In April 2023 the Italian Data Protection Authority (Garante per la protezione dei dati personali) fined the fashion brand Benetton €240,000 for GDPR violations related to marketing practices involving consumer data.
The Garante's investigation began in 2019 as part of a scheduled inspection of marketing and profiling activities, delegated to the Privacy Unit of the Italian law enforcement agency Guardia di Finanza. Initially the Garante requested documents from Benetton, including information on how cookies were managed on the Group's websites. Given the complexity of the subject, the Garante decided that an on-site investigation was needed to examine the company's processing of customer data for marketing and profiling purposes.
Several GDPR breaches found during the Garante’s investigation
As a result, the authority opened an administrative proceeding in 2021, in which several breaches were identified in relation to the cookie banners on two of the Group's websites. The infringements included non-compliant management of the cookie banner, which left data subjects without a real choice regarding cookies, as well as incomplete or incorrect information on the use of personal data. These breaches were partially remediated by the company.
Separately, breaches in the handling of personal data collected through the consumer loyalty card programme were identified, and these led to the final decision to impose a fine. In particular:
- the data retention periods stated in the privacy policy and in the record of processing activities were not actually enforced, so data were kept in the databases for longer than allowed (over six years instead of the scheduled two years);
- information about consumers' preferences (for example, derived from purchase receipts) was collected without the data subjects' consent to profiling;
- marketing emails were sent to many consumers even though they had objected to the processing.
Benetton’s remediation actions
During the investigation, which was also interrupted by the Covid-19 outbreak, Benetton submitted defence memos to the Authority on several occasions, clarifying its practices for marketing communications and for the use of data of consumers enrolled in the loyalty card programme, and describing the corrective measures implemented for the cookie banners.
However, although the Authority acknowledged that some remediation actions had been taken, the Garante still found violations.
Final findings of the Garante
The violations finally ascertained included the lack of adequate security measures and retention periods for personal data processed for marketing and profiling purposes, as well as non-compliant management of the consumer database. All store employees in seven EU countries accessed the consumer database through a single shared account with the same password, which meant that individual access to the data could not be attributed to any specific person.
Taking into account the high volume of data and the duration of the violations, in 2023 the Garante imposed a fine of €240,000 and ordered the company to adopt measures for the correct storage of the data, to delete or anonymise the personal data of consumers retained for over 10 years, and more generally to adopt measures to comply with the GDPR and other applicable privacy legislation.
It is of utmost importance for companies processing personal data for marketing and profiling purposes to comply properly with their information duties, to collect the relevant consents and to retain data in line with the storage limitation principle. It is equally critical to adopt a compliant set-up for managing the consumer database, covering both who can access personal data (individual, accountable accounts rather than shared credentials) and for how long it is stored.