日期：27 July 2020

國家：義大利

關鍵字：同意；撤回同意；反對處理

GDPR：§7 (conditions for consent)、§21 (right to object)

裁決：行政罰鍰（€17,000,000）、命令（遵循資料主體行使權利之要求、適當處理資料）

摘要：

(1) 義大利監管機關對控管者 Wind Tre SpA——電話營運商——課處行政罰鍰（€17,000,000），因為該公司涉及多起與行銷有關的違法處理個資事件。

(2) 監管機關收到多起投訴，表示收到未經同意的訪問行銷——透過簡訊、電子郵件、傳真和自動電話等方式。在某些案件，當事人主張他們無法行使撤回同意權，或反對處理權——反對基於行銷目的處理個人資料，部分原因則是因為控管者提供的聯繫資訊不正確。而在其他案件，儘管當事人已經多次表示反對，但其個人數據仍然被列入公開電話名簿（public phone listing）裡。

(3) 經過調查，監管機關發現控管者使用的兩款應用程式—— MyWind 和 My3 ——被設定為使用者在每次登入時，都必須同意控管者得基於多種目的進行處理，包括行銷、個人行為剖繪（profiling）、向第三方傳輸資料、地理位置定位行銷等；如果當事人想要撤回同意，則必須等到 24 小時後。

(4) 針對上述違反 GDPR 的行為，監管機關對控管者處理 €16,729,600 的行政罰鍰，並禁止在未取得當事人同意情況下，繼續處理他們所獲得的個人資料。

Reference

Article 7 Conditions for consent

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Article 21 Right to object

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4. At the latest at the time of the first Communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.