The Italian Supreme Court imposes parameters of relevance, effectiveness and proportionality for GDPR sanctions
With Order No. 27189 of 22 September 2023, the Italian Supreme Court recognised the centrality of the GDPR in the determination of sanctions for violation of data protection laws.
The order was issued following an appeal by the Italian Data Protection Authority (the IDPA) against the Court of Milan’s decision to cancel an administrative sanction imposed by the IDPA for violation of data protection laws. According to the Court, the fine, set at 7.29% of the annual global turnover of the sanctioned company, was too high when compared to the 4% parameter referred to in the aforementioned law and, moreover, higher than the average percentage (0.0019%) applied by the IDPA to other sanctioned entities. The Court had also held that it could not itself redetermine the fine.
The IDPA appealed to the Supreme Court on the following three grounds. First, for infringement and misapplication of Article 83 GDPR and Article 166 Privacy Code, since the penalty imposed was permitted by the assessment criteria set out in these articles. Second, for non-examination of a material fact, in relation to the method of calculation of the penalty. Lastly, for infringement and misapplication of Articles 6 and 10 of Legislative Decree 150/2011 and 166 of the Privacy Code, since the court is in any event obliged, also with regard to the protection of personal data, to quantify the fine and, if necessary, to redetermine it in accordance with the legal requirements and on the basis of the gravity of the facts.
The company submitted a defence based on the grounds of three cross-appeals.
The Supreme Court allowed the first and third grounds of the main appeal, declared the second ground absorbed, dismissed the cross-appeal as inadmissible and set aside the judgment.
The Supreme Court stated its reasoning by noting, firstly, that the Court's assertion that the sanction would be unlawful only because it was higher than the average percentage (of the annual turnover of the person affected by the sanction measure) imposed in other cases constituted a breach of the Regulation: at most, this could be an indicator of hypothetical disproportion, but one that must in any case be assessed in relation to the individual case.
As regards the claimed infringement of the edict limit, the Court of Cassation observed that the GDPR, in paragraphs 4 and 5 of Article 83, defines the parameters by means of which the administrative sanction is to be determined: up to €10,000,000 (or €20,000,000) or, for companies, up to 2% (or 4%) of the total annual global turnover of the previous year, whichever is higher. The reference to the turnover percentage does not have the function of mitigating the edict limit, as the Court had held. It operates instead as a further edict limit of the alternative sanction against the maximum of the ordinary one of €20,000,000. In other words, it applies only if it leads to a sanction amount higher than the first.
With reference to the third ground of appeal, the Supreme Court noted that, as a result of the coordination of Article 166 of the Privacy Code with Articles 6 and 10 of Legislative Decree 150/2011, in the judgment granting the opposition the judge, even in disputes concerning personal data, may cancel all or part of the order, or modify it, limiting it to the amount of the fine due.