Serfin 97 S.r.l. – €60,000 Fine (Italy, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Serfin 97 S.r.l. was fined for contacting a person about a debt using the wrong email address. This is important because it shows that companies must use correct contact information when dealing with personal data. Businesses should verify their data sources to avoid similar errors.
What happened
Serfin 97 S.r.l. contacted a person about a debt using an email address that did not belong to them.
Who was affected
A person who was mistakenly contacted about a debt using an incorrect email address.
What the authority found
The Garante found that Serfin 97 S.r.l. violated GDPR rules by not having valid legal grounds for processing the person's personal data.
Why this matters
This ruling emphasizes the importance of accurate data handling practices. Companies must ensure they have the right information before reaching out to individuals to avoid privacy violations.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject was contacted by the credit market agency Serfin 97 S.r.l., the processor, to request the payment of an outstanding debt the data subject had with P.E.S S.r.l., the controller. However, the email address used by the processor to contact the data subject was the address of an acquaintance of the data subject and not the data subject’s address. Also, the data subject never communicated the email address to the controller or the processor. The data subject advanced a complaint before the DPA, which started an investigation. The investigation revealed that the debt was transferred from “ENI gas e luce S.p.a.” (Hereinafter: ENI), one of the biggest gas and electricity providers in Italy, to the controller, in the context of a contract of cession of monetary claims. However, the collecting of the purchased debt was fully handled, on behalf of the controller, by Centotrenta Servicing S.p.A., which itself delegated the task to the processor. In fact, the controller is a vehicle company for the securisation of credits, does not have any employee, no database and delegates all its services, even the administration ones, to Centotrenta Servicing S.p.A. The DPA further established that the cession of the debt automatically entailed the sharing of personal data of the debtors with the controller, as this data is included in the documents and in the computer records related to the debtors. In relation to the data subject´s file, no email address was present in its contact data. Against this background, when the processor received a request of information from the DPA, it replied and put forward that, it is “highly likely that the email contact came from a telephone contact with the data subject, or by acquiring the data through consulting publicly available sources”. The processor explained that, after the third party´s request to delete the email, such data was erased not only from the documentation related to the data subject, but overall from the entire datab
Related Enforcement Actions (0)
No other enforcement actions found for Serfin 97 S.r.l. in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
17 October 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€60,000
GDPRhub ID
gdprhub-8755About this data
Cite as: Cookie Fines. Serfin 97 S.r.l. - Italy (2024). Retrieved from cookiefines.eu
Last updated: