The Italian Data Protection Authority fines the famous Douglas perfume chain
In its recent Order No. 348 of 20 October 2022, the Italian Data Protection Authority (“Authority”) ruled on the data collection and processing policies for marketing and profiling purposes of Douglas Italia S.p.a. (“Douglas”), the renowned perfume and cosmetics chain.
The decision was reached at the end of a complex investigation initiated against the Italian company following a complaint by a customer who claimed not to have received a reply to a request to exercise her rights. More precisely, the customer had allegedly asked Douglas for information on the management of personal data without receiving a reply. On the basis of the complainant's experience, the Authority deemed it appropriate to carry out further investigations into the company's handling of requests submitted by other data subjects, as well as the processing of data for marketing and profiling purposes.
First of all, the Authority noted that the failure to respond to the data subject's requests constituted an isolated event, and ascertained that data subjects' requests were usually handled correctly and promptly. Despite this, the Authority considered it necessary to examine in greater detail the other aspects relating to the processing of personal data, focusing in the first instance on the corporate app. In particular, the preliminary investigation identified a violation of Article 7 of Regulation (EU) 2016/679 (the 'Regulation'), a provision that provides for the principle of granularity with respect to the request for consent to the processing of personal data: consent must be specific, i.e. related to the purpose for which that processing is carried out. When collecting consent, the Italian company did not tie it to specific processing activities and therefore would not have allowed customers to express free and specific consent for the different activities (the company's own marketing, third-party marketing and profiling).
The Authority also found a breach of the principle of accountability set out in Articles 5(2) and 24 of the Regulation, given that Douglas, after the merger with three companies in 2019, allegedly did not keep track of the data collection and processing methods implemented by the other companies. Furthermore, once it had acquired the data from the merged companies in 2019, the Italian company allegedly kept this data for a long time without concerning itself with how it had been acquired and, above all, without requesting any specific consent to process it for its own activities. On this point, Douglas clarified that the retention of the former companies' customer data had been a matter of business strategy, intended to speed up the transfer of personal information in the event of a request to issue a Douglas fidelity card. The Authority ascertained a violation of the principles of purpose limitation and limitation of retention, considering the purpose declared by the Italian company to be entirely disproportionate to the retention period, also in light of the large amount of personal data retained.
Following the inspections, it was also found that the principle of accountability and the principle of privacy by design, referred to in Article 25(1) of the Regulation, had been violated with regard to telemarketing activities carried out in stores. In fact, the Authority found a mismatch between the consent given by the data subject and the processing of personal data carried out: the customer who had only given consent to receive instant messaging also received telephone calls and vice versa.
Lastly, the Authority established a violation of the principle of accountability with regard to the processing of personal data carried out through the company blog. In the present case, Douglas had allegedly failed to provide evidence of the purposes and storage methods relating to the personal data processed through the blog.
For the aforementioned violations, the Authority therefore ordered Douglas to pay a fine of EUR 1.4 million and ordered the company to correct the violations detected.