On October 20, 2022, the Italian data protection authority issued a GDPR fine of 1.4 million euros against a well-known perfume store chain for multiple violations related to its CRM card system.
The Garante, the Italian data protection authority, opened its investigation after a complaint from a data subject who reported that she had received no response to a request to exercise her rights, sent to the perfumery chain in August 2020. The Garante requested information from the company and, having found the answers insufficient, carried out an inspection at the company’s headquarters.
Based on the information acquired, the Garante charged the perfumery chain with several violations of the GDPR in the management of its CRM card, including, in particular, that:
- the app operated by the company did not ensure a clear distinction between the privacy policy and the dedicated cookie policy – including the relevant consents – from the contractual terms;
- the privacy information notice mentioned processing activities that the company claimed not to carry out and purposes that were not pursued (i.e., geolocation activities, proximity marketing, and access to contacts in the address book or messaging);
- contact data were kept beyond the retention period. The company had also collected in its database contacts originating from the CRM cards of two companies that had been merged into it; it kept those contacts in “inactive” mode and carried out no marketing activities toward them, but these individuals had neither joined the merging company’s CRM card nor been deleted; and
- appropriate organizational and technical solutions had not been adopted to ensure that the retention of customer data and the collection of consents were done in compliance with the GDPR through, for example, store scripts and procedures.
This decision is significant because it raises several issues for consideration:
- the complaint originated from a customer’s request to exercise rights, followed by an Italian data protection authority inspection. This circumstance demonstrates how critical it is for companies to adopt detailed procedures for collecting and handling data subjects’ requests through all their channels and store network. This is an onerous obligation; unfortunately, some individuals abuse these rights to merely harm businesses. Hopefully, the European privacy authorities will take a position that will identify an appropriate balance between the interests of the parties. However, in the meantime, companies must strengthen procedures for handling data subjects’ requests;
- the Garante asked the sanctioned company to demonstrate the proper acquisition and validity of the consents collected by the merged companies, which raises a relevant issue for all mergers, acquisitions, or transfers of business units that involve the acquisition of databases. In this context, the Italian data protection authority ordered the company to (i) delete all personal data of customers dating back more than ten years (except where a judicial or extra-judicial dispute is pending) and (ii) delete or pseudonymize personal data of customers of the merged companies dating back up to ten years, advising them – if the data had only been pseudonymized – of the possibility of renewing their card within six months, and then proceed with final deletion. This procedure is quite interesting and could become a best practice for all corporate transactions;
- the Garante challenged the retention period stated in the privacy policy. The company had adopted a retention period under which the data would be kept until the data subject revoked consent; the Garante considered this inadequate and also objected that the notice did not indicate the retention period, so the notice was incomplete. The Garante recalled its own 2005 ruling on the retention period for CRM cards. In our view, this retention period can be extended where the company operates in an industry with a limited frequency of purchases, but the longer retention period should be justified in light of the principle of accountability; and
- the privacy information notice was considered unclear by the Garante because there was no clear distinction between privacy notice, cookie policy, and contract terms. On this aspect, there are several references in the injunction order to the company’s referrals to the foreign parent company’s guidance to ensure consistency in the documents across different jurisdictions. This is an approach we often hear from our clients. However, the Italian data protection authority did not consider the defense significant, holding that each company must comply with applicable privacy regulations.
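As an added illustration (not code from the original post, the Garante, or the sanctioned company), the remedy ordered in the second point above can be expressed as a retention sweep over a customer database: records older than ten years are deleted unless a dispute is pending, and records inherited from merged companies are pseudonymized and then deleted if the card is not renewed within six months. The record fields, the keyed-hash pseudonym, the secret key, the exact day counts and the sample customers are all assumptions constructed for the example.

```python
"""Retention sweep modelled on the deletion/pseudonymization order described above.

Added example; the record layout, thresholds and sample data are constructed
for illustration and are not taken from the decision.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional, Tuple
import hashlib
import hmac

RETENTION_YEARS = 10                    # "more than ten years" in the order
RENEWAL_WINDOW = timedelta(days=182)    # roughly the six-month renewal period
# Constructed secret. In a real deployment the key is the "additional
# information" that must be held separately from the pseudonymized records.
PSEUDONYM_KEY = b"example-key-held-separately"


@dataclass(frozen=True)
class Customer:
    customer_id: str
    email: str                          # direct identifier, replaced on pseudonymization
    last_activity: date
    origin: str                         # "own" card, or "merged" (card of an absorbed company)
    dispute_pending: bool = False       # carve-out named in the order
    pseudonymized_on: Optional[date] = None
    renewed: bool = False               # customer joined the merging company's card


def pseudonym(email: str) -> str:
    """Keyed hash of the identifier. Without the key the value cannot be
    reversed or enumerated from a guessed customer list; with it, a customer
    who presents the same email at renewal can be matched to the record."""
    normalized = email.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, normalized, hashlib.sha256).hexdigest()


def age_years(d: date, today: date) -> float:
    return (today - d).days / 365.25


def decide(c: Customer, today: date) -> str:
    """Map one record to 'keep', 'delete' or 'pseudonymize'."""
    if c.dispute_pending:
        return "keep"
    if age_years(c.last_activity, today) > RETENTION_YEARS:
        return "delete"                 # (i): older than ten years, any origin
    if c.origin == "merged":            # (ii): inherited records up to ten years old
        if c.renewed:
            return "keep"
        if c.pseudonymized_on is None:
            return "pseudonymize"       # first pass: strip the direct identifier
        if today - c.pseudonymized_on > RENEWAL_WINDOW:
            return "delete"             # renewal window lapsed without renewal
        return "keep"                   # still inside the window
    return "keep"


def apply_decision(c: Customer, today: date) -> Optional[Customer]:
    action = decide(c, today)
    if action == "delete":
        return None
    if action == "pseudonymize":
        return replace(c, email=pseudonym(c.email), pseudonymized_on=today)
    return c


def sweep(records: List[Customer], today: date) -> Tuple[List[Customer], List[Tuple[str, str]]]:
    """Return the surviving records and an audit log of (customer_id, action)."""
    kept, log = [], []
    for c in records:
        log.append((c.customer_id, decide(c, today)))
        out = apply_decision(c, today)
        if out is not None:
            kept.append(out)
    return kept, log


# Constructed sample database, evaluated as of the date of the decision.
TODAY = date(2022, 10, 20)
SAMPLE = [
    Customer("c1", "a@example.com", date(2021, 3, 1), "own"),
    Customer("c2", "b@example.com", date(2010, 5, 1), "own"),
    Customer("c3", "c@example.com", date(2010, 5, 1), "own", dispute_pending=True),
    Customer("c4", "d@example.com", date(2018, 1, 1), "merged"),
    Customer("c5", "e@example.com", date(2018, 1, 1), "merged", pseudonymized_on=date(2022, 1, 1)),
    Customer("c6", "f@example.com", date(2018, 1, 1), "merged", pseudonymized_on=date(2022, 9, 1)),
    Customer("c7", "g@example.com", date(2018, 1, 1), "merged", renewed=True),
]

if __name__ == "__main__":
    survivors, audit = sweep(SAMPLE, TODAY)
    for entry in audit:
        print(entry)
    print(len(survivors), "records retained")
```

The audit log is what a controller would keep to demonstrate, under the accountability principle, that the ordered deletions actually ran; the keyed hash is used rather than a plain hash so that a leaked pseudonymized table cannot be matched against a list of known email addresses without the separately held key.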
Based on the above reasoning for the multiple violations related to the handling of personal data linked to the CRM card system, the Garante issued a GDPR fine of €1.4 million, about 0.4 percent of the company’s turnover. This may be a coincidence, and the Garante gives no clear guidance on the point, but all high fines issued under the GDPR in Italy have been calculated on a basis of between 0.2 percent and 0.4 percent of turnover. This percentage can therefore be treated as a reasonable reference point when estimating the risk of a penalty.
It is quite perplexing that, in its decision on the processing of personal data related to the CRM card system, the Italian data protection authority made no reference at all to the EDPB’s guidelines on the calculation of GDPR fines, which we discuss in the article “EDPB’s guidelines on the calculation of the penalty under the GDPR reveal gray areas and uncertainties.”