an unnamed data subject – Complaint Upheld (Italy, 2022)
An Italian company, Fastweb S.p.A., faced a complaint upheld by the DPA for sending personal data to the US without proper safeguards. This case is significant because it shows that companies must be careful about international data transfers. Website operators should ensure they comply with data protection rules when using analytics tools.
What happened
Fastweb S.p.A. was found to be transferring personal data to the US through Google Analytics without adequate protections.
Who was affected
The affected individual was a user of the Fastweb website whose data was sent to the US.
What the authority found
The Italian DPA upheld the complaint, stating that Fastweb did not have adequate safeguards for transferring personal data outside the EU.
Why this matters
This case underscores the importance of complying with data protection rules, especially regarding international data transfers. Businesses should assess their use of analytics tools to ensure they are compliant.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Entities Involved
An Italian company, Fastweb S.p.A. (the controller), owned the website www.fastweb.it. Following the Schrems II decision, a user of the website (the data subject), represented by noyb – European Center for Digital Rights, complained to the Italian DPA that the controller was sending his personal data to the US without appropriate safeguards required by Article 46 GDPR. The transfers took place through the use of the Google Analytics 360. The controller operated a news website that used Google Analytics to collect statistcal data on the use of its services. Google Analytics cookies collected data on users' IP address, browser or device, operating system, screen resolution, selected language, date and time of access, and interaction with the website. For users who logged in with their Google account, this information could be associated with other identifiers like email adress, telephone number, gender, date of birth, and profile picture. Google LLC (based in the US), and later Google Ireland, were responsible for processing the collected information; even after the Google Analytics terms of service were changed to list Google Ireland as processor, Google LLC was still designated as a sub-processor. In response to the DPA's investigation, Google claimed it had adopted technical measures sufficient to safeguard data subjects' rights under the GDPR. These measures consisted of encryption (for which Google LLC held a copy of the encryption key) and a service called "IP-Anonymisation," wherein Google truncated users' IP addresses to hamper identification. This process, however, was actually a form of pseudoanonymisation, because the truncated IP address could be used in combination with the other collected data to re-identify natural persons. Both Google and the controller also offered that, taking into account the nature of the data and the context in which it was collected, the likelihood of actually being forced to disclose this data to the US government was exceedingl
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (2)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (3)
Other enforcement actions involving an unnamed data subject in IT
Complaint Upheld
Similar Cases
Enforcement actions with similar violations
Details
Decision Date
21 July 2022
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-5309About this data
Cite as: Cookie Fines. an unnamed data subject - Italy (2022). Retrieved from cookiefines.eu
Last updated: