Italian Data Protection Authority: obstructing the right of access to personal data through omissive behavior constitutes an illegal conduct  

The Italian Data Protection Authority has sanctioned the unlawfulness of the conduct carried out by a telephone company, which by preventing access to the telephone records of its customer, obstructed and prevented the right of defense in a penal trial. The Authority asserted that “the technical problems” alleged by the telephone company cannot justify the negligence in the failure to respond to the repeated requests of the customer, nor the violation of the duty of the data controller to facilitate the exercise of the rights of the data subjects by providing feedback without undue delay. 

Read the provision 


Stop to remote control and surveillance systems for workers without the relating data protection measures 

After an employee’s complaint, the Italian Data protection Authority fined a public transport company for carrying out a remote control of its workers without guaranteeing the necessary safeguards established in the Workers’ Statute and the Privacy Code. 

As it emerged following the investigation of the Authority, the employer carried out to replay and record on a database the calls between employees and customers, even for a period of time exceeding 90 days, without having provided suitable information to the workers. Furthermore, their personal data had not been processed according to the principles of minimization and limitation, nor had been guaranteed security measures capable of protecting the confidentiality and integrity of the data, human dignity, legitimate interests and fundamental rights of the data subjectsas established by the GDPR for cases in which it is intended to use monitoring tools in the workplace. 

Read the provision  


Italian Competition Authority fines Google and Apple for violating the principle of informed consent and free choice guaranteed by the Consumer Code and the European regulation on the protection of personal data  

The Antitrust Authority (AGCM) has fined with two recent measures  Google and Apple for significant violations of the Consumer Code, highlighting at the same time the infringement of some fundamental principles of data protection regulation. In particular, the Authority found the failure to comply with Articles 24 and 25 of the Consumer Code concerning the coercion of freedom of choice and the undue influence of the average consumer, also indicating the total absence of information during the collection of the data necessary for the creation of a profile or for the use of the services offered as well as the unlawful pre-setting of consent for the collection of data for marketing purposes (Article 4, paragraph 11 and Article 7 of the GDPR). It was therefore found that, even on the privacy field, the failure to indicate terms and conditions of use, a privacy policy and the processing of data for commercial purposes even for the “free services” provided, prevented the consumer from making an informed and free choice. In fact, the consent to the transfer of one’s personal data for profiling or for commercial purposes, to be “informed”, had to be requested in the registration section or at the time of access to the service used, but not before the completion of the procedure (pursuant to art. 13 GDPR). The AGCM therefore requested not only to put an end to the violations of the Consumer Code indicated, but also to respect the principles of privacy by design and by default (Article 25 of the GDPR). 

Read the provision

Read the provision


The Italian Authority: notifying traffic fines via professional certified e-mail is forbidden 

The Italia Data Protection Authoritythrough the note of 27.10.2021, n. DRP / PS / 147434, has put an end to the custom of sending notifications of traffic fines to professionals via PEC, when the certified e-mail address is not strictly personal, but is attributable to professional purposes, as well as the case of the address assigned by one’s own Professional Order. According to the Italian Authority, in fact, tapping into the national index of digital domiciles of companies and professionals (Ini-Pec) without first assessing, case by case, whether the mailbox is strictly personal or not, can lead to a serious violation of privacy to the extent that it could also make colleagues at work aware of the content of the communication. 

This problem may be considered overcome with the future activation of the “Inad” list in which the professional PEC addressalready present in the Ini-pec, will be automatically inserted but the professional will also be given the opportunity to indicate an additional address for personal communications. 

Read the news

Author elex

More posts by elex