Razmataz Live srl – €1,000 Fine (Italy, 2023)

In the context of some processing operations already subject to investigation, the Italian DPA found that some controllers outsourced marketing services to Razmataz Live s.r.l. - a company active in the field of promotion of cultural activities. Razmataz relied in turn on another company, Flowers R, for the actual sending of marketing communications. Since Razmataz did not reply to the supervisory authority's request of information, in May 2022 the DPA notified to the company the opening of a sanctioning procedure against it. In its submission Razmataz claimed that the company did not assume any data protection role, as the marketing communications were sent by Flowers R according to the instructions directly issued by Razmataz's clients. Razmataz merely established a connection between Flowers R and such clients. Indeed, Razmataz did not have access to the contact details of the recipients of the marketing messages. The Italian DPA rejected the arguments of the submission. According to the materials submitted by Razmataz, the latter played a key role in ensuring the communications between its clients and Flowers R in the context of the marketing campaigns. Indeed, Razmataz considered that Flowers R could provide its customers with adequate assistance in launching promotional campaigns. Razmataz was the channel of communication between the clients - acting as data controllers - and Flowers R the company that actually processed personal data. Therefore, Razmataz acted as data processor and did not conduct appropriate checks on the level of data protection guaranteed by the sub-processor Flowers R. This triggered a violation of Articles 5 and 28 GDPR. Since the data processor is fully liable to the controller for the performance of a sub-processor’s obligations, Razmataz was liable for the non-compliant marketing campaigns run by Flowers R. These campaigns indeed resulted in an unlawful processing of personal data and in a violation of Article 6 GDPR, as data subj