The Italian Supreme Court, with an order dated September 22, upheld the appeal of the Italian Data Protection Authority, in which it outlined the necessary criteria of sanctions issued under the European Data Protection Regulation (GDPR).

The case stems from a sanction issued to the plaintiff in 2021 by the Italian Data Protection Authority (“Guarantor”), which had sanctioned a violation of the data protection regulations by issuing a penalty of 2,600,000 euros. The measure was appealed before the Court of Milan, which annulled the sanction as disproportionate.

In fact, the court held that the figure, which was based on the sanctioned person's turnover, was too high (more than 7 percent), compared to the 4 percent maximum penalty stipulated by the GDPR. In addition, the court declared itself not competent to recalculate the sanction, and consequently annulled it. The Milan judge stated verbatim that “the decision of the Guarantor, was not [legitimate, editor's note] however on the level of the sanction.”

The Privacy Guarantor appealed to the Supreme Court, claiming violation of the GDPR rules on sanctions, failure to examine the calculation of the sanction and, finally, violation of the procedural rules governing the procedure under Legislative Decree 150/2011. In turn, the company proposed a counter-appeal with cross-appeal, complaining of the failure to establish the cross-border nature of the processing, which would have consequently deprived the Guarantor of jurisdiction over the matter (in favor instead of the Spanish guarantor, the AEPD).

The Supreme Court upheld the Guarantor's appeal, rejecting the company's “counter” appeal.

In particular, the first plea regarding the violation of the GDPR's penalty rules was upheld, on the assumption that the Tribunal had erred.

The European regulation, in fact, stipulates that violations are sanctioned with two autonomous provisions, depending on the severity of the rule violated; a first group entails a sanction of up to 10 million euros, the second up to 20 million.

The turnover criterion (2 percent for the first group and 4 percent for the second), used by the court as the main argument for the annulment of the penalty, is actually residual. In fact, the Supreme Court points out that “…the reference to the proportional penalty is not placed by the GDPR as a mitigating function of the limit prescribed by law as established with the ordinary variable penalty, but represents a further and distinct limit prescribed by law, to which reference shall be made only if it is higher (as such) than the maximum of the aforementioned penalty.” The rule, in fact, allows the use of the turnover limit “if higher” than the purely economic criterion.

In addition, the Supreme Court specified that:

  • the sanction must in all cases be effective, proportionate, and dissuasive, and outlined how the GDPR has introduced greater accuracy in the penalty regime, precisely as a result of the criteria of Article 83.
  • It also overruled the part of the ruling regarding the possibility of redetermination of the sanction by the Court of Milan, stating that in these types of proceedings “the Judge may annul all or part of the measure or modify it also limited to the amount of the sanction due, which shall be determined in an amount in any case not less than the minimum penalty.”

The grounds of the counter-appeal, however, were all rejected. In particular, the plea regarding the alleged competence of the AEPD as lead authority by virtue of the cross-border nature of the processing was considered to be unfounded.

In fact, even though the company was subject to management and coordination, the processing that took place in Italy and was carried out directly by the subsidiary with its own autonomy of structure and negotiation is the responsibility of the local authority, as it lacks the requirements of the regulation to be considered cross-border. The counterclaim was, consequently, dismissed.

For the first time, the Supreme Court highlighted the importance of the GDPR with regard to the definition of sanctions, with a reference to the principles of relevance, effectiveness and proportionality. In addition, it was clarified that the lower court has the possibility not only to annul, but also to modify and redetermine the amount of the sanction.

This is certainly a fundamental ruling, as it clarifies the role of the ordinary court in dealing with appeals against the Guarantor's sanctions, and also emphasizes how the sanction must meet certain criteria and should not merely be based on a mathematical calculation.
