In a recent landmark decision, the Italian Supreme Court provided essential insights into the calculation of GDPR sanctions (decision No. 27189 of 22 September 2023). The case concerned sanctions imposed by the Italian Data Protection Authority (IDPA) under Article 83 of the GDPR and, significantly, the Italian courts’ power not only to annul but also to redetermine GDPR sanctions.
The Supreme Court’s decision brings clarity to the application of GDPR sanctions, emphasizing the importance of considering factors such as relevance, effectiveness and proportionality. These factors, as outlined in Article 83 of the GDPR, should be carefully evaluated according to the specific circumstances of each case. Furthermore, the Italian Supreme Court made a significant pronouncement: while not expressly stated in Italian law, Italian courts have the authority not only to annul, but also to modify and redetermine IDPA-imposed sanctions to ensure that they align with the seriousness of the specific violation.
Background of the case
The journey leading to this Supreme Court decision began with the Court of Milan’s judgment No. 3276/2022. The case originated from a dispute involving a popular food delivery platform (the Company) and the IDPA. The IDPA had imposed a sanction under Article 83 of the GDPR due to violations concerning the processing of personal data belonging to the Company’s delivery riders. The Milan Court invalidated the sanctions on the grounds that their quantification exceeded the parameters provided for in Article 83(5) of the GDPR. It also contended that Italian courts lacked the authority to redetermine IDPA-imposed sanction amounts.
Challenging the Milan Court’s decision, the IDPA raised three key arguments claiming that:
- the Milan Court had misapplied Article 83 of the GDPR, wrongly assuming that the imposed sanctions were beyond the permissible GDPR limits;
- the Milan Court failed to thoroughly examine and evaluate the alternative methods of calculating GDPR sanctions, as set out under Article 83 of the GDPR;
- ordinary courts are expected to quantify GDPR penalties and, if necessary, adjust them in accordance with GDPR criteria and the actual severity of the violations.
In response, the Company filed a counter-appeal based on three additional grounds claiming that:
- Articles 56 and 60 of the GDPR, concerning the power of the lead supervisory authority in cases of cross-border processing of personal data, had been infringed and misapplied. The Company argued that it is wholly owned by the parent company based in Spain and that the processing occurred through the e-platform fully owned by the Spanish parent company. It therefore constitutes cross-border processing controlled by the Spanish company, over which the Spanish Data Protection Authority has sole authority, with the IDPA consequently lacking authority;
- crucial facts regarding the operation of the platform used for processing the riders’ personal data had been overlooked;
- there were parallel proceedings underway brought by the Spanish Data Protection Authority, the circumstances of which had not been adequately considered.
The Supreme Court’s ruling
The Supreme Court upheld the first and third grounds of the main appeal, while considering the second absorbed, and declared the cross-appeal filed by the Company inadmissible. Consequently, the Supreme Court set aside the judgment, referring the case back to the Court of Milan in order to decide on the merits of the case in accordance with the principles set out in its judgment.
According to the Supreme Court, Article 83 of the GDPR allows the data protection authorities to determine sanctions for personal data breaches in compliance with the general rules of relevance, effectiveness and proportionality, taking into account the specific circumstances of the case. According to the judgment, the GDPR provision also offers the data protection authority two options for calculating sanctions, choosing ‘whichever is higher’ between: (i) a fixed maximum amount (in this case, €20m), or (ii) a percentage of the global financial turnover (4% in this case). The Supreme Court determined that the fine imposed by IDPA, approximately 7.29% of the Company’s global turnover, did not exceed the maximum limit specified in Article 83 of the GDPR.
Regarding the third argument raised by the IDPA, the Supreme Court clarified that even though Article 10 of the Italian Legislative Decree no. 150/2011 does not explicitly address the power of Italian courts to modify IDPA-imposed sanctions, the power to modify and/or redetermine economic sanctions can be inferred from a comprehensive interpretation of the various legal provisions implementing the GDPR in Italy. Therefore, courts are empowered not only to annul, but also to amend and/or redetermine all or part of the sanctions imposed by IDPA, based on the specific circumstances of each case.
Regarding the Company’s cross-appeal, the Supreme Court dismissed it as inadmissible, finding that assessments related to cross-border data processing are matters of fact that cannot be examined and reassessed by the Supreme Court. Furthermore, the Supreme Court confirmed the authority of the IDPA to apply sanctions in this case, as the Company, based on the findings of the lower Court, functioned as the autonomous controller for the Italian riders’ personal data, whose processing was governed by local contracts. As a result, the IDPA had authority over the GDPR breaches that occurred in Italy, notwithstanding parallel investigations by Spanish authorities.
In summary, the Italian Supreme Court’s ruling provides valuable insights into the determination of GDPR sanctions in Italy:
- Article 83 GDPR establishes general criteria for quantifying pecuniary sanctions arising in connection with GDPR infringements, emphasising the importance of specificity, effectiveness and proportionality;
- the total sanction amount should not exceed the highest limit set for the most severe infringement, considering the parameters outlined in Article 83 of the GDPR;
- courts, even in data protection disputes, possess the authority to annul – in whole or in part – or modify sanctions, including the penalty amount, provided it remains above the minimum threshold.
This landmark decision underscores the significance of a case-by-case assessment in GDPR enforcement, ensuring fairness and proportionality in sanctioning violators.