With a resolution issued on October 20, 2022, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) ordered the beauty retail company Douglas Italia S.p.A. (“Douglas”) to pay total sanctions of EUR 1,400,000 for several breaches of the data protection rules. In addition, the company must implement a series of measures to comply with applicable data protection rules.
The Garante opened proceedings against Douglas in August 2020. After an inquiry, the Garante found several types of conduct in breach of the law, largely in connection with marketing and profiling activities, matters that consistently attract the Garante's scrutiny.
Among other items, the Garante ruled on the matter of data retention periods. Douglas kept the personal data of nearly 3.3 million clients. The data had not been used for several years, nor had Douglas obtained the data subjects' consent to keep them. (In several cases the data had been collected by another company that no longer exists, having been merged into Douglas.) Douglas justified this long retention period by saying it needed to comply with internal policies established by its German parent company, which applies standard policies to all group companies.
The Garante determined that retaining data for so long is manifestly and unjustifiably excessive from both a qualitative and a temporal perspective. The Garante stressed that even when a data subject consents to marketing and/or profiling activities, and that consent remains valid until it is revoked or the subject objects to the processing or use of the data for promotional purposes, Douglas, in exercising accountability, should store data in a selective and limited way. This applies especially to the timeframe and the categories of data kept, and must take into account whether the retained data are actually used.
In relation to the timeframe, the Garante cited its general resolution of February 24, 2005, "Fidelity cards and guarantees for consumers. The Garante's rules for loyalty programs," and the short retention periods it contemplates: 12 months for data used for marketing activities and 24 months for data used for profiling activities, to be interpreted in light of the principles of accountability and general responsibility set forth by the GDPR.