Date of final decision: 16 September 2021
Cross-border case or national case: National case
Controller: La Prima Srl
- Purpose limitation (article 5, par. 1, let. b) GDPR), lawfulness of processing (article 6, par. 1, let. a) GDPR), adequacy of the measures (articles 24, 25 GDPR);
- SA’s power to request information from controller or processor (Section 157, Italian Data protection Code)
- SA’s power to request information from controller or processor (Section 157 and 166 par.2, Italian Data protection Code)
Decision: Infringement of the GDPR, reprimand to the controller, order to bring processing into compliance, administrative fine
Key words: purpose limitation, order to provide information, lawfulness of processing, data subject’s consent
Summary of the Decision
Origin of the case
Complaint by data subject
Exchanges of information on a social network are only intended to enable what is set out in the relevant terms of service, which are relied upon by the data subject in determining the purposes of all processing operations. The Italian SA decided to step in against a real estate agency that offered its services to a lady owning a flat by using her contact information on LinkedIn.
The decision clarified that the platform is intended to enable exchanges of contact information to provide job opportunities; it is not envisaged that users may rely on it to send messages in order to sell products or services to other users, regardless of whether this is what their core business consists of.
Against this backdrop, the fact that a user profile is public or not is irrelevant. What matters is the purpose sought by sending the message, which was a promotional one in this case; such purpose conflicts with the one set out in the terms of service for the social network in question.
The Italian SA found the processing to be unlawful and reprimanded the estate agency whilst ordering it to take suitable organisational measures. The SA considered this to be both sufficient and proportionate as a corrective measure in the light of several circumstances – namely, the controller is a small business, exposed to the economic crisis brought about by the COVID-19 pandemic; this was the first proceeding involving such controller; only one message was targeted directly to the complainant. However, the controller was fined EUR 5,000 on account of its failure to reply to repeated requests for information submitted by the Italian SA; the administrative fine was found to be both proportionate and dissuasive taking account of the controller’s economic status.
For further information: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9705632
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.