G.Glamour – Complaint Upheld (Italy, 2024)

Garante carried out checks on e-commerce websites and found that one of the selected websites was the clothing and beauty website [https://gglamoursarzana.it/ www.gglamoursarzana.it] in which its cookie banner shown only basic information and two buttons (“OK” and “No, thanks”), but no information about cookie types, purposes and if any tracking tool was being used was provided. Also, it did not allow users to give specific, informed, and freely given consent. Also, the cookie banner led to a privacy policy that was editable by any site visitor. Any user was able to modify the content of the privacy policy document on the website without authentication or any user restriction, exposing other visitors to altered or potentially false information. The website owner later admitted that the editable privacy policy was a configuration error and stated that the site had been created with the help of external developers using a common content management platform. The issue was only corrected after the Garante launched an investigation. Garante found that the controller breached Article 5(1)(a) GDPR by failing to ensure lawful and transparent data processing, since users were not properly informed regarding the cookies. Also, Garante highlighted that the absence of a cookie policy and the editable privacy policy violated Articles 12(1) and 13 GDPR, as the necessary information was not provided in a clear and accessible form. The failure to apply adequate technical and organisational measures, especially allowing public editing of privacy documentation, was a breach of Article 25(1) GDPR (data protection by design and by default). Although the controller eventually resolved the technical issues and updated the information available to users, Garante issued a reprimand under Article 58(2)(b) GDPR due to the failure to comply with the provisions regarding the processing of personal data through the use of cookies.