Lawfulness of processing in anti-fraud investigations

In its newsletter No. 526 of 9 August 2024 (web doc. No. 10043752), the Italian Data Protection Authority gives notice of two decisions by which it sanctioned a bank – for EUR 1 million – and a leasing company – for EUR 250,000 – for violations related to unauthorised access to databases for creditworthiness checks connected to car rentals, in addition to an inadequate response to the exercise of rights.

The decisions were issued following a complaint lodged by a user who had been denied a car rental voucher because she was on a ‘black list’. The leasing company and the bank involved had failed to provide adequate answers to the user’s requests regarding the personal data used for this decision.

Facts

The Authority’s enquiry concerns the case of a complainant who applied to a leasing company, the data controller, in order to obtain information regarding the rejection of her long-term car rental contract and her inclusion in a blacklist by a bank acting on behalf of the data controller.

Since the data subject considered that she had not received a satisfactory response to her requests to exercise her right of access to her data, she complained to the Supervisory Authority.

Following the authority’s investigation, it emerged that the bank – belonging to the same corporate group as the leasing company controller and acting on the basis of a service contract in place with the leasing company – had, on behalf of the latter, accessed a specialised public system to prevent identity theft and to ensure the security of transactions (SCIPAFI), managed by the Ministry of Finance (MEF). 

SCIPAFI is based on a central computerised archive, access to which, according to the founding law (Legislative Decree No. 141/2010, Article 30-ter), is allowed to ‘adherent’ subjects identified as banks, electronic communication service providers, digital identity managers, utilities, insurance companies, credit information managers, in addition to subjects required to carry out customer due diligence. The same article empowers the Minister to identify additional categories of subjects with the right to access the system.

As things stood, only the bank had the right to access the SCIPAFI system, and only for its own direct purposes. It could therefore not access the system on behalf of third parties, nor for purposes other than those permitted, such as, in the present case, assessing whether or not to enter into car rental contracts.

Only later did the MEF grant the leasing company authorisation to participate in the SCIPAFI prevention system.
