The Italian Data Protection Authority (Garante) has fined Clubhouse two million euros. The measure is full of useful guidance for the operational implementation of GDPR obligations. We provide below a summary of those that seemed most relevant.
Characteristics of the controller and the service
Clubhouse is a social media app, based solely on voice interactions taking place in conversation rooms, operated by a U.S.-based company.
The company is not reported to be established in any EU member state, and it was not initially the intention of top management to promote the app in the European market.
EU/EEA and Italian Jurisdiction – A foreign company that has no establishment in the EU/EEA but offers services or products or monitors behavior of individuals located in the EU will need to interface with each of the supervisory authorities involved. Each is responsible for the processing of personal data of data subjects present in their respective member states.
EU Representative – When the obligation to designate an EU Representative is triggered, the Representative's contact details must be indicated in the privacy notice, which must identify the Representative as the point of contact for data subjects and supervisory authorities on behalf of the controller. The relationship with the Representative must be governed by a specific mandate contract specifying his or her functions and limits.
Evidence of data processors – An up-to-date list of data processors should be made available to data subjects, possibly through links to appropriate web pages containing it.
Retention periods – When data retention serves different purposes (e.g., relationship management or possible litigation), the retention period or criteria for each purpose, and which data fall under each regime, should be specified.
Legal basis – For marketing purposes, the legal basis of implied consent is inadequate, and that of legitimate interest is contingent on the successful outcome of the balancing test between the interests of the data controller and the interests, rights, and fundamental freedoms of the data subject, to be carried out on a case-by-case basis. For anti-fraud or infringement control purposes, processing based on legitimate interest and carried out through preventive and indiscriminate monitoring would fail the proportionality test. Profiling of data subjects, even when intended as a preparatory step to present users with categories of users sharing similar personal interests, cannot be justified by the legal basis of contractual necessity.
Security measures – An allegation that the security measures adopted were inadequate can also be rebutted at the inquiry stage with appropriate evidence.
DPIA – Processing for profiling purposes and the performance of predictive activities related to various aspects of individual personality are subject to mandatory DPIA as per the list published by the Italian Data Protection Authority.
Excusable error – Good faith is not enough to escape the fine; it is also necessary that the infringer has done everything possible to comply with the law.