The Italian Data Protection Authority blocks the use of Google Analytics
On 23 June 2022, the Italian Data Protection Authority (Garante per la protezione dei dati personali) declared that a website using Google Analytics without the safeguards provided by Regulation (EU) 2016/679 (GDPR) violates data protection law. Such use entails the transfer of user data to the USA, a country that does not have an adequate level of data protection according to European standards, since US-based governmental and intelligence agencies can access the personal data without the required measures (see the guidance provided by the EDPB in Recommendation No 1/2020).
This decision follows a previous provision, adopted on 9 June (no. 224), in which for the first time the Italian DPA brought to the attention of all Italian website operators, both public and private, the unlawfulness of transfers made to the United States through Google Analytics.
GDPR: public consultation on new EDPB Guidelines for the calculation of administrative fines
Until Monday 27 June, private companies, public bodies, associations and all interested parties were able to propose and submit comments and amendments to the draft EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR.
The Guidelines set out a 5-step calculation methodology, under which a Data Protection Authority should:
- establish whether the case at stake concerns one or more instances of sanctionable conduct and if they have led to one or multiple infringements.
- rely on a starting point for the calculation of the fine for which the EDPB provides a harmonised method.
- consider aggravating or mitigating factors that can increase or decrease the amount of the fine, for which the EDPB provides a consistent interpretation.
- determine the legal maximums of fines and ensure that these amounts are not exceeded.
- analyse whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality.
Telephone directories: those not extracted from the Single Database are unlawful
The Italian Data Protection Authority fined a company 50,000 euros (provision no. 204/2022), following numerous complaints and reports regarding the unauthorised disclosure of personal data (names, addresses, telephone numbers) on its website. In particular, the DPA found several violations, including the disclosure of personal data in the absence of a suitable legal basis, failure to respect the right to erasure, inadequate privacy information and failure to cooperate with the supervisory authority.
In the provision, the Italian DPA stated that the current regulatory framework does not allow the creation of generic telephone directories not extracted from the single electronic archive (Data Base Unico), which collects the telephone numbers and customer data of all national telephone operators. Such directories do not comply with the previous provisions of the Data Protection Authority and the Communications Authority.
The Italian DPA has opened three inquiries into social credit schemes that reward “virtuous” citizens
The Italian Data Protection Authority has opened three inquiries into a series of projects, promoted by public and private entities, which provide for the assignment of scores to citizens, also on the basis of personal data collected with the consent of the data subjects.
The measure is significant because these “social scoring” projects, which amount to a kind of “citizenship by points”, present risks linked to profiling mechanisms, with potentially negative legal consequences for the rights and freedoms of data subjects, including the most vulnerable.
The DPA focused mainly on the future adoption of “social scoring” projects or derivatives of them, and stated that such initiatives must always be preceded by timely impact assessments and must comply with the principles of the GDPR.
Soon, the DPA may adopt provisions following the results of ongoing actions.
The insurance company is the data controller in distributing insurance policies
In a recent opinion on the distribution of insurance policies by banking institutions, the Italian Data Protection Authority ruled that the role of data controller must be attributed to the insurance company, while banks act as data processors.
The request concerned the correct identification of the role to be attributed to banking institutions that distribute insurance policies (bancassurance), also in view of the processing of data relating to the health of the data subjects (policyholders and insured persons), carried out through the collection, management, transmission and storage of documentation and forms relating to the companies' insurance contracts.
In the opinion, the DPA finally highlighted that the role played by the banking institution in the placement of insurance policies must be adequately indicated in the privacy notices provided to the data subjects.