The press release of a few days ago in which the Italian Data Protection Authority (Garante) announced that it had fined Eni Gas e Luce (Egl) a total of 11.5 million euros caused quite a stir.
The two sanctions described in the press release concern, respectively, the unlawful processing of personal data for commercial promotion (telemarketing) and the activation of unsolicited contracts using customer data that had been collected for other purposes.
It is worth sharing some reflections on the Measures in question.
First of all, it can finally be said, obvious as it is, that Italy too has taken its first steps in the waltz of enforcement activity in the privacy field.
In Europe, up to December 2019, the total amount of fines imposed was around 400 million euros, with a contribution of "just" 50,000 euros from the Italian Garante, through the well-known Measure against the Rousseau platform.
Secondly, it is interesting to note one of the first concrete applications of the criteria introduced by the GDPR for setting fines for violations. The violations, detected by the Guardia di Finanza's Privacy Unit, were sanctioned according to the criteria set out in EU Regulation no. 679/2016 (GDPR), which include the large number of data subjects involved, the pervasiveness of the conduct, the duration of the violation and the economic conditions of Egl.
This is not really new, but seeing these criteria applied in sanctions of the size imposed on Egl gives the criteria themselves a whole new flavour. Not only, therefore, the traditional aspects of the number and nature of the processing operations, most frequently relied on under the previous legislation, but also pervasiveness (the impact the sanctioned behaviour had on the individuals concerned), the duration of the behaviour and, fundamental for the quantum, Egl's economic conditions. Conversely, it could be assumed that, as the Garante has already stated several times in its earlier activity under the first Privacy Code, in the face of entities or companies with more modest numbers, the iron fist of the million-euro ceilings under art. 83, paragraphs 4 and 5.
Finally, it is interesting that the Garante chose to address the typical misalignment between the CRM (Customer Relationship Management, the backbone of every company's production systems) and the management of collected consents. In particular, the Authority notes that "The episodes of temporary misalignment of the CRM and of the blacklist of EGL have had limited and circumscribed consequences but in any case constitute a violation of the provisions of art. 5, par. 2 of the Regulation, since the Company has not been able to ensure and prove the timing and methods for updating the status of consents in the CRM and in its black list; therefore, the Company must also be ordered to carry out the definitive implementation of the proposed mechanisms aimed at automating the data flows from the CRM to the black list in use at the company within certain times".
This means, as practitioners already know well, that the principle of privacy by design in art. 25 becomes concrete to the extent that the technical and IT flows underlying a processing operation have also been put in order, rather than through the tons of paper behind which companies often shelter for various reasons.
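As an added illustration of the CRM-to-blacklist flow the Authority required to be automated (example code written here, not EGL's or the Garante's; the record layout, the 24-hour propagation window and the sample data are constructed assumptions), the routine below propagates withdrawn consents into the blacklist, flags opt-outs that sat unpropagated too long, lifts the block when consent is given again later, and keeps the timestamped audit trail needed to prove when and how each status was updated:

```python
# Added illustration, not EGL's code: the record layout, the 24-hour propagation
# window and the sample data below are constructed assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class CrmRecord:
    customer_id: str
    marketing_consent: bool        # current choice recorded in the CRM
    consent_changed_at: datetime   # when that choice was recorded

@dataclass
class SyncResult:
    added: list = field(default_factory=list)    # ids newly written to the blacklist
    removed: list = field(default_factory=list)  # ids whose consent was re-granted later
    stale: list = field(default_factory=list)    # (id, lag) pairs that exceeded max_lag
    audit: list = field(default_factory=list)    # timestamped record of every change

def reconcile(crm, blacklist, now, max_lag=timedelta(hours=24)):
    """Propagate CRM consent changes into `blacklist` ({customer_id: listed_at}), in place."""
    result = SyncResult()
    for rec in crm:
        listed_at = blacklist.get(rec.customer_id)
        if not rec.marketing_consent and listed_at is None:
            lag = now - rec.consent_changed_at   # how long the opt-out went unpropagated
            blacklist[rec.customer_id] = now
            result.added.append(rec.customer_id)
            if lag > max_lag:
                result.stale.append((rec.customer_id, lag))
            result.audit.append(f"{now.isoformat()} ADD {rec.customer_id} lag={lag}")
        elif rec.marketing_consent and listed_at is not None and rec.consent_changed_at > listed_at:
            # consent given again after the entry was written: lift the block
            del blacklist[rec.customer_id]
            result.removed.append(rec.customer_id)
            result.audit.append(f"{now.isoformat()} REMOVE {rec.customer_id}")
    return result

def demo():
    """Constructed sample run: four CRM records against a two-entry blacklist."""
    now = datetime(2020, 1, 20, 9, 0, tzinfo=timezone.utc)
    crm = [
        CrmRecord("C1", False, now - timedelta(hours=2)),  # fresh opt-out, inside window
        CrmRecord("C2", False, now - timedelta(days=10)),  # opt-out ignored for 10 days
        CrmRecord("C3", True, now - timedelta(days=1)),    # re-opted in after being listed
        CrmRecord("C4", False, now - timedelta(days=3)),   # already aligned, nothing to do
    ]
    blacklist = {"C3": now - timedelta(days=5), "C4": now - timedelta(days=3)}
    return reconcile(crm, blacklist, now), blacklist
```

Running `reconcile` on a schedule and retaining the `audit` lines is what turns the "certain times" the Authority demanded into something the controller can actually evidence.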
Therefore, while these first Measures are a good start, more guidance and support interventions from the Authority would be desirable and, why not, more in-depth ones (for example coaching or training), aimed at the public administration or the private sector (especially critical infrastructure) on issues such as these, beyond higher-level training projects such as the recent SMEdata meeting cycles.
Of course, 11 million euros will not be paid without a word, which is why Egl has appealed; we will see what happens.
Note: the general objective of the SMEDATA Project is to "Ensure the effective application of the General Regulation on the Protection of Personal Data by raising awareness, multiplying training and sustainable development of skills for SMEs and legal professions".