Douglas Italia S.p.a.

Beschrijving

The Italian DPA has imposed a fine of EUR 1.4 million on Douglas Italia S.p.a. for various GDPR violations. In the course of its investigation, the DPA initially found that customers were supposed to give their consent to the privacy notices, the cookie policy, and the GTC at the same time. The DPA considered this to be a breach of Art. 6 GDPR and Art. 7 GDPR, as the data subject's consent to the processing of their personal data could not be considered voluntary due to the lack of separate options for consenting to the different notices. Douglas had merged with other companies and in the process acquired additional personal data. The DPA found that after acquiring the data, Douglas had kept the data for an excessive period of time without obtaining consent from the data subjects to use it for its own purposes. The DPA also found that Douglas retained data of customers who had not renewed their loyalty cards for an excessive period of time. Douglas also failed to provide its customers with sufficient and accurate information about the data processing. The DPA also found that Douglas did not use the data for direct marketing in accordance with customer consent. For example, customers who had only consented to telemarketing also received SMS marketing messages. Finally, the DPA found that Douglas had breached its accountability obligations regarding the processing of personal data on its blog.