The investigations of the privacy authority led to €11 million in fines, with 65 inspections performed in Italy, 1,300 entities investigated, and a detailed plan for the second half of 2019.
In a previous post, I discussed the plan of inspections of the Italian data protection authority for the first half of 2019, and now the Garante has published a report showing the outcome of that activity, also indicating the plan for the coming second half of the year.
Privacy fines and inspections of the first half of 2019 in Italy
It appears that the Italian data protection authority is taking a quite aggressive approach in the first months after the effective date of the GDPR. According to data published by the regulator, 779 entities have been sanctioned, with €11 million in privacy fines issued, while 1,300 companies have been investigated.
The most famous sanction issued was the €1 million fine against Facebook over the Cambridge Analytica case. The amount may appear quite low, but the events that led to the fine occurred before the effective date of the GDPR. It is foreseeable that, had the conduct occurred after 25 May 2018, the privacy fine would have been substantially higher.
GDPR fines might also increase as a consequence of the 65 privacy inspections carried out through so-called dawn raids by the Italian data protection authority.
The sectors targeted by the Italian data protection authority's inspections for the second half of 2019
According to the plan of inspections for the second half of 2019, the Garante will target the processing of personal data by
- banks, with particular reference to data flows to the registry of accounts;
- intermediaries for the newly launched electronic invoicing system;
- companies for marketing and profiling activities, also for loyalty cards;
- companies belonging to the “Food Delivery” sector;
- private companies in the health sector.
They will also focus on specific issues such as the operation of so-called whistleblowing systems, the validity of the privacy consents obtained, the provision of privacy information notices, and compliance with data retention periods.
A hundred investigations will be performed during the second half of 2019 and, as usual, they will be carried out with the support of the tax police.
My view and recommendations
The report on the activity of the first half of 2019 by the Italian data protection authority confirms my opinion as to the approach taken by the Garante after May 2018. The regulator granted companies a few additional months to get ready, also because the local integrating law came into force in August 2018. But then strict investigations started.
The checklist of the Garante and the tax police during a privacy investigation is extraordinarily long. Even if the focus of the dawn raid is on a specific issue, they usually expand the audit to further findings that arise when looking at IT systems, reviewing the record of processing activities or, more generally, accessing information on the operation of the company.
We always insist on the need to prepare for a privacy dawn raid and are running mock dawn raids at our clients’ premises, shops, and plants to understand how companies react to an investigation. At this stage, most of the relevant companies on the market have performed a substantial amount of work on data protection compliance. But very few of them are 100% compliant.
The way a dawn raid is conducted can make a massive difference between facing the risk of a fine and the consequent challenging proceedings, and dealing with an investigation from which no such proceedings arise.
On the same topic, you may find interesting the article “How to be prepared for privacy dawn raids under the GDPR?”. Also, I found the criteria for the calculation of potential GDPR fines discussed in the article “Guidelines on the calculation of GDPR fines now issued by German DPAs” quite useful for our clients.