The Italian data protection authority ('Garante') announced, on 22 December 2022, in its monthly newsletter, the publication of its Decision No. 370, as issued on 10 November 2022, in which it imposed a fine of €10,000 on I-Model s.r.l, for violations of Articles 6(1) and 17 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint submitted by an individual.

Background to the decision

In particular, the Garante explained that the complainant reported that, after receiving confirmation from I-Model that the personal data in its files had been deleted, they continued to receive SMS messages from I-Model concerning job offers. Further, the Garante reported that I-Model declared that the data was not deleted only due to an error.

Findings of the Garante

Following its investigation, the Garante found that I-Model gave a formal response to the complainant's requests for deletion of personal data on two occasions, merely stating that it had removed the data from the mailing list, but, in fact, continuing to store and process the data without a proper legal basis. In fact, the Garante explained that, since the data subject's consent to the processing of their personal data had been revoked with their deletion request, it follows that the processing subsequently carried out by I-Model was unlawful and with no legal basis, thus violating Article 6(1) of the GDPR.

Outcomes

In conclusion, the Garante imposed a fine of €10,000 on I-Model in light of the aforementioned violations.

You can read the decision, only available in Italian, here.