Italy: Garante fines OMNIA24 €100,000 for multiple GDPR violations
The Italian data protection authority ('Garante') issued, on 2 December 2021, its decision in case No. 424, in which it imposed a fine of €100,000 on OMNIA24 srl, for violations of Articles 5(1)(a), 5(2), 6(1)(a), 12, 13, 14, 15, 24, and 28 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and Article 130 of the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to the GDPR ('the Code'), following a complaint submitted by an individual, and in conjunction with a related decision.
Background to the decision
In particular, the Garante reported that the complainant, upon receiving promotional SMS for a service named 'Evo24', a trademark owned by OMNIA24, had exercised their right of access, inquiring, among other things, about the methods of collection of consent and the source of the data. In response to this, OMNIA24 had notified the complainant that it had proceeded with the deletion of their personal data, and informed the complainant that it had acquired the complainant's personal data from La Duomo S.r.l.s., a company to which OMNIA24 outsourced marketing activities. As such, the Garante noted that the complainant had requested that La Duomo provide proof of its declaration of consent to the use of personal data for marketing purposes. As the complainant did not receive any reply from La Duomo nor any further information from OMNIA24, they had contacted the Garante.
Accordingly, the Garante detailed that OMNIA24 had communicated to the Garante that they had been assured by La Duomo that the marketing lists complied with data protection law. Thus, OMNIA24 denied any responsibility. In addition, the Garante reported that La Duomo had explained that it had correctly acquired the complainant's consent but was unable to provide any proof of the same nor any information on the source of the complainant's personal data.
Further to the above, the Garante added that it had also received similar complaints from other data subjects.
Findings of the Garante
Further to the above, the Garante considered that neither OMNIA24 nor La Duomo had provided any clarifications on the respective responsibilities with regard to the data processing in question. However, the Garante took the view that OMNIA24 acted as data controller, considering that it determines the purpose and means of the processing and is the entity in whose interest the processing is carried out. In addition, the Garante held that the failure to qualify the roles in relation to the processing had led to a breach of the basic processing principle of lawfulness, fairness, and transparency, since it did not appear that the necessary information had been provided to the complainant, such as to allow the complainant to understand the respective responsibilities in the processing. Moreover, according to the Garante, OMNIA24's inadequate response to the complainant's request to access their personal data constituted a violation of Articles 5(1)(a), 12, 13, 14, and 15 of the GDPR. Additionally, the Garante found that OMNIA24 had not adopted any precautions in entrusting the promotional service to La Duomo, thus failing to implement the required technical and organisational measures to guarantee and be able to demonstrate compliance, resulting in a violation of Articles 5(2), 24, and 28 of the GDPR.
Also, the Garante took the view that the conduct described above led to the sending of promotional messages without consent, constituting a violation of Article 6(1)(a) of the GDPR and Article 160 of the Code.
Furthermore, in determining the amount of the fine, the Garante noted that it had taken into account as aggravating circumstances, among other things, the fact that OMNIA24 had not put in place any type of control over the activity of La Duomo and had not cooperated with the Garante during the investigation. However, the Garante also considered as mitigating circumstances, among other things, the absence of previous violations.
Besides the imposition of the fine, the Garante:
- prohibited OMNIA24 from further processing personal data for marketing purposes, in the absence of the data subjects' consent;
- ordered OMNIA24 to adopt suitable measures to regulate the contractual relationship with other entities involved in the processing before any further processing of personal data for marketing purposes; and
- ordered OMNIA24 to adopt measures to guarantee the facilitation of data subjects' rights.
In conclusion, the Garante issued the aforementioned fine, and ordered that payment be received within 30 days. In addition, the Garante requested OMNIA24 to provide proof, within the same timeframe, of the measures adopted to implement the abovementioned orders, and noted that an appeal against the decision may be lodged before the ordinary judicial authority within 30 days.
You can read the decision, only available in Italian, here.