The Italian data protection authority (the "Garante"), in collaboration with the Italian Financial Police, found that five companies (Yume s.r.l., Marc 1 s.r.l., Sigue Global Service Limited, Sirama s.r.l., and Euro Communication System s.r.l., together the "Companies"), operating in the money transfer industry, were in serious violation of anti-money laundering and data protection legislation.
The Companies collected money from Chinese entrepreneurs and transferred it to China. In order to prevent association between the financial remittance and the real senders however, the monetary amount of the transfers was kept below the threshold specified in anti-money laundering legislation and the personal data of over 1000 customers was used without their knowledge, making them appear as the senders of the payments.
The processing of the data of these customers was done without the customer's consent and, in some cases, data of deceased or non-existing persons was used. As a result, Sigue Global Service Limited was fined €5,880,000, while Yume s.r.l., Marc 1 s.r.l., Sirama s.r.l. and Euro Communication System s.r.l. were fined €1,590,000, €850,000, €1,430,000 and €1,260,000 respectively.
Due to the number and seriousness of deliberate violations of data protection law and the time span involved, the Garante decided to go beyond the fine limit of EUR 2.4 million imposed by the Privacy Code but rather calculated the fine by adding up the fines of the multiple violations of the law that took place in this case (Italian Penal Code principle of tot criminal tot poenae, meaning many crimes, many pains), resulting in the impressive fine of EUR 11 million.
The Companies were given 30 days from the notification of the decision to pay the fines.
Organisations should note that the Italian data protection authority is aiming to crack down on unlawful data processing and inadequate consideration of data protection laws by both data controllers and data processors. Fines imposed can be potentially very high, as this development shows. Organisations operating and/or processing personal data in Italy it should be aware of this.
The full statement from Garante can be accessed here (Italian).