On October 10, 2023, the Italian data protection authority (Garante) announced in its newsletter its Decision No. 393, as issued on July 18, 2023, in which it imposed a fine of €75,000 and a corrective order on Università e-Campus, for violations of the General Data Protection Regulation (GDPR) and the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to the GDPR (the Code), following the submission of complaints by multiple individuals.

Background to the decision

The Garante noted that its intervention followed the complaint of some citizens who claimed to have received from the respondent many unwanted text messages and, in one case, repeated promotional phone calls for six years, even after having opposed these messages. The complaints alleged that the promotional messages had been sent for years without taking into account the rights of the recipients, despite the numerous complaints received but never addressed by the respondent. The Garante noted that, even after the start of the investigation by the Garante, the respondent avoided any form of cooperation and did not address any inquiry submitted by the Garante itself.

Findings of the Garante

At the end of its investigation, the Garante determined that Università e-Campus had violated Articles 5(1)(a), 5(1)(d), 5(2), and 24 of the GDPR, and Articles 130 and 157 of the Code.

Notably, the Garante found that the respondent had violated data protection legislation with its poor level of collaboration towards the Garante, and that Università e-Campus must be held responsible for having sent promotional text messages without the consent of the recipients and without properly and adequately addressing the data subject right requests it had received from related data subjects.

Outcomes

In conclusion, the Garante imposed a fine of €75,000 on Università e-Campus, which may be appealed before the judicial authority. Additionally, the Garante ordered the respondent to establish appropriate data retention periods for personal data, to give specific instructions to the staff, so that data subject requests are promptly addressed, and to verify the technical and organizational measures adopted in order to demonstrate that it has acquired valid consent to the processing of data for promotional purposes. Lastly, Università e-Campus was banned from using personal data processed unlawfully.

You can read the newsletter here and the decision here, both only available in Italian.