Centralcar S.p.a. – Violation Found (Italy, 2025)
The DPA opened an ex officio investigation on the website of a car dealership (Centralcar S.p.a., the controller) with a focus on the cookie banner. The DPA found that the banner did include an option to reject non-essential cookies and did not allow for the expression of granular consent in relation to the types of cookies used. The DPA also found that the website used cookies for profiling purposes even though its privacy policy stated otherwise. The controller changed its cookie banner's design after the DPA notified it about the investigation. The DPA considered that the cookie banner did not offer a "reject" button or a similar option. This prevented visitors from browsing the website without accepting non-necessary cookies. On these grounds, the DPA found that the banner did not collect valid consent and held that the controller processed data unlawfully, in violation Articles 4(11), 5, 7, 24 and 25 GDPR as well as Article 122 d. lgs. 196/2003This the Italian implementation of Article 5(3) of the ePrivacy Directive.. The DPA also held that the controller violated Articles 12 and 13 GDPR by providing an inadequate cookie policy. The DPA issued a warning. In this regard, the DPA considered that the controller brought its cookie banner into compliance during the procedure.
GDPR Articles Cited
National Law Articles
The DPA opened an ex officio investigation on the website of a car dealership (Centralcar S.p.a., the controller) with a focus on the cookie banner. The DPA found that the banner did include an option to reject non-essential cookies and did not allow for the expression of granular consent in relation to the types of cookies used. The DPA also found that the website used cookies for profiling purposes even though its privacy policy stated otherwise. The controller changed its cookie banner's design after the DPA notified it about the investigation. The DPA considered that the cookie banner did not offer a "reject" button or a similar option. This prevented visitors from browsing the website without accepting non-necessary cookies. On these grounds, the DPA found that the banner did not collect valid consent and held that the controller processed data unlawfully, in violation Articles 4(11), 5, 7, 24 and 25 GDPR as well as Article 122 d. lgs. 196/2003This the Italian implementation of Article 5(3) of the ePrivacy Directive.. The DPA also held that the controller violated Articles 12 and 13 GDPR by providing an inadequate cookie policy. The DPA issued a warning. In this regard, the DPA considered that the controller brought its cookie banner into compliance during the procedure.
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Violations (4)
Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.
Art. 7 GDPR
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.
Art. 12, 13 GDPR
Users cannot select or deselect individual cookie categories; consent is presented as all-or-nothing.
Art. 4(11) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Centralcar S.p.a. in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Centralcar S.p.a. - Italy (2025). Retrieved from cookiefines.eu
Last updated: