Rinascente S.p.A. – €300,000 Fine (Italy, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Rinascente S.p.A. was fined EUR 300,000 for mishandling customer data, including unauthorized access and unclear data retention policies. The company also failed to inform customers about data sharing with Facebook-Meta and did not conduct a required data protection impact assessment. This case highlights the importance of clear communication and proper data management for businesses handling large amounts of customer information.
What happened
Rinascente S.p.A. mishandled customer data by accessing it without consent and failing to provide clear information about data retention and sharing.
Who was affected
Over 2,000,000 customers who registered in Rinascente's stores or online were affected by these data handling issues.
What the authority found
The Italian DPA found that Rinascente violated GDPR by not providing clear information about data retention and sharing, and by failing to conduct a data protection impact assessment.
Why this matters
This case emphasizes the need for businesses to clearly inform customers about how their data is used and shared, especially when involving third parties like Facebook-Meta. Companies should ensure they conduct necessary assessments to comply with data protection laws.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Italian DPA has fined Rinascente S.p.A. EUR 300,000. The DPA acted on a complaint from a customer who, following an incident with a store employee, had her long-standing loyalty card cancelled and received a new, unsolicited card that contained offensive information about the complainant in her name. The customer complained that her information had been accessed without her consent. During the investigation, the DPA also found that the information on the loyalty card did not specify the retention period of the data for marketing and profiling purposes. In addition, it was not stated that activities were carried out through Facebook-Meta, in the course of which customers' email addresses were forwarded to the American company. As for the e-commerce activities on the website, it was found that, although broad profiling was carried out, Rinascente had not carried out a data protection impact assessment in accordance with the GDPR. In setting the fine, the DPA took into account the high number of data subjects (more than 2,000,000 people were registered in the stores or online), the duration of the violations and the financial performance of the company.
Violations (1)
The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.
Art. 12, 13 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Rinascente S.p.A. in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
8 June 2023
Authority
Garante per la protezione dei dati personali
Fine Amount
€300,000
Enforcement Tracker ID
ETid-2022
About this data
Cite as: Cookie Fines. Rinascente S.p.A. - Italy (2023). Retrieved from cookiefines.eu