Garante per la Protezione dei Dati Personali – Court Ruling (Italy, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Italian court annulled a fine against a delivery company for unlawfully processing workers' personal data. This ruling is important because it questions the fairness of the penalty imposed and emphasizes the need for proportionality in fines. Companies should be aware that penalties must align with their financial situation.
What happened
The court annulled a €2,600,000 fine against a delivery company for unlawfully processing personal data of platform workers.
Who was affected
The delivery company that was fined for mishandling personal data of its workers.
What the authority found
The court found that the fine was disproportionately high compared to the company's turnover, violating principles of proportionality in GDPR sanctions.
Why this matters
This ruling underscores the importance of fair and proportional penalties for data violations. Companies should ensure that any fines imposed are reasonable and reflective of their financial capacity.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
On 10 June 2021, the Italian DPA issued a €2,600,000 fine against the defendant, a delivery company, for unlawfully processing personal data of platform workers. The defendant appealed this decision to the Ordinary Court (Court). The Court annulled the decision of the DPA because although the decision was legitimate in terms of the violation found, the DPA's decision of the sanction was not. The Court found that the fine imposed by the DPA amounted to 7.29% of the defendant's turnover - significantly higher than the 4% parameter mentioned in Article 83(5)(a) GDPR and even higher than the average percentage (0.0019%) applied by the DPA to other sanctioned entities. Thus, the Court annulled the decision, without, however, modifying the amount of the sanction as the Court stated to not have this power under [https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:2011-09-01;150~art6 Article 10 of Legislative Decree No 150 of 2011]. The Italian DPA appealed this decision to the Italian Supreme Court. The main issue addressed by the Italian Supreme Court and brought by the DPA is the infringement or misapplication of Article 83 GDPR and [https://garanteprivacy.it/web/guest/codice Article 166 of the Italian Privacy Code], given that the sanction imposed was compliant with the provisions. The Supreme Court reiterated that Article 83 GDPR regulates the general conditions for imposing administrative sanctions, and each supervisory authority shall ensure that the administrative fines imposed are ‘in each individual case’ effective, proportionate and dissuasive. To be determined based on certain elements listed in Article 83(2) GDPR. The Supreme Court further noted that in the case of an intentional or negligent breach of several provisions of the GDPR, Article 83(3) GDPR requires that the maximum penalty shall not exceed ‘the amount specified for the gravest infringement’. In this perspective, the amount is set out in paragraphs 4 and 5 of Article 83 GDPR.
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Garante per la Protezione dei Dati Personali in IT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Garante per la Protezione dei Dati Personali - Italy (2023). Retrieved from cookiefines.eu
Last updated: