La Rinascente Faces €300,000 Fine for Personal Data Breach Dispute

A dispute that took place two years ago between a saleswoman and a customer risks costing La Rinascente 300 thousand euros: the company was ordered to pay the fine by the Guarantor for the protection of personal data. The facts date back to 24 July 2021, when a shopping mall customer, immediately after “an altercation with a store employee”, received an email from Rinascente informing her that a new fidelity card had been activated (which she had never requested), in which her personal details had been changed and she appeared with the very unflattering title of “Donzella Svampita”.

Connecting the strange episode to the quarrel a few hours earlier, the woman immediately telephoned customer service and received confirmation that her Rinascentecard, signed years earlier, had been canceled and replaced that very day with the new one, registered under the new name, which the Guarantor’s ruling defines as “obviously offensive”.

She then turned to the Privacy Guarantor, believing that unauthorized access to her customer file had been made in order to enter the new name. For its part, La Rinascente, which restored the customer’s original fidelity card on 5 August 2021, stated that “the event that occurred did not involve any processing of personal data by Rinascente staff in a manner different from what is represented to the interested party in the information provided upon activation of the Card, with the exception of the act performed by the store employee in violation of the procedures and instructions given to her by the company”, underlining that “there has been no loss of the lady’s personal data” and that a disciplinary sanction was applied to the worker, given that “the actions taken by the employee totally deviate from the procedures adopted by Rinascente in relation to the management of the Cards as well as from the instructions that the company itself provides to its own employees”.

However, the special privacy and technological fraud unit of the Guarantor’s office conducted an inspection of the company and noted other critical issues as well. In the information notice for the fidelity card known as friendscard, for example, customers who consented to the processing of personal data for marketing and profiling purposes were given “no necessary reference to make interested parties understand how many and which time limits are applied by the company, also in relation to the type of data and the purposes of the processing”. Furthermore, the note from the Privacy Guarantor continues, “the processing activity carried out through Facebook-Meta is not indicated, also with regard to the forwarding of the email addresses of La Rinascente customers to the American company”.

And again, “although carrying out a wide-ranging profiling activity, it did not appear that La Rinascente had defined the impact assessment procedure”, which is instead required by the Guarantor for the protection of personal data. The company was therefore asked to define differentiated data retention times, distinguishing between processing for marketing purposes and processing for profiling purposes.

As regards the episodes of data breach (i.e. violation of personal data), another was detected in addition to the one reported by the customer defined as “Donzella Svampita”: during a production release of a technical development, “because of a misalignment, five e-commerce customers have erroneously received communications relating to the orders of 70 users”, La Rinascente admitted, specifying however that it had intervened to immediately block the flow of emails and to notify the recipient customers of the incident, inviting them to delete the emails received. If the first data breach, according to the Guarantor, “appears to be attributable to the carelessness of an employee who violated the instructions received as well as, more generally, a predefined protocol, and therefore can be archived”, the second “appears to imply an inadequate original level of measures to prevent the infringement”.

Hence the administrative fine of 300 thousand euros (an amount that can be halved if paid within 30 days), set taking into account the high number of subjects involved in the violations, the duration and the broad territorial scope of the violations themselves, and the economic capacity of the company. On the other hand, the absence of previous proceedings initiated against the company, the timely adoption of corrective measures and the serious socio-economic crisis underway, with effects also on the economic and financial situation of La Rinascente, were considered extenuating factors.

2023-07-19 16:27:36