Tribunale ordinario di Roma - 9551/2022
| Tribunale ordinario di Roma - 9551/2022 | |
|---|---|
 | |
| Court: | Tribunal of Rome (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 166(5) of the Italian Privacy Code Table Regulation No 2/2019 |
| Decided: | 13.02.2023 |
| Published: | |
| Parties: | Enel Energia Garante per la protezione dei dati personali |
| National Case Number/Name: | 9551/2022 |
| European Case Law Identifier: | |
| Appeal from: | Garante per la protezione dei dati personali (Italy) 9735672 |
| Appeal to: | |
| Original Language(s): | Italian |
| Original Source: | Tribunale ordinario di Roma (in Italian) |
| Initial Contributor: | ar |
An Italian Court upheld the appeal of ENEL Energia against a decision of the Italian DPA, where the controller was fined €26,513,977. The Court annulled the fine since it found that the DPA informed the controller of the beginning of the sanctioning procedure after the 120-day deadline from the establishment of a violation.
English Summary
Facts
After receiving several complaints, at different times, about unwanted promotional phone calls from ENEL Energia (the controller), one of Italy's most important energy providers, the DPA initiated its investigation. At the end of 2018 and the beginning of 2019, the DPA made two requests for information to the controller. It then submitted a third request on 17 December 2019, which went unanswered. The DPA followed up with a fourth request on 10 July 2020, which the controller replied to on 14 January 2021. Then, on 14 May 2021, the DPA notified the controller of the initiation of the sanctioning procedure.
On 16 December 2021, the Italian DPA fined the controller €26,513,977 with its decision of 9735672.
The controller appealed the decision to the Tribunale ordinario di Roma (Court) arguing that the Italian DPA failed to comply with the 120-day deadline for notification of the beginning of the sanctioning procedure, which the DPA should have complied with.
Holding
To begin with, the Court noted that the Italian DPA had issued Regulation No 2/2019 concerning the identification of terms and organisational units responsible for the administrative procedures. In accordance with Article 166(5) of the Italian Privacy Code, the Regulation gives the DPA a time limit of 120 days from the establishment of the violation to notify the controller of the beginning of the sanctioning procedure.
Subsequently, the Court addressed the DPA’s claim that the 120-day time limit was not mandatory. The Court stated that the time limit must be regarded as peremptory under Article 2 comma 5 of the L. 241/1990, as this is an indispensable prerequisite to respect the fundamental principles of the legal system. The Court indeed noted that the word "deadline" indicates a moment by which a certain act must be performed and that knowing the deadlines by when the DPA should have started and concluded the proceedings is a requirement for the right of defence, legal certainty and, ultimately, the rule of law.
Regarding whether the DPA took longer than the established deadline, the Court had to assess from which day the 120-day deadline started. Thus, the Court found that the relevant day from which the 120-day period begins is when the DPA last received a response to its information request or, in case of silence, by the expiration of the deadline assigned to the controller to reply. In the present instance, the Court noted that the DPA’s notification of the infringement procedure to the controller on 14 May 2021 had come after the expiration of the 120 days, namely after the controller could legitimately consider that its conduct had not given rise to a sanctioning procedure. Indeed, after the controller did not reply to the third information request of 17 December 2019, the DPA reiterated the request only with the fourth information request on 10 July 2020, almost seven months later. Moreover, after the controller's reply, the DPA requested further clarification more than five months later, on 14 December 2020. All follow-ups then did not comply with the 120-day deadline. Not to mention that the first two requests by the DPA were sent in 2018 and 2019, one to two years before the notification.
Therefore, the Court found that the DPA’s notification of the sanctioning procedure was delayed and that the contested measure should therefore be annulled.
Comment
This decision highlights, as provided by Article 58(4) GDPR, the importance for the DPA's powers to be subject to appropriate safeguards, specifically, in this case, to the right of defence, legal certainty and the rule of law, in compliance, not only with Italian law, but also European law and the Charter.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
File history Click on a date/time to view the file as it appeared at that time. Date/TimeDimensionsUserComment current13:54, 2 February 2024 (235 KB)Ar (talk | contribs) You cannot overwrite this file.File usage There are no pages that use this file.
