Garante per la protezione dei dati personali - 9525315

From GDPRhub
Revision as of 16:12, 18 March 2021 by Cvl
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR; Article 5(1)(e) GDPR; Article 6 GDPR; Article 9 GDPR; Article 28 GDPR
Type: Investigation
Outcome: Violation Found
Published: 17.12.2020
Fine: 40000 EUR
Parties: Miropass s.r.l.
National Case Number/Name: 9525315
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante Privacy (in IT)
Initial Contributor: n/a

The Italian DPA (Garante) imposed a fine of € 40 000 on Miropass s.r.l. for the violation of Articles 5(1)(a) and (e), 6, 9 and 28 GDPR.

English Summary

Facts

With a previous measure (No. 81 of 7 March 2019), the Garante declared unlawful the processing carried out by the Municipality of Rome using the "TuPassi" system provided by Miropass s.r.l.

Consequently, the Garante carried out an investigation into the "TuPassi" platform provided by Miropass s.r.l. In its investigation, the Garante noted the absence of:

  • a suitable prerequisite of lawfulness, in violation of Articles 5(1)(a), 6 and 9 GDPR
  • a definition of the data retention period, in violation of Article 5(1)(e) GDPR
  • an adequate definition of the relationship with a sub-processor, in violation of Article 28 GDPR.

Dispute

Miropass s.r.l. presented a written defense. In light of that defense, is the processing still deemed illicit by the DPA?

Holding

The Garante considered that the elements produced in defense were not sufficient to overcome the previously notified findings, and thus reaffirmed the unlawfulness of the processing of personal data carried out by Miropass s.r.l.

The processing was conducted in violation of basic principles: without a suitable legal basis for processing the personal data of users and employees, and without having regulated the relationship with its processor, and thus in violation of Articles 5(1)(a) and (e), 6, 9 and 28 GDPR.

With the power conferred by Article 58(2)(i) GDPR, the Italian DPA imposed a fine of 40.000 euro on Miropass s.r.l.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.