Garante per la protezione dei dati personali – Court Ruling (Italy, 2023)
Italy's data protection authority prohibited an association from using an algorithm to calculate reputation ratings due to consent issues. This ruling is significant because it reinforces the importance of obtaining proper consent when processing personal data. Organizations using similar algorithms should review their consent practices.
What happened
An association was banned from processing personal data for reputation ratings without proper consent.
Who was affected
Individuals and businesses whose profiles were rated by the association's algorithm were affected.
What the authority found
The DPA found that the association violated data protection rules by not adhering to consent requirements.
Why this matters
This decision emphasizes the need for clear consent in data processing. Companies using algorithms for personal data should ensure they comply with consent regulations.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The appellant in the present proceeding was an association which used an algorithmic system to objectively calculate the reputation rating of the natural and legal persons who created a profile (the data subjects) on their platform. The case stems from an investigation the Italian DPA had conducted on the appellant. At the end of the investigation, the Garante prohibited under [https://www.garanteprivacy.it/codice Article 154(1)(d) of the Italian Privacy Code] the mentioned data processing operations due to a breach of [https://www.garanteprivacy.it/codice Articles 2, 3, 11, 23, 24 and 26 of the Code]. The DPA decision was appealed by the company and ended up before the Italian Supreme Court, for three reasons. First, the appellant claimed that the previous instance did not adhere to well-established Supreme Court case-law on consent. Second, it highlighted that the math scheme of the algorithm was already available in the EU Patent Registry and easily recognizable. Lastly, the violation and wrongful application of [https://www.gazzettaufficiale.it/anteprima/codici/codiceCivile Article 41 of the Civil Code], [https://www.europarl.europa.eu/charter/pdf/text_en.pdf Article 8(2) of the European Charter for Fundamental Rights], [https://www.garanteprivacy.it/codice Articles 13, 23, 26 of the Italian Privacy Code], as applicable at the time of the facts, and Article 7(4) GDPR with regards to the protection of the principle of economic initiative. The Supreme Court stated that the first two claims of the appellant had to be considered together as they were interrelated. It noted that the previous court had ruled that data processing by an algorithmic system could be considered transparent when the data subjects knew how the algorithm worked. Regardless of the explanation, the Supreme Court focused on the lawfulness of the processing and found that it is necessary for the data processing carried out by an algorithm to be subject to consent. This means that the data subj
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (1)
Other cases involving Garante per la protezione dei dati personali in IT
Details
About this data
Cite as: Cookie Fines. Garante per la protezione dei dati personali - Italy (2023). Retrieved from cookiefines.eu
Last updated: