Douglas Italia S.p.a. – €1,400,000 Fine (Italy, 2022)
Douglas Italia S.p.a. was fined EUR 1.4 million for multiple violations of data protection laws, including not getting proper consent from customers for data processing. The company merged with others and kept customer data too long without permission. This case serves as a warning for businesses to ensure they obtain clear consent and provide accurate information about data use.
What happened
Douglas Italia S.p.a. failed to obtain valid consent from customers for processing their personal data and kept data longer than allowed.
Who was affected
Customers of Douglas Italia whose personal data was processed without proper consent.
What the authority found
The authority ruled that Douglas did not comply with GDPR requirements for obtaining consent and providing clear information about data processing.
Why this matters
This case highlights the need for companies to have clear consent processes and to respect customers' data rights. Businesses should review their data handling practices to avoid similar penalties.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Italian DPA has imposed a fine of EUR 1.4 million on Douglas Italia S.p.a. for various GDPR violations. In the course of its investigation, the DPA initially found that customers were supposed to give their consent to the privacy notices, the cookie policy, and the GTC at the same time. The DPA considered this to be a breach of Art. 6 GDPR and Art. 7 GDPR, as the data subject's consent to the processing of their personal data could not be considered voluntary due to the lack of separate options for consenting to the different notices. Douglas had merged with other companies and in the process acquired additional personal data. The DPA found that after acquiring the data, Douglas had kept the data for an excessive period of time without obtaining consent from the data subjects to use it for its own purposes. The DPA also found that Douglas retained data of customers who had not renewed their loyalty cards for an excessive period of time. Douglas also failed to provide its customers with sufficient and accurate information about the data processing. The DPA also found that Douglas did not use the data for direct marketing in accordance with customer consent. For example, customers who had only consented to telemarketing also received SMS marketing messages. Finally, the DPA found that Douglas had breached its accountability obligations regarding the processing of personal data on its blog.
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Douglas Italia S.p.a. in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
20 October 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€1,400,000
Enforcement Tracker ID
ETid-1653
About this data
Cite as: Cookie Fines. Douglas Italia S.p.a. - Italy (2022). Retrieved from cookiefines.eu
Last updated: