor, including, for example, the note of 30.3.1998, web document no. 39464);

5. the degree of cooperation with the Supervisory Authority, since the Company limited itself to considering the contested violations unfounded, supporting its reasons with arguments that were often not relevant to what was ascertained in the minutes, and taking into account that, in view of the objections received with regard to the retention of traffic data, the Company, unlike the other findings received, did not consider it necessary to intervene in any way to adjust its security measures, limiting itself only to confirming the current presence in the Mobo system of traffic data generated no more than six months ago (art. 83, paragraph 2, letter f) of the Regulation);

6. the way in which the Control Authority became aware of the violation, which emerged during an inspection activity (art. 83, par. 2, letter h) of the Regulation).

As mitigating elements, it is deemed necessary to take into account:

1. the measures adopted by Iliad which, although not sufficient, appear to be useful to mitigate part of the prejudicial consequences of the violations found;

2. the significant loss recorded in 2018, higher than the value of production (art. 83(2)(k) of the Regulation).

From an overall perspective of the necessary balance between the rights of the parties concerned and the freedom to conduct a business, taking into account that the Company, also due to its recent presence on the Italian market, has not had any previous sanctioning proceedings, and as the first application of the administrative pecuniary sanctions provided for by the Regulation, it is necessary to prudently evaluate the above criteria, also in order to limit the economic impact of the sanction on the organizational, functional and employment needs of the Company.

Therefore, it is considered that - on the basis of all the above mentioned elements - the administrative sanction of the payment of a sum equal to 4% of the maximum amount of Euro 20 million, corresponding to Euro 800,000.00 (eight hundred thousand), should be applied to Iliad. The maximum fine is determined with reference to Article 83(5), taking into account that 4% of Iliad Italia S.p.A.'s turnover is less than EUR 20 million.

It should be noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

In this context, it is also considered - in consideration of the delicacy of the processing operations whose unlawfulness has been ascertained in light of the fundamental rights of the data subjects and the large number of the same - that, pursuant to Article 166, paragraph 7, of the Code, and Article 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, this measure should be published on the website of the Guarantor, as an accessory sanction.

Please note that in case of non-compliance with this measure, the sanction referred to in Article 83, paragraph 5, letter e) of the Regulation shall be applied at the administrative level.

ALL THIS BEING SAID, THE GUARANTOR

against Iliad Italia S.p.A., with registered office in Viale Francesco Restelli, 1/A, Milan, Tax Code 13970161009,

a) with regard to the violations found with regard to the correct methods of administration of the information and the consent of the parties concerned (points 3.1. and 3.2 in the introduction), admonishes Iliad, pursuant to art. 58, par. 2, letter b) of the Regulation, for failure to comply with art. 5, par. 1, letter a) of the Regulation, as well as with the principles set out in art. 25 of the Regulation;

b) with regard to the violations found with regard to the video recordings made through Simbox (point 3.3. in the introduction): pursuant to art. 58, par. 2, letter a) of the Regulation, Iliad warns Iliad about the violations of confidentiality and, pursuant to art. 58, par. 2, letter d), of the Regulation, enjoins Iliad to adopt, within 120 days of receipt of this measure, the corrective measures indicated in the introduction, suitable to ensure greater confidentiality to those concerned during the use of such equipment;

c) with regard to the breaches found with regard to the storage of telephone traffic data (point 3.4. in the introduction), pursuant to Article 58(2)(d) of the Regulation, enjoins it to adopt, within 120 days of receipt of this measure, all the measures necessary to make the processing in accordance with the measure of the Guarantor of 17 January 2008 as amended by the measure of 24 July 2008;

d) considers that the conditions set out in Article 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met;

e) in accordance with art. 157 of the Code, requests to communicate, within the following 30 days, what initiatives have been taken in order to implement the requirements, with an adequately documented response; failure to do so may result in the application of the pecuniary administrative sanction provided for in art. 83, par. 5, letter e) of the Regulation;

ORDER

pursuant to art. 58, par. 2, letter i), of the Regulation, Iliad Italia S.p.A., in the person of its legal representative, to pay the sum of Euro 800,000.00 (eight hundred thousand) as an administrative fine for the violations indicated in the statement of reasons; it is represented that the offender, pursuant to art. 166, par. 8, of the Code, has the right to settle the dispute by payment, within 30 days, of an amount equal to half of the sanction imposed;

INGIUNGE

the aforesaid Company, in the event of failure to settle the dispute pursuant to Article 166, paragraph 8, of the Code, to pay the sum of Euro 800,000.00 (eight hundred thousand), according to the methods indicated in the attachment, within 30 days of notification of this measure, under penalty of the adoption of the consequent executive acts pursuant to Article 27 of Law no. 689/1981;

AVAILABLE

in accordance with Article 166, paragraph 7, of the Code, the publication of this measure in full on the website of the Guarantor.

Pursuant to Article 78 of Regulation (EU) 2016/679, as well as Articles 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, opposition to this measure may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller resides, or, alternatively, with the court of the place of residence of the person concerned, within thirty days from the date of communication of the measure itself, or sixty days if the claimant resides abroad.

Rome, 9 July 2020

THE PRESIDENT
Soro

THE REPORTER
Soro

THE SECRETARY GENERAL
Busia