Italy: Garante fines Douglas Italia €1.4M for various GDPR violations
The Italian data protection authority ('Garante') announced, on 28 November 2022, in its monthly newsletter, the publication of its Decision No. 348, as issued on 20 October 2022, in which it imposed a fine of €1.4 million on, and issued various compliance orders to, Douglas Italia S.p.A., for violations of Articles 5(1)(b), 5(1)(e), 5(2), 6, 7, 12(1), 13(2)(a), 24, and 25(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint submitted by an individual.
Background to the decision
In particular, the Garante reported that the complainant had lamented the lack of response from Douglas Italia, following a request to exercise their data subject rights.
Further to this, the Garante noted that it had launched an investigation, during which Douglas Italia had clarified that it had been incorporated from the merger of three companies ('the Companies'), and that, therefore, Douglas Italia's database (containing around 10 million customers) included the databases originally belonging to the Companies.
Findings of the Garante
At the end of the investigation carried out, the Garante determined that the failure to respond to the complainant's request was an episodic case, and that, generally, Douglas Italia managed data subjects' requests in a correct and timely manner.
However, the Garante found that Douglas Italia violated:
- Articles 6 and 7 of the GDPR, by requiring users to provide consent, at the same time, to the general terms and conditions of sale, the privacy notice, and the cookie policy;
- Articles 5(2) and 24 of the GDPR, as it could not provide proof of the collection of consent from the Companies' customers, upon renewal of their fidelity card, nor any proof regarding the processing operations carried out by the Companies;
- Articles 5(1)(b) and 5(1)(e) of the GDPR, by storing the data of the Companies' customers, who had not renewed their fidelity cards with Douglas Italia, in an inactive state, in order to facilitate the possible replacement of fidelity cards;
- Article 13(2)(a) of the GDPR, due to the discrepancies between Douglas Italia's practices and the information provided in the privacy notice;
- Article 12 of the GDPR, due to the lack of transparency on, and accessibility to, information regarding the data processing;
- Articles 5(2), 24, and 25(1) of the GDPR, due to the lack of correspondence between the options included in the form used to collect consent to direct marketing and the concrete operational practice; in this regard, the Garante ascertained that customers who had consented only to telemarketing also received SMS marketing communications, and vice versa; and
- Articles 5(2), 13, and 24 of the GDPR, as Douglas Italia could not provide any clarifications as to the purposes of the collection, and the retention periods, of the data collected through Douglas Italia's blog, and due to the lack of information concerning the data collection through said blog.
Outcomes
In light of the violations ascertained, the Garante issued a fine of €1.4 million and ordered Douglas Italia to:
- amend the layout of the app, ensuring a clear distinction between the privacy notice and the cookie policy, and that both texts indicate only the processing actually carried out and the purposes pursued;
- delete, within 15 days, the personal data of the Companies' customers that have been stored for more than ten years;
- delete or pseudonymise, within 30 days, the personal data of the Companies' customers dating back up to ten years, and, in the latter case, to advertise this on its website and send a notice to customers whose email address is available, informing them that, in case of non-renewal of the fidelity card, within six months their data will be deleted;
- delete the personal data of all the customers who, following the abovementioned notice, decide not to renew the fidelity card, within 15 days of the expiry of the aforementioned six-month period; and
- adopt appropriate organisational and technical measures and provide feedback within 30 days.
In conclusion, the Garante noted that Douglas Italia may lodge an appeal against the decision before the judicial authority within 30 days.
You can read the newsletter here and the decision here, both only available in Italian.