Italian Garante Fines
March 17, 2017
In a recent decision, the Italian Data Protection Authority issued fines of over 11 million Euro against five companies operating in the money transfer sector. It is the highest sanction ever applied for unlawful processing of personal data by a Data Protection Authority in Europe.
This is a milestone decision for the enforcement of data protection legislation, considering that the new GDPR, which, as is known, has significantly raised fines to up to 20 million Euro or, if higher, 4% of a company's annual worldwide turnover, is not yet in effect.
The breach of personal data was discovered by the Italian DPA in the course of a broader investigation carried out by the public prosecutor's office in Rome into money laundering activities. The investigations focused on the transfer of significant amounts of money from Italy to China, jointly structured and performed by five companies.
In particular, in order to avoid reaching the thresholds set by AML legislation and to hide the identity of the "real" money senders, the investigated companies split the amounts of money transferred into several payments and registered them, in the centralized archive required by AML laws, under the names of unaware individuals.
Such conduct, in violation of the AML laws, has also been considered an infringement of the data protection legislation.
In particular, the Italian DPA alleged against the investigated companies that: (i) they processed personal data of unaware individuals without their consent; (ii) the unlawful processing relates to a database of significant size; and (iii) each registration of an unaware individual has to be considered a single and autonomous violation of the data protection laws.
In this respect, Section 162, paragraph 2-bis of the Italian Data Protection Code provides that if the processing of personal data is carried out in breach of the provisions on, among others, the consent of the data subjects, the applicable fine may range from Euro 10,000 to Euro 120,000.
Furthermore, according to Section 164-bis, paragraph 2, of the Data Protection Code, when one or more provisions are violated repeatedly, including on different occasions, in connection with large databases, an administrative penalty ranging from Euro 50,000 to Euro 300,000 may be applied.
On the basis of the above, each of the five investigated companies has been ordered to pay a fine calculated on the basis of the number of unaware individuals registered in its databases (996 in total) multiplied by Euro 10,000, plus an amount of Euro 50,000 in consideration of the size of the database involved.
The sanctions issued amount to Euro 5,880,000, 1,590,000, 1,430,000, 1,260,000 and 850,000 respectively, thus reaching a total of more than 11 million Euro.