Tribunale ordinario di Roma - 9551/2022: Difference between revisions

From GDPRhub
mNo edit summary
mNo edit summary
 
(One intermediate revision by one other user not shown)
Line 66: Line 66:
}}
}}


An Italian Court upheld the appeal of ENEL Energia against a decision of the Italian DPA, where the controller was fined €26,513,977. The Court found that the DPA informed the controller of the beginning of the infringement procedure after the 120-day deadline from the establishment of a violation.
An Italian Court upheld the appeal of ENEL Energia against a decision of the Italian DPA, where the controller was fined €26,513,977. The Court annulled the fine since it found that the DPA informed the controller of the beginning of the sanctioning procedure after the 120-day deadline from the establishment of a violation.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On 16 December 2021, the Italian DPA fined ENEL Energia (the controller), one of Italy's most important energy providers, €26,513,977 with its [https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9735672 decision of 9735672].
After receiving several complaints, at different times, about unwanted promotional phone calls from ENEL Energia (the controller), one of Italy's most important energy providers, the DPA initiated its investigation. At the end of 2018 and the beginning of 2019, the DPA made two requests for information to the controller. It then submitted a third request on 17 December 2019, which went unanswered. The DPA followed up with a fourth request on 10 July 2020, which the controller replied to on 14 January 2021. Then, on 14 May 2021, the DPA notified the controller of the initiation of the sanctioning procedure.


The DPA had initiated its proceedings after receiving several complaints, at different times, about receiving unwanted promotional phone calls from the controller. At the end of 2018 and the beginning of 2019, the DPA started its investigation, during which it made two requests for information to the controller. It then submitted a third request on 17 December 2019, which went unanswered. The DPA followed up with a fourth request on 10 July 2020, which the controller replied to on 14 January 2021. Then, on 14 May 2021, the DPA notified the controller of the initiation of the infringement procedure.
On 16 December 2021, the Italian DPA fined the controller €26,513,977 with its [https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9735672 decision of 9735672].


The controller appealed the decision to the Tribunale ordinario di Roma (Court) arguing that the Italian DPA failed to comply with the 120-day deadline for notification of the beginning of the infringement procedure, which the DPA should have complied with.
The controller appealed the decision to the Tribunale ordinario di Roma (Court) arguing that the Italian DPA failed to comply with the 120-day deadline for notification of the beginning of the sanctioning procedure, which the DPA should have complied with.


=== Holding ===
=== Holding ===
To begin with, the Court noted that the Italian DPA had issued [https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9107640 Regulation No 2/2019] concerning the identification of terms and organisational units responsible for the administrative procedures. In accordance with [https://www.garanteprivacy.it/documents/10160/0/Codice+in+materia+di+protezione+dei+dati+personali+%28Testo+coordinato%29.pdf/b1787d6b-6bce-07da-a38f-3742e3888c1d?version=7.0 Article 166(5) of the Italian Privacy Code], the Regulation gives the DPA a time limit of 120 days from the establishment of the violation to notify the controller of the beginning of the investigation of the infringement procedure.
To begin with, the Court noted that the Italian DPA had issued [https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9107640 Regulation No 2/2019] concerning the identification of terms and organisational units responsible for the administrative procedures. In accordance with [https://www.garanteprivacy.it/documents/10160/0/Codice+in+materia+di+protezione+dei+dati+personali+%28Testo+coordinato%29.pdf/b1787d6b-6bce-07da-a38f-3742e3888c1d?version=7.0 Article 166(5) of the Italian Privacy Code], the Regulation gives the DPA a time limit of 120 days from the establishment of the violation to notify the controller of the beginning of the sanctioning procedure.


Subsequently, the Court addressed the DPA’s claim that the 120-day time limit was not mandatory. The Court stated that the time limit must be regarded as peremptory under [https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:legge:1990-08-07;241!vig= Article 2 comma 5 of the L. 241/1990], as this is an indispensable prerequisite to respect the fundamental principles of the legal system. The Court indeed noted that the word "deadline" indicates a moment by which a certain act must be performed and that knowing the deadlines by when the DPA should have started and concluded the proceedings is a requirement for the right of defence, legal certainty and, ultimately, the rule of law.
Subsequently, the Court addressed the DPA’s claim that the 120-day time limit was not mandatory. The Court stated that the time limit must be regarded as peremptory under [https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:legge:1990-08-07;241!vig= Article 2 comma 5 of the L. 241/1990], as this is an indispensable prerequisite to respect the fundamental principles of the legal system. The Court indeed noted that the word "deadline" indicates a moment by which a certain act must be performed and that knowing the deadlines by when the DPA should have started and concluded the proceedings is a requirement for the right of defence, legal certainty and, ultimately, the rule of law.


Regarding whether the DPA took longer than the established deadline, the Court had to assess from which day the 120-day deadline started. Thus, the Court found that the relevant day from which the 120-day period begins is when the DPA last received a response to its information request or, in case of silence by the expiration of the deadline assigned to the controller to reply. In the present instance, the Court noted that the DPA’s notification of the infringement procedure to the controller on 14 May 2021 had come after the expiry of the 120 days, namely after the controller could legitimately consider that its conduct had not given rise to a sanction procedure. Indeed, after the controller did not reply to the third information request of 17 December 2019, the DPA reiterated the request only with the fourth information request on 10 July 2020, almost seven months later. Moreover, after the controller's reply, the DPA requested further clarification more than five months later, on 14 December 2020. All follow-ups then did not comply with the 120-day deadline. Not to mention that the first two requests by the DPA were sent in 2018 and 2019, one to two years before the notification.
Regarding whether the DPA took longer than the established deadline, the Court had to assess from which day the 120-day deadline started. Thus, the Court found that the relevant day from which the 120-day period begins is when the DPA last received a response to its information request or, in case of silence, by the expiration of the deadline assigned to the controller to reply. In the present instance, the Court noted that the DPA’s notification of the infringement procedure to the controller on 14 May 2021 had come after the expiration of the 120 days, namely after the controller could legitimately consider that its conduct had not given rise to a sanctioning procedure. Indeed, after the controller did not reply to the third information request of 17 December 2019, the DPA reiterated the request only with the fourth information request on 10 July 2020, almost seven months later. Moreover, after the controller's reply, the DPA requested further clarification more than five months later, on 14 December 2020. All follow-ups then did not comply with the 120-day deadline. Not to mention that the first two requests by the DPA were sent in 2018 and 2019, one to two years before the notification.


Therefore, the Court found that the DPA’s notification of the infringement procedure was delayed and that the contested measure should therefore be annulled.
Therefore, the Court found that the DPA’s notification of the sanctioning procedure was delayed and that the contested measure should therefore be annulled.


== Comment ==
== Comment ==

Latest revision as of 10:13, 6 February 2024

Tribunale ordinario di Roma - 9551/2022
Courts logo1.png
Court: Tribunal of Rome (Italy)
Jurisdiction: Italy
Relevant Law:
Article 166(5) of the Italian Privacy Code
Table Regulation No 2/2019
Decided: 13.02.2023
Published:
Parties: Enel Energia
Garante per la protezione dei dati personali
National Case Number/Name: 9551/2022
European Case Law Identifier:
Appeal from: Garante per la protezione dei dati personali (Italy)
9735672
Appeal to:
Original Language(s): Italian
Original Source: Tribunale ordinario di Roma (in Italian)
Initial Contributor: ar

An Italian Court upheld the appeal of ENEL Energia against a decision of the Italian DPA, where the controller was fined €26,513,977. The Court annulled the fine since it found that the DPA informed the controller of the beginning of the sanctioning procedure after the 120-day deadline from the establishment of a violation.

English Summary

Facts

After receiving several complaints, at different times, about unwanted promotional phone calls from ENEL Energia (the controller), one of Italy's most important energy providers, the DPA initiated its investigation. At the end of 2018 and the beginning of 2019, the DPA made two requests for information to the controller. It then submitted a third request on 17 December 2019, which went unanswered. The DPA followed up with a fourth request on 10 July 2020, which the controller replied to on 14 January 2021. Then, on 14 May 2021, the DPA notified the controller of the initiation of the sanctioning procedure.

On 16 December 2021, the Italian DPA fined the controller €26,513,977 with its decision of 9735672.

The controller appealed the decision to the Tribunale ordinario di Roma (Court) arguing that the Italian DPA failed to comply with the 120-day deadline for notification of the beginning of the sanctioning procedure, which the DPA should have complied with.

Holding

To begin with, the Court noted that the Italian DPA had issued Regulation No 2/2019 concerning the identification of terms and organisational units responsible for the administrative procedures. In accordance with Article 166(5) of the Italian Privacy Code, the Regulation gives the DPA a time limit of 120 days from the establishment of the violation to notify the controller of the beginning of the sanctioning procedure.

Subsequently, the Court addressed the DPA’s claim that the 120-day time limit was not mandatory. The Court stated that the time limit must be regarded as peremptory under Article 2 comma 5 of the L. 241/1990, as this is an indispensable prerequisite to respect the fundamental principles of the legal system. The Court indeed noted that the word "deadline" indicates a moment by which a certain act must be performed and that knowing the deadlines by when the DPA should have started and concluded the proceedings is a requirement for the right of defence, legal certainty and, ultimately, the rule of law.

Regarding whether the DPA took longer than the established deadline, the Court had to assess from which day the 120-day deadline started. Thus, the Court found that the relevant day from which the 120-day period begins is when the DPA last received a response to its information request or, in case of silence, by the expiration of the deadline assigned to the controller to reply. In the present instance, the Court noted that the DPA’s notification of the infringement procedure to the controller on 14 May 2021 had come after the expiration of the 120 days, namely after the controller could legitimately consider that its conduct had not given rise to a sanctioning procedure. Indeed, after the controller did not reply to the third information request of 17 December 2019, the DPA reiterated the request only with the fourth information request on 10 July 2020, almost seven months later. Moreover, after the controller's reply, the DPA requested further clarification more than five months later, on 14 December 2020. All follow-ups then did not comply with the 120-day deadline. Not to mention that the first two requests by the DPA were sent in 2018 and 2019, one to two years before the notification.

Therefore, the Court found that the DPA’s notification of the sanctioning procedure was delayed and that the contested measure should therefore be annulled.

Comment

This decision highlights, as provided by Article 58(4) GDPR, the importance for the DPA's powers to be subject to appropriate safeguards, specifically, in this case, to the right of defence, legal certainty and the rule of law, in compliance, not only with Italian law, but also European law and the Charter.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

File history
Click on a date/time to view the file as it appeared at that time.
Date/TimeDimensionsUserComment
current13:54, 2 February 2024 (235 KB)Ar (talk | contribs)
You cannot overwrite this file.File usage
There are no pages that use this file.