Ediscom S.p.A. – €300,000 Fine (Italy, 2023)

€300,000 | Garante per la protezione dei dati personali | 23 February 2023 | Italy
final
ePrivacy
Fine

Ediscom S.p.A. was fined for failing to handle personal data properly and for using cookies without consent. This matters because it shows that companies must respect users' privacy choices, especially regarding tracking technologies. Failing to do so can lead to significant penalties.

What happened

Ediscom S.p.A. was fined for using cookies that persisted after users rejected them and for placing third-party cookies without consent.

Who was affected

Visitors whose online behavior was tracked by Ediscom's cookies without their permission were affected.

What the authority found

The Garante per la protezione dei dati personali ruled that Ediscom violated GDPR rules by not obtaining valid consent for cookie usage.

Why this matters

This case highlights the importance of clear consent mechanisms for cookies and tracking tools. Other companies should ensure they comply with privacy regulations to avoid similar fines.

GDPR Articles Cited

AI-verified

Art. 5 GDPR
Art. 6 GDPR
Art. 7 GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 24 GDPR
Art. 25 GDPR

Source verified 2 April 2026
articles corrected
national law identified
scope corrected
Full Legal Summary
Detailed

The controller – Ediscom S.p.A. – was a marketing company whose business consisted of contacting potential customers on behalf of third-party vendors through SMS, emails and automated calls. To conduct this activity, the company made use of an extensive database including the contact details of more than 21 million people. Personal data were collected both directly by Ediscom and by third parties.

In general, Ediscom acknowledged that it acted as a controller. However, in some cases, Ediscom rented databases from third parties with the aim of monetising them. Although costs and profits were shared, Ediscom considered itself a processor acting on behalf of the owners of such databases.

Ediscom regularly received withdrawals of consent and erasure requests. As Ediscom relied on several databases with partially overlapping data, it usually put these requests in blacklists to avoid reimporting the same data from another source and using them again. Whenever it considered itself to be operating as a processor, Ediscom notified the original controller about erasure or withdrawal of consent requests.

Some data subjects claimed to have objected to the processing for marketing purposes. However, they still received calls and messages from Ediscom. In the context of these complaints, the Italian DPA started a broader investigation into Ediscom's business practices. The investigation concerned both the websites used by the controller to directly collect personal data and personal data disclosed to Ediscom by third parties.

On several websites managed by Ediscom, users were invited to take part in lotteries or to subscribe to cooking or health newsletters. Theoretically, users could choose whether Ediscom was allowed to use and share their data for marketing purposes. In practice, the supervisory authority identified numerous GDPR violations. Several GDPR infringements could also be found with regard to personal data originally collected by third parties. Data directly collected by t

Violations (4)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Cookies Persist After Rejection
critical

Tracking cookies remain active or are re-placed even after the user explicitly rejects them.

Art. 6(1) GDPR

Third-Party Cookies Without Consent
critical

Third-party tracking cookies or scripts are loaded without obtaining prior user consent.

Art. 13, 14 GDPR

Unclear Cookie Information
high

The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.

Art. 12, 13 GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Ediscom S.p.A. in IT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

23 February 2023

Authority

Garante per la protezione dei dati personali

Fine Amount

€300,000

GDPRhub ID

gdprhub-5831

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Ediscom S.p.A. - Italy (2023). Retrieved from cookiefines.eu
