By way of an injunction order, the Italian Data Protection Authority fined Benetton for breaching several GDPR principles concerning data retention, data minimization, and technical and organizational security measures.

The Italian Data Protection Authority ("Garante" or "DPA") fined Benetton for a number of data protection violations. During an inspection that began in 2019, several irregularities were found on the company's websites and in its handling of customer data, both for fidelity (loyalty) card and promotional purposes.

During a follow-up inspection in 2021, carried out to verify that additional security measures had been implemented and the alleged violations corrected, the Garante identified further issues: customer data was being retained indefinitely, and security measures were lacking both in the fidelity programs and in the platform made available to retail stores.

After examining the company's defense submissions, the DPA dismissed some of the objections (those concerning the websites and the management of consents for promotional purposes). The following violations, however, were confirmed:

(1) Retention of current and former customers' data with no time limit. The company's proposal to keep the data for 10 years was also deemed unacceptable in light of the Garante's guidelines on fidelity cards;

(2) Inadequate security measures in the management of the in-store platform. The system provided a single shared account for the entire store, with no requirement to change the password. The platform was also reachable from the web, and therefore from any device. Finally, there was no control over which employees could log in, so no action could be attributed to an individual user;

(3) These shortcomings also imply a breach of the controller's obligation to have a procedure in place for regularly testing and verifying the effectiveness of the security measures adopted to protect the processing.

As an aggravating factor, the DPA also pointed to the volume of data exposed (each store's account could reach customer data from all over the world) and to the range of personal details collected through the fidelity cards, which were used for profiling purposes.

The Garante therefore imposed a fine of 240,000 euros and ordered the company:

– to delete or anonymize former customers' data that is more than 10 years old, unless a dispute is pending;

– to adopt appropriate technical and organizational measures to ensure that data is stored in accordance with the principles of the GDPR, with particular reference to data minimization and storage limitation, as well as to the security of the data.

Finally, as it customarily does, the Garante ordered publication of the decision on its institutional channels.

This sanction shows once again how often organizations underinvest in the internal procedures and systems needed to control and monitor compliance with the rules, including the conduct of employees and suppliers, in favor of a form of compliance that amounts to little more than keeping documentation up to date.

On the contrary, full compliance and genuine protection of personal data can only be achieved through robust, clearly defined procedures that ensure the control, management and proper conduct of every processing activity.

Originally published 14 July 2023.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.