Italy

Main takeaways

  • Publicly announced focus topics for DPA activity/enforcement.
  • 50% of fines allocated to DPA budget to strengthen data protection.
  • Non-anonymised publication of fines as an additional sanction; aggregated information on enforcement in DPA annual report.
  • Fines > Damages: Fines appear to be more significant than damages, importance of litigation likely to increase in the future.

Fining practice

Trend: to date, have the national data protection authorities in Italy focused on certain types of non-compliance with data protection law, or have the authorities stated that they will investigate certain types of non-compliance more closely in future? Do you see a focus on certain industries/sectors? If so, which ones?

To date, the main fines have been imposed for the lack of a sufficient legal basis for data processing and for non-compliance with the general data processing principles. The focus so far has been on telemarketing activities, especially in the telecommunications and electricity sectors.

In the second half of 2022, the inspection activity of the Italian Data Protection Authority (“Garante per la protezione dei dati personali”, the “Garante” or “DPA”) has focused mainly on: the processing of personal data carried out by digital identity providers and by vendors that supply apps and online services to public authorities; the proper implementation of the Guidelines on the use of cookies and other tracking tools issued by the DPA on 10 June 2021, which entered into force in January 2022; and the transfer of data outside the EU through the use of Google Analytics.

The Data Protection Authority has not yet released the inspection plan for the first half of 2023.

Overall, what was the most significant fine in Italy to date (please specify the recipient, the amount, the type of violation, the sector, and provide a brief summary)? Has the fine been challenged in court? If it has: was this successful, or what is the status of the proceedings?

The highest GDPR fines in Italy to date have been imposed on:

  1. TIM SpA, on 1 February 2020, was fined EUR 27.8 million for the lack of a sufficient legal basis for data processing. According to the DPA, TIM SpA – a leading Italian telecommunications company – had carried out unlawful data processing operations related to marketing activities. From January 2017 to early 2019, the DPA received numerous complaints concerning, in particular, unsolicited promotional calls made without consent, or despite the telephone users having been entered in the public opt-out register, or despite the persons contacted having expressed to the company their wish not to receive promotional calls. Complaints as to irregularities in the processing of data were also made in connection with prize competitions and forms submitted to users by TIM.
  2. Enel Energia, on 19 January 2022, was fined EUR 26.5 million due to its unlawfully processing users’ personal data for telemarketing purposes. The decision was issued following complex inquiries the DPA had started due to hundreds of complaints being made by users who had received unsolicited calls made on behalf of Enel Energia, some of them using pre-recorded messages, or who had found it difficult to exercise their data protection rights and had encountered problems more generally relating to the handling of their data in relation to the supply of utility services – including the processing of data performed in the dedicated area on the company’s website and/or through the app provided to manage power consumption. The DPA has observed that telemarketing issues in the utilities sector are clearly and worryingly on the rise with the upcoming switch to an unregulated market regime for electricity and gas suppliers. The inquiries made by the DPA showed pervasive, unrelenting as well as increasingly invasive reliance on unsolicited promotional calls without the required consent, addressed to off-directory users or to users listed in the opt-out register; additionally, responses to user requests to access their own personal data or object to processing for marketing purposes is increasingly delayed or is missing altogether. On 16 February 2023, the Court of Rome overturned the decision of the DPA. To date, the grounds of the ruling have not been published.
  3. Clearview AI (a US-based company), on 10 February 2022, was fined EUR 20 million for illegitimately using over 10 billion facial images from all over the world, which were extracted from public web sources (media outlets, social media, online videos) through web scraping. The company offers a sophisticated search service which allows, through AI systems, for the creation of profiles on the basis of the biometric data extracted from the images. The profiles can be enriched by information linked to these images, such as image tags and geolocation or source web pages. The DPA’s inquiries were started on the basis of complaints and alerts and found that Clearview AI – contrary to what was alleged – allows the tracking of Italian nationals and persons located in Italy. The findings showed that the personal data held by the company, including biometric and geolocation information, were processed unlawfully without an appropriate legal basis, as the legitimate interest of the US-based company does not qualify as such. Additionally, the company infringed several fundamental principles of the GDPR including transparency – because it failed to adequately inform users-, purpose limitation – because it processed users’ data for purposes other than those for which they had been made available online-, and storage limitation – because it did not set out any data storage period. Thus, Clearview AI was violating data subjects’ freedoms, including the protection of privacy and non-discrimination.
  4. Douglas Italia SpA, a perfumery chain, on 20 October 2022, was fined EUR 1.4 million for failing to comply with Italian and European legislation concerning, specifically, data retention periods and processing for marketing and profiling purposes. The DPA identified several issues in relation to the company's loyalty programme, for which personal data are also collected through a dedicated mobile app. The DPA specifically identified the following issues: (i) lack of distinction – in Douglas' mobile app – between T&Cs, privacy policy and cookie policy; (ii) mentioning in its policies processing activities that were not actually carried out and purposes that were not actually pursued; (iii) collecting a single consent for different activities (e.g., company marketing, third-party marketing and profiling), which, according to the DPA, could be deemed neither free nor specific, so that the relevant processing activities were deemed to have no legal basis; (iv) breach of the principle of accountability for failing to prove how the personal data had been collected by former companies (later merged into Douglas), and whether and how the information and consent obligations had been fulfilled by those companies; (v) breach of the principles of purpose limitation and of storage limitation for failing to delete personal data collected more than 10 years earlier and relating to customers who had not renewed their loyalty card. With regard to more recently collected personal data, the DPA ordered the company to delete or pseudonymise them. The DPA also specified in its decision that if the company decides to pseudonymise the data of customers holding a loyalty card, it shall publish this on its website and send a notice to customers informing them that, in the event of non-renewal of the loyalty card, their data will be deleted within six months. The DPA therefore ordered Douglas to adopt appropriate organisational and technical measures to ensure that its customers’ data are stored in compliance with the purpose limitation and data minimisation principles of the GDPR.
  5. Areti SpA, a company that distributes electricity in the city of Rome, on 24 November 2022, was fined EUR 1 million for having erroneously classified thousands of users as “defaulting debtors”, thus preventing them from switching to another electricity supplier and causing them to lose the potential savings resulting from such a change. The DPA declared the data processing carried out by the company unlawful because the processing of inaccurate and outdated data made it impossible for users to change suppliers and benefit from such a change. The sector regulations allow a prospective new supplier to assess whether or not it would be convenient to acquire a new customer by consulting the so-called “Integrated Information System”, which is also fed with the information communicated by the original supplier (i.e., Areti) and which records, inter alia, the solvency of a specific customer. The DPA fined Areti for its inadequate data retention timeframes, inaccurate data migration within its systems, and inadequate response to the requests by which data subjects had exercised their rights. Areti was therefore fined for infringing the principle of accuracy of personal data and the principle of accountability, since the technical and organisational measures adopted to comply with the GDPR were not adequate to the processing carried out.
  6. Alpha Exploration, owner of Clubhouse, the social network based on voice chat, was fined EUR 2 million on 2 October 2022. The DPA identified numerous violations, including: (i) lack of transparency on the use of users’ and their “friends’” data; (ii) the possibility for users to store and share audio files without the consent of the recorded persons; (iii) profiling and sharing of account information without a proper legal basis; (iv) indefinite retention periods for recordings made by the social network, justified by the need to challenge possible abuses; (v) lack of users' specific consent for marketing and profiling purposes; (vi) failure to comply with the principle of privacy by design, in that the social network did not provide a feature allowing users to be aware, before entering a chat room, that the chat might be recorded; (vii) lack of the appropriate information in the privacy policy, including the identification of the legal basis applicable to each purpose of processing, the retention periods and the information about the controller's representative in the European Union. Finally, the DPA ordered Alpha Exploration to carry out a data protection impact assessment on the processing carried out through the Clubhouse platform.

Organisation of authorities, procedure and publicising of fine proceedings

How is the data protection authority organised in Italy? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

The DPA is a collegial body composed of four members elected by Parliament, who remain in office for a non-renewable term of seven years. The members elect a President, whose vote prevails in the event of a tie (article 153 of the Italian Privacy Code – Legislative Decree 196/2003).

The DPA is structured as follows:

SERVICES

  • Legal and Institutional Affairs
  • Management control
  • External relations and media
  • International and European relations
  • Studies and documentation

DEPARTMENTS

  • Justice and legal affairs
  • Administration, assets and accounting
  • Inspections
  • Freedom of expression and cyberbullying
  • Economic and productive activities
  • Public administrations
  • Marketing and telematics networks
  • Human Resources and contractual activities
  • Health and research
  • Digital technologies and cyber security

The operating expenses of the DPA are charged to a fund allocated in the State budget, within a specific expenditure programme under the Ministry of Economy and Finance. Currently, the budget allocated to the DPA amounts to EUR 47,367,934 for 2023, EUR 47,685,528 for 2024 and EUR 48,012,394 for 2025.

In addition to the dedicated budget, 50% of the annual fines imposed by the DPA is allocated to the DPA to be used to support three activities: GDPR awareness, inspections, and implementation.

How does a fine procedure work in Italy? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

Pursuant to section 166 of the Italian Privacy Code, proceedings may be brought against both private bodies and public bodies or authorities, either following a complaint lodged in accordance with Article 77 of the Regulation or after inquiries carried out by the DPA on its own initiative, within the framework of the investigative powers referred to in Article 58(1) of the Regulation, as well as in connection with access, inspections and audits carried out on the basis of either autonomous control powers or powers delegated by the DPA.

If the DPA considers that the findings of the investigations indicate that a violation of data protection laws has been committed, it shall notify the controller or the processor as to the alleged violations, except where prior notification as to such alleged violations proves incompatible with the nature and objective of the measures to be adopted.

Within thirty days from receipt of the above-mentioned notification, the relevant company/public authority may send pleadings or documents to the DPA and may request to be heard.

The DPA itself is entitled to impose fines and sanctions, which may be challenged before the ordinary courts.

When fines are imposed by the data protection authority: Where does the money go? (e.g., the State treasury, the authority's budget)?

50% of fines are allocated to the State treasury and 50% of the annual fines are allocated to the DPA to be used to support three activities, namely: awareness, inspections and implementation of the GDPR.

Is there a common, official calculation methodology of fines in Italy (such as the fining models in the Netherlands or Germany)?

There is no common, official calculation methodology for fines.

Can public authorities be fined in Italy? If they can: Where does this money go?

Yes, pursuant to section 166 par. 4 of the Italian Privacy Code. As regards the allocation of fines, please refer to the answer two questions above.

In Italy, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

The publishing of fines imposed by the DPA on its website is an ancillary sanction (section 166 par. 7 of the Italian Privacy Code). The publication may include the whole decision or an excerpt thereof. Fined companies are not anonymised.

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?

Considering that the publishing of fines is an ancillary sanction, information is not published on every individual fine case. Nevertheless, through the annual summary of the DPA’s activities, aggregated information on the total number of cases and the total amount of fines is provided by the DPA. The main annual figures from 2019 are as follows:

  • 2019: (i) 232 decisions; (ii) EUR 3,017,363 in collected fines; (iii) 147 inspections.
  • 2020: (i) 278 decisions; (ii) EUR 38,448,895 in collected fines; (iii) 21 inspections.
  • 2021: (i) 252 decisions; (ii) EUR 13,465,148 in collected fines; (iii) 49 inspections.
  • 2022: no public information so far.

Other legal consequences of non-compliance

Does Italy have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

Under the new legislation, the scope of the class action regime has been significantly broadened and now aims at protecting a wide range of contractual and non-contractual rights across different sectors, including environmental law and financial services. As a result, wider access to the class action regime is expected.

Please note that Directive 1828/2020 (“on representative actions for the protection of the collective interests of consumers”) is currently being transposed into national law in Italy. The new legislation will extend the power of certain entities designated under national law to take legal action to protect the collective interests of consumers (including “data subjects” under the GDPR) and to obtain compensation for damages, including across borders between several countries.

What is more relevant in Italy: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

For the time being, the fines issued by the DPA are much more relevant than claims for damages arising from court proceedings concerned with data protection infringements.

However, litigation before the ordinary courts for data protection breaches is increasing as a consequence of the growing sensitivity of public opinion to data protection issues, triggered by the GDPR’s entry into force in May 2018.

The expectation is that this trend will continue and that in the coming years there will be significant growth in cases brought before the civil courts claiming compensation for damages, often in connection with matters uncovered through investigations by the DPA. It should be noted that a growing body of case law concerns the right to be forgotten and damages for the publication of a personal image without consent.