In a press release of 28 November 2022, the Italian DPA announced the fine imposed on Perfumeries Douglas Italia S.p.A. for infringing the data protection regulation.
The case
Following a complaint, the Italian DPA opened a proceeding to assess whether Douglas Italia S.p.A. was processing personal data lawfully in the context of its customer loyalty programmes.
During the investigation it was ascertained that the Douglas Group, created in 2019 from the merger of three companies in the sector (Limoni, La Gardenia and Profumerie Douglas), was storing the data of almost 3,300,000 customers of the former companies.
The company resulting from the merger created a single company database, replacing the consents granted by the customers of the previous companies with the consent requested when joining the new Douglas loyalty programme. This renewal of consent, however, was carried out only for those customers who, after the merger, returned to a Douglas store and asked for a new loyalty card.
The data of the customers who did not activate a new Douglas loyalty card were kept in the Douglas CRM, hosted on the servers of the German parent company, in an inactive status. In other words, once the Italian company had obtained the data from the merged companies, it stored them without requesting any consent for the processing carried out for its own purposes.
Moreover, the Douglas app was examined alongside the other means by which personal data were collected and stored. In this regard, it was found that the Douglas app presented the links "customize your cookies", "general conditions of sale", "personal data policy" and "cookie policy" together, inviting the user to accept all of the texts at once with the single wording "ok, I understand, I accept".
The decision of the Italian DPA
As a consequence of the GDPR infringements found, the DPA ordered Douglas Italia S.p.A. to pay a fine of EUR 1,400,000.
Moreover, the company was ordered to adopt a series of measures to bring its retention periods and its processing for marketing and profiling purposes into compliance with the GDPR.
First of all, the company will have to change the settings of the Douglas app so that the contents of the privacy policy are clearly distinguished from those dedicated to cookies: both texts must describe only the processing actually carried out and the purposes actually pursued, and customers must be able to give their consent freely and specifically for each of the different activities.
Douglas Italia must then delete data older than 10 years and delete or pseudonymize the more recent data. If it opts for pseudonymization, the company will have to publish a notice on its own website and send a communication to the customers for whom it holds an email address, informing them that, unless they renew their loyalty card, their data will be deleted within 6 months.
Lastly, Douglas will have to adopt appropriate organizational and technical measures to ensure that its customers' data are retained in compliance with the GDPR principles of purpose limitation and data minimization.
Ilaria Feriti