Douglas Italia S.p.a. – €1,400,000 Fine (Italy, 2022)
The Italian DPA has imposed a fine of EUR 1.4 million on Douglas Italia S.p.a. for various GDPR violations. In the course of its investigation, the DPA initially found that customers were required to give their consent to the privacy notices, the cookie policy, and the general terms and conditions (GTC) at the same time. The DPA considered this to be a breach of Art. 6 GDPR and Art. 7 GDPR: because there were no separate options for consenting to the different notices, the data subject's consent to the processing of their personal data could not be considered voluntary. Douglas had merged with other companies and in the process acquired additional personal data. The DPA found that, after acquiring the data, Douglas had kept it for an excessive period of time without obtaining consent from the data subjects to use it for its own purposes. The DPA also found that Douglas retained the data of customers who had not renewed their loyalty cards for an excessive period of time. Douglas also failed to provide its customers with sufficient and accurate information about the data processing. In addition, the DPA found that Douglas did not use the data for direct marketing in accordance with customer consent. For example, customers who had only consented to telemarketing also received SMS marketing messages. Finally, the DPA found that Douglas had breached its accountability obligations regarding the processing of personal data on its blog.
GDPR Articles Cited
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Douglas Italia S.p.a. in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Data Subject versus Telecommunications Company
2025 · DPA OLGKoblenz
Legal Person
2023 · Úřad pro ochranu osobních údajů
ANSPDCP
2025 · Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal
CNIL
2019 · Court of Justice of the European Union
Minister for Legal Protection
2022 · DPA RbOverijssel
Details
Fine Date
20 October 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€1,400,000
Enforcement Tracker ID
ETid-1653
GDPRhub ID
gdprhub-5490
Cite as: Cookie Fines. Douglas Italia S.p.a. - Italy (2022). Retrieved from cookiefines.eu