The Supreme Court confirms the ban on consent recovery for marketing purposes
Customers’ personal data cannot be used by data controllers to send communications requesting consent for marketing activities. The Italian Supreme Court, reversing the interpretation of the Court of Rome, upheld the DPA’s appeal and confirmed the unlawfulness of the conduct engaged in by a telco company. It pointed out that the lack of consent, which is equivalent to dissent, does not allow the legitimacy of a recall activity towards the data subjects, aimed at obtaining their consent to receive commercial communications, to be established. Moreover, the Supreme Court stated that a request for consent to subsequent marketing activities already constitutes marketing in itself.
On 10 February 2022, the Italian Data Protection Authority fined a data controller for several GDPR infringements. The investigation started after an employee complained to his employer about alleged violations in the processing of data contained in computer devices and company e-mails following the termination of his work relationship. Violations include:
- denied access to the personal data contained within the business PC (alleged violation of Article 20 GDPR); and
The relationship between the individual’s right to privacy and the right of information
On 28 March 2022, the Italian Supreme Court dismissed the appeal by a data subject who, having been subject to a precautionary measure, had asked for his name to be erased or de-indexed on search engines and requested that a book be withdrawn from sale. It was held that there had been no breach of privacy, but a proper exercise of judicial reporting. The Court points out that both the protection of privacy and the right to be forgotten must be balanced against the freedom to inform and be informed, in particular when the person to whom the news refers is in fact a public figure.
The Italian Data Protection Authority sanctions a municipality for disseminating a citizen’s data
On 10 February 2022, a citizen complained to the Italian DPA after learning that details of his complaints and claims had been published on a municipality’s public notice board to justify the withdrawal of another person’s employment. The data controller violated Article 6 GDPR and Article 2-ter of the Privacy Code (before it was amended by Legislative Decree 139/2021). In addition, the DPA detected a violation of Article 5(1)(a) and (c) GDPR. Transparency should always be balanced with the right to privacy and data protection of data subjects.
Facial recognition: the Italian DPA fines Clearview Inc.
The Italian Data Protection Authority fined the U.S. company Clearview AI 20.000.000 € at the end of an investigation that revealed that the company had been applying biometric surveillance techniques on Italian territory. The company, which has a database of more than 10 billion facial images of data subjects from around the world, offers a search service that allows profiles to be created based on biometric data extracted from the images. Profiles can be enhanced with information associated with these images, such as image tags and geolocation. The DPA found that the company had processed personal data without a valid legal basis and had violated several GDPR principles, such as the principle of transparency, the principle of purpose limitation and the principle of storage limitation.
The Italian Data Protection Authority sanctions a social health authority
On 10 February 2022, the Italian Data Protection Authority issued an injunction order against a territorial social and health authority. In the Authority’s opinion, there had been a violation of personal data, as a report relating to a diagnostic test was communicated to a person who was not entitled to receive it. IT systems and infrastructures were not involved in the incident and, therefore, the Authority contested the infringement of Articles 5 and 9 of the GDPR. The violation, due to a material error by an employee, revealed shortcomings in training on the processing of personal data and on the security measures to be applied. An administrative fine was imposed.