Rinascente S.p.A.: Non-compliance with general data processing principles

The Italian DPA has fined Rinascente S.p.A. EUR 300,000. The DPA acted on a complaint from a customer who, following an incident with a store employee, had her long-standing loyalty card cancelled and received a new, unsolicited card that contained offensive information about the complainant in her name. The customer complained that their information had been accessed without their consent. During the investigation, the DPA also found that the information on the loyalty card did not specify the retention period of the data for marketing and profiling purposes. In addition, it was not stated that activities were carried out through Facebook-Meta, in which customers' email addresses were forwarded to the American company. As for the e-commerce activities on the website, it was found that, although broad profiling was carried out, Rinascente had not carried out a data protection impact assessment in accordance with the GDPR. In setting the fine, the DPA took into account the high number of data subjects (more than 2,000,000 people were registered in the stores or online), the duration of the violations and the financial performance of the company.

GDPR Articles: Art. 5 (1) a), b), c), e), f) GDPR, Art. 12 (1) GDPR, Art. 32 (1) b), d) GDPR, Art. 35 GDPR
Industry: Industry and Commerce