Introduction and background
On 7th May the Italian Supervisory Authority for Personal Data Protection (composed of Antonello Soro, Augusta Iannini, Giovanna Bianchi Clerici and Licia Califano, hereinafter the “Authority”) presented its annual report on the activities carried out during 2018.
The Authority’s official website emphasises that the Report marks the end of the board’s seven-year term, led by Antonello Soro, and illustrates the various fields in which the Authority was active during those years. The report also describes the state of implementation of the new European Union Regulation in those fields and indicates the new scenarios that have arisen for the protection of personal data.
The report is structured according to the sequence of events, both before and during the first period of the GDPR’s application, and on the main assumption, in Soro’s words, that technology is limitless. The supranational premise is that Europe should take a leading political role among the world’s powers, positioned between the United States and China.
The figures speak for themselves: 150 inspections, 488 contested administrative penalties and € 8.161.806 in sanctions collected, thanks also to the continuous work of the special unit of the Italian financial police (‘Nucleo Speciale della Guardia di Finanza’), which in 2018 became the ‘Nucleo speciale tutela privacy e frodi tecnologiche’.
Main aspects and practical implications
Below, ICT Legal Consulting has singled out the main aspects of the report, without claiming to be exhaustive, based on the data protection themes it considers most controversial and interesting:
MARKETING, PROFILING AND PERSONAL DATA PROCESSING
- Extension of data retention: the most common request received by the Supervisory Authority concerned the extension of data retention periods for profiling and marketing purposes beyond those established by the Authority in its Provision of 24th February 2005 (doc. web n. 1103045). That Provision specifies that personal data processed for profiling or marketing purposes may be stored for no longer than twelve or twenty-four months, respectively. On the assumption that separate consents had been obtained for each purpose, a maximum retention period of 7 years was deemed appropriate, without prejudice to automatic deletion or definitive anonymisation at the end of that period (Provision of 16th May 2018, n. 294, doc. web n. 88998339). This retention period applies not only to customer data but also to the data of potential customers, or ‘prospects’, as defined by the Authority in the Provision of 18th April 2018, n. 233 (doc. web n. 8997404). Interestingly, in a case concerning a company that designs vehicles, the Authority considered a retention period of up to 10 years appropriate. By contrast, for companies in sectors characterised by medium-to-low spending but high purchase frequency, such as fashion and cosmetics, the Authority held that the conditions for extending retention beyond the periods suggested by the general provision of 2005 were not met.
- So-called “wild” telemarketing: despite Law no. 5 of 11th January 2018 (‘New provisions on the registration and functioning of the Do Not Call Register and the establishment of national prefixes for telephone calls for statistical, promotional or market research purposes’), unsolicited calls continue to affect both the holders of private phone numbers (not listed in telephone directories) and those registered on the public Do Not Call (DNC) Register (‘Registro pubblico delle opposizioni’). The two sectors carrying out most telemarketing activities (directly or through external entities) are telecommunications and energy. Data subjects mainly complained about the omitted or late handling of their requests to exercise their rights, such as the violation of their right to object to further processing, and about inadequate responses to access requests (for example, responses that are not exhaustive as to the origin of the data collected, a fundamental element for data subjects to trace the source of incoming calls). The sector was subject to injunction orders totalling € 3.440.000. Inspections were carried out in accordance with Articles 157 and 158 of Legislative Decree no. 196/2003 (hereinafter the “Data Protection Code”), at the registered and operational offices of the companies as well as at the offices of the dealers responsible for carrying out the promotional activities. The information provided to data subjects was found to be inadequate, so the Authority prohibited the processing of their personal data for marketing purposes without valid and explicit consent. The Authority also observed that certain forms of profiling (e.g. ‘elderly’, ‘low spending’) were carried out with inaccurate data and in the absence of specific consent.
Moreover, the Authority’s inspection revealed that the client company had not carried out appropriate data protection controls on its commercial partners. In most cases these partners had been designated as independent controllers, even though they had access to all the data in the client’s systems and had no autonomy whatsoever as to the purposes of the processing. The Authority therefore prohibited any further processing of personal data for marketing purposes without free and informed consent, and required the adoption of technical and organisational measures to track the promotional activities carried out by the commercial partners and to document data subjects’ refusal of consent (Provision of 22nd May 2018, n. 313, doc. web n. 8995285).
- Dispatch of promotional communications to the certified e-mail (PEC) addresses of self-employed professionals: the Supervisory Authority found that, besides the processing of the certified e-mail addresses taking place without valid informed consent, the addresses had been collected en masse (web scraping) from public registers, such as the INI-PEC register or the website registroimprese.it, using software available on the web. This conduct conflicts with Art. 6 bis par. I of Legislative Decree no. 82/2005 (digital administration code, ‘Codice dell’Amministrazione Digitale’) and Art. 16 par. X of Decree Law 185/2008, under which only Public Administrations may extract data from these public lists. The Authority clarified that data subjects’ consent is necessary even if certified e-mail addresses are available in publicly accessible registers, because their public availability does not permit processing for any purpose whatsoever, but only for the specific purposes underlying their publication. Neither the mere presence of an unsubscribe link at the bottom of the commercial communication (since consent must be lawfully acquired before any commercial communication is sent, except in the case of soft spam) nor the alleged institutional nature of the communication (in particular where based on acknowledgements received from the professional associations to which the data subjects belong) makes this practice legitimate.
- Pop-up with mandatory consent for marketing purposes: the Authority found that a ‘pop-up’ making access to services conditional on the data subject’s explicit consent to the processing of personal data, both for marketing purposes and for communication of the data to third parties, violates data protection legislation. Without that consent, which was in practice mandatory, the services could not be accessed. Moreover, the consents for the different purposes were not differentiated, so by granting a single consent each user accepted two distinct processing operations with two distinct purposes. Through this Provision the Authority reiterated that the mere collection and storage of data constitutes processing, so collecting data through the described pop-up is not compliant with the legislation and gives rise to further violations (absence of freely given consent). Consequently, the Authority requested that the pop-up be reformulated in a ‘privacy compliant’ manner. Furthermore, with reference to the communication of lists of personal data to third parties for marketing purposes, the Authority confirmed that the purchaser of a database must verify that the data subjects have given specific consent both to the communication of their personal data to third parties and to marketing activities; otherwise, a defect in the original collection of consent renders any further processing unlawful. As a result, the Authority banned this kind of processing, since the purchaser was unable to prove the free and specific consent of the data subjects, and imposed the related administrative sanctions.
PERSONAL DATA PROCESSING IN EMPLOYMENT RELATIONSHIPS:
- For the processing of ordinary personal data relating to an employee, the employer relies as legal basis on the performance of the employment contract and the fulfilment of obligations arising from labour and social security legislation. Special categories of personal data (previously referred to as ‘sensitive data’) may only be processed where one of the legal bases provided for in Art. 9(2) GDPR applies; otherwise the processing of such data is prohibited. Processing of special categories of personal data for the purpose of managing the employment relationship (including after its termination) or during recruitment may be carried out only if necessary to fulfil obligations arising from law, regulations or collective agreements (see Art. 9(2)(b) GDPR).
- Regarding the processing of judicial data, the Authority clarifies that the general authorisation no longer constitutes a suitable legal basis, since it expired on 19th September 2018. It is for the legislator to identify the cases in which such processing is allowed and to set out the appropriate safeguards in a specific legal act, which has not yet been issued.
- For processing carried out through devices (smartphones and tablets) that collect the geolocation of vehicles and, indirectly, of the employees to whom the devices are issued, the Authority reaffirmed that such systems are not strictly necessary for the performance of the work; they must therefore be classified as tools from which remote monitoring of employees may also result (with the consequent application of Art. 4 par. 1 of Law 300/1970, the workers’ statute or ‘Statuto dei Lavoratori’). In the case at hand the Authority found continuous and systematic monitoring of employees, given that the devices used by the controller allowed both vehicles and employees to be geolocated in real time, so that both routes and breaks would be monitored. The processing therefore amounted to continuous monitoring in violation of the principles of lawfulness, purpose limitation and minimisation when assessed against the employer’s purposes.
- Controls on spam (unwanted e-mail): the Authority reaffirmed its position on the conditions for lawful processing of personal data held in employees’ e-mail accounts, in a case where the employer had accessed those accounts in the context of disciplinary proceedings. The access itself had been carried out by authorised persons. The elements of unlawfulness identified by the Authority were the lack of a policy informing employees about the processing of their e-mails and the retention of the data for the entire duration of the employment relationship, which conflicts with the principles of lawfulness, purpose limitation and minimisation. In other words, the issue is the massive and indiscriminate retention of all content passing through the e-mail account. The justification offered, namely the need to retain certain documents (e.g. accounting records) or more generally to ensure efficient management of document flows, cannot be pursued in this way, because e-mail systems do not allow documents to be preserved in the manner required by law. If that is the purpose, the employer should refer to the relevant legislation guaranteeing the documents’ authenticity, integrity, reliability, legibility and availability (DPCM of 3rd December 2013), while accounting records should be retained according to the procedures prescribed by Art. 2214 of the Italian Civil Code and Arts. 23 and 44 of the digital administration code (‘Codice dell’Amministrazione Digitale’). Accordingly, in the Authority’s opinion, tools designed to guarantee effective management of document flows could be set up using means less intrusive of employees’ right to privacy. The Authority thus reiterated that the systematic collection of communications in company accounts, and their storage for an indefinite or extended period and for abstract purposes (e.g. legal defence), amounts to monitoring of employees’ work.
The case in which the employer makes the archive of e-mails exchanged through the company account available to employees is treated differently. This falls within the employer’s powers and forms part of the provision of work tools, so it may be subject to specific instructions (e.g. setting retention periods differentiated according to the functions performed and consistent with the storage space available, and informing employees of the need to regularly select and delete messages). In any case, guidance on the checks the employer may carry out on e-mail and Internet use can be found in the Authority’s Guidelines Applying to the Use of E-Mails and the Internet in the Employment Context.
- Processing of sensitive data likely to reveal employees’ trade-union membership: it emerges from the Report that the employer may not communicate to a trade union the name (abbreviation) of the other trade union that a former member has joined. To enable the trade union to carry out the procedures that follow the revocation of a membership, the employer should communicate only the employee’s decision to no longer be a member of that union.
DATA BREACH: from 1st March to 31st December 2018 the Authority received 650 data breach notifications, 630 of which concerned breaches that occurred between 25th May and 31st December 2018; 27% came from public bodies and 73% from private entities. The most recurrent data breach types were:
- Cyber attacks aimed at acquiring personal data (access credentials, e-mail addresses, telephone numbers or payment information);
- Ransomware infections;
- Loss or theft of digital devices or paper documents;
- Accidental communication or disclosure of personal data.
THE INSPECTIONS OF THE AUTHORITY: Legislative Decree 101/2018 has redefined the powers of the Authority, which may request information and documents from the data controller, the data processor, data subjects and also third parties, and may ask for access to databases, making use, where necessary, of judicial police powers. It should be highlighted that some inspections have also taken place online, through direct examination of websites. The measures adopted were precautionary measures (blocks or bans), checks on the status of implementation of provisions adopted by the Authority, and prohibitions of further processing of personal data. Accordingly, the Authority imposed the related administrative penalties, including for the types of offence decriminalised under Articles 24 and 25 of Legislative Decree 101/2018.
Below are some of the cases that were subject to sanctions:
- Failure to implement the minimum security measures, for events which occurred while Art. 169 par. II of the former Data Protection Code was still in force;
- Established criminal infringements of the workers’ statute (‘Statuto dei Lavoratori’), punished under the criminal sanctions provided for in Art. 38 of the Statuto. Breach of the rules for the protection of workers contained in Art. 4 par. 1 of the Statuto is subject to administrative pecuniary penalties under Art. 166 of the new Data Protection Code and Art. 83 GDPR;
- Processing of personal data without the consent of the data subjects concerned, or unsolicited electronic communications;
- Failure to provide information or provision of inadequate information;
- Failure to provide information or to give evidence of documents to the Authority;
- Non-compliance with Authority’s provisions;
- Marketing activities not based on consent, i.e. with no appropriate legal basis, are subject to administrative fines of up to € 20.000.000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year. In particular, the total fine imposed by the Supervisory Authority was € 3.440.000, and a main criterion in determining the fine was the use of multiple channels for marketing communications (e.g. SMS, landline and mobile phone calls), which made the unlawful processing more intrusive;
- Excessive retention of video surveillance images (longer than 7 days), in violation of the adequate security measures required by the Authority’s Provision on video surveillance issued in 2010.