The Supreme Court confirms the ban of consent recovery for marketing purposes 

Customers’ personal data cannot be used by data controllers to send communications requesting consent for marketing activities. The Italian Supreme Court, reversing the interpretation of the Court of Rome, upheld the DPA’s appeal and confirmed the unlawfulness of the conduct engaged in by a telco company. It pointed out that the lack of consent, which is equivalent to dissent, does not legitimise a recall activity towards the data subjects aimed at obtaining their consent to receive commercial communications. Moreover, the Supreme Court stated that the request for consent for subsequent marketing activities already constitutes marketing in itself.

Read the judgment 

The Italian Data Protection Authority sanctions a data controller for lack of privacy policy  

On 10 February 2022, the Italian Data Protection Authority fined a data controller for several GDPR infringements. The investigation started after an employee complained to his employer about alleged violations in the processing of data contained in computer devices and company e-mails following the termination of his work relationship. Violations include: 

  • denied access to the personal data contained within the business PC (alleged violation of Article 20 GDPR); and
  • rejected request to erase and access the email box provided by the employer, following the termination of the employment relationship. As part of this, the Authority found that no privacy policy had been provided to the employee, in violation of Articles 5(1)(a), 12, 13 GDPR.

Read the provision 

The relationship between the individual’s right to privacy and the right of information 

On 28 March 2022, the Italian Supreme Court dismissed the appeal by a data subject who, having been subject to a precautionary measure, had asked for his name to be erased or de-indexed on search engines and requested that a book be withdrawn from sale. It was held that there had been no breach of privacy, but a proper exercise of judicial reporting. The Court points out that both the protection of privacy and the right to be forgotten must be balanced against the freedom to inform and be informed, in particular when the person to whom the news refers is in fact a public figure.

Read the judgment 

The Italian Data Protection Authority sanctions a municipality for disseminating the citizen’s data 

On 10 February 2022, a citizen complained to the Italian DPA after learning that details of his complaints and claims had been published on a municipality’s public notice board to justify the withdrawal of another person’s employment. The data controller violated Article 6 GDPR and Article 2-ter of the Privacy Code (before it was amended by Legislative Decree 139/2021). In addition, the DPA detected a violation of Article 5(1)(a) and (c) GDPR. Transparency should always be balanced with the right to privacy and data protection of data subjects.

Read the provision 

Facial recognition: the Italian DPA fines Clearview Inc. 

The Italian Data Protection Authority fined the U.S. company Clearview AI 20.000.000 € at the end of an investigation that revealed that the company had been applying biometric surveillance techniques on Italian territory. The company, which has a database of more than 10 billion facial images of data subjects from around the world, offers a search service that allows profiles to be created based on biometric data extracted from the images. Profiles can be enhanced with information associated with these images, such as image tags and geolocation. The DPA found that the company had processed personal data without a valid legal basis and had violated several GDPR principles, such as the principle of transparency, as well as the principle of purpose limitation and the principle of storage limitation.

Read the provision 

The Italian Data Protection Authority sanctions a social health authority 

On 10 February 2022, the Italian Data Protection Authority issued an injunction order against a territorial social and health authority. In the Authority’s opinion, there had been a violation of personal data, as a report relating to a diagnostic test was communicated to a person who was not entitled to receive it. IT systems and infrastructures were not involved in the incident and, therefore, the Authority contested the infringement of Articles 5 and 9 of the GDPR. The violation, due to a material error by an employee, revealed shortcomings in training on the processing of personal data and the security measures to be applied. An administrative fine was imposed.

Read the provision 

Author elex
