an unnamed data subject – Complaint Upheld (Italy, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Italian company, Fastweb S.p.A., was found to be sending personal data of users to the US without proper safeguards. This matters because it highlights the importance of protecting user data when using services like Google Analytics. Companies should ensure they have the right measures in place to comply with data protection laws.
What happened
Fastweb S.p.A. transferred users' personal data to the US through Google Analytics without appropriate safeguards.
Who was affected
Website visitors of Fastweb whose data was collected and sent to the US without their consent.
What the authority found
The Italian data protection authority ruled that Fastweb lacked a valid legal basis for transferring personal data, violating GDPR requirements.
Why this matters
This case shows that companies must be cautious when using third-party services that handle personal data. It sets a precedent for stricter scrutiny of international data transfers.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
Entities Involved
An Italian company, Fastweb S.p.A. (the controller), owned the website www.fastweb.it. Following the Schrems II decision, a user of the website (the data subject), represented by noyb – European Center for Digital Rights, complained to the Italian DPA that the controller was sending his personal data to the US without the appropriate safeguards required by Article 46 GDPR. The transfers took place through the use of Google Analytics 360.

The controller operated a news website that used Google Analytics to collect statistical data on the use of its services. Google Analytics cookies collected data on users' IP address, browser or device, operating system, screen resolution, selected language, date and time of access, and interaction with the website. For users who logged in with their Google account, this information could be associated with other identifiers like email address, telephone number, gender, date of birth, and profile picture. Google LLC (based in the US), and later Google Ireland, were responsible for processing the collected information; even after the Google Analytics terms of service were changed to list Google Ireland as processor, Google LLC was still designated as a sub-processor.

In response to the DPA's investigation, Google claimed it had adopted technical measures sufficient to safeguard data subjects' rights under the GDPR. These measures consisted of encryption (for which Google LLC held a copy of the encryption key) and a service called "IP-Anonymisation," wherein Google truncated users' IP addresses to hamper identification. This process, however, was actually a form of pseudonymisation, because the truncated IP address could be used in combination with the other collected data to re-identify natural persons. Both Google and the controller also offered that, taking into account the nature of the data and the context in which it was collected, the likelihood of actually being forced to disclose this data to the US government was exceedingl
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (2)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Details
Decision Date
21 July 2022
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-5309
About this data
Cite as: Cookie Fines. an unnamed data subject - Italy (2022). Retrieved from cookiefines.eu