Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Italy: Garante fines Cribis Credit Management €10,000 for violating basic data protection principles

The Italian data protection authority ('Garante') issued, on 9 June 2022, its decision in Case No. 215, in which it imposed a fine of €10,000 on Cribis Credit Management s.r.l., for violation of Articles 5(1)(a), 5(1)(c), and 6 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint submitted by an individual.

Background to the case

In particular, the Garante reported that the complainant had lamented a breach of the GDPR by Cribis Credit Management, which, in the interest of Sky Italia S.r.l., had sent multiple emails, concerning the payment of an invoice relating to the termination for default of the complainant's Sky subscription, to the company email address of a third party, specifically an employee of the company for which the complainant acts as representative.

Findings of the Garante

Further to the above and based on the elements acquired in the course of the investigation, the Garante found that Cribis Credit Management, given impossibility to contact the complainant by phone, had used an email address found online to contact the complainant, believing that the same belonged to the actual debtor, rather than to a third party. In light of the established facts, the Garante held that Cribis Credit Management had violated Articles 5(1)(a), 5(1)(c), and 6 of the GDPR.

Subsequently, the Garante, based on the nature of the violations occurred, imposed an administrative fine on Cribis Credit Management, and in quantifying the same, it took into account, among other factors, the degree of liability of Cribis Credit Management, for failing to comply with data protection rules, despite clear guidance to debt collection operators issued by the Garante since 2005.


In conclusion, the Garante imposed the aforementioned fine and ordered the publication of the decision on its website as an ancillary sanction. Lastly, the Garante highlighted that Cribis Credit Management may lodge an appeal before the ordinary judicial authority within 30 days.

You can read the decision, only available in Italian, here.