Serfin 97 S.r.l. – €60,000 Fine (Italy, 2024)

€60,000 | Garante per la protezione dei dati personali | 17 October 2024 | Italy
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

GDPR Articles Cited

Art. 28 GDPR
Art. 15(1)(g) GDPR
Art. 28(3)(a) GDPR
Art. 28(3)(e) GDPR
Art. 28(3)(h) GDPR

Full Legal Summary

The data subject was contacted by the credit market agency Serfin 97 S.r.l., the processor, with a request to pay an outstanding debt the data subject had with P.E.S S.r.l., the controller. However, the email address the processor used to contact the data subject belonged to an acquaintance of the data subject, not to the data subject. Moreover, the data subject had never communicated that email address to the controller or the processor. The data subject lodged a complaint with the DPA, which started an investigation.

The investigation revealed that the debt was transferred from “ENI gas e luce S.p.a.” (hereinafter: ENI), one of the biggest gas and electricity providers in Italy, to the controller, in the context of a contract of cession of monetary claims. However, the collection of the purchased debt was fully handled, on behalf of the controller, by Centotrenta Servicing S.p.A., which itself delegated the task to the processor. In fact, the controller is a vehicle company for the securitisation of credits; it has no employees and no database, and it delegates all its services, even the administrative ones, to Centotrenta Servicing S.p.A.

The DPA further established that the cession of the debt automatically entailed the sharing of the debtors' personal data with the controller, as this data is included in the documents and computer records related to the debtors. The data subject's file contained no email address among its contact data. Against this background, when the processor received a request for information from the DPA, it replied that it is “highly likely that the email contact came from a telephone contact with the data subject, or by acquiring the data through consulting publicly available sources”. The processor explained that, after the third party's request to delete the email, such data was erased not only from the documentation related to the data subject, but overall from the entire datab

Related Enforcement Actions (0)

No other enforcement actions found for Serfin 97 S.r.l. in IT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date: 17 October 2024
Authority: Garante per la protezione dei dati personali
Fine Amount: €60,000
GDPRhub ID: gdprhub-8755

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Serfin 97 S.r.l. - Italy (2024). Retrieved from cookiefines.eu
